Detects command and control (C2) communication patterns, including beaconing (suspiciously periodic connections to the same destination), traffic on non-standard ports, encrypted channels on unusual ports, DNS tunneling, and connections to known C2 infrastructure ...
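The three behavioural checks named above (beacon periodicity, unusual destination ports, and DNS tunneling via encoded subdomain labels) worked through in Python as an added example; this is not code from the original page or from the detection rule it describes. The connection-log format, the DNS query list, the EXPECTED_PORTS allowlist and all thresholds are assumptions chosen for the illustration, and every log line is constructed.

```python
"""Added example: C2 pattern detection over constructed sample logs."""
import math
import statistics
from collections import defaultdict

# Constructed connection log (assumed format: epoch_ts,src_ip,dst_ip,dst_port,proto).
# First flow: one connection roughly every 60 s (a beacon). Second flow: irregular, human-driven.
CONN_LOG = """\
1700000000,10.0.0.5,203.0.113.7,8443,tcp
1700000060,10.0.0.5,203.0.113.7,8443,tcp
1700000121,10.0.0.5,203.0.113.7,8443,tcp
1700000180,10.0.0.5,203.0.113.7,8443,tcp
1700000240,10.0.0.5,203.0.113.7,8443,tcp
1700000301,10.0.0.5,203.0.113.7,8443,tcp
1700000010,10.0.0.9,198.51.100.20,443,tcp
1700000415,10.0.0.9,198.51.100.20,443,tcp
1700000903,10.0.0.9,198.51.100.20,443,tcp
1700002300,10.0.0.9,198.51.100.20,443,tcp
1700002310,10.0.0.9,198.51.100.20,443,tcp
"""

# Constructed DNS query names; the third carries a long pseudo-random label.
DNS_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "a8f3k2j9d0s1l2m3n4b5v6c7x8z9q0w1e2r3t4y5.tunnel.example.net",
    "cdn.static.example.org",
]

# Assumption: ports on which outbound traffic is expected; anything else counts as unusual.
EXPECTED_PORTS = {25, 53, 80, 123, 443, 587, 993}


def parse_conn_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, proto = line.split(",")
        rows.append((int(ts), src, dst, int(port), proto))
    return rows


def detect_beacons(text, min_conns=5, max_cv=0.15):
    """Flag (src, dst, port) flows whose inter-arrival times are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps between connections
    is close to zero for a timer-driven beacon and large for interactive traffic.
    A small jitter (a few seconds) still passes, which is what most C2 agents add.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, _ in parse_conn_log(text):
        by_flow[(src, dst, port)].append(ts)
    hits = []
    for flow, times in by_flow.items():
        if len(times) < min_conns:
            continue  # too few samples to judge periodicity
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        cv = statistics.stdev(deltas) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"flow": flow, "interval": round(mean, 1), "cv": round(cv, 3)})
    return hits


def unusual_port_flows(text):
    """Flows to destination ports outside the expected-port allowlist."""
    return sorted({(src, dst, port) for _, src, dst, port, _ in parse_conn_log(text)
                   if port not in EXPECTED_PORTS})


def shannon_entropy(s):
    """Bits per character of a label; encoded data scores far higher than words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_dns_tunneling(names, max_label_len=30, min_entropy=3.5):
    """Flag query names whose longest label is both long and high-entropy,
    the signature of data being smuggled out in subdomains."""
    hits = []
    for name in names:
        label = max(name.split("."), key=len)
        if len(label) > max_label_len and shannon_entropy(label) >= min_entropy:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("beacons:", detect_beacons(CONN_LOG))
    print("unusual ports:", unusual_port_flows(CONN_LOG))
    print("dns tunneling:", detect_dns_tunneling(DNS_QUERIES))
```

In practice the beacon check is run per flow over a sliding window of hours, and the port and entropy thresholds are tuned against the organisation's own baseline; the value of combining the three is that a flow tripping two of them (periodic, on an unexpected port) is far stronger evidence than any one alone.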
Detects indicators of lateral movement within the network, including SMB/RDP scanning, repeated authentication attempts from one source across many systems, suspicious remote access patterns, and administrative tool usage.
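The lateral-movement indicators listed above (authentication fan-out from one account or source, SMB/RDP scanning, and remote administration tool execution) implemented in Python as an added example, with a final correlation step that raises confidence when one actor trips several of them; this is not code from the original page or from the detection rule it describes. The event layouts are loosely modelled on Windows logon (4624) and process-creation (4688) records, but the field sets, the ADMIN_TOOLS list, the windows and the thresholds are all assumptions, and every event is constructed.

```python
"""Added example: lateral-movement detection over constructed sample events."""
from collections import defaultdict

# Constructed network logon events (assumed fields: ts, user, src_ip, dst_host).
LOGON_EVENTS = [
    (1700000000, "CORP\\svc_backup", "10.0.0.5", "FS01"),
    (1700000030, "CORP\\svc_backup", "10.0.0.5", "FS02"),
    (1700000055, "CORP\\svc_backup", "10.0.0.5", "WS-104"),
    (1700000090, "CORP\\svc_backup", "10.0.0.5", "WS-105"),
    (1700000120, "CORP\\svc_backup", "10.0.0.5", "DC01"),
    (1700000500, "CORP\\alice", "10.0.0.22", "FS01"),
    (1700003600, "CORP\\alice", "10.0.0.22", "WS-104"),
]

# Constructed connection records (assumed fields: ts, src_ip, dst_ip, dst_port).
# 10.0.0.5 touches twelve hosts on 445 in twelve seconds; 10.0.0.22 touches one.
CONN_EVENTS = [(1700000200 + i, "10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 13)] + [
    (1700000300, "10.0.0.22", "10.0.1.1", 445),
    (1700000400, "10.0.0.22", "10.0.1.1", 3389),
]

# Constructed process-creation events (assumed fields: ts, host, user, image, cmdline).
PROC_EVENTS = [
    (1700000125, "DC01", "CORP\\svc_backup", "psexesvc.exe", "psexesvc.exe"),
    (1700000130, "WS-105", "CORP\\svc_backup", "wmic.exe", "wmic /node:WS-106 process call create cmd.exe"),
    (1700000600, "WS-104", "CORP\\alice", "outlook.exe", "outlook.exe"),
]

# Assumption: binaries used for remote administration that rarely run on ordinary workstations.
ADMIN_TOOLS = {"psexec.exe", "psexesvc.exe", "paexec.exe", "wmic.exe", "winrs.exe", "wsmprovhost.exe"}


def detect_logon_fanout(events, window=600, min_hosts=5):
    """One (user, src_ip) pair logging on to many distinct hosts inside `window` seconds.
    Returns a list of (user, src_ip, sorted_hosts); each actor is reported once."""
    by_actor = defaultdict(list)
    for ts, user, src, host in events:
        by_actor[(user, src)].append((ts, host))
    hits = []
    for (user, src), seq in by_actor.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):  # slide the window start over each event
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append((user, src, sorted(hosts)))
                break
    return hits


def detect_smb_rdp_scan(conns, window=60, min_targets=10, ports=(445, 3389)):
    """A source contacting many distinct hosts on SMB/RDP ports inside `window` seconds.
    Returns a list of (src_ip, distinct_target_count)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in conns:
        if port in ports:
            by_src[src].append((ts, dst))
    hits = []
    for src, seq in by_src.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            targets = {d for t, d in seq[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits.append((src, len(targets)))
                break
    return hits


def detect_admin_tools(procs):
    """Process creations whose image is a known remote-administration tool."""
    return [(host, user, image) for _, host, user, image, _ in procs
            if image.lower() in ADMIN_TOOLS]


def correlate(logons, conns, procs):
    """Collect which detectors each actor (user name or source IP) tripped.
    Logon fan-out is attributed to both the user and the source address so that
    it can be joined with the IP-keyed scan signal and the user-keyed tool signal."""
    signals = defaultdict(set)
    for user, src, _ in detect_logon_fanout(logons):
        signals[user].add("logon_fanout")
        signals[src].add("logon_fanout")
    for src, _ in detect_smb_rdp_scan(conns):
        signals[src].add("smb_rdp_scan")
    for _, user, _ in detect_admin_tools(procs):
        signals[user].add("admin_tool")
    return {actor: sorted(s) for actor, s in signals.items()}


if __name__ == "__main__":
    for actor, hits in correlate(LOGON_EVENTS, CONN_EVENTS, PROC_EVENTS).items():
        print(actor, hits)
```

Each detector alone produces false positives (backup and vulnerability-scanning accounts fan out legitimately, and administrators run PsExec), so the correlation step is the part worth keeping: an actor that fans out, scans and spawns admin tooling inside the same window is the pattern to alert on, while a single signal is better handled as an enrichment or a low-severity event with an allowlist for known service accounts.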