Network Detections

Name Data Source Technique Type Analytic Story Date
Prohibited Network Traffic Allowed Cisco Secure Firewall Threat Defense Connection Event T1048 TTP Cisco Secure Firewall Threat Defense Analytics, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware, Command And Control 2026-05-13
3CX Supply Chain Attack Network Indicators Sysmon EventID 22 T1195.002 TTP 3CX Supply Chain Attack 2026-05-13
Windows Multi hop Proxy TOR Website Query Sysmon EventID 22 T1071.003 Anomaly AgentTesla, Interlock Ransomware 2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Correlation Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation 2026-05-13
Internal Horizontal Port Scan NMAP Top 20 Cisco Secure Firewall Threat Defense Connection Event, AWS CloudWatchLogs VPCflow T1046 TTP Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, China-Nexus Threat Activity, Network Discovery 2026-05-13
HTTP RMM User Agent Suricata T1071.001 T1219 Anomaly Remote Monitoring and Management Software, Suspicious User Agents 2026-05-13
Windows Remote Desktop Network Bruteforce Attempt Sysmon EventID 3, Cisco Secure Access Firewall T1110.001 Anomaly Ryuk Ransomware, Windows RDP Artifacts and Defense Evasion, Cisco Secure Access Analytics, Compromised User Account, SamSam Ransomware 2026-05-13
HTTP Malware User Agent Suricata T1071.001 TTP Lumma Stealer, RedLine Stealer, Meduza Stealer, Lokibot, Suspicious User Agents, Crypto Stealer 2026-05-13
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
DNS Query Length With High Standard Deviation Sysmon EventID 22 T1048.003 Anomaly Hidden Cobra Malware, Command And Control, Suspicious DNS Traffic 2026-05-13
Cisco SA - Automated Web Reconnaissance via HTTP Access Errors Cisco Secure Access Proxy T1595 Anomaly Cisco Secure Access Analytics 2026-06-09
Wermgr Process Connecting To IP Check Web Services Sysmon EventID 22 T1590.005 TTP Trickbot 2026-05-13
Cisco SD-WAN - Peering Activity Cisco SD-WAN NTCE 1000001 T1190 Hunting Cisco Catalyst SD-WAN Analytics 2026-05-13
Cisco Secure Firewall - Bits Network Activity Cisco Secure Firewall Threat Defense Connection Event N/A Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Remote Desktop Network Traffic Zeek Conn T1021.001 Anomaly Active Directory Lateral Movement, Ryuk Ransomware, Hidden Cobra Malware, Windows RDP Artifacts and Defense Evasion, SamSam Ransomware 2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
HTTP C2 Framework User Agent Suricata T1071.001 TTP Tuoni, Malicious PowerShell, Spearphishing Attachments, Suspicious User Agents, Cobalt Strike, Brute Ratel C4, Meterpreter, BishopFox Sliver Adversary Emulation Framework 2026-05-13
Detect Remote Access Software Usage DNS Sysmon EventID 22 T1219 Anomaly Interlock Ransomware, Remote Monitoring and Management Software, Insider Threat, CISA AA24-241A, Scattered Lapsus$ Hunters, Ransomware, Scattered Spider, Command And Control 2026-05-13
Cisco Secure Firewall - Blocked Connection Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Large ICMP Traffic Palo Alto Network Traffic, Cisco Secure Access Firewall T1095 TTP Backdoor Pingpong, China-Nexus Threat Activity, Command And Control, Cisco Secure Access Analytics 2026-05-13
Cisco Secure Firewall - Privileged Command Execution via HTTP Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1505.003 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
HTTP PUA User Agent Suricata T1071.001 Anomaly Local Privilege Escalation With KrbRelayUp, Cactus Ransomware, BlackSuit Ransomware, Suspicious User Agents 2026-05-13
Cisco Secure Firewall - React Server Components RCE Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP React2Shell 2026-05-13
Cisco Secure Firewall - Intrusion Events by Threat Activity Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, ArcaneDoor 2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports Cisco Secure Firewall Threat Defense Connection Event T1021 T1055 T1059.001 T1105 T1219 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect DNS Query to Decommissioned S3 Bucket Sysmon EventID 22 T1485 Anomaly AWS S3 Bucket Security Monitoring, Data Destruction 2026-05-13
