Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 30 Days
Required Data |
Detection Modules | Identity Analytics
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
A user executed a living-off-the-land binary (LOLBIN) process that is unusual for this user. This may be indicative of a compromised account.
Attacker's Goals
An attacker may execute unusual processes for various purposes, such as exfiltration or lateral movement.
Investigative actions
Investigate the process that was executed to determine if it was used for legitimate purposes or malicious activity.
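
The per-user baseline idea from the Description, as an added example that is not the product's own detection logic: a LOLBIN execution is flagged when the user has not run that binary within the preceding 30 days, and repeat alerts are suppressed for 30 days. The LOLBIN list, the event fields, the helper names and the interpretation of the Training and Deduplication periods are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Assumed LOLBIN subset for illustration; use a maintained list in practice.
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe"}
TRAINING = timedelta(days=30)  # assumed meaning: per-user baseline window
DEDUP = timedelta(days=30)     # assumed meaning: repeat-alert suppression window


def detect(events):
    """events: (timestamp, user, process_name) tuples sorted by time."""
    first_event = {}  # user -> first time any process was seen for them
    baseline = {}     # (user, process) -> last execution learned as normal
    last_alert = {}   # (user, process) -> time of the last alert raised
    alerts = []
    for ts, user, proc in events:
        proc = proc.lower()  # Windows image names are case-insensitive
        first_event.setdefault(user, ts)
        if proc not in LOLBINS:
            continue
        key = (user, proc)
        trained = ts - first_event[user] >= TRAINING
        seen = key in baseline and ts - baseline[key] <= TRAINING
        if not trained or seen:
            baseline[key] = ts  # learn: still training, or already usual
            continue
        # Unusual executions are not learned, so repeated use cannot
        # normalise itself; the deduplication window suppresses repeats.
        if key in last_alert and ts - last_alert[key] < DEDUP:
            continue
        last_alert[key] = ts
        alerts.append((ts, user, proc))
    return alerts


def day(n):
    return datetime(2024, 1, 1) + timedelta(days=n)


# Constructed process-execution events (not real telemetry).
SAMPLE_EVENTS = [
    (day(0), "alice", "rundll32.exe"),    # learned while alice is in training
    (day(0), "bob", "outlook.exe"),       # not a LOLBIN; starts bob's history
    (day(30), "alice", "RunDLL32.exe"),   # usual for alice: no alert
    (day(36), "bob", "certutil.exe"),     # never run by bob: alert
    (day(37), "bob", "certutil.exe"),     # repeat inside dedup window: suppressed
    (day(38), "carol", "mshta.exe"),      # carol has no 30-day history yet: no alert
    (day(40), "alice", "mshta.exe"),      # never run by alice: alert
    (day(70), "bob", "certutil.exe"),     # dedup window expired: alert again
]
```

Calling `detect(SAMPLE_EVENTS)` returns three alerts: bob's `certutil.exe` on day 36 and day 70, and alice's `mshta.exe` on day 40.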