|
Detect ARP Poisoning
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2024-10-17
|
|
Detect DGA domains using pretrained model in DSDL
|
|
Domain Generation Algorithms
|
Anomaly
|
Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic
|
2024-10-17
|
|
Detect DNS Data Exfiltration using pretrained model in DSDL
|
|
Exfiltration Over Unencrypted Non-C2 Protocol
|
Anomaly
|
Command And Control, DNS Hijacking, Suspicious DNS Traffic
|
2024-10-17
|
|
Detect hosts connecting to dynamic domain providers
|
Sysmon EventID 22
|
Drive-by Compromise
|
TTP
|
Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic
|
2024-09-30
|
|
Detect IPv6 Network Infrastructure Threats
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2024-10-17
|
|
Detect Large Outbound ICMP Packets
|
Palo Alto Network Traffic
|
Non-Application Layer Protocol
|
TTP
|
Command And Control
|
2024-11-06
|
|
Detect Outbound LDAP Traffic
|
Bro
|
Exploit Public-Facing Application
Command and Scripting Interpreter
|
Hunting
|
Log4Shell CVE-2021-44228
|
2024-10-17
|
|
Detect Outbound SMB Traffic
|
|
File Transfer Protocols
Application Layer Protocol
|
TTP
|
DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group
|
2024-10-16
|
|
Detect Port Security Violation
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
ARP Cache Poisoning
|
TTP
|
Router and Infrastructure Security
|
2024-10-17
|
|
Detect Remote Access Software Usage DNS
|
Sysmon EventID 22
|
Remote Access Software
|
Anomaly
|
CISA AA24-241A, Command And Control, Insider Threat, Ransomware
|
2024-09-30
|
|
Detect Remote Access Software Usage Traffic
|
Palo Alto Network Traffic
|
Remote Access Software
|
Anomaly
|
Command And Control, Insider Threat, Ransomware
|
2024-09-30
|
|
Detect Rogue DHCP Server
|
|
Hardware Additions
Network Denial of Service
Adversary-in-the-Middle
|
TTP
|
Router and Infrastructure Security
|
2024-10-17
|
|
Detect SNICat SNI Exfiltration
|
|
Exfiltration Over C2 Channel
|
TTP
|
Data Exfiltration
|
2024-10-17
|
|
Detect Software Download To Network Device
|
|
TFTP Boot
Pre-OS Boot
|
TTP
|
Router and Infrastructure Security
|
2024-10-17
|
|
Detect suspicious DNS TXT records using pretrained model in DSDL
|
|
Domain Generation Algorithms
|
Anomaly
|
Command And Control, DNS Hijacking, Suspicious DNS Traffic
|
2024-10-17
|
|
Detect Traffic Mirroring
|
|
Hardware Additions
Automated Exfiltration
Network Denial of Service
Traffic Duplication
|
TTP
|
Router and Infrastructure Security
|
2024-10-17
|
|
Detect Unauthorized Assets by MAC address
|
|
N/A
|
TTP
|
Asset Tracking
|
2024-10-17
|
|
Detect Windows DNS SIGRed via Splunk Stream
|
|
Exploitation for Client Execution
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2024-10-17
|
|
Detect Windows DNS SIGRed via Zeek
|
|
Exploitation for Client Execution
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2024-10-17
|
|
Detect Zerologon via Zeek
|
|
Exploit Public-Facing Application
|
TTP
|
Detect Zerologon Attack, Rhysida Ransomware
|
2024-10-17
|
|
DNS Query Length Outliers - MLTK
|
|
DNS
Application Layer Protocol
|
Anomaly
|
Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic
|
2024-10-17
|
|
DNS Query Length With High Standard Deviation
|
Sysmon EventID 22
|
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Alternative Protocol
|
Anomaly
|
Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic
|
2024-09-30
|
|
Excessive DNS Failures
|
|
DNS
Application Layer Protocol
|
Anomaly
|
Command And Control, Suspicious DNS Traffic
|
2024-10-17
|
|
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388
|
2024-09-30
|
|
Hosts receiving high volume of network traffic from email server
|
|
Remote Email Collection
Email Collection
|
Anomaly
|
Collection and Staging
|
2024-10-17
|
|
Internal Horizontal Port Scan
|
AWS CloudWatchLogs VPCflow
|
Network Service Discovery
|
TTP
|
Network Discovery
|
2024-09-30
|
|
Internal Horizontal Port Scan NMAP Top 20
|
AWS CloudWatchLogs VPCflow
|
Network Service Discovery
|
TTP
|
Network Discovery
|
2024-09-25
|
|
Internal Vertical Port Scan
|
AWS CloudWatchLogs VPCflow
|
Network Service Discovery
|
TTP
|
Network Discovery
|
2024-09-30
|
|
Internal Vulnerability Scan
|
|
Vulnerability Scanning
Network Service Discovery
|
TTP
|
Network Discovery
|
2024-10-17
|
|
Large Volume of DNS ANY Queries
|
|
Network Denial of Service
Reflection Amplification
|
Anomaly
|
DNS Amplification Attacks
|
2024-10-17
|
|
Ngrok Reverse Proxy on Network
|
Sysmon EventID 22
|
Protocol Tunneling
Proxy
Web Service
|
Anomaly
|
CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy
|
2024-09-30
|
|
Prohibited Network Traffic Allowed
|
|
Exfiltration Over Alternative Protocol
|
TTP
|
Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware
|
2024-09-30
|
|
Protocol or Port Mismatch
|
|
Exfiltration Over Unencrypted Non-C2 Protocol
Exfiltration Over Alternative Protocol
|
Anomaly
|
Command And Control, Prohibited Traffic Allowed or Protocol Mismatch
|
2024-10-17
|
|
Protocols passing authentication in cleartext
|
|
N/A
|
TTP
|
Use of Cleartext Protocols
|
2024-10-17
|
|
Remote Desktop Network Bruteforce
|
|
Remote Desktop Protocol
Remote Services
|
TTP
|
Ryuk Ransomware, SamSam Ransomware
|
2024-10-16
|
|
Remote Desktop Network Traffic
|
|
Remote Desktop Protocol
Remote Services
|
Anomaly
|
Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware
|
2024-10-16
|
|
SMB Traffic Spike
|
|
SMB/Windows Admin Shares
Remote Services
|
Anomaly
|
DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
|
2024-10-17
|
|
SMB Traffic Spike - MLTK
|
|
SMB/Windows Admin Shares
Remote Services
|
Anomaly
|
DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
|
2024-10-17
|
|
Splunk Identified SSL TLS Certificates
|
Splunk Stream TCP
|
Network Sniffing
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
|
SSL Certificates with Punycode
|
|
Encrypted Channel
|
Hunting
|
OpenSSL CVE-2022-3602
|
2024-10-17
|
|
TOR Traffic
|
Palo Alto Network Traffic
|
Proxy
Multi-hop Proxy
|
TTP
|
Command And Control, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware
|
2024-09-30
|
|
Windows AD Replication Service Traffic
|
|
OS Credential Dumping
DCSync
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-10-17
|
|
Windows AD Rogue Domain Controller Network Activity
|
|
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-10-17
|
|
Zeek x509 Certificate with Punycode
|
|
Encrypted Channel
|
Hunting
|
OpenSSL CVE-2022-3602
|
2024-10-17
|