Athena EPP (Endpoint Protection Platform)

Athena EPP (formerly Sangfor Endpoint Secure) integrates NGAV, EDR, and endpoint management into a single, powerful solution for comprehensive endpoint protection.
6.0.4R4

Security Events

{{ $t('productDocDetail.updateTime') }}: 2026-04-08

4.2.1.1 Overview

This page shows the summary of all recent security events detected (events detected in the last seven days are displayed by default; you can select a period). It provides an overview of events detected within the current network, including the total number of events, affected critical assets, and a breakdown of events such as web shell attacks and brute-force attacks.


4.2.1.2 WebShell

The Athena EPP agent scans and monitors endpoints in real time for web shells.

Click View Details to view the event details.


Click Fix to fix the threat entity or the compromised endpoint.


Click Threat Intelligence to go to Sangfor Threat Intelligence for web shell identification.


Click Go to Response. You will be redirected to the Detection and Response > Response page to view event logs.

4.2.1.3 Memory Backdoors

Scans and monitors endpoints in real time for memory backdoors via the Athena EPP agent.

Memory backdoors are mainly detected on endpoints.

Click View Details to view the event details.

Click Fix to fix the threat entity or the compromised endpoint.

Click Go to Response. You will be redirected to the Detection and Response > Response page to view event logs.

4.2.1.4 Brute-Force Attacks

Athena EPP can detect brute-force attacks against Remote Desktop Protocol (RDP), Server Message Block (SMB), Microsoft SQL Server, and SSH services.


Click View Details to view the details of a brute-force attack event, including the source IP address, destination IP address, time when the attack was detected, number of attempts, and whether the attack succeeded.


Click Fix to fix the threat entity or the compromised endpoint.


Click Go to Response. You will be redirected to the Detection and Response > Response page to view event logs.

4.2.1.5 Suspicious Logins

Athena EPP can detect suspicious logins from unusual times or uncommon IP addresses. It can also detect suspicious login events on Windows endpoints (including PCs) via RDP or SMB and those on Linux endpoints via SSH.

Click View Details to view the details of a suspicious login event, including the login IP address, protocol, login name, destination IP address, login time, number of occurrences, and recommendations.


Click Fix to fix the threat entity or the compromised endpoint.


Click Go to Response. You will be redirected to the Detection and Response > Response page to view event logs.
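The two event types above, brute-force attacks (failures from one source against one service, then whether a login later succeeded) and suspicious logins (unusual time or uncommon source IP), as an added detection example. This is not Athena EPP code; the threshold, window, business hours and baseline of known source IPs are assumptions, and the authentication events are constructed.

```python
# Added example, not Athena EPP code: flag brute-force attempts and suspicious
# logins over constructed authentication events. Thresholds, business hours and
# the known-source baseline are assumptions chosen for the demo.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (time, protocol, source IP, destination IP, user, success)
EVENTS = [(f"2026-04-08 02:10:{s:02d}", "RDP", "203.0.113.9", "10.0.0.5", "admin", False)
          for s in (0, 5, 11, 17, 24)] + [      # five failures, then a success
    ("2026-04-08 02:10:30", "RDP", "203.0.113.9", "10.0.0.5", "admin", True),
    ("2026-04-08 09:30:00", "SSH", "10.0.0.20", "10.0.0.7", "ops", True),
    ("2026-04-08 23:45:00", "SSH", "10.0.0.20", "10.0.0.7", "ops", True),
]
FAIL_THRESHOLD = 5                # failures from one source within WINDOW
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(8, 19)     # 08:00-18:59; anything else is an unusual time
KNOWN_SOURCES = {"10.0.0.20"}     # baseline of IPs that normally log in

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def brute_force_events(events):
    """Count failures per (source, destination, protocol) in a sliding window; once
    the threshold is hit, record the event and whether a later login succeeded."""
    failures, alerts = defaultdict(list), {}
    for ts, proto, src, dst, _user, ok in sorted(events):
        key, t = (src, dst, proto), parse(ts)
        if not ok:
            failures[key] = [x for x in failures[key] if t - x <= WINDOW] + [t]
            if len(failures[key]) >= FAIL_THRESHOLD:
                a = alerts.setdefault(key, {"detected": ts, "success": False})
                a["attempts"] = len(failures[key])
        elif key in alerts:          # success after the alert: attack succeeded
            alerts[key]["success"] = True
    return alerts

def suspicious_logins(events):
    """Successful logins at an unusual hour or from an IP outside the baseline."""
    hits = []
    for ts, proto, src, dst, user, ok in events:
        reasons = []
        if ok and parse(ts).hour not in BUSINESS_HOURS:
            reasons.append("unusual time")
        if ok and src not in KNOWN_SOURCES:
            reasons.append("uncommon source IP")
        if reasons:
            hits.append({"login_ip": src, "protocol": proto, "user": user,
                         "dst": dst, "time": ts, "reasons": reasons})
    return hits
```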

4.2.1.6 Suspicious Scans

The Athena EPP agent can detect port scanning both actively and passively: an agent-installed endpoint can detect port scanning that it performs itself, and port scanning from other endpoints directed at it.

Suspicious scans will be reported automatically once detected without requiring manual configuration.

Click View Details to view the details of a suspicious scan event, including the source IP address, target endpoint and port, time when the scan was detected, number of occurrences, and recommendations.


Click Fix to fix the compromised endpoint.


Click Go to Response. You will be redirected to the Detection and Response > Response page to view event logs.


4.2.1.7 Advanced Threats

Scenario

In response to emerging threats and attack-defense scenarios, such as ransomware attacks and phishing emails that exploit office networks to breach internal systems, Athena EPP uses Indicator of Attack (IOA) rules to detect abnormal behaviors such as ransomware and phishing (for details, see the MITRE ATT&CK framework, which outlines adversary tactics and techniques such as fault injection, credential theft, and privilege escalation). Athena EPP generates security alerts as soon as it detects threats or attacks and blocks high-risk activities. Furthermore, Athena EPP traces the process chain that initiated an attack, consolidates all related abnormal behaviors into a single, precise security event, and helps identify the source of the attack and any startup items created in the operating system so that they can be removed completely.

Example:

The following is an example of detecting and handling cryptomining, which illustrates the features of Advanced Threats.

During routine O&M, the security administrator observes some suspicious activities flagged by the Advanced Threats service of Athena EPP. These activities include cryptomining attacks, account activation, and suspicious file creation, as shown in the following figure.


On the Event Mode tab, the administrator finds a security event of critical severity, as shown in the following figure. Athena EPP has consolidated various suspicious activities into a complete attack event.

On the Event Mode tab, the administrator finds multiple hits within the ATT&CK matrix, as shown in the following figure.


The attack hits multiple tactics within the ATT&CK matrix, including execution, persistence, defense evasion, credential access, discovery, command and control, and impact.


After clicking View Details, the administrator can check the involved threat entities and alerts.

After clicking In-Depth Analysis, the administrator can trace the complete attack chain.

  1. Attack entry point

The attacker accessed the testing machine through a remote desktop login and dropped the attack sample emulator.exe. After the sample is executed, the file beacon.exe and a process for it are automatically created.

  2. Create suspicious scheduled tasks for persistence

beacon.exe creates the schtasks.exe process and uses it to create suspicious scheduled tasks so that the attack persists.

  3. Execute obfuscated PowerShell commands to bypass security protection and carry out the attack

beacon.exe creates a powershell.exe process and executes obfuscated PowerShell commands to bypass security protection and carry out the attack.

  4. Enumerate host users to collect information

beacon.exe creates the svchost.exe process and runs the command cmd /c quser to enumerate host users and collect information.

  5. Activate the host guest account for persistence

beacon.exe creates the svchost.exe process and runs the command net user guest guest /active to activate the host's guest account and maintain persistent access.

  6. Add a suspicious firewall allow rule via netsh

beacon.exe creates the svchost.exe process and runs netsh to add firewall allow (whitelist) rules and establish suspicious connections, in an attempt to bypass the firewall's protection.

  7. Check the current user's permissions and gather sensitive information

beacon.exe creates the xmrig.exe file and process, runs the command cmd /c whoami to check the current user's permissions, and gathers sensitive information.

  8. Download a mining virus

beacon.exe creates the xmrig.exe file and process, and calls bitsadmin.exe to download a mining virus and start mining.

  9. Handle the attack

Tracing the process attack chain above leads to the following conclusions:

The testing machine is infected with a mining virus. The attack sample emulator.exe created the malicious files beacon.exe and xmrig.exe and launched multiple processes to carry out execution, persistence, defense evasion, credential access, discovery, and command and control.


The handling method is as follows:

  1. Isolate the malicious files emulator.exe, beacon.exe, and xmrig.exe.
  2. Isolate the endpoint without affecting the business, to prevent the threat from spreading laterally.
  3. Run a full investigation and scan-and-kill on the endpoint where the threat was detected, and remove any residual items.


The attacker obtained permissions and injected the virus via RDP access or brute-force attacks. Therefore, the following security enhancements are recommended:

  1. Disable unnecessary remote ports.
  2. Enable RDP secondary authentication and brute-force attack protection on Athena EPP.
  3. Install system security patches in time.
4.2.1.8 Reverse Shells

A reverse shell is malicious activity in which the victim's host actively connects back to an application on the attacker's server.

Click View Details to view the event details.


Click More > Isolate to isolate the endpoint.

4.2.1.9 Remote Command Execution

In a remote command execution event, an attacker breaches a business system through a remote command execution vulnerability, injecting commands or code directly into the backend server.


Click View Details to view the event details.

Click More > Isolate to isolate the endpoint.

4.2.1.10 Local Privilege Escalation

Local privilege escalation is an activity in which a user's privileges are elevated from a very low or restricted level to a high or even root-level one.


Click View Details to view the event details.


Click More > Isolate to isolate the endpoint.


4.2.1.11 PowerShell Execution

PowerShell threats use unusual attack techniques that are difficult to detect, aiming to infect endpoints with viruses and cause damage.

Click the name of a threat to view the details of the relevant event, including the infected endpoints, process, parameters, and time detected.

Click Block to block the current process.


Select Also Block execution of process with same commands on the endpoint to prevent subsequent execution of processes with the same PowerShell parameters.