Network Security
Access
Brute Force Access Attempt (CLI)
An anomalously high number of failed connection attempts were observed to common remote CLI ports (SSH, telnet, etc.). This can indicate a brute force login attack.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_brute_force_cli |
Job for ECS | elastiflow_ecs_netsec_brute_force_cli |
Analysis Type | population |
Required Data | client IP & port, server IP & port |
MITRE ATT&CK Technique | Brute Force (T1110) |
MITRE ATT&CK Sub-Technique | Password Guessing (T1110.001) |
MITRE ATT&CK Tactic | Credential Access (TA0006) |
Activity
Rare Client-Side Autonomous System
This anomaly detector identifies client-side traffic to/from a rare autonomous system. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_rare_asn_client |
Job for ECS | elastiflow_ecs_netsec_rare_asn_client |
Analysis Type | temporal |
Required Data | client AS, layer-4 session establishment |
Rare Server-Side Autonomous System
This anomaly detector identifies server-side traffic to/from a rare autonomous system. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_rare_asn_server |
Job for ECS | elastiflow_ecs_netsec_rare_asn_server |
Analysis Type | temporal |
Required Data | server AS, layer-4 session establishment |
Rare Conversation (inbound)
This anomaly detector identifies rare inbound (public to private) conversations. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_rare_conversation_inbound |
Job for ECS | elastiflow_ecs_netsec_rare_conversation_inbound |
Analysis Type | temporal |
Required Data | conversation ID, client AS, server AS, layer-4 session establishment |
Rare Conversation (outbound)
This anomaly detector identifies rare outbound (private to public) conversations. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_rare_conversation_outbound |
Job for ECS | elastiflow_ecs_netsec_rare_conversation_outbound |
Analysis Type | temporal |
Required Data | conversation ID, client AS, server AS, layer-4 session establishment |
Rare Conversation (private)
This anomaly detector identifies rare private conversations. Rarely occurring network traffic can indicate recent malicious activity, such as malware exfiltrating data or communicating with a command & control server. While such traffic doesn't directly indicate malicious activity, it should be further investigated.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_rare_conversation_private |
Job for ECS | elastiflow_ecs_netsec_rare_conversation_private |
Analysis Type | temporal |
Required Data | conversation ID, client AS, server AS, layer-4 session establishment |
Amplification Attacks
Generic DDoS Attack (UDP Amplification)
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open UDP services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_ddos_generic_udp_amplification |
Job for ECS | elastiflow_ecs_netsec_ddos_generic_udp_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
CHARGEN Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Character Generator Protocol (CHARGEN) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_chargen_amplification |
Job for ECS | elastiflow_ecs_netsec_chargen_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
DNS Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open DNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_dns_amplification |
Job for ECS | elastiflow_ecs_netsec_dns_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
Kad Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Kademlia DHT peers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_kad_amplification |
Job for ECS | elastiflow_ecs_netsec_kad_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
LDAP Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open LDAP servers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_ldap_amplification |
Job for ECS | elastiflow_ecs_netsec_ldap_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
mDNS Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open mDNS resolvers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_mdns_amplification |
Job for ECS | elastiflow_ecs_netsec_mdns_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
Memcached Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Memcached servers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_memcached_amplification |
Job for ECS | elastiflow_ecs_netsec_memcached_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
MSSQL Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open MSSQL servers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_mssql_amplification |
Job for ECS | elastiflow_ecs_netsec_mssql_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
NETBIOS Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open NETBIOS services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_netbios_amplification |
Job for ECS | elastiflow_ecs_netsec_netbios_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
NTP Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open NTP services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_ntp_amplification |
Job for ECS | elastiflow_ecs_netsec_ntp_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
QOTD Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Quote of the Day (QOTD) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_qotd_amplification |
Job for ECS | elastiflow_ecs_netsec_qotd_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
Quake Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Quake services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_quake_amplification |
Job for ECS | elastiflow_ecs_netsec_quake_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
RADIUS Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open RADIUS services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_radius_amplification |
Job for ECS | elastiflow_ecs_netsec_radius_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
RIP Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Routing Information Protocol (RIP) enabled routers in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_rip_amplification |
Job for ECS | elastiflow_ecs_netsec_rip_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
RPC Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Remote Procedure Call (RPC) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_rpc_amplification |
Job for ECS | elastiflow_ecs_netsec_rpc_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
Sentinel SPSS Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open SPSS (Sentinel RMS) License Manager services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_sentinel_spss_amplification |
Job for ECS | elastiflow_ecs_netsec_sentinel_spss_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
SNMP Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open SNMP services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_snmp_amplification |
Job for ECS | elastiflow_ecs_netsec_snmp_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
SSDP Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open SSDP services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_ssdp_amplification |
Job for ECS | elastiflow_ecs_netsec_ssdp_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
Steam Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Steam services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_steam_amplification |
Job for ECS | elastiflow_ecs_netsec_steam_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
TFTP Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Trivial File Transfer Protocol (TFTP) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_tftp_amplification |
Job for ECS | elastiflow_ecs_netsec_tftp_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
WSD Amplification Attack
This DDoS attack is a reflection-based volumetric distributed denial-of-service (DDoS) attack in which an attacker leverages the functionality of open Web Services for Devices (WSD) services in order to overwhelm a target server or network with an amplified amount of traffic, rendering the server and its surrounding infrastructure inaccessible.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_wsd_amplification |
Job for ECS | elastiflow_ecs_netsec_wsd_amplification |
Analysis Type | temporal |
Required Data | source IP, port & AS, destination IP, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Reflection Amplification (T1498.002) |
MITRE ATT&CK Tactic | Impact (TA0040) |
Data Exfiltration
DNS Exfiltration
COMING SOON!
Flood Attacks
Generic DDoS Attack (TCP)
A Distributed Denial of Service (DDoS) attack attempts to make a service unavailable by directly sending a high volume of TCP traffic from multiple sources to the targeted TCP listener.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_ddos_generic_tcp |
Job for ECS | elastiflow_ecs_netsec_ddos_generic_tcp |
Analysis Type | temporal |
Required Data | client IP & AS, server IP & port, layer-4 protocol |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Direct Network Flood (T1498.001) |
MITRE ATT&CK Tactic | Impact (TA0040) |
ICMP Flood DDoS Attack
An ICMP flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic. When the attack traffic comes from multiple devices, the attack becomes a DDoS or distributed denial-of-service attack.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_icmp_flood_ddos |
Job for ECS | elastiflow_ecs_netsec_icmp_flood_ddos |
Analysis Type | temporal |
Required Data | source IP & AS, destination IP, layer-4 protocol |
Restrictions | Applies only to Netflow and IPFIX flow records. |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Direct Network Flood (T1498.001) |
MITRE ATT&CK Tactic | Impact (TA0040) |
ICMP Flood Direct Attack
An ICMP flood is a denial-of-service attack in which the attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become inaccessible to normal traffic.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_icmp_flood_direct |
Job for ECS | elastiflow_ecs_netsec_icmp_flood_direct |
Analysis Type | population |
Required Data | source IP & AS, destination IP, layer-4 protocol |
Restrictions | Applies only to Netflow and IPFIX flow records. |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Direct Network Flood (T1498.001) |
MITRE ATT&CK Tactic | Impact (TA0040) |
SYN Flood DDoS Attack
A SYN flood (half-open attack) DDoS attack is a type of denial-of-service (DDoS) attack in which multiple sources are used with the aim of making a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_syn_flood_ddos |
Job for ECS | elastiflow_ecs_netsec_syn_flood_ddos |
Analysis Type | temporal |
Required Data | client IP & AS, server IP & port, TCP flags |
Restrictions | Applies only to Netflow and IPFIX flow records. |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Direct Network Flood (T1498.001) |
MITRE ATT&CK Tactic | Impact (TA0040) |
SYN Flood Direct Attack
A SYN flood (half-open attack) direct attack is a type of denial-of-service (DDoS) attack in which a single source aims to make a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_syn_flood_direct |
Job for ECS | elastiflow_ecs_netsec_syn_flood_direct |
Analysis Type | population |
Required Data | client IP & AS, server IP & port, TCP flags |
Restrictions | Applies only to Netflow and IPFIX flow records. |
MITRE ATT&CK Technique | Network Denial of Service (T1498) |
MITRE ATT&CK Sub-Technique | Direct Network Flood (T1498.001) |
MITRE ATT&CK Tactic | Impact (TA0040) |
Reconnaissance
Port Scan (fast)
A client accessed an anomalously high number of server ports, over a short period of time, compared to other clients. This can indicate port scanning activity, a reconnaissance method used by malicious actors to find vulnerable systems.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_port_scan_fast |
Job for ECS | elastiflow_ecs_netsec_port_scan_fast |
Analysis Type | population |
Required Data | client IP & AS, server IP & port |
MITRE ATT&CK Technique | Network Service Scanning (T1046) |
MITRE ATT&CK Tactic | Discovery (TA0007) |
Port Scan (slow)
A client accessed an anomalously high number of server ports over a long period of time, compared to other clients. This can indicate port scanning activity, a reconnaissance method used by malicious actors to find vulnerable systems.
Attribute | Description |
---|---|
Job for CODEX | elastiflow_codex_netsec_port_scan_slow |
Job for ECS | elastiflow_ecs_netsec_port_scan_slow |
Analysis Type | population |
Required Data | client IP & AS, server IP & port |
MITRE ATT&CK Technique | Network Service Scanning (T1046) |
MITRE ATT&CK Tactic | Discovery (TA0007) |
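The following is an added illustration, not ElastiFlow's ML job logic, of the two detector shapes used above: the "population" comparison behind the Port Scan detectors (one client's distinct server-port count versus every other client's) and the TCP-flags check behind the SYN Flood detectors (flows that carry SYN but never ACK). It runs over constructed flow records and assumes NetFlow/IPFIX-style `tcpControlBits` bit values for the flags field.

```python
"""Toy versions of two detector shapes described on this page, run over constructed
flow records: the population comparison behind Port Scan (fast/slow) and the
TCP-flags check behind SYN Flood. Illustrative only; not ElastiFlow's ML jobs."""
from collections import defaultdict
from statistics import median

# tcpControlBits bit values as exported in NetFlow v9 / IPFIX (RFC 793 flag order).
SYN, ACK = 0x02, 0x10

# Constructed flow records: (client_ip, server_ip, server_port, tcp_flags).
FLOWS = (
    [("10.0.0.11", "10.0.1.5", 443, SYN | ACK)] * 6               # ordinary HTTPS client
    + [("10.0.0.12", "10.0.1.5", 443, SYN | ACK),
       ("10.0.0.12", "10.0.1.6", 22, SYN | ACK)]                  # two services, completed handshakes
    + [("10.0.0.13", "10.0.1.7", 80, SYN | ACK)] * 3
    + [("10.0.0.14", "10.0.1.7", p, SYN | ACK) for p in (80, 443, 8080)]
    + [("10.0.0.99", "10.0.1.5", p, SYN) for p in range(1, 41)]  # 40 ports, SYN only: scanner
    + [("10.0.0.50", "10.0.1.8", 80, SYN)] * 200                  # 200 half-open flows: SYN flood
)


def distinct_ports_per_client(flows):
    """Population feature: number of distinct server ports each client reached."""
    ports = defaultdict(set)
    for client, _server, port, _flags in flows:
        ports[client].add(port)
    return {c: len(p) for c, p in ports.items()}


def population_outliers(per_client, threshold=3.5):
    """Clients whose feature sits far above the rest of the population.

    Uses the modified z-score (median/MAD) so a single scanner cannot drag the
    baseline up the way a mean/stddev model would. MAD is floored at 1 port so
    a population of near-identical clients does not divide by zero.
    """
    values = list(per_client.values())
    med = median(values)
    mad = max(median(abs(v - med) for v in values), 1.0)
    return sorted(c for c, v in per_client.items()
                  if 0.6745 * (v - med) / mad > threshold)


def half_open_ratio(flows):
    """Per server IP:port, share of flows that carried SYN but never ACK."""
    total, half_open = defaultdict(int), defaultdict(int)
    for _client, server, port, flags in flows:
        total[(server, port)] += 1
        if flags & SYN and not flags & ACK:
            half_open[(server, port)] += 1
    return {k: half_open[k] / total[k] for k in total}


def syn_flood_candidates(flows, min_flows=50, min_ratio=0.9):
    """Server sockets seeing many flows that are almost all half-open.

    The flow-count floor keeps a scanner's one-SYN-per-port probes (ratio 1.0
    but a single flow each) from being reported as a flood.
    """
    counts = defaultdict(int)
    for _client, server, port, _flags in flows:
        counts[(server, port)] += 1
    ratios = half_open_ratio(flows)
    return sorted(k for k, n in counts.items()
                  if n >= min_flows and ratios[k] >= min_ratio)


if __name__ == "__main__":
    print("port scan candidates:", population_outliers(distinct_ports_per_client(FLOWS)))
    print("SYN flood candidates:", syn_flood_candidates(FLOWS))
```

Run as-is it reports `10.0.0.99` as the port-scan outlier and `10.0.1.8:80` as the SYN-flood target; the "temporal" detectors on this page would instead compare each entity against its own history rather than against its peers.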