Description: For certain software a change of version may matter; in that case this notice is generated. Which software is monitored for version changes can be configured.
Severity Level: Low
Reason: A new version of the software was released.
Investigation: Ask your system administrator.
Mitigation: Ask your system administrator.
Description: Indicates that a vulnerable version of software was detected.
Severity Level: Medium
Reason: A vulnerable version of the software is being used.
Investigation: Check for available software updates.
Mitigation: Update the software version.
Description: Indicates that a host was seen running trace routes. For more detail about specific trace routes that were run refer to the traceroute log.
Severity Level: Medium
Reason: The MUNINN system has detected a traceroute from the device. Traceroute is a tool normally used for network diagnostics, such as route path and round-trip times for connections. See https://en.wikipedia.org/wiki/Traceroute for more information. This type of traffic is normally only seen from system administrator systems.
Investigation: Check if the device is expected to run traceroute, for example if this is an administrator workstation. If not, investigate the destination of the traceroute: is it a known server, IP address or domain? Check MUNINN metadata for other connections to this destination.
Mitigation: Deny traceroute on your firewalls both outbound and between internal segments if possible, except for specific validated users and devices.
Description: Address scans detect that a host appears to be scanning some number of destinations on a single port.
Severity Level: Medium
Reason: A device on the network has contacted a range of IP addresses on a specific port of the internal network. The specific port scanned is shown in the description of the notification.
Investigation: Verify whether the device is expected to perform an internal scan, e.g. an internal vulnerability scanner or an administrator workstation. Verify with the user of the device whether this is expected behaviour. If this is a true positive, it is important to investigate which tool on the device performed the operation and how it was installed on the system.
Mitigation: Monitor for scanning tools on device where possible.
Description: Port scans detect that an attacking host appears to be scanning a single victim host on several ports.
Severity Level: Medium
Reason: The host unsuccessfully tried to connect to 50 or more ports on a remote machine on the local network.
Investigation:
Check if the host is supposed to do the scan.
Check if there is a misconfiguration on the machine.
Check if there are any other signs of suspicious activity using Notification Search and Metadata Search.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Cut the network access to the infected machine.
Initiate Incident Response: Find out which software is causing the scans and remove if possible.
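The two scan notices above rest on the same counting idea: an address scan is one source reaching many destination hosts on one port, a port scan is one source failing against many ports on one host. The following is an added example of that logic over constructed connection records, written for this page; it is not MUNINN's own detection code. The port-scan threshold of 50 is the one stated above; the page gives no number for address scans, so the default of 25 distinct hosts and the choice to count only unsuccessful connection states are assumptions.

```python
from collections import defaultdict

# Constructed sample in the shape of conn.log records (not captured traffic):
# (ts, orig_h, resp_h, resp_p, conn_state). "S0" = no reply, "REJ" = rejected, "SF" = completed.
SCANNER, VICTIM = "10.0.0.5", "10.0.1.20"
SAMPLE_CONNS = (
    # one source probing 60 different ports on one host, none of them answering (port scan)
    [(1000.0 + i, SCANNER, VICTIM, port, "S0") for i, port in enumerate(range(1, 61))]
    # the same source probing port 445 on 30 different hosts (address scan)
    + [(2000.0 + i, SCANNER, f"10.0.2.{i + 1}", 445, "REJ") for i in range(30)]
    # ordinary client traffic plus a couple of stray failures from another host
    + [(3000.0, "10.0.0.7", VICTIM, 443, "SF"), (3001.0, "10.0.0.7", VICTIM, 443, "SF"),
       (3002.0, "10.0.0.7", VICTIM, 8080, "S0"), (3003.0, "10.0.0.7", "10.0.2.1", 8080, "S0")]
)

# Connection states that mean the attempt never completed (assumed set)
FAILED_STATES = {"S0", "REJ", "RSTOS0"}


def detect_scans(conns, port_scan_threshold=50, addr_scan_threshold=25):
    """Return (port_scans, address_scans) for a batch of connection records.

    port_scans maps (orig_h, resp_h) -> distinct ports tried without success,
    for pairs that reached port_scan_threshold (50, as stated on the page).
    address_scans maps (orig_h, resp_p) -> distinct hosts contacted on that port,
    for pairs that reached addr_scan_threshold (25 is an assumed default).
    """
    ports_per_pair = defaultdict(set)
    hosts_per_port = defaultdict(set)
    for _ts, orig, resp, port, state in conns:
        if state not in FAILED_STATES:
            continue
        ports_per_pair[(orig, resp)].add(port)
        hosts_per_port[(orig, port)].add(resp)
    port_scans = {k: v for k, v in ports_per_pair.items() if len(v) >= port_scan_threshold}
    address_scans = {k: v for k, v in hosts_per_port.items() if len(v) >= addr_scan_threshold}
    return port_scans, address_scans


if __name__ == "__main__":
    port_scans, address_scans = detect_scans(SAMPLE_CONNS)
    for (orig, resp), ports in port_scans.items():
        print(f"port scan: {orig} -> {resp}, {len(ports)} distinct ports")
    for (orig, port), hosts in address_scans.items():
        print(f"address scan: {orig} -> port {port} on {len(hosts)} hosts")
```

The example counts distinct ports and hosts rather than raw connection attempts, which is what keeps a single chatty client from being flagged; a production detector would additionally expire the sets after a time window so that slow scans and long-lived sessions are handled sensibly.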
Description: Indicates a host brute forcing FTP logins by watching for too many rejected usernames or failed passwords.
Severity Level: High
Reason: The FTP server has seen more than 20 failed attempts within the last 15 minutes from the source machine.
Investigation: As FTP is unencrypted, it is possible to see information about the attempts.
Verify the usernames
Check if it is a misconfiguration
Investigate the source device or IP-address
Mitigation:
Limit the amount of login attempts possible from a single source.
Limit access to the FTP server so that only relevant devices/IPs can communicate with the server.
Validate that the data transferred over FTP isn’t confidential, as all data is unencrypted in transit.
Description: Indicates that a successful response to a SITE EXEC command/arg pair was seen.
Severity Level: High
Reason: Indicates that a successful response to a SITE EXEC command was seen. This feature enables a user on the FTP server to execute commands on the server as the FTP daemon process.
Investigation: Investigate which command/executable was run and validate whether it was expected. This feature is not normally used, so it will be very uncommon to see.
Mitigation: Disable the SITE EXEC feature on the FTP server.
Description: Indicates that a host performing SQL injection attacks was detected.
Severity Level: High
Reason: This notification is triggered when an attacker is seen performing more than 42 SQL injection (SQLI) requests against a server within 5 minutes. The definition of a SQL injection request is based upon a complex regular expression, so there is a small chance of false positives.
Investigation:
Verify that the request is an actual SQLi request.
Verify if any of the requests had a positive response (HTTP code 200).
Check if the attacking IP has had any other connection to the company.
Mitigation: There are several things which can be done to mitigate a SQLi attack.
Perform a web application test against the website to uncover all SQLI.
Set up a web application firewall in front of the website.
Block access to the website from the attacking IP, if it isn't part of any common hosting IP ranges such as Amazon or Cloudflare.
Description: Indicates that a host was seen to have SQL injection attacks against it. This is tracked by IP address as opposed to hostname.
Severity Level: High
Reason: This notification is triggered when more than 42 SQL Injection (SQLI) requests are performed against a server within 5 minutes. The definition of a SQL Injection request is based upon a complex regular expression, so there is a small chance of false positives.
Investigation:
Verify that the request is an actual SQLI request.
Verify if any of the requests had a positive response (HTTP code 200).
Check if the attacking IP(s) has had any other connection to the company.
Mitigation: There are several things which can be done to mitigate a SQLi attack:
Perform a web application test against the website to uncover all SQLI.
Set up a web application firewall in front of the website.
Block access to the website from the attacking IP, if it isn't part of any common hosting IP ranges such as Amazon or Cloudflare.
Description: Indicates that a host has crossed the password guessing limit.
Severity Level: High
Reason: A device has performed too many unsuccessful login requests against an SSH server. The limit is 40 attempts within a 5-minute period.
Investigation: SSH is encrypted, however it is still possible to investigate the login attempts.
Check if it is a misconfiguration.
Investigate whether the attempts are coming from a trusted source.
Check if the source device has performed other actions against the infrastructure.
Mitigation: SSH is encrypted, however it is still possible to investigate the login attempts.
Check if it is a misconfiguration.
Investigate whether the attempts are coming from a trusted source.
Check if the source device has performed other actions against the infrastructure.
Description: Generated if an SSH login originates from, or is directed at, a host whose reverse hostname lookup resolves to a name matching a predefined list of interesting hostnames, including DNS, www, SMTP, POP, IMAP and FTP.
Severity Level: Low
Reason: A reverse lookup is performed, and either the source or the destination has a name which contains one of the following: DNS, www, SMTP, pop, imap, ftp. Such names normally belong to a service, which is not expected to perform any manual actions, such as an SSH login.
Investigation: Check that the connection is legitimate, and if the destination host is supposed to be accessible by SSH.
Mitigation:
Limit access to the SSH server so that only relevant devices/IPs can communicate with the server.
Only allow SSH key-based logins.
Disable root login.
Description: This indicates that the OCSP response was not deemed to be valid.
Severity Level: Low
Reason: An Online Certificate Status Protocol (OCSP) response couldn’t be validated.
Investigation: Investigate why the OCSP response was invalid and determine if the notification can be reproduced from another host.
Mitigation: Fix any configuration issues, or if responses from the OCSP server are mistakenly deemed invalid, whitelist as narrowly as possible.
Description: Indicates that a server is using a potentially unsafe key.
Severity Level: Medium
Reason: A short key (less than 2048 bits for non-elliptic-curve ciphers) was detected.
Investigation: Investigate whether some software or malware was installed on either of the endpoints of the weakly encrypted connection.
Mitigation: Enforce at least TLS v1.2 for all internal servers and for workstations. If a site frequently used by your company employs a lower SSL/TLS version, consider contacting the webmaster of the site in question to request an upgrade.
Description: Indicates that a server is using a potentially unsafe cipher.
Severity Level: Medium
Reason: An RC4 cipher was detected. RC4 is considered insecure.
Investigation: Investigate whether some software or malware was installed on either of the endpoints of the weakly encrypted connection.
Mitigation: Enforce at least TLS v1.2 for all internal servers and for workstations. If a site frequently used by your company employs a lower SSL/TLS version, consider contacting the webmaster of the site in question to request an upgrade.
Description: A host is using the encrypted Tor network. If the IT security department is not aware of its usage, this could be the product of malicious activity such as illegal peer2peer usage, data exfiltration, or malware/ransomware.
Severity Level: High
Reason: Multiple certificates looking like Tor certificates were seen. Tor usage is generally unwanted because it hides network activity, which may be an attempt to cover up copyright infringement, illegal activity, data exfiltration, malware or ransomware.
Investigation: Investigate the remote hosts to see if they match known Tor relays.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Investigate whether the user of the workstation is aware of Tor usage.
If user is unaware of Tor usage, a breach may have occurred and the Tor connection is being used for exfiltration.
Initiate Incident Response.
Description: A file with a filename or hash value that is blacklisted is observed in the network communication with the given host.
Severity Level: High
Reason: A file matching a known malicious file hash or filename was transferred over the network.
Investigation: Make a full antivirus scan on the source host and find information about the file being transferred and the two endpoints to determine whether this transfer is legitimate. If one endpoint is a remote host, find information on the domain and on other interactions with that domain.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Investigate malware severity using online resources such as VirusTotal. Look for other notifications from the host that can indicate that other hosts in the network are infected.
If the malware type is linked to an Advanced Persistent Threat, initiate Incident Response.
Description: A domain name that is blacklisted is observed in the network communication with the given host.
Severity Level: Medium
Reason: The host made a DNS request for a known malicious domain. This can indicate that the host has been infected and is trying to communicate with a Command & Control server or download additional malware modules.
Investigation: Investigate the domain using e.g. VirusTotal. Do a full antivirus scan to discover whether the malware is still on the host and attempt to remove it. Search for context using the Notification Search and the Metadata Search to determine whether the host has shown other suspicious activity indicating spread in the network.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Block the domain in your firewall.
Description: An HTTP request or response containing blacklisted data is observed in the network communication with the given host.
Severity Level: Medium
Reason: An Indicator of Compromise was found in an HTTP connection in one of the following fields: host header, referrer header, user agent header, x-forwarded-for header, or the URL.
Investigation: Look in the metadata of the associated HTTP connection, and search for the offending field using the Metadata Search to determine whether the activity looks benign or malicious. Validate the information using for example Virustotal.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Block the value in your firewall, DNS filter and web proxies.
Description: An encrypted connection containing data (handshake) that is blacklisted is observed in the network communication with the given host.
Severity Level: High
Reason: The Server Name Indication (SNI) of the SSL/TLS connection matches a known malicious domain.
Investigation: Make a full antivirus scan of the source host to detect whether the machine has downloaded malicious software from the domain. Search for more notifications and metadata regarding the source host to determine whether other suspicious activity has occurred.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Investigate if other hosts have contacted the domain or any related domains.
Description: An SSH server’s public key is known to be related to malicious activity.
Severity Level: High
Reason: The SSH host key of a host is known to be connected to malicious activity.
Investigation:
Search for more information on the SSH host key and the IP address of the offending host to determine whether this could be legitimate.
Check the data attached to the notification or search for more using the Metadata search to find more details on the connection and other connections made by the host, or search for more suspicious behaviour by searching for other notifications for the same host.
Mitigation:
- Benign behaviour:
Whitelist as narrowly as possible, so be sure to include the SSH host key that generated a false positive as a description match.
- Malicious behaviour:
Cut off network connection to infected machine.
Consider enabling FREKI Autoprevent for this notification type so that the connection can be cut off in the future.
Initiate Incident Response.
Description: The host presented a certificate known to be used by malware.
Severity Level: Medium
Reason: The certificate used in an SSL connection is known to be connected to malicious activity.
Investigation: Search more information on the certificate to determine if this could be legitimate. Check the data attached to the notification or search for more using the Metadata search to find more details on the connection and other connections made by the host, or search for more suspicious behaviour by searching for other notifications for the same host.
Mitigation:
- Benign behaviour:
Whitelist as narrowly as possible, so be sure to include the certificate hash that generated an FP as a description match.
- Malicious behaviour:
Cut off network connection to infected machine.
Consider enabling FREKI Autoprevent for this notification type so that the connection can be cut off in the future.
Initiate Incident Response.
Description: The given host has communicated with a known malicious IP address.
Severity Level: Medium
Reason: The source IP or destination IP of a connection is known to be malicious.
Investigation: Search more information on the IP address to determine if this could be legitimate. Check the data attached to the notification or search for more using the Metadata search to find more details on the connection and other connections made by the host, or search for more suspicious behaviour by searching for other notifications for the same host.
Mitigation:
- Benign behaviour:
Whitelist as narrowly as possible, so be sure to include the IP that generated an FP as a description match.
- Malicious behaviour:
Cut off network connection to infected machine.
Consider enabling FREKI Autoprevent for this notification type so that the connection can be cut off in the future.
Initiate Incident Response.
Description: A host made a number of connections to a port known to be related to a Peer-to-Peer protocol other than BitTorrent.
Severity Level: Low
Reason: Peer-to-peer traffic is suspected because a host transferred more than 100kb to 5 or more ports known to be associated with peer-to-peer protocols other than BitTorrent. This is unwanted because it is often used to break copyright laws. Ports of interest are the following: 6346 TCP+UDP, 32285 TCP+UDP, 4661 TCP+UDP, 4662/TCP, 4672/UDP.
Investigation: Investigate the remote IPs or domains to determine whether the connection has been correctly flagged as peer-to-peer traffic.
Mitigation:
Prevent the use of peer-to-peer clients on workstations.
Block the specified ports in your firewall.
Description: Bittorrent traffic is suspected because a host transferred more than 100kb to 5 or more ports known to be associated with usage of Bittorrent. This is unwanted because it is often used to break copyright laws. Ports of interest are the following: 6881-6969 TCP+UDP, 5353 TCP+UDP, 5355 TCP+UDP, 1540-1542 TCP+UDP, 1545 TCP+UDP, 1550 TCP+UDP, 1626 TCP, 1627 TCP, 1900 UDP, 6653 TCP, 7946 TCP+UDP, 7946 UDP, 19812 TCP.
Severity Level: Low
Reason: Bittorrent traffic is suspected because a host transferred more than 100kb to 5 or more ports known to be associated with Bittorrent usage. This is unwanted because it is often used to break copyright laws. Ports of interest are the following: 6881-6969 TCP+UDP, 5353 TCP+UDP, 5355 TCP+UDP, 1540-1542 TCP+UDP, 1545 TCP+UDP, 1550 TCP+UDP, 1626 TCP, 1627 TCP, 1900 UDP, 6653 TCP, 7946 TCP+UDP, 7946 UDP, 19812 TCP.
Investigation: Investigate the remote IPs or domains to determine whether the connection has been correctly flagged as Bittorrent traffic.
Mitigation:
Prevent the use of Bittorrent clients on workstations.
Block the specified ports in your firewall.
Description: Peer-to-peer traffic is suspected because a host transfers a high amount of data on many connections at once. Peer-to-peer traffic is unwanted because it is often used to break copyright laws.
Severity Level: Low
Reason: Peer-to-peer traffic is suspected because a host transfers a high amount of data on many connections at once. Peer-to-peer traffic is unwanted because it is often used to break copyright laws.
Investigation: Investigate the remote IPs or domains to determine whether the connection has been correctly flagged as peer-to-peer.
Mitigation: Prevent the use of peer-to-peer clients on workstations.
Description: An outgoing Remote Desktop connection was made from inside the network to a remote server.
Severity Level: Low
Reason: An RDP connection was made between an internal host and an external one. The connection may be either inbound or outgoing.
Investigation: Investigate the remote IP or domain to see whether the connection is legitimate. Investigate any IPs or domains you don't know.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Cut off network connection to infected machine.
Find and disable the malware making the connection.
Consider enabling FREKI Autoprevent for this notification type so that the connection can be cut off in the future.
Initiate Incident Response.
Description: Excessive domain-not-found responses from the DNS server could be an indicator of malware or a misconfigured application. Pay attention to the host/domain names provided by this notification.
Severity Level: Low
Reason: Domain not found responses seen for multiple unique domains in a short time frame for a single IP. This can reveal some types of C2 servers.
Investigation: Look at the domain names and investigate any domains looking suspicious.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Cut off network connection to infected machine.
Find and disable the malware making the connection.
Consider enabling FREKI Autoprevent for this notification type so that the connection can be cut off in the future.
Initiate Incident Response.
Description: DNS as a tunnel can be established to hide data inside DNS requests. This can turn into a real threat when malicious software uses DNS to get data out of the network or receive commands/updates from a command and control server.
Severity Level: Medium
Reason: Multiple large DNS requests (>90 bytes) or large DNS responses with a large payload (>512 bytes) were detected.
Investigation: Look at the DNS queries to determine if the traffic looks benign or malicious by looking for known domains. Investigate any domains you don’t know.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Cut off network connection to infected machine.
Find and disable the malware making the connection.
Consider enabling FREKI Autoprevent for this notification type so that the connection can be cut off in the future.
Initiate Incident Response.
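The two DNS notices above (domain-not-found bursts and oversized queries or responses) are both simple checks over DNS records. The following is an added example of both checks run over constructed dns.log-style records; it is written for this page and is not MUNINN's own detection code. The 90-byte query and 512-byte response limits are the ones stated above; the burst parameters (10 unique names within 60 seconds) and the minimum of 5 oversized events are assumptions, since the page only says "multiple" and "a short time frame". Query size is approximated by the length of the queried name.

```python
from collections import defaultdict, deque

# Limits stated on the page
LARGE_QUERY_BYTES = 90         # DNS requests larger than 90 bytes
LARGE_RESPONSE_BYTES = 512     # DNS responses larger than 512 bytes
# Assumed values: the page gives no numbers for "multiple" or "short time frame"
NXDOMAIN_UNIQUE_NAMES = 10
NXDOMAIN_WINDOW_SECONDS = 60.0
TUNNEL_MIN_EVENTS = 5

# Constructed sample in the shape of dns.log fields (not captured traffic):
# (ts, client_ip, query, rcode_name, response_bytes)
SAMPLE_DNS = (
    # a client resolving a burst of unique names that do not exist (DGA-like behaviour)
    [(1000.0 + 2 * i, "10.0.0.21", f"h{i:02d}q7vk.example.test", "NXDOMAIN", 0) for i in range(12)]
    # a client whose first label carries about 80 bytes of data per query (tunnel-like)
    + [(2000.0 + i, "10.0.0.22", "ab" * 40 + f"{i}.t.example.net", "NOERROR", 120) for i in range(6)]
    # ordinary traffic: a single typo is not a burst
    + [(3000.0, "10.0.0.23", "www.example.com", "NOERROR", 90),
       (3001.0, "10.0.0.23", "www.exmaple.com", "NXDOMAIN", 0)]
)


def nxdomain_bursts(records, unique_names=NXDOMAIN_UNIQUE_NAMES, window=NXDOMAIN_WINDOW_SECONDS):
    """Clients that received NXDOMAIN for at least `unique_names` distinct names
    within a trailing `window`-second span. Returns {client: names in that window}."""
    recent = defaultdict(deque)          # client -> (ts, name), oldest first
    flagged = {}
    for ts, client, name, rcode, _size in sorted(records):
        if rcode != "NXDOMAIN":
            continue
        q = recent[client]
        q.append((ts, name))
        while ts - q[0][0] > window:     # expire entries older than the window
            q.popleft()
        names = {n for _, n in q}
        if len(names) >= unique_names:
            flagged[client] = names
    return flagged


def dns_tunnel_suspects(records, min_events=TUNNEL_MIN_EVENTS):
    """Clients with at least `min_events` oversized queries or responses.
    Query size is approximated by the byte length of the queried name."""
    hits = defaultdict(list)
    for _ts, client, name, _rcode, response_bytes in records:
        if len(name.encode()) > LARGE_QUERY_BYTES or response_bytes > LARGE_RESPONSE_BYTES:
            hits[client].append(name)
    return {client: names for client, names in hits.items() if len(names) >= min_events}


if __name__ == "__main__":
    for client, names in nxdomain_bursts(SAMPLE_DNS).items():
        print(f"NXDOMAIN burst from {client}: {len(names)} unique names")
    for client, names in dns_tunnel_suspects(SAMPLE_DNS).items():
        print(f"possible DNS tunnel from {client}: {len(names)} oversized queries")
```

Counting unique names rather than raw NXDOMAIN responses is what separates a misbehaving resolver retrying one bad name from a host walking through generated domains; the investigation step above, reading the names themselves, is still needed to tell a DGA from a broken application.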
Description: Anomaly at a given point in time detected by the Machine Learning algorithm. You can adjust the sensitivity of the anomaly detection in the settings menu.
Severity Level: Low
Reason: A connection was deemed anomalous on account of having an unusual combination of sent bytes, received bytes and duration for the network.
Investigation: Look at the associated metadata to determine if the activity behind the notification is malicious.
Mitigation: If you are getting a lot of these notifications, consider turning down the Point Anomaly Event Sensitivity setting.
Description: Interaction between a client and a server was deemed anomalous on account of when the interaction happened. Had the interaction taken place at another time it might not have been out of the ordinary. You can adjust the sensitivity of the contextual anomaly detection in the settings menu.
Severity Level: Low
Reason: Interaction between a client and a server was deemed anomalous on account of when the interaction happened. Had the interaction taken place at another time, it might not have been out of the ordinary.
Investigation: Investigate the endpoints and type of traffic to find out what type of action was performed, and information about the endpoints to determine if the transfer could be caused by a malicious entity. One example could be a user logging in using a VPN connection late at night, downloading data from a server the user does not usually use at that time of the day. If the transaction looks suspicious, search in Notifications and Metadata to find other suspicious activity relating the originating host.
Mitigation:
Benign behaviour:
If you are getting a lot of these notifications, consider turning down the sensitivity of the machine learning model a bit. This is done in the settings menu, and should be done for the contextual anomaly detection, named Dyadic Anomaly Event Sensitivity.
Malicious behaviour:
Cut off internet access to the infected machine.
Initiate incident response.
Description: Interaction between a client and a server was deemed anomalous on account of how much data was transferred during that interaction. Had there been less data sent and received, it might not have been out of the ordinary. You can adjust the sensitivity of the contextual anomaly detection in the settings menu.
Severity Level: Low
Reason: Interaction between a client and a server was deemed anomalous on account of how much data was transferred during that interaction. Had there been less data sent and received, it might not have been out of the ordinary.
Investigation: Investigate the endpoints and type of traffic to find out more info on the data transfer, including info on the endpoints to determine if the transfer could be caused by a malicious entity. If the transaction looks suspicious, search in Notifications and Metadata to find other suspicious activity relating to the originating host.
Mitigation:
Benign behaviour:
If you are getting a lot of these notifications, consider turning down the sensitivity of the machine learning model a bit. This is done in the settings menu, and should be done for the contextual anomaly detection, named Dyadic Anomaly Event Sensitivity.
Malicious behaviour:
Cut off internet access to the infected machine.
Initiate incident response.
Description: Interaction between a client and a server was deemed anomalous on account of a mix of different circumstances. Had the circumstances been different it might not have been out of the ordinary for them to interact. You can adjust the sensitivity of the contextual anomaly detection in the settings menu.
Severity Level: Low
Reason: Interaction between a client and a server was deemed anomalous on account of a mix of different circumstances. Had the circumstances been different, it might not have been out of the ordinary for them to interact.
Investigation: Investigate the endpoints and type of traffic to find out what type of action was performed. If the transaction looks suspicious, search in Notifications and Metadata to find out if one of the machines is attacking or is being attacked from other devices in the network.
Mitigation:
Benign behaviour:
If you are getting a lot of these notifications, consider turning down the sensitivity of the machine learning model a bit. This is done in the settings menu, and should be done for the contextual anomaly detection, named Dyadic Anomaly Event Sensitivity.
Malicious behaviour:
Cut off Internet access to the infected machine.
Initiate incident response.
Description: Interaction between a client and a server was deemed anomalous on account of those two not having interacted using that service before. Had the service been different, it might not have been out of the ordinary for them to interact. You can adjust the sensitivity of the contextual anomaly detection in the settings menu.
Severity Level: Low
Reason: Interaction between a client and a server was deemed anomalous on account of those two not having interacted using that service before. Had the service been different, it might not have been out of the ordinary for them to interact.
Investigation: Investigate the endpoints and type of traffic to find out what type of action was performed. If the transaction looks suspicious, search in Notifications and Metadata to find out if one of the machines is attacking or is being attacked from other devices in the network.
Mitigation:
Benign behaviour:
If you are getting a lot of these notifications, consider turning down the sensitivity of the machine learning model a bit. This is done in the settings menu, and should be done for the contextual anomaly detection, named Dyadic Anomaly Event Sensitivity.
Malicious behaviour:
Cut off internet access to the infected machine.
Initiate Incident response.
Description: Interaction between a client and a server was deemed anomalous on account of those two not having interacted before. You can adjust the sensitivity of the contextual anomaly detection in the settings menu.
Severity Level: Low
Reason: Interaction between a client and a server was deemed anomalous on account of those two not having interacted before.
Investigation: Investigate the endpoints and type of traffic to find out what type of action was performed. If the transaction looks suspicious, search in Notifications and Metadata to find out if one of the machines is attacking or is being attacked from other devices in the network.
Mitigation:
Benign behaviour:
If you are getting a lot of these notifications, consider turning down the sensitivity of the machine learning model a bit. This is done in the settings menu, and should be done for the contextual anomaly detection, named Dyadic Anomaly Event Sensitivity.
Malicious behaviour:
Cut off internet access to the infected machine.
Initiate incident response.
Description: Interaction between a client and a server was deemed anomalous on account of those two not having interacted using that port before. Had the port been different it might not have been out of the ordinary for them to interact. You can adjust the sensitivity of the contextual anomaly detection in the settings menu.
Severity Level: Low
Reason: Interaction between a client and a server was deemed anomalous on account of those two not having interacted using that port before. Had the port been different, it might not have been out of the ordinary for them to interact.
Investigation: Investigate the endpoints and type of traffic to find out what type of action was performed. If the transaction looks suspicious, search in Notifications and Metadata to find out if one of the machines is attacking or is being attacked from other devices in the network.
Mitigation:
Benign behaviour:
If you are getting a lot of these notifications, consider turning down the sensitivity of the machine learning model a bit. This is done in the settings menu, and should be done for the contextual anomaly detection, named Dyadic Anomaly Event Sensitivity.
Malicious behaviour:
Cut off internet access to the infected machine.
Initiate incident response.
Description: Interaction between a client and a server was deemed anomalous on account of those two not having interacted using that service on that port before. Had either the port or service been different it might not have been out of the ordinary for them to interact. You can adjust the sensitivity of the contextual anomaly detection in the settings menu.
Severity Level: Low
Reason: Interaction between a client and a server was deemed anomalous on account of those two not having interacted using that service on that port before. Had either the port or service been different, it might not have been out of the ordinary for them to interact.
Investigation: Investigate the endpoints and type of traffic to find out what type of action was performed. If the transaction looks suspicious, search in Notifications and Metadata to find out if one of the machines is attacking or is being attacked from other devices in the network.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Find and disable the malware making the connection.
Consider enabling FREKI Autoprevent for this notification type so that the connection can be cut off.
Initiate Incident Response.
Description: Several file rename commands through the SMB protocol were detected within a short amount of time. This activity can be caused by malware that attempts to encrypt files on network shares.
Severity Level: Medium
Reason: More than 14 files on an SMB share were renamed in 60 seconds or less. This can be caused by some types of malware, especially ransomware, which attempts to encrypt files on network shares.
Investigation: From the filenames, and by looking at the changes to the files, determine if an actual attack is going on.
Mitigation:
Benign behaviour:
If this is the result of an automatic operation, whitelist as narrowly as possible (maybe even down to specific file names).
Malicious behaviour:
Consider enabling FREKI AutoPrevent blocking of this notice type.
Cut Internet to the attacking machine and initiate incident response.
Description: Communication between local machines and external mining pools were detected. This activity can be caused by malware that attempts to use the CPU power of hosts to mine crypto currencies.
Severity Level: Medium
Reason: The host made a DNS request matching a known crypto currency mining pool.
Investigation: Look at the attached Metadata or search for more to determine whether this is actual mining activity.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Initiate Incident Response.
Consider enabling FREKI Autoprevent.
Description: Reverse SSH is a technique through which you can access systems that are behind a firewall from the outside world.
Severity Level: Medium
Reason: The host established a Reverse SSH tunnel to an external host, allowing access past the firewall.
Investigation: Ensure the connection is legitimate and search for Metadata to find clues of other malicious activity.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Find and disable the malware making the connection.
Consider enabling FREKI Autoprevent for this notification type so that the connection can be cut off.
Initiate Incident Response.
Description: A Secure Shell has been established with an external address. Ensure the connection is legitimate.
Severity Level: Low
Reason: The host established an SSH connection to an external address.
Investigation: Verify that this specific connection is supposed to happen, and check the remote host for information as to whether the connection is malicious.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Find and disable the piece of software making the connections.
Consider enabling FREKI Autoprevent to cut off the connection.
If the connection is made to a malicious server, initiate Incident Response.
Description: A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.
Severity Level: High
Reason: The host made more than 30 unsuccessful NTLM authentication attempts within 1 minute. This could be a configuration error or a brute force attack.
Investigation:
Check whether it’s the same username that is being tried.
Check the host configuration to see if a legitimate but incorrectly set up program is generating the failures.
Search for other suspicious activity from the host using a Notification Search.
Mitigation:
Benign behaviour:
Fix any configuration errors.
Malicious behaviour:
Investigate the source of the brute-force attack to find out whether your network has been compromised.
Description: An HTTP brute-force attack consists of an attacker submitting many username/password combinations to gain access to a system using HTTP basic authentication.
Severity Level: Medium
Reason: The host had more than 15 failed authentication attempts with different user-password combinations within 10 minutes.
Investigation: In Muninn’s Metadata Search, search in the HTTP traffic to check the usernames being used and see if they look like benign authentication attempts.
Mitigation: Find the piece of software responsible for the attempts and fix the problem.
Description: A host has repeatedly tried to authenticate to an HTTP basic authentication server with the same user-password combination, indicating a misconfiguration.
Severity Level: Low
Reason: The host had more than 30 failed authentication attempts with the same user-password combination within 15 minutes.
Investigation:
Check if there’s a misconfiguration on the client.
If this occurs for multiple clients connecting to the same server, check if there’s a misconfiguration on the server.
Mitigation: Correct the misconfiguration.
Description: Failed SSH logon attempts indicate a brute-force attack or a misconfigured server.
Severity Level: Medium
Reason: The number of SSH login failures crossed 40 failed attempts per successful attempt within 5 minutes.
Investigation:
Check whether it’s a configuration error.
Check if it’s generated by a user.
Search for more suspicious behaviour from the same host.
Mitigation:
Fix any configuration errors.
Make sure the victim host is only accessible from the Internet if it should be.
Consider restricting SSH access to named IP addresses or ranges on the local network.
If this host should be publicly accessible, enforce strong security measures and whitelist this notification for the externally accessible host.
Description: Sensitive files are files whose filename contains words related to passwords or other sensitive data.
Severity Level: Medium
Reason: The host accessed a file on an SMB share with a name which could be sensitive, such as password.txt or the like.
Investigation: Check the file to see if it is actually sensitive.
Mitigation:
If the file contains a password or other sensitive information in clear text, move the data to a safe location such as a password manager.
Whitelist for this exact host + file combination if it is desired that this host can access the file.
If the file is not sensitive, whitelist the file path and server IP.
Description: An HTTP crawler is unwanted because it will often result in a ban of your external IP.
Severity Level: Medium
Reason: The host made more than 5 HTTP requests for a robots.txt file within 1 minute.
Investigation: If an internal host is crawling a website, investigate which piece of software is causing these requests. If an external attacker is crawling a web server on your network, check reputation of the IP.
Mitigation:
Uninstall the responsible piece of software as quickly as possible, as this behaviour can get your public IP banned.
For external attackers, consider blocking their IP in your firewall.
Description: An internal host is scanning external addresses.
Severity Level: High
Reason: The host unsuccessfully tried connecting to 48 or more IP addresses in 3 minutes on a specific port outside of the internal network. The specific port scanned is shown in the description of the notification.
Investigation:
Check if the host is supposed to do the scan, e.g. a vulnerability scanner, or administrator workstation.
Verify with the user of the device if this is expected behaviour or not.
If this is a true positive, it is important to investigate which tools on the device performed the operation, and how it was installed on the system.
Check if the host has a misconfiguration.
Check if there are any other signs of suspicious activity using Notification Search and Metadata Search.
If this may be due to malicious activity, investigate the remote IP or domain to see if it matches known malicious servers.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Monitor for scanning tools on device where possible.
Description: An internal host is performing a port scan against an external machine.
Severity Level: High
Reason: The host unsuccessfully tried connecting to 48 or more ports on a remote machine on the internet in 3 minutes.
Investigation:
Check if the host is supposed to do the scan, e.g. a vulnerability scanner, or administrator workstation.
Verify with the user of the device if this is expected behaviour or not.
If this is a true positive, it is important to investigate which tools on the device performed the operation, and how it was installed on the system.
Check if there is a misconfiguration on the machine.
Check if there are any other signs of suspicious activity using Notification Search and Metadata Search.
If this may be due to malicious activity, investigate the remote IP or domain to see if it matches known malicious servers.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Monitor for scanning tools on device where possible.
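The rate rules in the SMB rename, NTLM brute-force and external port scan entries above are all sliding-window counts (events or distinct values per source within a fixed number of seconds). The following added Python example, which is not MUNINN or FREKI code, implements that general windowed-threshold check with those three thresholds and runs it over constructed event records; the event field names and sample addresses are assumptions made for the example.

```python
"""Sliding-window threshold checks modelled on the notification rules above. Added
example, not MUNINN/FREKI code; event fields and sample addresses are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    window_s: int                    # sliding window length in seconds
    threshold: int                   # fire when the in-window count reaches this value
    match: Callable[[dict], bool]    # does the event count toward the rule?
    group: Callable[[dict], str]     # one window per group (source, or source|destination)
    key: Callable[[dict], str] = lambda e: ""  # what is counted when distinct=True
    distinct: bool = False           # count distinct keys instead of events

RULES = [
    # "More than 14 files on an SMB share were renamed in 60 seconds or less"
    Rule("smb_mass_rename", "Medium", 60, 15,
         lambda e: e["type"] == "smb_rename", lambda e: e["src"]),
    # "more than 30 unsuccessful NTLM authentication attempts within 1 minute"
    Rule("ntlm_bruteforce", "High", 60, 31,
         lambda e: e["type"] == "ntlm_auth" and not e["success"], lambda e: e["src"]),
    # "48 or more ports on a remote machine on the internet in 3 minutes": per src|dst pair
    Rule("external_port_scan", "High", 180, 48,
         lambda e: e["type"] == "conn" and e["failed"] and not e["dst_internal"],
         lambda e: e["src"] + "|" + e["dst"],
         key=lambda e: str(e["dst_port"]), distinct=True),
]

class WindowCounter:
    """Events within the last window_s seconds plus per-key occurrence counts."""
    def __init__(self, rule):
        self.rule = rule
        self.events = deque()            # (ts, key), oldest first
        self.counts = defaultdict(int)
    def add(self, ts, key):
        self.events.append((ts, key))
        self.counts[key] += 1
        # evict everything older than the window, relative to the newest event
        while ts - self.events[0][0] > self.rule.window_s:
            _, old_key = self.events.popleft()
            self.counts[old_key] -= 1
            if self.counts[old_key] == 0:
                del self.counts[old_key]
        return len(self.counts) if self.rule.distinct else len(self.events)

def detect(events, rules=RULES):
    """Stream events in timestamp order; return (rule, severity, group, ts) per
    notification. A rule fires once per group until its window drains again."""
    windows, firing, notes = {}, set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        for r in rules:
            if not r.match(e):
                continue
            g = r.group(e)
            n = windows.setdefault((r.name, g), WindowCounter(r)).add(e["ts"], r.key(e))
            if n < r.threshold:
                firing.discard((r.name, g))
            elif (r.name, g) not in firing:
                firing.add((r.name, g))
                notes.append((r.name, r.severity, g, e["ts"]))
    return notes

def sample_events():
    """Constructed traffic: three bursts that should fire, two that should not."""
    ev = []
    # ransomware-like burst: 20 renames on a share within 20 s -> fires
    ev += [{"ts": 1000 + i, "type": "smb_rename", "src": "10.0.0.5",
            "path": f"//fileserver/docs/report{i}.docx.locked"} for i in range(20)]
    # benign backup job: 10 renames spread over 4.5 min (never 15 in 60 s) -> silent
    ev += [{"ts": 2000 + 30 * i, "type": "smb_rename", "src": "10.0.0.7",
            "path": f"//fileserver/backup/part{i}.bak"} for i in range(10)]
    # port scan: 60 distinct ports on one external address in 2 min -> fires
    ev += [{"ts": 3000 + 2 * i, "type": "conn", "src": "10.0.0.9", "dst": "203.0.113.9",
            "dst_port": 1 + i, "failed": True, "dst_internal": False} for i in range(60)]
    # retries: 60 failed connects to one port (1 distinct port, not a scan) -> silent
    ev += [{"ts": 4000 + 2 * i, "type": "conn", "src": "10.0.0.11", "dst": "203.0.113.10",
            "dst_port": 443, "failed": True, "dst_internal": False} for i in range(60)]
    # NTLM: 35 failed authentications in 35 s against the domain controller -> fires
    ev += [{"ts": 5000 + i, "type": "ntlm_auth", "src": "10.0.0.12", "dst": "10.0.0.2",
            "success": False} for i in range(35)]
    return ev
```

Running `detect(sample_events())` yields one notification each for the rename burst, the port scan and the NTLM failures, while the slow backup job and the single-port retries stay below their thresholds.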
Description: A host connected to a domain which is known to be used for online filesharing. This is mainly unwanted for compliance reasons, and also because it is often beneficial to be able to control where company data is stored. If this particular service should be allowed, whitelist it.
Severity Level: Low
Reason: A host tried connecting to a domain which is known to be used for online file sharing. Watched services include: Google Drive, Dropbox, Box, iCloud, MediaFire, mega.nz etc.
Investigation: From Muninn’s Metadata Search, find the amount of data and DNS requests to determine how many files and how much data was transferred. Determine whether the use of this file sharing service complies with company policy.
Mitigation: If the host's use of the service does not comply with company policy, consider blocking the traffic in your firewall.
Description: A connection to an external SMTP e-mail server was made.
Severity Level: Medium
Reason: The host made a connection to an external SMTP e-mail server. Some malware types use SMTP to communicate with an adversary-controlled server or exfiltrate data.
Investigation: If this machine doesn’t usually use the SMTP protocol, investigate whether it has generated other suspicious notifications or requests to the remote host using Muninn’s Notification Search or Metadata Search. Investigate the remote host to see if it’s a known malicious server, IP or domain.
Mitigation:
Benign behaviour:
Enforce the use of internal SMTP servers and whitelist them.
If this external SMTP server is approved, whitelist this category for the remote host.
If the use of external SMTP servers is allowed under company policy, whitelist this category.
Malicious behaviour:
Block outbound SMTP for all hosts except SMTP servers.
Investigate the SMTP traffic.
Make a full antivirus scan on the potentially infected machine.
Look for other notifications for the machine which indicate spread of malware in the network.
Description: A connection to an external IMAP e-mail server was made.
Severity Level: Medium
Reason: The host made a connection to an external IMAP e-mail server. Some malware uses IMAP to communicate with an adversary-controlled server.
Investigation: If this machine doesn’t usually use external IMAP servers, investigate whether it has generated other suspicious notifications or requests to the remote host using Muninn’s Notification Search or Metadata Search.
Mitigation:
Benign behaviour:
Enforce the use of internal IMAP servers.
If this external IMAP server is approved, whitelist this category for the remote host.
If use of external IMAP servers is allowed under company policy, whitelist this category.
Malicious behaviour:
Make a full antivirus scan on the potentially infected device.
Description: A connection to an external POP3 e-mail server was made.
Severity Level: Low
Reason: The host made a connection to an external POP3 e-mail server. Some malware uses POP3 to communicate with an adversary-controlled server.
Investigation: If this machine doesn’t usually use external POP3 servers, investigate whether it has generated other suspicious notifications or requests to the remote host using Muninn’s Notification Search or Metadata Search.
Mitigation:
Benign behaviour:
Enforce the use of Internal POP3 servers.
If this external POP3 server is approved, whitelist this category for the remote host.
If use of external POP3 servers is allowed under company policy, whitelist this category.
Malicious behaviour:
Make a full antivirus scan on the potentially infected device.
Description: A host queried a DNS server outside the local network. This is unwanted, as it can be an attempt to circumvent monitoring of network activity or blockages of certain sites.
Severity Level: Low
Reason: A host queried a DNS server outside the local network. This is unwanted, as it can be an attempt to circumvent monitoring of network activity or blockages of certain sites.
Investigation: Check whether it’s a legitimate internal DNS server. If strict DNS policies are already in place, investigate if the host has made any other unusual notifications or requests using Muninn’s Notification Search or Metadata Search.
Mitigation:
Block DNS requests to external servers in your firewall for all hosts except DNS servers.
Enforce use of internal DNS servers on all workstations.
Whitelist for validated internal DNS servers, as they should be allowed to query externally.
If one or more specific external DNS servers are approved, whitelist them specifically for all hosts.
Whitelist this category if the use of external DNS servers is allowed under company policy.
Description: The host made a Remote Procedure Call used for dumping the credentials of a remote host.
Severity Level: High
Reason: The host made a Remote Procedure Call used in credential dumping attacks as well as normal Domain Controller operation.
Investigation: Disregard notice if the originator and responder are both Domain Controllers, or if the originator is an administrator workstation doing diagnostics.
Mitigation:
Benign behaviour:
Whitelist as narrowly as possible.
Malicious behaviour:
Verify that FREKI Autoprevent is blocking further attempts.
If not, consider enabling FREKI Autoprevent or check blocking settings.
Initiate incident response.
Description: The host made a Remote Procedure Call used for clearing event logs or forcing a shutdown/reboot. Clearing event logs can be an attempt towards covering the traces of malicious activity.
Severity Level: Medium
Reason: The host made a Remote Procedure Call which can be used to clear event logs remotely or force a reboot to hide traces of malicious activity.
Investigation: Investigate the originating host. Check if it’s a Domain Controller or an administrator workstation, and whether the machine is supposed to do this. Use Muninn’s metadata search to find other traffic to or from the machine, and determine from the circumstances whether it’s a true positive.
Mitigation:
Benign behaviour:
Whitelist the behaviour as narrowly as possible.
Malicious behaviour:
Verify that FREKI Autoprevent is blocking further attempts.
If not, consider enabling FREKI Autoprevent or check blocking settings.
Initiate incident response.
Description: The host made a Remote Procedure Call used to execute code on a remote machine.
Severity Level: High
Reason: A Remote Procedure Call used for executing code on a remote machine has been executed.
Investigation: Find information on the RPC endpoint and operation specified in the notification. Check whether the source of the request is a domain controller or an IT administrator, and if any legitimate domain policies could have generated this activity.
Mitigation: If this notice appears repeatedly from the same host when making legitimate requests, whitelist this notification category for this source. If it only appears between a couple of host pairs, whitelist these individually to whitelist as narrowly as possible.
Description: A file was written to an SMB admin share, and an execute command was issued. This is dangerous and can be a sign of malicious activity in the network.
Severity Level: High
Reason: A write command was issued to an SMB admin share (Windows hidden admin shares are most commonly c$, admin$ and ipc$) followed by an RPC execute command. This is dangerous and can be an attacker’s attempt at remote code execution on the target machine.
Investigation: Find information on the RPC endpoint and operation specified in the notification. Check whether the source of the request is a domain controller or an IT administrator, and if any legitimate domain policies could have generated this activity.
Mitigation: If this notice appears repeatedly from the same host when making legitimate requests, whitelist this notification category for this source. If it only appears between a couple of host pairs, whitelist these individually to whitelist as narrowly as possible.
Description: A Remote Procedure Call used for establishing persistent access to a host has been executed. These comprise port monitors and DLLs used for remote access.
Severity Level: Medium
Reason: A Remote Procedure Call (RPC) associated with establishing persistent access to a host has been executed. These comprise port monitors and DLLs used for remote access. A port monitor is a technique allowing a malicious actor to open a listening port on an infected machine by sending a special packet to the port even though it’s closed. This allows for persistence on the machine. The RPC endpoint and operation can be seen in the notification details.
Investigation: Find information on the RPC endpoint and operation specified in the notification. Check whether the source of the request is a domain controller or an IT administrator, and if any legitimate domain policies could have generated this activity.
Mitigation: If this notice appears repeatedly from the same host when making legitimate requests, whitelist this notification category for this source. If it only appears between a couple of host pairs, whitelist these individually to whitelist as narrowly as possible.
Description: An external server presented an expired SSL certificate.
Severity Level: Low
Reason: An external server presented an expired SSL certificate. Specifically, the NotValidAfter date value has lapsed.
Investigation: Verify that the certificate is invalid and find out whether it’s a service under your control. If it is, renew the certificate or remove the service. If not, check the metadata to make sure the notification was generated for a legitimate website by looking for suspicious domains.
Mitigation:
Your services:
Create a procedure for logging the lifespan of certificates, and renew them before the expiry date.
Use an automated process to renew certificates, such as the ACME protocol, which is also used for Let’s Encrypt certificates.
Respond to MUNINN’s notification that a certificate is about to expire, for example by raising the severity of that notification type.
External services:
If the website was legitimate but has an expired SSL certificate, temporarily block the domain in your firewall and notify the website owner.
If the website was malicious, permanently block it in your firewall and/or upgrade this notification to high for the specific server and enable FREKI Autoprevent for the notification type.
Description: An internal server presented an expired SSL certificate.
Severity Level: Medium
Reason: An internal server presented an expired SSL/TLS certificate.
Investigation: Check the metadata to make sure the notification was generated for a legitimate internal server. If you cannot recognize the server, it might be an attacker in the network who has set up a rogue server in an attempt to move around laterally in the network.
Mitigation:
Benign behaviour:
Create a procedure for logging the lifespan of certificates, and renew them before the expiry date.
Use an automated process to renew certificates, such as the ACME protocol, which is also used for Let’s Encrypt certificates.
Respond to MUNINN’s notification that a certificate is about to expire, for example by raising the severity of that notification type.
Malicious behaviour:
Launch Incident Response.
Description: An external server presented an SSL certificate which will expire soon.
Severity Level: Low
Reason: An external server presented an SSL certificate which is about to expire.
Investigation: Check the metadata associated with the notification or do a metadata search to find the traffic causing the notification. Look for suspicious domain names.
Mitigation:
If the site is legitimate but has a configuration error, notify the domain owner so that they can correct the error.
If the site is malicious, block it in your firewall.
Description: An internal server presented an SSL certificate which will expire soon.
Severity Level: Low
Reason: An internal server presented an SSL certificate which will expire within 30 days.
Investigation: Find the IP of the server in this notification and find the hostname by searching for the IP in MUNINN’s asset table.
Mitigation: Renew the certificate for services.
Description: An external server presented an SSL certificate which is not valid yet.
Severity Level: Low
Reason: An external server presented an SSL certificate which is not yet valid. This could be a misconfiguration, but visiting such a site poses a security risk, especially if it is a frequently visited site, as such sites should have their certificates under control.
Investigation: Check the metadata associated with the notification or do a metadata search to find the traffic causing the notification. Look for suspicious domain names.
Mitigation:
If the site is legitimate but has a configuration error, notify the domain owner so that they can correct the error.
If the site is malicious, block it in your firewall.
Description: An internal server presented an SSL certificate which is not valid yet.
Severity Level: Low
Reason: An internal server presented an SSL certificate which is not yet valid. This could be a misconfiguration, or it could be an attacker who has set up a rogue webserver. Check whether the server is legitimate or not.
Investigation:
Check when the server has come online using MUNINN’s asset table.
Make sure that the server is legitimate.
Mitigation:
If the site is legitimate but has a configuration error, fix the certificates.
If the site is malicious, start incident response.
Description: An external server presented an invalid certificate.
Severity Level: Medium
Reason: For some reason, the validity of the certificate from the external server could not be verified. The reason it is considered invalid is detailed in the notification.
Investigation:
Find out why the certificate was invalid.
Find out which webserver has supplied the malformed certificate from the notification.
Gather more details on the traffic flowing to the server by searching for metadata for the host.
Make sure the local host hasn’t connected to a malicious site; few legitimate sites provide invalid SSL certificates.
Mitigation: If this is a company owned external IP and the server’s certificate is considered invalid because it is issued by your own root CA, whitelist this notification category for that server, but be sure to include the reason it is not considered valid and the CommonName of the certificates which are in fact valid for the best whitelisting.
Description: An internal server presented an invalid certificate.
Severity Level: Low
Reason: For some reason, the validity of the certificate from the internal server could not be verified. The reason it is considered invalid is detailed in the notification.
Investigation:
Find out why the certificate was invalid.
Find out which of your internal services has supplied the malformed certificate by checking MUNINN’s asset table.
Gather more details on the traffic flowing to the server by searching for metadata for the host.
Mitigation:
Make sure all certificates are valid.
If you have your own root CA, which MUNINN doesn’t trust, whitelist these notifications for all hosts but be sure to include the reason it is not considered valid and the CommonName of the certificates which are in fact valid for the best whitelisting.
Description: An SSL connection to an internal host uses an insecure SSL/TLS version, which is vulnerable to known attacks.
Severity Level: Medium
Reason: An SSL/TLS version of TLS 1.0 or any SSL version was detected on a connection to an internal server. These encryption protocols are considered insecure.
Investigation:
Find out which website uses an old encryption version by looking at metadata associated with this notification and by searching for SSL metadata associated with the host.
Using MUNINN’s asset table, find out which software has been seen on the client in order to know where to implement the steps suggested in the Mitigation section.
Mitigation:
Always use TLS 1.2 or higher.
Harden systems and browsers to only allow secure ciphers.
Request support for newer encryption protocols or consider switching to an alternative service supporting better encryption.
Description: An SSL connection to an internal host uses an insecure SSL/TLS version, which is vulnerable to known attacks.
Severity Level: Medium
Reason: An SSL/TLS version of TLS 1.0 or any SSL version was detected on a connection to an internal server. These encryption protocols are considered insecure.
Investigation:
Find out which internal service uses an old encryption version by looking at metadata associated with this notification and by searching for SSL metadata associated with the host.
Using MUNINN’s asset table, find out which software has been seen on the client in order to know where to implement the steps suggested in the Mitigation section.
Mitigation:
Make the newest TLS versions available server-side.
If all clients support it, enforce only TLS 1.2 on the server.
Harden systems and browsers to only allow secure ciphers.
Description: A large transfer was sent to an internal host.
Severity Level: Low
Reason: More than 1GB was uploaded to an internal host.
Investigation: Verify that the host is authorized to upload data to this server. Check related metadata to search for protocol-specific data to gain further insight into the data upload.
Mitigation: Whitelist servers for which large uploads are tolerable.
Description: A large transfer was sent to an external host.
Severity Level: Medium
Reason: More than 300MB was uploaded to an external host.
Investigation: Verify that the host is authorized to upload data to this server. Check related metadata to search for protocol-specific data to gain further insight into the data upload.
Mitigation: Whitelist servers for which large uploads are tolerable.
Description: A large amount of data was downloaded from an internal host to the source IP.
Severity Level: Medium
Reason: More than 300MB was downloaded from an internal host.
Investigation: Verify that the host is authorized to download data from this server.
Mitigation: Whitelist servers for which large downloads are tolerable.
Description: A large amount of data was downloaded from an external host to the source IP.
Severity Level: Low
Reason: More than 300MB was downloaded from an external host.
Investigation: Verify that the host is authorized to download data from this server.
Mitigation: Whitelist servers for which large downloads are tolerable.
Description: A device used DoH (DNS over HTTPS) to get DNS answers.
Severity Level: Low
Reason: A device used DoH to get DNS answers. DoH can be used by malware to hide its communication.
Investigation: If DoH isn’t expected, investigate which process on the device is responsible, and find out if it is malicious usage.
Mitigation: Change the severity of the notification to high, and block known DoH providers in proxies and DNS filters.