Suspicious and Malicious Activity Explained by Statistical Anomalies
This catalog explains how observable suspicious and malicious activity can manifest as statistical anomalies. It connects ATT&CK-aligned activity to the reference population, expected behavior, measurable deviation, applicable statistical anomaly types, and supporting log sources.
An anomaly does not prove malicious intent. It establishes that observed behavior differs materially from an explicit expectation. Activities that are better detected through signatures, deterministic policy checks, or threat intelligence are marked as weak anomaly candidates.
Mapping Model
For every mapping:
- Comparison unit identifies the entity, group, sequence, graph, or distribution being evaluated.
- Expected behavior defines the relevant baseline or reference model.
- Statistical explanation states the measurable deviation produced by the activity.
- Anomaly types link to the precise statistical concepts that explain the deviation.
- Evidence sources link to telemetry capable of measuring it.
- CTI/IR evidence links to a downloaded report copy and its original publisher. The report documents the observed or investigated behavior and its threat context; the statistical anomaly interpretation is the analysis made in this catalog.
The same report may support multiple mappings when the investigation documented a multi-stage intrusion. A report link establishes that the behavior occurred in a real investigation or threat campaign; it does not imply that the report authors used the same statistical terminology or detection model.
Reconnaissance
| Activity and ATT&CK | Statistical explanation | Anomaly types | Evidence sources | CTI/IR evidence |
|---|---|---|---|---|
| Repeated probing of public services — T1595 Active Scanning | Unit: source address or source network. Expected: ordinary clients contact a small set of exposed services. Deviation: unusually high destination-port or destination-host fan-out within a short interval. | Rate Anomaly, Burst Anomaly, Fan-Out Anomaly | Network Firewall Logs, Network Flow Logs | Documented in FortiGuard Incident Response Report H1 2023 — downloaded copy (original source) |
| Enumeration of public web paths and APIs — T1595.003 Wordlist Scanning | Unit: client session. Expected: requests follow common application paths with ordinary response-code proportions. Deviation: high path diversity, repeated missing-resource responses, and an unusual request composition. | Count Anomaly, Ratio or Proportion Anomaly, Categorical-Distribution Anomaly | Web Server Access Logs, Web Application Firewall Logs | Documented in Volt Typhoon joint advisory — downloaded copy (original source) |
| DNS enumeration or zone-transfer attempts — T1590 Gather Victim Network Information | Unit: requesting client. Expected: clients request a limited distribution of record types and names. Deviation: rare query types, unusually broad name coverage, or a sudden increase in authoritative queries. | Rare-Category Anomaly, Volume Anomaly, Distribution-Shift Anomaly | Authoritative DNS Logs, DNS Resolver Logs | Documented in Volt Typhoon joint advisory — downloaded copy (original source) |
Initial Access
| Activity and ATT&CK | Statistical explanation | Anomaly types | Evidence sources | CTI/IR evidence |
|---|---|---|---|---|
| Malicious attachment, link, or message delivery — T1566 Phishing | Unit: sender-recipient relationship and message feature vector. Expected: established senders use recurring infrastructure, content types, and recipient groups. Deviation: first-seen sender-recipient edge combined with unusual attachment, URL, or message characteristics. | Edge Anomaly, Novel-Category Anomaly, Multivariate Combination Anomaly | Email Gateway Logs, Mailbox Audit Logs | Documented in Truebot joint advisory — downloaded copy (original source) |
| User opens delivered content followed by execution — T1566 Phishing | Unit: user and endpoint event sequence. Expected: opening messages or documents rarely transitions directly to script or command execution. Deviation: low-probability communication-to-file-to-process transition. | Sequence-Order Anomaly, Transition Anomaly, Cross-View Anomaly | Email Gateway Logs, File-System Activity Logs, Process Execution Logs | Documented in Truebot joint advisory — downloaded copy (original source) |
| Public-facing application exploitation — T1190 Exploit Public-Facing Application | Unit: request and application process. Expected: requests produce known response patterns and application behavior. Deviation: request feature combinations, error distributions, or request-to-child-process transitions outside the normal application flow. Signature detection is often stronger for known exploits. | Conditional Anomaly, Transition Anomaly, Distribution-Shift Anomaly | Web Application Firewall Logs, Web Server Access Logs, Application Runtime Logs | Documented in Play ransomware joint advisory — downloaded copy (original source) |
| Valid credentials used from an unexpected context — T1078 Valid Accounts | Unit: identity. Expected: each identity and peer group uses a stable set of locations, devices, applications, times, and authentication methods. Deviation: a rare combination or abrupt shift across those attributes. | Self-Baseline Anomaly, Peer-Group Anomaly, Temporal-Context Anomaly, Multivariate Combination Anomaly | Identity Provider Sign-In Logs, Directory-Service Authentication Logs, Remote Access and VPN Authentication Logs | Documented in Scattered Spider joint advisory — downloaded copy (original source) |
| External remote-service session — T1133 External Remote Services | Unit: user-device-service relationship. Expected: remote access follows established source, device, and destination relationships. Deviation: a new edge, unusual session duration, or access outside the entity's temporal context. | Edge Anomaly, Duration Anomaly, Temporal-Context Anomaly | Remote Access and VPN Authentication Logs, Remote Desktop and Remote Support Logs | Documented in Play ransomware joint advisory — downloaded copy (original source) |
| Compromised software or update installation — T1195 Supply Chain Compromise | Unit: package, publisher, and installation population. Expected: approved packages originate from known publishers and produce consistent post-install behavior. Deviation: novel package-publisher combination or synchronized behavioral shift across many endpoints. | Category-Combination Anomaly, Synchronization Anomaly, Population Anomaly | Package and Software Installation Logs, Artifact Repository Logs, Process Execution Logs | Documented in Mandiant SUNBURST investigation — downloaded copy (original source) |
Execution
| Activity and ATT&CK | Statistical explanation | Anomaly types | Evidence sources | CTI/IR evidence |
|---|---|---|---|---|
| Command or scripting interpreter execution — T1059 Command and Scripting Interpreter | Unit: user, host, and process lineage. Expected: interpreters are launched by recurring parents with familiar arguments. Deviation: rare parent-interpreter edge, first-seen argument pattern, or unusual execution rate. | Self-Baseline Anomaly, Edge Anomaly, Rare-Category Anomaly | Process Execution Logs, Script-Execution Logs | Documented in Volt Typhoon joint advisory — downloaded copy (original source) |
| PowerShell script, encoded content, or remote command execution — T1059.001 PowerShell | Unit: account-host-script combination. Expected: recurring administrative scripts use known modules, hosts, and execution paths. Deviation: novel script features, uncommon account-host relationship, or unusual sequence of module and process activity. | Novel-Category Anomaly, Category-Combination Anomaly, Sequence-Order Anomaly | Windows PowerShell Logs, Process Execution Logs | Documented in Truebot joint advisory — downloaded copy (original source) |
| Trusted system binary launches unexpected content — T1218 System Binary Proxy Execution | Unit: parent-child process relationship and command context. Expected: trusted binaries execute a limited set of recurring children or resources. Deviation: an otherwise common binary forms a rare edge or conditional combination. | Conditional Anomaly, Edge Anomaly, Category-Combination Anomaly | Process Execution Logs, Application-Control Logs | Documented in Volt Typhoon joint advisory — downloaded copy (original source) |
| Scheduled job, service, or automation executes payload — T1053 Scheduled Task/Job | Unit: scheduled object and resulting process sequence. Expected: scheduled objects run consistent actions at recurring times. Deviation: new action, new owner, phase change, or unexpected task-to-process transition. | Phase Anomaly, Transition Anomaly, Novel-Category Anomaly | Scheduled Task and Job Logs, Process Execution Logs | Documented in FortiGuard Incident Response Report H1 2023 — downloaded copy (original source) |
| Container administration interface executes command — T1609 Container Administration Command | Unit: identity-namespace-workload relationship. Expected: a small approved set of identities performs interactive execution in specific namespaces. Deviation: new identity-to-namespace edge or rare service-account action. | Edge Anomaly, Peer-Group Anomaly, Rare-Category Anomaly | Orchestrator Audit Logs, Container Runtime Logs | Documented in Sysdig TeamTNT kubelet investigation — downloaded copy (original source) |
| Unexpected serverless or cloud-workload invocation — T1648 Serverless Execution | Unit: function, caller, and trigger. Expected: functions are invoked by known trigger and caller combinations with stable rates. Deviation: new caller-trigger edge, burst, or invocation outside established temporal context. | Edge Anomaly, Burst Anomaly, Temporal-Context Anomaly | Cloud Function and Serverless Logs, Cloud Control-Plane Audit Logs | Documented in Sysdig AI-assisted cloud intrusion investigation — downloaded copy (original source) |
Persistence and Privilege Escalation
| Activity and ATT&CK | Statistical explanation | Anomaly types | Evidence sources | CTI/IR evidence |
|---|---|---|---|---|
| New local, domain, cloud, or service account — T1136 Create Account | Unit: creator, target account type, and time. Expected: account creation is performed by a small set of provisioning identities following recurring workflows. Deviation: rare creator, unusual account type, or creation outside expected sequence. | Peer-Group Anomaly, Rare-Category Anomaly, Transition Anomaly | Directory-Service Audit Logs, Identity Provider Audit Logs | Documented in Scattered Spider joint advisory — downloaded copy (original source) |
| Credential, group, role, or account-property modification — T1098 Account Manipulation | Unit: identity privilege graph. Expected: privilege edges are created through known administrators and approved paths. Deviation: new high-impact edge, uncommon path to privilege, or sudden graph restructuring. | Edge Anomaly, Graph-Path-Length Anomaly, Graph-Evolution Anomaly | Directory-Service Audit Logs, Cloud Identity and Access Management Logs | Documented in FortiGuard Incident Response Report H1 2023 — downloaded copy (original source) |
| Startup or logon configuration changed to launch code — T1547 Boot or Logon Autostart Execution | Unit: host and autostart location. Expected: stable set of startup entries and executable targets. Deviation: first-seen target, unusual modification actor, or abrupt state transition. | Novel-Category Anomaly, Self-Baseline Anomaly, Change-Point Anomaly | Registry and Configuration-Store Logs, File-System Activity Logs | Documented in Volt Typhoon joint advisory — downloaded copy (original source) |
| New or modified system service — T1543 Create or Modify System Process | Unit: host-service-binary relationship. Expected: services and binary paths remain stable for a host class. Deviation: new edge or service configuration unlike peers. | Edge Anomaly, Peer-Group Anomaly, Novel-Category Anomaly | Service and Daemon Management Logs, Windows System Event Logs | Documented in Volt Typhoon joint advisory — downloaded copy (original source) |
| Email forwarding rule created — T1114.003 Email Forwarding Rule | Unit: mailbox-destination relationship. Expected: forwarding is absent or targets a small stable destination set. Deviation: first-seen external destination or rule created outside the user's normal workflow. | Edge Anomaly, Novel-Category Anomaly, Temporal-Context Anomaly | Mailbox Audit Logs, Application Audit Logs | Documented in FortiGuard Incident Response Report H1 2023 — downloaded copy (original source) |
| Privileged or long-running container workload deployed — T1610 Deploy Container | Unit: deployer-image-namespace-runtime configuration. Expected: peer workloads use approved images and recurring privilege profiles. Deviation: rare combination of privilege, image, mounts, identity, and namespace. | Multivariate Combination Anomaly, Peer-Group Anomaly, Novel-Category Anomaly | Orchestrator Audit Logs, Container Runtime Logs, Container Image Registry Logs | Documented in Sysdig SCARLETEEL 2.0 ATT&CK analysis — downloaded copy (original source) |
| Process or account invokes elevation mechanism — T1548 Abuse Elevation Control Mechanism | Unit: identity, host, and elevation action. Expected: elevation is concentrated among specific roles and tools. Deviation: peer-group deviation, unusual transition from low to high privilege, or burst of elevation actions. | Peer-Group Anomaly, Transition Anomaly, Burst Anomaly | Windows Security Event Logs, Linux Authentication Logs | Documented in Sysdig AI-assisted cloud intrusion investigation — downloaded copy (original source) |
Defense Evasion
| Activity and ATT&CK | Statistical explanation | Anomaly types | Evidence sources | CTI/IR evidence |
|---|---|---|---|---|
| Object renamed to resemble trusted object — T1036 Masquerading | Unit: name-path-hash-publisher combination. Expected: trusted names correspond to stable paths, hashes, and publishers. Deviation: common name appears in an improbable feature combination. | Conditional Anomaly, Category-Combination Anomaly, Multivariate Combination Anomaly | Process Execution Logs, Application-Control Logs | Documented in Volt Typhoon joint advisory — downloaded copy (original source) |
| Encoded, packed, or obfuscated content — T1027 Obfuscated Files or Information | Unit: content or command representation. Expected: ordinary content has stable length, entropy, token, and character distributions. Deviation: extreme entropy, rare token composition, or distribution shift. | Tail Anomaly, Entropy Anomaly, Distribution-Shift Anomaly | Script-Execution Logs, Content Inspection and Malware Scanning Logs | Documented in Mandiant SUNBURST investigation — downloaded copy (original source) |
| Process injection or in-memory execution — T1055 Process Injection | Unit: process-to-process access graph and event sequence. Expected: cross-process memory and thread relationships occur among a limited set of process pairs. Deviation: rare edge followed by an unusual write-to-execution transition. | Edge Anomaly, Transition Anomaly, Subgraph Anomaly | Endpoint Detection and Response Telemetry, Memory-Protection and Exploit-Mitigation Logs | Documented in Truebot joint advisory — downloaded copy (original source) |
| File timestamps, metadata, logs, or indicators modified — T1070 Indicator Removal | Unit: file or telemetry stream. Expected: metadata follows causal ordering and log sources emit regularly. Deviation: impossible timestamp relationships, sudden missing telemetry, or abrupt state change. | Conditional Anomaly, Drought or Silence Anomaly, Missing-Correspondence Anomaly | File-System Activity Logs, Central Log Collector Logs | Documented in Play ransomware joint advisory — downloaded copy (original source) |
| Security tool, sensor, or logging disabled — T1562.001 Disable or Modify Tools | Unit: endpoint or source heartbeat stream. Expected: sensors emit recurring telemetry and remain enabled. Deviation: abrupt level shift to zero, missing correspondence, or sustained silence. | Drought or Silence Anomaly, Level-Shift Anomaly, Missing-Correspondence Anomaly | Endpoint Sensor Health Logs, Central Log Collector Logs, Security Information and Event Management Logs | Documented in Play ransomware joint advisory — downloaded copy (original source) |
| Firewall policy disabled or weakened — T1562.004 Disable or Modify System Firewall | Unit: firewall rule population and actor. Expected: policy changes originate from a limited admin group and approved change process. Deviation: rare actor-rule combination or abrupt distribution shift toward permissive rules. | Peer-Group Anomaly, Category-Combination Anomaly, Distribution-Shift Anomaly | Local Firewall Logs, Network Firewall Logs, Cloud Firewall and Security-Group Logs | Documented in Volt Typhoon joint advisory — downloaded copy (original source) |
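The "sensor disabled" row above rests on three anomaly types that can be computed from a heartbeat stream alone plus one second log source. The following is an added example, not part of the catalog or any cited report, that derives each host's self-baseline gap from its own heartbeats, flags a drought or level shift to zero, and detects missing correspondence when a host still appears in another source; the host names, intervals and the second source are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def constructed_heartbeats():
    """Constructed sensor heartbeat stream as (timestamp, host) pairs; not real telemetry.

    host-a reports every 60 s until 08:30 and then goes silent; host-b keeps
    reporting through 09:00.
    """
    start = parse_ts("2024-03-01T08:00:00Z")
    beats = [(start + timedelta(seconds=60 * i), "host-a") for i in range(31)]
    beats += [(start + timedelta(seconds=60 * i), "host-b") for i in range(61)]
    return sorted(beats)


# Constructed events from a second source (e.g. a central log collector) showing
# that host-a still produced other telemetry after its sensor went quiet.
CONSTRUCTED_OTHER_SOURCE = [
    (parse_ts("2024-03-01T08:50:00Z"), "host-a"),
    (parse_ts("2024-03-01T08:55:00Z"), "host-b"),
]


def expected_gap_seconds(times):
    """Self-baseline: the median inter-arrival time of a host's own heartbeats."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return median(gaps) if gaps else None


def silence_anomalies(beats, now, factor=5.0):
    """Drought/Silence and Level-Shift: the longest gap per host, including the
    open gap from the last heartbeat to `now`, compared with its own baseline."""
    by_host = defaultdict(list)
    for ts, host in beats:
        by_host[host].append(ts)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        baseline = expected_gap_seconds(times)
        if baseline is None:
            continue
        bounds = list(zip(times, times[1:] + [now]))
        gap_start, gap_end = max(bounds, key=lambda b: b[1] - b[0])
        observed = (gap_end - gap_start).total_seconds()
        if observed > factor * baseline:
            flagged[host] = {"expected_gap_s": baseline, "observed_gap_s": observed,
                             "silent_since": gap_start}
    return flagged


def missing_correspondence(beats, other_events, grace=timedelta(minutes=5)):
    """Missing-Correspondence: a host appears in another log source more than
    `grace` after its last sensor heartbeat, so the host is alive but the sensor is not."""
    last_beat = {}
    for ts, host in beats:
        last_beat[host] = max(ts, last_beat.get(host, ts))
    flagged = {}
    for ts, host in other_events:
        last = last_beat.get(host)
        if last is None or ts - last > grace:
            flagged[host] = {"seen_in_other_source": ts, "last_heartbeat": last}
    return flagged


if __name__ == "__main__":
    now = parse_ts("2024-03-01T09:00:00Z")
    beats = constructed_heartbeats()
    print(silence_anomalies(beats, now))
    print(missing_correspondence(beats, CONSTRUCTED_OTHER_SOURCE))
```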
Credential Access
| Activity and ATT&CK | Statistical explanation | Anomaly types | Evidence sources | CTI/IR evidence |
|---|---|---|---|---|
| Repeated password guessing against an account — T1110 Brute Force | Unit: account and source. Expected: low failure counts and stable success-to-failure ratio. Deviation: burst, rate increase, or ratio shift. | Rate Anomaly, Burst Anomaly, Ratio or Proportion Anomaly | Identity Provider Sign-In Logs, Directory-Service Authentication Logs | Documented in Scattered Spider joint advisory — downloaded copy (original source) |
| Low-volume failures distributed across many accounts — T1110.003 Password Spraying | Unit: source-to-account authentication graph. Expected: a source authenticates to a small set of accounts. Deviation: unusually high fan-out with low per-account frequency. | Fan-Out Anomaly, Graph-Evolution Anomaly, Collective Anomaly | Identity Provider Sign-In Logs, Directory-Service Authentication Logs | Documented in Scattered Spider joint advisory — downloaded copy (original source) |
| Repeated MFA prompts and denials — T1621 Multi-Factor Authentication Request Generation | Unit: account challenge sequence. Expected: isolated prompts, each followed promptly by a response. Deviation: burst of repeated prompts, abnormal inter-arrival times, or unusual denial ratio. | Burst Anomaly, Inter-Arrival-Time Anomaly, Ratio or Proportion Anomaly | Multi-Factor Authentication Logs, Identity Provider Sign-In Logs | Documented in Scattered Spider joint advisory — downloaded copy (original source) |
| Protected credential memory or stores accessed — T1003 OS Credential Dumping | Unit: process-to-protected-resource relationship. Expected: only a small approved process set accesses credential resources. Deviation: first-seen edge or rare process-resource combination. | Edge Anomaly, Rare-Category Anomaly, Conditional Anomaly | Endpoint Detection and Response Telemetry, Memory-Protection and Exploit-Mitigation Logs | Documented in Play ransomware joint advisory — downloaded copy (original source) |
| Unusual service-ticket requests — T1558.003 Kerberoasting | Unit: account-service ticket relationships. Expected: accounts request tickets for a stable service set and encryption distribution. Deviation: fan-out across services, request burst, or rare encryption category. | Fan-Out Anomaly, Burst Anomaly, Rare-Category Anomaly | Directory-Service Authentication Logs, Windows Security Event Logs | Documented in Play ransomware joint advisory — downloaded copy (original source) |
| Cloud secrets, keys, or tokens retrieved — T1552 Unsecured Credentials | Unit: identity-secret relationship. Expected: stable identities access specific secret sets. Deviation: new edge, peer-group deviation, or sudden access burst. | Edge Anomaly, Peer-Group Anomaly, Burst Anomaly | Cloud Secrets-Manager Logs, Secrets-Management Logs | Documented in Sysdig SCARLETEEL investigation — downloaded copy (original source) |
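The brute-force and password-spraying rows above describe two opposite shapes on the same sign-in telemetry: deep and narrow against one account, wide and shallow across many. The following is an added example, not part of the catalog or any cited report, that computes both from constructed sign-in log lines; the field order, thresholds, account names and addresses are assumptions standing in for a learned baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_signin_log():
    """Constructed sign-in log lines (timestamp,account,source,outcome); not real telemetry."""
    lines = [
        "2024-03-01T08:00:01Z,alice,10.0.0.5,success",
        "2024-03-01T08:06:00Z,alice,10.0.0.5,failure",   # one ordinary mistyped password
        "2024-03-01T08:06:09Z,alice,10.0.0.5,success",
        "2024-03-01T08:15:10Z,bob,10.0.0.6,success",
    ]
    # Brute force: 12 failures against one account from one source inside 60 seconds.
    for i in range(12):
        lines.append(f"2024-03-01T09:00:{5 * i:02d}Z,carol,203.0.113.9,failure")
    # Spraying: one failure each against 20 accounts from one source, a minute apart.
    for i in range(20):
        lines.append(f"2024-03-01T10:{i:02d}:00Z,user{i:02d},198.51.100.7,failure")
    return lines


def parse_signins(lines):
    events = []
    for line in lines:
        ts, account, source, outcome = line.strip().split(",")
        events.append((datetime.strptime(ts, TS_FMT), account, source, outcome))
    events.sort()
    return events


def brute_force_candidates(events, window=timedelta(minutes=5),
                           min_failures=10, max_success_ratio=0.2):
    """Rate/Burst/Ratio anomaly on the (account, source) pair.

    Flags a pair when some sliding window holds at least min_failures failures and
    the pair's overall success-to-attempt ratio is at or below max_success_ratio.
    The thresholds stand in for a baseline learned from the entity's own history.
    """
    by_pair = defaultdict(list)
    for ts, account, source, outcome in events:
        by_pair[(account, source)].append((ts, outcome))
    flagged = {}
    for pair, evs in by_pair.items():
        failures = [ts for ts, outcome in evs if outcome == "failure"]
        success_ratio = 1 - len(failures) / len(evs)
        peak, j = 0, 0
        for i in range(len(failures)):           # largest failure count in any window
            while failures[i] - failures[j] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= min_failures and success_ratio <= max_success_ratio:
            flagged[pair] = {"burst_failures": peak, "success_ratio": round(success_ratio, 3)}
    return flagged


def spray_candidates(events, min_fan_out=10, max_attempts_per_account=2.0):
    """Fan-Out anomaly on the source-to-account graph.

    A source that fails against many distinct accounts with few attempts each is
    the opposite shape of brute force: wide, shallow, and below per-account
    lockout thresholds, so per-account counting alone never sees it.
    """
    by_source = defaultdict(lambda: defaultdict(int))
    for ts, account, source, outcome in events:
        if outcome == "failure":
            by_source[source][account] += 1
    flagged = {}
    for source, accounts in by_source.items():
        fan_out = len(accounts)
        mean_attempts = sum(accounts.values()) / fan_out
        if fan_out >= min_fan_out and mean_attempts <= max_attempts_per_account:
            flagged[source] = {"fan_out": fan_out,
                               "mean_attempts_per_account": round(mean_attempts, 2)}
    return flagged


if __name__ == "__main__":
    evs = parse_signins(constructed_signin_log())
    print("brute force:", brute_force_candidates(evs))
    print("spraying:", spray_candidates(evs))
```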
Discovery and Lateral Movement
| Activity and ATT&CK | Statistical explanation | Anomaly types | Evidence sources | CTI/IR evidence |
|---|---|---|---|---|
| Accounts, groups, roles, or permissions enumerated — T1087 Account Discovery | Unit: actor and directory-object access stream. Expected: ordinary identities query a narrow object subset. Deviation: broad object fan-out, burst, or peer-group deviation. | Fan-Out Anomaly, Volume Anomaly, Peer-Group Anomaly | Directory-Service Audit Logs, Cloud Identity and Access Management Logs | Documented in Volt Typhoon joint advisory — downloaded copy (original source) |
| Internal network services or systems scanned — T1046 Network Service Discovery | Unit: internal source host. Expected: hosts communicate with a stable peer and service set. Deviation: rapid fan-out across destinations or ports and abrupt graph growth. | Fan-Out Anomaly, Rate Anomaly, Graph-Evolution Anomaly | Network Flow Logs, Network Detection and Response Telemetry | Documented in Volt Typhoon joint advisory — downloaded copy (original source) |
| Cloud resources or configurations enumerated — T1580 Cloud Infrastructure Discovery | Unit: cloud identity and API action distribution. Expected: identities use a role-specific action set. Deviation: peer-group deviation, high API category diversity, or burst of list and describe operations. | Peer-Group Anomaly, Categorical-Distribution Anomaly, Burst Anomaly | Cloud Control-Plane Audit Logs, Cloud Resource-Configuration Inventory | Documented in Sysdig SCARLETEEL investigation — downloaded copy (original source) |
| Remote administrative service used between systems — T1021 Remote Services | Unit: user-source-destination graph. Expected: administrative connections follow recurring paths. Deviation: new edge, unusual path, or broad fan-out from one source. | Edge Anomaly, Graph-Path-Length Anomaly, Fan-Out Anomaly | Network Flow Logs, Windows Security Event Logs, Linux Authentication Logs | Documented in Volt Typhoon joint advisory — downloaded copy (original source) |
| Tool or payload transferred internally — T1570 Lateral Tool Transfer | Unit: source-destination-file relationship and sequence. Expected: internal file transfers follow established system pairs and content types. Deviation: new edge followed by remote execution or unusual file category. | Edge Anomaly, Sequence-Order Anomaly, Category-Combination Anomaly | File-System Activity Logs, Network Flow Logs, Process Execution Logs | Documented in Play ransomware joint advisory — downloaded copy (original source) |
Collection and Exfiltration
| Activity and ATT&CK | Statistical explanation | Anomaly types | Evidence sources | CTI/IR evidence |
|---|---|---|---|---|
| Files, records, messages, or objects accessed in bulk — T1119 Automated Collection | Unit: identity or process. Expected: stable access volume, object mix, and rate. Deviation: tail-level volume, access burst, or sustained level shift. | Volume Anomaly, Tail Anomaly, Level-Shift Anomaly | File-System Activity Logs, Database Audit Logs, Cloud Object-Storage Access Logs | Documented in Sysdig SCARLETEEL investigation — downloaded copy (original source) |
| Email content collected — T1114 Email Collection | Unit: mailbox actor and operation stream. Expected: users read and export bounded message sets. Deviation: unusual read volume, export operation, or actor-mailbox edge. | Volume Anomaly, Edge Anomaly, Rare-Category Anomaly | Mailbox Audit Logs, Application Audit Logs | Documented in Scattered Spider joint advisory — downloaded copy (original source) |
| Data staged, compressed, or archived — T1074 Data Staged | Unit: process-path-file sequence. Expected: archive creation occurs in known workflows and paths. Deviation: rare process-path combination, sudden volume accumulation, or collection-to-archive transition. | Category-Combination Anomaly, Volume Anomaly, Transition Anomaly | Process Execution Logs, File-System Activity Logs | Documented in Scattered Spider joint advisory — downloaded copy (original source) |
| Large outbound transfer — T1041 Exfiltration Over C2 Channel | Unit: source-destination flow. Expected: outbound byte volume and destination relationships remain within an entity's normal range. Deviation: extreme volume, new edge, or abrupt level shift. | Volume Anomaly, Tail Anomaly, Edge Anomaly | Network Flow Logs, Data Loss Prevention Logs | Documented in FortiGuard Incident Response Report H1 2023 — downloaded copy (original source) |
| Data uploaded to cloud or web service — T1567 Exfiltration Over Web Service | Unit: identity-destination-upload stream. Expected: approved users upload bounded data to known services. Deviation: new destination edge, peer-group deviation, or upload-volume tail event. | Edge Anomaly, Peer-Group Anomaly, Tail Anomaly | Proxy and Secure Web Gateway Logs, Data Loss Prevention Logs | Documented in Scattered Spider joint advisory — downloaded copy (original source) |
| Transfers deliberately limited to evade controls — T1030 Data Transfer Size Limits | Unit: repeated source-destination transfers. Expected: transfer sizes and inter-arrival times vary with ordinary usage. Deviation: persistent repeated small transfers, unusual periodicity, or changed autocorrelation. | Periodicity Anomaly, Autocorrelation Anomaly, Persistent Anomaly | Network Flow Logs, Proxy and Secure Web Gateway Logs | Documented in Truebot joint advisory — downloaded copy (original source) |
Command and Control
| Activity and ATT&CK | Statistical explanation | Anomaly types | Evidence sources | CTI/IR evidence |
|---|---|---|---|---|
| Endpoint communicates periodically with external destination — T1071 Application Layer Protocol | Unit: source-destination event series. Expected: human and application traffic has characteristic timing variability. Deviation: strong periodicity, unusual autocorrelation, or repeated fixed inter-arrival times. | Periodicity Anomaly, Autocorrelation Anomaly, Inter-Arrival-Time Anomaly | Network Flow Logs, Network Detection and Response Telemetry | Documented in Mandiant SUNBURST investigation — downloaded copy (original source) |
| DNS carries command, control, or encoded data — T1071.004 DNS | Unit: client query distribution and sequence. Expected: domain lengths, record types, entropy, and response codes follow stable distributions. Deviation: entropy increase, novel category mix, or unusual periodic query subsequence. | Entropy Anomaly, Categorical-Distribution Anomaly, Subsequence Anomaly | DNS Resolver Logs, Packet-Capture Data | Documented in Mandiant SUNBURST investigation — downloaded copy (original source) |
| Encrypted or obfuscated network channel — T1573 Encrypted Channel | Unit: host-destination TLS feature vector. Expected: hosts use recurring certificate, protocol, cipher, and destination combinations. Deviation: first-seen combination or peer-group deviation. | Novel-Category Anomaly, Multivariate Combination Anomaly, Peer-Group Anomaly | TLS and Certificate Metadata Logs, Network Metadata Logs | Documented in Truebot joint advisory — downloaded copy (original source) |
| Web or collaboration service used as control channel — T1102 Web Service | Unit: process-user-service relationship. Expected: approved processes and users access a known service set. Deviation: new relationship, unusual service category, or repeated low-volume sequence. | Edge Anomaly, Rare-Category Anomaly, Persistent Anomaly | Proxy and Secure Web Gateway Logs, Collaboration Platform Audit Logs | Documented in FortiGuard Incident Response Report H1 2023 — downloaded copy (original source) |
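The periodic-communication row above lists three timing anomalies that together separate a beacon from human or application traffic. The following is an added example, not part of the catalog or any cited report, that computes the inter-arrival-time coefficient of variation and the count autocorrelation at the candidate period for each source-destination pair in constructed flow records; the addresses, period, jitter and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_flows():
    """Constructed flow records as (timestamp, src, dst); not real telemetry.

    One pair beacons every 300 s with a few seconds of jitter; the other is an
    irregular, human-like browsing pattern with a comparable event count.
    """
    start = datetime.strptime("2024-03-01T00:00:00Z", TS_FMT)
    jitter = [0, 3, -2, 1, -3, 2]
    flows = [(start + timedelta(seconds=300 * i + jitter[i % 6]),
              "10.0.0.12", "203.0.113.50") for i in range(24)]
    human = [0, 7, 9, 45, 130, 131, 600, 615, 1900, 1903, 2400, 3700, 3705, 3710, 5000]
    flows += [(start + timedelta(seconds=s), "10.0.0.13", "198.51.100.20") for s in human]
    return sorted(flows)


def inter_arrivals(times):
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def binned_counts(times, bin_s):
    """Event count per time bin; events are rounded to the nearest bin so that
    jitter smaller than half a bin does not smear a periodic signal."""
    start = times[0]
    idx = [round((t - start).total_seconds() / bin_s) for t in times]
    counts = [0] * (max(idx) + 1)
    for i in idx:
        counts[i] += 1
    return counts


def lag_autocorrelation(series, lag):
    """Autocorrelation of a count series at one lag (1.0 = perfectly periodic)."""
    n, mu = len(series), mean(series)
    denom = sum((x - mu) ** 2 for x in series)
    if denom == 0 or lag <= 0 or lag >= n:
        return 0.0
    num = sum((series[i] - mu) * (series[i + lag] - mu) for i in range(n - lag))
    return num / denom


def beacon_candidates(flows, min_events=12, max_cv=0.1, bin_s=60):
    """Inter-Arrival-Time, Periodicity and Autocorrelation anomaly per (src, dst).

    The coefficient of variation of inter-arrival times measures timing regularity
    (human traffic is bursty, CV near or above 1; a beacon is near 0). The count
    autocorrelation at the candidate period confirms the periodicity independently.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_events:
            continue
        iats = inter_arrivals(times)
        period = mean(iats)
        cv = pstdev(iats) / period if period else float("inf")
        lag = max(1, round(median(iats) / bin_s))
        acf = lag_autocorrelation(binned_counts(times, bin_s), lag)
        if cv <= max_cv:
            flagged[pair] = {"events": len(times), "period_s": round(period, 1),
                             "iat_cv": round(cv, 3), "acf_at_period": round(acf, 2)}
    return flagged


if __name__ == "__main__":
    print(beacon_candidates(constructed_flows()))
```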
Impact
| Activity and ATT&CK | Statistical explanation | Anomaly types | Evidence sources | CTI/IR evidence |
|---|---|---|---|---|
| Files, records, or resources deleted or destroyed — T1485 Data Destruction | Unit: actor or process deletion stream. Expected: deletions occur at bounded rates and within known workflows. Deviation: extreme deletion volume, burst, or abrupt transition from read/write to deletion. | Volume Anomaly, Burst Anomaly, Transition Anomaly | File-System Activity Logs, Database Audit Logs, Cloud Object-Storage Access Logs | Documented in LockBit joint advisory — downloaded copy (original source) |
| Files encrypted for impact — T1486 Data Encrypted for Impact | Unit: process file-operation stream and file population. Expected: ordinary processes modify limited file sets with stable extension distributions. Deviation: sudden high-volume writes, extension-distribution shift, and cascading impact across directories. | Volume Anomaly, Categorical-Distribution Anomaly, Cascading Anomaly | File-System Activity Logs, Endpoint Detection and Response Telemetry | Documented in Play ransomware joint advisory — downloaded copy (original source) |
| Service or system availability disrupted — T1499 Endpoint Denial of Service | Unit: service metrics and request stream. Expected: request rate, latency, error ratio, and availability stay within operating ranges. Deviation: rate tail event, abrupt level shift, and synchronized error increase. | Rate Anomaly, Level-Shift Anomaly, Synchronization Anomaly | Metrics and Monitoring-System Logs, Application Runtime Logs | Documented in F5 Labs 2024 DDoS Attack Trends — downloaded copy (original source) |
| Backup, snapshot, or recovery capability impaired — T1490 Inhibit System Recovery | Unit: backup system action sequence. Expected: backups follow recurring schedules and deletion operations are rare and controlled. Deviation: missing expected backup, unusual deletion transition, or abrupt level shift in protected coverage. | Missing-Correspondence Anomaly, Transition Anomaly, Level-Shift Anomaly | Backup and Recovery Logs, Cloud Control-Plane Audit Logs | Documented in LockBit joint advisory — downloaded copy (original source) |
| Unauthorized computation or resource abuse — T1496 Resource Hijacking | Unit: workload resource-consumption series. Expected: compute, power, cost, and network use follow workload schedules. Deviation: sustained level shift, tail consumption, or emerging upward trend. | Level-Shift Anomaly, Tail Anomaly, Emerging Anomaly | Metrics and Monitoring-System Logs, Cloud Billing and Usage Logs | Documented in Sysdig SCARLETEEL investigation — downloaded copy (original source) |
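The "files encrypted for impact" row above combines a volume anomaly with a categorical-distribution shift and cascading spread across directories. The following is an added example, not part of the catalog or any cited report, that measures a per-process write volume, the total-variation distance between a process's file-extension distribution and the host baseline, the share of never-before-seen extensions, and directory spread, over constructed file-system write events; the process names, paths and thresholds are assumptions.

```python
from collections import Counter, defaultdict
import posixpath


def constructed_file_events():
    """Constructed file-system write events as (process, path); not real telemetry.

    The baseline period holds ordinary document writes from a hypothetical office
    process; the observation window adds a process that rewrites hundreds of files
    under a single new extension across many directories.
    """
    exts = [".docx", ".xlsx", ".pdf", ".txt"]
    dirs = [f"/srv/share/dept{d:02d}" for d in range(12)]
    baseline = [("docapp", f"{dirs[i % 12]}/file{i}{exts[i % 4]}") for i in range(200)]
    window = [("docapp", f"{dirs[i % 12]}/file{i}{exts[i % 4]}") for i in range(60)]
    window += [("unknown-proc", f"{dirs[i % 12]}/file{i}{exts[i % 4]}.locked")
               for i in range(300)]
    return baseline, window


def extension_of(path):
    return posixpath.splitext(path)[1].lower() or "<none>"


def distribution(counter):
    total = sum(counter.values())
    return {k: v / total for k, v in counter.items()} if total else {}


def total_variation(p, q):
    """Half the L1 distance between two categorical distributions (0 = identical, 1 = disjoint)."""
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def novel_share(current, baseline):
    """Share of current writes whose extension never appeared in the baseline."""
    return sum(v for k, v in current.items() if k not in baseline)


def encryption_impact_candidates(baseline_events, window_events, min_writes=50, min_tvd=0.5):
    """Volume, Categorical-Distribution and Cascading anomaly per writing process.

    Compares each process's extension distribution in the window against the
    host's baseline distribution; a high-volume writer whose output is mostly
    novel extensions spread over many directories is the shape of mass encryption.
    """
    baseline = distribution(Counter(extension_of(p) for _, p in baseline_events))
    per_process, touched_dirs = defaultdict(Counter), defaultdict(set)
    for process, path in window_events:
        per_process[process][extension_of(path)] += 1
        touched_dirs[process].add(posixpath.dirname(path))
    flagged = {}
    for process, counts in per_process.items():
        writes = sum(counts.values())
        if writes < min_writes:
            continue
        current = distribution(counts)
        tvd = total_variation(current, baseline)
        if tvd >= min_tvd:
            flagged[process] = {"writes": writes, "tvd": round(tvd, 2),
                                "novel_share": round(novel_share(current, baseline), 2),
                                "directories": len(touched_dirs[process])}
    return flagged


if __name__ == "__main__":
    base, win = constructed_file_events()
    print(encryption_impact_candidates(base, win))
```

The ordinary office process writes the same extension mix as the baseline and is left alone even though it is also above the volume floor; only the distribution shift separates the two.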
Activities with Weak Statistical Explanations
Some activity is suspicious because it matches known malicious content or violates an explicit policy, not because it is statistically unusual. Examples include a known exploit payload, a known-malicious hash, a prohibited tool signature, or a single forbidden configuration change. These should remain primarily signature-based or deterministic detections, with anomaly evidence used only as supporting context.
Downloaded CTI/IR Report Corpus
| Report | Publisher and investigation basis | Links |
|---|---|---|
| PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure | Joint advisory based on confirmed compromises and incident-response findings; commonly associated with Volt Typhoon. | Downloaded copy, original source |
| #StopRansomware: Play Ransomware | Joint FBI, CISA, and ASD's ACSC advisory based on investigations and observed Play ransomware TTPs. | Downloaded copy, original source |
| Scattered Spider | Joint advisory containing TTPs obtained through FBI investigations and partner reporting. | Downloaded copy, original source |
| Increased Truebot Activity Infects U.S. and Canada Based Networks | Joint advisory based on observed Truebot operations, analytical findings, and incident-response guidance. | Downloaded copy, original source |
| FortiGuard Incident Response Report H1 2023 | FortiGuard Labs analysis of incident-response engagements with observed activity mapped to ATT&CK. | Downloaded copy, original source |
| Understanding Ransomware Threat Actors: LockBit | Joint advisory based on FBI investigations and partner reporting, including observed LockBit 3.0 TTPs. | Downloaded copy, original source |
| 2024 DDoS Attack Trends | F5 Labs threat-intelligence analysis of observed DDoS attack telemetry mapped to ATT&CK. | Downloaded copy, original source |
| Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor | Mandiant investigation documenting the SolarWinds supply-chain compromise and post-compromise activity. | Downloaded copy, original source |
| SCARLETEEL: Operation Leveraging Terraform, Kubernetes, and AWS for Data Theft | Sysdig Threat Research Team investigation of a customer cloud environment and the resulting data theft. | Downloaded copy, original source |
| SCARLETEEL 2.0 and the MITRE ATT&CK Framework | Sysdig analysis correlating a documented cloud-native intrusion with ATT&CK behavior. | Downloaded copy, original source |
| TeamTNT Targeting Misconfigured Kubelet | Sysdig Threat Research Team investigation of a detected attack against a Kubernetes pod. | Downloaded copy, original source |
| AI-Assisted Cloud Intrusion Achieves Admin Access in Eight Minutes | Sysdig Threat Research Team analysis of an observed AWS intrusion involving Lambda code injection and rapid privilege escalation. | Downloaded copy, original source |