Detect ARP Poisoning Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security 2026-05-13
Internal Horizontal Port Scan Cisco Secure Firewall Threat Defense Connection Event, AWS CloudWatchLogs VPCflow T1046 TTP Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, China-Nexus Threat Activity, Network Discovery 2026-05-13
Cisco Secure Firewall - Repeated Blocked Connections Cisco Secure Firewall Threat Defense Connection Event T1018 T1046 T1110 T1203 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Smart Install Oversized Packet Detection Splunk Stream TCP T1190 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Smart Install Port Discovery and Status Splunk Stream TCP T1190 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171, Scattered Lapsus$ Hunters 2026-05-13
Cisco Secure Firewall - Potential Data Exfiltration Cisco Secure Firewall Threat Defense Connection Event T1041 T1048.003 T1567.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
TOR Traffic Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event T1090.003 TTP Cisco Secure Firewall Threat Defense Analytics, Interlock Ransomware, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware, NOBELIUM Group, Command And Control 2026-05-13
Cisco TFTP Server Configuration for Data Exfiltration Cisco IOS Logs T1005 T1567 TTP Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Zeek x509 Certificate with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity Cisco SD-WAN Service Proxy Access Logs T1190 TTP Cisco Catalyst SD-WAN Analytics 2026-05-13
SSL Certificates with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2026-05-13
Detect Software Download To Network Device T1542.005 TTP Router and Infrastructure Security 2026-05-13
Cisco SD-WAN - Low Frequency Rogue Peer Cisco SD-WAN NTCE 1000001 T1190 Anomaly Cisco Catalyst SD-WAN Analytics 2026-05-13
Detect Zerologon via Zeek T1190 TTP Rhysida Ransomware, Detect Zerologon Attack, Black Basta Ransomware 2026-05-13
Detect SNICat SNI Exfiltration T1041 TTP Data Exfiltration 2026-05-13
Cisco Secure Firewall - Remote Access Software Usage Traffic Cisco Secure Firewall Threat Defense Connection Event T1219 Anomaly Cisco Secure Firewall Threat Defense Analytics, Interlock Ransomware, Remote Monitoring and Management Software, Insider Threat, Scattered Lapsus$ Hunters, Ransomware, Scattered Spider, Command And Control 2026-05-13
Protocols passing authentication in cleartext Cisco Secure Firewall Threat Defense Connection Event N/A Anomaly Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, Use of Cleartext Protocols 2026-05-13
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Palo Alto Network Threat T1133 T1190 TTP F5 BIG-IP Vulnerability CVE-2022-1388, CISA AA24-241A 2026-05-13
Cisco Secure Firewall - Malware File Downloaded Cisco Secure Firewall Threat Defense File Event T1105 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Internal Vulnerability Scan T1046 T1595.002 TTP Scattered Lapsus$ Hunters, Network Discovery 2026-05-13
Windows DNS Query Request by Telegram Bot API Sysmon EventID 22 T1071.004 T1102.002 Anomaly Phantom Stealer, VIP Keylogger, BlankGrabber Stealer, 0bj3ctivity Stealer, Crypto Stealer 2026-06-25
Cisco Secure Firewall - Static Tundra Smart Install Abuse Cisco Secure Firewall Threat Defense Intrusion Event T1190 T1210 T1499 TTP Cisco Secure Firewall Threat Defense Analytics, Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Suspicious Process With Discord DNS Query Sysmon EventID 22 T1059.005 Anomaly Phantom Stealer, Data Destruction, BlankGrabber Stealer, Cactus Ransomware, WhisperGate, PXA Stealer 2026-06-25
Cisco Configuration Archive Logging Analysis Cisco IOS Logs T1098 T1505.003 T1685 Hunting Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1573.002 T1587.002 T1588.004 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Rundll32 DNSQuery Sysmon EventID 22 T1218.011 TTP Living Off The Land, IcedID 2026-05-13
