Alert Pack: Command and Control (MITRE ATT&CK Tactic TA0011)
Purpose
This alert pack brings our SecOps-related content to our non-SecOps customers and helps jump-start threat coverage. It contains a set of detections that alert when an attacker is using common MITRE ATT&CK Command and Control techniques: the channels an adversary establishes to communicate with compromised systems inside your network, typically disguised as normal traffic.
An undetected command and control channel gives an attacker a standing foothold from which to stage further actions, so these alerts provide your team with actionable information as soon as such channels are attempted.
What is Command and Control?
Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses.
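Beaconing is one observable the definition above points at: an implant checking in with its controller at a near-fixed interval, blended in among ordinary web traffic. The Python below is an added example, not part of this alert pack or its detections, that runs a simple interval-regularity check over constructed proxy access records. The record layout, hostnames, thresholds and function names are assumptions made for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy access records (not from the page or a real proxy):
# "<ISO timestamp> <source ip> <destination host> <bytes>".
# cdn.example.com is contacted roughly every 60 s with a few seconds of jitter;
# the other destinations are browsed at irregular times.
SAMPLE_PROXY_LOG = """\
2024-03-01T10:00:00 10.0.0.5 cdn.example.com 5120
2024-03-01T10:00:03 10.0.0.5 news.example.net 20480
2024-03-01T10:00:04 10.0.0.5 static.example.org 7000
2024-03-01T10:01:01 10.0.0.5 cdn.example.com 5131
2024-03-01T10:01:17 10.0.0.5 mail.example.net 14000
2024-03-01T10:01:59 10.0.0.5 cdn.example.com 5118
2024-03-01T10:02:41 10.0.0.5 news.example.net 9900
2024-03-01T10:03:00 10.0.0.5 cdn.example.com 5127
2024-03-01T10:03:12 10.0.0.5 news.example.net 33000
2024-03-01T10:04:02 10.0.0.5 cdn.example.com 5122
2024-03-01T10:04:58 10.0.0.5 static.example.org 1200
2024-03-01T10:04:59 10.0.0.5 cdn.example.com 5119
2024-03-01T10:05:30 10.0.0.5 news.example.net 8800
2024-03-01T10:05:45 10.0.0.5 news.example.net 15600
2024-03-01T10:06:00 10.0.0.5 cdn.example.com 5130
2024-03-01T10:07:01 10.0.0.5 cdn.example.com 5124
"""


def parse_proxy_log(text):
    """Parse the constructed format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def find_beacons(events, min_events=5, max_jitter_cv=0.2):
    """Flag (src, dst) pairs whose contact intervals are suspiciously regular.

    Regularity is measured as the coefficient of variation (population stdev /
    mean) of the gaps between successive contacts. Legitimate browsing produces
    widely varying gaps; a periodic check-in produces a CV close to zero.
    min_events should stay >= 3 so that at least two intervals are compared.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _size in events:
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few contacts to say anything about periodicity
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(intervals)
        if mean <= 0:
            continue  # all contacts in the same second; not a beacon pattern
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_jitter_cv:
            hits[pair] = {
                "count": len(stamps),
                "mean_interval_s": mean,
                "interval_cv": cv,
            }
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{src} -> {dst}: {info['count']} contacts, "
              f"~{info['mean_interval_s']:.0f}s apart, jitter CV {info['interval_cv']:.3f}")
```

In the sample, only the cdn.example.com pair is reported; news.example.net has enough contacts but its gaps vary too much. Treat a hit as a lead, not a verdict: update checks, telemetry and mail clients also poll on fixed schedules, so allowlist known destinations and raise max_jitter_cv if you expect implants that deliberately add jitter.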
Prerequisites
To use this alert pack, you must have the following data sources available on your domain:
network.dns
box.all.win
dns.windows
firewall.all.traffic
proxy.all.access
Open alert pack
Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find it and later manage it as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).
Use alert pack
The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.