Network Detections

Name Data Source Technique Type Analytic Story Date
Prohibited Network Traffic Allowed Cisco Secure Firewall Threat Defense Connection Event T1048 TTP Command And Control, Ransomware, Cisco Secure Firewall Threat Defense Analytics, Prohibited Traffic Allowed or Protocol Mismatch 2026-05-13
3CX Supply Chain Attack Network Indicators Sysmon EventID 22 T1195.002 TTP 3CX Supply Chain Attack 2026-05-13
Windows Multi hop Proxy TOR Website Query Sysmon EventID 22 T1071.003 Anomaly Interlock Ransomware, AgentTesla 2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Correlation Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation 2026-05-13
Internal Horizontal Port Scan NMAP Top 20 AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event T1046 TTP China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery 2026-05-13
HTTP RMM User Agent Suricata T1071.001 T1219 Anomaly Remote Monitoring and Management Software, Suspicious User Agents 2026-05-13
Windows Remote Desktop Network Bruteforce Attempt Sysmon EventID 3, Cisco Secure Access Firewall T1110.001 Anomaly Compromised User Account, SamSam Ransomware, Cisco Secure Access Analytics, Ryuk Ransomware, Windows RDP Artifacts and Defense Evasion 2026-05-13
HTTP Malware User Agent Suricata T1071.001 TTP RedLine Stealer, Lokibot, Crypto Stealer, Meduza Stealer, Lumma Stealer, Suspicious User Agents 2026-05-13
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
DNS Query Length With High Standard Deviation Sysmon EventID 22 T1048.003 Anomaly Command And Control, Suspicious DNS Traffic, Hidden Cobra Malware 2026-05-13
Cisco SA - Automated Web Reconnaissance via HTTP Access Errors Cisco Secure Access Proxy T1595 Anomaly Cisco Secure Access Analytics 2026-06-09
Wermgr Process Connecting To IP Check Web Services Sysmon EventID 22 T1590.005 TTP Trickbot 2026-05-13
Cisco SD-WAN - Peering Activity Cisco SD-WAN NTCE 1000001 T1190 Hunting Cisco Catalyst SD-WAN Analytics 2026-05-13
Cisco Secure Firewall - Bits Network Activity Cisco Secure Firewall Threat Defense Connection Event N/A Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Remote Desktop Network Traffic Zeek Conn T1021.001 Anomaly SamSam Ransomware, Hidden Cobra Malware, Ryuk Ransomware, Windows RDP Artifacts and Defense Evasion, Active Directory Lateral Movement 2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
HTTP C2 Framework User Agent Suricata T1071.001 TTP Cobalt Strike, Malicious PowerShell, BishopFox Sliver Adversary Emulation Framework, Tuoni, Spearphishing Attachments, Brute Ratel C4, Meterpreter, Suspicious User Agents 2026-05-13
Detect Remote Access Software Usage DNS Sysmon EventID 22 T1219 Anomaly Command And Control, Interlock Ransomware, CISA AA24-241A, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Insider Threat 2026-05-13
Cisco Secure Firewall - Blocked Connection Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Large ICMP Traffic Cisco Secure Access Firewall, Palo Alto Network Traffic T1095 TTP China-Nexus Threat Activity, Command And Control, Cisco Secure Access Analytics, Backdoor Pingpong 2026-05-13
Cisco Secure Firewall - Privileged Command Execution via HTTP Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1505.003 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
HTTP PUA User Agent Suricata T1071.001 Anomaly Local Privilege Escalation With KrbRelayUp, Suspicious User Agents, BlackSuit Ransomware, Cactus Ransomware 2026-05-13
Cisco Secure Firewall - React Server Components RCE Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP React2Shell 2026-05-13
Cisco Secure Firewall - Intrusion Events by Threat Activity Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, ArcaneDoor 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect DNS Query to Decommissioned S3 Bucket Sysmon EventID 22 T1485 Anomaly Data Destruction, AWS S3 Bucket Security Monitoring 2026-05-13
Detect ARP Poisoning Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security 2026-05-13
Internal Horizontal Port Scan AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event T1046 TTP China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery 2026-05-13
Cisco Secure Firewall - Repeated Blocked Connections Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Smart Install Oversized Packet Detection Splunk Stream TCP T1190 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Smart Install Port Discovery and Status Splunk Stream TCP T1190 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171, Scattered Lapsus$ Hunters 2026-05-13
Cisco Secure Firewall - Potential Data Exfiltration Cisco Secure Firewall Threat Defense Connection Event T1041 T1048.003 T1567.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
