Skip to main content

Netography Detection Model Release – April 11, 2023

 

The Netography Threat Research Team has released its latest detections:

The team creates Netography Detection Models (NDMs) to detect botnets, malware, P2P, data exfiltration, ransomware, phishing, SPAM, DDoS activity and more. These powerful threat and network configuration detection models are included at no additional charge and are continuously refined, with new NDMs being added frequently as threats evolve. There are no packages to download, and no updates to push. All models are completely open, customizable, and transparent to your analysts.  

Netography Detection Model Updates:

cve-2023-2753_port_scan_internal – This NDM locates attempts to scan internal resources for systems potentially vulnerable to CVE-2023-27532 – a vulnerability in the Veeam Backup and Replication product.  This vulnerability “allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. This may lead to an attacker gaining access to the backup infrastructure hosts.”  This NDM is enabled by default.

cve-2022-47966_port_scan_internal – This NDM locates attempts to scan internal resources for systems potentially vulnerable to CVE-2022-47966 – a vulnerability in the Zoho ManageEngine product.  This NDM is enabled by default.

cve-2015-4852_port_scan_internal – This NDM locates attempts to scan internal resources for systems potentially vulnerable to CVE-2015-4852 – an older vulnerability in Java.  This NDM is enabled by default.

cve-2020-5735_port_scan_internal – This NDM locates attempts to scan internal resources for systems potentially vulnerable to CVE-2020-5735 – a vulnerability in the Amcrest cameras and NVR products.  An authenticated remote attacker can abuse this issue to crash the device and possibly execute arbitrary code.  This NDM is enabled by default.

cve-2023-23560_lexmark_inbound – This NDM locates attempts to connect to an internal resource on port 65002 from an external IP.  This may indicate attempts to exploit the vulnerability found in Lexmark printers covered under CVE-2023-23560.  This NDM is enabled by default.

cve-2023-23560_lexmark_internal – This NDM locates attempts to connect to an internal resource on port 65002 from an internal IP.  This may indicate attempts to exploit the vulnerability found in Lexmark printers covered under CVE-2023-23560.  This NDM is enabled by default.

rpc_authentication_attack – This NDM locates attempts to abuse authentication methods to RPC ports 135 and 111. This will detect attempts to exploit the Zerologon vulnerability: CVE-2020-1472.  This NDM is enabled by default.

suspected_port_abuse_internal – This NDM detects entities on the internal network attempting to communicate with other internal hosts on an unusual range of ports.  This may indicate a compromised machine or an internally initiated port scan. This NDM is enabled by default.

suspected_port_abuse_external – This NDM detects entities external to the network attempting to communicate with other internal hosts on an unusual range of ports.  This may indicate a compromised machine or non-standard traffic. This NDM is enabled by default.

outbound_smb_traffic – This NDM detects any internal host attempting to communicate external to the network on common SMB ports.  This traffic should not occur between unauthorized hosts.  This NDM works best when network classifications are set properly.  This NDM is enabled by default.

finflood – This NDM was updated to reduce noise and increase accuracy.

The Netography Threat Research Team constantly updates and improves our detection capabilities, seamlessly integrating them into the Netography Fusion® platform, so our customers can write once, then detect everywhere.