...
Detects a successful RDP connection via Hydra or Ncrack hacking tools.
Source table → ids.bro.rdp
...
| Expand | |
|---|---|
|
...
| |
Detects actors utilizing MS-LSAT Remote protocol to map security SIDs to user accounts. Source table → |
| Expand | |
|---|---|
|
...
| |
Detects |
...
servers responding via SSL or TLS services using self-signed certificates. Source table → |
| Expand | ||
|---|---|---|
| ||
Detects interesting host name login events. See Bro/Zeek reference for context around interesting hostnames. Source table → |
| Expand | ||
|---|---|---|
| ||
Remote Desktop Services Scan from one Entity to Multiple Destinations. Source table → |
...
|
| Expand | ||
|---|---|---|
| ||
Detects actors enumerating user accounts in Active Directory via Security Account Manager Remote Protocol (SAMR). Source table → |
| Expand | ||
|---|---|---|
| ||
Detects HTTP requests that contain only a single header. Source table → |
| Expand | ||
|---|---|---|
| ||
Detects the first seen SMB share for an entity. Adversaries may utilize SMB shares to transport files; while not inherently malicious, this event should be reviewed for legitimacy. Source table → |
| Expand | |
|---|---|
|
...
| |
Detects the creation or deletion of services via RPC remote administration. Actors may create/delete services to establish a greater foothold once inside a network. Source table → |
...
|
| Expand | |
|---|---|
|
...
| |
Detects |
...
Source table → ids.bro.http
...
| title | SecOpsBroSelfSignedCert |
|---|
...
a successful RDP connection via Hydra or Ncrack hacking tools. Source table → |
...
|