# MITRE ATT&CK

25 rules detecting network flows that match MITRE ATT&CK v18.1 techniques across 5 tactics: Initial Access, Command and Control, Lateral Movement, Exfiltration, and Discovery.

## Initial Access

| Rule ID | Severity | Technique | Category | Summary |
|---|---|---|---|---|
| ATK-T1133-01 | CRITICAL | T1133 | External Remote Services | RDP exposed to external/any source |
| ATK-T1133-02 | HIGH | T1133 | External Remote Services | SSH exposed to external/any source |
| ATK-T1133-03 | HIGH | T1133 | External Remote Services | VNC exposed to external/any source |
| ATK-T1133-04 | HIGH | T1133 | External Remote Services | WinRM exposed to external/any source |
| ATK-T1133-05 | HIGH | T1133 | External Remote Services | Citrix ICA/HDX exposed to external/any source |

## Command and Control

| Rule ID | Severity | Technique | Category | Summary |
|---|---|---|---|---|
| ATK-T1071-01 | MEDIUM | T1071.001 | Application Layer Protocol | Unrestricted outbound HTTP/HTTPS to external |
| ATK-T1071-02 | HIGH | T1071.004 | Application Layer Protocol | Direct external DNS (UDP) bypassing internal resolvers |
| ATK-T1071-03 | HIGH | T1071.004 | Application Layer Protocol | Direct external DNS (TCP) bypassing internal resolvers |

## Lateral Movement

| Rule ID | Severity | Technique | Category | Summary |
|---|---|---|---|---|
| ATK-T1021-01 | HIGH | T1021.001 | Remote Services | RDP from broad internal source |
| ATK-T1021-02 | CRITICAL | T1021.002 | Remote Services | SMB from external/any source |
| ATK-T1021-03 | HIGH | T1021.002 | Remote Services | SMB from broad internal source |
| ATK-T1021-04 | HIGH | T1021.002 | Remote Services | NetBIOS from external/any source |
| ATK-T1021-05 | CRITICAL | T1021.006 | Remote Services | WinRM HTTP from external/any source |
| ATK-T1021-06 | HIGH | T1021.006 | Remote Services | WinRM HTTPS from external/any source |
| ATK-T1021-07 | HIGH | T1021.006 | Remote Services | WinRM from broad internal source |
| ATK-T1021-08 | HIGH | T1021.003 | Remote Services | DCOM/RPC from broad internal source |
| ATK-T1021-09 | MEDIUM | T1021.004 | Remote Services | SSH from broad internal source |
| ATK-T1021-10 | HIGH | T1021.005 | Remote Services | VNC from broad internal source |

## Exfiltration

| Rule ID | Severity | Technique | Category | Summary |
|---|---|---|---|---|
| ATK-T1048-01 | HIGH | T1048 | Exfiltration Over Alternative Protocol | Outbound FTP to external |
| ATK-T1048-02 | HIGH | T1048 | Exfiltration Over Alternative Protocol | Outbound SMTP to external |
| ATK-T1048-03 | CRITICAL | T1048 | Exfiltration Over Alternative Protocol | Outbound SMB to external |
| ATK-T1048-04 | HIGH | T1048 | Exfiltration Over Alternative Protocol | Outbound DNS to external |

## Discovery

| Rule ID | Severity | Technique | Category | Summary |
|---|---|---|---|---|
| ATK-T1018-01 | MEDIUM | T1018 | Remote System Discovery | ICMP from broad source to broad/any destination |
| ATK-T1046-01 | HIGH | T1046 | Network Service Discovery | Wide TCP port range between internal hosts |
| ATK-T1046-02 | MEDIUM | T1046 | Network Service Discovery | Wide UDP port range between internal hosts |