GitHub Repo

Network Detections

Name Data Source Technique Type Analytic Story Date
3CX Supply Chain Attack Network Indicators Sysmon EventID 22 Compromise Software Supply Chain TTP 3CX Supply Chain Attack 2025-06-10
Cisco Configuration Archive Logging Analysis Cisco IOS Logs Disable or Modify Tools Account Manipulation Web Shell Hunting Cisco Smart Install Remote Code Execution CVE-2018-0171 2025-08-21
Cisco IOS Suspicious Privileged Account Creation Cisco IOS Logs Create Account Valid Accounts Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2025-08-21
Cisco Network Interface Modifications Cisco IOS Logs Modify Authentication Process Remote Services External Remote Services Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2025-08-21
Cisco Secure Firewall - Binary File Type Download Cisco Secure Firewall Threat Defense File Event Exploitation for Client Execution Command and Scripting Interpreter Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-05-02
Cisco Secure Firewall - Bits Network Activity Cisco Secure Firewall Threat Defense Connection Event N/A Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-07-10
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint Cisco Secure Firewall Threat Defense Connection Event Code Signing Certificates Digital Certificates Web Protocols Asymmetric Cryptography TTP Cisco Secure Firewall Threat Defense Analytics 2025-05-02
Cisco Secure Firewall - Blocked Connection Cisco Secure Firewall Threat Defense Connection Event Remote System Discovery Network Service Discovery Brute Force Exploitation for Client Execution Vulnerability Scanning Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-07-10
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt Cisco Secure Firewall Threat Defense Intrusion Event Exploitation for Client Execution Command and Scripting Interpreter TTP Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777 2025-07-17
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event Remote Services Process Injection PowerShell Ingress Tool Transfer Remote Access Tools Non-Standard Port Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-05-02
Cisco Secure Firewall - Connection to File Sharing Domain Cisco Secure Firewall Threat Defense Connection Event Web Protocols External Proxy Ingress Tool Transfer Exfiltration to Cloud Storage Tool Anomaly Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters 2025-10-14
Cisco Secure Firewall - File Download Over Uncommon Port Cisco Secure Firewall Threat Defense File Event Ingress Tool Transfer Non-Standard Port Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-05-02
Cisco Secure Firewall - High EVE Threat Confidence Cisco Secure Firewall Threat Defense Connection Event Exfiltration Over C2 Channel Web Protocols Ingress Tool Transfer Asymmetric Cryptography Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-05-02
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event Exploitation for Client Execution OS Credential Dumping Application Layer Protocol Exploit Public-Facing Application Valid Accounts TTP Cisco Secure Firewall Threat Defense Analytics 2025-04-28
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Cisco Secure Firewall Threat Defense Intrusion Event Command and Scripting Interpreter Application Layer Protocol Vulnerability Scanning Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-05-02
Cisco Secure Firewall - Intrusion Events by Threat Activity Cisco Secure Firewall Threat Defense Intrusion Event Exfiltration Over C2 Channel Asymmetric Cryptography Anomaly ArcaneDoor, Cisco Secure Firewall Threat Defense Analytics 2025-09-25
Cisco Secure Firewall - Lumma Stealer Activity Cisco Secure Firewall Threat Defense Intrusion Event Exploit Public-Facing Application Exploitation of Remote Services Obfuscated Files or Information User Execution TTP Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2025-04-28
Cisco Secure Firewall - Lumma Stealer Download Attempt Cisco Secure Firewall Threat Defense Intrusion Event Exfiltration Over C2 Channel Asymmetric Cryptography Anomaly Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2025-04-26
