
Alert Pack: Command and Control Released for Devo

Related products: Devo Platform

The Devo SciSec Team (Devo's Threat Research Team) has released this latest alert pack in all Devo domains! This alert pack brings our SecOps-related content to our non-SecOps customers and can help jumpstart your threat coverage.


Alert Pack - Command and Control

This alert pack focuses on providing coverage for the most commonly used techniques under the MITRE ATT&CK Command and Control tactic. Command and control is the stage at which the adversary already has a foothold on your systems and is communicating with them to steal information from your company or to disrupt its operations. These alerts let our customers know when an attacker tries to establish control, use that control, or extend it to more systems. Here's more information from the MITRE website:


Complete information on this threat vector.


"Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses."


Download now directly from Devo Exchange by clicking here.


Full release notes and details of every alert in this Alert Pack.


Here is a sample of a few of the alerts included:

SecOpsFWSMBTrafficOutbound - Detects SMB traffic from internal to external sources allowed through the firewall.

SecOpsFWTrafficOnUnassignedLowPort - Identifies traffic across a port lower than 1024 that is unassigned by IANA. These ports are rarely used by legitimate services and may indicate malicious activity or traffic.

SecOpsFWExcessFirewallDeniesOutbound - Detects excessive firewall blocks for outbound traffic from a single IP in a short period of time; this activity may be indicative of C2 traffic and should be reviewed.

SecOpsFWIcmpExcessivePackets - Since ICMP packets are typically very small, this alert detects ICMP packets that are larger than expected. A large amount of data sent over ICMP may indicate command and control traffic or data exfiltration.

SecOpsFWRdpTrafficUnauthorized - Detects RDP traffic to hosts that are not on an allowed list.
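To make the logic behind these five sample alerts concrete, here is an added illustration in Python that runs toy versions of the checks over a handful of constructed firewall log lines. It is not Devo's own alert logic, query language or data: the key=value log format, the internal address ranges, the RDP allowlist, the ICMP size and deny-rate thresholds, and the small set of "unassigned" low ports are all assumptions chosen for the example.

```python
"""Toy re-implementation of the five sample C2 alerts over constructed firewall logs.

Added illustration only: not Devo's alert logic, LINQ or data. The log format
and every threshold below are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

# Constructed sample log lines (ISO-8601 timestamp, then key=value pairs). Not real data.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z action=allow proto=tcp src=10.1.2.3 dst=203.0.113.10 dport=445 bytes=1200
2024-05-01T10:00:02Z action=allow proto=tcp src=10.1.2.3 dst=10.1.5.20 dport=445 bytes=1200
2024-05-01T10:00:03Z action=allow proto=tcp src=10.1.2.7 dst=198.51.100.7 dport=8 bytes=300
2024-05-01T10:00:04Z action=allow proto=tcp src=10.1.2.7 dst=198.51.100.7 dport=443 bytes=300
2024-05-01T10:00:05Z action=allow proto=icmp src=10.1.2.9 dst=203.0.113.44 dport=0 bytes=4200
2024-05-01T10:00:06Z action=allow proto=icmp src=10.1.2.9 dst=203.0.113.44 dport=0 bytes=64
2024-05-01T10:00:07Z action=allow proto=tcp src=10.1.2.5 dst=10.0.0.20 dport=3389 bytes=800
2024-05-01T10:00:08Z action=allow proto=tcp src=10.1.2.5 dst=10.9.9.9 dport=3389 bytes=800
2024-05-01T10:00:10Z action=deny proto=tcp src=10.1.2.11 dst=203.0.113.5 dport=4444 bytes=0
2024-05-01T10:00:11Z action=deny proto=tcp src=10.1.2.11 dst=203.0.113.5 dport=4445 bytes=0
2024-05-01T10:00:12Z action=deny proto=tcp src=10.1.2.11 dst=203.0.113.5 dport=4446 bytes=0
2024-05-01T10:00:13Z action=deny proto=tcp src=10.1.2.11 dst=203.0.113.5 dport=4447 bytes=0
2024-05-01T10:00:14Z action=deny proto=tcp src=10.1.2.11 dst=203.0.113.5 dport=4448 bytes=0
2024-05-01T10:05:00Z action=deny proto=tcp src=10.1.2.12 dst=203.0.113.5 dport=80 bytes=0
"""

# Assumed tunables for the illustration, not Devo's defaults.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_ALLOWLIST = {"10.0.0.20"}          # hypothetical jump host permitted to receive RDP
ICMP_BYTES_THRESHOLD = 1024            # ICMP larger than this is "larger than expected"
DENY_THRESHOLD, DENY_WINDOW_SECS = 5, 60
SMB_PORTS = {139, 445}
# Tiny illustrative subset of low ports with no IANA assignment; a real rule
# would load the full IANA service-name/port registry instead.
UNASSIGNED_LOW_PORTS = {4, 6, 8, 10, 12, 14, 16}


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    dst: str
    detail: str


def parse_line(line):
    """Turn one constructed log line into a dict of typed fields."""
    ts_str, _, rest = line.partition(" ")
    f = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "action": f["action"], "proto": f["proto"], "src": f["src"], "dst": f["dst"],
        "dport": int(f["dport"]), "bytes": int(f["bytes"]),
    }


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def run_detections(log_text):
    """Apply the five toy rules and return a list of Finding objects."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    denies = defaultdict(list)  # src -> timestamps of outbound denies

    for e in events:
        outbound = is_internal(e["src"]) and not is_internal(e["dst"])
        if e["action"] == "deny":
            if outbound:
                denies[e["src"]].append(e["ts"])
            continue  # the other four rules only look at allowed traffic
        if outbound and e["proto"] == "tcp" and e["dport"] in SMB_PORTS:
            findings.append(Finding("SecOpsFWSMBTrafficOutbound", e["src"], e["dst"], f"SMB to external on {e['dport']}"))
        if e["proto"] != "icmp" and 0 < e["dport"] < 1024 and e["dport"] in UNASSIGNED_LOW_PORTS:
            findings.append(Finding("SecOpsFWTrafficOnUnassignedLowPort", e["src"], e["dst"], f"unassigned low port {e['dport']}"))
        if e["proto"] == "icmp" and e["bytes"] > ICMP_BYTES_THRESHOLD:
            findings.append(Finding("SecOpsFWIcmpExcessivePackets", e["src"], e["dst"], f"{e['bytes']} bytes over ICMP"))
        if e["proto"] == "tcp" and e["dport"] == 3389 and e["dst"] not in RDP_ALLOWLIST:
            findings.append(Finding("SecOpsFWRdpTrafficUnauthorized", e["src"], e["dst"], "RDP to non-allowlisted host"))

    # Sliding window per source: fire once when DENY_THRESHOLD denies fall within DENY_WINDOW_SECS.
    for src, stamps in denies.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while (t - stamps[lo]).total_seconds() > DENY_WINDOW_SECS:
                lo += 1
            if hi - lo + 1 >= DENY_THRESHOLD:
                findings.append(Finding("SecOpsFWExcessFirewallDeniesOutbound", src, "*",
                                        f"{hi - lo + 1} outbound denies within {DENY_WINDOW_SECS}s"))
                break
    return findings


def count_by_rule(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in run_detections(SAMPLE_LOGS):
        print(f"{f.rule:40} {f.src:>12} -> {f.dst:<14} {f.detail}")
```

Each constructed line is paired with a benign counterpart (internal SMB, an assigned port, a small ICMP echo, RDP to the allowlisted host, a lone deny) so the run shows exactly one hit per rule; in a real deployment the thresholds, the internal ranges and the RDP allowlist are the knobs you tune to keep these alerts from paging on legitimate traffic.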


The full list of alerts is available here in our docs!
