Name | Data Source | Technique | Type | Analytic Story | Date
3CX Supply Chain Attack Network Indicators | Sysmon EventID 22 | Compromise Software Supply Chain | TTP | 3CX Supply Chain Attack | 2025-05-02
Cisco Secure Firewall - Binary File Type Download | Cisco Secure Firewall Threat Defense File Event | Exploitation for Client Execution, Command and Scripting Interpreter | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Bits Network Activity | Cisco Secure Firewall Threat Defense Connection Event | N/A | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint | Cisco Secure Firewall Threat Defense Connection Event | Code Signing Certificates, Digital Certificates, Web Protocols, Asymmetric Cryptography | TTP | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Blocked Connection | Cisco Secure Firewall Threat Defense Connection Event | Remote System Discovery, Network Service Discovery, Brute Force, Exploitation for Client Execution, Vulnerability Scanning | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Communication Over Suspicious Ports | Cisco Secure Firewall Threat Defense Connection Event | Remote Services, Process Injection, PowerShell, Ingress Tool Transfer, Remote Access Tools, Non-Standard Port | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Connection to File Sharing Domain | Cisco Secure Firewall Threat Defense Connection Event | Web Protocols, External Proxy, Ingress Tool Transfer, Exfiltration to Cloud Storage, Tool | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - File Download Over Uncommon Port | Cisco Secure Firewall Threat Defense File Event | Ingress Tool Transfer, Non-Standard Port | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - High EVE Threat Confidence | Cisco Secure Firewall Threat Defense Connection Event | Exfiltration Over C2 Channel, Web Protocols, Ingress Tool Transfer, Asymmetric Cryptography | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - High Volume of Intrusion Events Per Host | Cisco Secure Firewall Threat Defense Intrusion Event | Command and Scripting Interpreter, Application Layer Protocol, Vulnerability Scanning | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Malware File Downloaded | Cisco Secure Firewall Threat Defense File Event | Exploitation for Client Execution, Ingress Tool Transfer | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Possibly Compromised Host | Cisco Secure Firewall Threat Defense Intrusion Event | Exploitation for Client Execution, Command and Scripting Interpreter, Malware | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Potential Data Exfiltration | Cisco Secure Firewall Threat Defense Connection Event | Exfiltration Over C2 Channel, Exfiltration to Cloud Storage, Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Rare Snort Rule Triggered | Cisco Secure Firewall Threat Defense Intrusion Event | Phishing for Information, Web Services | Hunting | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Repeated Blocked Connections | Cisco Secure Firewall Threat Defense Connection Event | Remote System Discovery, Network Service Discovery, Brute Force, Exploitation for Client Execution, Vulnerability Scanning | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Repeated Malware Downloads | Cisco Secure Firewall Threat Defense File Event | Ingress Tool Transfer, Obfuscated Files or Information | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts | Cisco Secure Firewall Threat Defense Intrusion Event | Ingress Tool Transfer, Obfuscated Files or Information | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Cisco Secure Firewall - Wget or Curl Download | Cisco Secure Firewall Threat Defense Connection Event | Cron, Command and Scripting Interpreter, Web Protocols, Ingress Tool Transfer | Anomaly | Cisco Secure Firewall Threat Defense Analytics | 2025-05-02
Detect ARP Poisoning |  | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2025-05-02
Detect DGA domains using pretrained model in DSDL |  | Domain Generation Algorithms | Anomaly | Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic | 2025-05-02
Detect DNS Data Exfiltration using pretrained model in DSDL |  | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly | Command And Control, DNS Hijacking, Suspicious DNS Traffic | 2025-05-02
Detect DNS Query to Decommissioned S3 Bucket | Sysmon EventID 22 | Data Destruction | Anomaly | AWS S3 Bucket Security Monitoring, Data Destruction | 2025-05-02
Detect hosts connecting to dynamic domain providers | Sysmon EventID 22 | Drive-by Compromise | TTP | Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic | 2025-05-02
Detect IPv6 Network Infrastructure Threats |  | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2025-05-02
Detect Large ICMP Traffic | Palo Alto Network Traffic | Non-Application Layer Protocol | TTP | Backdoor Pingpong, China-Nexus Threat Activity, Command And Control | 2025-05-02
Detect Outbound LDAP Traffic | Palo Alto Network Traffic | Exploit Public-Facing Application, Command and Scripting Interpreter | Hunting | Log4Shell CVE-2021-44228 | 2025-05-02
Detect Outbound SMB Traffic | Zeek Conn | File Transfer Protocols | TTP | DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group | 2025-05-02
Detect Port Security Violation |  | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP | Router and Infrastructure Security | 2025-05-02
Detect Remote Access Software Usage DNS | Sysmon EventID 22 | Remote Access Tools | Anomaly | CISA AA24-241A, Command And Control, Insider Threat, Ransomware, Remote Monitoring and Management Software | 2025-05-02
Detect Remote Access Software Usage Traffic | Palo Alto Network Traffic | Remote Access Tools | Anomaly | Command And Control, Insider Threat, Ransomware, Remote Monitoring and Management Software | 2025-05-02
Detect Rogue DHCP Server |  | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP | Router and Infrastructure Security | 2025-05-02
Detect SNICat SNI Exfiltration |  | Exfiltration Over C2 Channel | TTP | Data Exfiltration | 2025-05-02
Detect Software Download To Network Device |  | TFTP Boot | TTP | Router and Infrastructure Security | 2025-05-02
Detect suspicious DNS TXT records using pretrained model in DSDL |  | Domain Generation Algorithms | Anomaly | Command And Control, DNS Hijacking, Suspicious DNS Traffic | 2025-05-02
Detect Traffic Mirroring |  | Traffic Duplication, Hardware Additions, Network Denial of Service | TTP | Router and Infrastructure Security | 2025-05-02
Detect Unauthorized Assets by MAC address |  | N/A | TTP | Asset Tracking | 2025-05-02
Detect Windows DNS SIGRed via Splunk Stream |  | Exploitation for Client Execution | TTP | Windows DNS SIGRed CVE-2020-1350 | 2025-05-02
Detect Windows DNS SIGRed via Zeek |  | Exploitation for Client Execution | TTP | Windows DNS SIGRed CVE-2020-1350 | 2025-05-02
Detect Zerologon via Zeek |  | Exploit Public-Facing Application | TTP | Black Basta Ransomware, Detect Zerologon Attack, Rhysida Ransomware | 2025-05-02
DNS Query Length Outliers - MLTK |  | DNS | Anomaly | Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic | 2025-05-02
DNS Query Length With High Standard Deviation | Sysmon EventID 22 | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly | Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic | 2025-05-02
Excessive DNS Failures |  | DNS | Anomaly | Command And Control, Suspicious DNS Traffic | 2025-05-02
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 | Palo Alto Network Threat | Exploit Public-Facing Application, External Remote Services | TTP | CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388 | 2025-05-02
Hosts receiving high volume of network traffic from email server |  | Remote Email Collection | Anomaly | Collection and Staging | 2025-05-02
Internal Horizontal Port Scan | AWS CloudWatchLogs VPCflow | Network Service Discovery | TTP | Network Discovery | 2025-05-02
Internal Horizontal Port Scan NMAP Top 20 | AWS CloudWatchLogs VPCflow | Network Service Discovery | TTP | Network Discovery | 2025-05-02
Internal Vertical Port Scan | AWS CloudWatchLogs VPCflow | Network Service Discovery | TTP | Network Discovery | 2025-05-02
Internal Vulnerability Scan |  | Vulnerability Scanning, Network Service Discovery | TTP | Network Discovery | 2025-05-02
Large Volume of DNS ANY Queries |  | Reflection Amplification | Anomaly | DNS Amplification Attacks | 2025-05-02
Ngrok Reverse Proxy on Network | Sysmon EventID 22 | Protocol Tunneling, Proxy, Web Service | Anomaly | CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy | 2025-05-02
Prohibited Network Traffic Allowed | Zeek Conn | Exfiltration Over Alternative Protocol | TTP | Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware | 2025-05-02
Protocol or Port Mismatch |  | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly | Command And Control, Prohibited Traffic Allowed or Protocol Mismatch | 2025-05-02
Protocols passing authentication in cleartext |  | N/A | Anomaly | Use of Cleartext Protocols | 2025-05-02
Remote Desktop Network Traffic | Zeek Conn | Remote Desktop Protocol | Anomaly | Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware | 2025-05-02
Rundll32 DNSQuery | Sysmon EventID 22 | Rundll32 | TTP | IcedID, Living Off The Land | 2025-05-02
SMB Traffic Spike |  | SMB/Windows Admin Shares | Anomaly | DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware | 2025-05-02
SMB Traffic Spike - MLTK |  | SMB/Windows Admin Shares | Anomaly | DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware | 2025-05-02
SSL Certificates with Punycode |  | Encrypted Channel | Hunting | OpenSSL CVE-2022-3602 | 2025-05-02
Suspicious Process DNS Query Known Abuse Web Services | Sysmon EventID 22 | Visual Basic | TTP | Cactus Ransomware, Data Destruction, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate | 2025-05-02
Suspicious Process With Discord DNS Query | Sysmon EventID 22 | Visual Basic | Anomaly | Cactus Ransomware, Data Destruction, PXA Stealer, WhisperGate | 2025-05-02
TOR Traffic | Palo Alto Network Traffic | Multi-hop Proxy | TTP | Command And Control, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware | 2025-05-02
Wermgr Process Connecting To IP Check Web Services | Sysmon EventID 22 | IP Addresses | TTP | Trickbot | 2025-05-02
Windows Abused Web Services | Sysmon EventID 22 | Web Service | TTP | CISA AA24-241A, NjRAT | 2025-05-02
Windows AD Replication Service Traffic |  | DCSync, Rogue Domain Controller | TTP | Sneaky Active Directory Persistence Tricks | 2025-05-02
Windows AD Rogue Domain Controller Network Activity |  | Rogue Domain Controller | TTP | Sneaky Active Directory Persistence Tricks | 2025-05-02
Windows DNS Query Request by Telegram Bot API | Sysmon EventID 22 | DNS, Bidirectional Communication | Anomaly | Crypto Stealer | 2025-05-02
Windows Gather Victim Network Info Through Ip Check Web Services | Sysmon EventID 22 | IP Addresses | Hunting | Azorult, DarkCrystal RAT, Handala Wiper, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Snake Keylogger, Water Gamayun | 2025-05-02
Windows Multi hop Proxy TOR Website Query | Sysmon EventID 22 | Mail Protocols | Anomaly | AgentTesla | 2025-05-02
Windows Remote Desktop Network Bruteforce Attempt | Sysmon EventID 3 | Password Guessing | Anomaly | Compromised User Account, Ryuk Ransomware, SamSam Ransomware | 2025-05-02
Windows Spearphishing Attachment Connect To None MS Office Domain | Sysmon EventID 22 | Spearphishing Attachment | Hunting | AsyncRAT, Spearphishing Attachments | 2025-05-02
Zeek x509 Certificate with Punycode |  | Encrypted Channel | Hunting | OpenSSL CVE-2022-3602 | 2025-05-02
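The table lists "DNS Query Length With High Standard Deviation" (data source Sysmon EventID 22, type Anomaly) without showing what the statistic looks like on real records. The following is an added example written for this page; it is not the Splunk search and not code from the Splunk Security Content project. It groups constructed Sysmon Event ID 22 (DnsQuery) records by host, computes the population standard deviation of query-name lengths per host, and flags hosts whose spread is unusually wide, which is the pattern DNS tunnelling produces when variable-size encoded chunks ride in the query name. The hostnames, process images, domain names, and the MIN_EVENTS and STDEV_THRESHOLD values are all assumptions for the example, and the low-sample host ws03 shows why a minimum event count belongs in the check.

```python
"""Added example for the "DNS Query Length With High Standard Deviation" row.
Not the Splunk search itself; all records and thresholds below are constructed."""
import statistics
from collections import defaultdict

# Constructed Sysmon Event ID 22 records, reduced to the fields this check uses.
# ws01: ordinary browsing. ws02: short control queries mixed with long
# base32-looking labels under one parent domain. ws03: too few events to score.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": "C:\\Program Files\\Browser\\browser.exe", "QueryName": "www.example.com"},
    {"Computer": "ws01", "Image": "C:\\Program Files\\Browser\\browser.exe", "QueryName": "login.microsoftonline.com"},
    {"Computer": "ws01", "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "update.example.org"},
    {"Computer": "ws01", "Image": "C:\\Program Files\\Mail\\mail.exe", "QueryName": "mail.example.com"},
    {"Computer": "ws01", "Image": "C:\\Program Files\\Browser\\browser.exe", "QueryName": "cdn.example.net"},
    {"Computer": "ws01", "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "time.windows.com"},
    {"Computer": "ws02", "Image": "C:\\Program Files\\Browser\\browser.exe", "QueryName": "www.example.com"},
    {"Computer": "ws02", "Image": "C:\\Users\\Public\\agent.exe", "QueryName": "mfrggzdfmztwq2lknnwg23tpoaxgy2lnmnwc4eqcg.t.example.net"},
    {"Computer": "ws02", "Image": "C:\\Users\\Public\\agent.exe", "QueryName": "ge.t.example.net"},
    {"Computer": "ws02", "Image": "C:\\Users\\Public\\agent.exe", "QueryName": "nbswy3dpeb3w64tmmq.t.example.net"},
    {"Computer": "ws02", "Image": "C:\\Users\\Public\\agent.exe", "QueryName": "mfzgcmjr.t.example.net"},
    {"Computer": "ws02", "Image": "C:\\Users\\Public\\agent.exe", "QueryName": "onswg4tfor2ww4llnnwg2.t.example.net"},
    {"Computer": "ws03", "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "www.example.com"},
    {"Computer": "ws03", "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "mfrggzdfmztwq2lknnwg23tpoaxgy2lnmnwc4eqcg.t.example.net"},
]

MIN_EVENTS = 5          # assumed floor: a host with fewer queries is not scored
STDEV_THRESHOLD = 10.0  # assumed cut-off in characters; tune per environment


def query_length_stats(events, min_events=MIN_EVENTS, stdev_threshold=STDEV_THRESHOLD):
    """Per host: event count, mean and population stdev of QueryName length,
    the set of querying images, and whether the host crosses the threshold."""
    lengths = defaultdict(list)
    images = defaultdict(set)
    for ev in events:
        lengths[ev["Computer"]].append(len(ev["QueryName"]))
        images[ev["Computer"]].add(ev["Image"])
    stats = {}
    for host, ls in lengths.items():
        stdev = statistics.pstdev(ls) if len(ls) > 1 else 0.0
        stats[host] = {
            "count": len(ls),
            "mean": round(statistics.fmean(ls), 2),
            "stdev": round(stdev, 2),
            # Both conditions: enough samples to trust the spread, and a wide spread.
            "flagged": len(ls) >= min_events and stdev > stdev_threshold,
            "images": sorted(images[host]),
        }
    return stats


def flagged_hosts(events, **thresholds):
    """Hosts the check would raise as anomalies, sorted by name."""
    return sorted(h for h, s in query_length_stats(events, **thresholds).items() if s["flagged"])


if __name__ == "__main__":
    for host, s in query_length_stats(SAMPLE_EVENTS).items():
        mark = "ANOMALY" if s["flagged"] else "ok"
        print(f"{host}: n={s['count']} mean={s['mean']} stdev={s['stdev']} {mark} images={s['images']}")
```

On the sample, ws01 has a spread of 3.5 characters and is quiet, ws02 is flagged with a spread near 14, and ws03 has an even wider spread but only two events, so it is not scored until it reaches the minimum. On production data the same two knobs matter: raise MIN_EVENTS to keep low-volume hosts from producing noise, and pair the threshold with an allowlist of parent domains that legitimately emit long, variable names (CDNs, telemetry, anti-virus lookups) before treating a hit as exfiltration.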