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt Cisco Secure Firewall Threat Defense Intrusion Event Exfiltration Over C2 Channel Asymmetric Cryptography Anomaly Cisco Secure Firewall Threat Defense Analytics, Lumma Stealer 2025-04-26
Cisco Secure Firewall - Malware File Downloaded Cisco Secure Firewall Threat Defense File Event Exploitation for Client Execution Ingress Tool Transfer Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-05-02
Cisco Secure Firewall - Oracle E-Business Suite Correlation Cisco Secure Firewall Threat Defense Intrusion Event Exploit Public-Facing Application TTP Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation 2025-10-23
Cisco Secure Firewall - Oracle E-Business Suite Exploitation Cisco Secure Firewall Threat Defense Intrusion Event Exploit Public-Facing Application TTP Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation 2025-04-26
Cisco Secure Firewall - Possibly Compromised Host Cisco Secure Firewall Threat Defense Intrusion Event Exploitation for Client Execution Command and Scripting Interpreter Malware Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-05-02
Cisco Secure Firewall - Potential Data Exfiltration Cisco Secure Firewall Threat Defense Connection Event Exfiltration Over C2 Channel Exfiltration to Cloud Storage Exfiltration Over Unencrypted Non-C2 Protocol Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-05-02
Cisco Secure Firewall - Rare Snort Rule Triggered Cisco Secure Firewall Threat Defense Intrusion Event Phishing for Information Web Services Hunting Cisco Secure Firewall Threat Defense Analytics 2025-05-02
Cisco Secure Firewall - Remote Access Software Usage Traffic Cisco Secure Firewall Threat Defense Connection Event Remote Access Tools Anomaly Cisco Secure Firewall Threat Defense Analytics, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider 2025-10-14
Cisco Secure Firewall - Repeated Blocked Connections Cisco Secure Firewall Threat Defense Connection Event Remote System Discovery Network Service Discovery Brute Force Exploitation for Client Execution Vulnerability Scanning Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-07-10
Cisco Secure Firewall - Repeated Malware Downloads Cisco Secure Firewall Threat Defense File Event Ingress Tool Transfer Obfuscated Files or Information Anomaly Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware 2025-10-14
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts Cisco Secure Firewall Threat Defense Intrusion Event Ingress Tool Transfer Obfuscated Files or Information Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-05-02
Cisco Secure Firewall - Static Tundra Smart Install Abuse Cisco Secure Firewall Threat Defense Intrusion Event Exploit Public-Facing Application Exploitation of Remote Services Endpoint Denial of Service TTP Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171 2025-08-21
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity Cisco Secure Firewall Threat Defense Intrusion Event Exploit Public-Facing Application Exploitation of Remote Services PowerShell LSASS Memory TTP Cisco Secure Firewall Threat Defense Analytics 2025-04-14
Cisco Secure Firewall - Wget or Curl Download Cisco Secure Firewall Threat Defense Connection Event Cron Command and Scripting Interpreter Web Protocols Ingress Tool Transfer Anomaly Cisco Secure Firewall Threat Defense Analytics 2025-07-10
Cisco Smart Install Oversized Packet Detection Splunk Stream TCP Exploit Public-Facing Application TTP Cisco Smart Install Remote Code Execution CVE-2018-0171 2025-09-09
Cisco Smart Install Port Discovery and Status Splunk Stream TCP Exploit Public-Facing Application TTP Cisco Smart Install Remote Code Execution CVE-2018-0171, Scattered Lapsus$ Hunters 2025-10-14
Cisco SNMP Community String Configuration Changes Cisco IOS Logs Disable or Modify Tools Network Sniffing Unsecured Credentials Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2025-08-21
Cisco TFTP Server Configuration for Data Exfiltration Cisco IOS Logs Exfiltration Over Web Service Data from Local System TTP Cisco Smart Install Remote Code Execution CVE-2018-0171 2025-08-21
Detect ARP Poisoning Cisco IOS Logs Hardware Additions Network Denial of Service ARP Cache Poisoning TTP Router and Infrastructure Security 2025-10-21
