Network

Name Technique Datamodel
DNS Query Length Outliers - MLTK DNS, Application Layer Protocol Network_Resolution
DNS Query Length With High Standard Deviation Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Network_Resolution
Detect ARP Poisoning Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning None
Detect DGA domains using pretrained model in DSDL Domain Generation Algorithms Network_Resolution
Detect IPv6 Network Infrastructure Threats Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning None
Detect Large Outbound ICMP Packets Non-Application Layer Protocol Network_Traffic
Detect Outbound LDAP Traffic Exploit Public-Facing Application, Command and Scripting Interpreter Network_Traffic
Detect Outbound SMB Traffic File Transfer Protocols, Application Layer Protocol Network_Traffic
Detect Port Security Violation Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning None
Detect Rogue DHCP Server Hardware Additions, Network Denial of Service, Adversary-in-the-Middle None
Detect SNICat SNI Exfiltration Exfiltration Over C2 Channel None
Detect Software Download To Network Device TFTP Boot, Pre-OS Boot Network_Traffic
Detect Traffic Mirroring Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication None
Detect Unauthorized Assets by MAC address None Network_Sessions
Detect Windows DNS SIGRed via Splunk Stream Exploitation for Client Execution None
Detect Windows DNS SIGRed via Zeek Exploitation for Client Execution Network_Resolution
Detect Zerologon via Zeek Exploit Public-Facing Application None
Detect hosts connecting to dynamic domain providers Drive-by Compromise Network_Resolution
Excessive DNS Failures DNS, Application Layer Protocol Network_Resolution
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Exploit Public-Facing Application Web
Hosts receiving high volume of network traffic from email server Remote Email Collection, Email Collection Network_Traffic
Large Volume of DNS ANY Queries Network Denial of Service, Reflection Amplification Network_Resolution
Multiple Archive Files Http Post Traffic Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Network_Traffic
Ngrok Reverse Proxy on Network Protocol Tunneling, Proxy, Web Service Network_Resolution
Plain HTTP POST Exfiltrated Data Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Network_Traffic
Prohibited Network Traffic Allowed Exfiltration Over Alternative Protocol Network_Traffic
Protocol or Port Mismatch Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Network_Traffic
Protocols passing authentication in cleartext None Network_Traffic
Remote Desktop Network Bruteforce Remote Desktop Protocol, Remote Services Network_Traffic
Remote Desktop Network Traffic Remote Desktop Protocol, Remote Services Network_Traffic
SMB Traffic Spike SMB/Windows Admin Shares, Remote Services Network_Traffic
SMB Traffic Spike - MLTK SMB/Windows Admin Shares, Remote Services Network_Traffic
SSL Certificates with Punycode Encrypted Channel None
Splunk Identified SSL TLS Certificates Network Sniffing None
TCP Command and Scripting Interpreter Outbound LDAP Traffic Command and Scripting Interpreter Endpoint_Processes
TOR Traffic Application Layer Protocol, Web Protocols Network_Traffic
Unusual Volume of Data Download from Internal Server Per Entity Data from Information Repositories, Data from Network Shared Drive Network_Traffic
Unusually Long Content-Type Length None None
Zeek x509 Certificate with Punycode Encrypted Channel None

Endpoint

Living Off The Land

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

CMD Echo Pipe - Escalation

Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process

Back to Top ↑

Cloud

Back to Top ↑

Deprecated

Back to Top ↑

Application

Back to Top ↑

Network

Detect ARP Poisoning

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning

Back to Top ↑

Web

Back to Top ↑