iSID Analyst Knowledge Base

Definitions and additional context on iSID alerts, along with helpful recommendations

Category: Radiflow

(189 Alerts)

ET SCAN Potential VNC Scan 5800-5820

This alert is triggered when a source outside the monitored network attempts connections to ports 5800-5820 on one or more assets. This range belongs to Virtual Network Computing (VNC): port 5800 plus the display number is the HTTP/Java-viewer interface, and the matching RFB service itself listens on 5900 plus the display number. VNC exposes an interactive screen-sharing session over the network, so a sweep across this range is typical of an adversary enumerating reachable remote-access services before attempting initial access. Check whether the source is a known scanner or administration host, and whether any asset actually answered on these ports.

ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection

This alert is triggered when an unusually high number of connection attempts on port 445 is observed between devices in the network within a short time. Port 445 carries SMB (Server Message Block), which lets systems on the same network share files and printers. SMB has a long history of exploitable vulnerabilities (SMBv1 in particular) and is also the channel used for lateral movement through administrative shares and remote service creation, so a burst of port 445 connections from one host can indicate scanning or an attack in progress. However, port 445 (SMB) is commonly used for legitimate communication in OT systems, so compare the source and its targets against the expected SMB relationships (file servers, historians, engineering workstations) before treating the alert as malicious.

ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)

This alert is triggered when an unusually high rate of inbound Remote Desktop Protocol (RDP) connection attempts to an asset in the network is observed. RDP uses TCP port 3389 to open an interactive remote session between devices. This pattern is typical of an adversary scanning the network for hosts that accept RDP, or brute-forcing credentials on one that does. Check whether the target is supposed to expose RDP at all and whether the source is an approved administration host.

ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)

This alert is triggered when an unusually high rate of outbound Remote Desktop Protocol (RDP) connection attempts from an asset in the network is observed. RDP uses TCP port 3389 to open an interactive remote session between devices. A single asset opening many RDP connections in a short time suggests it is infected with malware that scans for RDP hosts to spread laterally, or that an attacker already on that asset is enumerating targets. Isolate and inspect the source host rather than the destinations.

ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection

This alert is triggered when an unusually high number of connection attempts on port 135 is observed between devices in the network. Port 135 is the Microsoft RPC Endpoint Mapper, the service other systems query to discover which RPC-based services (DCOM, WMI, the task scheduler, and others) are available on an asset and which dynamic port each one listens on. A burst of port 135 connections from one host can indicate scanning of the network by an adversary or lateral movement over DCOM/WMI; verify whether the source is a management server that legitimately polls many hosts.

NF – TTL below 30 – TTL Expiry Attack from inside to outside

This alert is triggered when a packet leaving the monitored network toward an external destination carries an IPv4 TTL (Time To Live) below 30. Every router decrements the TTL by one and discards the packet when it reaches zero, so a sender that deliberately starts with a very low TTL controls how far into the network the packet travels. Attackers use this for reconnaissance (traceroute-style mapping, where each probe's TTL is incremented until it reaches the target) and for IDS evasion: a packet with a TTL chosen to expire between the sensor and the destination is seen by the IDS but never by the end host, letting the attacker insert data into the stream the sensor reconstructs and desynchronize it from what the target actually receives. Ordinary hosts start at 64, 128 or 255, so a TTL below 30 on egress is unusual unless someone is running a legitimate traceroute; identify the tool on the source host that generated the packets.

NF – Don’t Fragment bit set – check for covert channel

The purpose of this rule is to detect patterns associated with covert channels that abuse ICMP echo requests (ping) with the Don't Fragment (DF) bit set. DF guarantees the packet arrives intact or is dropped, which tunnelling tools rely on to keep data hidden in the echo payload from being split. The rule is noisy by design: Linux sets DF on ordinary echo requests by default for path MTU discovery, so treat a hit as a hunting lead and look at payload size, request volume and payload content before escalating.

NF – POLICY – AnyDesk – BOOT domain lookup

A DNS query for an AnyDesk (remote control tool) bootstrap domain was sent from the internal network to the internet. The AnyDesk client resolves this domain when it starts, so the alert indicates that AnyDesk is installed and running on the source host. AnyDesk is often used legitimately by vendors for remote support, but it is also a common way for attackers to keep remote access to a compromised host. Confirm that the tool is approved for that asset and that the session was expected; if not, isolate the host and check for recent installs.

NF – POLICY – AnyDesk – Replay domain lookup

A DNS response for an AnyDesk (remote control tool) domain was returned to a host on the internal network, meaning the lookup succeeded and the client can reach AnyDesk's infrastructure. Treat it together with the BOOT domain lookup above: confirm whether AnyDesk is an approved remote-access tool for that host and who initiated the session.

NF – POLICY – LLMNR – Link-local Multicast name resolution in use – Unsafe to use

LLMNR traffic was detected. LLMNR (Link-Local Multicast Name Resolution) is a protocol used in Windows operating systems (Vista and later) to resolve the names of neighbouring computers on the same local network by multicast (UDP port 5355 to 224.0.0.252, or FF02::1:3 for IPv6) when traditional DNS (Domain Name System) resolution fails. It is unsafe because any host on the segment can answer a query: an attacker running a poisoning tool replies to mistyped or stale names, the victim then authenticates to the attacker and leaks NetNTLM credentials, which can be cracked offline or relayed to SMB or LDAP services. Recommendation: disable it by Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution, i.e. EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient) and investigate any host that answers LLMNR queries for many different names.
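The three NF rules above (TTL below 30 on egress, Don't Fragment set on ICMP echo, LLMNR in use) all reduce to a few IPv4-header checks. The Python below is an added example written for this page, not iSID or Radiflow code: it decodes raw IPv4 packets with the standard library, builds constructed sample packets (the addresses, the 10.0.0.0/8 internal range and the threshold of 30 are assumptions taken from the rule names), and applies each check. Multicast destinations are excluded from the TTL check because link-local protocols such as LLMNR legitimately send with a TTL of 1, which would otherwise trip the "inside to outside" rule.

```python
import ipaddress
import struct

# Assumptions for this example: the plant's internal range, and the numbers
# taken from the rule names (TTL below 30, LLMNR on UDP 5355 to 224.0.0.252).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
TTL_THRESHOLD = 30
LLMNR_GROUP = ipaddress.ip_address("224.0.0.252")
LLMNR_PORT = 5355

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum (IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header; returns the fields the rules need."""
    ver_ihl, _, total_len, _, flags_frag, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4              # header length including options
    return {
        "ttl": ttl,
        "proto": proto,                      # 1 = ICMP, 6 = TCP, 17 = UDP
        "df": bool(flags_frag & 0x4000),     # Don't Fragment flag
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "payload": pkt[ihl:total_len],
    }

def ttl_expiry_alert(pkt, internal=INTERNAL_NET, threshold=TTL_THRESHOLD) -> bool:
    """NF TTL below 30: low TTL on a packet leaving the internal network.
    Multicast destinations are not 'outside': LLMNR/mDNS legitimately use TTL 1."""
    p = parse_ipv4(pkt)
    egress = p["src"] in internal and p["dst"] not in internal and not p["dst"].is_multicast
    return egress and p["ttl"] < threshold

def df_icmp_echo_alert(pkt) -> bool:
    """NF Don't Fragment: ICMP echo request (type 8) with DF set."""
    p = parse_ipv4(pkt)
    return p["proto"] == 1 and p["df"] and len(p["payload"]) >= 8 and p["payload"][0] == 8

def llmnr_alert(pkt) -> bool:
    """NF POLICY LLMNR: UDP to the LLMNR multicast group on port 5355."""
    p = parse_ipv4(pkt)
    if p["proto"] != 17 or len(p["payload"]) < 8:
        return False
    _sport, dport, _length, _csum = struct.unpack("!HHHH", p["payload"][:8])
    return p["dst"] == LLMNR_GROUP and dport == LLMNR_PORT

# --- constructed sample traffic (not captured data) ---------------------------
def build_ipv4(src, dst, ttl, proto, payload, df=False) -> bytes:
    """IPv4 header without options, checksum filled in, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000 if df else 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def icmp_echo(icmp_type=8, data=b"covert") -> bytes:
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + data
    return hdr[:2] + struct.pack("!H", checksum(hdr)) + hdr[4:]

def udp(sport, dport, data) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLES = {
    "low_ttl_egress":  build_ipv4("10.1.1.5", "198.51.100.7", 4, 6, b"\x00" * 20),
    "normal_egress":   build_ipv4("10.1.1.5", "198.51.100.7", 64, 6, b"\x00" * 20),
    "low_ttl_ingress": build_ipv4("198.51.100.7", "10.1.1.5", 4, 6, b"\x00" * 20),
    "df_echo":         build_ipv4("10.1.1.5", "10.1.1.9", 64, 1, icmp_echo(), df=True),
    "plain_echo":      build_ipv4("10.1.1.5", "10.1.1.9", 64, 1, icmp_echo()),
    "df_echo_reply":   build_ipv4("10.1.1.9", "10.1.1.5", 64, 1, icmp_echo(0), df=True),
    "llmnr_query":     build_ipv4("10.1.1.5", "224.0.0.252", 1, 17, udp(51000, 5355, b"\x00" * 12)),
    "dns_query":       build_ipv4("10.1.1.5", "10.1.1.1", 64, 17, udp(51000, 53, b"\x00" * 12)),
}

def run_samples() -> dict:
    """Evaluate all three rules over every sample: name -> (ttl, df_icmp, llmnr)."""
    return {name: (ttl_expiry_alert(p), df_icmp_echo_alert(p), llmnr_alert(p))
            for name, p in SAMPLES.items()}
```

Run `run_samples()` to see which rule each constructed packet trips. In production the same three predicates would run over a pcap or the sensor's packet feed; the design points carried over from the entries above are that the TTL rule needs an explicit model of "outside" (hence the multicast exclusion), the DF rule must be tuned because ordinary Linux pings already match it, and the LLMNR rule fires on every query, so the interesting follow-up is which host answers.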