Network

Name | Technique | Datamodel
DNS Query Length Outliers - MLTK | DNS, Application Layer Protocol | Network_Resolution
DNS Query Length With High Standard Deviation | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Network_Resolution
Detect ARP Poisoning | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | None
Detect DGA domains using pretrained model in DSDL | Domain Generation Algorithms | Network_Resolution
Detect DNS Data Exfiltration using pretrained model in DSDL | Exfiltration Over Unencrypted Non-C2 Protocol | Network_Resolution
Detect IPv6 Network Infrastructure Threats | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | None
Detect Large Outbound ICMP Packets | Non-Application Layer Protocol | Network_Traffic
Detect Outbound LDAP Traffic | Exploit Public-Facing Application, Command and Scripting Interpreter | Network_Traffic
Detect Outbound SMB Traffic | File Transfer Protocols, Application Layer Protocol | Network_Traffic
Detect Port Security Violation | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | None
Detect Remote Access Software Usage DNS | Remote Access Software | Network_Resolution
Detect Remote Access Software Usage Traffic | Remote Access Software | Network_Traffic
Detect Rogue DHCP Server | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | None
Detect SNICat SNI Exfiltration | Exfiltration Over C2 Channel | None
Detect Software Download To Network Device | TFTP Boot, Pre-OS Boot | Network_Traffic
Detect Traffic Mirroring | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | None
Detect Unauthorized Assets by MAC address | None | Network_Sessions
Detect Windows DNS SIGRed via Splunk Stream | Exploitation for Client Execution | None
Detect Windows DNS SIGRed via Zeek | Exploitation for Client Execution | Network_Resolution, Network_Traffic
Detect Zerologon via Zeek | Exploit Public-Facing Application | None
Detect hosts connecting to dynamic domain providers | Drive-by Compromise | Network_Resolution
Detect suspicious DNS TXT records using pretrained model in DSDL | Domain Generation Algorithms | Network_Resolution
Excessive DNS Failures | DNS, Application Layer Protocol | Network_Resolution
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 | Exploit Public-Facing Application, External Remote Services | Web
High Volume of Bytes Out to Url | Exfiltration Over Web Service | Web
Hosts receiving high volume of network traffic from email server | Remote Email Collection, Email Collection | Network_Traffic
Large Volume of DNS ANY Queries | Network Denial of Service, Reflection Amplification | Network_Resolution
Multiple Archive Files Http Post Traffic | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | None
Ngrok Reverse Proxy on Network | Protocol Tunneling, Proxy, Web Service | Network_Resolution
Plain HTTP POST Exfiltrated Data | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | None
Prohibited Network Traffic Allowed | Exfiltration Over Alternative Protocol | Network_Traffic
Protocol or Port Mismatch | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Network_Traffic
Protocols passing authentication in cleartext | None | Network_Traffic
Remote Desktop Network Bruteforce | Remote Desktop Protocol, Remote Services | Network_Traffic
Remote Desktop Network Traffic | Remote Desktop Protocol, Remote Services | Network_Traffic
SMB Traffic Spike | SMB/Windows Admin Shares, Remote Services | Network_Traffic
SMB Traffic Spike - MLTK | SMB/Windows Admin Shares, Remote Services | Network_Traffic
SSL Certificates with Punycode | Encrypted Channel | None
Splunk Identified SSL TLS Certificates | Network Sniffing | None
TOR Traffic | Proxy, Multi-hop Proxy | Network_Traffic
Unusually Long Content-Type Length | None | None
Windows AD Replication Service Traffic | OS Credential Dumping, DCSync, Rogue Domain Controller | Network_Traffic
Windows AD Rogue Domain Controller Network Activity | Rogue Domain Controller | Change
Zeek x509 Certificate with Punycode | Encrypted Channel | None

Endpoint

Name | Technique
Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
CMD Echo Pipe - Escalation | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Windows Post Exploitation Risk Behavior | Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...
Living Off The Land | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services


Web

Name | Technique
Web JSP Request via URL | Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services
