
IDS detections

Detects a successful RDP connection made by the Hydra or Ncrack password brute-forcing tools.

Source table → ids.bro.rdp

Detects actors using the MS-LSAT Remote Protocol to map security identifiers (SIDs) to user accounts.

Source table → ids.bro.dce_rpc

Detects the creation or deletion of services via RPC remote administration (the Service Control Manager interface). Adversaries may create or delete services to establish a greater foothold once inside a network.

Source table → ids.bro.dce_rpc

Detects actors enumerating user accounts in Active Directory via the Security Account Manager Remote Protocol (SAMR).

Source table → ids.bro.dce_rpc
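The three detections above all read the same source table, ids.bro.dce_rpc, and differ only in which RPC endpoint and operation they match. The following is an added example, not the detection code behind this page: it parses a handful of constructed Zeek dce_rpc.log lines (no real traffic) and applies the three rules. The endpoint and operation names (lsarpc/LsarLookupSids, svcctl/CreateServiceW and DeleteService, samr/SamrEnumerateUsersInDomain) are assumptions modelled on Zeek's DCE-RPC operation naming; confirm them against the operation values your sensor actually emits before relying on them.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Column order of Zeek's dce_rpc.log, the page's ids.bro.dce_rpc table.
DCE_RPC_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "rtt", "named_pipe", "endpoint", "operation",
]

# Detection rules: (rule name, RPC endpoint, operations that fire the rule).
# Operation names are assumptions based on Zeek's naming; verify on your sensor.
RULES: List[Tuple[str, str, set]] = [
    ("MS-LSAT SID to account mapping", "lsarpc",
     {"LsarLookupSids", "LsarLookupSids2", "LsarLookupSids3"}),
    ("Remote service create/delete", "svcctl",
     {"CreateServiceA", "CreateServiceW", "DeleteService"}),
    ("SAMR user enumeration", "samr",
     {"SamrEnumerateUsersInDomain", "SamrQueryDisplayInformation"}),
]

# Constructed sample log (not captured traffic). Includes Zeek header lines,
# three hits, one harmless svcctl call and one srvsvc call that no rule matches.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\t" + "\t".join(DCE_RPC_FIELDS),
    "1700000000.10\tC1a\t10.0.0.5\t49211\t10.0.0.10\t445\t0.001\t\\pipe\\lsarpc\tlsarpc\tLsarLookupSids",
    "1700000000.20\tC1b\t10.0.0.5\t49212\t10.0.0.10\t445\t0.001\t\\pipe\\svcctl\tsvcctl\tOpenSCManagerW",
    "1700000000.21\tC1b\t10.0.0.5\t49212\t10.0.0.10\t445\t0.001\t\\pipe\\svcctl\tsvcctl\tCreateServiceW",
    "1700000000.30\tC1c\t10.0.0.5\t49213\t10.0.0.10\t445\t0.001\t\\pipe\\samr\tsamr\tSamrEnumerateUsersInDomain",
    "1700000000.40\tC1d\t10.0.0.7\t49300\t10.0.0.10\t445\t0.001\t\\pipe\\srvsvc\tsrvsvc\tNetrShareEnum",
    "1700000000.50\tC1e\t10.0.0.7\t49301\t10.0.0.10\t445\t0.001\t\\pipe\\svcctl\tsvcctl\tDeleteService",
])


def parse_dce_rpc(log_text: str) -> List[Dict[str, str]]:
    """Parse tab-separated dce_rpc.log lines into dicts, skipping '#' header/footer lines."""
    records = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(DCE_RPC_FIELDS):
            continue  # malformed line; a production pipeline would count and surface these
        records.append(dict(zip(DCE_RPC_FIELDS, values)))
    return records


def detect(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply RULES to each record; one alert per matching (record, rule) pair."""
    alerts = []
    for rec in records:
        for name, endpoint, ops in RULES:
            if rec["endpoint"] == endpoint and rec["operation"] in ops:
                alerts.append({
                    "rule": name,
                    "uid": rec["uid"],
                    "src": rec["id.orig_h"],
                    "dst": rec["id.resp_h"],
                    "operation": rec["operation"],
                })
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Dict[Tuple[str, str], int]:
    """Count alerts per (source host, rule) so a triager sees who is doing what."""
    return dict(Counter((a["src"], a["rule"]) for a in alerts))


if __name__ == "__main__":
    hits = detect(parse_dce_rpc(SAMPLE_LOG))
    for a in hits:
        print(f"{a['rule']}: {a['src']} -> {a['dst']} ({a['operation']}, uid {a['uid']})")
    print(summarize(hits))
```

Matching on endpoint as well as operation matters: the same operation name can appear under several interfaces, and an unset operation is logged as "-", which never matches a rule. The per-host summary is what a triager would pivot on, since a single host issuing LSAT lookups, SAMR enumeration and service creation in sequence is a much stronger signal than any one event alone.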

Detects the first time an SMB share is seen for an entity. Adversaries may use SMB shares to move files; while not inherently malicious, this event should be reviewed for legitimacy.

Source table → ids.bro.notice