Prep your Microsoft environment for an identity-based attack.
Book an identity exposure gap analysis today.

Vectra AI Detections

Get a demo
By Kill Chain Stage
ReconnaissanceLateral MovementCommand & ControlExfiltrationBotnet
By Attack Surface
NetworkAzure AD & M365AWS

Vectra AI Detections Across the Kill Chain

Vectra AI employs advanced threat detection mechanisms to detect and neutralize cyber threats throughout the stages of the attack chain.

After an initial exploit, the malware will contact its Command & Control server from which it will be remotely controlled in an automated fashion or by a human.

The attack usually progresses along the opportunistic path – the malware joins the host to a botnet and the bot herder steals information from the infected host and makes use of your resources to make money by attacking other systems across the Internet (Botnet Activity).

The attack may also have you as its intended target, something that is rarer, but also more threatening – in this case, the infected host will orient itself in your network (Reconnaissance), spread laterally to get closer to your crown jewels (Lateral Movement) and steal your data and send it to an outside system (Exfiltration).

List of Vectra AI Detections

Detections of Reconnaissance Activities

  • A host or account is mapping out the inside of your network or cloud environment
  • The activity may indicate that this is a targeted attack
  • Detection types cover fast scans and slow scans – your vulnerability scanner will show up here as it performs much the same activity as an attacker

AWS Network Configuration Discovery

AWS Organization Discovery

AWS S3 Enumeration

AWS Suspect Credential Access from EC2

AWS Suspect Credential Access from ECS

AWS Suspect Credential Access from SSM

AWS Suspect Discovery From EC2 Instance

AWS Suspect Escalation Reconnaissance

AWS Suspicious EC2 Enumeration

AWS User Permissions Enumeration

File Share Enumeration

Internal Darknet Scan

Kerberoasting: Cipher Downgrade

Kerberoasting: SPN Sweep

Kerberos Account Scan

Kerberos Brute-Sweep

M365 Suspect eDiscovery Usage

M365 Suspicious Compliance Search

M365 Unusual eDiscovery Search

RDP Recon

RPC Recon

RPC Targeted Recon

SMB Account Scan

Suspicious LDAP Query

Suspicious Port Scan

Suspicious Port Sweep

Detections of Lateral Movement

  • Covers scenarios of lateral action meant to further a targeted attack
  • This can involve attempts to steal account credentials or to steal data from another resource
  • It can also involve compromising another host or account to make the attacker’s foothold more durable or to get closer to target data

AWS ECR Hijacking

AWS Lambda Hijacking

AWS Logging Disabled

AWS Ransomware S3 Activity

AWS Security Tools Disabled

AWS Suspect Admin Privilege Granting

AWS Suspect Console Pivot

AWS Suspect Login Profile Manipulation

AWS Suspect Organization Exit

AWS Suspect Privilege Escalation

AWS User Hijacking

Automated Replication

Azure AD Change to Trusted IP Configuration

Azure AD MFA Disabled

Azure AD Newly Created Admin Account

Azure AD Privilege Operation Anomaly

Azure AD Successful Brute-Force

Azure AD Unusual Scripting Engine Usage

Brute-Force

M365 Attacker Tool: Ruler

M365 DLL Hijacking Activity

M365 Disabling of Security Tools

M365 External Teams Access

M365 Internal Spearphishing

M365 Log Disabling Attempt

M365 Malware Stage: Upload

M365 Ransomware

M365 Risky Exchange Operation

M365 Suspicious Mailbox Manipulation

M365 Suspicious Mailbox Rule Creation

M365 Suspicious SharePoint Operation

M365 Suspicious Teams Application

Privilege Anomaly: Unusual Account on Host

Privilege Anomaly: Unusual Host

Privilege Anomaly: Unusual Service

Privilege Anomaly: Unusual Service - Insider

Privilege Anomaly: Unusual Service from Host

Privilege Anomaly: Unusual Trio

Ransomware File Activity

SMB Brute-Force

SQL Injection Activity

Shell Knocker Client

Shell Knocker Server

Stage Loader

Suspicious Active Directory Operations

Suspicious Admin

Suspicious Remote Desktop Protocol

Suspicious Remote Execution

Detections of C2 Activities

  • A host or account appears to be under control of an external entity
  • Most often, the control is automated as the host or account is part of a botnet or has adware or spyware installed
  • The host or account may be manually controlled from the outside – this is the most threatening case and makes it highly likely that this is a targeted attack

AWS Root Credential Usage

AWS Suspicious Credential Usage

AWS TOR Activity

Azure AD Admin Account Creation

Azure AD MFA-Failed Suspicious Sign-On

Azure AD Redundant Access Creation

Azure AD Suspected Compromised Access

Azure AD Suspicious OAuth Application

Azure AD Suspicious Sign-on

Azure AD TOR Activity

External Remote Access

Hidden DNS Tunnel

Hidden HTTP Tunnel

Hidden HTTPS Tunnel

M365 Power Automate HTTP Flow Creation

M365 Suspicious Power Automate Flow Creation

Malware Update

Multi-home Fronted Tunnel

Peer-To-Peer

Stealth HTTP Post

Suspect Domain Activity

Suspicious HTTP

Suspicious Relay

TOR Activity

Detections of Exfiltration Activities

  • Covers scenarios where data is being sent outside or collected in a way meant to hide the data transfer
  • While data is constantly being sent out of the network or cloud environment, it usually does not involve the use of techniques meant to hide the transfer
  • The host or account transmitting the data, where it is transmitting the data, the amount of data and the technique used to send it all provide indicators of exfiltration

