Network_Traffic

Network Traffic to Active Directory Web Services Protocol

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect Remote Access Software Usage Traffic

Remote Access Software

Windows Rundll32 WebDav With Network Connection

Exfiltration Over Unencrypted Non-C2 Protocol

Windows WinLogon with Public Network Connection

Bootkit

Unknown Process Using The Kerberos Protocol

Use Alternate Authentication Material

Windows InstallUtil Remote Network Connection

InstallUtil, System Binary Proxy Execution

TOR Traffic

Proxy, Multi-hop Proxy

DLLHost with no Command Line Arguments with Network

Process Injection

SearchProtocolHost with no Command Line with Network

Process Injection

Rundll32 with no Command Line Arguments with Network

System Binary Proxy Execution, Rundll32

GPUpdate with no Command Line Arguments with Network

Process Injection

Windows Suspect Process With Authentication Traffic

Account Discovery, Domain Account, User Execution, Malicious File

Windows AD Replication Service Traffic

OS Credential Dumping, DCSync, Rogue Domain Controller

Outbound Network Connection from Java Using Default Ports

Exploit Public-Facing Application, External Remote Services

Windows MSIExec With Network Connections

Msiexec

Windows InstallUtil Uninstall Option with Network

InstallUtil, System Binary Proxy Execution

Log4Shell JNDI Payload Injection with Outbound Connection

Exploit Public-Facing Application, External Remote Services

Detect Outbound LDAP Traffic

Exploit Public-Facing Application, Command and Scripting Interpreter

LOLBAS With Network Traffic

Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution

Protocols passing authentication in cleartext

Detect Software Download To Network Device

TFTP Boot, Pre-OS Boot

Detect Windows DNS SIGRed via Zeek

Exploitation for Client Execution

SMB Traffic Spike - MLTK

SMB/Windows Admin Shares, Remote Services

SMB Traffic Spike

SMB/Windows Admin Shares, Remote Services

Prohibited Network Traffic Allowed

Exfiltration Over Alternative Protocol

Remote Desktop Network Bruteforce

Remote Desktop Protocol, Remote Services

Email servers sending high volume traffic to hosts

Email Collection, Remote Email Collection

Hosts receiving high volume of network traffic from email server

Remote Email Collection, Email Collection

Protocol or Port Mismatch

Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol

Detect Outbound SMB Traffic

File Transfer Protocols, Application Layer Protocol

Remote Desktop Network Traffic

Remote Desktop Protocol, Remote Services

Detect Large Outbound ICMP Packets

Non-Application Layer Protocol