Examine built-in security agent alerts


Microsoft Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity. In addition, you can create custom alerts based on your knowledge of expected device behavior. An alert acts as an indicator of potential compromise, and should be investigated and remediated.

Installing and configuring a Security Agent onto your IoT devices adds a large number of alerts to your security solution.

High severity

| Name | Severity | Data source | Description | Suggested remediation steps |
| --- | --- | --- | --- | --- |
| Binary Command Line | High | Agent | A Linux binary being called/executed from the command line was detected. This process may be legitimate activity, or an indication that your device is compromised. | Review the command with the user that ran it. Verify that this command is intended to run on the device. If not, escalate the alert to your information security team. |
| Disable firewall | High | Agent | Possible manipulation of the on-host firewall detected. Malicious actors often disable the on-host firewall in an attempt to exfiltrate data. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to your information security team. |
| Port forwarding detection | High | Agent | Initiation of port forwarding to an external IP address detected. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Possible attempt to disable Auditd logging detected | High | Agent | The Linux Auditd system provides a way to track security-relevant information on the system. It records as much information as possible about the events happening on your system. This information is crucial in mission-critical environments for determining who violated the security policy and what actions they performed. Disabling Auditd logging may prevent you from discovering violations of the security policies used on the system. | Check with the device owner to ensure that this was an expected activity with business reasons. If not, this event may be hiding activity by malicious actors. Immediately escalate the incident to your information security team. |
| Reverse shells | High | Agent | Analysis of host data on a device detected a potential reverse shell. Reverse shells are often used to get a compromised machine to call back into a machine controlled by a malicious actor. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Successful Brute force attempt | High | Agent | Multiple unsuccessful login attempts were identified, followed by a successful login. The attempted brute force attack may have succeeded on the device. | Review the SSH Brute force alert and the activity on the device. If the activity was malicious: roll out a password reset for compromised accounts, and investigate the device for malware and remediate it if found. |
| Successful local login | High | Agent | Successful local sign-in to the device detected. | Make sure the signed-in user is an authorized party. |
| Web shell | High | Agent | Possible web shell detected. Malicious actors commonly upload a web shell to a compromised machine to gain persistence or for further exploitation. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |

Medium severity

| Name | Severity | Data source | Description | Suggested remediation steps |
| --- | --- | --- | --- | --- |
| Behavior similar to common Linux bots detected | Medium | Agent | Execution of a process normally associated with common Linux botnets detected. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Behavior similar to Fairware ransomware detected | Medium | Agent | Execution of rm -rf commands applied to suspicious locations detected using analysis of host data. Because rm -rf recursively deletes files, it is normally only used on discrete folders. In this case, it is being used in a location that could remove a large amount of data. Fairware ransomware is known to execute rm -rf commands in this folder. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Behavior similar to ransomware detected | Medium | Agent | Execution of files similar to known ransomware that may prevent users from accessing their system or personal files, and may demand ransom payment to regain access. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Crypto coin miner container image detected | Medium | Agent | A container running a known digital currency mining image was detected. | 1. If this behavior is not intended, delete the relevant container image. 2. Make sure that the Docker daemon is not accessible via an unsafe TCP socket. 3. Escalate the alert to the information security team. |
| Crypto coin miner image | Medium | Agent | Execution of a process normally associated with digital currency mining detected. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Detected suspicious use of the nohup command | Medium | Agent | Suspicious use of the nohup command on the host detected. Malicious actors commonly run the nohup command from a temporary directory, effectively allowing their executables to run in the background. Seeing this command run on files located in a temporary directory is not expected or usual behavior. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Detected suspicious use of the useradd command | Medium | Agent | Suspicious use of the useradd command detected on the device. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Exposed Docker daemon by TCP socket | Medium | Agent | Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker does not use encryption or authentication when a TCP socket is enabled, so the default configuration gives anyone with access to the relevant port full access to the Docker daemon. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Failed local login | Medium | Agent | A failed local login attempt to the device was detected. | Make sure no unauthorized party has physical access to the device. |
| File downloads from a known malicious source detected | Medium | Agent | Download of a file from a known malware source detected. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| htaccess file access detected | Medium | Agent | Analysis of host data detected possible manipulation of an htaccess file. Htaccess is a powerful configuration file that allows you to make multiple changes to a web server running Apache web software, including basic redirect functionality and more advanced functions such as basic password protection. Malicious actors often modify htaccess files on compromised machines to gain persistence. | Confirm that this is an expected activity on the host. If not, escalate the alert to your information security team. |
| Known attack tool | Medium | Agent | A tool often associated with malicious users attacking other machines in some way was detected. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| IoT agent attempted and failed to parse the module twin configuration | Medium | Agent | The Microsoft Defender for IoT security agent failed to parse the module twin configuration due to type mismatches in the configuration object. | Validate your module twin configuration against the IoT agent configuration schema and fix all mismatches. |
| Local host reconnaissance detected | Medium | Agent | Execution of a command normally associated with common Linux bot reconnaissance detected. | Review the suspicious command line to confirm that it was executed by a legitimate user. If not, escalate the alert to your information security team. |
| Mismatch between script interpreter and file extension | Medium | Agent | Mismatch between the script interpreter and the extension of the script file provided as input detected. This type of mismatch is commonly associated with attacker script executions. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Possible backdoor detected | Medium | Agent | A suspicious file was downloaded and then run on a host in your subscription. This type of activity is commonly associated with the installation of a backdoor. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Potential loss of data detected | Medium | Agent | Possible data egress condition detected using analysis of host data. Malicious actors often egress data from compromised machines. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Potential overriding of common files | Medium | Agent | A common executable was overwritten on the device. Malicious actors are known to overwrite common files as a way to hide their actions or as a way to gain persistence. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Privileged container detected | Medium | Agent | Machine logs indicate that a privileged Docker container is running. A privileged container has full access to host resources. If compromised, a malicious actor can use the privileged container to gain access to the host machine. | If the container doesn't need to run in privileged mode, remove the privileges from the container. |
| Removal of system logs files detected | Medium | Agent | Suspicious removal of log files on the host detected. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Space after filename | Medium | Agent | Execution of a process with a suspicious extension detected using analysis of host data. Suspicious extensions may trick users into thinking files are safe to open and can indicate the presence of malware on the system. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Suspected malicious credentials access tools detected | Medium | Agent | Usage of a tool commonly associated with malicious attempts to access credentials detected. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Suspicious compilation detected | Medium | Agent | Suspicious compilation detected. Malicious actors often compile exploits on a compromised machine to escalate privileges. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Suspicious file download followed by file run activity | Medium | Agent | Analysis of host data detected a file that was downloaded and run in the same command. This technique is commonly used by malicious actors to get infected files onto victim machines. | Review with the user that ran the command. Verify that this was an expected activity on the device. If not, escalate the alert to the information security team. |
| Suspicious IP address communication | Medium | Agent | Communication with a suspicious IP address detected. | Verify whether the connection is legitimate. Consider blocking communication with the suspicious IP. |
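Three of the medium-severity alerts above concern the container runtime: a dockerd TCP socket without TLS, a container started in privileged mode, and the "unsafe TCP socket" step of the crypto-miner remediation. The following Python audit is an added example, not code from the Microsoft documentation or from the Defender for IoT agent. It reads a daemon.json and the output of `docker inspect`, both embedded here as constructed samples, and reports findings worded like the alerts together with the fix. The daemon.json keys `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey` and the inspect field `HostConfig.Privileged` are the real Docker settings; the hostnames, paths and container names are made up.

```python
"""Audit a Docker host for an unauthenticated TCP daemon socket and for
privileged containers. Added example; inputs are constructed samples of
/etc/docker/daemon.json and `docker inspect` output, embedded below."""
import json
from typing import List

# Constructed: the weak daemon.json that triggers "Exposed Docker daemon by
# TCP socket". tcp://0.0.0.0:2375 with no TLS keys means no client auth.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "log-driver": "json-file",
})

# Constructed: the corrected daemon.json. tlsverify makes dockerd require a
# client certificate signed by tlscacert before it accepts API calls.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",        # assumed path
    "tlscert": "/etc/docker/server-cert.pem",  # assumed path
    "tlskey": "/etc/docker/server-key.pem",    # assumed path
})

# Constructed: `docker inspect` output trimmed to the fields used here.
SAMPLE_INSPECT_JSON = json.dumps([
    {"Id": "aaa111", "Name": "/sensor-reader",
     "Config": {"Image": "example.local/sensor-reader:1.2"},
     "HostConfig": {"Privileged": False}},
    {"Id": "bbb222", "Name": "/gpio-bridge",
     "Config": {"Image": "example.local/gpio-bridge:0.9"},
     "HostConfig": {"Privileged": True}},
])

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def unsafe_tcp_hosts(daemon_json: str) -> List[str]:
    """Return tcp:// listeners that dockerd would serve without TLS client
    authentication. Only tls + tlsverify + all three cert paths count as safe."""
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    verified = (bool(cfg.get("tls")) and bool(cfg.get("tlsverify"))
                and all(k in cfg for k in TLS_KEYS))
    if verified:
        return []
    return [h for h in hosts if h.startswith("tcp://")]


def privileged_containers(inspect_json: str) -> List[str]:
    """Return names of containers whose HostConfig.Privileged is true."""
    found = []
    for c in json.loads(inspect_json):
        if c.get("HostConfig", {}).get("Privileged") is True:
            found.append(c.get("Name", c.get("Id", "?")).lstrip("/"))
    return found


def audit(daemon_json: str, inspect_json: str) -> List[str]:
    """Produce findings worded like the agent alerts, each with its remediation."""
    findings = []
    for h in unsafe_tcp_hosts(daemon_json):
        findings.append(
            f"Exposed Docker daemon by TCP socket: {h} has no TLS client "
            "authentication; remove it from 'hosts' or set tls/tlsverify with certs")
    for name in privileged_containers(inspect_json):
        findings.append(
            f"Privileged container detected: {name}; recreate it without "
            "--privileged and grant only the devices or capabilities it needs")
    return findings


if __name__ == "__main__":
    for line in audit(WEAK_DAEMON_JSON, SAMPLE_INSPECT_JSON):
        print(line)
    print("hardened config findings:", audit(HARDENED_DAEMON_JSON, "[]"))
```

On a real host the two inputs would come from `/etc/docker/daemon.json` and `docker inspect $(docker ps -q)`; the check deliberately treats `tls` without `tlsverify` as still exposed, because dockerd then encrypts the connection but accepts any client.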

Low severity

| Name | Severity | Data source | Description | Suggested remediation steps |
| --- | --- | --- | --- | --- |
| Bash history cleared | Low | Agent | Bash history log cleared. Malicious actors commonly erase bash history to hide their own commands from appearing in the logs. | Review with the user that ran the command. Verify that this was an expected administrative activity on the device. If not, escalate the alert to the information security team. |
| Device silent | Low | Agent | The device has not sent any telemetry data in the last 72 hours. | Make sure the device is online and sending data. Check that the Azure Security Agent is running on the device. |
| Failed Brute force attempt | Low | Agent | Multiple unsuccessful login attempts identified. A potential brute force attack attempt failed on the device. | Review SSH Brute force alerts and the activity on the device. No further action required. |
| Local user added to one or more groups | Low | Agent | New local user added to a group on this device. Changes to user groups are uncommon, and can indicate a malicious actor may be collecting access permissions. | Verify that the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your information security team. |
| Local user deleted from one or more groups | Low | Agent | A local user was deleted from one or more groups. Malicious actors are known to use this method in an attempt to deny access to legitimate users or to delete the history of their actions. | Verify that the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your information security team. |
| Local user deletion detected | Low | Agent | Deletion of a local user detected. Local user deletion is uncommon; a malicious actor may be trying to deny access to legitimate users or to delete the history of their actions. | Verify that the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your information security team. |
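The "Successful Brute force attempt" (high) and "Failed Brute force attempt" (low) alerts describe the same pattern with different outcomes: a run of failed logins for one account from one source, with or without an Accepted entry afterwards. The following Python detector is an added example, not the agent's own logic or any code from the Microsoft documentation: it parses constructed sshd lines in syslog format and classifies each (user, source) pair into one of the two alert names. The failure threshold, the time window and every log line are assumptions chosen for the example.

```python
"""Classify SSH brute-force activity from auth log lines into the agent's
'Failed Brute force attempt' and 'Successful Brute force attempt' alerts.
Added example; threshold, window and log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sshd entries (syslog format, year omitted as on most hosts).
# admin@203.0.113.7: four failures then success. pi@198.51.100.9: three
# failures, gives up. operator@192.0.2.44: one typo, then a normal key login.
SAMPLE_AUTH_LOG = """\
Mar 12 10:15:01 iotdev sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 12 10:15:03 iotdev sshd[1202]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar 12 10:15:05 iotdev sshd[1203]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 12 10:15:06 iotdev sshd[1204]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar 12 10:15:09 iotdev sshd[1205]: Accepted password for admin from 203.0.113.7 port 51030 ssh2
Mar 12 10:20:00 iotdev sshd[1300]: Failed password for invalid user pi from 198.51.100.9 port 40001 ssh2
Mar 12 10:20:02 iotdev sshd[1301]: Failed password for invalid user pi from 198.51.100.9 port 40002 ssh2
Mar 12 10:20:04 iotdev sshd[1302]: Failed password for invalid user pi from 198.51.100.9 port 40003 ssh2
Mar 12 11:00:00 iotdev sshd[1400]: Failed password for operator from 192.0.2.44 port 33001 ssh2
Mar 12 11:00:30 iotdev sshd[1401]: Accepted publickey for operator from 192.0.2.44 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

FAIL_THRESHOLD = 3              # assumed: failures that count as brute force
WINDOW = timedelta(minutes=10)  # assumed: failures must fall inside this window

Event = Tuple[datetime, str, str, bool]


def parse(log: str, year: int = 2024) -> List[Event]:
    """Return (timestamp, user, source, accepted) for each sshd auth line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd or syslog noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["src"], m["result"] == "Accepted"))
    return events


def classify(log: str) -> Dict[Tuple[str, str], str]:
    """Map (user, source) to an alert name; pairs below threshold are omitted.

    A run of FAIL_THRESHOLD failures inside WINDOW is brute force. If an
    Accepted line for the same pair follows that run, the high-severity
    'successful' alert replaces the low-severity 'failed' one. A success
    that is not preceded by such a run simply resets the failure window."""
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, bool]]] = defaultdict(list)
    for ts, user, src, accepted in parse(log):
        by_pair[(user, src)].append((ts, accepted))

    alerts: Dict[Tuple[str, str], str] = {}
    for pair, events in by_pair.items():
        events.sort()
        recent_failures: List[datetime] = []
        brute_force_seen = False
        for ts, accepted in events:
            if accepted:
                if brute_force_seen:
                    alerts[pair] = "Successful Brute force attempt"
                    break
                recent_failures.clear()
                continue
            recent_failures.append(ts)
            recent_failures = [t for t in recent_failures if ts - t <= WINDOW]
            if len(recent_failures) >= FAIL_THRESHOLD:
                brute_force_seen = True
                alerts[pair] = "Failed Brute force attempt"
    return alerts


if __name__ == "__main__":
    for (user, src), alert in classify(SAMPLE_AUTH_LOG).items():
        print(f"{alert}: user={user} source={src}")
```

The classification follows the remediation guidance in the tables: the low-severity pair needs only a review, while the high-severity pair is the one where a password reset and malware check are warranted.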