Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 1 Hour |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | High |
Description
An unusual number of cytool commands was executed in a short period by a user who doesn't usually run these commands.
This may indicate an attempt to guess the Administrator password.
Attacker's Goals
The attacker may disable the agent to perform malicious activities.
Investigative actions
Verify which user ran these commands and whether this is legitimate behavior on this host.
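
To support the investigation, the logic in the Description can be approximated over exported process-execution events. The following is an added example, not the product's own detection code: it uses the 30-day training period and 1-hour test period from the Synopsis, while the event field names, the two thresholds, the host and user names, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TRAINING = timedelta(days=30)  # Training Period from the Synopsis
TEST = timedelta(hours=1)      # Test Period from the Synopsis
BURST_THRESHOLD = 5            # assumption: the page does not state a count
BASELINE_MAX = 2               # assumption: "doesn't usually run" = at most 2 runs in training

def is_cytool(event):
    """True when the executed image's base name is cytool (Windows or POSIX path)."""
    name = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in ("cytool", "cytool.exe")

def find_bursts(events, now):
    """Return {(host, user): count} for cytool bursts in the test window
    by users with little or no cytool history in the training window."""
    baseline, recent = defaultdict(int), defaultdict(int)
    for ev in events:
        if not is_cytool(ev):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["user"])
        if now - TEST <= ts <= now:
            recent[key] += 1
        elif now - TEST - TRAINING <= ts < now - TEST:
            baseline[key] += 1
    return {k: n for k, n in recent.items()
            if n >= BURST_THRESHOLD and baseline[k] <= BASELINE_MAX}

def make_event(ts, host, user, image):
    return {"ts": ts, "host": host, "user": user, "image": image}

# Constructed sample data: paths, hosts and users are placeholders.
CYTOOL = r"C:\example\cytool.exe"
NOW = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    # it-admin runs cytool routinely during training, then 6 times in the last hour
    [make_event(f"2024-04-{d:02d}T09:00:00", "ws-01", "it-admin", CYTOOL) for d in range(10, 20)]
    + [make_event(f"2024-05-01T11:{m:02d}:00", "ws-01", "it-admin", CYTOOL) for m in range(30, 36)]
    # jdoe has no cytool history, then runs it 8 times within minutes
    + [make_event(f"2024-05-01T11:{m:02d}:00", "ws-02", "jdoe", CYTOOL) for m in range(40, 48)]
    + [make_event("2024-05-01T11:50:00", "ws-02", "jdoe", r"C:\Windows\System32\cmd.exe")]
)

if __name__ == "__main__":
    for (host, user), count in find_bursts(SAMPLE_EVENTS, NOW).items():
        print(f"{host} {user}: {count} cytool executions in the last hour")
```

On the sample data only `jdoe` on `ws-02` is reported; `it-admin` is suppressed because the training window already shows regular cytool use.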