CWPP security alerts

Security Center detects a wide range of threats on your assets in real time, covering alert categories such as web tamper-proofing, anomalous processes, webshells, unusual logons, and malicious processes. Its threat detection models provide comprehensive coverage, allowing you to promptly identify security threats and maintain a real-time view of your security posture.

Overview

Risk levels

Security Center classifies alerts into three risk levels to help you prioritize your response.

Risk level

Description

Recommended action

Urgent

  • Indicates activity that closely resembles a known attack pattern and can cause destructive or persistent damage to an asset, such as a reverse shell.

  • This level means the asset is likely under active attack.

Respond immediately. Recommended actions: quarantine the asset, block suspicious network connections, and preserve the attack scene.

Suspicious

  • Indicates potentially risky activity that may resemble routine operations, such as a process that adds a new user.

  • The activity might also be a non-critical step in an attack chain, such as an attempt to clear tracks.

  • This level indicates a moderate probability that the asset is under attack.

Investigation required. Check whether the activity is a scheduled operation. If so, add the behavior to an allowlist. Otherwise, treat it as an Urgent alert.

Reminder

Indicates non-essential attack activity that resembles normal operations, such as a process listening on a suspicious port.

Audit and optimize. Use these alerts to identify non-compliant configurations or potential risks. We recommend that you regularly review and optimize your security policies. No immediate action is required.

Threat detection models

Security Center uses more than 380 threat detection models to provide comprehensive threat detection. These models cover key stages of the attack chain to detect an attack's full lifecycle. The following list provides examples for each detection stage:

Note

On the Alert page, you can click the threat detection model icon in the upper-left corner to view the threat detection models that Security Center provides.

  • Initial Access: Anomalous command execution in Java applications and web vulnerability exploits.

  • Code Execution: Reverse shells and malicious script execution.

  • Persistence: Suspicious writes to passwordless logon certificate files and exploitation of misconfigured Redis instances.

  • Privilege Escalation: Exploitation of misconfigured Redis instances and unauthorized execution of high-risk commands.

  • Defense Evasion: Logons by a RAM user from an unusual location and execution of suspicious programs.

  • Credential Access: Logons to an ECS instance from an unusual location and successful brute-force attacks on an ECS instance.

  • Discovery: Suspicious access to OSS and suspected scanning of sensitive ports.

  • Lateral Movement: Worms and suspicious network connections in Windows.

  • Collection: Port scanning and suspected man-in-the-middle attacks on a Kubernetes service (CVE-2020-8554).

  • Data Leakage: Requests to out-of-band (OOB) attack domain names and suspicious command-and-control (C2) trojan communication.

  • Remote Control: Trojan programs and backdoor programs.

  • Impact and Damage: DDoS trojans and ransomware.

  • Prepare Resources: Self-mutating trojans and hacking tools.

  • Target Discovery: Proactive connections to malicious download sources and scanners.

Limitations

Security Center is designed to enhance asset security with features such as real-time alerting, vulnerability management, and attack attribution. However, because of the following limitations, we recommend that you adopt a defense-in-depth strategy to improve overall security:

  • Defense startup delay: After a server is restarted, the Security Center defense process requires a period of time to start. During this startup period, fast-acting attacks such as ransomware and DDoS trojans cannot be effectively blocked.

  • Risk of unknown threats: Attack methods and virus samples are constantly evolving and business environments vary. Because of this, Security Center cannot guarantee real-time detection and defense against all unknown threats.

To build a more comprehensive security defense, we recommend that you combine Security Center with the following measures:

  1. Regularly apply security patches to your server's operating system and applications.

  2. Use products such as Cloud Firewall and Web Application Firewall to reduce the network attack surface.

Alert handling process

[Figure: alert handling process]

Supported editions

Subscription

Service edition

Detection scope

Alert handling capabilities

Basic, Value-added Plan

Detects common cloud-based attacks, including traditional single-line webshells, logons from unusual locations, self-mutating trojans, DDoS trojans, and mining programs. This edition does not cover container assets.

Alert suppression: Add to Whitelist, Ignore, etc.

Anti-virus

Includes all features of the Basic edition, plus detection and precision defense models for suspicious and malicious files, including binaries. This edition does not cover container assets.

  • Threat removal: Virus Detection and Removal, Deep Cleanup, Quarantine, etc.

  • Alert suppression: Add to Whitelist, Ignore, etc.

Advanced

Includes all features of the Antivirus edition, plus detection and precision defense models for suspicious and malicious process activities and file operations. This edition does not cover container assets.

Enterprise

Includes all features of the Advanced edition, plus more than 380 detection and precision defense models for all types of malicious behavior, including process activities, file operations, and network connections. This edition does not cover container assets.

Ultimate

Includes all features of the Enterprise edition (covering container assets), plus detection and proactive defense models for container-specific attacks, such as container escapes, running risky images, and launching non-image programs.

Pay-as-you-go

Protection level

Detection scope

Alert handling capabilities

Unprotected

Detects common cloud-based attacks, including traditional single-line webshells, logons from unusual locations, self-mutating trojans, DDoS trojans, and mining programs. This level does not cover container assets.

Alert suppression: Add to Whitelist, Ignore, etc.

Antivirus

Includes all features of the Unprotected level, plus detection and precision defense models for suspicious and malicious files, including binaries. This level does not cover container assets.

  • Threat removal: Virus Detection and Removal, Deep Cleanup, Quarantine, etc.

  • Alert suppression: Add to Whitelist, Ignore, etc.

Host Protection

Includes all features of the Antivirus level, plus more than 380 detection and precision defense models for all types of malicious behavior, including process activities, file operations, and network connections. This level does not cover container assets.

Hosts and Container Protection

Includes all features of the Host Protection level (covering container assets), plus detection and proactive defense models for container-specific attacks, such as container escapes, running risky images, and launching non-image programs.

Security alert types

Type

Description

Network Defense Alert (formerly attack analysis)

If you enable rules in the Network Threat Prevention category of Malicious Behavior Defense for Hosts and the Brute-force Attack Protection for Hosts policies, Security Center automatically blocks detected attacks based on these protection rules and generates a Network Defense Alert. For more information, see Network Defense Alert (formerly attack analysis).

Important

  • For newly purchased cloud products, you must wait about 3 hours for Security Center to synchronize network attack data before you can view related attack analysis information.

  • Defensive alerts indicate that attacks are automatically blocked by Security Center. No manual action is required.

Precise Defense

The Malicious Host Behavior Prevention feature generates Precise Defense alerts based on your enabled defense rules. For more information about Malicious Host Behavior Prevention, see Host protection settings.

Suspicious Process Behavior

Detects unusual process behavior, such as running suspicious command sequences, starting from an abnormal path, process injection, and unauthorized changes to system files or configurations.

Webshell

Detects webshell backdoor files on the server, or malicious code injected into non-program files, such as logs and images.

Unusual Logon

Detects logons that do not comply with preset policies, successful brute-force attacks, and logon attempts from known malicious IP addresses or backdoor accounts.

Malware

Detects various types of malware running or present on the host, including viruses, trojans, ransomware, mining programs, and hacking tools.

Cloud Service Threat Detection

Detects the theft and abuse of cloud platform identity credentials, such as an AccessKey, as well as unusual configurations and permission probing on cloud resources.

Unusual Network Connection

Detects various suspicious network behaviors on the server, such as port scanning, connections to malicious sources, and a reverse shell. These behaviors are typical signs of attack reconnaissance, remote control, and lateral movement.

Note

This feature does not detect encrypted HTTPS traffic.

Malicious Script

Detects when a malicious or suspicious script file is executed on the server. This indicates an attacker has compromised the system and is running malicious commands.

Persistent Webshell

Detects persistence mechanisms used to maintain long-term control, such as creating auto-start items, memory-resident backdoors, hidden processes, and exploiting advanced system features.

Sensitive File Tampering

Detects tampering with core system files and configurations (such as shared library preload files). Such tampering includes modifying, replacing, or moving files to achieve persistence or bypass security detection.

Container cluster anomaly

Detects complex, multi-stage attacks in container clusters. These attacks can include using a service account for privilege escalation (such as creating unusual tokens or binding to high-privilege roles), lateral movement (such as entering a container to execute commands or accessing Kubelet), and information theft (such as enumerating Secrets).

Suspicious Account

Detects the creation or use of a suspicious account in the system.

Webshell detection (local scan)

Analyzes file behavior to identify and score suspicious files.

EXP

Detects attacks that use known vulnerabilities in the operating system or applications to achieve remote code execution, privilege escalation, or container escape.

Abnormal network traffic

Identifies past and ongoing attacks by analyzing network traffic and correlating it with host behavior.

Container Escape Prevention

After you create a Container Escape Prevention rule in Proactive Defense for Containers, if a process inside a container attempts an operation that violates the rule (such as accessing a sensitive path on the host or attempting privilege escalation), the defense module blocks the operation and generates a security alert.

Proactive Defense for Containers

Proactive Defense for Containers provides two core runtime security capabilities and generates security alerts for all detected risky behaviors:

  • Non-image Program Defense: In real time, detects and blocks programs that are started in a container but are not part of the original image. This effectively prevents malicious behaviors such as trojan implantation.

  • Container File Defense: Monitors specified files or directories within a container in real time and alerts on or blocks malicious tampering.

Risk Image Blocking

After you create a Risky Image Blocking rule in Proactive Defense for Containers, Security Center performs real-time security checks on images used to create cluster resources (such as a Pod). If an image matches the rule, the system takes the configured action (alert, block, or allow) and generates a security alert.

Trusted Exception

Monitors the status of an ECS trusted instance and reports any anomalies.

Others

Unexpected offline status of the Security Center client, DDoS flood attack, and more.

Alert checks

Precise Defense

Alert name

Description

DDoS trojan

A DDoS trojan is a malicious program that runs on a compromised host and receives instructions to launch DDoS attacks against a target specified by an attacker.

ransomware

Ransomware is a malicious program that encrypts critical data files on a host and demands a ransom.

backdoor program

A backdoor program is a persistent program implanted in a system that allows an attacker to maintain continuous access to the host.

malicious program

A cloud-based scan detected a malicious program.

infectious virus

An infectious virus is an advanced type of malware that injects malicious code into legitimate program files, causing many normal programs to become infected and act as hosts.

mining program

A mining program illicitly uses your server's computing resources to mine cryptocurrency. This activity often leads to high CPU usage and can indicate the presence of other malicious programs.

trojan program

A trojan program is a malicious program that disguises itself to infiltrate your server. Once active, it typically downloads and runs other malicious programs.

worm

A worm is a malicious program used for lateral movement from a compromised host, such as your server, to other hosts. It often spreads by exploiting vulnerabilities and brute-forcing passwords.

suspicious program

A suspicious program exhibits characteristics of malicious code or suspicious behavior but has not been definitively classified as malicious. You should evaluate the program based on the information provided in the alert.

self-mutating trojan

A self-mutating trojan is a type of trojan that alters its own file hash or copies itself to multiple locations to evade detection and removal.

malicious IP blocking

Security Center detected an attack attempt against your server. The Precise Defense feature blocked the malicious request, preventing potential harm. This alert confirms the attack was stopped and does not mean your server was compromised.

malicious DNS request blocking

Alibaba Cloud Security detected your ECS instance communicating with a malicious domain, which can indicate a compromise. The Precise Defense feature blocked this request to protect your server.

process behavior blocking

Security Center detected and blocked a high-risk command, which may indicate an attacker has compromised your server. The Precise Defense feature prevented this command from running to protect your server from harm.

malicious disruption of client process

Security Center detected and blocked suspicious activity intended to disrupt the Server Guard agent. This proactive block ensures that threat detection capabilities remain active. Attackers often attempt to disable security measures to compromise a host. Investigate this alert carefully and check the server for other security alerts, high-risk vulnerabilities, and weak passwords. If you performed this action intentionally, you can ignore this alert.

malicious disruption of client file

Security Center detected and blocked suspicious file activity intended to disrupt the Server Guard agent. This proactive block ensures that threat detection capabilities remain active. Attackers often attempt to disable security measures to compromise a host. Investigate this alert carefully and check the server for other security alerts, high-risk vulnerabilities, and weak passwords. If you performed this action intentionally, you can ignore this alert.

exploit program

An exploit program attacks known vulnerabilities in an operating system or application. Attackers use these programs to escalate privileges, escape from containers, or execute arbitrary code.

bait capture for ransomware protection

Security Center used a preset bait file (honeypot) to detect and block a suspicious process, which is likely ransomware.

webshell malicious connection blocking

Security Center blocked a malicious connection from a webshell.

hacking tool

Hacking tools are used by attackers for privilege escalation, sensitive data theft, or security software uninstallation. They can also be implanted as backdoor programs after an intrusion.

Windows backdoor account logon session blocking

Security Center detected and blocked an attacker's attempt to log on to this server by using a backdoor account.

process start blocking (custom)

This alert is triggered when a process is blocked based on a custom rule. You can define rules in the proactive defense settings to block specific processes at startup by adding their MD5 file hashes.

AntSword webshell communication

Security Center detected an attack attempt using the AntSword tool. The Precise Defense feature blocked this malicious request. This alert confirms the attack was prevented and does not mean your server was compromised.

Cknife webshell communication

Security Center detected an attack attempt using the Cknife tool. The Precise Defense feature blocked this malicious request. This alert confirms the attack was prevented and does not mean your server was compromised.

rootkit

A rootkit is a malicious module implanted at a low level of the system to hide its own traces or the traces of other malicious programs.

XISE webshell communication

Security Center detected an attack attempt using the XISE tool. The Precise Defense feature blocked this malicious request. This alert confirms the attack was prevented and does not mean your server was compromised.

reverse shell

A reverse shell is a technique attackers use to control a compromised server. This alert is triggered when a process (such as bash, python, perl, lua, php, and telnet) initiates a reverse shell connection.

unauthorized execution of high-risk commands

An attacker escalates their privileges on a compromised server by exploiting vulnerabilities or misconfigurations, such as the Dirty COW vulnerability or sudo privilege escalation.

webshell command execution

An attacker uses a webshell management tool, such as Cknife, AntSword, Behinder, or Godzilla, to communicate with a webshell on a compromised server and execute arbitrary commands.

counteracting security software

An attacker attempts to disable security software or delete security configurations. Examples include stopping the Server Guard agent or disabling the firewall.

implanting suspicious files

An attacker exploits a vulnerability or uses a weak password to log on and write suspicious files using commands such as wget, curl, tar, and powershell.

implanting malicious files

An attacker exploits a vulnerability or uses a weak password to log on and write malicious files using commands such as wget, curl, tar, and powershell.

suspicious worm script behavior

An attacker exploits a vulnerability or uses a weak password to log on and implant a suspicious worm script. This alert is triggered by scripts such as bash, python, perl, and powershell.

downloading and running malicious files from the command line

An attacker exploits a vulnerability or uses a weak password to log on, remotely execute commands, and download and implant malicious files. This alert is triggered by download commands such as wget, curl, python, and powershell.

high-risk operation by a web service

An attacker exploits a web vulnerability, such as a Confluence or Exiftool vulnerability, to execute arbitrary commands.

information gathering

A service program executes host commands, such as whoami, netstat, and id, to collect host information and determine whether remote command execution was successful.

Cloud Assistant advanced protection

A Cloud Assistant token may be leaked or stolen. This protection prohibits Cloud Assistant from executing arbitrary commands.

suspicious network connection

An attacker runs a malicious program or uses a system program to connect to the network and receive instructions from a command-and-control server. This behavior is associated with DDoS, mining programs, and reverse shells.

obfuscated command

An attacker encrypts, encodes, or otherwise manipulates host commands to bypass antivirus protection. Examples of manipulation include using base64 or other encoding methods.

PowerShell high-risk command execution

An attacker uses the system's PowerShell component to execute malicious commands, such as downloading or executing a payload.

PowerShell suspicious command execution

An attacker uses the system's PowerShell component to execute malicious commands, such as downloading or executing a payload.

high-risk operation by a browser service

An attacker uses an entry service to perform malicious operations, such as remotely downloading or executing a payload by using a trusted system component.

suspicious operation by an entry service

An attacker uses an entry service to perform malicious operations, such as remotely downloading or executing a payload by using a trusted system component.

high-risk operation by a system process

An attacker uses an entry service to perform malicious operations, such as remotely downloading or executing a payload by using a trusted system component.

high-risk operation by a Java service

An attacker uses an entry service to perform malicious operations, such as remotely downloading or executing a payload by using a trusted system component.

high-risk operation by an Office component

An attacker uses an entry service to perform malicious operations, such as remotely downloading or executing a payload by using a trusted system component.

loading a high-risk driver

A virus, trojan, or hacking tool attempts to bypass antivirus protection by loading a driver module.

high-risk account manipulation behavior

An attacker performs unauthorized account operations to achieve persistence.

malicious command execution

An attacker calls system tools to execute commands or scripts to perform various malicious behaviors.

suspicious process startup

A process started by a suspected virus or trojan was detected.

system backup deletion behavior

Ransomware was detected deleting system backups to prevent data restoration.

internal network scan

An attacker expands the scope of an intrusion by scanning for weaknesses in internal network assets or attempting to log on with the same password. This includes activities such as brute-force attacks, password spraying, and web vulnerability scanning.

creating a service auto-start item

A virus creates a persistent startup item by using the registry, scheduled tasks, or services.

creating a high-risk auto-start item

A virus creates a persistent startup item by using the registry, scheduled tasks, or services.

creating a scheduled task auto-start item

A virus creates a persistent startup item by using the registry, scheduled tasks, or services.

creating a registry auto-start item

A virus creates a persistent startup item by using the registry, scheduled tasks, or services.

creating a WMI auto-start item

A virus creates a persistent startup item by using the registry, scheduled tasks, or services.

clearing intrusion traces

An attacker attempts to destroy intrusion traces by deleting data such as system logs and command execution records.

high-risk credential theft behavior

An attacker attempts to steal logon credentials by using credential theft tools such as Mimikatz.

HashDump attack

An attacker uses memory dump tools such as Procdump to access the Local Security Authority (LSA) process and obtain credential data.

hijacking a dynamic-link library

Security Center detected that a system program loaded a suspicious dynamic-link library (DLL), suggesting an attempt to hijack system functions. This behavior was blocked. If you believe this action was a false positive, you can disable the "Hijacking a dynamic-link library" rule set on the Proactive Defense - Malicious Behavior Defense page or remove the affected machine from your list of managed hosts.

Behinder webshell communication

An attacker uses a webshell management tool, such as Cknife, AntSword, Behinder, or Godzilla, to communicate with a webshell on a compromised server and execute arbitrary commands.

Godzilla webshell communication

An attacker uses a webshell management tool, such as Cknife, AntSword, Behinder, or Godzilla, to communicate with a webshell on a compromised server and execute arbitrary commands.

sensitive registry key protection

Protection for sensitive registry keys, including defense for persistent startup items, group policy configuration items, system security configuration items, and Image File Execution Options hijacking.

process injection protection

An attacker injects malicious code into a legitimate process to bypass detection and defense. An example is a ptrace injection.

proxy tool

Proxy tools are used by attackers for operations such as proxying and tunneling, often to facilitate further server intrusion.

Cloud Assistant service information gathering

The Cloud Assistant service executes host commands, such as whoami, netstat, and id, to collect host information and determine whether remote command execution was successful.

LSA security authority service protection

The Local Security Authority Subsystem Service (LSASS) is the process responsible for enforcing the security policy on the operating system. Attackers can compromise security by reading from or writing to LSASS process memory. This rule prevents other processes from accessing the LSASS process with read or write permissions. Note: This is a security hardening feature that blocks attempts by default and does not generate alerts. If your workload requires read or write access to the LSASS process memory, you can disable this protection rule.

entry service implants suspicious script or binary file

A database, web, or other service was detected implanting a suspicious script or binary file.

entry service executes suspicious behavior sequence

An attacker uses an entry service to perform a series of malicious operations, such as executing download commands, reading and writing files, and gathering information, all under the same parent process.

adaptive webshell communication blocking

The detection model found malicious webshell communication traffic on your server, which an attacker could use for remote control. Precise Defense successfully blocked this network request to prevent potential damage.

webshell upload

Security Center detected an attack attempt against your server. The Precise Defense feature blocked the malicious request, preventing potential harm. This alert confirms the attack was stopped and does not mean your server was compromised.

scanner

Scanners are often used by attackers to discover live hosts, open ports, and hosts with security risks such as vulnerabilities and weak passwords, often to facilitate further intrusions.

Java general RCE vulnerability blocking

Security Center detected an attack attempt against your server. The Precise Defense feature blocked the malicious request, preventing potential harm. This alert confirms the attack was stopped and does not mean your server was compromised.

adaptive web attack defense

Security Center uses a cloud-based intelligent analysis engine to automatically identify and block various web remote code execution (RCE) attacks, preventing malicious requests from damaging your server. If you believe this block was a false positive, you can disable the corresponding rule on the Proactive Defense - Malicious Behavior Defense page or remove the affected machine from your list of managed hosts.

downloader trojan

A downloader trojan typically downloads and runs third-party programs such as malicious trojans and adware.

host defense link test

This alert is used to test whether the host defense link is effective.

database service information gathering

A database service program executes host commands, such as whoami, netstat, and id, to collect host information and determine whether remote command execution was successful.

Alibaba Cloud Security process protection

Protection against abnormal access to Alibaba Cloud Security processes.

webshell file defense

Security Center found a webshell on your server and detected an attempt to use it. The defense module identified and blocked this behavior. Note: Although this attempt was blocked, you must manually quarantine or delete the webshell file itself. To add this file to an allowlist, go to Protection Configuration > Host Protection > Host Rule Management > Custom Defense Rules and create a new rule for the file path. To disable this feature, go to Protection Configuration > Host Protection > Host Rule Management > System Defense Rules > Webshell File Defense and turn it off.

SQL Server brute-force attack

Security Center detected an attack attempt against your server. The Precise Defense feature blocked the malicious request, preventing potential harm. This alert confirms the attack was stopped and does not mean your server was compromised.

PHP webshell upload

An attacker uses the file upload feature to upload a PHP webshell. Security Center blocks the upload of files with .php and .phtml extensions.

JSP webshell upload

An attacker uses the file upload feature to upload a JSP webshell. Security Center blocks the upload of files with the .jsp extension.

ASP webshell upload

An attacker uses the file upload feature to upload an ASP webshell. Security Center blocks the upload of files with .asp, .ashx, .asa, .asmx, and .cshtml extensions.

webshell upload with special extension

An attacker uses the file upload feature to upload a webshell with a special extension. Security Center blocks the upload of files with .cer and .ascx extensions.

operating system account behavior

This rule set blocks operating system account behavior at the kernel level. It is disabled by default. Evaluate your security needs and enable it if necessary.

webshell upload intelligent defense

Security Center detected an attack attempt against your server. The Precise Defense feature blocked the malicious request, preventing potential harm. This alert confirms the attack was stopped and does not mean your server was compromised.

suspicious file upload via interface

An attacker uses certain interfaces to upload a suspicious webshell. Security Center blocks the upload feature of these interfaces.

information-stealing tool

Information-stealing tools are often used to steal sensitive files and information from a host.

system persistent process access protection

System persistent processes and services carry the core functions of the system. Attackers often access system processes with high-risk permissions to carry out malicious actions. This protection rule prohibits any process from accessing system persistent processes with high-risk permissions, including permissions for thread creation, handle copying, and memory operations. Note: This is a security hardening feature that blocks attempts by default and does not generate alerts. If your workload requires access to system persistent processes, you can disable this protection rule.

RDP brute-force attack

Security Center detected an attack attempt against your server. The Precise Defense feature blocked the malicious request, preventing potential harm. This alert confirms the attack was stopped and does not mean your server was compromised.

SSH brute-force attack

Security Center detected an attack attempt against your server. The Precise Defense feature blocked the malicious request, preventing potential harm. This alert confirms the attack was stopped and does not mean your server was compromised.

malicious driver

An attacker installs a rootkit by installing or compiling malicious code, or by loading driver files such as .ko or .sys.

ransomware

Ransomware is a malicious program that encrypts critical data files on a host and demands a ransom.

non-trusted process startup

The startup of a process that is not on the allowlist was blocked.

anomalous startup of a non-trusted process chain

The startup of an anomalous process in a non-trusted process chain was blocked.

high-risk network operation by a non-trusted process

A process not on the allowlist was blocked from anomalously accessing public or internal IP addresses.

high-risk file operation by a non-trusted process

A high-risk operation by a process not on the allowlist was blocked. An example is anomalously modifying office documents or critical system configuration files.

network request blocking

An anomalous network request was detected and blocked by the Precise Defense feature to prevent harm to your server. This alert does not mean your server has been compromised.

Suspicious Process Behavior

Alert name

Description

Reverse shell

Security Center detected that a reverse shell command was executed on your server. Attackers use this technique to establish a reverse network connection to their own server, which allows them to execute arbitrary commands.

Anomalous command execution in a Java application

This alert indicates that a Java process on your server initiated high-risk behavior, such as downloading malicious programs or adding a backdoor. This activity often results from a vulnerability in a web framework or middleware.

Anomalous command execution in MySQL

This alert indicates that your MySQL service executed a suspicious command. This could be due to a weak password for the MySQL service or an SQL injection vulnerability in a web service.

Anomalous command execution in a PostgreSQL application

This alert indicates that your PostgreSQL service executed a suspicious command. This could be due to a weak password for the PostgreSQL service or an SQL injection vulnerability in a web service.

Exploitation due to misconfigured Redis

This alert is triggered when the Redis application on your server writes a suspicious file to disk. This may indicate an attacker exploited a blank or weak password to execute malicious commands, potentially gaining direct control of the server.

Suspicious writing of a passwordless logon certificate

Alibaba Cloud Security detected an anomalous file change in a directory related to root certificates. This could indicate an attacker is attempting to inject a passwordless certificate into the server for future logon attacks.

Suspicious information leak via HTTP tunnel

This alert indicates that Security Center has detected activity where the output of a command was sent to an external server over an HTTP channel. This may indicate that an attacker is exfiltrating the results of a command executed through a remote code execution (RCE) vulnerability.

Suspicious UDF library file written by misusing the PostgreSQL export function

This alert indicates that the PostgreSQL application on your server attempted to write a suspicious shared object (.so) file to disk. This could indicate that an attacker exploited a weak password to log on and execute malicious SQL. A successful attack could give the attacker control of your server.

Suspicious file written by misusing the MySQL export function

This alert indicates that the MySQL application on your server attempted to write a file to a sensitive directory. This could indicate an attacker exploited a weak password or a vulnerability in a web application to execute malicious SQL.

Suspicious CMD command sequence

This alert is triggered when a process on your system executes a sequence of suspicious commands that closely resembles patterns used by attackers post-compromise. We recommend investigating the parent process, which could be a remote control trojan, a vulnerable web service, or a legitimate process injected with malicious code.

Anomalous operation on a Windows account

This alert indicates that a suspicious command was executed in the context of an operating system account. This could be the result of malware or an attacker performing unauthorized user account operations.

Suspicious script operation

This alert indicates that a highly suspicious command related to a script was executed on your system. This activity is likely associated with malware or a security breach.

Anomalous registry operation

This alert indicates that a command modified the registry in a highly suspicious manner. This could be a configuration change made by malware or an attacker after an intrusion.

Suspicious command execution

This alert indicates that the command line of a process executed on your server is highly suspicious and likely related to a trojan, virus, or malicious attacker activity.

Suspicious obfuscated command in Windows

This alert is triggered when a command line executed on the host is obfuscated. Attackers and malware often use case variations or special characters to obfuscate command lines to bypass security detection.

Suspicious process path

This alert indicates that a process on your server was launched from an unusual path. Legitimate software is typically not located in such directories, suggesting the process could be a virus, trojan, or a tool placed by an attacker.

Suspicious encoded command

This alert indicates that the command line of a process executed on your server is highly suspicious and likely related to a trojan, virus, or malicious attacker activity.

Suspicious command sequence in Linux

This alert is triggered when a process on your system executes a series of suspicious commands that closely resembles patterns used by attackers post-compromise. We recommend investigating the parent process, which could be a reverse shell, a remote control trojan, a vulnerable web service, or a legitimate process injected with malicious code.

Anomalous deletion of system logs

This alert indicates that a process on your system attempted to delete system logs. Attackers and malware often clear system logs to evade detection.

Anomalous deletion of system backups

This alert indicates that a process on your system attempted to delete system backup files. This could be an action by ransomware to prevent file restoration and ensure the ransom is paid.

Anomalous modification of system security configuration

This alert indicates that a process on your system modified the system security configuration. This could be malware or an attacker modifying firewall or antivirus software configurations to evade detection.

Anomalous call to a system tool

This alert indicates that a process on your system called a system tool in a suspicious manner. Trojans, viruses, or attackers often use this method to bypass conventional security software to perform malicious actions such as downloading files, encrypting data, or loading malicious code.

Anomalous modification of a startup item

This alert indicates that a process on your system attempted to modify a system startup item. This could be a trojan, virus, or an attacker using a startup item to maintain persistence.

Suspicious probing command

This alert indicates that a command typically used for reconnaissance was executed. Attackers use probing commands to gather information about the system environment, network configuration, or running services.

Suspicious command execution inside a container

This alert indicates anomalous command execution inside your container, which suggests a potential intrusion.

Running a malicious container image

This alert indicates that your server is running a malicious container image. This image is highly likely to contain a backdoor, mining program, virus, or known severe vulnerability. Investigate immediately and use trusted image resources.

Privilege escalation or escape inside a container

Security Center has detected suspicious behavior inside a container, such as an attempt at privilege escalation or container escape. Common techniques include accessing docker.sock, using escape tools, or creating cgroups. This activity may also be part of a legitimate operation. If this is an authorized operation, you can ignore the alert or mark it as a false positive.

Privileged container startup

This alert indicates that a suspicious privileged container has started on your server. A privileged container weakens runtime security and, if compromised, can endanger other containers and assets on the host. Ensure that your privileged container uses a trusted image source and that its running services are secure.

Risky Docker remote debugging interface

This alert indicates that your Docker remote debugging interface is exposed to 0.0.0.0. An interface exposed to the public internet can be quickly compromised by a worm. Even an internally exposed interface presents a risk, as attackers often use such misconfigurations for lateral movement to control additional container resources after an initial breach.

Suspected privilege escalation

This alert indicates that a process on your server is likely exploiting a system or application vulnerability to gain higher privileges. This may be a privilege escalation attempt by an attacker during an intrusion.

Anomalous container behavior

Security Center has detected manual operations inside your container, such as installing software, executing scripts, or probing the container environment. This is a common tactic for lateral movement and privilege escalation after a container compromise, but it can also be part of a legitimate operation. If you determine this alert is a false positive, you can select "Add to whitelist" or "Ignore" on the alert handling page.

Container initiating network scanning behavior

This alert indicates that your container initiated suspicious network scanning behavior. This may be a method used by an attacker for further penetration and lateral movement.

Credential information gathering inside a container

This alert indicates that access to sensitive files was detected inside your container. These files can include configuration files for Docker, Swarm, or Kubernetes; database connection configurations; logon credentials; an AccessKey; certificates; and private key files. Immediately check for an intrusion and the risk of a data breach.

High-risk container operation

This alert indicates that your server is performing a high-risk container operation. See the alert details for the specific reason. Investigate this behavior. If this is a legitimate operation, you can ignore the alert or mark it as a false positive.

File time tampering

This alert indicates that a process on your server attempted to tamper with a file's timestamp. Attackers may use this technique to forge the true creation, access, or modification times of a malicious file to evade detection by mimicking the timestamps of normal system files.

Network proxy forwarding behavior

This alert indicates that your server called a risky tool. Such tools are used by attackers for proxying, tunneling, and scanning as part of further intrusions.

Masquerading as a Kubernetes system container

Security Center has detected that a Docker command was executed on your server to start a container masquerading as a Kubernetes internal service. This is a common tactic used by attackers to hide a backdoor container by naming it after a legitimate Kubernetes internal container.

Sensitive manual operation inside a container

Security Center has detected manual operations inside your container, such as installing software, executing scripts, or probing the container environment. This often occurs when an attacker needs to enrich the container's environment for lateral movement after a compromise. It may also occur during testing. Confirm whether the action is authorized. If the operation is legitimate, you can add a rule to the whitelist to suppress this alert.

Suspicious probing command sequence in a container environment

Security Center has detected a sequence of suspicious commands executed in a container environment. This is common when an attacker, after gaining access to the container, probes the host environment, cluster information, or container escape conditions to achieve privilege escalation and lateral movement. Because these actions are subtle, they may also be part of a legitimate operation. Investigate whether the access and actions from the source IP address are part of a normal operation.

Worm command

This alert is triggered when a command associated with a worm is executed. Worms use such commands to self-replicate and spread to other systems.

Penetration tool exploitation behavior

This alert indicates that behavior associated with the use of a penetration testing tool was detected. While these tools can be used for legitimate security testing, their unauthorized use may indicate an attack.

Calling a scanning tool

This alert indicates that a network or vulnerability scanning tool was called. This is a common reconnaissance technique used by attackers to discover weaknesses in a system.

Starting a suspicious image

Security Center has found that your server started a container from a suspicious image. This is common when an attacker exploits a service vulnerability to schedule a container and implant a malicious image for mining or creating a backdoor. Investigate immediately. If this is legitimate, you can ignore the alert or mark it as a false positive. Security Center maintains a malicious image intelligence library by analyzing public repositories and monitoring how malicious images spread in the cloud. You can use the Image Scan feature to check images for vulnerabilities and malicious files.

Suspicious PowerShell instruction

Attackers often use PowerShell for malicious activities such as downloading files, executing fileless malware, or creating a reverse shell.

Suspicious file implantation behavior

This alert is triggered when a suspicious file is created or written to disk. This may indicate that an attacker compromised the system and is implanting malware or other tools.

LSASS memory dump

This alert indicates that malware, such as Mimikatz, was detected running on your server. This type of tool can extract account hashes from the Local Security Authority Subsystem Service (LSASS) process, which can lead to credential compromise.

Extracting operating system identity credentials

This alert is triggered when activity associated with extracting operating system credentials, such as password hashes or Kerberos tickets, is detected. Attackers use this technique to escalate privileges or move laterally within a network.

Suspicious process behavior sequence

This alert is triggered when a process starts multiple suspicious child processes. This may indicate that a vulnerable application service has been compromised or that the parent process itself is malicious.

Executing a file dynamically loaded from memory

This alert indicates that a file was dynamically loaded from memory and executed. This "fileless" technique is often used by malware to evade detection by traditional file-based scanners.

Suspected process injection

A process injected code into another process. Attackers use this technique to bypass detection, escalate privileges, or access sensitive information in memory.

We recommend you take the following actions:

1. Examine the source and target process files. If they are not legitimate, terminate the processes and quarantine the files. If they are legitimate, restart or terminate the processes if there is no impact on your services.

2. Correlate this alert with other alerts on the same system to assess the potential impact of the intrusion and take further action.

3. Analyze the cause of the intrusion and patch the relevant security vulnerability.

Web application creates anomalous child process

This alert indicates that a web application created an unusual child process. Legitimate web applications typically do not spawn shells or other unexpected processes. This behavior could indicate a successful remote code execution exploit.

Suspected internal network lateral attack

This alert indicates behavior consistent with lateral movement within your internal network, such as attempts to connect to other hosts using stolen credentials or network service exploits. This often follows an initial compromise.

Persistence backdoor creation behavior

This alert is triggered when Security Center detects the creation of a persistence mechanism, such as a new service, scheduled task, or registry key, that is commonly used to maintain access to a compromised system.

Persistence backdoor startup behavior

This alert is triggered when a known or suspected persistence mechanism is activated. This indicates that a previously established backdoor is now running.

Process command line obfuscation

This alert indicates that the command line of a process on the host contains obfuscated encoding, which suggests that a malicious program or an attacker is attempting to bypass security detection.
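The two obfuscation alerts above ("Suspicious obfuscated command in Windows" and "Process command line obfuscation") describe case mixing and encoded command lines as evasion signals. The following is an added example, not Security Center's detection logic or code from this page: it decodes a PowerShell `-EncodedCommand` argument (base64 of UTF-16LE text) and scores each token for letter-case alternation. The sample command lines are constructed; the encoded one is built inside the block so its base64 is guaranteed valid, and the set of recognised encoded-command switch spellings and the 0.6 threshold are assumptions.

```python
import base64
import re

# Constructed sample command lines (not taken from the page or from Security Center).
# The encoded sample is built here so the base64 is guaranteed to be valid UTF-16LE.
BENIGN_PLAIN = "Get-ChildItem C:\\Temp"
INNER_COMMAND = "Write-Output hello"  # harmless hypothetical payload
ENCODED_B64 = base64.b64encode(INNER_COMMAND.encode("utf-16-le")).decode("ascii")
SAMPLE_ENCODED = f"powershell.exe -NoProfile -EncodedCommand {ENCODED_B64}"
SAMPLE_MIXED_CASE = "cmd.exe /c pOwErShElL -nOp -w hIdDeN iex(...)"

# PowerShell accepts abbreviated parameter names; these spellings of the
# encoded-command switch are the ones this example recognises (assumption).
ENC_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)


def decode_utf16_base64(token: str):
    """Decode a base64 token as UTF-16LE text; return None if it is not valid."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def case_transition_ratio(word: str) -> float:
    """Fraction of adjacent letter pairs whose case differs; 1.0 means every
    letter alternates case, which legitimate tokens almost never do."""
    letters = [c for c in word if c.isalpha()]
    if len(letters) < 4:
        return 0.0
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / (len(letters) - 1)


def analyze_cmdline(cmdline: str, threshold: float = 0.6) -> dict:
    """Return the decoded -EncodedCommand payload (if any), the tokens whose
    case mixing reaches the threshold, and an overall suspicious verdict."""
    tokens = cmdline.split()
    decoded = None
    mixed = []
    skip_next = False
    for i, tok in enumerate(tokens):
        if skip_next:  # the base64 blob itself is not scored for case mixing
            skip_next = False
            continue
        if ENC_FLAG.match(tok) and i + 1 < len(tokens):
            decoded = decode_utf16_base64(tokens[i + 1])
            skip_next = True
            continue
        if case_transition_ratio(tok) >= threshold:
            mixed.append(tok)
    return {
        "decoded_command": decoded,
        "mixed_case_tokens": mixed,
        "suspicious": decoded is not None or bool(mixed),
    }


if __name__ == "__main__":
    for sample in (BENIGN_PLAIN, SAMPLE_ENCODED, SAMPLE_MIXED_CASE):
        print(sample[:60], "->", analyze_cmdline(sample))
```

Feed `analyze_cmdline` the command line recorded in the alert details; when a payload decodes, review the decoded text rather than the opaque blob, and treat a decoded command plus case-mixed tokens in the same line as stronger evidence than either signal alone.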

Cloud environment information collection

This alert indicates that commands were used to collect information about the cloud environment, such as instance metadata, user data, or IAM role credentials. Attackers perform this reconnaissance to understand the environment and identify further targets.

Executing an anomalous scheduled task

This alert indicates that the system's scheduled task component created a suspicious process. This may be the result of a malicious program or an attacker adding malicious code to a scheduled task to maintain persistence after gaining access to the host.

SSH backdoor

A backdoor process related to Secure Shell (SSH) was detected. After gaining access to a Linux host, an attacker or malicious program may modify SSH-related files or configurations to create a logon backdoor.

Editor extension backdoor

A suspected backdoor related to an editor extension was found. Malicious programs or attackers may use the extension functionality of a normal editor to hide a backdoor.

Suspected escape by file tampering

Security Center has detected an attempt to open an important file in write mode. This technique is often used to escape from a container to the host by tampering with the file. Investigate the process, the file being accessed, and the file's open attributes to determine if this is a legitimate operation. If the operation is legitimate, you can ignore the alert or mark it as a false positive.

Requesting an out-of-band (OOB) attack domain

A process on the host was detected requesting a domain name commonly used for data exfiltration in an out-of-band (OOB) attack. Attackers often build into a payload a request to a domain they control, sent when exploitation succeeds, and then monitor DNS requests to that domain to confirm the attack worked.

Anomalous pseudo-terminal shell creation behavior

This alert is triggered by the creation of an anomalous pseudo-terminal (PTY) shell. While PTYs are used for legitimate interactive sessions, their unexpected creation by a web service or non-interactive process can indicate a reverse shell or backdoor.

Accessing a suspicious mining pool domain

A process on the host was detected requesting a suspicious mining pool domain. This may indicate that the system is communicating with a mining pool. Investigate for mining activity based on the alert and recommended actions.

Container escape program startup

The usermode-helper API is a Linux kernel mechanism for calling a user-specified user-space program (for example, a program specified in files like /proc/sys/kernel/core_pattern). When executed, this program runs with host root privileges. This mechanism should not typically be used in a container. Therefore, when a program inside a container is called by the host kernel, it usually indicates a container escape.
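The entry above explains that a pipe handler in core_pattern is launched by the host kernel as root, so a handler located under a container's root filesystem is a strong escape indicator. The following is an added example, not Security Center's check or code from this page: it parses a core_pattern value, flags a pipe handler that is relative, not on an allowlist, or located under a container root prefix, and can read the live settings. The sysctl paths are real Linux kernel interfaces; the handler allowlist, the overlay2 root prefix and the sample values are assumptions constructed for the example.

```python
# Constructed example values; the sysctl paths are real Linux kernel interfaces,
# the handler allowlist and the container root prefix are assumptions.
KNOWN_CORE_HANDLERS = (
    "/usr/lib/systemd/systemd-coredump",
    "/lib/systemd/systemd-coredump",
    "/usr/share/apport/apport",
)

# Kernel settings that name a user-space program the host kernel will execute.
USERMODE_HELPER_SETTINGS = {
    "core_pattern": "/proc/sys/kernel/core_pattern",
    "modprobe": "/proc/sys/kernel/modprobe",
    "uevent_helper": "/sys/kernel/uevent_helper",
}


def parse_core_pattern(value: str) -> dict:
    """A leading '|' tells the kernel to pipe the core dump into a helper program."""
    value = value.strip()
    if not value.startswith("|"):
        return {"mode": "file", "helper": None, "args": []}
    parts = value[1:].split()
    return {"mode": "pipe", "helper": parts[0] if parts else "", "args": parts[1:]}


def assess_helper_path(helper: str, container_roots=(), allowlist=KNOWN_CORE_HANDLERS) -> list:
    """Reasons a helper path looks wrong: relative, unknown, or located under a
    container's root filesystem (a host-kernel-launched program there signals escape)."""
    reasons = []
    if not helper.startswith("/"):
        reasons.append("relative helper path")
    if helper not in allowlist:
        reasons.append("helper not in allowlist")
    for root in container_roots:
        if helper.startswith(root.rstrip("/") + "/"):
            reasons.append(f"helper resolves inside container root {root}")
    return reasons


def assess_core_pattern(value: str, container_roots=()) -> dict:
    """Parse one core_pattern value and attach a verdict with its reasons."""
    info = parse_core_pattern(value)
    reasons = assess_helper_path(info["helper"], container_roots) if info["mode"] == "pipe" else []
    return {**info, "suspicious": bool(reasons), "reasons": reasons}


def read_setting(path: str):
    """Read a live kernel setting; returns None where the file is absent or unreadable."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return None


def scan_live(container_roots=()) -> dict:
    """Audit the host's real settings; core_pattern is parsed, the others are
    reported raw so an operator can compare them against the expected value."""
    results = {}
    for name, path in USERMODE_HELPER_SETTINGS.items():
        raw = read_setting(path)
        if name == "core_pattern" and raw is not None:
            results[name] = assess_core_pattern(raw, container_roots)
        else:
            results[name] = {"raw": raw}
    return results


if __name__ == "__main__":
    # Constructed sample: the overlay2 'merged' directory is where a container's
    # root is visible on the host (the path hash is a placeholder).
    root = "/var/lib/docker/overlay2/PLACEHOLDER/merged"
    print(assess_core_pattern("|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h"))
    print(assess_core_pattern(f"|{root}/tmp/helper.sh", container_roots=(root,)))
    print(scan_live(container_roots=(root,)))
```

Run `scan_live` on the host (not inside a container, where the settings may be read-only or masked) and pass the host-side root directories of running containers as `container_roots`; a core_pattern helper that fails the allowlist but is a legitimate site-specific handler should be added to `KNOWN_CORE_HANDLERS` rather than ignored.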

Windows token tampering for privilege escalation

This alert indicates an attempt to tamper with a Windows access token. Attackers use this technique to impersonate other users or escalate from a lower-privileged account to a higher-privileged one, such as SYSTEM.

Accessing a suspicious tunnel domain

A process on the host was detected requesting a suspicious tunnel domain. This may indicate that the system is being used for tunnel proxy communication. Investigate further based on the alert and recommended actions.

Anomalous modification of a system file

This alert is triggered by an anomalous modification of a critical system file. This could be an attempt to disable security controls, create a backdoor, or otherwise compromise the integrity of the operating system.

Modifying a registry auto-start item

This alert is triggered by a modification to a registry key used for automatic program startup. Malware often uses this technique to achieve persistence across system reboots.

Scheduled task modification behavior

This alert indicates a modification to a scheduled task. Attackers often create or modify scheduled tasks to execute malicious code at regular intervals for persistence.

Suspicious system policy modification behavior

This alert indicates a suspicious modification to a system security policy. This could be an attempt to weaken security settings, such as audit policies or user rights assignments, to evade detection or facilitate further attacks.

Web application modifies anomalous file

This alert is triggered when a web application modifies a file in an unusual way, such as writing an executable file to a web-accessible directory. This often indicates a successful file upload vulnerability exploit.

Parent process spoofing

This alert is triggered when a process is launched with a spoofed parent process. This is a defense evasion technique used to make a malicious process appear as if it were launched by a legitimate system process.

Container mounts high-risk host path

This alert indicates that a container was started with a high-risk host path mounted, such as /proc or the Docker socket. This configuration can be exploited to escape the container and gain privileges on the host.
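The "Privileged container startup" and "Container mounts high-risk host path" entries both concern container configuration that weakens isolation. The following is an added example, not Security Center's detection or code from this page: it audits a JSON array in the shape of `docker inspect` output and reports privileged mode, the host PID namespace, and bind mounts whose host source is, or lies under, a high-risk path. The sample records, container names and ids are constructed placeholders, and the high-risk path list is an assumption that extends the page's own examples (/proc and the Docker socket).

```python
import json

# Host paths whose bind mount into a container is treated as high-risk (assumption
# for this example; the page itself names /proc and the Docker socket).
HIGH_RISK_HOST_PATHS = (
    "/", "/proc", "/sys", "/dev", "/etc", "/root",
    "/var/run/docker.sock", "/run/docker.sock",
)

# Constructed sample in the shape of `docker inspect` output (container ids and
# names are placeholders, not real data).
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "placeholder-id-1", "Name": "/web",
        "HostConfig": {"Privileged": False, "PidMode": ""},
        "Mounts": [{"Type": "bind", "Source": "/srv/app", "Destination": "/app", "RW": False}],
    },
    {
        "Id": "placeholder-id-2", "Name": "/agent",
        "HostConfig": {"Privileged": True, "PidMode": "host"},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": True}],
    },
    {
        "Id": "placeholder-id-3", "Name": "/monitor",
        "HostConfig": {"Privileged": False, "PidMode": ""},
        "Mounts": [{"Type": "bind", "Source": "/proc", "Destination": "/host/proc", "RW": False}],
    },
])


def is_high_risk_source(source: str) -> bool:
    """True if the host path is, or lies under, one of the high-risk paths."""
    src = source.rstrip("/") or "/"
    for risky in HIGH_RISK_HOST_PATHS:
        r = risky.rstrip("/") or "/"
        if src == r or (r != "/" and src.startswith(r + "/")):
            return True
    return False


def audit_container(container: dict) -> list:
    """Return the risk findings for one container record."""
    findings = []
    host_cfg = container.get("HostConfig", {})
    if host_cfg.get("Privileged"):
        findings.append("privileged")
    if host_cfg.get("PidMode") == "host":
        findings.append("host PID namespace")
    for mount in container.get("Mounts", []):
        if mount.get("Type") == "bind" and is_high_risk_source(mount.get("Source", "")):
            mode = "rw" if mount.get("RW") else "ro"
            findings.append(f"high-risk host path {mount['Source']} mounted {mode}")
    return findings


def audit_inspect_output(text: str) -> dict:
    """Map container name -> findings for a JSON array as produced by `docker inspect`."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(text)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "->", findings or ["no findings"])
```

On a real host, `docker inspect $(docker ps -q)` produces the JSON array this expects; a read-only mount of /proc for a monitoring agent may be an accepted exception, but a writable Docker socket or privileged mode in a container that does not need it should be treated as an alert in its own right.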

Hijacking control flow using an environment variable

This alert indicates an attempt to hijack the control flow of a program by manipulating environment variables, such as LD_PRELOAD. This technique can be used to load malicious code into a legitimate process.

Webshell

Alert name

Description

Webshell file found

The detection model found a suspicious webshell file on your server. This backdoor file may have been implanted by an attacker to maintain persistent access after compromising a website.

Log or image file containing webshell code

The detection model found webshell code within a file on your server. This may indicate an attacker is attempting to exploit a file inclusion vulnerability.

Arbitrary file write backdoor found

Security Center found a file on your system disk that could be used to write arbitrary files. This file may have been implanted by an attacker after compromising the network, or it could be a legitimate O&M file. Confirm the file's legitimacy before taking action.

Information-stealing backdoor found

Security Center found a file on your system disk that could be used to steal information, such as a database operation log. This file may have been implanted by an attacker after compromising the network, or it could be a legitimate O&M file. Confirm the file's legitimacy before taking action.

Trojan or hotlinking backdoor file found

The detection model found a suspicious trojan file on your system disk. It may have been implanted by an attacker after compromising a website. This file can perform malicious actions, such as unauthorized traffic redirection and hotlinking. Confirm the file's legitimacy before taking action. If an administrator intentionally deployed this file, you can ignore the alert or mark it as a false positive in the console.

DLL-type web backdoor found

The detection model found a suspicious webshell file on your server. This backdoor file may have been implanted by an attacker to maintain persistent access after compromising a website.

Unusual Logon

Alert name

Description

Logon to an ECS instance from an unusual location

The logon location is not one of the legitimate locations you defined. Verify that this logon is authorized.

Logon to an ECS instance from an unusual IP address

The logon IP address is not one of the legitimate IP addresses you defined. Verify that this logon is authorized.

Logon to an ECS instance with an unusual account

The logon account is not one of the legitimate accounts you defined. Verify that this logon is authorized.

Logon to an ECS instance at an unusual time

The logon time is outside the legitimate time range you defined. Verify that this logon is authorized.

Successful brute-force attack on an ECS instance

A logon to your ECS instance succeeded after numerous failed attempts, suggesting a brute-force attack has compromised the password.

Successful brute-force attack on an ECS instance (SSH)

An attacker gained access to your system by successfully guessing the SSH service password after multiple attempts.

Successful brute-force attack on an ECS instance (RDP)

An attacker gained access to your system by successfully guessing the RDP service password after multiple attempts.

Anomalous command sequence executed after ECS logon (SSH)

Malicious commands were executed on your server after a logon from a specific IP address. This may indicate that an attacker gained access by using a weak or compromised password.

Anomalous account logon

This alert is triggered when a logon is detected from an anomalous account added to the administrator group. If this was not an authorized action, delete this account immediately.

Logon from a malicious IP address

A logon to your server succeeded from a known malicious IP address. If you do not recognize this logon, rotate your ECS password immediately.

Backdoor account logon

A successful logon from a backdoor account on your server was detected. If this was not an authorized action, delete this account immediately.

Suspected outbound logon scanning activity

Your server is frequently initiating outbound brute-force attacks against protocols such as SSH, RDP, and SMB. This behavior indicates that your server may be compromised and used as a springboard to attack other machines.

Successful brute-force attack on an ECS instance (multiple invalid users)

An IP address successfully logged on to your server after trying multiple invalid usernames. If you do not recognize this logon, rotate your ECS password immediately.

Logon from a malicious IP address (MySQL)

A logon to MySQL on your server succeeded from a known malicious IP address. If you do not recognize this logon, rotate your MySQL password immediately.

Logon from a malicious IP address (FTP)

A logon to FTP on your server succeeded from a known malicious IP address. If you do not recognize this logon, rotate your FTP password immediately.

Logon from a malicious IP address (SQL Server)

A logon to SQL Server on your server succeeded from a known malicious IP address. If you do not recognize this logon, rotate your SQL Server password immediately.

Malware

Alert name

Description

Trojan

A trojan is a malicious program that infiltrates a host by disguising itself as legitimate software. Once implanted, it typically downloads and executes other malicious payloads.

Suspicious C2 trojan communication

Communication with a malicious command and control (C2) server was detected, indicating a trojan infection.

DDoS trojan

A DDoS trojan is a malicious program that receives commands from an attacker to launch DDoS attacks against a target.

Ransomware

Ransomware is a malicious program that encrypts critical files on a host and demands a ransom for their decryption.

Backdoor

A backdoor is a program implanted in a system that gives an attacker persistent, unauthorized access.

Infectious virus

An infectious virus is a type of malware that injects malicious code into legitimate program files. Running an infected program then spreads the virus further.

Worm

A worm is a program that spreads from a compromised host to other hosts, typically by exploiting vulnerabilities or brute-forcing passwords.

Malicious program

A program that exhibits multiple malicious behaviors, or a third-party program known to cause disruption or damage.

Mining program

A mining program illicitly uses the server's computing resources to mine cryptocurrency. This activity typically causes high CPU usage and can be accompanied by other malware.

Suspicious program

A program that exhibits characteristics of malicious code or suspicious behavior but has not yet been definitively classified. You should evaluate the program based on the information provided.

High-risk program

A program, detected by a cloud-based scan, that poses a significant threat to system security.

Self-mutating trojan

A trojan that evades detection and removal by altering its own hash, copying itself to multiple locations, and running in the background.

Tainted basic software

A legitimate system program that has been injected with malicious code. It may retain its original functionality while also performing hidden malicious actions.

Exploit program

A program that attacks known vulnerabilities in the operating system or applications to escalate privileges, escape containers, or execute arbitrary code.

Hacking tool

A tool used by an attacker to escalate privileges, steal sensitive data, or uninstall security software. It can also be implanted as a backdoor after an intrusion.

Rootkit

A malicious module implanted at a low level of the system to hide its own traces or those of other malicious programs.

Rootkit kernel module

A rootkit that operates at the kernel level. This type of rootkit is especially difficult to detect and remove because it can modify the core of the operating system.

Highly suspicious program

A program that exhibits strong characteristics of malicious code but has not been definitively classified. You should evaluate the program and treat it with high priority.

Riskware

Software that is not inherently malicious but has functions that can pose a security threat if misused. Common examples include remote administration and process management tools. You should evaluate its use case based on the provided information.

Downloader trojan

A trojan designed to download and execute other malicious software, such as other trojans or adware.

Proxy tool

A tool used by attackers for operations like proxying and tunneling, often to conceal their activity or facilitate further server intrusion.

Engine test program

A program used to verify that a security detection engine is functioning correctly. It is typically harmless.

Information-stealing tool

A tool designed to steal sensitive files and information from a server.

Scanner

A tool used by attackers to discover live hosts, open ports, and security risks like vulnerabilities and weak passwords. Scanning is often a prelude to further intrusion.

Adware

Software, typically bundled with legitimate programs, that displays unwanted advertisements, disrupts normal use, and consumes system resources.

Obfuscated program

A program whose code has been intentionally obscured to make it difficult to analyze. Malware often uses obfuscation to evade detection by security software.

Cracking program

A tool designed to bypass software licensing or digital rights management (DRM). The source of such programs is often untrustworthy, and they may contain malware.

Private server tool

A tool used to emulate a private server, typically for online games or as a form of cheating software. These tools may contain malicious code.

Reverse shell

A shell session initiated from the target server to an attacker's machine. This technique is often used to bypass firewall rules that block incoming connections.

Malicious document

A document file, such as a PDF or Office document, containing a malicious payload. Attackers often use these in phishing campaigns to compromise a system.

Cloud Service Threat Detection

Alert name

Description

Unusual logon of a RAM user

This alert is generated when a RAM user in your Alibaba Cloud account logs on from an unusual location. This can occur during legitimate activity, such as when you log on from a new device or location. However, if you do not recognize this activity, the RAM user's credentials may be compromised.

Malicious IP address using an AccessKey

This alert indicates that your AccessKey was used by a known malicious IP address. If you do not recognize this activity, you should immediately disable and rotate the AccessKey.

Suspicious access to OSS

This alert indicates anomalous access to your OSS bucket from an OSS tool. This activity can be triggered by a change in the calling IP address or a failed API call. You should verify that the source IP address and the tool's activity are legitimate. If the activity is unauthorized, it may indicate that an attacker has gained control of your OSS bucket.

Anomalous command from Cloud Assistant

This alert is triggered when an attacker executes a malicious command on your server by using the Cloud Assistant OpenAPI. This behavior strongly suggests that your AccessKey has been compromised and is being used by an attacker.

Anomalous AccessKey call

This alert indicates that your AccessKey was used to make an anomalous API call.

ECS instance role credential called externally

This alert is generated when an external IP address uses the STS temporary credentials of a role granted to an ECS instance. This may indicate that the ECS instance has been compromised and an attacker has stolen the associated role credentials. Alibaba Cloud recommends that you use STS temporary credentials only on the host from which they were requested. For more information about ECS instance roles, see Instance RAM role.

Cloud Assistant registration hijacking

This alert indicates that another Alibaba Cloud account is attempting to install Cloud Assistant on your ECS instance to gain remote command execution capabilities. You should immediately confirm whether this action was performed by authorized O&M personnel and investigate the server for other anomalous activities.

Hacking tool using an AK

This alert is generated when a known hacking tool is detected using your AK. You should immediately investigate to determine if this is legitimate user activity.

ECS role credential called by another Alibaba Cloud account

This alert is generated when a different Alibaba Cloud account uses the STS temporary credentials of a role granted to an ECS instance. This may indicate that the ECS instance has been compromised and an attacker has stolen the associated role credentials. Alibaba Cloud recommends that you use STS temporary credentials only on the host from which they were requested. For more information about ECS instance roles, see Instance RAM role.

Anomalous call to a sensitive API by an ECS role credential

This alert is triggered when a role attached to your ECS instance is used to perform a sensitive API operation. You should immediately verify the identity of the calling IP address and confirm whether this activity is legitimate. Even if the IP address belongs to another ECS instance within your account, you should investigate it for potential compromise. Attackers often steal ECS instance role credentials by compromising a server or website and then use these credentials to make sensitive API calls.

Suspicious identity calling a sensitive API

This alert is generated when an identity performs a sensitive API operation on your account from an unusual geographic location. You should verify the identity of the caller and the legitimacy of the operation to mitigate the risk of a compromised AK.

Anomalous traversal of ECS resources

This alert indicates that an identity is enumerating ECS instances across multiple regions from an unusual geographic location. This activity is a common reconnaissance technique. You should verify the identity of the caller and the legitimacy of the operation to mitigate the risk of a compromised AK.

Anomalous traversal of RDS resources

This alert indicates that an identity is enumerating RDS instances across multiple regions from an unusual geographic location. This activity is a common reconnaissance technique. You should verify the identity of the caller and the legitimacy of the operation to mitigate the risk of a compromised AK.

Anomalous traversal of OSS access permissions

This alert is triggered when an identity enumerates the access control list (ACL) of multiple OSS buckets from an unusual geographic location. You should verify the identity of the caller and the legitimacy of the operation to mitigate the risk of a compromised AK.

Anomalous creation of a high-privilege sub-account

This alert indicates that an identity created a RAM user with administrator privilege and enabled web console logon for that user. This is a common tactic used by attackers to create a backdoor for persistent access. You should immediately investigate to determine whether this RAM user was created by authorized personnel.

Anomalous traversal of multiple sub-account permissions

This alert is generated when an identity enumerates the permission policies of multiple sub-accounts from an unusual geographic location. You should verify the identity of the caller and the legitimacy of the operation to mitigate the risk of a compromised AK.

Anomalous traversal of a single sub-account's permissions

This alert is triggered when an identity enumerates the permission policies of a sub-account and its associated user groups from an unusual geographic location. You should verify the identity of the caller and the legitimacy of the operation to mitigate the risk of a compromised AK.

Anomalous traversal of role permissions

This alert indicates that an identity is enumerating the permission policies of multiple roles in your account from an unusual geographic location. You should verify the identity of the caller and the legitimacy of the operation to mitigate the risk of a compromised AK.

Anomalous configuration of public network access for a database

This alert is triggered when an identity configures a database for public access and adds an IP whitelist from an unusual geographic location. You should verify the identity of the caller and the legitimacy of the operation to mitigate the risk of a compromised AK.

Anomalous creation of a high-privilege role

This alert indicates that an identity created a role with administrator privilege. Alibaba Cloud recommends granting roles only the permissions required for a service, rather than full administrator privilege. You should immediately verify whether the creation of this role is a legitimate business requirement.

Anomalous permission probing behavior

This alert is generated when an identity enumerates the API call permissions for multiple cloud products. This behavior resembles the automated activity of a hacking tool. You should immediately verify the identity of the caller and the legitimacy of the operation to mitigate the risk of a compromised AK.

RAM user logs into the console and performs sensitive operations

This alert is triggered when a RAM user with web console logon enabled performs a sensitive operation on the console.

Unusual Network Connection

Alert name

Description

Outbound connection to a malicious download source

This alert is triggered when Security Center detects your server attempting to access a malicious download source over HTTP. This activity may indicate that an attacker has compromised the server by using a weak password or exploiting a command execution vulnerability and is now attempting to download malicious files.

Suspected sensitive port scanning

This alert is triggered when Security Center detects a process on your server making an unusually high number of network requests to sensitive ports in a short period. This behavior is characteristic of port scanning.

Anomalous network connection in Windows

This alert is triggered when Security Center detects anomalous network connection behavior from a process on your system. This type of activity is often associated with malware such as a virus or trojan, or with malicious actions by an attacker.

Reverse shell outbound network connection

This alert is triggered when Security Center detects a suspected outbound network connection characteristic of a reverse shell. A reverse shell allows an attacker to establish a connection from your server back to their own, which can then be used to execute arbitrary commands. Investigate this activity immediately. If this is a legitimate O&M operation or business function, you can ignore the alert or mark it as a false positive.

Suspicious port listening

This alert is triggered when Security Center detects a process listening on a suspicious port.

Internal network scan

This alert is triggered when Security Center detects a process on your server making connection attempts to specified ports on multiple IP addresses in the internal network in a short period. This behavior is a strong indicator of an internal network scan, a common lateral movement technique used by attackers after an initial compromise.

Suspicious manual access to a container API

This alert is triggered when Security Center detects suspicious manual access to a container API. If authentication and authorization are not enabled for your container service, an attacker can exploit this access to retrieve container information, create containers, execute commands within a container, or upload a malicious image. This activity may also be a legitimate manual O&M operation. Investigate immediately.

Malicious Script

Alert name

Description

Malicious script file detected

The detection model detected a malicious script file on your server. An attacker likely implanted this file after a successful compromise. Verify the file's legitimacy based on its tags and take appropriate action.

Malicious script code execution

The detection model detected malicious Bash, PowerShell, or Python script code executing on your server.

Suspicious download behavior detected

The detection model detected suspicious download activity on your server. This activity might result from a command an attacker executed after a successful compromise. Verify the command's legitimacy and take appropriate action.

Suspicious script file detected

The detection model detected a suspicious script file on your server. An attacker may have implanted this file after a successful compromise. Verify the file's legitimacy based on its tags and take appropriate action.

Suspicious script code execution

The detection model detected suspicious Bash, PowerShell, or Python script code executing on your server.

Malicious script

SCRIPT_agentless.

File containing malicious code

The detection model detected a malicious script file on your server. An attacker likely implanted this file after a successful compromise. Verify the file's legitimacy based on its tags and take appropriate action.

File containing suspicious code

The detection model detected a suspicious script file on your server. An attacker may have implanted this file after a successful compromise. Verify the file's legitimacy based on its tags and take appropriate action.

Persistent Webshell

Alert name

Description

Anomalous code resident in memory

Security Center detected malicious code in the memory space of a process. This may indicate that malicious instructions were injected into a legitimate process after it started, or that the process file itself is malicious.

We recommend taking the following actions:

1. Examine the process file. If it is not a legitimate file, terminate the process and quarantine the file. If it is a legitimate process, terminate it if doing so does not affect your services.

2. Correlate this alert with other alerts on the machine to assess the potential impact of the intrusion and take further action.

3. Analyze the root cause of the intrusion and patch the relevant security vulnerabilities.

Backdoor process

This alert indicates that a suspicious process, potentially a backdoor, was detected on your server. An attacker may use this technique to maintain persistent access.

Auto-start backdoor

Security Center detected an anomalous auto-start item on your host. This is likely a persistence mechanism implanted by malware or an attacker. If not addressed, the malicious program may be re-implanted. We recommend performing a full scan and cleaning the host with antivirus protection features, or manually resolving the issue based on the alert details.

Anomalous process persistence

This alert indicates that an anomalous process is running on your server. This could be a malicious program or a legitimate program that has loaded malicious code.

Malicious auto-start script

This alert indicates that suspicious files were found in your server's auto-start items. This could be a persistence technique used by malware or an attacker through scheduled tasks or auto-start scripts.

Hidden process

Security Center detected a process hidden from standard viewing tools. Malware or attackers often use various techniques to hide malicious processes. This may indicate the host has been compromised by a rootkit backdoor.

SSH public key backdoor

This alert indicates that an anomalous SSH public key was found on your server. Worms or attackers are known to add such keys to compromised servers to maintain persistent access.

Cobalt Strike remote control Trojan

Security Center detected a Cobalt Strike remote control backdoor in the memory of this process.

This can result from a process injection attack where malicious code is injected into a legitimate process. Even if the process file is legitimate, it executes malicious code after injection.

Alternatively, the program itself may be malicious.

We recommend taking the following actions:

1. Examine the process file. If it is not a legitimate file, terminate the process and quarantine the file. If it is a legitimate process, terminate it if doing so does not affect your services.

2. Correlate this alert with other alerts on the machine to assess the potential impact of the intrusion and take further action.

3. Analyze the root cause of the intrusion and patch the relevant security vulnerabilities.

Hidden kernel module

This alert indicates that a hidden kernel module was found on your server. This is likely a rootkit backdoor implanted by an attacker or malware to maintain system privileges and hide other malicious activities.

Memory-resident backdoor in web application

This alert indicates that suspicious code or data was detected in the memory of a web application process. This memory-resident backdoor does not require a file on disk. We recommend patching the web application vulnerability and restarting the application to remove the backdoor. Also, check for other related alerts on the host. If you determine this alert is a false positive, you can ignore it or add it to a whitelist.

Kerberos ticket injection attack

This alert indicates a Kerberos ticket injection attack.

WMI event subscription persistence attack

This alert indicates a WMI event subscription persistence attack.

Skeleton Key domain controller persistence attack

This alert indicates a Skeleton Key domain controller persistence attack.

Process path spoofing

This alert indicates process path spoofing.

Anomalous registry key

This alert indicates a suspicious registry configuration item on your server. Malware often modifies key registry configurations to achieve persistence or interfere with security protection.

Anomalous library file loading

This alert indicates an anomalous library file was loaded.

Process executable image tampering

This alert indicates tampering with a process executable image.

SID History injection attack

This alert indicates an SID History injection attack.

Dynamic-link library function hijacking

This alert indicates dynamic-link library function hijacking.

Anomalous .NET module loaded into memory

This alert indicates that an anomalous .NET module was loaded into memory.

Anomalous scheduled task

This alert indicates an anomalous scheduled task.

Anomalous thread execution

This alert indicates anomalous thread execution.

Process hiding behavior

This alert indicates process hiding behavior.

Anomalous code found in web application memory

This alert indicates that anomalous code was found in web application memory.

Anomalous service in Linux

This alert indicates an anomalous service in Linux.

Anomalous service in Windows

This alert indicates an anomalous service in Windows.

System base library file hijacking

This alert indicates system base library file hijacking.

Process runtime function hijacking

This alert indicates process runtime function hijacking.

Anomalous startup script in Linux

This alert indicates an anomalous startup script in Linux.

Anomalous terminal configuration file in Linux

This alert indicates an anomalous terminal configuration file in Linux.

Sensitive File Tampering

Alert name

Description

System file tampering

A process on your server attempted to modify or replace system files. This may be an attacker's attempt to evade detection or hide a backdoor. Immediately verify that the affected system file is authentic.

System file moving

A process on your server attempted to move system files. An attacker might do this to bypass security software that monitors these files.

Suspicious tampering with the Linux shared library preload configuration file

The system detected suspicious tampering with the shared library preload configuration file on your server.

Container cluster anomalies

Alert name

Description

Suspicious command executed in a container via the Kubernetes API

Security Center detected a suspicious command executed within a container via the Kubernetes API. This activity is a common technique for lateral movement, such as across containers or from a node to a container. While this activity may be legitimate for certain business or O&M tasks, it can also indicate malicious intent.

Malicious image pod startup

This alert is triggered when a pod starts from a malicious image in your Kubernetes cluster. This typically occurs when an image contains backdoors, crypto-mining programs, or other malware.

Kubernetes service account lateral movement

This alert is triggered when a service account requests permissions that deviate from its established baseline or triggers multiple authentication failures. This behavior often means an attacker has compromised a pod and is using the stolen service account credentials to attack the API server. Investigate this activity immediately.

Successful authentication of a Kubernetes anonymous user

This alert is triggered when an anonymous user successfully authenticates. Do not allow anonymous users to access critical resources in a production cluster. The risk is extremely high if the cluster is exposed to the public internet and allows anonymous access. Attackers often exploit anonymous authentication to control the Kubernetes API server and deploy malicious workloads. Verify this operation was performed by a trusted user and restrict anonymous access permissions.

Anomalous access to Kubernetes Secrets

This alert is triggered when an account enumerates Secrets in your Kubernetes cluster. This activity may indicate that an attacker has compromised the cluster and is attempting to steal sensitive information stored in Secrets. Verify this operation was performed by a trusted application or administrator.

Suspicious Kubernetes operation sequence

Security Center detected an account in your Kubernetes cluster that executed a series of high-risk commands that deviate from its established baseline. Verify these commands were executed by an authorized administrator. Otherwise, your cluster may have been compromised. If you confirm that the activity is legitimate, add it to the whitelist to suppress similar alerts in the future.

Kubernetes user bound to an administrator role

Security Center detected a user in your Kubernetes cluster being bound to a high-privilege system role, such as a ClusterRole. Confirm this action was performed by an authorized administrator or system component. Otherwise, it may indicate that an attacker has compromised your server and is creating a backdoor account for persistence. If this is a false positive, you can add the behavior to the whitelist to suppress this type of alert.

Suspected Kubernetes service man-in-the-middle attack (CVE-2020-8554)

In a Kubernetes cluster, a user can create a Service to hijack cluster traffic and forward it to an arbitrary external IP address for data exfiltration. Security Center has detected that a Service created in your Kubernetes cluster has an external IP address specified in its ExternalIP field. This behavior matches the exploit pattern for the Kubernetes man-in-the-middle vulnerability (CVE-2020-8554).
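A defensive check for the pattern this alert describes, added here as an example and not code from Security Center or the Kubernetes project: it scans Service objects for `spec.externalIPs` entries (the API field behind the "ExternalIP" wording above) that fall outside an operator-maintained allowlist. The dict form of the objects and the allowlist CIDRs are assumptions; the sample Services are constructed.

```python
"""Added example (not Security Center's or the Kubernetes project's code): flag
Services whose spec.externalIPs points outside an operator-approved range, the
traffic-hijacking pattern behind the CVE-2020-8554 alert.

Assumptions, none from the original page: Service objects arrive in the dict form
the Kubernetes API returns, and ALLOWED_EXTERNAL_CIDRS is maintained by the cluster
operator to list the external IP ranges that are legitimately in use.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample: three Service objects as the API server lists them.
SAMPLE_SERVICES: List[Dict] = [
    {   # plain ClusterIP Service with no externalIPs: never flagged
        "metadata": {"namespace": "shop", "name": "cart"},
        "spec": {"type": "ClusterIP", "ports": [{"port": 80}]},
    },
    {   # externalIPs set to an address nobody approved: traffic for 203.0.113.7
        # reaching any node would be steered to this Service's endpoints
        "metadata": {"namespace": "shop", "name": "payments"},
        "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.7"],
                 "ports": [{"port": 443}]},
    },
    {   # externalIPs inside the approved range: expected use, not reported
        "metadata": {"namespace": "infra", "name": "ingress-lb"},
        "spec": {"type": "ClusterIP", "externalIPs": ["198.51.100.10"],
                 "ports": [{"port": 80}]},
    },
]

# Operator-maintained allowlist (constructed): ranges that may appear in externalIPs.
ALLOWED_EXTERNAL_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]


def _is_allowlisted(ip: str, allowed: Iterable) -> bool:
    """True only if `ip` parses and falls inside an allowlisted network.
    Unparseable values count as not allowlisted so that they are reported."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def find_external_ip_services(services: Iterable[Dict],
                              allowed: Iterable = ALLOWED_EXTERNAL_CIDRS
                              ) -> List[Tuple[str, str, List[str]]]:
    """Return (namespace, name, offending_ips) for each Service that lists an
    externalIP outside the allowlist. Services without externalIPs are skipped."""
    allowed = list(allowed)
    findings: List[Tuple[str, str, List[str]]] = []
    for svc in services:
        ips = (svc.get("spec") or {}).get("externalIPs") or []
        offending = [ip for ip in ips if not _is_allowlisted(ip, allowed)]
        if offending:
            meta = svc.get("metadata") or {}
            findings.append((meta.get("namespace", "default"),
                             meta.get("name", "?"), offending))
    return findings


if __name__ == "__main__":
    for ns, name, ips in find_external_ip_services(SAMPLE_SERVICES):
        print(f"ALERT {ns}/{name}: externalIPs outside allowlist: {ips}")
```

To check a live cluster, feed the function the `items` list from `kubectl get services -A -o json`.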

Sensitive host path mount

Security Center found a pod mounting a sensitive directory or file from the host at startup. This configuration poses a container escape risk. If the pod is compromised, an attacker could exploit the mounted file to escape the container and gain control of the node. Minimize the use of sensitive host path mounts for pods, such as the root directory, scheduled task configuration directories, or system service configuration directories. If this configuration is necessary for your business and the risk is acceptable, you can add it to a whitelist to suppress this alert.

Suspicious request to the Kubernetes API server

This alert is triggered by a suspicious request to the Kubernetes API server. For specifics about the anomaly, see the alert details. This activity could also be a normal business operation. To determine if the request is legitimate, investigate the source IP address, User-Agent, requested resource, and the user that initiated the request. To view the complete Kubernetes API server audit logs, use the auditID field from the alert details to search the Kubernetes audit logs in SLS.

Kubernetes cluster user bound to a high-privilege role

This alert is triggered when a user in your Kubernetes cluster is bound to a high-privilege role. High privilege refers to permissions to read or modify critical resources within a namespace or across the entire cluster. Examples include cluster administrator permissions, the ability to read all Secrets in a namespace, create pods, execute commands within pods, or create other high-privilege roles. A common attack scenario involves granting a web application's service account excessive permissions. An attacker can exploit a web vulnerability to enter a pod and then use the service account's credentials to access and control other cluster resources.
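One way to apply the high-privilege criteria listed above to RBAC objects, as an added example that is not Security Center's code: it classifies each Role or ClusterRole by its rules and reports every binding that grants such a role to a subject, including the web-application service account scenario. The dict form of the objects, the "namespace/name" and "cluster/name" role keys, and the check list are assumptions; the sample roles and bindings are constructed.

```python
"""Added example (not Security Center's own code): decide whether a Role or
ClusterRole is high privilege by the criteria in the alert above, then report
each binding that grants such a role to a subject.

Assumptions, none from the original page: objects arrive in the dict form the
Kubernetes API returns, roles are indexed by "namespace/name" (Roles) or
"cluster/name" (ClusterRoles), and HIGH_PRIVILEGE_CHECKS is a constructed
starting list to tune per cluster.
"""
from typing import Dict, Iterable, List, Tuple


def rule_grants(rule: Dict, group: str, resource: str, verb: str) -> bool:
    """True if one RBAC rule covers `verb` on `resource` in API `group`;
    a literal "*" in any field acts as a wildcard."""
    groups, resources, verbs = (rule.get(k) or [] for k in ("apiGroups", "resources", "verbs"))
    return (("*" in groups or group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


# (reason, apiGroup, resource, verbs that make the grant dangerous)
HIGH_PRIVILEGE_CHECKS = [
    ("read Secrets", "", "secrets", ("get", "list", "watch")),
    ("create pods", "", "pods", ("create",)),
    ("exec into pods", "", "pods/exec", ("create",)),
    ("create or escalate roles", "rbac.authorization.k8s.io", "roles", ("create", "escalate")),
    ("create or escalate cluster roles", "rbac.authorization.k8s.io", "clusterroles", ("create", "escalate")),
    ("bind roles", "rbac.authorization.k8s.io", "rolebindings", ("create", "bind")),
    ("bind cluster roles", "rbac.authorization.k8s.io", "clusterrolebindings", ("create", "bind")),
]


def high_privilege_reasons(role: Dict) -> List[str]:
    """Return the reasons a role counts as high privilege (empty if it does not)."""
    reasons: List[str] = []
    for rule in role.get("rules") or []:
        if rule_grants(rule, "*", "*", "*"):          # cluster-admin style rule
            r = "full administrator (wildcard apiGroups, resources and verbs)"
            if r not in reasons:
                reasons.append(r)
            continue
        for reason, group, resource, verbs in HIGH_PRIVILEGE_CHECKS:
            if reason not in reasons and any(rule_grants(rule, group, resource, v) for v in verbs):
                reasons.append(reason)
    return reasons


def audit_bindings(bindings: Iterable[Dict], roles: Dict[str, Dict]) -> List[Tuple[str, str, List[str]]]:
    """Return (subject, role_key, reasons) for every subject bound to a high-privilege role."""
    findings: List[Tuple[str, str, List[str]]] = []
    for b in bindings:
        ref = b.get("roleRef") or {}
        ns = (b.get("metadata") or {}).get("namespace", "default")
        key = f"cluster/{ref.get('name')}" if ref.get("kind") == "ClusterRole" else f"{ns}/{ref.get('name')}"
        role = roles.get(key)
        if role is None:                                # dangling reference grants nothing
            continue
        reasons = high_privilege_reasons(role)
        if not reasons:
            continue
        for s in b.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                who = f"ServiceAccount {s.get('namespace', ns)}/{s.get('name')}"
            else:
                who = f"{s.get('kind')} {s.get('name')}"
            findings.append((who, key, reasons))
    return findings


# Constructed sample: a least-privilege role, an over-privileged web-app role, a wildcard role.
SAMPLE_ROLES: Dict[str, Dict] = {
    "shop/web-reader": {"rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    "shop/web-admin": {"rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["create"]},
    ]},
    "cluster/superuser": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
}
SAMPLE_BINDINGS: List[Dict] = [
    {"metadata": {"namespace": "shop", "name": "web-rb"}, "roleRef": {"kind": "Role", "name": "web-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "shop"}]},
    {"metadata": {"namespace": "shop", "name": "web-admin-rb"}, "roleRef": {"kind": "Role", "name": "web-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "shop"}]},
    {"metadata": {"name": "superuser-crb"}, "roleRef": {"kind": "ClusterRole", "name": "superuser"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for who, key, reasons in audit_bindings(SAMPLE_BINDINGS, SAMPLE_ROLES):
        print(f"ALERT {who} bound to {key}: {', '.join(reasons)}")
```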

Anomalous token creation by a service account

Token requests are typically initiated by real users. A service account is a Kubernetes object that allows processes in a pod to interact with the API server. When one service account attempts to obtain a token for another account, it can indicate a privilege escalation attempt.

Service account modifies its own cluster role permissions

A service account typically does not modify the permissions of the ClusterRole to which it is bound. When a service account requests to modify the permissions of its own bound ClusterRole, it often indicates a privilege escalation attempt.

Service account modifies its bound cluster role

An application's service account typically does not modify the ClusterRole to which it is bound. This alert is triggered when a service account creates and binds its own role, which often indicates a privilege escalation attempt.

Service account impersonates another user principal to request resources

An application's service account usually does not need to impersonate other user principals to request resources. When a service account makes a request while impersonating another user principal, it often indicates a privilege escalation attempt.

Service account creates a pod using a system component's service account

Service accounts for system components typically have high privileges and should not be used by other workloads. When a service account creates a pod that uses a system component's service account, it often indicates a privilege escalation attempt.

Suspicious request to check its own permissions

Workloads in a cluster rarely need to check their own service account permissions. When a service account requests its own set of permissions, it may indicate an attacker has compromised the service account.

Node identity obtains cluster Secret

A cluster node's kubelet certificate can be used to obtain Secrets. An attacker can abuse this capability to access sensitive information in the cluster. Therefore, when a node's identity requests a Secret, it often indicates a privilege escalation attempt.

Service account creates a node proxy resource to execute a command

A node's proxy subresource can be used to execute commands in a pod, but this method is generally not required for workloads in a cluster. When a service account uses a node's proxy subresource to execute a command in a pod, it often indicates a privilege escalation attempt.

Service account steals another node's pod

A taint is a Kubernetes scheduling feature that restricts which pods can be scheduled on a given node. An attacker who has compromised a node can apply taints to other nodes to mark them as unschedulable. This forces a target pod to be scheduled on the compromised node, allowing the attacker to steal its credentials. When a service account creates taints for many nodes, it often indicates a privilege escalation attempt.

Service account directly accesses the kubelet listening port

The kubelet and the API server use port 10250 for communication. Business workloads within the cluster do not typically use a service account to access this port. When a service account directly accesses the kubelet listening port and requests a specific resource, it often indicates a privilege escalation attempt.

Service account creates an ephemeral container to enter a pod

Ephemeral containers allow developers to debug a running pod by creating an ephemeral container in the target pod's namespace. This operation should not be initiated by a service account. When a service account requests to create an ephemeral container, it typically means an attacker is using that identity to attempt privilege escalation by entering another pod.

Suspicious Account

Alert name

Description

Backdoor account

This alert indicates a suspicious account on your host. An attacker or malicious program may create a new account or activate a guest account to maintain persistence. If this account is not used for legitimate business operations, log on to the host to investigate and take action.

Webshell detection (Local scan)

Alert name

Description

Webshell file found

This feature identifies suspicious files by scoring their threat level based on their behavior and functions. A flagged file may be a webshell implanted by an attacker, but it could also be a legitimate file with suspicious code. Storing log files in a web-accessible path can also trigger this alert. Therefore, an administrator must investigate the file to determine if it poses a threat.

Exploit

Alert name

Description

Web vulnerability exploit

Web vulnerability exploit.

Host vulnerability exploit

Host vulnerability exploit.

Suspected container escape via file tampering

Security Center detected that a critical file was opened in write mode. This behavior is common in container escape scenarios, where an attacker tampers with the file to escape from the container to the host. You should investigate the process, the affected file, and the file's open attributes to determine whether the activity is part of a legitimate business operation. If this is a normal O&M task or business function, ignore the alert or mark it as a false positive.

TOCTOU-type vulnerability exploit

Security Center detected a suspected time-of-check-to-time-of-use (TOCTOU) exploit. See the alert details for the vulnerability ID. This type of vulnerability is often used for container escape or privilege escalation. Check if your software is affected and patch it promptly. In the rare event of a false positive, you can mark the alert as a false positive or add the activity to the allowlist.

Sensitive host directory mounted at container startup

Security Center detected risky container behavior, such as starting in privileged mode or mounting sensitive host directories or files at startup. An attacker could exploit this misconfiguration to escape to the host. Do not start containers in privileged mode. Do not configure a Pod to mount sensitive host directories, such as the root directory, scheduled task configuration directories, or system service configuration directories.

Abnormal network traffic

Alert name

Description

Suspicious file upload

This alert is triggered when suspicious file upload traffic is detected, and a related suspicious file is created or modified on the host. Use the alert details to investigate further. Recommended steps: 1) Check for related webshell file alerts. 2) Investigate the file upload endpoint to determine if it can be exploited. 3) Determine if the file was created or modified during a legitimate administrative task, such as a web service update or backup. If the activity is legitimate, ignore the alert or add the file path to an allowlist. 4) If you confirm the activity is malicious, remove the file from the host and harden the file upload endpoint. We recommend enforcing an allowlist for file names.

Web application command execution

This alert is triggered when malicious web attack traffic is detected, and a corresponding command is executed on the host. This indicates that an attacker may have exploited a vulnerability in your service. Use the alert details to determine the impact and plan your next steps.

Mining pool communication traffic

This alert is triggered when traffic is detected between your server and an IP address associated with a cryptocurrency mining pool. This may indicate that your server has been compromised and is being used for cryptocurrency mining.

Tunnel proxy communication

This alert is triggered when suspicious tunnel proxy communication is detected on your server. Use the alert details to investigate this activity and determine the next steps.

Reverse shell traffic

This alert is triggered when malicious reverse shell traffic is detected from your server. A reverse shell allows an attacker to establish a network connection from your server to one they control, which allows them to execute arbitrary commands. Use the alert details to investigate and respond to this threat.

Backdoor communication traffic

This alert is triggered when malicious backdoor traffic is detected from your server. This type of traffic indicates that an attacker may have established a remote control channel to your server. Use the alert details to investigate this potential compromise.

Java deserialization attack

This alert is triggered when malicious Java deserialization attack traffic is detected, and the associated Java process makes a suspicious outbound network connection or executes a suspicious command. This indicates that an attacker may have exploited a vulnerability in your service. Use the alert details to determine the impact and plan your next steps.

DNS-log attack

This alert is triggered when malicious DNS-log attack traffic is detected and your server accesses the corresponding DNS-log domain. This indicates that an attacker may have exploited a vulnerability in your service. Use the alert details to determine the impact and plan your next steps.

Container Escape Prevention

Alert name

Description

High-risk system call

Indicates a key system call often used to exploit a kernel vulnerability for privilege escalation or a container escape.

Escape by exploiting a vulnerability or misconfiguration

This alert is triggered when a container starts with excessive privileges or mounts a pseudo file system. These misconfigurations allow an attacker to exploit system mechanisms, such as core_pattern or cgroup, to escape the container.

Modifying a host user configuration file

This alert is triggered when a container is started with host user configuration files, such as /etc/passwd or SSH service configuration directories, mounted. This allows an attacker to modify these files from within the container and gain user privileges on the host node.

Escaping by writing to a high-risk host directory

This alert is triggered when a container is started with a high-risk host directory mounted. Examples include system scheduled task directories like /etc/crontab, auto-start task directories like /etc/init.d, trigger-based task directories like /etc/profile, or Kubernetes static pod configuration directories. An attacker can write malicious code to these directories. The host then automatically executes this code, allowing the attacker to gain privileges.
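The misconfigurations behind the "Sensitive host directory mounted at container startup" alert and the three mount-based escape alerts above (pseudo file systems, host user configuration files, high-risk host directories) are all visible in the pod manifest before the container ever starts. The following Python is an added example of such a pre-start check, not code from Security Center; the list of sensitive host paths is constructed from the directories named in this section plus container runtime sockets, and the sample manifest is constructed.

```python
"""Flag privileged containers and hostPath mounts of sensitive host locations
in a pod manifest (added example; path list and manifest are constructed)."""
import posixpath

# Host paths whose exposure to a container enables escape or persistence.
SENSITIVE_HOST_PATHS = (
    "/",                                                      # entire host filesystem
    "/etc/passwd", "/etc/shadow", "/etc/ssh", "/root/.ssh",   # user and SSH configuration
    "/etc/crontab", "/etc/cron.d",                            # scheduled tasks
    "/etc/init.d", "/etc/systemd",                            # auto-start services
    "/etc/profile", "/etc/profile.d", "/etc/bash.bashrc",     # trigger-based tasks
    "/etc/kubernetes/manifests",                              # static pod definitions
    "/proc", "/sys",                                          # pseudo file systems
    "/var/run/docker.sock", "/run/containerd",                # container runtime sockets
)

# Constructed manifest: a "debug" pod that is privileged and mounts the host root
# and the cron directory; /var/log is mounted too but is not on the list.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-tools", "namespace": "ops"},
    "spec": {
        "containers": [{
            "name": "tools", "image": "registry.example.invalid/tools:1.0",
            "securityContext": {"privileged": True},
            "volumeMounts": [
                {"name": "host-root", "mountPath": "/host"},
                {"name": "cron", "mountPath": "/cron", "readOnly": True},
                {"name": "logs", "mountPath": "/var/log/host"},
            ],
        }],
        "volumes": [
            {"name": "host-root", "hostPath": {"path": "/"}},
            {"name": "cron", "hostPath": {"path": "/etc/cron.d/", "type": "Directory"}},
            {"name": "logs", "hostPath": {"path": "/var/log"}},
        ],
    },
}


def sensitive_match(host_path):
    """Return the sensitive entry that host_path equals or lies under, else None."""
    p = posixpath.normpath(host_path)
    for s in SENSITIVE_HOST_PATHS:
        if p == s or (s != "/" and p.startswith(s + "/")):
            return s
    return None


def audit_pod(pod):
    """Return a list of human-readable findings for one pod manifest."""
    findings = []
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"container {c['name']} runs privileged")
    # A volume is writable if any container mounts it without readOnly.
    writable = {}
    for c in containers:
        for m in c.get("volumeMounts", []):
            writable[m["name"]] = writable.get(m["name"], False) or not m.get("readOnly", False)
    for v in spec.get("volumes", []):
        host_path = (v.get("hostPath") or {}).get("path")
        if not host_path:
            continue
        hit = sensitive_match(host_path)
        if hit:
            mode = "writable" if writable.get(v["name"], False) else "read-only or unmounted"
            findings.append(f"volume {v['name']} exposes host path {host_path} (matches {hit}), {mode}")
    return findings


if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
```

The same function can run as an admission webhook or in CI against rendered manifests; reporting whether the mount is writable matters because the escape paths described above (writing to cron, init.d, profile or static pod directories) need write access, whereas a read-only mount of the root filesystem is still a credential-exposure finding.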

Running a container escape tool

Security Center has detected a container escape tool running inside a container. An attacker typically uses this tool after compromising a container to break the isolation between the container and the host node and gain access control over the host node.

Proactive Defense for Containers

Alert name

Description

Non-image program startup

This alert indicates that a program not included in the original image has started. This activity often occurs when an executable program, such as a backdoor trojan, is installed in a running container. While this may be a legitimate installation required by your services, it can also be a security risk. Investigate this activity promptly.

File defense

File defense.

Non-image program startup blocking

Security Center blocked a program that was not part of the original image from starting. This preventative action is triggered when an executable program, such as a backdoor trojan, attempts to run inside a container. While the blocked program may be legitimate, such attempts can also indicate a security risk. Investigate the cause of this blocked activity promptly.

Risk Image Blocking

Alert name

Description

Cluster starts a malicious image from the internet

This alert triggers when a cluster attempts to start a known malicious image. Running a malicious image can introduce vulnerabilities, backdoors, or other security threats into your environment.

Cluster starts an unscanned image

This alert triggers when a cluster attempts to start a container from an unscanned image. Deploying unscanned images can introduce unknown security risks, such as vulnerabilities or malware, into your environment.

Cluster starts an image with vulnerabilities

This alert triggers when a cluster attempts to start a container from an image with known vulnerabilities. Exploiting these vulnerabilities could allow an attacker to compromise your applications or the underlying cluster.

Cluster starts an image with malicious files

This alert triggers when a cluster attempts to start a container from an image containing a malicious file. This can lead to the execution of malware, such as trojans or cryptocurrency miners, within your cluster.

Cluster starts an image that failed a baseline check

This alert triggers when a cluster attempts to start a container from an image that has failed a baseline check. This means the image does not comply with your organization's security and configuration standards.

Cluster starts an image with sensitive files

This alert triggers when a cluster attempts to start a container from an image containing a sensitive file, such as a private key or access credential. Including sensitive information directly in an image is a high-risk practice that can lead to credential leakage.

Cluster starts an image with risky build instructions

This alert triggers when a cluster attempts to start a container from an image built with risky build instructions. These instructions can introduce security weaknesses or misconfigurations into the final image.

Trusted Exception

Alert name

Description

System startup component trust event

Checks the trusted status of trusted ECS instances and handles abnormal statuses. For more information, see Using Trusted Instances.

Other

Alert name

Description

DDoS

DDoS attack.

Security Center client abnormally offline

This alert triggers when AliYunDun, the main process of the Security Center client, goes offline on your server and remains offline for a specified period. This can result from temporary network instability or a cyberattack that forcibly uninstalls the client. Log on to the server to check if the client process is running. If the process is not running, restart it promptly.

Security Center client on a non-Alibaba Cloud host abnormally offline

This alert triggers when AliYunDun, the main process of the Security Center client, goes offline on your non-Alibaba Cloud host and remains offline for a specified period. This can result from temporary network instability or a cyberattack that forcibly uninstalls the client. Log on to the server to check if the client process is running. If the process is not running, restart it promptly.