This rule detects outbound IPSEC NAT Traversal (NAT-T) tunnels established from an internal host to an external destination. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal encapsulates IPSEC ESP traffic in UDP and, once a NAT device is detected, both peers float to UDP port 4500 for the tunnel data channel. The rule keys on this NAT-T signature, UDP traffic where both the source and destination port are 4500, from an internal source to an external destination, rather than on any UDP traffic to port 4500. This may be common on your network, but this technique is also used by threat actors to tunnel command and control or exfiltration traffic over the Internet to avoid detection.
This rule detects events that may indicate use of SMTP on TCP port 26 from an internal host to an external destination. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems. The rule is scoped to outbound traffic (internal source to external destination) to focus on the command and control and exfiltration use cases, rather than benign internal mail relays or unrelated transit traffic observed by the sensor.
This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.
This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.
This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.
This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.