Table 1 Nodes in the example represented in Fig. 7, containing the propagation steps in WannaCry
From: OMMA: open architecture for Operator-guided Monitoring of Multi-step Attacks
Level | Node | Matched event | Origin |
|---|---|---|---|
0 | κ 0 | Unsuccessful HTTP request from a host, called A, to long domain name | Proxy |
1 | κ 1 | Successful connection in port TCP 445 from A to any another endpoint (B) in the local network | Internal firewall |
1 | κ 2 | Successful HTTP request to the same domain name as in κ0 | Proxy |
2 | κ 3 | SMBv1 communication between A and other machine using command “transaction2_secondary” | Internal firewall |
2 | κ 4 | Malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST from A to B (CVE-2009-3103) | Endpoint B |
2 | κ 5 | SQL injection alert coming from A | IDS |