User Launched New Binary

This event occurs when a user launches an application that has not previously been observed being launched by that specific user.
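The first-seen logic behind this event, as an added example (not the product's own detection code): it keeps a per-user set of executables, silently populates that set during a learning window, and afterwards raises one alert the first time a (user, executable) pair appears, staying quiet on repeats. The JSON-lines log format, field names and all events are constructed for the example.

```python
"""First-seen (user, executable) detection over process-launch events.

Added example, not the product's own implementation. The log schema and the
events below are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed JSON-lines process-launch log (assumed schema, not a real product's).
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:00:00Z", "host": "db-01", "user": "postgres", "exe": "/usr/lib/postgresql/bin/postgres"}
{"ts": "2024-03-01T09:05:00Z", "host": "db-01", "user": "admin", "exe": "/usr/bin/ssh"}
{"ts": "2024-03-02T10:00:00Z", "host": "db-01", "user": "admin", "exe": "/usr/bin/ssh"}
{"ts": "2024-03-03T02:13:00Z", "host": "db-01", "user": "postgres", "exe": "/usr/bin/curl"}
{"ts": "2024-03-03T02:14:00Z", "host": "db-01", "user": "postgres", "exe": "/tmp/updater"}
{"ts": "2024-03-03T02:20:00Z", "host": "db-01", "user": "postgres", "exe": "/usr/bin/curl"}
"""


def parse_events(text):
    """Parse JSON-lines launch records into dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect_new_binaries(events, learning_until):
    """Return (baseline, alerts).

    Events up to and including learning_until only populate the per-user
    baseline. After that, an executable a user has never been seen launching
    produces one alert and is then added to the baseline, so repeats stay quiet.
    """
    baseline = {}  # user -> set of executables observed for that user
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        known = baseline.setdefault(ev["user"], set())
        if ev["exe"] in known:
            continue  # already observed for this user: not a new binary
        known.add(ev["exe"])
        if ev["ts"] > learning_until:
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "host": ev["host"],
                "user": ev["user"],
                "exe": ev["exe"],
            })
    return baseline, alerts


def run_sample():
    """Run the detector over the constructed log with a learning window ending 2024-03-02."""
    events = parse_events(SAMPLE_LOG)
    cutoff = datetime(2024, 3, 2, 23, 59, 59, tzinfo=timezone.utc)
    return detect_new_binaries(events, cutoff)


if __name__ == "__main__":
    baseline, alerts = run_sample()
    for a in alerts:
        print(f"[NEW BINARY] {a['ts']} {a['host']} user={a['user']} exe={a['exe']}")
```

On the sample data the two launches on 2024-03-03 by `postgres` (`/usr/bin/curl` and `/tmp/updater`) are the only alerts; the second `curl` launch is suppressed because the pair is now in the baseline. Without a learning window, every pair in the first batch would fire, which is why the baseline is seeded first.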

Why this Event is Important

The set of applications running in a data center is, for the most part, static. New applications are sometimes introduced as part of a service offering or internal tooling changes, but a new application may also indicate malicious activity.

Investigation

Identify the new application. Is its introduction expected? If not, research the application and its purpose. Perform local forensics and look for signs of lateral movement.

Resolution

Determine if the application and its use are expected and benign. If it appears to be possible malicious use of an existing administrative tool, review logs from both source and destination machines. Disable the user and take the necessary steps to restore either host to a known, clean state.