SecOpsBroRdpBruteForceSuccessHydraNcrack
Detects a successful RDP connection made with the Hydra or Ncrack brute-force tools.
Source table → ids.bro.rdp
SecOpsBroWinLsatUserEnumeration
Detects actors using the MS-LSAT Remote protocol to map security identifiers (SIDs) to user accounts.
Source table → ids.bro.dce_rpc
SecOpsBroWinDceRpceServiceCall
Detects the creation or deletion of services via RPC remote administration. Actors may create or delete services to establish a stronger foothold once inside a network.
Source table → ids.bro.dce_rpc
SecOpsBroWinDceRpcSamrEnumeration
Detects actors enumerating user accounts in Active Directory via the Security Account Manager Remote Protocol (SAMR).
Source table → ids.bro.dce_rpc
SecOpsBroSmbFirstSeenShare
Detects the first SMB share seen for an entity. Adversaries may use SMB shares to transport files; while not inherently malicious, this event should be reviewed for legitimacy.
Source table → ids.bro.notice
SecOpsBroSshInteresingHostNameLogin
Detects interesting host name login events. See the Bro/Zeek reference for context on what counts as an interesting hostname.
Source table → ids.bro.notice
SecOpsBroHttpRequestSingleHeader
Detects HTTP requests that contain only a single header.
Source table → ids.bro.http
SecOpsBroSelfSignedCert
Detects servers responding on SSL or TLS services with self-signed certificates.
Source table → ids.bro.ssl