Detect Remote Access Software Usage Traffic Palo Alto Network Traffic T1219 Anomaly Interlock Ransomware, Remote Monitoring and Management Software, Insider Threat, Scattered Lapsus$ Hunters, Ransomware, Scattered Spider, Command And Control 2026-05-13
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1203 TTP Cisco Secure Firewall Threat Defense Analytics, Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777 2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity T1021.004 T1078 T1136 Correlation Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Detect Rogue DHCP Server Cisco IOS Logs T1200 T1498 T1557 TTP Scattered Lapsus$ Hunters, Router and Infrastructure Security 2026-05-13
Cisco Secure Firewall - Lumma Stealer Download Attempt Cisco Secure Firewall Threat Defense Intrusion Event T1041 T1573.002 Anomaly Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification Cisco Secure Firewall Threat Defense Intrusion Event T1003 T1071 T1078 T1190 T1203 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Rare Snort Rule Triggered Cisco Secure Firewall Threat Defense Intrusion Event T1583.006 T1598 Hunting Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Gather Victim Network Info Through Ip Check Web Services Sysmon EventID 22 T1590.005 Anomaly PXA Stealer, Meduza Stealer, Quasar RAT, Snake Keylogger, BlankGrabber Stealer, 0bj3ctivity Stealer, VIP Keylogger, Handala Wiper, Water Gamayun, DarkCrystal RAT, Phemedrone Stealer, Castle RAT, Void Manticore, Azorult 2026-05-13
Internal Vertical Port Scan Cisco Secure Firewall Threat Defense Connection Event, AWS CloudWatchLogs VPCflow T1046 TTP Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters, China-Nexus Threat Activity, Network Discovery 2026-05-13
Cisco IOS Suspicious Privileged Account Creation Cisco IOS Logs T1078 T1136 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Suspicious Process DNS Query Known Abuse Web Services Sysmon EventID 22 T1059.005 TTP Malicious Inno Setup Loader, Meduza Stealer, Braodo Stealer, Snake Keylogger, RedLine Stealer, Data Destruction, BlankGrabber Stealer, Cactus Ransomware, WhisperGate, PXA Stealer, Phemedrone Stealer, Remcos 2026-05-13
Cisco Secure Firewall - High EVE Threat Confidence Cisco Secure Firewall Threat Defense Connection Event T1041 T1071.001 T1105 T1573.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Repeated Malware Downloads Cisco Secure Firewall Threat Defense File Event T1027 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics, Hellcat Ransomware 2026-05-13
Windows AD Replication Service Traffic T1003.006 T1207 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Cisco Secure Firewall - SSH Connection to Non-Standard Port Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13
Windows AD Rogue Domain Controller Network Activity T1207 TTP Sneaky Active Directory Persistence Tricks 2026-05-13
Cisco Network Interface Modifications Cisco IOS Logs T1021 T1133 T1556 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Wget or Curl Download Cisco Secure Firewall Threat Defense Connection Event T1053.003 T1059 T1071.001 T1105 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Abused Web Services Sysmon EventID 22 T1102 Anomaly NjRAT, Malicious Inno Setup Loader, CISA AA24-241A, BlankGrabber Stealer 2026-05-13
Detect Port Security Violation Cisco IOS Logs T1200 T1498 T1557.002 TTP Router and Infrastructure Security 2026-05-13
Large Volume of DNS ANY Queries T1498.002 Anomaly DNS Amplification Attacks 2026-05-13
Ngrok Reverse Proxy on Network Sysmon EventID 22 T1090 T1102 T1572 Anomaly CISA AA24-241A, CISA AA22-320A, Reverse Network Proxy 2026-05-13
Detect Windows DNS SIGRed via Zeek T1203 TTP Windows DNS SIGRed CVE-2020-1350 2026-05-13
Detect hosts connecting to dynamic domain providers Sysmon EventID 22 T1189 TTP DNS Hijacking, Dynamic DNS, Suspicious DNS Traffic, Prohibited Traffic Allowed or Protocol Mismatch, Data Protection, Command And Control 2026-05-13
