GitHub Repo

Network Detections

Name Data Source Technique Type Analytic Story Date
Prohibited Network Traffic Allowed Cisco Secure Firewall Threat Defense Connection Event T1048 TTP Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Cisco Secure Firewall Threat Defense Analytics, Ransomware 2026-05-13
3CX Supply Chain Attack Network Indicators Sysmon EventID 22 T1195.002 TTP 3CX Supply Chain Attack 2026-05-13
Windows Multi hop Proxy TOR Website Query Sysmon EventID 22 T1071.003 Anomaly AgentTesla, Interlock Ransomware 2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Correlation Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation 2026-05-13
Internal Horizontal Port Scan NMAP Top 20 Cisco Secure Firewall Threat Defense Connection Event, AWS CloudWatchLogs VPCflow T1046 TTP China-Nexus Threat Activity, Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics, Network Discovery 2026-05-13
HTTP RMM User Agent Suricata T1071.001 T1219 Anomaly Suspicious User Agents, Remote Monitoring and Management Software 2026-05-13
Windows Remote Desktop Network Bruteforce Attempt Cisco Secure Access Firewall, Sysmon EventID 3 T1110.001 Anomaly Cisco Secure Access Analytics, Compromised User Account, Windows RDP Artifacts and Defense Evasion, SamSam Ransomware, Ryuk Ransomware 2026-05-13
HTTP Malware User Agent Suricata T1071.001 TTP Lokibot, Lumma Stealer, Suspicious User Agents, RedLine Stealer, Crypto Stealer, Meduza Stealer 2026-05-13
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
DNS Query Length With High Standard Deviation Sysmon EventID 22 T1048.003 Anomaly Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic 2026-05-13
Wermgr Process Connecting To IP Check Web Services Sysmon EventID 22 T1590.005 TTP Trickbot 2026-05-13
Cisco SD-WAN - Peering Activity Cisco SD-WAN NTCE 1000001 T1190 Hunting Cisco Catalyst SD-WAN Analytics 2026-05-13
Cisco Secure Firewall - Bits Network Activity Cisco Secure Firewall Threat Defense Connection Event N/A Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Remote Desktop Network Traffic Zeek Conn T1021.001 Anomaly Active Directory Lateral Movement, Hidden Cobra Malware, Windows RDP Artifacts and Defense Evasion, SamSam Ransomware, Ryuk Ransomware 2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
HTTP C2 Framework User Agent Suricata T1071.001 TTP Spearphishing Attachments, BishopFox Sliver Adversary Emulation Framework, Brute Ratel C4, Meterpreter, Suspicious User Agents, Cobalt Strike, Malicious PowerShell, Tuoni 2026-05-13
Detect Remote Access Software Usage DNS Sysmon EventID 22 T1219 Anomaly Scattered Spider, CISA AA24-241A, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Interlock Ransomware 2026-05-13
Cisco Secure Firewall - Blocked Connection Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Large ICMP Traffic Palo Alto Network Traffic, Cisco Secure Access Firewall T1095 TTP China-Nexus Threat Activity, Command And Control, Cisco Secure Access Analytics, Backdoor Pingpong 2026-05-13
Cisco Secure Firewall - Privileged Command Execution via HTTP Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1505.003 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
HTTP PUA User Agent Suricata T1071.001 Anomaly BlackSuit Ransomware, Local Privilege Escalation With KrbRelayUp, Cactus Ransomware, Suspicious User Agents 2026-05-13
Cisco Secure Firewall - React Server Components RCE Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP React2Shell 2026-05-13
Cisco Secure Firewall - Intrusion Events by Threat Activity Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, ArcaneDoor 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect DNS Query to Decommissioned S3 Bucket Sysmon EventID 22 T1485 Anomaly Data Destruction, AWS S3 Bucket Security Monitoring 2026-05-13
Detect ARP Poisoning Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security 2026-05-13
Internal Horizontal Port Scan Cisco Secure Firewall Threat Defense Connection Event, AWS CloudWatchLogs VPCflow T1046 TTP China-Nexus Threat Activity, Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics, Network Discovery 2026-05-13
Cisco Secure Firewall - Repeated Blocked Connections Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Smart Install Oversized Packet Detection Splunk Stream TCP T1190 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Smart Install Port Discovery and Status Splunk Stream TCP T1190 TTP Scattered Lapsus$ Hunters, Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Potential Data Exfiltration Cisco Secure Firewall Threat Defense Connection Event T1041 T1048.003 T1567.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
TOR Traffic Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event T1090.003 TTP Cisco Secure Firewall Threat Defense Analytics, Ransomware, NOBELIUM Group, Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Interlock Ransomware 2026-05-13
