Protocols passing authentication in cleartext
Network_Traffic
Plain HTTP POST Exfiltrated Data
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol
Multiple Archive Files Http Post Traffic
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
TOR Traffic
Application Layer Protocol, Web Protocols
SMB Traffic Spike - MLTK
SMB/Windows Admin Shares, Remote Services
SMB Traffic Spike
SMB/Windows Admin Shares, Remote Services
Remote Desktop Network Bruteforce
Remote Desktop Protocol, Remote Services
Protocol or Port Mismatch
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol
Prohibited Network Traffic Allowed
Exfiltration Over Alternative Protocol
Hosts receiving high volume of network traffic from email server
Remote Email Collection, Email Collection
Email servers sending high volume traffic to hosts
Email Collection, Remote Email Collection
Detect Outbound SMB Traffic
File Transfer Protocols, Application Layer Protocol
Remote Desktop Network Traffic
Remote Desktop Protocol, Remote Services
Detect Large Outbound ICMP Packets
Non-Application Layer Protocol