Description

Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Resolution, Network_Traffic
  • Last Updated: 2017-09-11
  • Author: Rico Valdez, Splunk
  • ID: 6d13121c-90f3-446d-8ac3-27efbbc65218

Narrative

A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting the services and protocols to those explicitly approved by policy, administrators can minimize the attack surface. The combined effect allows both network defenders and security controls to focus and not be mired in superfluous traffic or data types. Looking for deviations from policy can identify attacker activity that abuses services and protocols to run on alternate or non-standard ports in an attempt to avoid detection or frustrate forensic analysts.
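The two checks this story relies on, a prohibited protocol that the perimeter nonetheless allowed and a recognised protocol on a port the policy does not assign to it, can be expressed directly against traffic records. The following is an added example and not Splunk's own content or search logic: it runs both checks over a handful of constructed events whose field names (src_ip, dest_ip, dest_port, transport, app, action) are modelled on the Network_Traffic data model, using an assumed port policy and an assumed prohibited-protocol list.

```python
"""Added example (not Splunk's own content): flag prohibited traffic that was
allowed, and protocol/port mismatches, over constructed network-traffic records.

Field names are modelled on the Splunk Network_Traffic data model. The policy
tables and the sample events below are assumptions constructed for this example.
"""
from collections import Counter

# Assumed policy: the port(s) each application protocol is approved to use.
STANDARD_PORTS = {
    "dns": {53},
    "http": {80, 8080},
    "ssl": {443},
    "ssh": {22},
    "smb": {445},
    "rdp": {3389},
}

# Assumed policy: application protocols that must never be allowed through the perimeter.
PROHIBITED_APPS = {"tor", "irc", "smb"}

# Constructed sample events in the shape of Network_Traffic records (not real traffic).
SAMPLE_EVENTS = [
    {"src_ip": "10.1.1.5", "dest_ip": "203.0.113.10", "dest_port": 443,
     "transport": "tcp", "app": "ssl", "action": "allowed"},   # normal TLS
    {"src_ip": "10.1.1.5", "dest_ip": "203.0.113.20", "dest_port": 53,
     "transport": "udp", "app": "dns", "action": "allowed"},   # normal DNS
    {"src_ip": "10.1.1.9", "dest_ip": "198.51.100.7", "dest_port": 8443,
     "transport": "tcp", "app": "ssh", "action": "allowed"},   # ssh on a non-standard port
    {"src_ip": "10.1.1.9", "dest_ip": "198.51.100.8", "dest_port": 445,
     "transport": "tcp", "app": "smb", "action": "allowed"},   # prohibited protocol allowed out
    {"src_ip": "10.1.1.3", "dest_ip": "192.0.2.4", "dest_port": 9001,
     "transport": "tcp", "app": "tor", "action": "blocked"},   # prohibited but blocked: no finding
    {"src_ip": "10.1.1.3", "dest_ip": "192.0.2.9", "dest_port": 80,
     "transport": "tcp", "app": "ssh", "action": "allowed"},   # ssh carried on the HTTP port
]


def prohibited_allowed(events):
    """'Prohibited Network Traffic Allowed': prohibited protocols whose connection
    was permitted. Blocked connections are policy working as intended, so they are
    excluded rather than reported."""
    return [e for e in events
            if e["action"] == "allowed" and e["app"] in PROHIBITED_APPS]


def protocol_port_mismatch(events):
    """'Protocol or Port Mismatch': a recognised application protocol seen on a
    destination port the policy does not assign to it. Protocols absent from the
    policy table are skipped; this check only scores deviations from a known rule."""
    return [e for e in events
            if e["app"] in STANDARD_PORTS
            and e["dest_port"] not in STANDARD_PORTS[e["app"]]]


def summarize(events):
    """Count findings per (source host, finding type), the grouping an analyst
    would triage from: one host with several mismatches is more interesting
    than many hosts with one each."""
    counts = Counter()
    for e in prohibited_allowed(events):
        counts[(e["src_ip"], "prohibited_allowed")] += 1
    for e in protocol_port_mismatch(events):
        counts[(e["src_ip"], "port_mismatch")] += 1
    return dict(counts)


if __name__ == "__main__":
    for (host, kind), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{host:12} {kind:20} {n}")
```

Both checks depend on the traffic source having identified the application protocol independently of the port (the `app` field here); a sensor that labels traffic purely by destination port cannot see a mismatch at all, which is the first thing to confirm before deploying either detection.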

Detections

Name                                                | Technique                                                                             | Type
----------------------------------------------------|---------------------------------------------------------------------------------------|--------
Allow Inbound Traffic By Firewall Rule Registry     | Remote Desktop Protocol, Remote Services                                              | TTP
Allow Inbound Traffic In Firewall Rule              | Remote Desktop Protocol, Remote Services                                              | TTP
Detect hosts connecting to dynamic domain providers | Drive-by Compromise                                                                   | TTP
Enable RDP In Other Port Number                     | Remote Services                                                                       | TTP
Prohibited Network Traffic Allowed                  | Exfiltration Over Alternative Protocol                                                | TTP
Protocol or Port Mismatch                           | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly
TOR Traffic                                         | Proxy, Multi-hop Proxy                                                                | TTP

Reference

source | version: 1