Cisco Secure Firewall - File Download Over Uncommon Port Cisco Secure Firewall Threat Defense File Event T1105 T1571 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity Cisco Secure Firewall Threat Defense Intrusion Event T1003.001 T1059.001 T1190 T1210 TTP Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Protocol or Port Mismatch Cisco Secure Firewall Threat Defense Connection Event T1048.003 Anomaly Cisco Secure Firewall Threat Defense Analytics, Prohibited Traffic Allowed or Protocol Mismatch, Command And Control 2026-05-13
Detect Outbound SMB Traffic Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Access Firewall T1071.002 TTP Cisco Secure Firewall Threat Defense Analytics, DHS Report TA18-074A, Hidden Cobra Malware, Cisco Secure Access Analytics, NOBELIUM Group 2026-05-13
Detect Unauthorized Assets by MAC address N/A TTP Asset Tracking 2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Exploitation Cisco Secure Firewall Threat Defense Intrusion Event T1190 TTP Cisco Secure Firewall Threat Defense Analytics, Oracle E-Business Suite Exploitation 2026-05-13
Cisco Secure Firewall - Binary File Type Download Cisco Secure Firewall Threat Defense File Event T1059 T1203 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect Traffic Mirroring Cisco IOS Logs T1020.001 T1200 T1498 TTP Router and Infrastructure Security 2026-05-13
DNS Kerberos Coercion Sysmon EventID 22, Suricata T1071.004 T1187 T1557.001 TTP Suspicious DNS Traffic, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS, Compromised Windows Host 2026-05-13
Cisco Secure Firewall - Possibly Compromised Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1203 T1587.001 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Cisco Secure Firewall - Connection to File Sharing Domain Cisco Secure Firewall Threat Defense Connection Event T1071.001 T1090.002 T1105 T1567.002 T1588.002 Anomaly Cisco Secure Firewall Threat Defense Analytics, Scattered Lapsus$ Hunters 2026-05-13
Excessive DNS Failures T1071.004 Anomaly Suspicious DNS Traffic, Command And Control 2026-05-13
Cisco SNMP Community String Configuration Changes Cisco IOS Logs T1040 T1552 T1685 Anomaly Cisco Smart Install Remote Code Execution CVE-2018-0171 2026-05-13
Cisco Secure Firewall - Lumma Stealer Activity Cisco Secure Firewall Threat Defense Intrusion Event T1027 T1190 T1204 T1210 TTP Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Windows Spearphishing Attachment Connect To None MS Office Domain Sysmon EventID 22 T1566.001 Hunting AsyncRAT, MuddyWater, Spearphishing Attachments 2026-05-13
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity Cisco SD-WAN Service Proxy Access Logs T1595 Hunting Cisco Catalyst SD-WAN Analytics 2026-05-13
SMB Traffic Spike T1021.002 Anomaly Hidden Cobra Malware, Emotet Malware DHS Report TA18-201A, Ransomware, DHS Report TA18-074A 2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Cisco Secure Firewall Threat Defense Intrusion Event T1059 T1071 T1595.002 Anomaly Cisco Secure Firewall Threat Defense Analytics 2026-05-13
Detect IPv6 Network Infrastructure Threats Cisco IOS Logs T1200 T1498 T1557.002 TTP Scattered Lapsus$ Hunters, Router and Infrastructure Security 2026-05-13
Hosts receiving high volume of network traffic from email server T1114.002 Anomaly Collection and Staging 2026-05-13
Cisco SA - Access to Anonymizer Services Cisco Secure Access DNS T1090.003 Anomaly Cisco Secure Access Analytics 2026-06-09
Detect Windows DNS SIGRed via Splunk Stream T1203 TTP Windows DNS SIGRed CVE-2020-1350 2026-05-13
Detect Outbound LDAP Traffic Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Access Firewall T1059 T1190 Hunting Cisco Secure Firewall Threat Defense Analytics, Cisco Secure Access Analytics, Log4Shell CVE-2021-44228 2026-05-13
Cisco Secure Firewall - SSH Connection to sshd_operns Cisco Secure Firewall Threat Defense Intrusion Event T1021.004 Anomaly Cisco Secure Firewall Threat Defense Analytics, Salt Typhoon 2026-05-13