TOR Traffic Cisco Secure Firewall Threat Defense Connection Event, Palo Alto Network Traffic T1090.003 TTP Command And Control, Interlock Ransomware, Ransomware, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco TFTP Server Configuration for Data Exfiltration Cisco IOS Logs T1005 T1567 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Zeek x509 Certificate with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity Cisco SD-WAN Service Proxy Access Logs T1190 TTP Cisco Catalyst SD-WAN Analytics 2026-05-13
SSL Certificates with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Detect Software Download To Network Device T1542.005 TTP Router and Infrastructure Security 2026-05-13
Cisco SD-WAN - Low Frequency Rogue Peer Cisco SD-WAN NTCE 1000001 T1190 Anomaly Cisco Catalyst SD-WAN Analytics 2026-05-13
Detect Zerologon via Zeek T1190 TTP Black Basta Ransomware, Rhysida Ransomware, Detect Zerologon Attack 2026-05-13
Detect SNICat SNI Exfiltration T1041 TTP Data Exfiltration 2026-05-13
Cisco Secure Firewall - Remote Access Software Usage Traffic Cisco Secure Firewall Threat Defense Connection Event T1219 Anomaly Command And Control, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics, Scattered Spider, Insider Threat 2026-05-13
Protocols passing authentication in cleartext Cisco Secure Firewall Threat Defense Connection Event N/A Anomaly Cisco Secure Firewall Threat Defense Analytics, Use of Cleartext Protocols, Scattered Lapsus$ Hunters 2026-05-13
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Palo Alto Network Threat T1133 T1190 TTP F5 BIG-IP Vulnerability CVE-2022-1388, CISA AA24-241A 2026-05-13
Cisco Secure Firewall - Malware File Downloaded Cisco Secure Firewall Threat Defense File Event T1105 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Internal Vulnerability Scan T1046 T1595.002 TTP Scattered Lapsus$ Hunters, Network Discovery 2026-05-13
Windows DNS Query Request by Telegram Bot API Sysmon EventID 22 T1071.004 T1102.002 Anomaly Phantom Stealer, VIP Keylogger, BlankGrabber Stealer, Crypto Stealer, 0bj3ctivity Stealer 2026-06-25
Cisco Secure Firewall - Static Tundra Smart Install Abuse Cisco Secure Firewall Threat Defense Intrusion Event T1190 T1210 T1499 TTP Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Suspicious Process With Discord DNS Query Sysmon EventID 22 T1059.005 Anomaly WhisperGate, Data Destruction, BlankGrabber Stealer, Phantom Stealer, PXA Stealer, Cactus Ransomware 2026-06-25
Cisco Configuration Archive Logging Analysis Cisco IOS Logs T1098 T1505.003 T1685 Hunting Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1573.002 T1587.002 T1588.004 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Rundll32 DNSQuery Sysmon EventID 22 T1218.011 TTP IcedID, Living Off The Land 2026-05-13
Detect Remote Access Software Usage Traffic Palo Alto Network Traffic T1219 Anomaly Command And Control, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider, Insider Threat 2026-05-13
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1203 TTP Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777 2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Detect Rogue DHCP Server Cisco IOS Logs T1200 T1498 T1557 TTP Router and Infrastructure Security, Scattered Lapsus$ Hunters 2026-05-13
Cisco Secure Firewall - Lumma Stealer Download Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event T1003 T1071 T1078 T1190 T1203 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Rare Snort Rule Triggered Cisco Secure Firewall Threat Defense Intrusion Event T1583.006 T1598 Hunting Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Gather Victim Network Info Through Ip Check Web Services Sysmon EventID 22 T1590.005 Anomaly Quasar RAT, Castle RAT, Void Manticore, Handala Wiper, BlankGrabber Stealer, VIP Keylogger, Water Gamayun, PXA Stealer, Snake Keylogger, Azorult, DarkCrystal RAT, Meduza Stealer, 0bj3ctivity Stealer, Phemedrone Stealer 2026-05-13
Internal Vertical Port Scan AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event T1046 TTP China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Network Discovery 2026-05-13
Cisco IOS Suspicious Privileged Account Creation Cisco IOS Logs T1078 T1136 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Suspicious Process DNS Query Known Abuse Web Services Sysmon EventID 22 T1059.005 TTP WhisperGate, Data Destruction, BlankGrabber Stealer, Cactus Ransomware, PXA Stealer, RedLine Stealer, Snake Keylogger, Braodo Stealer, Remcos, Meduza Stealer, Malicious Inno Setup Loader, Phemedrone Stealer 2026-05-13
Cisco Secure Firewall - High EVE Threat Confidence Cisco Secure Firewall Threat Defense Connection Event T1041 T1071.001 T1105 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Repeated Malware Downloads Cisco Secure Firewall Threat Defense File Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware 2026-05-13
