ap_detection_descriptions.json
[
"The only indicators of successful Blind SQL Injection are the application or database logs that show similar queries with slightly differing logical conditions that increase in complexity over time. However, this requires extensive logging as well as knowledge of the queries that can be used to perform such injection and return meaningful information from the database.",
"If the application does bound checking, it should fail when the data source is larger than the size of the destination buffer. If the application's code is well written, that failure should trigger an alert.",
"An example of an indicator is when the client software crashes after executing code downloaded from a hostile server.",
"Many invalid login attempts are coming from the same machine (same IP address) or for the same login name. The login attempts use passwords that are dictionary words.",
"None. This attack happens offline.",
"Many exceptions are thrown by the application's filter modules in a short period of time. Check the logs. See if the probes are coming from the same IP address.",
"A lot of invalid data is fed to the system. Data that cannot have been generated through a legitimate transaction/request. Data is coming into the system within a short period of time and potentially from the same IP.",
"Differences in requests processed by the two agents. This requires careful monitoring or a capable log analysis tool.",
"Differences in responses processed by the two agents with multiple responses to a single request in the web logs. This requires careful monitoring or a capable log analysis tool.",
"Control characters are being detected by the filters repeatedly.",
"An attacker creating or modifying Symbolic links is a potential signal of attack in progress.",
"An attacker deleting temporary files can also be a sign that the attacker is trying to replace legitimate resources with malicious ones.",
"Many incorrect login attempts are detected by the system.",
"Many incorrect attempts to answer the security question.",
"Null characters are observed by the filter. The filter needs to be able to understand various encodings of the Null character, or only canonical data should be passed to it.",
"Repeated errors generated by the same piece of code are an indication, although it requires careful monitoring of the application and its associated error logs, if any.",
"This is a completely offline attack that an attacker can perform at their leisure after the password hashes are obtained.",
"A client can be suspicious if a received link contains preset session identifiers. However, this depends on the client's knowledge of such an issue. Also, fixation through Cross Site Scripting or hidden form fields is usually difficult to detect.",
"There are no indicators for the server since a fixated session identifier is similar to an ordinarily generated one. However, too many invalid sessions due to invalid session identifiers is a potential warning.",
"Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.",
"If the first decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.",
"Too many false or invalid queries to the database, especially those caused by malformed input.",
"The log can have a trace of abnormal activity, and abnormal activity may also be detected on the target host itself. For instance, flooding should be seen as abnormal activity, and the target host may decide to take appropriate action in order to mitigate the attack (data filtering or blocking). Resource exhaustion is also a sign of abnormal activity.",
"Many incorrect login attempts are detected by the system.",
"Unicode encoded data is passed to APIs where it is not expected.",
"If the first decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.",
"Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.",
"A web penetration tool probing a web server may generate abnormal activities recorded in log files. Abnormal traffic, such as a high number of requests coming from the same client, may also raise warnings from a monitoring system or an intrusion detection tool.",
"An attacker can use a fuzzer in order to probe for this vulnerability. The fuzzer should generate suspicious network activity noticeable by an intrusion detection system.",
"An attacker can use a fuzzer in order to probe for a UTF-8 encoding vulnerability. The fuzzer should generate suspicious network activity.",
"Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.",
"If the first path decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.",
"An attacker can use a fuzzer in order to probe for a UTF-8 encoding vulnerability. The fuzzer should generate suspicious network activity noticeable by an intrusion detection system.",
"An IDS filtering network traffic may be able to detect illegal UTF-8 characters.",
"A web page that contains overly long UTF-8 codes constitutes a protocol anomaly, and could be an indication that an attacker is attempting to exploit a vulnerability on the target host.",
"Too many exceptions generated by the application as a result of malformed XPath queries.",
"You receive any e-mail that provides you with a link which takes you to a website on which you need to enter your login information.",
"You receive an e-mail from an entity that you are not even a customer of prompting you to log into your account.",