Cisco TFTP Server Configuration for Data Exfiltration Cisco IOS Logs T1005 T1567 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Zeek x509 Certificate with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity Cisco SD-WAN Service Proxy Access Logs T1190 TTP Cisco Catalyst SD-WAN Analytics 2026-05-13
SSL Certificates with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Detect Software Download To Network Device T1542.005 TTP Router and Infrastructure Security 2026-05-13
Cisco SD-WAN - Low Frequency Rogue Peer Cisco SD-WAN NTCE 1000001 T1190 Anomaly Cisco Catalyst SD-WAN Analytics 2026-05-13
Detect Zerologon via Zeek T1190 TTP Rhysida Ransomware, Black Basta Ransomware, Detect Zerologon Attack 2026-05-13
Detect SNICat SNI Exfiltration T1041 TTP Data Exfiltration 2026-05-13
Cisco Secure Firewall - Remote Access Software Usage Traffic Cisco Secure Firewall Threat Defense Connection Event T1219 Anomaly Scattered Spider, Cisco Secure Firewall Threat Defense Analytics, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Interlock Ransomware 2026-05-13
Protocols passing authentication in cleartext Cisco Secure Firewall Threat Defense Connection Event N/A Anomaly Use of Cleartext Protocols, Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters 2026-05-13
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Palo Alto Network Threat T1133 T1190 TTP CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388 2026-05-13
Cisco Secure Firewall - Malware File Downloaded Cisco Secure Firewall Threat Defense File Event T1105 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Internal Vulnerability Scan T1046 T1595.002 TTP Scattered Lapsus$ Hunters, Network Discovery 2026-05-13
Windows DNS Query Request by Telegram Bot API Sysmon EventID 22 T1071.004 T1102.002 Anomaly 0bj3ctivity Stealer, Crypto Stealer, BlankGrabber Stealer, VIP Keylogger 2026-05-13
Cisco Secure Firewall - Static Tundra Smart Install Abuse Cisco Secure Firewall Threat Defense Intrusion Event T1190 T1210 T1499 TTP Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Suspicious Process With Discord DNS Query Sysmon EventID 22 T1059.005 Anomaly BlankGrabber Stealer, Data Destruction, WhisperGate, PXA Stealer, Cactus Ransomware 2026-05-13
Cisco Configuration Archive Logging Analysis Cisco IOS Logs T1098 T1505.003 T1685 Hunting Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1573.002 T1587.002 T1588.004 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Rundll32 DNSQuery Sysmon EventID 22 T1218.011 TTP IcedID, Living Off The Land 2026-05-13
Detect Remote Access Software Usage Traffic Palo Alto Network Traffic T1219 Anomaly Scattered Spider, Ransomware, Insider Threat, Command And Control, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Interlock Ransomware 2026-05-13
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1203 TTP Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777 2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Detect Rogue DHCP Server Cisco IOS Logs T1200 T1498 T1557 TTP Router and Infrastructure Security, Scattered Lapsus$ Hunters 2026-05-13
Cisco Secure Firewall - Lumma Stealer Download Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event T1003 T1071 T1078 T1190 T1203 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Rare Snort Rule Triggered Cisco Secure Firewall Threat Defense Intrusion Event T1583.006 T1598 Hunting Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Gather Victim Network Info Through Ip Check Web Services Sysmon EventID 22 T1590.005 Anomaly Phemedrone Stealer, 0bj3ctivity Stealer, Quasar RAT, Void Manticore, BlankGrabber Stealer, Azorult, Castle RAT, PXA Stealer, Snake Keylogger, Meduza Stealer, VIP Keylogger, DarkCrystal RAT, Water Gamayun, Handala Wiper 2026-05-13
Internal Vertical Port Scan Cisco Secure Firewall Threat Defense Connection Event, AWS CloudWatchLogs VPCflow T1046 TTP China-Nexus Threat Activity, Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics, Network Discovery 2026-05-13
Cisco IOS Suspicious Privileged Account Creation Cisco IOS Logs T1078 T1136 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Suspicious Process DNS Query Known Abuse Web Services Sysmon EventID 22 T1059.005 TTP Phemedrone Stealer, Malicious Inno Setup Loader, BlankGrabber Stealer, Data Destruction, Braodo Stealer, Remcos, RedLine Stealer, WhisperGate, PXA Stealer, Meduza Stealer, Snake Keylogger, Cactus Ransomware 2026-05-13