Windows AD Replication Service Traffic T1003.006 T1207 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Cisco Secure Firewall - SSH Connection to Non-Standard Port Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Windows AD Rogue Domain Controller Network Activity T1207 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Cisco Network Interface Modifications Cisco IOS Logs T1021 T1133 T1556 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Wget or Curl Download Cisco Secure Firewall Threat Defense Connection Event T1053.003 T1059 T1071.001 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Abused Web Services Sysmon EventID 22 T1102 Anomaly BlankGrabber Stealer, Malicious Inno Setup Loader, CISA AA24-241A, NjRAT 2026-05-13
Detect Port Security Violation Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security 2026-05-13
Large Volume of DNS ANY Queries T1498.002 Anomaly DNS Amplification Attacks 2026-05-13
Ngrok Reverse Proxy on Network Sysmon EventID 22 T1090 T1102 T1572 Anomaly CISA AA24-241A, Reverse Network Proxy, CISA AA22-320A 2026-05-13
Detect Windows DNS SIGRed via Zeek T1203 TTP Windows DNS SIGRed CVE-2020-1350 2026-05-13
Detect hosts connecting to dynamic domain providers Sysmon EventID 22 T1189 TTP Command And Control, DNS Hijacking, Data Protection, Prohibited Traffic Allowed or Protocol Mismatch, Dynamic DNS, Suspicious DNS Traffic 2026-05-13
Cisco Secure Firewall - File Download Over Uncommon Port Cisco Secure Firewall Threat Defense File Event T1105 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity Cisco Secure Firewall Threat Defense Intrusion Event T1003.001 T1059.001 T1190 T1210 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Protocol or Port Mismatch Cisco Secure Firewall Threat Defense Connection Event T1048.003 Anomaly Command And Control, Cisco Secure Firewall Threat Defense Analytics, Prohibited Traffic Allowed or Protocol Mismatch 2026-05-13
Detect Outbound SMB Traffic Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Access Firewall T1071.002 TTP Cisco Secure Access Analytics, Hidden Cobra Malware, DHS Report TA18-074A, NOBELIUM Group, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Unauthorized Assets by MAC address N/A TTP Asset Tracking 2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Exploitation Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation 2026-05-13
Cisco Secure Firewall - Binary File Type Download Cisco Secure Firewall Threat Defense File Event T1059 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Traffic Mirroring Cisco IOS Logs T1020.001 T1200 T1498 TTP Router and Infrastructure Security 2026-05-13
DNS Kerberos Coercion Suricata, Sysmon EventID 22 T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host, Suspicious DNS Traffic 2026-05-13
Cisco Secure Firewall - Possibly Compromised Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1203 T1587.001 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Connection to File Sharing Domain Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1090.002 T1105 T1567.002 T1588.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters 2026-05-13
Excessive DNS Failures T1071.004 Anomaly Command And Control, Suspicious DNS Traffic 2026-05-13
Cisco SNMP Community String Configuration Changes Cisco IOS Logs T1040 T1552 T1685 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Lumma Stealer Activity Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1190 T1204 T1210 TTP Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
Windows Spearphishing Attachment Connect To None MS Office Domain Sysmon EventID 22 T1566.001 Hunting Spearphishing Attachments, MuddyWater, AsyncRAT 2026-05-13
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity Cisco SD-WAN Service Proxy Access Logs T1595 Hunting Cisco Catalyst SD-WAN Analytics 2026-05-13
SMB Traffic Spike T1021.002 Anomaly Emotet Malware DHS Report TA18-201A, DHS Report TA18-074A, Ransomware, Hidden Cobra Malware 2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1071 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect IPv6 Network Infrastructure Threats Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security, Scattered Lapsus$ Hunters 2026-05-13
Hosts receiving high volume of network traffic from email server T1114.002 Anomaly Collection and Staging 2026-05-13
Cisco SA - Access to Anonymizer Services Cisco Secure Access DNS T1090.003 Anomaly Cisco Secure Access Analytics 2026-06-09
Detect Windows DNS SIGRed via Splunk Stream T1203 TTP Windows DNS SIGRed CVE-2020-1350 2026-05-13
Detect Outbound LDAP Traffic Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Access Firewall, Palo Alto Network Traffic T1059 T1190 Hunting Cisco Secure Access Analytics, Cisco Secure Firewall Threat Defense Analytics, Log4Shell CVE-2021-44228 2026-05-13
Cisco Secure Firewall - SSH Connection to sshd_operns Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13