Detect DGA domains using pretrained model in DSDL Domain Generation Algorithms Anomaly Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2025-05-02
Detect DNS Data Exfiltration using pretrained model in DSDL Exfiltration Over Unencrypted Non-C2 Protocol Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2025-05-02
Detect DNS Query to Decommissioned S3 Bucket Sysmon EventID 22 Data Destruction Anomaly AWS S3 Bucket Security Monitoring, Data Destruction 2025-05-02
Detect hosts connecting to dynamic domain providers Sysmon EventID 22 Drive-by Compromise TTP Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic 2025-05-02
Detect IPv6 Network Infrastructure Threats Cisco IOS Logs Hardware Additions Network Denial of Service ARP Cache Poisoning TTP Router and Infrastructure Security, Scattered Lapsus$ Hunters 2025-10-21
Detect Large ICMP Traffic Palo Alto Network Traffic Non-Application Layer Protocol TTP Backdoor Pingpong, China-Nexus Threat Activity, Command And Control 2025-05-02
Detect Outbound LDAP Traffic Cisco Secure Firewall Threat Defense Connection Event, Palo Alto Network Traffic Exploit Public-Facing Application Command and Scripting Interpreter Hunting Cisco Secure Firewall Threat Defense Analytics, Log4Shell CVE-2021-44228 2025-05-22
Detect Outbound SMB Traffic Cisco Secure Firewall Threat Defense Connection Event File Transfer Protocols TTP Cisco Secure Firewall Threat Defense Analytics, DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group 2025-06-10
Detect Port Security Violation Cisco IOS Logs Hardware Additions Network Denial of Service ARP Cache Poisoning TTP Router and Infrastructure Security 2025-10-21
Detect Remote Access Software Usage DNS Sysmon EventID 22 Remote Access Tools Anomaly CISA AA24-241A, Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider 2025-10-14
Detect Remote Access Software Usage Traffic Palo Alto Network Traffic Remote Access Tools Anomaly Command And Control, Insider Threat, Interlock Ransomware, Ransomware, Remote Monitoring and Management Software, Scattered Lapsus$ Hunters, Scattered Spider 2025-10-14
Detect Rogue DHCP Server Cisco IOS Logs Hardware Additions Network Denial of Service Adversary-in-the-Middle TTP Router and Infrastructure Security, Scattered Lapsus$ Hunters 2025-10-21
Detect SNICat SNI Exfiltration Exfiltration Over C2 Channel TTP Data Exfiltration 2025-05-02
Detect Software Download To Network Device TFTP Boot TTP Router and Infrastructure Security 2025-05-02
Detect suspicious DNS TXT records using pretrained model in DSDL Domain Generation Algorithms Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2025-05-02
Detect Traffic Mirroring Cisco IOS Logs Traffic Duplication Hardware Additions Network Denial of Service TTP Router and Infrastructure Security 2025-10-21
Detect Unauthorized Assets by MAC address N/A TTP Asset Tracking 2025-05-02
Detect Windows DNS SIGRed via Splunk Stream Exploitation for Client Execution TTP Windows DNS SIGRed CVE-2020-1350 2025-05-02
Detect Windows DNS SIGRed via Zeek Exploitation for Client Execution TTP Windows DNS SIGRed CVE-2020-1350 2025-05-02
Detect Zerologon via Zeek Exploit Public-Facing Application TTP Black Basta Ransomware, Detect Zerologon Attack, Rhysida Ransomware 2025-05-02
DNS Query Length Outliers - MLTK DNS Anomaly Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic 2025-05-02
DNS Query Length With High Standard Deviation Sysmon EventID 22 Exfiltration Over Unencrypted Non-C2 Protocol Anomaly Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic 2025-05-02
Excessive DNS Failures DNS Anomaly Command And Control, Suspicious DNS Traffic 2025-05-02
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Palo Alto Network Threat Exploit Public-Facing Application External Remote Services TTP CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388 2025-05-02
Hosts receiving high volume of network traffic from email server Remote Email Collection Anomaly Collection and Staging 2025-05-02
Internal Horizontal Port Scan AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event Network Service Discovery TTP China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Network Discovery, Scattered Lapsus$ Hunters 2025-10-14