AWS Suspect External Access Granting

AWS Suspect Public AMI Change

AWS Suspect Public EBS Change

AWS Suspect Public EC2 Change

AWS Suspect Public RDS Change

AWS Suspect Public S3 Change

Data Gathering

Data Smuggler

Hidden DNS Tunnel

Hidden HTTP Tunnel

Hidden HTTPS Tunnel

M365 Exfiltration Before Termination

M365 Suspect Power Automate Activity

M365 Suspicious Download Activity

M365 Suspicious Exchange Transport Rule

M365 Suspicious Mail Forwarding

M365 Suspicious Sharing Activity

M365 eDiscovery Exfil

Smash and Grab

Detections of Botnet Activities

  • A host is making money for its bot herder
  • The ways in which an infected host can be used to produce value can range from mining bitcoins to sending spam emails to producing fake ad clicks
  • The bot herder is utilizing the host computer, its network connection and, most of all, the unsullied reputation of the assigned IP to turn a profit

AWS Cryptomining

AWS Suspect Traffic Mirror Creation

Brute-Force

Cryptocurrency Mining

Outbound DoS

Outbound Port Sweep

Detections by Attack Surface

Detections in the Network

Automated Replication

Brute-Force

Cryptocurrency Mining

Data Gathering

Data Smuggler

External Remote Access

File Share Enumeration

Hidden DNS Tunnel

Hidden HTTP Tunnel

Hidden HTTPS Tunnel

Internal Darknet Scan

Kerberoasting: Cipher Downgrade

Kerberoasting: SPN Sweep

Kerberos Account Scan

Kerberos Brute-Sweep

Malware Update

Multi-home Fronted Tunnel

Outbound DoS

Outbound Port Sweep

Peer-To-Peer

Privilege Anomaly: Unusual Account on Host

Privilege Anomaly: Unusual Host

Privilege Anomaly: Unusual Service

Privilege Anomaly: Unusual Service - Insider

Privilege Anomaly: Unusual Service from Host

Privilege Anomaly: Unusual Trio

RDP Recon

RPC Recon

RPC Targeted Recon

Ransomware File Activity

SMB Account Scan

SMB Brute-Force

SQL Injection Activity

Shell Knocker Client

Shell Knocker Server

Smash and Grab

Stage Loader

Stealth HTTP Post

Suspect Domain Activity

Suspicious Active Directory Operations

Suspicious Admin

Suspicious HTTP

Suspicious LDAP Query

Suspicious Port Scan

Suspicious Port Sweep

Suspicious Relay

Suspicious Remote Desktop Protocol

Suspicious Remote Execution

TOR Activity

Detections in Azure AD & M365

Azure AD Admin Account Creation

Azure AD Change to Trusted IP Configuration

Azure AD MFA Disabled

Azure AD MFA-Failed Suspicious Sign-On

Azure AD Newly Created Admin Account

Azure AD Privilege Operation Anomaly

Azure AD Redundant Access Creation

Azure AD Successful Brute-Force

Azure AD Suspected Compromised Access

Azure AD Suspicious OAuth Application

Azure AD Suspicious Sign-on

Azure AD TOR Activity

Azure AD Unusual Scripting Engine Usage

M365 Attacker Tool: Ruler

M365 DLL Hijacking Activity

M365 Disabling of Security Tools

M365 Exfiltration Before Termination

M365 External Teams Access

M365 Internal Spearphishing

M365 Log Disabling Attempt

M365 Malware Stage: Upload

M365 Power Automate HTTP Flow Creation

M365 Ransomware

M365 Risky Exchange Operation

M365 Suspect Power Automate Activity

M365 Suspect eDiscovery Usage

M365 Suspicious Compliance Search

M365 Suspicious Download Activity

M365 Suspicious Exchange Transport Rule

M365 Suspicious Mail Forwarding

M365 Suspicious Mailbox Manipulation

M365 Suspicious Mailbox Rule Creation

M365 Suspicious Power Automate Flow Creation

M365 Suspicious SharePoint Operation

M365 Suspicious Sharing Activity

M365 Suspicious Teams Application

M365 Unusual eDiscovery Search

M365 eDiscovery Exfil

Detections in AWS

AWS Cryptomining

AWS ECR Hijacking

AWS Lambda Hijacking

AWS Logging Disabled

AWS Network Configuration Discovery

AWS Organization Discovery

AWS Ransomware S3 Activity

AWS Root Credential Usage

AWS S3 Enumeration

AWS Security Tools Disabled

AWS Suspect Admin Privilege Granting

AWS Suspect Console Pivot

AWS Suspect Credential Access from EC2

AWS Suspect Credential Access from ECS

AWS Suspect Credential Access from SSM

AWS Suspect Discovery From EC2 Instance

AWS Suspect Escalation Reconnaissance

AWS Suspect External Access Granting

AWS Suspect Login Profile Manipulation

AWS Suspect Organization Exit

AWS Suspect Privilege Escalation

AWS Suspect Public AMI Change

AWS Suspect Public EBS Change

AWS Suspect Public EC2 Change

AWS Suspect Public RDS Change

AWS Suspect Public S3 Change

AWS Suspect Traffic Mirror Creation

AWS Suspicious Credential Usage

AWS Suspicious EC2 Enumeration

AWS TOR Activity

AWS User Hijacking

AWS User Permissions Enumeration

See our Detections in Action

Hop on a interactive platform tour and see how our AI detects what other solutions miss.

Launch the free tour
Ask for a custom demo