This alert is triggered when detecting unusually fast Remote desktop protocol (RDP) communication from an asset in the network. RDP uses port 3389 to create a remote connection between devices. This alert may be triggered when an adversary has infected an asset.
This alert is triggered when detecting unusually fast Remote desktop protocol (RDP) communication to an asset in the network. RDP uses port 3389 to create a remote connection between devices. This alert may be triggered when an adversary is scanning the network for devices to connect to remotely.
This alert is triggered when detecting communication on port 445 between devices in the network. Port 445 is used for SMB communication, which allows systems of the same network to share files. the SMB protocol is known to be vulnerable, communication on port 445 can be an indication of Potential scanning or attempted attack by an adversary. However, port 445 (SMB) is commonly used for communication in OT systems.
This alert is triggered when detecting communication on port 135 between devices in the network. Port 135 is used by the Remote Procedure Call service, this service enables other systems to identify what services are available on an asset and which port they use. communication on port 135 can be an indication of Potential scanning of the network by an adversary.
The rule is designed to trigger an alert when it detects an invalid SSL client hello message. The client hello message is the first message sent by a client when initiating an SSL handshake with a server. It includes various parameters and cipher suites supported by the client, allowing the server to negotiate a secure connection.