Network Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Detect ARP Poisoning | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect DGA domains using pretrained model in DSDL | | Domain Generation Algorithms | Anomaly | Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic | 2024-10-17 |
| Detect DNS Data Exfiltration using pretrained model in DSDL | | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly | Command And Control, DNS Hijacking, Suspicious DNS Traffic | 2024-10-17 |
| Detect hosts connecting to dynamic domain providers | Sysmon EventID 22 | Drive-by Compromise | TTP | Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic | 2024-09-30 |
| Detect IPv6 Network Infrastructure Threats | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect Large Outbound ICMP Packets | Palo Alto Network Traffic | Non-Application Layer Protocol | TTP | Command And Control | 2024-11-06 |
| Detect Outbound LDAP Traffic | Bro | Exploit Public-Facing Application, Command and Scripting Interpreter | Hunting | Log4Shell CVE-2021-44228 | 2024-10-17 |
| Detect Outbound SMB Traffic | | File Transfer Protocols, Application Layer Protocol | TTP | DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group | 2024-10-16 |
| Detect Port Security Violation | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect Remote Access Software Usage DNS | Sysmon EventID 22 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Insider Threat, Ransomware | 2024-09-30 |
| Detect Remote Access Software Usage Traffic | Palo Alto Network Traffic | Remote Access Software | Anomaly | Command And Control, Insider Threat, Ransomware | 2024-09-30 |
| Detect Rogue DHCP Server | | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect SNICat SNI Exfiltration | | Exfiltration Over C2 Channel | TTP | Data Exfiltration | 2024-10-17 |
| Detect Software Download To Network Device | | TFTP Boot, Pre-OS Boot | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect suspicious DNS TXT records using pretrained model in DSDL | | Domain Generation Algorithms | Anomaly | Command And Control, DNS Hijacking, Suspicious DNS Traffic | 2024-10-17 |
| Detect Traffic Mirroring | | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | TTP | Router and Infrastructure Security | 2024-10-17 |
| Detect Unauthorized Assets by MAC address | | N/A | TTP | Asset Tracking | 2024-10-17 |
| Detect Windows DNS SIGRed via Splunk Stream | | Exploitation for Client Execution | TTP | Windows DNS SIGRed CVE-2020-1350 | 2024-10-17 |
| Detect Windows DNS SIGRed via Zeek | | Exploitation for Client Execution | TTP | Windows DNS SIGRed CVE-2020-1350 | 2024-10-17 |
| Detect Zerologon via Zeek | | Exploit Public-Facing Application | TTP | Detect Zerologon Attack, Rhysida Ransomware | 2024-10-17 |
| DNS Query Length Outliers - MLTK | | DNS, Application Layer Protocol | Anomaly | Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic | 2024-10-17 |
| DNS Query Length With High Standard Deviation | Sysmon EventID 22 | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly | Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic | 2024-09-30 |
| Excessive DNS Failures | | DNS, Application Layer Protocol | Anomaly | Command And Control, Suspicious DNS Traffic | 2024-10-17 |
| F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 | Palo Alto Network Threat | Exploit Public-Facing Application, External Remote Services | TTP | CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388 | 2024-09-30 |
| Hosts receiving high volume of network traffic from email server | | Remote Email Collection, Email Collection | Anomaly | Collection and Staging | 2024-10-17 |
| Internal Horizontal Port Scan | AWS CloudWatchLogs VPCflow | Network Service Discovery | TTP | Network Discovery | 2024-09-30 |
| Internal Horizontal Port Scan NMAP Top 20 | AWS CloudWatchLogs VPCflow | Network Service Discovery | TTP | Network Discovery | 2024-09-25 |
| Internal Vertical Port Scan | AWS CloudWatchLogs VPCflow | Network Service Discovery | TTP | Network Discovery | 2024-09-30 |
| Internal Vulnerability Scan | | Vulnerability Scanning, Network Service Discovery | TTP | Network Discovery | 2024-10-17 |
| Large Volume of DNS ANY Queries | | Network Denial of Service, Reflection Amplification | Anomaly | DNS Amplification Attacks | 2024-10-17 |
| Ngrok Reverse Proxy on Network | Sysmon EventID 22 | Protocol Tunneling, Proxy, Web Service | Anomaly | CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy | 2024-09-30 |
| Prohibited Network Traffic Allowed | | Exfiltration Over Alternative Protocol | TTP | Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware | 2024-09-30 |
| Protocol or Port Mismatch | | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly | Command And Control, Prohibited Traffic Allowed or Protocol Mismatch | 2024-10-17 |
| Protocols passing authentication in cleartext | | N/A | TTP | Use of Cleartext Protocols | 2024-10-17 |
| Remote Desktop Network Bruteforce | | Remote Desktop Protocol, Remote Services | TTP | Ryuk Ransomware, SamSam Ransomware | 2024-10-16 |
| Remote Desktop Network Traffic | | Remote Desktop Protocol, Remote Services | Anomaly | Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware | 2024-10-16 |
| SMB Traffic Spike | | SMB/Windows Admin Shares, Remote Services | Anomaly | DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware | 2024-10-17 |
| SMB Traffic Spike - MLTK | | SMB/Windows Admin Shares, Remote Services | Anomaly | DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware | 2024-10-17 |
| Splunk Identified SSL TLS Certificates | Splunk Stream TCP | Network Sniffing | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| SSL Certificates with Punycode | | Encrypted Channel | Hunting | OpenSSL CVE-2022-3602 | 2024-10-17 |
| TOR Traffic | Palo Alto Network Traffic | Proxy, Multi-hop Proxy | TTP | Command And Control, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware | 2024-09-30 |
| Windows AD Replication Service Traffic | | OS Credential Dumping, DCSync, Rogue Domain Controller | TTP | Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Windows AD Rogue Domain Controller Network Activity | | Rogue Domain Controller | TTP | Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Zeek x509 Certificate with Punycode | | Encrypted Channel | Hunting | OpenSSL CVE-2022-3602 | 2024-10-17 |