"An attack designed to leverage a buffer overflow and redirect execution as per the adversary's bidding is fairly difficult to detect. An attack aimed solely at bringing the system down is usually preceded by a barrage of long inputs that make no sense. In either case, it is likely that the adversary would have resorted to a few hit-or-miss attempts that will be recorded in the system event logs, if they exist.",
"Differences in requests processed by the two agents. This requires careful monitoring or a capable log analysis tool.",
"If the attacker is able to perform the checking offline then there will likely be no indication that an attack is ongoing.",
"Attempts to download files protected by secrets (usually using encryption) may be a precursor to an offline attack to break the file's encryption and read its contents. This is especially significant if the file itself contains other secret values, such as password files.",
"Repeated submissions of incorrect secret values may indicate a brute force attack. For example, repeated bad passwords when accessing user accounts or repeated queries to databases using non-existent keys.",
"You receive a text message from an entity that you are not even a customer of prompting you to log into your account.",
"You receive any text message that provides you with a link that takes you to a website which requires you to enter your credentials.",
"Bad data is passed to the data parser (possibly repeatedly), possibly making it crash or execute arbitrary code.",
"Bad data is passed to the serialized data parser (possibly repeatedly), possibly making it crash or execute arbitrary code.",
"Too many exceptions generated by the application as a result of malformed queries.",
"Differences in responses processed by the two agents. This requires careful monitoring or a capable log analysis tool.",
"Credential or permission elevation prompts that appear illegitimate or unexpected.",
"A large amount of data is passed to the XML parser possibly making it crash or otherwise unavailable to end users.",
"Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.",
"Suspicious or Malicious software is downloaded/installed on systems within the domain.",
"Data is being transferred and/or removed from systems/applications within the network.",
"Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.",
"Authentication attempts use credentials that have been used previously by the account in question.",
"Suspicious or Malicious software is downloaded/installed on systems within the domain.",
"Data is being transferred and/or removed from administrative network shares.",
"Suspicious or Malicious software is executed within administrative network shares.",
"Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.",
"Login attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.",
"The login attempts use passwords that have been used previously by the user account in question.",
"Login attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.",
"Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.",
"The login attempts use passwords that have been used previously by the user account in question.",
"Output observed from processes, API calls, or Self-Monitoring, Analysis and Reporting Technology (SMART) may provide insight into malicious modifications of MBRs.",
"Digital forensics tools may produce output that indicates an attack of this nature has occurred. Examples include unexpected disk partitions and/or unusual strings.",
"Authentication attempts use credentials that have been used previously by the account in question.",
"Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.",
"Data is being transferred and/or removed from systems/applications within the network.",
"Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.",
"Suspicious or Malicious software is downloaded/installed on systems within the domain.",
"Suspicious or Malicious software is downloaded/installed on systems within the domain.",
"Authentication attempts use expired or invalid credentials.",
"Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.",
"Authentication attempts are originating from IP addresses or locations that are inconsistent with an account's normal IP addresses or locations.",
"Data is being transferred and/or removed from systems/applications within the network.",
"Authentication attempts are originating from IP addresses or locations that are inconsistent with a user's normal IP addresses or locations.",
"Data is being transferred and/or removed from systems/applications within the network.",
"Suspicious or Malicious software is downloaded/installed on systems within the domain.",
"Authentication attempts use credentials that have been used previously by the account in question.",
"Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.",
"Credential prompts that appear illegitimate or unexpected.",
"You are redirected to a website that instructs you to call the number on-screen to address the call-to-action.",
"You receive a call from an entity that you are not even a customer of prompting you to log into your account.",
"You receive any call that requests you provide sensitive information.",
"File signatures for malicious software capable of abusing transient instruction set execution.",
"Windows Event logs may document the access of Thunderbolt port as a USB 3.0 event as well as any malicious actions taken upon target device as file system and memory events.",
"Performance is degraded or halted by incoming L2CAP packets.",
"Executed queries or commands that appear to be malicious in nature or originate from an untrustworthy source.",
"Too many false or invalid queries to the database, especially those caused by malformed input."
]