Rule Category

Endpoint Sensor classifies the analyzed files based on the object's behavior and origin.

Table 1. Rule Categories


Behavior Description

Intelligence gathering

Performs extensive research using readily available public information, network scanning tools, social media, and other sources to identify promising points of entry, and uncover the structure of existing defenses

Point of entry

Uses tactics and techniques used to gain entry to a network, including but not limited to:
  • Sending emails with a malicious file attachment, or a link to a malicious URL

  • Compromising a legitimate web site to download malware

  • Directly hacking the target system

  • Penetrating a partner’s network and hitching a ride into yours via normal communication

  • Using unsecured or third-party networks (hotel, coffee shop, airport, etc.)

  • Delivering attack code via a USB or other removable storage media

Command-and-control (C&C)

Initiates communication with a C&C server to deliver information, receive instructions, and download other malware. This allows attackers to actively respond to security efforts, or to new information about the network. C&C traffic can occur to/from a trusted IP address or a malicious host, using various communication and encryption protocols.

Lateral movement

Identifies other assets within the network that it can use to move from system to system. These search for directories, email, and administration servers to map the internal structure of the network and obtain credentials to access these systems.

Asset/data discovery

Locates the specific servers and services that contain the most valuable data by scanning selected ports, monitoring internal traffic, etc.

Data exfiltration

Copies data for extraction and monetization, through the use of encryption, compression, and other techniques to disguise the activity. Data is transmitted to external locations, where it will be put up for sale on the black market.

Attack accomplice

Runs functions that assist in the routines of other malware involved in the attack.

User defined

Files specified by the user through user-defined IOC files.

The classification is based mainly on the six stages of a targeted attack.

For details, refer to the documentation available at: