Threat Detection - Alerts

Have we flagged an alert, but you are unsure what it means? We can help with that!

ActiveX Attack: ActiveX is a framework created by Microsoft to extend the functionality of the Component Object Model (COM) and Object Linking and Embedding (OLE) and apply it to content downloaded from networks. ActiveX is mostly used for creating add-ons for web browsers, particularly Internet Explorer. ActiveX provides native code execution. Buffer overflows and file overwriting are among the ActiveX vulnerabilities that are usually exploited.

Anomaly: Anomaly-based detection is the identification of data points, items, observations or events that show behavior in the network traffic that deviates from the expected normal traffic pattern.

Attack Response: Raised when there is a lateral movement or file creation request, or, for example, when an attacker is able to fetch data by executing an SQL command and the server returns a 200 response at that moment, which means the attacker was successful.

BOT: Short for “robot”, a type of software application or script that performs automated tasks on command. Bad bots perform malicious tasks that allow an attacker to remotely take control of an affected computer. Once infected, these machines may also be referred to as zombies.

Blacklisted URLs: Malicious websites that serve malware and viruses.

Blacklisted: An IP address or domain name that appears to be acting as a source of malware or viruses.

Compromised IP: IP addresses of machines infected by malware such as a Trojan.

CIARMY: Each time the IP list is changed, modified, or updated, we keep track of its size (both the number of entries and the number of unique IPs matched). Using this information, we can detect what the list maintainers do and get an idea of the list's trend and its maintainers' habits.

DNS Attack: An exploit in which an attacker takes advantage of vulnerabilities in the domain name system (DNS). DNS is a protocol that translates a user-friendly domain name into the computer-friendly IP address.

DoS Attack: A denial-of-service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. The attacker sends several requests to the target server, overloading it with traffic. These service requests are illegitimate and have fabricated return addresses, which mislead the server when it tries to authenticate the requester.

DShield: A list containing a set of malicious IPs and URLs.

Exploit: Code that checks for a vulnerability on a particular machine and exploits that vulnerability.

FTP Attacker: An exploit of the FTP protocol whereby an attacker is able to use the PORT command to request access to ports indirectly through the victim machine, which serves as a proxy for the request.

HTTP: HTTP flood is a type of Distributed Denial of Service (DDoS) attack in which the attacker exploits seemingly legitimate HTTP GET or POST requests to attack a web server or application.

ICMP Attack: An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common Denial-of-Service (DoS) attack in which an attacker attempts to overwhelm a targeted device with ICMP echo requests (pings). By flooding the target with request packets, the network is forced to respond with an equal number of reply packets. This causes the target to become inaccessible to normal traffic.

IMAP Attack: An attacker exploits weaknesses in input validation on IMAP/SMTP servers to execute commands on the server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user.

NETBIOS Attack: A NetBIOS attack exploits a flaw in Windows. It does not require any hidden backdoor program to be running on your computer, which is what makes it so dangerous. NetBIOS is meant to be used on local area networks so that machines on the network can share information. The flaw is that NetBIOS can also be used across the Internet, which gives an attacker a chance to access your machine remotely. The port used is 139.

P2P Attack: Peer-to-peer attacks exploit the fabric of peering technology to perform attacks. These attacks are distinguished from other types of attacks by the following:
a. The attacker does not have to communicate with the clients for subversion.
b. The automated nature of peer-to-peer technology can allow for bot-like amplification of an attack with the permission of the victim.

SMTP Attack: Scripting this attack can test thousands of e-mail address combinations. The SMTP command EXPN might allow attackers to verify what mailing lists exist on a server. You can simply telnet to your e-mail server on port 25 and try EXPN on your system.

Another way to partially automate the process is to use the EmailVerify program in. It uses port number 25.

SNMP Attack: SNMP reflection, like other reflection attacks, involves eliciting a flood of responses to a single spoofed IP address. During an SNMP reflection attack, the perpetrator sends out a large number of SNMP queries with a forged IP address (the victim’s) to numerous connected devices that, in turn, reply to that forged address. The attack volume grows as more and more devices continue to reply, until the target network is brought down under the collective volume of these SNMP responses.

SQL Attack: SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve.

TELNET Attack: Every communication from a remote device to the networking device being configured is sent in plain text. That is a major security issue: wherever Telnet is used, the commands sent are vulnerable to frame sniffing.

TROJAN: A Trojan is a type of malware that is often disguised as legitimate software. Trojans can be employed by attackers trying to gain access to users’ systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system.

TFTP Attack: TFTP uses client and server software to make connections between two devices. From a TFTP client, individual files can be copied (uploaded) to or downloaded from the server. The server hosts the files and the client requests or sends files. TFTP can also be used to remotely start a computer and back up network or router configuration files.

WORM: A computer worm is a standalone malware program that replicates itself in order to spread to other computers. It often uses a computer network to spread, relying on security failures on the target computer to gain access. It then uses that machine as a host to scan and infect other computers.

RPC Attack: The RPC (Remote Procedure Call) protocol allows remote procedure calls through data transferred in XML format. These calls enable different platforms to communicate with websites, but they also allow attackers to send arbitrary XML data that forces websites to execute certain code or exfiltrate data.

SCAN: Any suspicious scan over the network, such as a scan of MySQL port 1433.