Quick Start Security for Snowbit STA
Coralogix Extension For Snowbit STA Includes:
Dashboards - 40
Gain instantaneous visualization of all your Snowbit STA data.
Alerts - 160
Stay on top of Snowbit STA key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
STA - Health Status - No Logs From STA Tools
This alert indicates that no logs were seen from any of the connected STAs to this Coralogix account in the past 10 minutes. If this is not expected, check the status of the STAs deployed.
STA - Health Status - No Connection Logs From STA Tools
This alert indicates that no network connections were seen by the STA. This usually indicates that the mirroring configuration is not properly set. If this is not expected, check the mirroring configuration of the STAs deployed.
STA - Health Status - No DNS Logs From STA Tools
This alert indicates that no DNS connections were seen by the STA. If your mirroring configuration does not block DNS traffic, check the mirroring configuration and the status of the deployed STAs.
Building Block - STA - Zeek - Multiple Unique DNS Queries Per Domain Name
This alert triggers when a host makes multiple unique DNS queries for a specific domain. The purpose is to detect C2 communication over DNS. It is based on the technique in which threat actors make the infected machine communicate with their registered domain over DNS: the infected machine sends details to the C2 server inside DNS queries, so the queries themselves carry unusual resource records. For example, a malicious FQDN will look like "base64-encodedstring.evil.com". This results in multiple such unique DNS queries from the infected host.
STA - Building Block - C2 Connectivity - Unusual TOR Activity
Connection attempts from Tor network (https://en.wikipedia.org/wiki/Tor_(network)) nodes to publicly accessible servers are unfortunately common. This alert will fire only if the number of such attempts is higher than normal. If this alert fires, it is recommended that the IPs involved be inspected (which connections from/to the organization involved them, what data was received/sent from/to them) and, if possible, blocked at the gateway for several hours (IPs can change if they are DHCP-based or behind NAT).
Building Block - STA - Zeek - Connections From Blacklisted IPs
This alert triggers whenever connections are made from a blacklisted IP. Please fine-tune the threshold value as per your business requirements to limit potential false positives.
STA - Building Block - Reconnaissance - Unusual Reconnaissance Activity Detected
Reconnaissance attempts on publicly accessible servers are unfortunately common. This alert will fire only if the number of such attempts is higher than normal. If this alert fires, it is recommended that the IPs used be inspected (which connections from/to the organization involved them, what data was received/sent from/to them) and, if possible, blocked at the gateway for several hours (IPs can change if they are DHCP-based or behind NAT).
Building Block - STA - Zeek - DNS Query on TCP Protocol
This alert triggers whenever a DNS query is made to a domain over TCP rather than the usual UDP protocol. DNS requests over TCP are usually used for either DNS zone transfer or for transferring large quantities of data using the DNS protocol. This can be an indication of malicious activity.
STA - Health Status - S3 Config Bucket Inaccessible for write requests
This alert indicates that the STA could not upload files to its configuration S3 bucket. This is required for the VPC mirroring sessions auto-handler to work properly.
STA - Health Status - Services on the STA cannot reach the Internet to public enrichment services
This alert indicates that the STA could not connect to public enrichment services.
Building Block - STA - Zeek - Notice Log Detected
This alert triggers whenever an entry is logged in Zeek Notice logs. The correct course of action depends on the event this entry was logged for. Please see more here: https://docs.zeek.org/en/master/frameworks/notice.html
STA - Zeek - Unrecognized Software Detected
This alert triggers whenever software that was not previously seen is detected in the environment. The introduction of new and unrecognized software into an environment can have several significant security impacts.
Impact
The presence of unrecognized or unauthorized software in an environment can pose significant security risks. Key considerations:
1. Unrecognized software may be a trojan horse, appearing legitimate but containing malicious payloads such as viruses, worms, ransomware, or spyware.
2. The software might install backdoors, providing attackers with persistent access to the system and network.
3. Unrecognized software may exploit vulnerabilities to gain elevated privileges, allowing attackers to execute commands, access sensitive data, and modify system configurations.
4. Unrecognized software might perform actions that degrade system performance or cause service outages, leading to denial of service.
Mitigation
When this alert triggers, check the respective log entry, the source IP, the destination IP and the software details. Check with the administrator whether the software is legitimate and whether they are aware of it. If not, investigate whether any entries are present for the same destination IP or the same software in the Zeek Notice log and the Suricata logs. Additionally, organisations should follow these best practices:
1. Implement application whitelisting so that only approved and authorized software can run on the network.
2. Maintain an up-to-date inventory of all software installed on the network and regularly review it for unauthorized applications.
3. Implement network segmentation to contain the impact of potential breaches and restrict unauthorized communications.
4. Regularly update and patch operating systems, applications, and security software to protect against known vulnerabilities.
MITRE Tactic: TA0002
MITRE Technique: T1072
STA - Zeek - Access to a Baby Domain Detected
This alert triggers whenever a DNS query is made to a newly registered domain, also called a baby domain. "Baby domains" is a term for newly registered domain names. These domains are often very young, sometimes only a few hours or days old. They are considered "babies" in the sense that they are fresh and have not yet developed a history or reputation.
Impact
Monitoring baby domains is crucial from a security perspective for several reasons:
1. Malicious Activities
a) Phishing Attacks: Cybercriminals frequently use newly registered domains to carry out phishing attacks. These domains are less likely to be blacklisted, allowing attackers to deceive users and steal sensitive information such as login credentials, credit card details, and other personal data.
b) Malware Distribution: Attackers use baby domains to host and distribute malware. Since these domains are new, they can evade detection by traditional security measures and blacklist services, which may not have updated information on them yet.
c) Command and Control (C2) Servers: Newly registered domains are often used as command and control servers for botnets. Monitoring these domains helps in identifying and blocking communication channels used by malware to receive commands and exfiltrate data.
2. Domain Generation Algorithms (DGAs)
a) Evasion Techniques: Some malware families use Domain Generation Algorithms (DGAs) to create a large number of new domains. By monitoring baby domains, security teams can detect patterns consistent with DGA activity and preemptively block these domains, disrupting the operation of the malware.
3. DNS Tunneling and Data Exfiltration
a) Covert Channels: Baby domains can be used for DNS tunneling, a technique for bypassing network security controls to exfiltrate data. By monitoring these domains, security teams can detect and block such attempts at data theft.
Mitigation
Inspect the data that was sent to that domain. Correlate with other Zeek logs for that "uid" to check whether any files were downloaded as part of that connection, and review the types of DNS queries to further understand the intention of that DNS query. See the following link for more details on baby domains and mitigation strategies: https://unit42.paloaltonetworks.com/newly-registered-domains-malicious-abuse-by-bad-actors/
MITRE Tactic: TA0011
MITRE Technique: T1568
MITRE Sub-Technique: 002
Building Block - STA - Zeek - Unusual High Volume of DNS Requests Returned NXDOMAIN
This alert triggers whenever an unusually high number of DNS queries result in failure with the NXDOMAIN response code. A high number of NXDOMAIN response codes in DNS queries indicates that there are many requests being made for domain names that do not exist. This situation can have several implications, ranging from benign configuration issues to signs of malicious activity.
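The three Zeek DNS building blocks above (multiple unique queries per domain, DNS over TCP, and a high NXDOMAIN share) all reduce to simple aggregations over dns.log records. The following is an added illustration, not STA code: it parses a constructed tab-separated sample in Zeek's dns.log layout (reduced to the columns the checks need) and runs the three checks. The "registered domain" cut is a naive last-two-labels rule, an assumption for the example; a production version would consult the Public Suffix List. Thresholds are made up for the sample.

```python
"""Three dns.log checks over constructed Zeek-style records (added example, not STA code)."""
from collections import defaultdict

# Constructed sample in Zeek dns.log tab-separated layout, reduced to the
# columns the checks need (a real dns.log carries many more fields).
SAMPLE_DNS_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\tquery\trcode_name
1700000001.0\tCa1\t10.0.0.5\t10.0.0.2\tudp\twww.example.com\tNOERROR
1700000002.0\tCa2\t10.0.0.5\t10.0.0.2\tudp\tMFRGG.evil.example\tNOERROR
1700000003.0\tCa3\t10.0.0.5\t10.0.0.2\tudp\tMZXW6.evil.example\tNOERROR
1700000004.0\tCa4\t10.0.0.5\t10.0.0.2\tudp\tNBSWY.evil.example\tNOERROR
1700000005.0\tCa5\t10.0.0.5\t10.0.0.2\tudp\tON2XE.evil.example\tNOERROR
1700000006.0\tCa6\t10.0.0.7\t10.0.0.2\tudp\tdoesnotexist1.test\tNXDOMAIN
1700000007.0\tCa7\t10.0.0.7\t10.0.0.2\tudp\tdoesnotexist2.test\tNXDOMAIN
1700000008.0\tCa8\t10.0.0.7\t10.0.0.2\tudp\tdoesnotexist3.test\tNXDOMAIN
1700000009.0\tCa9\t10.0.0.7\t10.0.0.2\tudp\twww.example.com\tNOERROR
1700000010.0\tCb1\t10.0.0.9\t10.0.0.2\ttcp\tzone.example.com\tNOERROR
"""


def parse_dns_log(text):
    """Parse a Zeek TSV log; the '#fields' header line names the columns."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def registered_domain(fqdn):
    """Naive registered domain = last two labels (assumption for this example;
    a real implementation would use the Public Suffix List for co.uk etc.)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def unique_queries_per_domain(records, threshold=3):
    """Flag (client, registered domain) pairs with more than `threshold`
    distinct query names: the pattern of data encoded into subdomains."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["id.orig_h"], registered_domain(r["query"]))].add(r["query"].lower())
    return {key: len(names) for key, names in seen.items() if len(names) > threshold}


def nxdomain_hosts(records, min_queries=3, max_ratio=0.5):
    """Flag clients whose NXDOMAIN share exceeds `max_ratio` over at least
    `min_queries` queries (a raw count works the same way; a ratio is less noisy)."""
    total, failed = defaultdict(int), defaultdict(int)
    for r in records:
        total[r["id.orig_h"]] += 1
        if r["rcode_name"] == "NXDOMAIN":
            failed[r["id.orig_h"]] += 1
    return {h: failed[h] / total[h] for h in total
            if total[h] >= min_queries and failed[h] / total[h] > max_ratio}


def dns_over_tcp(records):
    """DNS queries carried over TCP instead of UDP (zone transfers, large payloads)."""
    return [(r["id.orig_h"], r["query"]) for r in records if r["proto"] == "tcp"]


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("unique-query bursts:", unique_queries_per_domain(recs))
    print("NXDOMAIN-heavy hosts:", nxdomain_hosts(recs))
    print("DNS over TCP:", dns_over_tcp(recs))
```

On the sample, 10.0.0.5 is flagged for four distinct names under one registered domain, 10.0.0.7 for three NXDOMAIN answers out of four queries, and 10.0.0.9 for a TCP query; against a real dns.log the thresholds would be tuned on a baseline of normal traffic.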
STA - Building Block - Initial Access - Unusual Administrator Logins
An unusual number of administrative logins (using NTLM) is often an indication of lateral movement. It is recommended that if this alert has fired, the related audit logs of the relevant machines be inspected to better understand which actions were performed by these administrative login sessions and whether these actions should be permitted in your organization.
STA - Suricata - Possible Trojan Activity Detected
This alert triggers whenever Suricata (IDS) logs an entry of the Suricata alert type 'A Network Trojan was detected', meaning Suricata has classified traffic as potential trojan activity.
Impact
A Trojan can have a wide range of detrimental impacts on a system or network:
1. Data Theft: Trojans can capture usernames, passwords, and other authentication details, leading to unauthorized access to sensitive accounts and services. They can steal personal information, such as social security numbers, credit card details, and banking information, leading to identity theft and financial loss.
2. Backdoor Installation: Trojans often install backdoors, allowing attackers to gain remote access to the infected system at any time. This enables ongoing control and exploitation of the system. Attackers can use backdoors to infiltrate and move laterally within a network, compromising additional systems and accessing sensitive data across the organization.
3. Malware Distribution: Trojans can download and install additional malicious software, such as ransomware, spyware, or adware, further compromising the infected system. Infected systems can be incorporated into a botnet, which attackers can use for coordinated activities like DDoS attacks, spam campaigns, or further spreading of malware.
Mitigation
Investigate the log for the source IP, destination IP, geolocation, and any payloads, URLs and user agents involved. Check whether this was legitimate traffic. If legitimacy cannot be verified after investigation, investigate further for malicious activity. Investigate the corresponding Zeek logs, such as the Zeek PE (portable executable) logs and Zeek files logs, using the 'community ID' present in the Suricata log, and then use the 'UID' present in the Zeek logs to further drill down into any malicious behavior.
MITRE Tactic: TA0002
MITRE Technique: T1204
MITRE Sub-Technique: 002
STA - Discovery - Source IP Is Suspected
This alert will fire whenever a source IP is found to be potentially malicious.
STA - Discovery - Destination IP is Suspected
This alert will fire whenever a destination IP is found to be potentially malicious based on Coralogix security enrichment.
STA - Lateral Movement - New Software with CVE Detected
The US National Cyber Security Division of the US Department of Homeland Security maintains a list of common vulnerabilities and exposures (a.k.a. CVE) in software and hardware products. These are available on the MITRE corporation's website here: https://cve.mitre.org/ and in the National Vulnerability Database here: https://nvd.nist.gov/. Zeek software information is enriched with the CVE data from the NVD. This alert will fire if software that wasn't seen in the previous 3 months and that has a known CVE has been detected in the network. If this alert has fired, it is recommended to read about the relevant CVEs and either decide not to use that software and uninstall it, or find a suitable mitigation plan for these vulnerabilities in the organization.
STA - Collection - NIDS alert detected
This alert will fire whenever Suricata detects an issue. The correct course of action will vary depending on the event details. See more here about Suricata alert categories: https://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf
STA - Suricata - Potential Corporate Privacy Violation
This alert triggers whenever traffic is seen to/from a domain that either is not using the usual port number for the communication or is itself suspicious in nature or a possible threat to the organization's security. For example, traffic to any torrent site may be restricted by the organization's policy, but someone attempted a connection to it and thus violated the policy. This is a new value alert: it checks for any domain that was not seen in the last 1 month.
Impact
When employees violate corporate policies by querying or accessing unauthorized domains, several significant impacts can arise. Key consequences:
1. Increased Risk of Malware Infection:
a) Malicious Downloads: Accessing unauthorized domains can lead to the unintentional download of malware, such as viruses, ransomware, and spyware. This can compromise the security of corporate systems and data.
b) Phishing Sites: Unauthorized domains may host phishing sites designed to steal credentials and other sensitive information, leading to potential breaches.
2. Data Leakage and Exfiltration:
a) Sensitive Information Exposure: Querying unauthorized domains can result in the accidental or intentional transmission of sensitive corporate information to external parties.
b) Data Harvesting: Unauthorized domains might be used to harvest data from corporate systems, leading to information leakage and potential exploitation.
3. Network Compromise:
a) Lateral Movement: Endpoints compromised by querying malicious domains can become entry points for attackers to move laterally within the corporate network, targeting other systems and data.
b) Command and Control (C2): Unauthorized domains may be part of command and control infrastructures for botnets, allowing attackers to maintain persistent control over compromised systems.
Mitigation
It is recommended to inspect the domain in question and verify whether it is needed by the organization. If not, inspect the connections from and to that domain.
MITRE Tactic: TA0011
MITRE Technique: T1071
MITRE Sub-Technique: 004
STA - Resource Development - Potentially Bad Traffic To/From a New Domain
This alert fires when Suricata detects potentially bad traffic (e.g. dir listing outputs from a web server, DNS query for suspicious TLDs) on a domain for the first time in the last 1 month. It is recommended to inspect the domain in question and verify that it is needed by the organization and if not, to inspect the connections from and to that domain (e.g. WHOIS or VirusTotal queries).
STA - Initial Access - New Service Offered by an Internal Host
This alert will fire whenever a local IP has offered to an external IP a service that was not seen in the past 3 months. If this alert fires, it is recommended either to exclude the service from the alert's query (if it is a service that is expected to be used by external clients) or to inspect the process that handled the offered service, using audit logs from the local server as well as Zeek PE and Zeek files logs to understand how that service was installed, and the actual packets to understand what types of data were exchanged using that service.
STA - Defense Evasion - New Destination Country
This alert will fire whenever a local IP has connected to a country that hasn't been seen as a destination country in the past three months. If this alert fires, it is recommended to analyze the connections to the detected country using Zeek's conn logs and/or Suricata's flow logs and related logs, to understand what types of connections were observed, what types of data were transferred, in which direction and by which service; then contact the relevant service owners and establish whether this connection is expected.
STA - Zeek - New DCE/RPC Endpoint Detected
This alert triggers when a new DCE/RPC endpoint (service) is seen on the network. This is a new value alert, so it will trigger if that endpoint wasn't seen in the past 3 months. The DCE/RPC (Distributed Computing Environment/Remote Procedure Call) protocol, developed by the Open Software Foundation (OSF), enables remote procedure calls between networked systems. It is commonly used in Microsoft Windows environments for communication between various services and components. Feel free to modify the time duration as per your business requirements to limit false positives.
Impact
Introducing a new DCE/RPC endpoint in a network can have several security impacts:
1. Increased Attack Surface: Every new endpoint introduces potential new vulnerabilities. Attackers might exploit weaknesses in the new DCE/RPC service to gain unauthorized access, execute code remotely, or cause a denial of service. Attackers can enumerate available RPC endpoints to identify new services, which might reveal valuable information about the network and its configuration.
2. Authentication and Authorization Challenges: Properly configuring and enforcing access control for the new endpoint is crucial. Failure to do so can lead to unauthorized access to sensitive functions and data. Ensuring secure authentication mechanisms (such as Kerberos) and managing credentials appropriately are essential to prevent unauthorized access.
3. Potential for Misconfiguration: New endpoints might come with default configurations that are not secure. Proper hardening and customization of settings are required to mitigate risks. Introducing new services increases the complexity of network management, which can lead to misconfigurations that might be exploited by attackers.
Mitigation
Investigate using the Zeek dce_rpc logs, locate the machine and process that host the new DCE/RPC endpoint, and determine whether it is legitimate and properly secured.
MITRE Tactic: TA0003
MITRE Technique: T1505
STA - Zeek - New DHCP Server Detected
This alert triggers when a new IP address is seen acting as a DHCP server. A DHCP (Dynamic Host Configuration Protocol) server is a network server that automatically assigns IP addresses and other network configuration parameters to devices (clients) on a network. This automation allows devices to communicate on an IP network without manual configuration. This is a new value alert: it checks whether that IP was seen as a DHCP server in the past 3 months. Feel free to modify the time duration as per your business requirements to limit false positives.
Impact
Misconfigurations in a DHCP server can have significant security impacts, affecting both the functionality and the security of a network. Potential security issues associated with DHCP misconfiguration:
1. IP Address Conflicts:
a) Network Disruptions: Incorrect IP address allocation can result in IP address conflicts, where two devices are assigned the same IP address. This leads to network connectivity issues and can disrupt services.
b) Denial of Service (DoS): Conflicting IP addresses can cause a denial of service for affected devices, preventing them from accessing network resources.
2. Exposure of Sensitive Information:
a) Incorrect DNS Server Configuration: If the DHCP server is misconfigured to provide incorrect or malicious DNS server addresses, users may be directed to fraudulent websites, leading to phishing attacks or man-in-the-middle attacks.
b) Default Gateway Misconfiguration: Incorrectly assigning a default gateway can result in network traffic being routed through an unintended or compromised device, exposing sensitive information to interception.
3. Man-in-the-Middle Attacks:
a) Rogue DHCP Servers: An attacker can set up a rogue DHCP server on the network. This rogue server can assign incorrect network configurations, redirecting traffic through the attacker's device and enabling man-in-the-middle attacks.
b) DHCP Spoofing: Attackers can use DHCP spoofing techniques to respond to DHCP requests faster than the legitimate server, causing clients to receive malicious configurations.
Mitigation
Check the source host(s) and the destination host in the Zeek DHCP log to find the hosts involved in the communication. Validate the legitimacy of the destination host. If its legitimacy cannot be confirmed, investigate further to track recent IP address assignments and identify any unusual or unauthorized activity.
MITRE Tactic: TA0003
MITRE Technique: T1505
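Both the DCE/RPC endpoint alert and the DHCP server alert above are "new value" alerts: a field value that has not been observed within a lookback window (3 months on this page) raises an alert. The following added example, not STA or Coralogix code, shows the core of such a detector with a last-seen table and a configurable lookback, run over constructed records shaped like Zeek's dce_rpc.log (the `endpoint` field) and dhcp.log (the `server_addr` field). The class and function names and the 90-day approximation of "3 months" are assumptions for this example.

```python
"""New-value detection over time-ordered Zeek-style records (added example, not STA code)."""
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=90)  # assumption: approximates the alert's "past 3 months"


class NewValueDetector:
    """Remember the last time each value of `field` was seen; a value whose last
    sighting is older than the lookback (or which was never seen) is 'new'."""

    def __init__(self, field, lookback=LOOKBACK):
        self.field = field
        self.lookback = lookback
        self.last_seen = {}

    def observe(self, record):
        """Return True if record[field] is new relative to the lookback, then
        record this sighting so the value is 'known' for the next lookback period."""
        value, ts = record[self.field], record["ts"]
        previous = self.last_seen.get(value)
        is_new = previous is None or ts - previous > self.lookback
        self.last_seen[value] = ts
        return is_new


def run_detector(field, records, lookback=LOOKBACK):
    """Feed records in time order; return the (ts, value) pairs that alerted."""
    detector = NewValueDetector(field, lookback)
    ordered = sorted(records, key=lambda r: r["ts"])
    return [(r["ts"], r[field]) for r in ordered if detector.observe(r)]


def _day(offset):
    """Constructed timestamp: `offset` days after an arbitrary baseline date."""
    return datetime(2024, 1, 1) + timedelta(days=offset)


# Constructed dce_rpc.log-like records: `endpoint` is the RPC interface name.
SAMPLE_DCE_RPC = [
    {"ts": _day(0), "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.10", "endpoint": "lsarpc"},
    {"ts": _day(1), "id.orig_h": "10.0.0.6", "id.resp_h": "10.0.0.10", "endpoint": "lsarpc"},
    {"ts": _day(2), "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.10", "endpoint": "samr"},
    # lsarpc last seen 99 days earlier: outside a 90-day lookback, so it counts as new again
    {"ts": _day(100), "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.10", "endpoint": "lsarpc"},
    {"ts": _day(101), "id.orig_h": "10.0.0.8", "id.resp_h": "10.0.0.10", "endpoint": "svcctl"},
]

# Constructed dhcp.log-like records: `server_addr` is the DHCP server that answered.
SAMPLE_DHCP = [
    {"ts": _day(0), "client_addr": "10.0.0.5", "server_addr": "10.0.0.1"},
    {"ts": _day(3), "client_addr": "10.0.0.6", "server_addr": "10.0.0.1"},
    {"ts": _day(4), "client_addr": "10.0.0.7", "server_addr": "10.0.0.250"},  # unexpected server
]


if __name__ == "__main__":
    for ts, endpoint in run_detector("endpoint", SAMPLE_DCE_RPC):
        print(f"{ts:%Y-%m-%d} new DCE/RPC endpoint: {endpoint}")
    for ts, server in run_detector("server_addr", SAMPLE_DHCP):
        print(f"{ts:%Y-%m-%d} new DHCP server: {server}")
```

The first sighting of every value alerts, which is why such detectors need a learning period before they are actionable; widening the lookback (the page's suggestion for reducing false positives) suppresses re-alerts on values that merely went quiet for a while, as the second DCE/RPC sample shows.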
STA - Exfiltration - New File MIME Type Detected
MIME is a standard originally developed for transferring files over SMTP (email), but today it is also used by other protocols (such as HTTP) to indicate the type of the file being transmitted. This alert will fire if a file of a type that wasn't seen in the past three months has been received or downloaded from outside the network and was seen by Zeek. If this alert fires, it is recommended that the file's hash be searched for in services such as VirusTotal or Malwr to see whether it has been reported there and, if possible, to find the file either on the host that ran it (using the hash mentioned in the event) or on the network by extracting it from the pcap file, and then to run it in a safe environment and also scan it with the aforementioned services.
STA - Zeek - FTP Session Observed with an External IP Address
This alert triggers whenever an FTP session is established between a local machine and an external IP address. The File Transfer Protocol (FTP) is a standard network protocol used for transferring files between a client and a server over a TCP/IP network.
Impact
Establishing an FTP session with an IP address outside of your organization can have several security impacts. Key considerations:
1. Unencrypted Data Transmission:
a) Data Interception: Traditional FTP transmits data, including usernames and passwords, in plain text. This makes it susceptible to interception by attackers, who can eavesdrop on the session and capture sensitive information.
2. Man-in-the-Middle (MitM) Attacks:
a) Data Manipulation: Without encryption, FTP sessions can be intercepted and manipulated by attackers. They can alter the data being transferred or inject malicious content into the data stream.
3. Unauthorized Access:
a) Credential Theft: If an attacker captures the FTP credentials, they can gain unauthorized access to the FTP server, potentially leading to data breaches or further attacks on the network.
b) Account Compromise: Compromised FTP credentials can be used to upload malicious files or delete critical data, disrupting operations and compromising data integrity.
4. Malware Distribution:
a) Infection of Systems: FTP sessions with external IP addresses can be used to distribute malware, infecting both the client and server systems. This can lead to widespread security incidents within the organization.
Mitigation
Check the IP address with which the session was established and, if it is unknown, block the IP at the gateway. Investigate the Zeek notice logs and insight logs to check whether any other alerts were triggered for the same internal host or the destination IP address. Also investigate the files transmitted, using the Zeek files and PE logs (if the file is an executable). Check whether similar alerts were triggered for other hosts around the same time.
MITRE Tactic: TA0011
MITRE Technique: T1071
MITRE Sub-Technique: 002
STA - C2 Connectivity - New FTP Command Used
FTP commands can also be used for many harmful activities, such as data exfiltration and ransomware. This alert will fire if Zeek or Suricata detects a new FTP command that wasn't used in the past three months.
STA - Ransomware - Many Changes to Files with Similar File Paths
Many ransomware tools will create, modify and then delete files with very similar file names (with an extension that indicates the ransomware tool).
STA - Privilege Escalation - New process running as root
Many types of malware will attempt to run new processes under the root user. This alert will trigger if a new process name that wasn't seen anywhere in the organization in the past 72 hours was detected running as root.
STA - C2 Connectivity - New FTP User Used
The FTP protocol, although originally designed to be the main protocol for transferring files over the Internet (or any network), is rarely used for that purpose nowadays. It is still sometimes used for software updates for some services, but even those are becoming less and less common. This alert will fire if Zeek detects a new FTP user that wasn't used in the past three months. If this alert fires, it is recommended to investigate what that user was used for in FTP, which hosts were involved, and which files were transferred, deleted or modified. If files were modified using that user, it is also recommended to scan them to better understand the change, or to restore them from a previous backup.
STA - Exfiltration - New HTTP Method Used
In HTTP, the HTTP_METHOD used determines whether the request is to delete, create, update or retrieve an item on/from the target system. Although the actual meaning of an HTTP method is implementation dependent, a new HTTP method that wasn't seen in the past three months, especially if no new system was recently installed, can mean that someone is trying to find out which HTTP methods are supported by the target system. This can then be used to execute unintended actions on the target system. This alert will fire if a new HTTP method that wasn't seen in the past three months has been detected. It is recommended to clone this alert to target high-profile HTTP-based systems of the organization (by adding 'AND uri:/some_uri_regex_of_target_system/' to the alert query). If this alert fires, it is recommended to inspect the user agent used, the source host and the process used, to understand whether this is expected behaviour.
STA - Credential Access - New Kerberos AS Detected
The Kerberos authentication protocol defines two types of tickets that can be passed: a ticket-granting ticket (TGT) and a ticket-granting-service (TGS) ticket; the first of these involves the authentication service (AS). In Microsoft Active Directory, this role is served by the Domain Controller. This alert will fire if a new target address for the authentication service has been seen that wasn't seen in the past three months. If this alert fires, it is recommended to investigate the mentioned address to understand whether it is a valid and authorized AS server.
STA - Zeek - New Kerberos Cipher Detected
This alert triggers when Kerberos authentication uses a cipher suite not seen before. Kerberos is a widely used network authentication protocol designed to provide strong security for authentication and communication. It relies on cryptographic ciphers to secure the data exchanged during the authentication process.
Impact
If the newly detected cipher is weaker than the previous one, the following impacts are possible:
1. Increased Risk of Cryptographic Attacks
a. Brute Force Attacks: Weaker ciphers are more susceptible to brute force attacks, where an attacker systematically tries all possible keys until the correct one is found. This can lead to the compromise of encrypted data.
b. Cryptanalysis: Advanced cryptanalytic techniques can exploit weaknesses in weaker ciphers, potentially allowing attackers to decrypt communications or forge authentication tokens.
2. Loss of Confidentiality
a. Data Exposure: If a weaker cipher is compromised, sensitive data exchanged during the Kerberos authentication process, such as user credentials and session keys, can be exposed to attackers.
b. Eavesdropping: Attackers can intercept and decrypt communications protected by weaker ciphers, gaining access to confidential information transmitted over the network.
3. Integrity Compromise
a. Message Tampering: Weaker ciphers may not provide robust mechanisms to ensure data integrity, allowing attackers to alter messages without detection.
b. Token Forgery: Attackers could forge or tamper with Kerberos tickets and authentication tokens, potentially gaining unauthorized access to network resources.
4. Authentication Bypass
a. Replay Attacks: Weaker ciphers might be more vulnerable to replay attacks, where an attacker captures a valid authentication token and reuses it to gain unauthorized access.
b. Man-in-the-Middle Attacks: Weaker ciphers can make it easier for attackers to perform man-in-the-middle attacks, intercepting and manipulating communications between the client and the Kerberos server.
5. Non-compliance with Security Standards
a. Regulatory Violations: Many security standards and regulations (e.g., GDPR, HIPAA) require the use of strong encryption to protect sensitive data. Using weaker ciphers can result in non-compliance, leading to legal and financial penalties.
b. Industry Best Practices: Deviation from industry best practices, which mandate the use of strong cryptographic algorithms, can reduce the overall security posture of an organization.
Mitigation
Check whether the new cipher is weaker than the previous one. If it is, check whether it was a genuine mistake on the administrator's side; if not, revert the change and investigate further for any other malicious actions.
MITRE Tactic: TA0005
MITRE Technique: T1600
MITRE Sub-Technique: 001
STA - Execution - Executable File Targeted at a New OS Type Was Seen
An executable file designed for an operating system that wasn't seen in the past three months can, especially in organizations that use a limited set of operating systems, indicate that a file that is not designed for this organization has been downloaded. If this alert has fired it is recommended to use Zeek's PE and Files logs, as well as audit logs from the machine that executed the file to get a better understanding of what the file was designed to do. If possible, it is recommended to scan the file in services such as VirusTotal and Malwr to understand if the file is known to be malicious and if the file's designed behaviour is allowed and expected in the organization.
STA - Resource Development - New Certificate Issuer
The number of CA companies remains pretty much fixed over time. A new certificate issuer in a certificate can mean that someone is doing what is known as SSL-stripping, that is, decrypting the data, inspecting it and then encrypting it again and sending it to the target server. If this alert fires, it is recommended to inspect the specific certificate to understand whether it should be trusted, and whether the certificate of the target website has changed to a new certificate issued by this issuer; if not, determine which equipment or computer provided it on behalf of the target website. This can be investigated by inspecting the configuration of all inline devices between the source machine and the target service/website. It is also recommended to inspect the value of security.san_dns: if it contains multiple domain names that do not appear to belong to the same organization, that can also be an indication of foul play.
Building Block - STA - Zeek - Connection to a Domain with a Suspicious Certificate Issuer
This alert triggers whenever an accessed domain has a certificate issuer that is found suspicious based on the STA's NLP analysis and looks computer generated. The purpose of this alert is to detect a C2 server that was computer generated (or DGA).
STA - Lateral Movement - New SSH Server (By Hassh)
The security.hasshServer field contains a fingerprint value that identifies the SSH server regardless of its address. This alert fires when a new SSH server was identified. If that's unexpected it is recommended to investigate that further by using audit logs or netstat outputs from the relevant instance to determine which process is hosting the server service and to scan that file with services such as VirusTotal or Malwr and Zeek PE and Files logs to determine if its behaviour is acceptable in the organization.
Building Block - STA - Zeek - Multiple SSH Connection Attempts by a Source IP
This alert triggers when multiple SSH connection attempts are made from the same source IP. Please note that for this alert, the threshold value set is more than 10 connections from the source IP within a time interval of 10 minutes. Please feel free to change the threshold value as per your business requirements.
STA - C2 Connectivity - New Tunnel Type
Tunnelling of all types has become the preferred method for attackers today to communicate with command and control servers. This alert will fire if a new type of tunnelling has been detected that hasn't been seen in the past three months. If this alert fires, it is recommended to inspect the source machine to understand what process is creating that tunnel and for what purpose. Also, it is recommended to inspect the packets in that stream to understand which types of data are being transmitted and received using that tunnel (not all types of tunnelling are also encrypted).
Building Block - STA - Zeek - Unusual Number of SNMP Set Requests Seen
This alert triggers if the number of SNMP set requests is more than the usual number. SNMP (Simple Network Management Protocol) is a widely used protocol for managing and monitoring network devices. SNMP provides capabilities to gather information from network devices, and to configure them. One of the critical functions of SNMP is the ability to perform "set" requests. SNMP set requests allow network management systems (NMS) to modify the values of specific parameters on managed devices. This capability is essential for configuration management, allowing administrators to change device settings remotely. Anomalous SNMP (Simple Network Management Protocol) set requests can have significant security impacts on a network environment. These impacts can range from unauthorized configuration changes to severe network disruptions and data breaches.
STA - Zeek - New IRC Server Detected
This alert triggers when a new destination IP is found in the IRC communications. This is a new-value alert: it is triggered whenever a new destination IP is seen (evaluated every 24 hours). The Internet Relay Chat (IRC) protocol is a real-time messaging protocol that enables communication between users in text-based chat rooms (channels) or via direct private messages. IRC was developed in the late 1980s and has been widely used for group communication and file sharing. Note: Please feel free to modify the threshold value defined in the alert condition as per your business requirements to limit the potential false positives.
Impact
Some security issues associated with the IRC protocol:
1. Unencrypted Communication: Standard IRC communication is unencrypted, making it susceptible to eavesdropping and man-in-the-middle attacks. To mitigate this, IRC can be used over SSL/TLS (typically on port 6697) for encrypted communication.
2. Spam and Abuse: IRC networks can be targets for spam, flooding, and abuse. Network administrators implement measures like user registration, channel modes, and IP bans to control these issues.
3. Botnets and Malware: IRC has been used by attackers to control botnets and distribute malware. Monitoring and security measures are essential to detect and prevent such malicious activities.
4. Identity Spoofing: Without proper authentication mechanisms, attackers can spoof identities by using the same nicknames as legitimate users. Some networks implement NickServ services to register and protect nicknames.
Mitigation
Check the source host(s) and the destination host in the Zeek IRC log to find out the hosts involved in the communication. Validate the legitimacy of the destination host. If the legitimacy cannot be confirmed, investigate further using the 'uid' field. Check if there are any entries in the zeek_files or zeek_pe (pe = portable executable) logs to find out the processes making these connection attempts.
MITRE Tactic: TA0003 MITRE Technique: T1505
STA - Zeek - Unusual Number of MySQL Login Attempts Detected
This alert triggers whenever the number of login attempts to the MySQL database server is more than the usual number within a specific time interval. MySQL, being one of the most popular relational database management systems (RDBMS), is a lucrative target for attackers.
Impact
Failed SQL login attempts can have various impacts on an organization's security. Here are the key considerations:
1. Brute Force Attacks:
a) Credential Stuffing: Repeated failed login attempts may indicate a brute force attack where attackers try multiple username and password combinations to gain unauthorized access to the database.
b) Account Lockout: Many systems have account lockout mechanisms to prevent brute force attacks. Frequent lockouts can indicate persistent attack attempts.
2. Reconnaissance and Enumeration:
a) User Enumeration: Attackers may be trying to enumerate valid usernames through failed login attempts. This can help them identify which accounts exist, making targeted attacks easier.
b) Information Gathering: Failed login attempts can provide attackers with information about the database environment, such as which authentication methods are in use and potential weaknesses.
Mitigation
Check if the user/admin is aware of the login attempts and that the requesting user is authorized to make the SQL login attempts. Also, check if there was any successful login attempt subsequently. Investigate the source IP and geo details in this case and look for any malicious alerts triggered around the same time.
MITRE Tactic: TA0006 MITRE Technique: T1110
STA - Lateral Movement - New RDP Keyboard Layout
RDP is the preferred protocol for remote control in Windows environments. In addition to simple remote desktop connectivity, this protocol also allows transferring files, audio and sharing printers. Each client indicates the keyboard layout it would like to use. By default this value would be set to the keyboard layout used by the client computer. This alert will fire if a new keyboard layout that wasn't seen in the past three months has been used in an RDP connection. This alert will require the attacker, in order to successfully hide his actions, to correctly guess the keyboard layout used by the organization in RDP connections. If this alert fires it is recommended to investigate the connection to verify that the RDP connection came from a trustworthy source.
STA - Lateral Movement - New RDP Security Protocol
RDP is the preferred protocol for remote control in Windows environments. In addition to simple remote desktop connectivity, this protocol also allows transferring files, audio and sharing printers. In each connection the client and the server agree on the security protocol that would be used. Often, an attacker will try to configure his client to ask the server to agree on an outdated security protocol that would be easier to break. This alert will fire if a security protocol that wasn't seen in the past three months has been used in an RDP connection. This alert will require the attacker, in order to successfully hide his actions, to correctly guess the security protocol used by the organization in RDP connections. If this alert fires it is recommended to investigate the connection to verify that the RDP connection came from a trustworthy source and to read about the new security protocol that has been discovered to understand if it is stronger or weaker than the one usually used.
STA - Lateral Movement - New RDP Cookie (Usually Username)
RDP is the preferred protocol for remote control in Windows environments. In addition to simple remote desktop connectivity, this protocol also allows transferring files, audio and sharing printers. This alert will fire if an RDP cookie (usually the username) that wasn't seen in the past three months has been used in an RDP connection. If this alert fires it is recommended to investigate the connection to verify that the RDP connection came from a trustworthy source and, by using audit logs, to understand which process created the new connection.
STA - Lateral Movement - New RFB Authentication Method
RFB or Remote Frame Buffer is an open, simple protocol for remote access to graphical user interfaces. This protocol is used for remote access to computers running all windowing operating systems. This protocol also allows transferring files and other advanced features. This alert will fire if a new RFB authentication method is detected.
STA - Building Block - Credential Access - Unusual Number of Failed RFB Login Attempts
RFB or Remote Frame Buffer is an open, simple protocol for remote access to graphical user interfaces. This protocol is used for remote access to computers running all windowing operating systems. This protocol also allows transferring files and other advanced features. This alert will fire if the number of failed RFB authentications is exceptionally high for the current time period. If this alert fires it is recommended to investigate the RFB clients that appeared during the alerted time frame to understand the sudden surge in the number of failed RFB authentications and find the process involved.
STA - Defense Evasion - New SIP Useragent Detected
SIP is one of the protocols that are used by most of the Voice Over IP solutions on the market. This alert will fire whenever a new user-agent (logical name identifying the type of device connected to the VOIP network) that was not previously seen in the past three months has been detected. If this alert fires, it is recommended to investigate, by using audit logs and other zeek_conn or suricata_flow logs, which device has generated these SIP connections and whether it is authorized to do so or not.
STA - C2 Connectivity - New SOCKS Proxy Username Detected
SOCKS is a de facto standard for forwarding TCP and UDP traffic today. It is used by many of the most standard tools used by a network administrator, such as OpenSSH. This alert will fire if the user specified in the SOCKS proxy authentication hasn't been seen in the past three months. If this alert fires it is recommended to verify that the user is legitimate and that the connection with that user from the specific source host from the specific executable is authorized and expected. If not, it is recommended to inspect the zeek_files logs using the hash of the executable used to understand if the relevant executable has been sent to other computers on the network.
STA - Zeek - SOCKS Proxy Session Observed with an External IP Address
This alert triggers whenever a SOCKS Proxy session is established between a local machine and an external IP address. The SOCKS (Socket Secure) proxy is a versatile proxy protocol that facilitates the routing of network packets between a client and server through a proxy server. The primary purpose of a SOCKS proxy is to relay traffic from any application that uses TCP or UDP protocols, allowing for a range of use cases such as enhanced security, privacy, and network access control.
Impact
Establishing a SOCKS proxy session with an IP address outside of your organization can have several security impacts. Here are the key considerations:
1. Data Exposure:
a) Unencrypted Traffic: SOCKS proxies do not inherently provide encryption. If sensitive data is transmitted without additional encryption (e.g., SSL/TLS), it can be intercepted and viewed by anyone who can access the data stream between the client and the proxy server.
2. Trust and Control:
a) Unknown Security Practices: When using an external SOCKS proxy, you have limited control over the security practices and infrastructure of the proxy server. This can expose your organization to risks if the proxy server is compromised or operated by a malicious entity.
b) Data Privacy: The external proxy server can log all traffic passing through it, potentially capturing sensitive information such as login credentials, personal data, and proprietary information.
3. Man-in-the-Middle (MitM) Attacks:
a) Interception and Manipulation: An external proxy server could be used to perform MitM attacks, intercepting and potentially modifying the data transmitted between the client and the destination server.
4. Credential Theft:
a) Compromised Credentials: If user authentication is required to use the SOCKS proxy and credentials are intercepted, attackers can gain unauthorized access to the proxy service and potentially other services using the same credentials.
Mitigation
Verify if the session is legitimate and if yes, whitelist the user or the host machine in the alert query. If not, inspect the zeek_conn logs to understand how much data was transferred and the reputation of the external IP address.
MITRE Tactic: TA0011 MITRE Technique: T1090
STA - Zeek - MySQL Connection Observed with an External IP Address
This alert triggers whenever a communication takes place either from an external IP to an internal IP on the MySQL port (a MySQL session where the MySQL database is internal) or from an internal IP to an external IP on the MySQL port (the MySQL database is external/public). MySQL, being one of the most popular relational database management systems (RDBMS), is a lucrative target for attackers.
Impact
Allowing database connections directly from the internet or connecting to a database over the internet is generally not considered best practice due to significant security risks. Here are the reasons:
1. Increased Attack Surface: Databases accessible from the internet are exposed to a wide range of attacks, such as SQL injection, brute force attacks, and DDoS attacks. Attackers frequently use automated tools to scan the internet for open database ports, making publicly accessible databases easy targets.
2. Data Breach Risks: Exposing databases to the internet increases the risk of unauthorized access and data breaches. Without proper encryption, data transmitted over the internet can be intercepted by malicious actors.
3. Malware and Exploits: Publicly accessible databases are more susceptible to exploitation of known vulnerabilities, especially if they are not regularly patched.
Mitigation
Check if the external IP in question is malicious/blacklisted by STA log or any reputation check engine. If found malicious, block the IP on the network gateway. Check if any other alerts were triggered from the same IP or the internal IP involved. If the MySQL port was unintentionally left open, make sure to close it to the internet.
MITRE Tactic: TA0001 MITRE Technique: T1190
STA - Zeek - NTLM Session Observed with an External IP Address
This alert triggers whenever an NTLM session is established between a local machine and an external IP address. NTLM (NT LAN Manager) is a suite of security protocols developed by Microsoft to provide authentication, integrity, and confidentiality to users. NTLM is primarily used for authentication in Windows environments, but it can also be used in other network protocols for security purposes.
Impact
The impact of an NTLM session with an outside IP address can be significant and poses various security risks. Here are the key impacts:
1. Man-in-the-Middle (MitM) Attacks: NTLM sessions are susceptible to man-in-the-middle attacks, where an attacker intercepts and relays messages between the client and server without either party realizing it. This can lead to credential theft. An attacker can capture the authentication handshake and replay it to gain unauthorized access to the network or services.
2. Pass-the-Hash Attacks: NTLM is vulnerable to pass-the-hash attacks, where attackers use the hashed password to authenticate themselves without knowing the actual password. This can be particularly risky if NTLM authentication is allowed from outside the trusted network.
3. Brute Force and Dictionary Attacks: Exposing NTLM authentication to the internet increases the risk of brute force and dictionary attacks, where attackers attempt to guess passwords using automated tools.
4. Relay Attacks: In an NTLM relay attack, an attacker forwards the authentication request from one machine to another, gaining unauthorized access to network resources.
Mitigation
Check the IP address with which the session was established and if found unknown, block the IP at the Gateway. Investigate Zeek notice logs and insight logs to check if any other alerts were triggered for the same internal host or the destination IP address. If found, investigate for any other malicious actions and check if any other hosts were infected.
Administrators should use Kerberos authentication instead of NTLM wherever possible, as it provides mutual authentication and is less susceptible to certain types of attacks. Configure network policies to restrict NTLM authentication to internal networks only, preventing its use from outside IP addresses.
MITRE Tactic: TA0006 MITRE Technique: T1556
STA - Zeek - Kerberos Session Observed with an External IP Address
This alert triggers whenever a Kerberos session is established between a local machine and an external IP address. Kerberos is a network authentication protocol designed to provide secure authentication for user and service interactions over insecure networks. Kerberos uses secret-key cryptography to provide strong authentication, ensuring that both the user and the service are who they claim to be.
Impact
A Kerberos session with an IP address outside of your organization can have several security impacts. While Kerberos is a robust authentication protocol, using it in an external context introduces various risks and considerations. Here are the key impacts:
1. Exposure to Attacks:
a) Man-in-the-Middle (MitM) Attacks: Communicating over an untrusted network increases the risk of MitM attacks, where an attacker could intercept and manipulate the traffic between the client and the server.
b) Replay Attacks: Although Kerberos includes protections against replay attacks, exposure to external networks can increase the risk if time synchronization and other protections are not perfectly maintained.
2. Credential Theft:
a) Kerberos Ticket Interception: An attacker on the external network could potentially intercept Kerberos tickets and attempt to use them to gain unauthorized access.
3. Vulnerability Exploitation:
a) Service Exposure: Exposing Kerberos services to the internet can make them a target for exploitation of vulnerabilities, such as those in the Kerberos protocol itself or in the implementation of the Key Distribution Center (KDC).
Mitigation
Check the IP address with which the session was established and if found unknown, block the IP at the Gateway. Investigate Zeek notice logs and insight logs to check if any other alerts were triggered for the same internal host or the destination IP address. If found, investigate for any other malicious actions and check if any other hosts were infected.
MITRE Tactic: TA0006 MITRE Technique: T1558
STA - Zeek - SMB Session Observed with an External IP Address
This alert triggers whenever an SMB session is established between a local machine and an external IP address. The SMB (Server Message Block) protocol is a network file-sharing protocol that allows applications and users to read and write to files and request services from server programs in a computer network.
Impact
Establishing an SMB (Server Message Block) session with an external IP address can pose significant security risks. Here are the key considerations:
1. Exposure to Attacks:
a) Brute Force and Password Guessing: Exposing SMB services to the internet can lead to brute force attacks where attackers attempt to guess user credentials.
b) Exploitation of Vulnerabilities: Known vulnerabilities in SMB, particularly in older versions like SMB1, can be exploited by attackers. Notorious exploits like EternalBlue, used in the WannaCry ransomware attack, highlight the dangers of exposed SMB services.
2. Man-in-the-Middle (MitM) Attacks:
a) Intercepting Traffic: External SMB sessions are susceptible to MitM attacks, where an attacker can intercept and manipulate the traffic between the client and server. This can lead to data theft, credential capture, and data tampering.
3. Data Exfiltration:
a) Unauthorized Access to Files: Attackers who gain access to SMB shares can exfiltrate sensitive data. This risk is heightened when file shares are exposed to external networks.
4. Ransomware and Malware Distribution:
a) Propagation of Malware: Attackers can use SMB to distribute ransomware or other malware across connected systems. Once an SMB session is established, malware can spread quickly within the network.
Mitigation
Check the IP address with which the session was established and if found unknown, block the IP at the Gateway. Investigate Zeek notice logs and insight logs to check if any other alerts were triggered for the same internal host or the destination IP address. If found, investigate for any other malicious actions and check if any other hosts were infected.
MITRE Tactic: TA0008 MITRE Technique: T1021 MITRE Sub-Technique: 002
STA - Resource Development - New OCSP Hashing Algorithm Detected
OCSP is a protocol used by clients and web servers to verify that the X.509 certificates they either provide or download haven't been reported as revoked. It serves as a replacement for the CRL mechanism previously used for the same purpose. This alert will fire if the hashing algorithm used in the OCSP transaction hasn't been seen in OCSP transactions in the past three months. If this alert fires, it is recommended to read about the newly discovered hashing algorithm to understand if it is weaker or stronger than the hashing algorithms previously used. If it is weaker than those used before, it is recommended to investigate the audit logs from the source machine to find the specific process that generated that query and either update it, remove it (if it is not needed) or prevent it from running.
STA - Resource Development - A certificate has been revoked
OCSP is a protocol used by clients and web servers to verify that the X.509 certificates they either provide or download haven't been reported as revoked. It serves as a replacement for the CRL mechanism previously used for the same purpose. This alert will fire if a certificate has been detected as revoked. If this alert fires, it is recommended to create (or update, if one already exists) an alert based on zeek_ssl or zeek_x509 about access to sites that presented the revoked certificate.
STA - Building Block - Reconnaissance - An Item Matched an IOC From the Intelligence Framework
This alert will fire if an item that was seen in the traffic by Zeek matched an IOC listed in one of the configured intelligence data sources.
STA - Reconnaissance - A Traffic Matched a Zeek Signature
This alert will fire if the traffic seen by Zeek matched a Zeek script's signature.
STA - Reconnaissance - A Dangling DNS Record Has Been Detected
In cloud environments, a dangling DNS record is a DNS A record that points to an IP address that the organization no longer controls (for example, if the EIP has been deleted). This issue can lead to the hijacking of the domain name by an attacker who launches his own server on the target IP. The STA detects such cases by periodically comparing the list of DNS records to the list of EIPs. If this alert fires it is recommended that the relevant DNS records be removed or modified to point to EIPs that the organization controls.
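The comparison this alert performs, as an added example that is not part of the Coralogix/STA extension: a constructed list of DNS A records is checked against a constructed inventory of Elastic IPs and owned CIDR blocks, and any record pointing to a public address outside that inventory is reported. The record names, addresses and ranges are assumptions for the illustration.

```python
"""Added example (not Coralogix/STA code): find DNS A records that point at
public IP addresses the organization does not own. Inputs are constructed."""
from ipaddress import ip_address, ip_network

# RFC 1918 ranges checked explicitly: ipaddress's is_private also treats the
# documentation ranges (203.0.113.0/24, 198.51.100.0/24) used below as private,
# which would hide the very records this example is meant to flag.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed DNS zone export: (name, A record target).
A_RECORDS = [
    ("www.example.com", "203.0.113.10"),        # owned EIP
    ("old-demo.example.com", "203.0.113.99"),   # EIP released long ago
    ("api.example.com", "198.51.100.5"),        # inside an owned CIDR block
    ("intranet.example.com", "10.0.0.4"),       # private address, not an EIP
]

# Constructed cloud inventory: currently allocated EIPs and owned address blocks.
OWNED_EIPS = {"203.0.113.10", "203.0.113.11"}
OWNED_CIDRS = ["198.51.100.0/28"]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def find_dangling_a_records(a_records, owned_eips, owned_cidrs=()):
    """Return (name, ip) pairs whose public target is neither an allocated EIP
    nor inside an owned block. Private targets are skipped: they are not EIPs
    and cannot be claimed by an outside party, so they are not 'dangling'."""
    eips = {ip_address(ip) for ip in owned_eips}
    cidrs = [ip_network(c) for c in owned_cidrs]
    dangling = []
    for name, target in a_records:
        ip = ip_address(target)
        if is_rfc1918(ip):
            continue
        if ip in eips or any(ip in c for c in cidrs):
            continue
        dangling.append((name, target))
    return dangling


if __name__ == "__main__":
    for name, target in find_dangling_a_records(A_RECORDS, OWNED_EIPS, OWNED_CIDRS):
        print(f"dangling: {name} -> {target}")
```

Running this periodically against a fresh zone export and a fresh EIP listing is the same loop the alert describes; the owned CIDR list covers the case where the organization holds a whole block rather than individual EIPs.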
Building Block - STA - Insight - Outbound Connection Observed From a Database Server
This alert triggers whenever an outbound connection (outside the organization) is observed from a Database server. Allowing outbound connections from a database server is generally not considered a best practice due to several security risks.
STA insight - Resource Development - Connection to new TLD
A Top Level Domain (TLD) is the first label after the root; for example, in the domain name 'google.com', '.com' is the TLD. This alert will fire when a new top level domain is detected.
STA Insight - Defense Evasion - New Source/Destination Country
This alert will fire whenever a country that hasn't been seen before has connected to a local IP as a source country, or, alternatively, whenever a local IP has connected to a country that hasn't been seen as a destination country in the past three months. If this alert fires, it is recommended to analyze the connections to the detected country by using Zeek's conn logs and/or Suricata's flow logs and related logs to understand what types of connections were observed, what types of data were transferred, in which direction and by which service, then contact the relevant service owners and understand whether this connection is expected.
STA insight - Impact - Incoming SSH/RDP connection from a new country
RDP is the preferred protocol for remote control in Windows environments. In addition to simple remote desktop connectivity, this protocol also allows transferring files, audio and sharing printers. SSH is a software package that enables secure system administration and file transfers over insecure networks. This alert fires when an SSH or RDP connection is detected from a new country.
STA - Insight - New Outbound Connection Observed
This STA insight alert triggers whenever a host is seen communicating for the first time (outbound connection) with any IP address outside the organization. This alert makes use of the AWS name tag enrichment done by the STA.
Impact
The first or a new outbound connection from an internal host that usually doesn't communicate with an external IP address can be a significant security event. This type of activity can have various potential impacts and warrants careful investigation. Here are some key considerations and potential impacts:
1. Indicator of Compromise (IoC):
a) Malware Infection: A new outbound connection to an unfamiliar external IP address could indicate that the internal host has been compromised by malware attempting to communicate with a command and control (C2) server.
b) Data Exfiltration: The connection might be used to exfiltrate sensitive data from the internal host to an external attacker-controlled server.
2. Unauthorized Access:
a) Potential Breach: The connection could indicate an unauthorized attempt to access external resources or services, potentially exposing internal systems and data to external threats.
b) Lateral Movement: If an attacker has compromised the host, they might be using it to pivot to other internal systems and expand their foothold within the network.
3. Policy Violation:
a) Non-Compliance: The connection could be a violation of network policies that restrict outbound traffic to known and trusted destinations, potentially leading to non-compliance with regulatory or organizational security policies.
b) User Behavior: It might also indicate unauthorized user activity, such as the installation of unapproved software that attempts to connect to external services.
Mitigation
Validate if the session with the external IP address is legitimate. Also, investigate the destination IP, geolocation, etc. Check if this host is supposed to communicate with the outside world, and what port number the session was established on. Report any suspicious findings for further investigation.
MITRE Tactic: TA0011 MITRE Technique: T1071
STA insight - Impact - New MySQL command
MySQL is one of the most used database systems today. Since it usually holds the most sensitive information in an organization, such as users, passwords (at least hashes) and the actual business information, it is a lucrative target for an attack. This alert fires when a new MySQL command is detected.
STA insight - Exfiltration - New instance making MySQL queries per DB
MySQL is one of the most used database systems today. Since it usually holds the most sensitive information in an organization, such as users, passwords (at least hashes) and the actual business information, it is a lucrative target for an attack. This alert fires when a new instance is seen making MySQL queries to a database.
STA insight - Lateral Movement - First incoming SSH/RDP connection per destination
RDP is the preferred protocol for remote control in Windows environments. In addition to simple remote desktop connectivity, this protocol also allows transferring files, audio and sharing printers. SSH is a software package that enables secure system administration and file transfers over insecure networks. This alert fires when a new SSH or RDP connection is detected to a new destination (per AWS name tag).
STA Insight - Lateral Movement - More Than 10 Lateral Connections in 10 Minutes
An unusual number of connections in a short period of time is often an indication of lateral movement.
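A sliding-window counter that implements both of this page's count thresholds, as an added example that is not part of the Coralogix/STA extension: "Building Block - STA - Zeek - Multiple SSH Connection Attempts by a Source IP" (more than 10 connections from one source IP within 10 minutes) and "STA Insight - Lateral Movement - More Than 10 Lateral Connections in 10 Minutes". The conn.log-style records, the RFC 1918 definition of "internal" and the timestamps are constructed assumptions.

```python
"""Added example (not Coralogix/STA code): a sliding-window burst counter over
Zeek conn.log-style records, applied to two thresholds from this page:
more than 10 SSH connections from one source IP in 10 minutes, and more than
10 lateral (internal-to-internal) connections in 10 minutes. All constructed."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed internal address space (RFC 1918); adjust to the organization's ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def conn(ts, orig_h, resp_h, resp_p):
    """Constructed conn.log-like record; ts is epoch seconds."""
    return {"ts": ts, "id.orig_h": orig_h, "id.resp_h": resp_h, "id.resp_p": resp_p}


# Constructed traffic:
#  - 12 SSH connections from one external IP in under 4 minutes (should alert)
#  - 5 SSH connections from an internal host (below threshold)
#  - 11 SMB connections from 10.0.0.3 to 11 internal hosts in 5 minutes (lateral alert)
#  - one external HTTPS connection from 10.0.0.3 that must not count as lateral
EVENTS = sorted(
    [conn(1000 + i * 20, "203.0.113.5", "10.0.0.7", 22) for i in range(12)]
    + [conn(1000 + i * 30, "10.0.0.9", "10.0.0.7", 22) for i in range(5)]
    + [conn(2000 + i * 30, "10.0.0.3", f"10.0.0.{20 + i}", 445) for i in range(11)]
    + [conn(2100, "10.0.0.3", "198.51.100.4", 443)],
    key=lambda e: e["ts"])


def burst_alerts(events, key_fn, window_s=600, threshold=10):
    """Alert once per key when more than `threshold` events fall inside any
    `window_s`-second span. `events` must be sorted by ts."""
    windows = defaultdict(deque)
    fired, alerts = set(), []
    for ev in events:
        key = key_fn(ev)
        q = windows[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and key not in fired:
            fired.add(key)
            alerts.append({"key": key, "count": len(q), "ts": ev["ts"]})
    return alerts


def ssh_burst_alerts(events):
    """Multiple SSH Connection Attempts by a Source IP: key on the source IP,
    count only connections to the SSH port."""
    ssh = [e for e in events if e["id.resp_p"] == 22]
    return burst_alerts(ssh, key_fn=lambda e: e["id.orig_h"])


def lateral_burst_alerts(events):
    """More Than 10 Lateral Connections in 10 Minutes: key on the source host,
    count only connections where both endpoints are internal."""
    lateral = [e for e in events
               if is_internal(e["id.orig_h"]) and is_internal(e["id.resp_h"])]
    return burst_alerts(lateral, key_fn=lambda e: e["id.orig_h"])


if __name__ == "__main__":
    print("ssh:", ssh_burst_alerts(EVENTS))
    print("lateral:", lateral_burst_alerts(EVENTS))
```

The deque per key keeps only timestamps inside the window, so memory stays proportional to the threshold rather than to the volume of traffic; the `fired` set suppresses repeat alerts for a key that stays above threshold, which is the behaviour most SIEM threshold alerts adopt and the threshold and window are the two knobs the page invites you to tune.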
STA insight - Command and Control - Outbound TLS connection with an invalid cert
TLS is a cryptographic protocol that provides end-to-end security of data sent between applications over the Internet. Adversaries may fake an SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related to a trusted entity. This alert will fire when a TLS connection outside the organization is detected with an invalid certificate.
STA insight - Resource Development - Connection to URL redirecting to another domain
URL redirection is a vulnerability which allows an attacker to force users of your application to an untrusted external site. This alert will fire when a connection to a URL that redirects to another domain is detected.
STA - Insight - SSH Session Observed with an External IP Address
This alert triggers whenever an SSH session is established between a local machine and an external IP address. The SSH (Secure Shell) protocol is a cryptographic network protocol used for securing data communication over an unsecured network. Its primary purposes include secure remote login, secure file transfer, and secure execution of commands.
Impact
Establishing an SSH (Secure Shell) session with an IP address outside of your organization can have several security impacts. Here are the key considerations:
1. Exposure to External Threats:
a) Man-in-the-Middle (MitM) Attacks: External SSH sessions are susceptible to MitM attacks, where an attacker intercepts and manipulates the communication between the client and server. Even though SSH encrypts the connection, MitM attacks can still be a risk if the initial connection is not properly authenticated.
b) Brute Force Attacks: Exposing SSH to the internet can invite brute force attacks, where attackers attempt to gain access by systematically trying different usernames and passwords.
2. Credential Theft:
a) Phishing and Social Engineering: Attackers may use phishing or social engineering techniques to steal credentials, which can then be used to establish SSH sessions with external IPs.
b) Key Theft: If private keys are stored insecurely, they could be stolen and used to establish unauthorized SSH sessions.
3. Data Exfiltration:
a) Sensitive Data Leakage: SSH sessions with external IP addresses can be used to exfiltrate sensitive data from the organization. This risk is heightened if the session is established from compromised systems within the network.
4. Malware and Command and Control (C2) Channels:
a) Remote Control: Compromised SSH sessions can be used to set up C2 channels, allowing attackers to remotely control systems and execute malicious activities.
Mitigation
Check the IP address with which the session was established and if found unknown, block the IP at the Gateway. Investigate Zeek notice logs and insight logs to check if any other alerts were triggered for the same internal host or the destination IP address. If found, investigate for any other malicious actions and check if any other hosts were infected.
MITRE Tactic: TA0008 MITRE Technique: T1021 MITRE Sub-Technique: 004
STA - Zeek - LDAP Session Observed with an External IP Address
This alert triggers whenever an LDAP session is established between a local machine or server and an external IP address. LDAP (Lightweight Directory Access Protocol) is used to query and manage directory services over a network. Directory services store information about users, groups, devices, applications and other resources in a hierarchical structure, and LDAP is widely used in enterprise environments for authentication, authorization and configuration data. Directory traffic normally stays inside the organization, so an LDAP session that crosses the perimeter is unusual in itself.
Impact
Establishing an LDAP session with an IP address outside your organization can pose several significant security risks:
1. Exposure to unauthorized access: a) Credential theft: LDAP simple binds send the username and password in cleartext unless the session is protected by TLS (LDAPS on port 636, or StartTLS on port 389). If the session is not encrypted, anyone on the path can capture the credentials and reuse them against the directory and any other system that accepts them.
2. Man-in-the-Middle (MitM) attacks: a) Data interception and manipulation: external LDAP sessions are susceptible to MitM attacks, where an attacker intercepts and potentially alters the communication between client and server. Even when TLS is used, a client that does not validate the server certificate remains vulnerable.
3. Directory enumeration: a) Information disclosure: LDAP queries can enumerate users, groups, computers and other directory objects. That information feeds further attacks such as spear phishing, password spraying and social engineering.
4. Denial of Service (DoS) attacks: a) Service disruption: an attacker can flood the LDAP server with queries, overwhelming it and disrupting authentication for legitimate users.
Mitigation
Check the IP address with which the session was established and, if it is not a known or approved peer, block it at the gateway.
Investigate Zeek notice logs and insight logs to check whether any other alerts were triggered for the same internal host or the destination IP address. If so, investigate for other malicious actions and check whether any other hosts were infected. MITRE Tactic: TA0007 MITRE Technique: T1018
STA insight - C2 Connectivity - More than 100 NXDOMAIN responses in 10 minutes
A high number of NXDOMAIN responses from DNS servers is often an indication of Domain Generation Algorithm (DGA) activity: malware cycles through generated candidate domains, most of which are not registered, until one resolves to a live C2 server. Legitimate causes exist too (typos, stale configuration, misbehaving software), which is why the threshold is a burst of 100 responses in 10 minutes rather than any single failure. If this alert fires, investigate the source hosts, and the processes and files on them, that attempted to resolve the domains which resulted in NXDOMAIN responses. Links for more information: https://en.wikipedia.org/wiki/Domain_generation_algorithm, https://beta.darkreading.com/attacks-breaches/monitor-dns-traffic-you-just-might-catch-a-rat
STA - Zeek - Notice Log Detected DNS Anomaly
This alert triggers whenever Zeek notice logs contain entries for abnormal DNS behavior. These notices can detect tunneling and C&C traffic from connection duration (an unusually long DNS connection), volume (the number of packets sent to or received from an external resolver exceeding a threshold), and DNS request and answer size (a query sent to a public server that is extremely long, which may indicate data being exfiltrated inside the name).
Impact
DNS (Domain Name System) is a crucial component of the internet's infrastructure, translating human-readable domain names into IP addresses, and its central role makes it a target for several kinds of attack:
1. DNS spoofing (cache poisoning). Description: attackers inject false records into a resolver's cache so that it returns wrong IP addresses for domain names. Impact: users are redirected to malicious sites, leading to phishing, malware infection or data theft.
2. DNS amplification. Description: a Distributed Denial of Service (DDoS) technique in which attackers send small queries with a spoofed source address to open resolvers, which then answer the victim with much larger responses. Impact: the target is overwhelmed with traffic and may be taken offline.
3. DNS tunneling. Description: other protocols and data are carried inside DNS queries and responses, commonly to exfiltrate data or for command-and-control communication by malware. Impact: bypasses network security controls that let DNS through unconditionally, giving covert data transfer and communication with compromised systems.
4. DNS hijacking. Description: attackers take control of a DNS server, a domain's registrar account or a client's resolver settings and redirect queries to servers they control. Impact: traffic is redirected to malicious sites, enabling phishing, malware distribution or surveillance.
Mitigation
Some mitigation strategies for the above attacks:
1. Use DNS filtering: employ DNS filtering services to block access to known malicious domains, and force internal hosts to use the organization's resolvers so that direct DNS to external servers is visible and can be blocked.
2. Rate limiting: apply rate limiting to DNS requests to reduce the impact of amplification and NXDOMAIN (random-subdomain) attacks.
3. Regular audits: conduct regular audits of DNS configurations and records to identify and fix weaknesses.
4. Security awareness: educate users about the risks of typosquatting and other DNS-related threats. MITRE Tactic: TA0010 MITRE Technique: T1048
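The two DNS-based alerts above (more than 100 NXDOMAIN responses in 10 minutes, and an extremely long query name) can be expressed as a windowed count and a length check over Zeek dns.log records. The following is an added example written for this page, not code from Coralogix or the STA. It assumes a dns.log slice with the column subset listed in DNS_FIELDS, and the sample log is constructed in the code: one host that cycles through DGA-like names and one ordinary host that also sends a tunnel-like 72-character label. The 80-character cut-off for a "long" query is an assumption of the example.

```python
import hashlib
from collections import defaultdict, deque

# Subset of Zeek dns.log columns used here, in the order of the sample lines
DNS_FIELDS = ["ts", "uid", "id.orig_h", "id.resp_h", "query", "qtype_name", "rcode_name"]

WINDOW_SECONDS = 600        # "in 10 minutes"
NXDOMAIN_THRESHOLD = 100    # "more than 100 NXDOMAIN responses": fires on the 101st
LONG_QUERY_CHARS = 80       # assumed cut-off for an "extremely long" query name


def _dga_like_name(i: int) -> str:
    # Deterministic pseudo-random label standing in for DGA output (constructed)
    return hashlib.sha256(f"dga-{i}".encode()).hexdigest()[:14] + ".example"


def build_sample_dns_log() -> str:
    """Constructed dns.log slice: one DGA-like host, one ordinary host with a tunnel-like query."""
    t0 = 1717000000.0
    lines = []
    # Host A: 120 NXDOMAIN answers in five minutes, the signature of a DGA loop
    for i in range(120):
        lines.append("\t".join([f"{t0 + i * 2.5:.3f}", f"Cdga{i}", "10.1.2.3", "10.1.2.53",
                                _dga_like_name(i), "A", "NXDOMAIN"]))
    # Host B: one typo, one normal lookup and one 72-character label in a TXT query
    tunnel_label = hashlib.sha256(b"chunk").hexdigest() + "deadbeef"
    lines += [
        "\t".join([f"{t0 + 5:.3f}", "Cnorm1", "10.1.2.44", "10.1.2.53", "wwww.example.com", "A", "NXDOMAIN"]),
        "\t".join([f"{t0 + 9:.3f}", "Cnorm2", "10.1.2.44", "10.1.2.53", "example.com", "A", "NOERROR"]),
        "\t".join([f"{t0 + 12:.3f}", "Ctun1", "10.1.2.44", "10.1.2.53",
                   tunnel_label + ".tunnel.example", "TXT", "NOERROR"]),
    ]
    return "\n".join(lines) + "\n"


def parse_dns_log(text: str) -> list[dict]:
    """Parse tab-separated dns.log lines into dicts, sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(DNS_FIELDS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def detect_dns_anomalies(text: str, threshold: int = NXDOMAIN_THRESHOLD,
                         window: float = WINDOW_SECONDS) -> list[tuple[str, str, str]]:
    """Return (alert, source_host, uid) tuples in time order."""
    alerts = []
    recent = defaultdict(deque)  # source host -> timestamps of its NXDOMAIN answers in the window
    fired = set()                # hosts already reported, to avoid one alert per extra query
    for rec in parse_dns_log(text):
        src = rec["id.orig_h"]
        if len(rec["query"]) > LONG_QUERY_CHARS:
            alerts.append(("long-dns-query", src, rec["uid"]))
        if rec["rcode_name"] != "NXDOMAIN":
            continue
        q = recent[src]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # slide the window forward; q always keeps rec itself
            q.popleft()
        if len(q) > threshold and src not in fired:
            fired.add(src)
            alerts.append(("nxdomain-burst", src, rec["uid"]))
    return alerts


if __name__ == "__main__":
    for alert, host, uid in detect_dns_anomalies(build_sample_dns_log()):
        print(f"{alert}\t{host}\t{uid}")
```

The burst detector reports a host once per window rather than once per query, which is what you want when the next step is a human looking at the host; the uid it returns is the query that crossed the threshold, so it can be used to pivot into conn.log for the same connection.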
STA insight - Exfiltration - over 1 hour long connection
Long-lived connections may indicate ongoing data exfiltration, for example data extracted in small chunks over a long period, or a command-and-control channel that is held open. Depending on how many such connections are found, they could also indicate an attempt to create a Denial-of-Service condition by tying up server resources. This alert fires when Zeek records a connection whose duration exceeds 1 hour. Some legitimate traffic (VPN tunnels, database connection pools, large downloads, monitoring agents) also produces connections this long, so compare the peers and byte counts against what the host normally does.
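The three connection-based insights above (SSH session with an external IP, LDAP session with an external IP, and a connection longer than 1 hour) are all decisions on individual Zeek conn.log records. The following is an added example written for this page, not code from Coralogix or the STA. It assumes a conn.log slice with the column subset listed in CONN_FIELDS (the sample lines are constructed), and it defines "external" as any address outside the RFC 1918, loopback and link-local ranges it lists; a real deployment would substitute its own address inventory.

```python
import ipaddress

# Address ranges this example treats as internal. Python's is_private would also
# flag the RFC 5737 documentation ranges used in the sample, so they are listed
# explicitly here; a real deployment would use its own site list (assumption).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Destination ports whose sessions should not cross the perimeter
WATCHED_PORTS = {22: "ssh", 389: "ldap", 636: "ldaps"}
LONG_CONNECTION_SECONDS = 3600.0

# Subset of Zeek conn.log columns used here, in the order of the sample lines
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration"]

# Constructed conn.log slice (tab-separated; Zeek writes "-" for unset fields)
SAMPLE_CONN_LOG = """\
1717000000.10\tCAbcd1\t10.1.2.3\t51000\t10.1.2.10\t22\ttcp\tssh\t12.5
1717000001.20\tCAbcd2\t10.1.2.3\t51001\t203.0.113.7\t22\ttcp\tssh\t95.0
1717000002.30\tCAbcd3\t10.1.2.44\t51002\t198.51.100.9\t389\ttcp\tldap\t0.8
1717000003.40\tCAbcd4\t10.1.2.44\t51003\t10.1.2.5\t389\ttcp\tldap\t0.4
1717000004.50\tCAbcd5\t10.1.2.60\t51004\t192.0.2.25\t443\ttcp\tssl\t4100.0
1717000005.60\tCAbcd6\t10.1.2.60\t51005\t192.0.2.26\t443\ttcp\tssl\t-
1717000006.70\tCAbcd7\t203.0.113.80\t40000\t10.1.2.3\t22\ttcp\tssh\t3.1
"""


def is_external(ip: str) -> bool:
    """True when the address is outside every listed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def parse_conn_log(text: str) -> list[dict]:
    """Parse tab-separated conn.log lines; unset duration ("-") becomes 0.0."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(CONN_FIELDS, line.split("\t")))
        rec["id.resp_p"] = int(rec["id.resp_p"])
        rec["duration"] = 0.0 if rec["duration"] == "-" else float(rec["duration"])
        records.append(rec)
    return records


def find_insights(text: str) -> list[tuple[str, str, str]]:
    """Return (uid, insight, peer) for each connection matching one of the checks."""
    findings = []
    for rec in parse_conn_log(text):
        orig, resp = rec["id.orig_h"], rec["id.resp_h"]
        # The external peer may be on either side: an outbound admin session or an inbound attempt
        peer = resp if is_external(resp) else orig if is_external(orig) else None
        service = WATCHED_PORTS.get(rec["id.resp_p"])
        if service and peer:
            findings.append((rec["uid"], f"{service}-session-with-external-ip", peer))
        if rec["duration"] > LONG_CONNECTION_SECONDS:
            findings.append((rec["uid"], "connection-longer-than-1h", peer or resp))
    return findings


if __name__ == "__main__":
    for uid, insight, peer in find_insights(SAMPLE_CONN_LOG):
        print(f"{uid}\t{insight}\t{peer}")
```

Two details matter in practice: the check looks at both endpoints, because an inbound SSH session from the internet (CAbcd7 in the sample) is the brute-force case, not only an outbound one; and the duration field is taken from conn.log, which Zeek writes when the connection ends, so a connection that is still open will not have produced the record yet.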
STA - Suricata - A Suspicious String Was Detected
This alert triggers when Suricata identifies a string or pattern in network traffic that matches known suspicious or malicious content. For example, the string "admin:admin" is a common default username and password combination for administrative access to systems or applications, and seeing it on the wire could indicate an attempt to gain unauthorized access to a device or service.
Impact
A suspicious string could indicate potential malicious activity in the network. The impact depends on the string that was detected by Suricata and on the direction of the traffic: the same string in an inbound request is an attempt, while in a server response it may mean the attempt succeeded.
Mitigation
Examine the Suricata alert for the suspicious string or payload. Correlate it with other network and endpoint activity to understand the scope of the potential attack. Check the reputation of the IP or domain involved. Check whether any other alerts were triggered for the same host around this time. Correlate logs and alerts from various sources (network, endpoint, firewall, etc.) to get a comprehensive view of the event. MITRE Tactic: TA0002 MITRE Technique: T1204 MITRE Sub-Technique: 002
STA - Collection - NIDS alert detected - Inappropriate Content was Detected
This classification indicates the identification of content that is deemed inappropriate or violates established policies or guidelines. This alert suggests the detection of content, such as websites, files, or media, that contains explicit, offensive, or prohibited material. Detecting inappropriate content is important as it helps maintain a secure and compliant environment, especially in organizations or networks where content filtering is in place.
STA - Collection - NIDS alert detected - Generic ICMP event
This classification indicates the detection of a security event related to ICMP (Internet Control Message Protocol) traffic that does not fit any more specific attack classification. It means Suricata saw ICMP activity that is anomalous or suspicious but has no well-defined signature associated with a known attack. ICMP is commonly used for network troubleshooting, but it can also be abused, for example for ICMP flooding, for host discovery sweeps, or for carrying data in echo request payloads as a covert channel.
STA - Collection - NIDS alert detected - Web Application Attack
This classification indicates the detection of a security event involving an attack specifically targeting a web application. This alert suggests that Suricata has identified suspicious or malicious activities aimed at exploiting vulnerabilities in the web application's code, infrastructure, or configuration. Web application attacks can include various techniques, such as SQL injection, cross-site scripting (XSS), remote code execution, or directory traversal, with the goal of compromising the application's security, gaining unauthorized access, or extracting sensitive information.
STA - Suricata - A Potential Vulnerable Web Application Was Accessed
This alert triggers when Suricata detects/identifies network traffic that is accessing a web application known to have vulnerabilities. This alert serves as a warning that an attempt is being made to interact with a web application that may be susceptible to exploitation. Impact Accessing a vulnerable web application can have significant security implications for both the organization hosting the application and the users accessing it. Vulnerabilities in web applications can be exploited by attackers to compromise the integrity, confidentiality, and availability of the application and its associated data. Mitigation Detecting such access is crucial as it highlights the need for immediate investigation and remediation to address the vulnerabilities, patch any security gaps, and ensure the overall security of the web application. Check if any other alerts were triggered for the same web application (domain or the IP address). Correlate this activity with Zeek logs such as Zeek notice and Zeek insight logs. Check any other suspicious activities for the internal host that accessed the web application. MITRE Tactic: TA0001 MITRE Technique: T1190
Building Block - STA - Suricata - Internal Host Used Unusual Port
This alert triggers when an internal host communicates over a port that is not the usual one for the service or protocol in use, for example traffic that Suricata identifies as SSH or HTTP on a port other than 22 or 80. Such traffic can be benign (non-standard administrative ports, development services), but it can also indicate an attempt to bypass port-based firewall rules or to hide a tunnel or C2 channel inside an allowed port, so the host, the peer and the identified protocol should be checked.
STA - Collection - NIDS alert detected - Unsuccessful User Privilege Gain
This classification indicates the detection of an event where an unauthorized user or entity attempted to gain higher levels of privileges or access within a system or network but was unsuccessful. This alert suggests that an attacker made an effort to escalate their privileges or gain unauthorized access to restricted resources, but their attempts were thwarted or blocked. Detecting unsuccessful user privilege gain is crucial as it provides valuable insights into potential security threats and unauthorized access attempts.
STA - Collection - NIDS alert detected - Unknown Traffic
This classification indicates the detection of network traffic that cannot be classified or identified based on predefined signatures or known patterns. This alert suggests the presence of network communication or data that does not match any recognized protocols or expected behaviors. Detecting unknown traffic is important as it can indicate the presence of new or emerging threats, zero-day vulnerabilities, or unauthorized activities that have not been previously encountered or analyzed. It highlights the need for further investigation and analysis to determine the nature and potential risks associated with the unknown traffic.
Building Block - STA - Suricata - Possible Network Trojan Detected
This alert triggers when Suricata detects a possible network Trojan. A Trojan is a type of malicious software (malware) that disguises itself as legitimate or benign software to deceive users into installing and executing it. Network Trojans are often used by attackers to gain unauthorized access, control compromised systems remotely, exfiltrate sensitive data, or launch further attacks within the network.
STA - Collection - NIDS alert detected - Targeted Malicious Activity was Detected
This classification indicates the identification of specific and intentional malicious actions aimed at a particular target or entity. This alert suggests the detection of sophisticated and purposeful attacks directed towards compromising the security, integrity, or availability of a specific system, network, or organization. Targeted malicious activity often involves advanced techniques, customized exploits, or social engineering tactics to bypass defenses and achieve specific objectives, such as data theft, unauthorized access, or disruption of services. Detecting targeted malicious activity is crucial as it highlights a high-level threat that requires immediate attention and response.
STA - Collection - NIDS alert detected - A system call was detected
This classification marks rules that match payload content resembling a system call, for example shellcode that invokes execve, or a request that tries to reach an operating system interface directly. A system call is a request made by a program to the operating system for a specific service or action. Suricata is a network sensor and cannot observe the system calls a process actually makes; what it sees is traffic whose content looks like an attempt to make the receiving host execute such a call. System calls are essential for normal operation, but they are also what exploit payloads ultimately use to run commands or gain privileges, so a match warrants checking the destination host for signs that the payload executed.
STA - Building Block - Collection - NIDS Alert Detected - An Attempted Login Using a Suspicious Username Was Detected
This classification indicates the identification of an event where an unauthorized login attempt was made using a username that raises suspicions or exhibits characteristics associated with potentially malicious activities. This alert suggests the presence of an unusual or suspicious username that deviates from regular naming conventions or is associated with known malicious actors or hacking attempts. Detecting such an attempted login is crucial as it signifies a potential security threat. Immediate investigation and appropriate action are necessary to prevent unauthorized access, strengthen authentication mechanisms, and protect the integrity and security of the system or network.
STA - Suricata - A Suspicious Filename Was Detected
This alert triggers when Suricata identifies a filename in network traffic that matches patterns known to be associated with malicious activity, typically names commonly used by malware droppers, exploit payloads or attacker tooling (for example an executable offered with a document-like double extension).
Impact
The presence of a suspicious filename in network traffic can indicate various potential security risks, depending on the nature of the file and how it is handled within the network:
1. Malware infection: a) Payload delivery: suspicious filenames often belong to files that carry a malware payload; if executed, they can install viruses, worms, trojans, ransomware or spyware. b) Persistence: once installed, malware can create backdoors for persistent access, making it hard to detect and remove.
2. Lateral movement: a) Spread within the network: an infected system can use network shares and other weaknesses to spread to other systems, widening the compromise. b) Reconnaissance: malware can enumerate the internal network to find additional targets and sensitive resources.
3. Command and Control (C2) communication: a) External connections: infected systems may connect to C2 servers to receive commands and send back stolen data. b) Botnet inclusion: infected systems can be enrolled in a botnet and used for distributed denial-of-service (DDoS) attacks or other malicious activity.
Mitigation
Check the source IP, destination IP, filename, its extension and the URI (if present) in the logs. Check the reputation of the domain (if any) and of the external IP. Correlate the activity with the Zeek files log, which records the MIME type Zeek determined from the file content; a mismatch between the extension and that MIME type (an executable served as a .pdf) is itself a strong signal.
Check whether any other alerts were triggered for the same IP around this time. Also check whether any entries were written to the Zeek notice and pe logs for the same file. MITRE Tactic: TA0002 MITRE Technique: T1204 MITRE Sub-Technique: 002
STA - Collection - NIDS alert detected - Successful User Privilege Gain
This classification indicates the detection of an event where an unauthorized user or entity has successfully obtained higher levels of privileges or access within a system or network. This alert suggests that an attacker has managed to escalate their privileges, gaining greater control over resources, data, or functionalities that were originally restricted. Successful user privilege gain allows the attacker to perform unauthorized actions, access sensitive information, or manipulate system configurations. Detecting this event is crucial as it signals a significant security breach. Immediate investigation and remedial actions are necessary to revoke the unauthorized privileges, close security gaps, and prevent further compromise or unauthorized activities within the affected system or network.
STA - Collection - NIDS alert detected - Information Leak
This classification refers to the detection of a security event where sensitive or confidential information has been unintentionally or maliciously disclosed to unauthorized entities or systems. This alert suggests the identification of a potential breach or vulnerability that has led to the unauthorized exposure of valuable data. Information leaks can occur through various means, including misconfigured systems, software vulnerabilities, or intentional data exfiltration. Detecting information leaks is essential as it enables prompt investigation and remediation to prevent further data compromise, protect sensitive information, and ensure compliance with privacy regulations.
STA - Collection - NIDS alert detected - Large Scale Information Leak
This classification refers to the detection of a security event where a significant amount of sensitive or confidential information has been disclosed or leaked. This alert suggests the identification of unauthorized access, data breaches, or other malicious activities that have resulted in the exposure of valuable data on a substantial scale. Large scale information leaks can have severe consequences, including compromised personal information, intellectual property theft, or reputation damage. Detecting such leaks is crucial as it enables immediate investigation and response to mitigate further data exposure, secure affected systems, and implement measures to prevent future breaches.
STA - Collection - NIDS alert detected - Denial of Service
This classification refers to the identification of a security event involving the intentional disruption or prevention of legitimate users' access to a system, service, or network resource. This alert suggests the detection of malicious activities aimed at overwhelming the targeted infrastructure, causing service degradation or complete unavailability. Denial of Service attacks can be carried out through various means, such as flooding the network with excessive traffic, exploiting vulnerabilities in network protocols, or exhausting system resources. Detecting Denial of Service attacks is crucial as it allows for immediate response and mitigation to restore normal operations, protect system availability, and ensure uninterrupted access for legitimate users.
STA - Collection - NIDS alert detected - Successful Administrator Privilege Gain
This classification indicates the detection of an event where an unauthorized individual or entity has successfully acquired administrator-level privileges on a system or network. This alert suggests that an attacker has bypassed security measures or exploited vulnerabilities, gaining extensive control and access to critical resources and settings. Administrator privileges provide elevated levels of authority and control, enabling the attacker to perform unauthorized actions, install malicious software, manipulate configurations, or compromise sensitive data. Detecting a successful administrator privilege gain is of utmost importance as it highlights a significant security breach. Immediate investigation and remedial actions are essential to revoke the unauthorized access, close security gaps, and prevent further compromise or damage to the affected system or network.
STA - Collection - NIDS alert detected - Possible Social Engineering Attempted
This classification refers to the identification of suspicious activities or indicators that suggest the presence of a social engineering attempt. This alert indicates that certain actions, behaviors, or communication patterns have been detected that align with tactics commonly used in social engineering attacks. Social engineering involves manipulating human psychology to deceive individuals into revealing sensitive information, performing unauthorized actions, or compromising security measures. Detecting possible social engineering attempts allows for immediate investigation, raising awareness among potential targets, and implementing necessary countermeasures to prevent successful attacks and protect against social engineering-related risks.
STA - Collection - NIDS alert detected - Executable code was detected
This classification indicates the identification of executable code within the network traffic or system that has been analyzed. This alert suggests the presence of binary files or code that can be executed on a computer or device. Detecting executable code helps in monitoring and analyzing potential security threats, as it may signify the presence of malware, malicious scripts, or other forms of unauthorized code execution. By promptly detecting and analyzing executable code, security measures can be implemented to mitigate risks, prevent further compromise, and safeguard the integrity and security of the network or system.
STA - Collection - NIDS alert detected - Decode of an RPC Query
This classification refers to the decoding of a Remote Procedure Call (RPC) query. RPC is a protocol that lets a program request services from a program on a remote system, and the RPC portmapper is the service clients ask to learn which RPC programs (NFS, NIS, mountd and others) are registered and on which ports. Rules in this class fire when Suricata decodes such a query, for example a request to dump the portmapper's registrations. That is a legitimate step for an RPC client, but from an unexpected source it is the reconnaissance that precedes attacks on RPC services, so the source and the services it asked about should be reviewed.
STA - Collection - NIDS alert detected - Possibly Unwanted Program Detected
This classification refers to the identification of a program or software that exhibits characteristics suggesting it may be unwanted or potentially harmful. This alert indicates the detection of behavior or attributes that align with potentially malicious or undesirable software, such as adware, spyware, or potentially unwanted applications. These programs may exhibit intrusive or unwanted behaviors, compromise user privacy, or negatively impact system performance. Detecting a possibly unwanted program allows for further investigation and appropriate action to prevent potential harm, such as removing or quarantining the program, and enhancing overall system security.
STA - Collection - NIDS alert detected - Potential Corporate Privacy Violation
This classification refers to the identification of an event that suggests a potential breach or violation of corporate privacy. This alert indicates the detection of activities or behaviors that could potentially compromise sensitive information, such as confidential corporate data, personal identifiable information (PII), or intellectual property. It raises concerns about unauthorized access, data leakage, or suspicious activities that may pose a threat to the privacy and security of the organization.
STA - Building Block - Collection - NIDS Alert Detected - Detection of a non-standard Protocol or Event
The detection of a non-standard protocol or event refers to the identification of unusual or uncommon network protocols or events that deviate from established standards. This alert indicates the detection of network traffic or system behavior that does not conform to the expected or widely recognized protocols and patterns. It suggests the presence of potentially unauthorized or suspicious activities, which may indicate an attempt to bypass security measures or exploit vulnerabilities. Detecting non-standard protocols or events is crucial for maintaining network security as it allows for immediate investigation and remediation to prevent potential threats or unauthorized access.
STA - Building Block - Collection - NIDS Alert Detected - Detection of a Network Scan
The detection of a network scan refers to the identification of suspicious activity indicating an attempt to scan a network for potential vulnerabilities or open ports. This alert suggests that an entity or automated system is systematically probing the network infrastructure to gather information about the available services or devices. Network scanning can be performed for legitimate purposes, such as network administration and security auditing. However, it can also be employed by malicious actors seeking to identify weak points for potential exploitation. Detecting network scans is crucial as it allows network administrators to investigate and address any vulnerabilities promptly, enhancing the overall security posture of the network.
STA - Collection - NIDS alert detected - Misc Attack
A miscellaneous (misc) attack refers to a type of security event that encompasses various unauthorized activities targeting a system or network, which cannot be easily classified into specific attack categories. These attacks often involve unusual or anomalous behavior, such as unauthorized port scanning, atypical network traffic patterns, or suspicious system actions that do not fit into predefined attack signatures. Due to their unpredictable nature, misc attacks can be challenging to identify and mitigate. They require thorough investigation to understand their specific nature and potential impact on the affected system or network, allowing appropriate security measures to be implemented.
STA - Collection - NIDS alert detected - Device Retrieving External IP Address Detected
This classification refers to the detection of a security event where a device is observed retrieving its external IP address. This alert suggests that the device is attempting to determine the public-facing IP address that is assigned to it by the Internet Service Provider (ISP). This information can be used by both legitimate users and potentially malicious actors for various purposes, such as establishing network connectivity or identifying the device's location on the internet.
STA - Suricata - Possible Exploit Kit Activity Detected
This alert triggers when Suricata detects network traffic patterns or signatures associated with the use of an exploit kit, such as a landing page, the redirect chain leading to it, or the payload delivery that follows. Impact Exploit kits are designed to automate the process of finding and exploiting vulnerabilities in target systems. They often target common client software such as web browsers and their plugins (Flash and Java were the classic targets), so a single visit to a compromised or malicious site can be enough to infect an unpatched host. Mitigation Examine the Suricata alert for the exploit kit signature that matched. Correlate it with other network and endpoint activity to understand the scope of the potential attack. Correlate logs and alerts from various sources (network, endpoint, firewall, etc.) to get a comprehensive view of the incident. Review system and application logs on the client host for signs of compromise, such as unauthorized changes, unusual processes, or failed login attempts, and check whether the browser and plugins on that host are patched. MITRE Tactic: TA0042 MITRE Technique: T1588 MITRE Sub-Technique: 005
STA - Suricata - Domain Associated with Possible Command & Control Server Detected
This alert triggers when Suricata has detected network traffic involving a domain that is known to be associated with command and control (C2) activities. Impact A Command and Control (C2 or C&C) server is a central server used by cybercriminals and threat actors to manage and control malware-infected systems within a targeted network. C2 servers enable attackers to maintain communication with compromised devices, issue commands, exfiltrate data, and orchestrate coordinated attacks. Mitigation Check the domain/domains that were accessed from the host machine. Check the reputation of the domain. Use Zeek conn logs, notice logs, and Zeek insight logs to further analyze the traffic to and from that domain, data transferred or any files transferred using the Zeek files log. Use the 'uid' field to correlate all these activities. If needed, initiate an incident response activity. MITRE Tactic: TA0010 MITRE Technique: T1041
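The mitigation above says to follow the domain through the Zeek conn, notice, insight and files logs and to use the uid to tie them together. The pivot looks like this in code, as an added example written for this page rather than code from Coralogix or the STA. It assumes small constructed slices of dns.log, conn.log and files.log with the column subsets listed below; conn.log carries no domain, so the join goes from the DNS answers to the responder address, and files.log links back to connections through its conn_uids column.

```python
# Subsets of Zeek dns.log, conn.log and files.log columns, in the order of the sample lines
DNS_FIELDS = ["ts", "uid", "id.orig_h", "query", "answers"]
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.resp_h", "id.resp_p", "service", "orig_bytes", "resp_bytes"]
FILES_FIELDS = ["ts", "fuid", "conn_uids", "source", "mime_type", "filename", "total_bytes"]

# Constructed log slices. Zeek separates set/vector members with "," and writes "-" for unset fields.
DNS_LOG = """\
1717000000.0\tCdns1\t10.1.2.3\tupdates.bad.example\t203.0.113.50,203.0.113.51
1717000001.0\tCdns2\t10.1.2.3\tcdn.example\t198.51.100.20
1717000001.5\tCdns3\t10.1.2.9\tnope.bad.example\t-
"""
CONN_LOG = """\
1717000002.0\tCconn1\t10.1.2.3\t203.0.113.50\t443\tssl\t1540\t98231
1717000003.0\tCconn2\t10.1.2.3\t198.51.100.20\t80\thttp\t600\t20000
1717000010.0\tCconn3\t10.1.2.3\t203.0.113.51\t80\thttp\t300\t512000
"""
FILES_LOG = """\
1717000011.0\tFfile1\tCconn3\tHTTP\tapplication/x-dosexec\tupdate.exe\t512000
1717000012.0\tFfile2\tCconn2\tHTTP\ttext/html\t-\t20000
"""


def parse_zeek(text: str, fields: list[str]) -> list[dict]:
    """Parse tab-separated Zeek log lines into dicts keyed by the given column names."""
    return [dict(zip(fields, line.split("\t")))
            for line in text.splitlines() if line and not line.startswith("#")]


def pivot_on_domain(domain: str, dns_log: str, conn_log: str, files_log: str) -> dict:
    """Follow a domain from its lookups to the connections made to it and the files they carried."""
    resolved, hosts = set(), set()
    for rec in parse_zeek(dns_log, DNS_FIELDS):
        if rec["query"].lower() == domain.lower():
            hosts.add(rec["id.orig_h"])
            if rec["answers"] != "-":          # NXDOMAIN or empty answers give nothing to pivot on
                resolved.update(rec["answers"].split(","))
    # conn.log has no domain column: join on the addresses the domain resolved to
    conns = [c for c in parse_zeek(conn_log, CONN_FIELDS) if c["id.resp_h"] in resolved]
    conn_uids = {c["uid"] for c in conns}
    # files.log points back at connections through conn_uids, a set, hence the split
    files = [f for f in parse_zeek(files_log, FILES_FIELDS)
             if conn_uids & set(f["conn_uids"].split(","))]
    return {
        "querying_hosts": sorted(hosts),
        "resolved_ips": sorted(resolved),
        "conn_uids": sorted(conn_uids),
        "bytes_received": sum(int(c["resp_bytes"]) for c in conns),
        "files": [(f["fuid"], f["mime_type"], f["filename"]) for f in files],
    }


if __name__ == "__main__":
    print(pivot_on_domain("updates.bad.example", DNS_LOG, CONN_LOG, FILES_LOG))
```

The join on resolved addresses is the weak point: on a shared CDN address it pulls in unrelated connections. Where Zeek has the application layer, the server_name column of ssl.log or the host column of http.log gives a stricter match, and the uid in those logs is the same uid as in conn.log.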
STA - Suricata - Possible Denial of Service Detected
This alert triggers when Suricata detects network traffic patterns consistent with a Denial of Service (DoS) attack. Impact A DoS/DDoS attack aims to make a system, service, or network resource unavailable to its intended users by overwhelming it with a flood of illegitimate requests or by exploiting vulnerabilities. Mitigation Check the source IP or IPs causing the flood of requests against your servers. Check which endpoints are being targeted and from which locations. Check the response codes from your firewall, if one is placed on the perimeter. Additionally, implement rate limiting to restrict the number of requests or connections per second that can be made to the targeted service or network. Use firewall rules or access control lists (ACLs) to block IP addresses identified as sources of the DoS/DDoS attack; for a distributed attack with spoofed sources, expect to need upstream or provider-side filtering as well. MITRE Tactic: TA0040 MITRE Technique: T1498
STA - Suricata - Login Attempts Using Default Credentials
This alert triggers whenever someone tries to authenticate using a default username and password, for example username admin and password admin. Impact Attempting to log in using default usernames and passwords is a common indicator of malicious activity. Default credentials are published in vendor documentation and in public wordlists, which makes them the first thing attackers try against exposed devices and services, so detection of such an attempt may indicate an ongoing brute force or credential-stuffing campaign. Mitigation Check whether the login attempts are legitimate and known to the user. If not, investigate for other brute force attempts against the same target. It is best practice to change default credentials as soon as a device or service is provisioned. MITRE Tactic: TA0006 MITRE Technique: T1110
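The "admin:admin" example used by the suspicious-string alert above and by this default-credentials alert rarely appears on the wire as literal text: in HTTP Basic authentication it is sent base64-encoded (YWRtaW46YWRtaW4=), and in a login form it is split across two parameters. The following added example, written for this page and not code from Coralogix, Suricata or the STA, shows both decodings over constructed HTTP requests. The default-credential list and the parameter names it looks for are assumptions of the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Constructed list of default username/password pairs; a real list would come from a
# vendor default-password database and be far longer (assumption).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"),
                       ("admin", ""), ("administrator", "password")}

# Constructed requests as they would appear on the wire.
# "YWRtaW46YWRtaW4=" is base64("admin:admin"): a signature for the literal text admin:admin
# would not match this request.
REQ_BASIC_DEFAULT = (b"GET /manage HTTP/1.1\r\nHost: router.example\r\n"
                     b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n")
REQ_BASIC_OTHER = (b"GET /manage HTTP/1.1\r\nHost: router.example\r\n"
                   b"Authorization: Basic " + base64.b64encode(b"alice:s3cret-Xy") + b"\r\n\r\n")
REQ_FORM_DEFAULT = (b"POST /login HTTP/1.1\r\nHost: camera.example\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n"
                    b"Content-Length: 29\r\n\r\n"
                    b"username=admin&password=admin")
REQ_NO_AUTH = b"GET / HTTP/1.1\r\nHost: camera.example\r\n\r\n"

BASIC_RE = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$", re.I | re.M)
FORM_RE = re.compile(rb"^Content-Type:[ \t]*application/x-www-form-urlencoded", re.I | re.M)


def extract_credentials(raw: bytes) -> list[tuple[str, str]]:
    """Pull (user, password) pairs out of a Basic auth header and a form-encoded login body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    found = []
    m = BASIC_RE.search(head)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            decoded = ""  # malformed base64: nothing to compare against
        if ":" in decoded:
            user, _, password = decoded.partition(":")
            found.append((user, password))
    if FORM_RE.search(head) and body:
        params = dict(parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True))
        user = next((params[k] for k in ("username", "user", "login") if k in params), None)
        password = next((params[k] for k in ("password", "pass", "pwd") if k in params), None)
        if user is not None and password is not None:
            found.append((user, password))
    return found


def default_credential_used(raw: bytes):
    """Return the first default (user, password) pair seen in the request, or None."""
    for pair in extract_credentials(raw):
        if pair in DEFAULT_CREDENTIALS:
            return pair
    return None


if __name__ == "__main__":
    for name, req in [("basic-default", REQ_BASIC_DEFAULT), ("basic-other", REQ_BASIC_OTHER),
                      ("form-default", REQ_FORM_DEFAULT), ("no-auth", REQ_NO_AUTH)]:
        print(name, default_credential_used(req))
```

The practical point is that a NIDS rule for default credentials has to match the encoded or split form the protocol actually uses; whether a given Suricata rule does that is a property of the rule, so when this alert fires, look at the decoded payload in the alert rather than assuming the raw string was present.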
STA - Suricata - Possible Credential Theft Detected
This alert triggers when Suricata identifies network traffic or patterns that suggest a successful theft of user credentials, for example credential material being sent to an external host. Impact This type of alert is critical because it means attackers may have obtained valid usernames and passwords, potentially giving them unauthorized access to systems, applications, or data. Mitigation Detecting and responding to this alert promptly is crucial to limit the misuse of stolen credentials. Check the source IP and destination IP involved. If an external IP is involved, check its reputation and, if required, block it at the perimeter. If further investigation shows that credentials were indeed dumped, rotate them immediately to prevent their reuse, and review authentication logs for logins with those accounts from unexpected sources. MITRE Tactic: TA0006 MITRE Technique: T1003
STA - Collection - NIDS alert detected - Malware Command and Control Activity Detected
This alert indicates the presence of malicious software that is actively communicating with a remote command and control server. This classification suggests that the malware is receiving instructions or transmitting sensitive data to the external server.
STA - Collection - NIDS alert detected - Crypto Currency Mining Activity Detected
This alert signifies the detection of activities related to the unauthorized mining of cryptocurrencies. This classification suggests that there are attempts to utilize system resources for mining purposes without proper authorization. Detecting and responding to this alert promptly is crucial to prevent excessive resource consumption, potential performance degradation, and unauthorized use of computing power.
STA - Building Block - Collection - NIDS Alert Detected - Potentially Bad Traffic
This alert indicates the detection of suspicious network activity that may pose a security risk. This classification suggests that the observed traffic exhibits patterns or characteristics commonly associated with malicious or unwanted behavior. By identifying and investigating this alert, administrators can take appropriate measures to analyze and mitigate any potential threats, ensuring the integrity and security of the network.
STA - Collection - NIDS alert detected - Attempted User Privilege Gain
This alert indicates an active security event where an unauthorized entity or malware is attempting to gain higher privileges or elevate their access level within a system or network. This classification suggests that the attacker aims to acquire greater control and permissions, potentially enabling them to perform unauthorized actions or access sensitive resources. Detecting and responding to this alert promptly is crucial to prevent unauthorized privilege escalation and mitigate the risk of compromised systems or data.
STA - Collection - NIDS alert detected - Attempted Information Leak
This alert indicates an ongoing security event where there are deliberate attempts to disclose sensitive or confidential information. This classification suggests that an unauthorized entity or malware is actively trying to access and exfiltrate valuable data from the system or network. It is critical to respond promptly and implement appropriate measures to prevent unauthorized disclosure and protect the integrity of sensitive information.
STA - Suricata - Attempted Administrator Privilege Gain
This alert triggers when Suricata detects an attempt to escalate privileges to an administrator or root level. This type of alert signifies that an attacker is trying to gain elevated access on a target system, which could allow them to execute critical operations, access sensitive data, or take control of the system.
Impact
Key aspects of "Attempted Administrator Privilege Gain" in Suricata:
1. Privilege Escalation: Privilege escalation is the act of exploiting a vulnerability, misconfiguration, or other weakness in a system to gain higher levels of access than originally permitted. This can be either horizontal (gaining access to another user's resources) or vertical (gaining administrator/root privileges).
2. Types of Activities Detected:
a) Exploitation of Vulnerabilities: Using known exploits or vulnerabilities to gain administrative privileges.
b) Abuse of Legitimate Functions: Leveraging legitimate but misconfigured services or functions to escalate privileges.
c) Credential Theft and Usage: Using stolen administrative credentials to attempt unauthorized administrative actions.
d) Malware and Exploits: Using malware or exploit kits that include privilege escalation capabilities.
Mitigation
Check if the access attempts are legitimate and are known to the user. Check if the user should have these permissions. If not, investigate further and revoke any extra privileges that should not be assigned to the user. Check for other users who are overly privileged and reassign their privileges. Investigate any changes made by these users.
MITRE Tactic: TA0004 MITRE Technique: T1068
STA - Collection - NIDS alert detected - Attempted Denial of Service
This alert indicates an ongoing security event where there are active attempts to disrupt or impair the availability of a system or network. This classification signifies that an attacker is deliberately targeting the resources or services, aiming to overwhelm them and render them inaccessible to legitimate users. the continuity and reliability of the system or network.
STA - Exfiltration - New Connection to AS number
An autonomous system (AS) number is a globally unique identifier that allows its autonomous system to exchange routing information with other systems. This alert will fire whenever a public IP, represented by its AS number, has connected to an AS number that has not been seen as a destination AS number in the past three months. If this alert fires, it is recommended to analyze the connections to the detected AS number using Zeek's conn logs and/or Suricata's flow logs and related logs, to understand what types of connections were observed, what types of data were transferred, in which direction and by which service, and then to contact the relevant service owners and establish whether this connection is expected.
STA - Initial Access - New Connection from AS number
An autonomous system (AS) number is a globally unique identifier that allows its autonomous system to exchange routing information with other systems. This alert will fire whenever a public IP, represented by its AS number, has connected from an AS number that has not been seen as a source AS number in the past three months. If this alert fires, it is recommended to analyze the connections from the detected AS number using Zeek's conn logs and/or Suricata's flow logs and related logs, to understand what types of connections were observed, what types of data were transferred, in which direction and by which service, and then to contact the relevant service owners and establish whether this connection is expected.
STA - Health Status - The instance is using more than 95% CPU for more than 30 minutes
STA - Health Status - The Instance is using more than 95% of its root disk space for more than 30 minutes
STA - Health Status - The instance is using more than 95% memory for more than 30 minutes
STA - Health Status - The instance is using more than 95% of its metrics disk space for more than 30 minutes
STA - Health Status - Data sent to Coralogix is less than 100 events in 1 hr
STA - Health Status - Data sent to Coralogix is less than 100 zeek_conn events in 1 hr
STA - Health Status - Seeing less than 1 mirrored instances
STA - Health Status - Seeing less than 5 unique IPs in 1 hr
Correlation Alert - STA - Zeek - Access to a Suspicious Baby Domain Detected
This alert triggers whenever a queried domain is identified as suspicious by STA and it was also logged as a baby domain. "Baby domains" is a term used to describe newly registered domain names. These domains are often very young, sometimes only a few hours or days old. They are considered "babies" in the sense that they are fresh and have not yet developed a history or reputation.
Impact
Monitoring baby domains is crucial from a security perspective for several reasons:
1. Malicious Activities
a) Phishing Attacks: Cybercriminals frequently use newly registered domains to carry out phishing attacks. These domains are less likely to be blacklisted, allowing attackers to deceive users and steal sensitive information such as login credentials, credit card details, and other personal data.
b) Malware Distribution: Attackers use baby domains to host and distribute malware. Since these domains are new, they can evade detection by traditional security measures and blacklist services, which may not have updated information on them yet.
c) Command and Control (C2) Servers: Newly registered domains are often used as command and control servers for botnets. Monitoring these domains helps in identifying and blocking communication channels used by malware to receive commands and exfiltrate data.
2. Domain Generation Algorithms (DGAs)
a) Evasion Techniques: Some malware families use Domain Generation Algorithms (DGAs) to create a large number of new domains. By monitoring baby domains, security teams can detect patterns consistent with DGA activity and preemptively block these domains, disrupting the operation of the malware.
3. DNS Tunneling and Data Exfiltration
a) Covert Channels: Baby domains can be used for DNS tunneling, a technique for bypassing network security controls to exfiltrate data. By monitoring these domains, security teams can detect and block such attempts at data theft.
Mitigation
Inspect the data that was sent to that domain. Correlate with other Zeek logs for that "uid" to check whether any files were downloaded as part of that connection, and review the types of DNS queries to further understand the intention of that DNS query. Please see the link below for more detail on baby domains and the mitigation strategies: https://unit42.paloaltonetworks.com/newly-registered-domains-malicious-abuse-by-bad-actors/
MITRE Tactic: TA0011 MITRE Technique: T1568 MITRE Sub-Technique: 002
STA Flow Alert - Credential Access - Unusual Number of Failed RFB Login Attempts From Blacklisted IP
RFB (Remote Frame Buffer) is a simple open protocol for remote access to graphical user interfaces. It is used for remote access to computers running any windowing operating system, and it also allows transferring files, among other advanced features. This alert will fire if the number of failed RFB authentications is exceptionally high for the current time period. If this alert fires, it is recommended to investigate the RFB clients that appeared during the alerted time frame, to understand the sudden surge in the number of failed RFB authentications and find the process involved.
Correlation Alert - STA - Zeek - Notice Log Detected Connections From a Suspicious IP
This alert triggers whenever more than the usual number of connections are seen from blacklisted IPs within a short interval of time and an entry is logged in the Zeek notice logs for the same IP. Zeek notice logs are log files generated by Zeek to record and store information about security-related events and alerts.
Uses of Notice Logs:
1. Incident Response: Security teams use notice logs to investigate and respond to potential security incidents.
2. Forensic Analysis: Notice logs provide a historical record that can be analyzed to understand past security events and patterns.
3. Threat Detection: Automated systems and analysts use notice logs to identify and correlate signs of malicious activity.
Please see the link below for more details on Zeek notice logs: https://docs.zeek.org/en/master/frameworks/notice.html
Impact
Connections from blacklisted IPs can have significant and potentially harmful impacts on servers. Blacklisted IPs are often associated with malicious activities such as spamming, phishing, Distributed Denial of Service (DDoS) attacks, malware distribution, and unauthorized access attempts.
Mitigation
Investigate the malicious IPs and, if possible, block them at the gateway for several hours (because IPs can change if they are DHCP-based or behind NAT). Check any other relevant Zeek logs using the corresponding 'uid' if further investigation is required.
MITRE Tactic: TA0043 MITRE Technique: T1595 MITRE Sub-Technique: 001
Correlation Alert - STA - Zeek - Notice Log Detected Connections to a Suspicious IP
This alert triggers whenever more than the usual number of connections are seen to blacklisted/suspicious IPs within a short interval of time and an entry is logged in the Zeek notice logs for the same IP. Zeek notice logs are log files generated by Zeek to record and store information about security-related events and alerts.
Uses of Notice Logs:
1. Incident Response: Security teams use notice logs to investigate and respond to potential security incidents.
2. Forensic Analysis: Notice logs provide a historical record that can be analyzed to understand past security events and patterns.
3. Threat Detection: Automated systems and analysts use notice logs to identify and correlate signs of malicious activity.
Please see the link below for more details on Zeek notice logs: https://docs.zeek.org/en/master/frameworks/notice.html
Impact
Connections to blacklisted IPs can have significant and potentially harmful impacts on servers. Blacklisted IPs are often associated with malicious activities such as spamming, phishing, Distributed Denial of Service (DDoS) attacks, malware distribution, and unauthorized access attempts.
Mitigation
Investigate the malicious IPs for their legitimacy or possible false positives. If their legitimacy cannot be verified, investigate why the host was making connections to the suspicious IPs. Check any other relevant Zeek logs using the corresponding 'uid' for further investigation.
MITRE Tactic: TA0043 MITRE Technique: T1595 MITRE Sub-Technique: 001
Correlation Alert - STA - Zeek - Too Many Unique DNS Queries to Baby Domains
This alert triggers when a host makes multiple unique DNS queries for a specific domain and these DNS queries are also identified as DNS queries to baby domains by STA. The purpose is to detect C2 communication over DNS. It is based on the attack method in which threat actors want the infected machine to communicate with their registered domain over DNS: the infected machine sends details to the C2 server using DNS queries, and the DNS query itself will have unusual resource records. For example, a malicious FQDN will look like "base64-encodedstring.evil.com", which results in multiple such unique DNS queries from the infected host. "Baby domains" is a term used to describe newly registered domain names. These domains are often very young, sometimes only a few hours or days old. They are considered "babies" in the sense that they are fresh and have not yet developed a history or reputation.
Impact
DNS queries to random subdomains of a domain, especially when these subdomains are "baby domains" (newly registered or rarely used domains), can have significant impacts. Here are the key considerations:
1. Malware and Botnet Communication: Malware and botnets often use DNS queries to random subdomains as a means of communicating with C2 servers. This technique helps them avoid detection and maintain control over infected machines. Attackers use fast flux techniques, where the IP addresses associated with a domain change rapidly. This helps hide malicious activities behind an ever-changing network of compromised hosts.
2. DNS Tunneling: DNS tunneling can use random subdomains to encode and transmit data. This method can bypass traditional security controls and exfiltrate data from the network covertly. By using DNS queries to random subdomains, attackers can create a stealthy communication channel that is harder to detect with standard network monitoring tools.
Mitigation
Investigate the DNS queries to check whether they are indeed malicious. Check a reputation platform to verify the legitimacy of the domain. If these DNS queries are base64-encoded, try to decode them using CyberChef. If found malicious, isolate the host, check whether any other hosts are infected, and initiate an incident response process.
MITRE Tactic: TA0011 MITRE Technique: T1071 MITRE Sub-Technique: 004
Correlation Alert - STA - Zeek - Multiple Unique DNS Queries Made for a Suspicious Domain
This alert triggers when a host makes multiple unique DNS queries for a specific domain and these domains are identified as suspicious by STA. The purpose is to detect C2 communication over DNS. It is based on the attack method in which threat actors want the infected machine to communicate with their registered domain over DNS: the infected machine sends details to the C2 server using DNS queries, and the DNS query itself will have unusual resource records. For example, a malicious FQDN will look like "base64-encodedstring.evil.com", which results in multiple such unique DNS queries from the infected host.
Impact
DNS queries to random subdomains of a domain, especially when these domains are identified as suspicious by STA, can have significant impacts. Here are the key considerations:
1. Malware and Botnet Communication: Malware and botnets often use DNS queries to random subdomains as a means of communicating with C2 servers. This technique helps them avoid detection and maintain control over infected machines. Attackers use fast flux techniques, where the IP addresses associated with a domain change rapidly. This helps hide malicious activities behind an ever-changing network of compromised hosts.
2. DNS Tunneling: DNS tunneling can use random subdomains to encode and transmit data. This method can bypass traditional security controls and exfiltrate data from the network covertly. By using DNS queries to random subdomains, attackers can create a stealthy communication channel that is harder to detect with standard network monitoring tools.
Mitigation
Investigate the DNS queries to check whether they are indeed malicious. Check a reputation platform to verify the legitimacy of the domain. If these DNS queries are base64-encoded, try to decode them using CyberChef. If found malicious, isolate the host, check whether any other hosts are infected, and initiate an incident response process.
MITRE Tactic: TA0011 MITRE Technique: T1071 MITRE Sub-Technique: 004
Correlation Alert - STA - Zeek - Connection Observed to a Suspicious Domain and a Suspicious IP
This alert triggers whenever a connection/query is made to a suspicious domain and, around the same time, a connection was seen to a blacklisted IP and the domain the connection was made to resolves to this blacklisted IP. The suspicious domain can be a C2 server or any type of domain generation algorithm (DGA) domain, though it is not necessarily malicious. Note: The blacklisted IP information is present in one Zeek log file and the domain information in a different log file; this flow alert binds both activities together based on the destination IP information.
Impact
Connecting to a malicious domain can have severe consequences for an individual or organization. Here are the key impacts:
1. Malware Infection: Visiting a malicious domain can result in the automatic download and installation of malware, such as viruses, trojans, ransomware, or spyware. This can compromise the affected system and, by extension, the entire network. Some malicious domains use drive-by download attacks, which exploit browser vulnerabilities to download malware without any user interaction.
2. Phishing and Credential Theft: Malicious domains often host phishing pages designed to mimic legitimate websites. Unsuspecting users may enter sensitive information such as usernames, passwords, and credit card details, which attackers can then steal. Attackers can use malicious domains to harvest credentials through various means, including fake login forms, keyloggers, and other malicious scripts.
3. Data Exfiltration: Once a system is compromised, attackers can exfiltrate sensitive data, including personal information, financial data, intellectual property, and confidential business information. Malicious domains can be used to maintain a persistent connection with compromised systems, enabling continuous data theft over an extended period.
Mitigation
Investigate the domain the connection was made to for its legitimacy. If its legitimacy cannot be verified and it is found to be malicious by prominent reputation check platforms such as VirusTotal, investigate the blacklisted IP further as well. Check other Zeek logs using the 'uid' for any other process involved, for whether the infection spread to other hosts, and for other alerts on the same host around this time.
MITRE Tactic: TA0011 MITRE Technique: T1071 MITRE Sub-Technique: 004
Correlation Alert - STA - Zeek - Unusual High Volume of DNS Requests to Suspicious Domains Returned NXDOMAIN
This alert triggers whenever an unusually high number of DNS queries result in failure with the NXDOMAIN response code and the queried domains are flagged as suspicious/malicious by STA's automated NLP analysis. A high number of NXDOMAIN response codes in DNS queries indicates that many requests are being made for domain names that do not exist.
Impact
A high number of DNS queries resulting in NXDOMAIN error codes can have several security implications, ranging from indications of misconfiguration to potentially malicious activity. Here are the key security impacts:
1. Command and Control (C2) Communication: Malware and botnets often use DNS to communicate with their command and control servers. They may generate DNS queries for non-existent domains as part of their attempt to find an active C2 server. High NXDOMAIN responses can indicate such activities.
2. Domain Generation Algorithms (DGAs): Some malware uses DGAs to generate numerous domain names to avoid detection and ensure resilience. These generated domains are queried, resulting in many NXDOMAIN responses until an active domain is found.
3. DNS Tunneling and Data Exfiltration: Attackers might use DNS tunneling to exfiltrate data or communicate covertly. High NXDOMAIN responses can be a byproduct of attempts to establish or maintain these channels.
Mitigation
Check whether the queried domains are malicious or legitimate. Check whether the domains look machine-generated. If their legitimacy cannot be confirmed, or if the domains are malicious, investigate further for any possible C2 server or data exfiltration attempts. Investigate further to find whether any other hosts also triggered similar alerts and show the same pattern.
MITRE Tactic: TA0037 MITRE Technique: T1637 MITRE Sub-Technique: 001
Correlation Alert - STA - Zeek - Connection to a Suspicious Domain with a Suspicious Certificate Issuer
This alert triggers whenever an accessed domain has a certificate issuer that is found suspicious based on STA's NLP analysis and looks computer-generated, and this domain resolves to an IP that is tagged as suspicious by STA. Please note that the certificate information and the suspicious IP information may be present in two different Zeek logs.
Impact
Connecting to a domain that has a suspicious or unknown certificate issuer can have several significant impacts, primarily related to security risks. Here are the key impacts:
1. Man-in-the-Middle (MitM) Attacks: An attacker could intercept and read sensitive data transmitted between the client and the server. This includes personal information, login credentials, financial data, and other confidential information. Attackers could alter the data being transmitted, leading to data corruption, unauthorized changes, or injection of malicious content.
2. Phishing and Malware: A website with a suspicious certificate issuer might be a phishing site designed to steal credentials or personal information. These websites could host and distribute malware, infecting the user's device and potentially compromising further systems.
3. Loss of Data Integrity: Communications with the website might be tampered with, leading to data integrity issues where the received data is not what was originally sent.
Mitigation
Investigate the relevant domain and check its reputation. Also check the reputation of the IP address the domain resolves to, since it was identified as suspicious by STA. Review the certificate and, if the certificate issuer is unknown, investigate further using the 'uid' in the relevant Zeek logs.
MITRE Tactic: TA0042 MITRE Technique: T1587 MITRE Sub-Technique: 003
Correlation Alert - STA - Zeek - Multiple SSH Connection Attempts Followed by MySQL Login Attempt (By Source IP)
This alert triggers whenever multiple SSH connection attempts are seen from a source IP to a destination IP/IPs and it is subsequently observed that the same source IP was making multiple login attempts on a MySQL database server.
Impact
Multiple SSH connection attempts followed by multiple MySQL login attempts can have significant security impacts. Here are the key considerations:
1. Brute Force and Credential Stuffing Attacks: Multiple SSH and MySQL login attempts are strong indicators of brute force attacks or credential stuffing, where attackers systematically try different username and password combinations to gain unauthorized access. Successful brute force attacks can lead to the compromise of SSH accounts, which can then be used to launch further attacks on MySQL databases.
2. Potential Intrusion and Lateral Movement: Once an attacker gains SSH access, they can move laterally within the network, targeting other systems including MySQL servers. Compromising SSH access can lead to privilege escalation, allowing attackers to gain administrative control over the server and subsequently attempt to access MySQL databases.
3. Database Breach: Multiple MySQL login attempts following SSH access can indicate attempts to exfiltrate sensitive data stored in the database. Attackers may attempt to manipulate or corrupt data within the MySQL database once access is gained.
Mitigation
Check whether the user/admin is aware of the login attempts and that the requesting user is authorized to make the connection/login attempts. Also check whether there was any subsequent successful login attempt. Investigate the source IP and its geo details, and look for any malicious alerts triggered around the same time. If needed, block the source IP, and if there is no business in the country where this connection originated from, put geo-blocking in place.
MITRE Tactic: TA0006 MITRE Technique: T1110
Correlation Alert - STA - Zeek - Multiple SSH Connections Detected From a Blacklisted IP
This flow alert triggers whenever multiple SSH connections are seen from an IP within a specific time interval and, around the same time, one or more connections were seen from a blacklisted IP that is the same IP seen earlier attempting SSH connections.
Notes:
1. Here, the threshold is set at more than 10 connections from the IP address within a time interval of 10 minutes. Please feel free to change the threshold value as per your business requirements.
2. The blacklisted IP information is present in one Zeek log file and the SSH connection information may be present in a different log file; this flow alert binds both activities together based on the destination IP information.
Impact
SSH connections from a malicious IP address can have several significant impacts, including but not limited to the following:
1. Unauthorized Access: Malicious actors can gain unauthorized access to the server or network. This can lead to data breaches, data theft, or the compromise of sensitive information.
2. Privilege Escalation: Once inside, attackers can exploit vulnerabilities to escalate their privileges, gaining administrative or root access. This allows them to make system-wide changes, install malicious software, or further compromise other systems.
3. Data Exfiltration: Attackers can transfer sensitive data out of the network, leading to data loss and potential financial or reputational damage to the organization.
4. Deployment of Malware: Malicious actors can install various types of malware, such as ransomware, trojans, or spyware, which can further compromise the integrity and security of the system.
5. Creation of Backdoors: Malicious users often create backdoors to maintain persistent access to the compromised system, making it difficult to fully remove their presence and regain control over the system.
Mitigation
Validate whether the connection attempts are legitimate and the IP address was falsely flagged as malicious. If this is the case, whitelist the IP or the IP block. If the connection attempts are not legitimate, block the IP address, and if any connection was successful, investigate further for other malicious activities.
MITRE Tactic: TA0008 MITRE Technique: T1021 MITRE Sub-Technique: 004
STA Flow Alert - DNS Exfiltration/C2 Connectivity - DNS Activity on TCP Detected and Unusual Reconnaissance Activity
DNS requests should always be transmitted over UDP. DNS requests over TCP are usually used either for DNS zone transfers or for transferring large quantities of data using the DNS protocol. Both can be an indication of malicious activity. If this alert fires, it is recommended to inspect the data that was transmitted or received in those DNS calls over TCP. It is also recommended to inspect the processes and machines involved in those queries by using audit logs from these machines.
STA Flow Alert - C2 Connectivity - Unusual TOR Activity
Connection attempts from TOR network (https://en.wikipedia.org/wiki/Tor_(network)) nodes to publicly accessible servers are unfortunately common behavior. This alert will fire only if the number of such attempts is higher than normal. If this alert fires, it is recommended that the IPs involved be inspected (which connections from/to the organization involved them, what data was received/sent from/to them) and, if possible, blocked at the gateway for several hours (because IPs can change if they are DHCP-based or behind NAT).
Building Block - STA - Zeek - Connections to Blacklisted IPs
This alert triggers whenever a connection is made to a blacklisted/malicious IP. Please fine-tune this alert to limit the potential false positives.
Correlation Alert - STA - Zeek - DNS Activity for a Suspicious Domain Observed on TCP Protocol
This alert triggers whenever a DNS query is made to a suspicious domain over TCP rather than the usual UDP protocol. DNS requests over TCP are usually used either for DNS zone transfers or for transferring large quantities of data using the DNS protocol. The suspicious domain can be a C2 server or any type of domain generation algorithm (DGA) domain. This alert is based on an automated NLP analysis.
Impact
Attackers use DNS over TCP to exfiltrate large amounts of data for several reasons:
1. Bypassing Network Monitoring and Filtering:
a. Evasion of Detection: Traditional network security tools often focus on monitoring and filtering HTTP/HTTPS traffic more rigorously than DNS traffic. By using DNS, attackers can evade these defenses and exfiltrate data without raising immediate alarms.
b. Less Scrutiny: DNS traffic is typically given less scrutiny because it is essential for network operations. This makes it an attractive channel for attackers to use for data exfiltration.
2. Handling Large Payloads:
a. Overcoming UDP Size Limits: DNS over UDP has a size limit of 512 bytes for responses (though this limit can be extended with EDNS0). Larger responses require TCP. Attackers use DNS over TCP to bypass these size limitations and exfiltrate larger chunks of data in fewer packets.
b. Reliable Transmission: TCP ensures reliable delivery of packets, which is essential when transferring large amounts of data. The connection-oriented nature of TCP guarantees that data is received in the correct order and without loss, which is not assured with UDP.
3. Stealth and Covert Channels:
a. Blend with Legitimate Traffic: DNS queries and responses are common on any network. Attackers exploit this by embedding data within DNS traffic, making it difficult for network defenders to distinguish between legitimate DNS traffic and exfiltration attempts.
b. DNS Tunneling: Attackers use DNS tunneling techniques to encode data within DNS queries and responses. This data is then transmitted to an external server controlled by the attacker. DNS over TCP is particularly useful for DNS tunneling due to its ability to handle larger payloads.
Mitigation
Check whether the queried domain is malicious or legitimate. Check whether there was a high amount of data transferred to that domain, and check the legitimacy of this data transfer. If it cannot be confirmed, investigate further for possible data exfiltration scenarios.
MITRE Tactic: TA0011 MITRE Technique: T1572
STA - Zeek - DNS Query to a Suspicious Domain
This alert triggers whenever a connection or query is made to a suspicious domain. The suspicious domain can be a C2 server or any type of domain generation algorithm (DGA) domain. This alert is based on an automated NLP analysis.
Impact
A DNS query to a suspicious domain can have significant security implications, indicating potential malicious activity or network compromise. The key potential impacts are:
1. Malware Communication:
a) Command and Control (C2): Many malware families use DNS to communicate with C2 servers. A DNS query to a suspicious domain can indicate that an infected machine is attempting to reach its C2 infrastructure for instructions.
b) Data Exfiltration: DNS can be used as a covert channel for data exfiltration, where sensitive data is encoded in DNS queries and sent to an attacker-controlled domain.
2. Botnet Activity:
a) Botnet Coordination: Infected machines often use DNS to locate and connect to botnet controllers. DNS queries to suspicious domains can indicate botnet activity within the network.
3. Phishing Campaigns:
a) Phishing Sites: DNS queries to suspicious domains can indicate attempts to access phishing sites designed to steal user credentials, financial information, or other sensitive data.
Mitigation
Investigate the DNS queries to check whether they are indeed malicious. Use a reputation platform to check the legitimacy of the domain. If the DNS query labels are Base64 encoded, try to decode them using CyberChef. If found malicious, isolate the host, check whether any other hosts are infected, and initiate an incident response process.
MITRE Tactic: TA0011
MITRE Technique: T1071
MITRE Sub-Technique: 004
STA Flow Alert - DNS Exfiltration/C2 Connectivity - DNS Activity on TCP Detected to Blacklist IP
DNS requests should always be transmitted over UDP. DNS requests over TCP are usually used either for DNS zone transfers or for transferring large quantities of data using the DNS protocol. Both can be an indication of malicious activity. It is recommended that if this alert fires, the data transmitted or received in those DNS calls over TCP be inspected. It is also recommended to inspect the processes and machines involved in those queries by using audit logs from these machines.
STA - Discovery - Request for Public IP Echo Services Detected
Many types of malicious tools will try to find where the attacked computer is located geographically; to do that, they will try to get its public IP, often by using one of the services listed below. It is recommended that if this alert fires, the processes and machines that attempted to connect to these services be inspected using audit logs as well as Zeek conn and Suricata flow logs, and possibly the actual packets, to understand which data was sent or received by the processes that attempted to obtain the computer's public IP through these services.
STA Flow Alert - Collection - Outbound Connection From a DB Server
Database servers hold sensitive data that must be kept safe and out of reach of all outsiders unless they have permission to access it. A connection from a database server (a host that recently responded on ports 5432/1433/9200/3306) to a destination outside the organization is suspicious activity, and this alert will fire when one is seen.
STA Flow Alert - Reconnaissance - Protocol Anomaly & Reconnaissance
This alert is activated when both a non-standard protocol usage and unusual reconnaissance activity are detected within the same timeframe. The first part, "STA - Collection - NIDS Alert Detected - Detection of a Non-Standard Protocol," identifies activities involving atypical protocols that may be used to bypass typical security measures or exploit specific vulnerabilities. Concurrently, "Reconnaissance - Unusual Reconnaissance Activity Detected," marks an increase in reconnaissance efforts, indicating a heightened risk of upcoming targeted attacks or system probing. This alert framework emphasizes the need for heightened vigilance and rapid response during periods when these dual anomalies arise simultaneously, pointing to a possible escalation in threat level across the network.
STA Flow Alert - Reconnaissance - A Traffic Matched a Zeek Signature From Suspected IP
This alert will fire if traffic seen by Zeek matched a Zeek script's signature and originated from a suspected IP.
STA Flow Alert - Impact - Trojan & SNMP Anomaly
This alert is triggered when two distinct security events linked by the same source IP occur within a short time window. The first event is the detection of a network Trojan, identified by "STA - Collection - NIDS Alert Detected - A Network Trojan Was Detected." This malware is sophisticated, capable of masquerading as legitimate traffic to facilitate unauthorized access and control of systems, which can lead to data manipulation or escalation of attacks within the network. The second event is an abnormal spike in SNMP set requests, as indicated by "STA - Impact - Unusual Number of SNMP Set Requests." Such spikes are often exploited in DDoS attacks or for executing XSS and SQL injection attacks, threatening network integrity and data security. The temporal proximity and the shared source IP indicate a coordinated attack strategy, demanding immediate investigation and a targeted response to prevent widespread network compromise and data loss.
STA Flow Alert - Collection - Trojan & MySQL Intrusion
This alert is configured to trigger when two significant and related security threats are detected within a specific timeframe. The first alert, "STA - Collection - NIDS Alert Detected - A Network Trojan Was Detected," indicates the presence of a network Trojan identified by Suricata. This type of malware is designed to disguise itself as legitimate network traffic, facilitating unauthorized access and control over compromised systems, potentially leading to data exfiltration or further internal attacks. The second alert, "STA - Credential Access - Unusual Number of MySQL Login Attempts," signals a potential breach attempt targeting the MySQL database, which often contains critical and sensitive organizational data. An unusually high number of login attempts can indicate a brute-force attack or an attempt to exploit database vulnerabilities. Together, these alerts highlight a coordinated attack aiming both at network infiltration and data breach attempts, necessitating immediate and comprehensive security measures to investigate and mitigate the threats.
STA Flow Alert - Collection - Network Trojan & RFB Breach
This alert is configured to trigger when two distinct but potentially related security events occur. The first part of the alert sequence concerns a network Trojan detected by Suricata, which camouflages itself within legitimate network traffic. This malware enables unauthorized access, remote control of compromised systems, data exfiltration, and facilitation of further internal attacks, representing a significant threat to network security. Following closely, the alert for "STA - Credential Access - Unusual Number of Failed RFB Login Attempts" suggests an aggressive attempt to access systems via the RFB protocol, commonly used for remote graphical interface access. An abnormal increase in failed login attempts could indicate a brute-force attack or other unauthorized access attempts. This alert implies that the detected network Trojan could be part of a broader strategy to gain remote access and control over critical systems. Immediate investigation into both the source and nature of these alerts is crucial to thwart ongoing attacks and prevent potential data breaches or system compromises.
STA Flow Alert - Collection - Detection of a Network Scan & RFB Breach Attempt
The detection of a network scan refers to the identification of suspicious activity indicating an attempt to scan a network for potential vulnerabilities or open ports. This alert suggests that an entity or automated system is systematically probing the network infrastructure to gather information about the available services or devices. Network scanning can be performed for legitimate purposes, such as network administration and security auditing. However, it can also be employed by malicious actors seeking to identify weak points for potential exploitation.
When the alert is fired, it is recommended to immediately isolate the affected network segments to prevent further unauthorized access attempts. Conduct a thorough analysis of the network logs related to the RFB and scan activities to identify the source and method of the attacks.
Detecting network scans is crucial as it allows network administrators to investigate and address any vulnerabilities promptly, enhancing the overall security posture of the network.
STA Flow Alert - Reconnaissance - Suspicious Traffic & Reconnaissance Activity
This alert is specifically designed to identify potential threats when two related security incidents, originating from the same source IP, occur within a short time window. The initial alert, "NIDS Alert Detected - Potentially Bad Traffic," indicates the presence of network traffic that exhibits characteristics typical of malicious or unwanted behavior, such as malware communication or unauthorized data attempts. Following this, the second alert, "STA - Reconnaissance - Zeek Notice Detected," confirms reconnaissance activities detected by Zeek, which may involve scanning for vulnerabilities or probing network defenses. The combination of these alerts, coupled with their temporal proximity and common source IP, highlights a coordinated attempt to explore and possibly exploit network vulnerabilities. Immediate, focused investigation and response are crucial to mitigate any emerging threats and secure network integrity.
STA Flow Alert - Collection - Network Intrusion & Database Threat
This alert is triggered when two related security events are detected from the same source IP within a short time window. The first event is the detection of potentially bad traffic, as identified by "STA - Collection - NIDS Alert Detected - Potentially Bad Traffic," which indicates suspicious network activity that could signal the onset of an attack. This includes traffic patterns commonly associated with malicious behavior such as scanning, probing, or preliminary exploitation attempts. The second event, "STA - Credential Access - Unusual Number of MySQL Login Attempts," highlights an abnormal surge in login attempts to a MySQL database system, potentially signifying an attempt to exploit discovered vulnerabilities or perform a brute-force attack. This database often contains critical and sensitive information, making it a prime target for attackers. This flow alert suggests a coordinated attack is underway, combining network manipulation with direct attempts to access valuable data. Immediate investigation and response are imperative to mitigate potential threats and safeguard the integrity and security of the network and its critical databases.
STA Flow Alert - Collection - Bad Traffic & Lateral Movement
This alert is activated when suspicious network activity and unusual lateral movements are detected simultaneously from the same source IPs, suggesting a coordinated attack. The first component, "STA - Collection - NIDS Alert Detected - Potentially Bad Traffic," detects initial unauthorized or malicious activities that could range from scanning to preliminary data breaches. The second component, "STA Insight - Lateral Movement - More than 10 lateral connections in 10 minutes," signals rapid internal expansion within the network, often indicative of an attacker attempting to establish footholds or access sensitive information across multiple systems. This combined alert underscores an urgent, multifaceted security threat that requires immediate, comprehensive defensive actions to prevent widespread network compromise.
STA Flow Alert - Collection - NIDS Alert Detected - Detection of a Network Scan From Blacklisted IP
The detection of a network scan refers to the identification of suspicious activity indicating an attempt to scan a network for potential vulnerabilities or open ports. This alert suggests that an entity or automated system is systematically probing the network infrastructure to gather information about the available services or devices. Network scanning can be performed for legitimate purposes, such as network administration and security auditing. However, it can also be employed by malicious actors seeking to identify weak points for potential exploitation. Detecting network scans is crucial as it allows network administrators to investigate and address any vulnerabilities promptly, enhancing the overall security posture of the network.
STA Flow Alert - Reconnaissance & Network Scan
This alert is triggered when both a network scan and unusual reconnaissance activities are detected concurrently within the same timeframe. This alert signals that an entity or automated system is not only probing the network infrastructure for vulnerabilities and open ports but is also engaging in heightened reconnaissance against publicly accessible servers. The simultaneous occurrence of these alerts suggests a sophisticated attempt to map out and exploit network weaknesses. Immediate and comprehensive security measures are necessary to investigate the scope of the probing and reconnaissance, block any identified malicious sources, and reinforce the network's defenses against further exploitation.
STA Flow Alert - Collection - Login Attempted & RFB Breach Attempt
This alert is triggered when there is simultaneous detection of an attempted login using a suspicious username and a surge in failed RFB login attempts within the same defined period. The first alert points to the use of a username that is either unconventional or linked to previous security incidents, hinting at a deliberate attempt to breach system security. Concurrently, the second alert of numerous failed RFB login attempts suggests an aggressive effort to gain remote access to the network's graphical user interfaces. This simultaneous occurrence of these alerts underlines a potential coordinated attack, necessitating immediate investigation to ascertain the source and intent of these attempts, and to implement enhanced security measures to prevent further unauthorized attempts.
Correlation Alert - STA - Suricata - New Outbound Connection Observed Over a Non-Standard Port
This flow/correlation alert triggers whenever an internal host is seen communicating with an IP address outside of the organization for the first time (the first outbound connection of the host) and the communication takes place over a non-standard port for the corresponding service.
Impact
Communications over unusual or non-standard ports can have several significant impacts. The key considerations are:
1. Evasion of Security Measures: Unusual port communications can bypass firewall rules that are typically configured to monitor and restrict traffic on standard ports. This can allow malicious traffic to enter or leave the network undetected. Intrusion detection and prevention systems (IDS/IPS) are often optimized to monitor traffic on standard ports; using unusual ports can evade these systems, making it harder to detect malicious activities.
2. Malware Communication: Malware often uses unusual ports to communicate with command and control servers to avoid detection. This can facilitate data exfiltration, remote control of infected systems, and other malicious activities. Attackers can use non-standard ports to exfiltrate data, making it more challenging for security teams to detect and block these actions.
3. Anomaly Detection Challenges: Communications over unusual ports can blend in with legitimate traffic if not properly monitored, complicating the identification of anomalous or suspicious activities. Legitimate applications using non-standard ports can trigger false positives in security monitoring systems, leading to unnecessary alerts and potential alert fatigue among security personnel.
Mitigation
Check what the port number is and whether its usage is known. If not, investigate further for any malicious activities. Correlate the activities using 'uid' with other Zeek log files.
MITRE Tactic: TA0011
MITRE Technique: T1571
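As an added example (not code from the Coralogix/Snowbit STA extension), here is a small Python replay of two of the flow rules described on this page, "Outbound Connection From a DB Server" (hosts that recently responded on ports 5432/1433/9200/3306) and this "New Outbound Connection Over a Non-Standard Port" rule (first outbound connection of a host, on a port that is non-standard for the Zeek-identified service), run over constructed Zeek conn.log JSON records. The internal address ranges, the 24-hour "recently responded" window and the service-to-standard-port mapping are assumptions, not the extension's own configuration.

```python
import ipaddress
import json

# Constructed sample Zeek conn.log records in JSON format (not real traffic).
SAMPLE_CONN_LOG = """\
{"ts":1700000000.1,"uid":"C1db","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"10.0.0.20","id.resp_p":5432,"proto":"tcp","service":"postgresql"}
{"ts":1700000010.2,"uid":"C2db","id.orig_h":"10.0.0.20","id.orig_p":40000,"id.resp_h":"203.0.113.9","id.resp_p":443,"proto":"tcp","service":"ssl"}
{"ts":1700000020.3,"uid":"C3web","id.orig_h":"10.0.0.7","id.orig_p":40001,"id.resp_h":"198.51.100.4","id.resp_p":443,"proto":"tcp","service":"ssl"}
{"ts":1700000030.4,"uid":"C4odd","id.orig_h":"10.0.0.8","id.orig_p":40002,"id.resp_h":"198.51.100.5","id.resp_p":8443,"proto":"tcp","service":"ssh"}
{"ts":1700000040.5,"uid":"C5odd","id.orig_h":"10.0.0.7","id.orig_p":40003,"id.resp_h":"198.51.100.6","id.resp_p":2222,"proto":"tcp","service":"ssh"}
"""

DB_PORTS = {5432, 1433, 9200, 3306}      # ports named in the DB-server alert description
DB_WINDOW_SECONDS = 24 * 3600             # assumed meaning of "recently responded"
# Assumed organization address space; replace with your own ranges.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed mapping of Zeek service labels to the ports considered standard for them.
STANDARD_PORTS = {"ssl": {443}, "http": {80}, "ssh": {22}, "dns": {53}}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the organization's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def detect(conn_log: str) -> list:
    """Replay conn.log records in time order; return (alert, uid, orig_h) tuples."""
    records = sorted((json.loads(line) for line in conn_log.splitlines() if line.strip()),
                     key=lambda r: r["ts"])
    last_db_response = {}   # host -> ts at which it last answered on a DB port
    seen_outbound = set()   # hosts that already made an outbound connection
    alerts = []
    for r in records:
        orig, resp, resp_p = r["id.orig_h"], r["id.resp_h"], r["id.resp_p"]
        # Learn DB servers from internal hosts answering on DB ports.
        if is_internal(resp) and resp_p in DB_PORTS:
            last_db_response[resp] = r["ts"]
        if not (is_internal(orig) and not is_internal(resp)):
            continue  # only internal -> external connections count as outbound
        # Rule 1: outbound connection from a host that recently acted as a DB server.
        if orig in last_db_response and r["ts"] - last_db_response[orig] <= DB_WINDOW_SECONDS:
            alerts.append(("Outbound Connection From a DB Server", r["uid"], orig))
        # Rule 2: first outbound connection of this host AND a non-standard port for its service.
        # A later connection from the same host (C5odd) is deliberately not flagged by this rule.
        if orig not in seen_outbound:
            standard = STANDARD_PORTS.get(r.get("service"))
            if standard is not None and resp_p not in standard:
                alerts.append(("New Outbound Connection Over a Non-Standard Port", r["uid"], orig))
        seen_outbound.add(orig)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_CONN_LOG):
        print(alert)  # the uid is what you would pivot on in the other Zeek logs
```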
STA Flow Alert - Collection - Admin Intrusion & Trojan Detection
This classification indicates the identification of a malicious program or code specifically designed to infiltrate a network and perform unauthorized activities. This alert suggests that Suricata has detected the presence of a network Trojan, which is a type of malware that disguises itself as legitimate network traffic or software. Network Trojans are often used by attackers to gain unauthorized access, control compromised systems remotely, exfiltrate sensitive data, or launch further attacks within the network. Detecting a network Trojan is crucial as it reveals the presence of a significant security threat that requires immediate investigation and mitigation.
STA Flow Alert - Collection - Scan & SNMP Manipulation
This alert is designed to trigger when suspicious network scanning activity coincides with an unusual volume of SNMP set requests within the same timeframe. The first component, "STA - Collection - NIDS Alert Detected - Detection of a Network Scan" identifies attempts to probe the network, possibly seeking vulnerabilities or open ports which could be exploited. Simultaneously, the second alert, "Impact - Unusual Number of SNMP Set Requests," indicates abnormal SNMP activity, which may be an attempt to change device configurations maliciously or as part of a DDoS attack strategy. This combined alert suggests a sophisticated and potentially harmful attempt to both discover and exploit network weaknesses, necessitating immediate and thorough investigations to secure the network against these dual threats.
Integration
Learn more about Coralogix's out-of-the-box integration with Snowbit STA in our documentation.