Internal Horizontal Port Scan NMAP Top 20 AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event Network Service Discovery TTP China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Network Discovery, Scattered Lapsus$ Hunters 2025-10-14
Internal Vertical Port Scan AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event Network Service Discovery TTP China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Network Discovery, Scattered Lapsus$ Hunters 2025-10-14
Internal Vulnerability Scan Vulnerability Scanning Network Service Discovery TTP Network Discovery, Scattered Lapsus$ Hunters 2025-10-14
Large Volume of DNS ANY Queries Reflection Amplification Anomaly DNS Amplification Attacks 2025-05-02
Ngrok Reverse Proxy on Network Sysmon EventID 22 Protocol Tunneling Proxy Web Service Anomaly CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy 2025-05-02
Prohibited Network Traffic Allowed Cisco Secure Firewall Threat Defense Connection Event Exfiltration Over Alternative Protocol TTP Cisco Secure Firewall Threat Defense Analytics, Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware 2025-06-17
Protocol or Port Mismatch Cisco Secure Firewall Threat Defense Connection Event Exfiltration Over Unencrypted Non-C2 Protocol Anomaly Cisco Secure Firewall Threat Defense Analytics, Command And Control, Prohibited Traffic Allowed or Protocol Mismatch 2025-05-27
Protocols passing authentication in cleartext Cisco Secure Firewall Threat Defense Connection Event N/A Anomaly Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Use of Cleartext Protocols 2025-10-14
Remote Desktop Network Traffic Zeek Conn Remote Desktop Protocol Anomaly Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware, Windows RDP Artifacts and Defense Evasion 2025-08-07
Rundll32 DNSQuery Sysmon EventID 22 Rundll32 TTP IcedID, Living Off The Land 2025-05-02
SMB Traffic Spike SMB/Windows Admin Shares Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2025-05-02
SMB Traffic Spike - MLTK SMB/Windows Admin Shares Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2025-05-02
SSL Certificates with Punycode Encrypted Channel Hunting OpenSSL CVE-2022-3602 2025-05-02
Suspicious Process DNS Query Known Abuse Web Services Sysmon EventID 22 Visual Basic TTP Cactus Ransomware, Data Destruction, Malicious Inno Setup Loader, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate 2025-05-26
Suspicious Process With Discord DNS Query Sysmon EventID 22 Visual Basic Anomaly Cactus Ransomware, Data Destruction, PXA Stealer, WhisperGate 2025-05-02
TOR Traffic Cisco Secure Firewall Threat Defense Connection Event, Palo Alto Network Traffic Multi-hop Proxy TTP Cisco Secure Firewall Threat Defense Analytics, Command And Control, Interlock Ransomware, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware 2025-07-28
Wermgr Process Connecting To IP Check Web Services Sysmon EventID 22 IP Addresses TTP Trickbot 2025-07-16
Windows Abused Web Services Sysmon EventID 22 Web Service TTP CISA AA24-241A, Malicious Inno Setup Loader, NjRAT 2025-05-26
Windows AD Replication Service Traffic DCSync Rogue Domain Controller TTP Sneaky Active Directory Persistence Tricks 2025-05-02
Windows AD Rogue Domain Controller Network Activity Rogue Domain Controller TTP Sneaky Active Directory Persistence Tricks 2025-05-02
Windows DNS Query Request by Telegram Bot API Sysmon EventID 22 DNS Bidirectional Communication Anomaly 0bj3ctivity Stealer, Crypto Stealer 2025-08-22
Windows Gather Victim Network Info Through Ip Check Web Services Sysmon EventID 22 IP Addresses Anomaly 0bj3ctivity Stealer, Azorult, DarkCrystal RAT, Handala Wiper, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Quasar RAT, Snake Keylogger, Water Gamayun 2025-08-22
Windows Multi hop Proxy TOR Website Query Sysmon EventID 22 Mail Protocols Anomaly AgentTesla, Interlock Ransomware 2025-07-28
Windows Remote Desktop Network Bruteforce Attempt Sysmon EventID 3 Password Guessing Anomaly Compromised User Account, Ryuk Ransomware, SamSam Ransomware, Windows RDP Artifacts and Defense Evasion 2025-08-01
Windows Spearphishing Attachment Connect To None MS Office Domain Sysmon EventID 22 Spearphishing Attachment Hunting AsyncRAT, Spearphishing Attachments 2025-05-02
Zeek x509 Certificate with Punycode Encrypted Channel Hunting OpenSSL CVE-2022-3602 2025-05-02