Network Detections

Name Data Source Technique Type Analytic Story Date
Detect ARP Poisoning Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-08-14
Detect DGA domains using pretrained model in DSDL Domain Generation Algorithms Anomaly Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-05-29
Detect DNS Data Exfiltration using pretrained model in DSDL Exfiltration Over Unencrypted Non-C2 Protocol Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2024-05-22
Detect hosts connecting to dynamic domain providers Sysmon EventID 22 Drive-by Compromise TTP Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic 2024-05-18
Detect IPv6 Network Infrastructure Threats Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-05-12
Detect Large Outbound ICMP Packets Non-Application Layer Protocol TTP Command And Control 2024-05-24
Detect Outbound LDAP Traffic Bro Exploit Public-Facing Application Command and Scripting Interpreter Hunting Log4Shell CVE-2021-44228 2024-05-21
Detect Outbound SMB Traffic File Transfer Protocols Application Layer Protocol TTP DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group 2024-05-25
Detect Port Security Violation Hardware Additions Network Denial of Service Adversary-in-the-Middle ARP Cache Poisoning TTP Router and Infrastructure Security 2024-08-16
Detect Remote Access Software Usage DNS Sysmon EventID 22 Remote Access Software Anomaly CISA AA24-241A, Command And Control, Insider Threat, Ransomware 2024-07-09
Detect Remote Access Software Usage Traffic Palo Alto Network Traffic Remote Access Software Anomaly Command And Control, Insider Threat, Ransomware 2024-07-09
Detect Rogue DHCP Server Hardware Additions Network Denial of Service Adversary-in-the-Middle TTP Router and Infrastructure Security 2024-08-14
Detect SNICat SNI Exfiltration Exfiltration Over C2 Channel TTP Data Exfiltration 2024-05-21
Detect Software Download To Network Device TFTP Boot Pre-OS Boot TTP Router and Infrastructure Security 2024-05-20
Detect suspicious DNS TXT records using pretrained model in DSDL Domain Generation Algorithms Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2024-05-13
Detect Traffic Mirroring Hardware Additions Automated Exfiltration Network Denial of Service Traffic Duplication TTP Router and Infrastructure Security 2024-08-14
Detect Unauthorized Assets by MAC address N/A TTP Asset Tracking 2024-05-10
Detect Windows DNS SIGRed via Splunk Stream Exploitation for Client Execution TTP Windows DNS SIGRed CVE-2020-1350 2024-08-14
Detect Windows DNS SIGRed via Zeek Exploitation for Client Execution TTP Windows DNS SIGRed CVE-2020-1350 2024-09-24
Detect Zerologon via Zeek Exploit Public-Facing Application TTP Detect Zerologon Attack, Rhysida Ransomware 2024-05-28
DNS Query Length Outliers - MLTK DNS Application Layer Protocol Anomaly Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic 2024-05-22
DNS Query Length With High Standard Deviation Sysmon EventID 22 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol Anomaly Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic 2024-05-15
Excessive DNS Failures DNS Application Layer Protocol Anomaly Command And Control, Suspicious DNS Traffic 2024-05-20
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Palo Alto Network Threat Exploit Public-Facing Application External Remote Services TTP CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388 2024-05-28
High Volume of Bytes Out to Url Nginx Access Exfiltration Over Web Service Anomaly Data Exfiltration 2024-05-24
Hosts receiving high volume of network traffic from email server Remote Email Collection Email Collection Anomaly Collection and Staging 2024-05-15
Internal Horizontal Port Scan AWS CloudWatchLogs VPCflow Network Service Discovery TTP Network Discovery 2024-08-07
Internal Vertical Port Scan AWS CloudWatchLogs VPCflow Network Service Discovery TTP Network Discovery 2023-10-20
Internal Vulnerability Scan Vulnerability Scanning Network Service Discovery TTP Network Discovery 2023-10-27
Large Volume of DNS ANY Queries Network Denial of Service Reflection Amplification Anomaly DNS Amplification Attacks 2024-05-15
Multiple Archive Files Http Post Traffic Splunk Stream HTTP Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol TTP Command And Control, Data Exfiltration 2024-05-16
Ngrok Reverse Proxy on Network Sysmon EventID 22 Protocol Tunneling Proxy Web Service Anomaly CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy 2024-05-24
Plain HTTP POST Exfiltrated Data Splunk Stream HTTP Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol TTP Command And Control, Data Exfiltration 2024-05-26
Prohibited Network Traffic Allowed Exfiltration Over Alternative Protocol TTP Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware 2024-05-11
Protocol or Port Mismatch Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol Anomaly Command And Control, Prohibited Traffic Allowed or Protocol Mismatch 2024-05-29
Protocols passing authentication in cleartext N/A TTP Use of Cleartext Protocols 2024-05-29
Remote Desktop Network Bruteforce Remote Desktop Protocol Remote Services TTP Ryuk Ransomware, SamSam Ransomware 2024-05-17
Remote Desktop Network Traffic Remote Desktop Protocol Remote Services Anomaly Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware 2024-05-29
SMB Traffic Spike SMB/Windows Admin Shares Remote Services Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2024-05-27
SMB Traffic Spike - MLTK SMB/Windows Admin Shares Remote Services Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2024-05-21
Splunk Identified SSL TLS Certificates Splunk Stream TCP Network Sniffing Hunting Splunk Vulnerabilities 2024-05-23
SSL Certificates with Punycode Encrypted Channel Hunting OpenSSL CVE-2022-3602 2024-05-29
TOR Traffic Palo Alto Network Traffic Proxy Multi-hop Proxy TTP Command And Control, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware 2024-05-29
Unusually Long Content-Type Length N/A Anomaly Apache Struts Vulnerability 2024-05-13
Windows AD Replication Service Traffic OS Credential Dumping DCSync Rogue Domain Controller TTP Sneaky Active Directory Persistence Tricks 2024-05-19
Windows AD Rogue Domain Controller Network Activity Rogue Domain Controller TTP Sneaky Active Directory Persistence Tricks 2024-05-18
Zeek x509 Certificate with Punycode Encrypted Channel Hunting OpenSSL CVE-2022-3602 2024-05-30