Cisco Secure Firewall - High EVE Threat Confidence Cisco Secure Firewall Threat Defense Connection Event T1041 T1071.001 T1105 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Repeated Malware Downloads Cisco Secure Firewall Threat Defense File Event T1027 T1105 Anomaly Hellcat Ransomware, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows AD Replication Service Traffic T1003.006 T1207 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Cisco Secure Firewall - SSH Connection to Non-Standard Port Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Windows AD Rogue Domain Controller Network Activity T1207 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Cisco Network Interface Modifications Cisco IOS Logs T1021 T1133 T1556 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Wget or Curl Download Cisco Secure Firewall Threat Defense Connection Event T1053.003 T1059 T1071.001 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Abused Web Services Sysmon EventID 22 T1102 Anomaly Malicious Inno Setup Loader, NjRAT, BlankGrabber Stealer, CISA AA24-241A 2026-05-13
Detect Port Security Violation Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security 2026-05-13
Large Volume of DNS ANY Queries T1498.002 Anomaly DNS Amplification Attacks 2026-05-13
Ngrok Reverse Proxy on Network Sysmon EventID 22 T1090 T1102 T1572 Anomaly Reverse Network Proxy, CISA AA24-241A, CISA AA22-320A 2026-05-13
Detect Windows DNS SIGRed via Zeek T1203 TTP Windows DNS SIGRed CVE-2020-1350 2026-05-13
Detect hosts connecting to dynamic domain providers Sysmon EventID 22 T1189 TTP Suspicious DNS Traffic, Dynamic DNS, Command And Control, Data Protection, Prohibited Traffic Allowed or Protocol Mismatch, DNS Hijacking 2026-05-13
Cisco Secure Firewall - File Download Over Uncommon Port Cisco Secure Firewall Threat Defense File Event T1105 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity Cisco Secure Firewall Threat Defense Intrusion Event T1003.001 T1059.001 T1190 T1210 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Protocol or Port Mismatch Cisco Secure Firewall Threat Defense Connection Event T1048.003 Anomaly Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Outbound SMB Traffic Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event T1071.002 TTP Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics, NOBELIUM Group, Hidden Cobra Malware, DHS Report TA18-074A 2026-05-13
Detect Unauthorized Assets by MAC address N/A TTP Asset Tracking 2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Exploitation Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation 2026-05-13
Cisco Secure Firewall - Binary File Type Download Cisco Secure Firewall Threat Defense File Event T1059 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Traffic Mirroring Cisco IOS Logs T1020.001 T1200 T1498 TTP Router and Infrastructure Security 2026-05-13
DNS Kerberos Coercion Sysmon EventID 22, Suricata T1071.004 T1187 T1557.001 TTP Local Privilege Escalation With KrbRelayUp, Suspicious DNS Traffic, Kerberos Coercion with DNS, Compromised Windows Host 2026-05-13
Cisco Secure Firewall - Possibly Compromised Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1203 T1587.001 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Connection to File Sharing Domain Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1090.002 T1105 T1567.002 T1588.002 Anomaly Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Excessive DNS Failures T1071.004 Anomaly Command And Control, Suspicious DNS Traffic 2026-05-13
Cisco SNMP Community String Configuration Changes Cisco IOS Logs T1040 T1552 T1685 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Lumma Stealer Activity Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1190 T1204 T1210 TTP Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2026-05-13
Windows Spearphishing Attachment Connect To None MS Office Domain Sysmon EventID 22 T1566.001 Hunting Spearphishing Attachments, MuddyWater, AsyncRAT 2026-05-13
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity Cisco SD-WAN Service Proxy Access Logs T1595 Hunting Cisco Catalyst SD-WAN Analytics 2026-05-13
SMB Traffic Spike T1021.002 Anomaly DHS Report TA18-074A, Hidden Cobra Malware, Ransomware, Emotet Malware DHS Report TA18-201A 2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1071 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect IPv6 Network Infrastructure Threats Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security, Scattered Lapsus$ Hunters 2026-05-13
Hosts receiving high volume of network traffic from email server T1114.002 Anomaly Collection and Staging 2026-05-13
Detect Windows DNS SIGRed via Splunk Stream T1203 TTP Windows DNS SIGRed CVE-2020-1350 2026-05-13
Detect Outbound LDAP Traffic Palo Alto Network Traffic, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event T1059 T1190 Hunting Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics, Log4Shell CVE-2021-44228 2026-05-13
Cisco Secure Firewall - SSH Connection to sshd_operns Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13