
IDS detections


Detects actors using the MS-LSAT (Local Security Authority (Translation Methods) Remote) protocol to translate security identifiers (SIDs) into account names, typically via LsarLookupSids calls on the lsarpc interface.

Source table → ids.bro.dce_rpc

Detects servers that present self-signed certificates in SSL/TLS sessions.

Source table → ids.bro.ssl
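The following is an added example, not the page's own detection code: it picks out servers presenting self-signed certificates from Zeek ssl.log records written in JSON form. Field names follow Zeek's ssl.log with the validate-certs policy loaded (validation_status, subject, issuer, cert_chain_fuids); the sample log lines are constructed and use TEST-NET addresses.

```python
"""Added example (not the page's own code): pick out TLS servers presenting
self-signed certificates from Zeek ssl.log records in JSON form. Field names
follow Zeek's ssl.log with the validate-certs policy loaded; the sample log
lines below are constructed, not real traffic."""
import json

# OpenSSL 1.x reports "self signed certificate"; OpenSSL 3 hyphenates it.
SELF_SIGNED_STATUSES = {"self signed certificate", "self-signed certificate"}

# Constructed Zeek ssl.log lines (JSON output). S1/S2: two clients hit the same
# self-signed intranet host; S3: properly chained cert; S4: appliance with no
# validation_status but a one-cert chain issued to itself; S5: TLS 1.3, where
# the certificate is encrypted and Zeek logs no cert fields at all.
SAMPLE_SSL_LOG = """
{"ts":1700000000.0,"uid":"S1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"10.1.1.20","id.resp_p":443,"version":"TLSv12","server_name":"intranet.example.test","established":true,"cert_chain_fuids":["F1"],"subject":"CN=intranet.example.test","issuer":"CN=intranet.example.test","validation_status":"self signed certificate"}
{"ts":1700000001.0,"uid":"S2","id.orig_h":"10.0.0.6","id.orig_p":51001,"id.resp_h":"10.1.1.20","id.resp_p":443,"version":"TLSv12","server_name":"intranet.example.test","established":true,"cert_chain_fuids":["F1"],"subject":"CN=intranet.example.test","issuer":"CN=intranet.example.test","validation_status":"self signed certificate"}
{"ts":1700000002.0,"uid":"S3","id.orig_h":"10.0.0.5","id.orig_p":51002,"id.resp_h":"192.0.2.10","id.resp_p":443,"version":"TLSv12","server_name":"www.example.test","established":true,"cert_chain_fuids":["F2","F3"],"subject":"CN=www.example.test","issuer":"CN=Example Root CA","validation_status":"ok"}
{"ts":1700000003.0,"uid":"S4","id.orig_h":"10.0.0.5","id.orig_p":51003,"id.resp_h":"10.1.1.21","id.resp_p":8443,"version":"TLSv12","established":true,"cert_chain_fuids":["F4"],"subject":"CN=appliance","issuer":"CN=appliance"}
{"ts":1700000004.0,"uid":"S5","id.orig_h":"10.0.0.5","id.orig_p":51004,"id.resp_h":"10.1.1.22","id.resp_p":443,"version":"TLSv13","server_name":"api.example.test","established":true}
""".strip().splitlines()


def is_self_signed(rec):
    """True when the server's leaf certificate is its own issuer."""
    status = rec.get("validation_status")
    if status in SELF_SIGNED_STATUSES:
        return True
    if status:
        # Validation ran and produced some other verdict ("ok", unknown CA, ...):
        # a trusted self-signed root served directly comes back "ok" and is not
        # what this detection is after.
        return False
    # Fallback when validate-certs did not populate validation_status: a
    # one-certificate chain whose subject equals its issuer.
    chain = rec.get("cert_chain_fuids") or []
    subject = rec.get("subject")
    return len(chain) == 1 and subject is not None and subject == rec.get("issuer")


def detect_self_signed(lines):
    """Aggregate self-signed servers by (responder IP, port): one finding per
    server, with the clients that talked to it, rather than one per connection."""
    servers = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and Zeek TSV headers
            continue
        rec = json.loads(line)
        if not rec.get("established") or not is_self_signed(rec):
            continue
        key = (rec["id.resp_h"], rec["id.resp_p"])
        entry = servers.setdefault(key, {
            "subject": rec.get("subject"),
            "server_name": rec.get("server_name"),
            "connections": 0,
            "clients": set(),
        })
        entry["connections"] += 1
        entry["clients"].add(rec["id.orig_h"])
    return servers


if __name__ == "__main__":
    for (host, port), info in sorted(detect_self_signed(SAMPLE_SSL_LOG).items()):
        print(f"{host}:{port}  {info['subject']}  {info['connections']} conn(s) "
              f"from {len(info['clients'])} client(s)")
```

Two caveats a practitioner should keep in mind: the OpenSSL verify string changed spelling between 1.x and 3.x, so matching only one form silently drops half the hits after a sensor upgrade; and for TLS 1.3 the server certificate travels encrypted, so Zeek logs no subject, issuer or validation_status and the detection is blind to those sessions (record S5 above).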

Detects SSH logins to or from hosts whose names match Zeek's interesting_hostnames pattern (the SSH::Interesting_Hostname_Login notice raised by policy/protocols/ssh/interesting-hostnames.zeek, covering infrastructure names such as mail, dns, www and ftp servers). See the Bro/Zeek reference for the full pattern.

Source table → ids.bro.notice

Detects Remote Desktop Services (RDP) scanning: one source entity connecting to multiple destinations within a short interval.

Source table → ids.bro.rdp
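The following is an added example, not the page's own detection code: it flags sources that fan out to many RDP servers within a sliding time window, working from Zeek rdp.log records in JSON form. The threshold and window values are assumptions to tune per environment, and the sample records are generated in the block rather than taken from real traffic.

```python
"""Added example (not the page's own code): find sources that reach many
distinct RDP servers within a short window, from Zeek rdp.log records in JSON
form. Threshold and window are illustrative; the sample log is generated here
and is not real traffic."""
import json
from collections import Counter, defaultdict


def _rdp_line(ts, src, dst):
    """Build one constructed rdp.log record with the fields the detection reads."""
    return json.dumps({"ts": ts, "uid": f"R{int(ts)}{src}", "id.orig_h": src,
                       "id.orig_p": 50000, "id.resp_h": dst, "id.resp_p": 3389})


# Constructed sample: 10.0.0.99 sweeps twelve hosts in twelve seconds;
# 10.0.0.50 touches the same twelve at 15-minute intervals (an admin's day);
# 10.0.0.5 reconnects to a single server three times.
SAMPLE_RDP_LOG = (
    [_rdp_line(1700000000 + i, "10.0.0.99", f"10.0.1.{i + 1}") for i in range(12)]
    + [_rdp_line(1700000000 + 900 * i, "10.0.0.50", f"10.0.1.{i + 1}") for i in range(12)]
    + [_rdp_line(1700000000 + 60 * i, "10.0.0.5", "10.0.1.1") for i in range(3)]
)


def rdp_scan_sources(lines, threshold=10, window=300.0):
    """Return {source: sorted distinct destinations} for every source that
    contacted at least `threshold` distinct RDP servers within any span of
    `window` seconds. The destination list is the set in the window at the
    moment the threshold was first crossed."""
    events = defaultdict(list)  # source -> [(ts, destination)]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and Zeek TSV headers
            continue
        rec = json.loads(line)
        events[rec["id.orig_h"]].append((float(rec["ts"]), rec["id.resp_h"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()  # destination -> connections currently inside the window
        left = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Evict events older than `window` seconds relative to this one.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                flagged[src] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for src, dsts in rdp_scan_sources(SAMPLE_RDP_LOG).items():
        print(f"{src} reached {len(dsts)} RDP servers in one window: {', '.join(dsts)}")
```

Counting distinct destinations inside a window, rather than raw connection counts, is what separates the sweep from the administrator who legitimately visits the same dozen servers over a day or reconnects to one host repeatedly. Note also that rdp.log only carries connections where Zeek's RDP analyzer saw protocol data; a bare SYN sweep of port 3389 lands in conn.log instead and needs a separate detection there.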

Detects actors enumerating user accounts in Active Directory via the Security Account Manager Remote Protocol (MS-SAMR), for example SamrEnumerateUsersInDomain calls on the samr interface.

Source table → ids.bro.dce_rpc
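Both dce_rpc detections on this page (the MS-LSAT SID-to-account lookups and the SAMR account enumeration) key on the same two fields of Zeek's dce_rpc.log, so the following added example covers both. It is not the page's own detection code; the endpoint and operation names are assumed to match Zeek's dce_rpc constants, and the sample log lines are constructed.

```python
"""Added example (not the page's own code): flag MS-LSAT SID lookups and
MS-SAMR account enumeration in Zeek dce_rpc.log records written in JSON form.
Endpoint and operation names are assumed to follow Zeek's dce_rpc constants;
the sample log lines below are constructed, not real traffic."""
import json
from collections import defaultdict

# MS-LSAT: SID -> account name translation on the lsarpc interface.
LSAT_SID_LOOKUPS = {"LsarLookupSids", "LsarLookupSids2", "LsarLookupSids3"}
# MS-SAMR: bulk enumeration of users, groups and aliases in a domain.
SAMR_ENUMERATION = {
    "SamrEnumerateUsersInDomain",
    "SamrEnumerateGroupsInDomain",
    "SamrEnumerateAliasesInDomain",
    "SamrQueryDisplayInformation",
}

# Constructed Zeek dce_rpc.log lines (JSON output). 10.0.0.5 performs two SID
# lookups and one user enumeration against the DC 10.0.0.10; 10.0.0.7 lists
# shares and opens a SAMR handle, neither of which is enumeration by itself.
SAMPLE_DCE_RPC_LOG = """
{"ts":1700000000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":49152,"id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"lsarpc","operation":"LsarLookupSids"}
{"ts":1700000000.2,"uid":"C2","id.orig_h":"10.0.0.5","id.orig_p":49152,"id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"lsarpc","operation":"LsarLookupSids3"}
{"ts":1700000001.0,"uid":"C3","id.orig_h":"10.0.0.5","id.orig_p":49153,"id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"samr","operation":"SamrEnumerateUsersInDomain"}
{"ts":1700000002.0,"uid":"C4","id.orig_h":"10.0.0.7","id.orig_p":50000,"id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"srvsvc","operation":"NetrShareEnum"}
{"ts":1700000003.0,"uid":"C5","id.orig_h":"10.0.0.7","id.orig_p":50001,"id.resp_h":"10.0.0.10","id.resp_p":445,"endpoint":"samr","operation":"SamrConnect5"}
""".strip().splitlines()


def classify(rec):
    """Name the detection one dce_rpc record matches, or return None."""
    endpoint, operation = rec.get("endpoint"), rec.get("operation")
    if endpoint == "lsarpc" and operation in LSAT_SID_LOOKUPS:
        return "lsat_sid_to_account"
    if endpoint == "samr" and operation in SAMR_ENUMERATION:
        return "samr_account_enumeration"
    return None


def detect(lines, min_hits=1):
    """Count matching operations per (source host, detection) and return the
    pairs that reach min_hits; raise min_hits to drop one-off lookups that
    domain members and admin tools make routinely."""
    hits = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and Zeek TSV headers
            continue
        rec = json.loads(line)
        name = classify(rec)
        if name is not None:
            hits[(rec["id.orig_h"], name)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for (src, name), n in sorted(detect(SAMPLE_DCE_RPC_LOG).items()):
        print(f"{src}  {name}  {n} call(s)")
```

Domain controllers, file servers resolving ACL entries and administrative tools all issue LsarLookupSids legitimately, so in practice the source host is baselined (or DCs and management hosts are excluded) and min_hits is raised before this is promoted from a hunting query to an alert.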