Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 1 Hour |
| Deduplication Period | 30 Days |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
A user executed multiple living-off-the-land binary (LOLBIN) processes that are unusual for this user. This may be indicative of a compromised account.
Attacker's Goals
Unusual processes may be executed for various purposes, such as exfiltration or lateral movement.
Investigative actions
Investigate the processes that were executed to determine if they were used for legitimate purposes or malicious activity.
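The sketch below is an added example, not the product's detection logic: it shows how the periods in the Synopsis could combine into a per-user baseline check of the kind the Description outlines. Assumptions: the LOLBIN list is an illustrative subset, "multiple" is taken as two or more distinct binaries, the Activation Period is read as the minimum history per user before any alert, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ACTIVATION = timedelta(days=14)  # synopsis: Activation Period (assumed meaning: minimum history)
TRAINING = timedelta(days=30)    # synopsis: Training Period
TEST = timedelta(hours=1)        # synopsis: Test Period
DEDUP = timedelta(days=30)       # synopsis: Deduplication Period
MIN_UNUSUAL = 2                  # assumption: "multiple" means >= 2 distinct binaries
# Assumption: illustrative subset of LOLBIN names, not the product's list.
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe"}

def detect(events):
    """events: (timestamp, user, process_name) tuples sorted by timestamp.
    Returns [(timestamp, user, [unusual binaries])], one per dedup window."""
    first_seen, last_alert, alerts = {}, {}, []
    history = defaultdict(list)  # user -> [(timestamp, binary)], LOLBINs only
    for ts, user, proc in events:
        first_seen.setdefault(user, ts)
        name = proc.lower()
        if name not in LOLBINS:
            continue
        # Keep only what the training and test windows can still reference.
        kept = [(t, b) for t, b in history[user] if ts - t <= TRAINING + TEST]
        kept.append((ts, name))
        history[user] = kept
        if ts - first_seen[user] < ACTIVATION:
            continue  # too little history to call anything unusual
        baseline = {b for t, b in kept if ts - t > TEST}
        unusual = {b for t, b in kept if ts - t <= TEST} - baseline
        if len(unusual) < MIN_UNUSUAL:
            continue
        if user in last_alert and ts - last_alert[user] < DEDUP:
            continue  # suppress repeats inside the deduplication period
        last_alert[user] = ts
        alerts.append((ts, user, sorted(unusual)))
    return alerts

def sample_events():
    """Constructed sample data: two users with three weeks of routine activity."""
    t0 = datetime(2024, 1, 1, 9, 0)
    ev = [(t0 + timedelta(days=d), "alice", "rundll32.exe") for d in range(21)]
    ev += [(t0 + timedelta(days=d), "bob", "certutil.exe") for d in range(21)]
    burst = t0 + timedelta(days=21)
    ev += [(burst, "alice", "rundll32.exe"),                       # usual for alice
           (burst + timedelta(minutes=5), "alice", "certutil.exe"),
           (burst + timedelta(minutes=9), "alice", "mshta.exe"),
           (burst + timedelta(minutes=20), "alice", "bitsadmin.exe"),
           (burst + timedelta(minutes=9), "bob", "certutil.exe")]  # usual for bob
    return sorted(ev)
```

The same binary is routine for one user and unusual for another, which is why the baseline is keyed per user; the list of unusual binaries in each alert is the starting point for the investigation step above.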