# Suspect Protocol Activity detection descriptions

Vectra Suspect Protocol Activity detections are detections which Vectra can rapidly create and deploy to customers who are not air-gapped. For more information on enabling SPA detections see: [Suspect Protocol Activity Detections (Feature Overview)](https://docs.vectra.ai/operations/general/suspect-protocol-activity-detections-feature-overview)

## Scored vs Info SPA Detections

Some SPA detections are scored, while others are provided as informational. Scored detections influence host prioritization and are typically used when the underlying behavior is both meaningful and not overly noisy. Informational detections, on the other hand, highlight notable activity without directly contributing to risk scores. This distinction helps ensure that scoring remains focused on high-confidence behaviors that warrant immediate attention, while still surfacing valuable context through informational detections.

## SPA Detection Descriptions

Please expand/collapse each section below to see descriptions of the triggers, possible root causes, business impact, and steps to verify for each SPA detection type:

{% hint style="info" %}
**Please Note:**

When you see \[NAME] in the detection descriptions below, it represents the name of the specific type of Suspect Protocol Activity detection that triggered.

For example, you might see detection names such as these:

* Suspect Protocol Activity: RDPassSpray tool
* Suspect LDAP Activity: No Kerberos Pre-Auth Query
* Suspect HTTP Activity: Cobalt Strike C2 Beacon
{% endhint %}

### Suspect HTTP Activity: \[NAME]

<details>

<summary>Expand for details</summary>

**Triggers:**

* Suspect HTTP Activity Detections are based upon the HTTP protocol.
* These are high fidelity indicators which are usually looking for malicious User-Agents, specific unique byte values within HTTP payloads, or other positive indicators in the HTTP headers.

**Possible Root Causes:**

* A host is compromised with malware and initiates a connection to an external resource over the HTTP protocol.
* Breach simulation software which may emulate known malware and C2 frameworks over the HTTP protocol.

**Business Impact:**

* Command and Control channels can enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment. These should be investigated to determine if they are malicious true positives, and acted upon promptly.

**Steps to Verify:**

* Examine the Detection page to validate whether the HTTP detection details are consistent with public threat intelligence resources.
* Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.
* Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.
* Check if the user has knowingly installed the malware or is using the tool named in the detection title.
* Scan the endpoint for signs of malware, and validate the process associated with the network connection documented in the detection.

</details>

### Suspect HTTPS Activity: \[NAME]

<details>

<summary>Expand for details</summary>

**Triggers:**

* Suspect HTTPS Activity Detections are based upon the HTTPS (TLS/SSL) protocol.
* These are high fidelity indicators which are usually looking for known certificates or attributes of the TLS/SSL negotiation associated with malware and attack tools.

**Possible Root Causes:**

* A host is compromised with malware and initiates a connection to an external resource over the HTTPS protocol.
* Breach simulation software which may emulate known malware and C2 frameworks over the HTTPS protocol.

**Business Impact:**

* Command and Control channels can enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment. These should be investigated to determine if they are malicious true positives, and acted upon promptly.

**Steps to Verify:**

* Examine the Detection page to validate whether the HTTPS detection details are consistent with public threat intelligence resources.
* Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.
* Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.
* Check if the user has knowingly installed the malware or is using the tool named in the detection title.
* Scan the endpoint for signs of malware, and validate the process associated with the network connection documented in the detection.

</details>

### Suspect TCP Activity: \[NAME]

<details>

<summary>Expand for details</summary>

**Triggers:**

* Suspect TCP Activity Detections are based upon TCP traffic that is not HTTP or HTTPS; those protocols are covered by the respective Suspect HTTP and Suspect HTTPS Activity detections.

**Possible Root Causes:**

* A host is compromised with malware and initiates a connection to an external resource over the TCP protocol.
* Breach simulation software which may emulate known malware and C2 frameworks over the TCP protocol.

**Business Impact:**

* Command and Control channels can enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment. These should be investigated to determine if they are malicious true positives, and acted upon promptly.

**Steps to Verify:**

* Examine the Detection page to validate whether the TCP detection details are consistent with public threat intelligence resources.
* Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.
* Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.
* Check if the user has knowingly installed the malware or is using the tool named in the detection title.
* Scan the endpoint for signs of malware, and validate the process associated with the network connection documented in the detection.

</details>

### Suspect DNS Activity: \[NAME]

<details>

<summary>Expand for details</summary>

**Triggers:**

* Suspect DNS Activity Detections are based upon the DNS protocol, carried over either UDP or TCP.

**Possible Root Causes:**

* A host is compromised with malware and initiates a connection to an external resource over DNS.
* Breach simulation software which may emulate known malware and C2 frameworks over the DNS protocol.

**Business Impact:**

* Command and Control channels can enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment. These should be investigated to determine if they are malicious true positives, and acted upon promptly.

**Steps to Verify:**

* Examine the Detection page to validate whether the DNS detection details are consistent with public threat intelligence resources.
* Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.
* Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.
* Check if the user has knowingly installed the malware or is using the tool named in the detection title.
* Scan the endpoint for signs of malware, and validate the process associated with the network connection documented in the detection.

</details>

### Suspect LDAP Activity: \[NAME]

<details>

<summary>Expand for details</summary>

**Triggers:**

* Suspect LDAP Activity Detections are based upon the LDAP protocol.
* These are high fidelity indicators which are usually looking for malicious LDAP requests/responses.

**Possible Root Causes:**

* A host is compromised and performs a query for directory information in the Active Directory environment over LDAP.
* Scheduled scripts or automation using service accounts.

**Business Impact:**

* Reconnaissance allows attackers to map their position within the network and identify other hosts or accounts with higher privileges. Once they understand the role and access level of the compromised system, they can move laterally—especially if they obtain credentials for more privileged accounts. These detections should be promptly investigated to determine if they represent malicious activity and require immediate response.

**Steps to Verify:**

* Check if the source Host/IP is expected to perform LDAP directory queries.
* Check for recent login activity or changes on the source Host/IP.
* Check if the LDAP queries match known administrative scripts or job schedules.
* Examine the query volume and timestamps for abnormal behaviors.
* Look for follow-on behavior like remote logins or privilege escalation.

</details>

### Suspect Kerberos Activity: \[NAME]

<details>

<summary>Expand for details</summary>

**Triggers:**

* Suspect Kerberos Activity Detections are based upon the Kerberos protocol and can be over TCP, UDP, or HTTP.

**Possible Root Causes:**

* A host is compromised and performs a query for directory information in the Active Directory environment over Kerberos.
* Scheduled scripts or automation using service accounts.

**Business Impact:**

* Reconnaissance allows attackers to map their position within the network and identify other hosts or accounts with higher privileges. Once they understand the role and access level of the compromised system, they can move laterally—especially if they obtain credentials for more privileged accounts. These detections should be promptly investigated to determine if they represent malicious activity and require immediate response.

**Steps to Verify:**

* Check if the source Host/IP is expected to perform Kerberos directory queries.
* Check for recent login activity or changes on the source Host/IP.
* Check if the Kerberos queries match known administrative scripts or job schedules.
* Examine the query volume and timestamps for abnormal behaviors.
* Look for follow-on behavior like remote logins or privilege escalation.

</details>

### Suspect NTLM Activity: \[NAME]

<details>

<summary>Expand for details</summary>

**Triggers:**

* Suspect NTLM Activity Detections are based upon the NTLM protocol and can be over SMB, HTTP, TLS, LDAP, or DCERPC.

**Possible Root Causes:**

* A host is compromised and captures the NTLM handshake and relays the credentials to other services.
* Legacy systems or applications relying on NTLM.

**Business Impact:**

* Reconnaissance allows attackers to map their position within the network and identify other hosts or accounts with higher privileges. Once they understand the role and access level of the compromised system, they can move laterally—especially if they obtain credentials for more privileged accounts. These detections should be promptly investigated to determine if they represent malicious activity and require immediate response.

**Steps to Verify:**

* Check if the source Host/IP is expected to use NTLM.
* Check for recent login activity or changes on the source Host/IP.
* Check if the NTLM queries match known administrative scripts or job schedules.
* Examine the query volume and timestamps for abnormal behaviors.
* Look for follow-on behavior like remote logins or privilege escalation.

</details>

### Suspect SMB Activity: \[NAME]

<details>

<summary>Expand for details</summary>

**Triggers:**

* Suspect SMB Activity Detections are based upon the SMB protocol.

**Possible Root Causes:**

* A host is compromised and attempts to move laterally throughout the organization using SMB.
* A host is compromised and attempts to exfiltrate data using SMB.
* Expected file sharing between users or departments.

**Business Impact:**

* Reconnaissance allows attackers to map their position within the network and identify other hosts or accounts with higher privileges. Once they understand the role and access level of the compromised system, they can move laterally—especially if they obtain credentials for more privileged accounts. These detections should be promptly investigated to determine if they represent malicious activity and require immediate response.

**Steps to Verify:**

* Check if the source Host/IP is expected to use SMB.
* Check for recent login activity or changes on the source Host/IP.
* Check if the SMB queries match known administrative scripts or job schedules.
* Examine the query volume and timestamps for abnormal behaviors.
* Look for follow-on behavior like remote logins or privilege escalation.

</details>

### Suspect Brute Force Activity: \[NAME]

<details>

<summary>Expand for details</summary>

**Triggers:**

* Suspect Brute Force Activity Detections require multiple authentication requests to the same account in a short period and can target various protocols such as SMB, LDAP, FTP, RDP, SSH, and HTTP.

**Possible Root Causes:**

* A host is compromised and attempts to gain unauthorized access to a single account by guessing credentials.

**Business Impact:**

* Reconnaissance allows attackers to map their position within the network and identify other hosts or accounts with higher privileges. Once they understand the role and access level of the compromised system, they can move laterally—especially if they obtain credentials for more privileged accounts. These detections should be promptly investigated to determine if they represent malicious activity and require immediate response.

**Steps to Verify:**

* Determine if login attempts were to privileged accounts (e.g., admin, service accounts).
* Review login success/failure pattern — is there a successful login after many failures?
* Look for known brute force tools (e.g., Hydra, Medusa, CrackMapExec) in logs or telemetry.
* Check if this user or IP has triggered similar detections previously.

</details>
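The trigger condition described above (many authentication failures against one account in a short window, across any protocol) and the verification step of checking for a success after many failures can be reproduced over your own authentication telemetry. The following is an added example, not Vectra's detection logic or code from this page; the events, the 60-second window, the failure threshold of 5, and the `svc-`/`admin` privileged-account naming convention are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events (not real telemetry):
# (timestamp, source IP, target account, protocol, outcome)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "10.0.0.5", "svc-backup", "smb", "failure"),
    ("2024-05-01T10:00:05", "10.0.0.5", "svc-backup", "smb", "failure"),
    ("2024-05-01T10:00:10", "10.0.0.5", "svc-backup", "ldap", "failure"),
    ("2024-05-01T10:00:15", "10.0.0.5", "svc-backup", "smb", "failure"),
    ("2024-05-01T10:00:20", "10.0.0.5", "svc-backup", "rdp", "failure"),
    ("2024-05-01T10:00:25", "10.0.0.5", "svc-backup", "smb", "success"),
    ("2024-05-01T10:00:01", "10.0.0.9", "alice", "http", "failure"),   # typo, then success
    ("2024-05-01T10:00:08", "10.0.0.9", "alice", "http", "success"),
    ("2024-05-01T10:00:00", "10.0.0.7", "bob", "ssh", "failure"),      # 5 failures, but
    ("2024-05-01T10:03:00", "10.0.0.7", "bob", "ssh", "failure"),      # spread 3 min apart
    ("2024-05-01T10:06:00", "10.0.0.7", "bob", "ssh", "failure"),
    ("2024-05-01T10:09:00", "10.0.0.7", "bob", "ssh", "failure"),
    ("2024-05-01T10:12:00", "10.0.0.7", "bob", "ssh", "failure"),
]
PRIVILEGED_PREFIXES = ("svc-", "admin")  # assumed account naming convention


def detect_brute_force(rows, threshold=5, window_seconds=60):
    """Flag (source, account) pairs with >= threshold failures inside a sliding
    time window, regardless of protocol, and record any later success."""
    window = timedelta(seconds=window_seconds)
    events = sorted(((datetime.fromisoformat(ts), src, acct, proto, out)
                     for ts, src, acct, proto, out in rows), key=lambda e: e[0])
    recent = defaultdict(deque)   # (src, acct) -> failures still inside the window
    alerts = {}                   # (src, acct) -> alert dict, created once threshold is hit
    for ts, src, acct, proto, outcome in events:
        key = (src, acct)
        if outcome == "failure":
            q = recent[key]
            q.append((ts, proto))
            while ts - q[0][0] > window:   # evict failures older than the window
                q.popleft()
            if key in alerts:              # keep counting after the alert fires
                alerts[key]["failures"] += 1
                alerts[key]["protocols"].add(proto)
            elif len(q) >= threshold:
                alerts[key] = {"source": src, "account": acct, "failures": len(q),
                               "protocols": {p for _, p in q},
                               "privileged_target": acct.startswith(PRIVILEGED_PREFIXES),
                               "success_after_failures": None}
        elif outcome == "success" and key in alerts:
            # A success following a burst of failures is the key verification signal.
            if alerts[key]["success_after_failures"] is None:
                alerts[key]["success_after_failures"] = ts
    return list(alerts.values())
```

Note that `bob` is not flagged at the default settings because his five failures never fall inside one 60-second window; widening the window or lowering the threshold changes that, which is the trade-off between scored and informational detections described earlier.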

### Suspect Protocol Activity: \[NAME]

<details>

<summary>Expand for details</summary>

**Triggers:**

* Suspect Protocol Activity Detections are based on application-layer protocols observed across the network.
* These detections leverage a flexible template to identify suspicious or anomalous protocol usage, including:
  * Protocols operating on non-standard ports
  * Unusual or unexpected external communications
  * Known tool- or behavior-specific payload patterns
  * Indicators of remote monitoring and management tools (RMM), credential access tools, or data exfiltration techniques
* Detections can apply to multiple protocols depending on the specific derived detection (e.g., HTTP, TCP, SSH, or proprietary protocols).

**Possible Root Causes:**

* A host is compromised and is using a legitimate protocol in a suspicious or malicious way (e.g., remote access tools, credential dumping tools, or exfiltration mechanisms).
* Unauthorized or unapproved use of remote monitoring and management tools such as TeamViewer or AnyDesk.
* Security testing tools, red team activity, or breach simulation software emulating attacker behavior.
* Misconfigured or non-standard applications using uncommon ports or protocols.

**Business Impact:**

* Suspect Protocol Activity detections may indicate a wide range of attacker behaviors, including reconnaissance, lateral movement, credential access, command-and-control (C2), or data exfiltration.
* Because these detections often map to specific tools or techniques (e.g., Mimikatz, RMM tools, password spraying utilities), they can represent high-value indicators of compromise when confirmed.
* If malicious, this activity may allow attackers to maintain persistence, expand access, or extract sensitive data from the environment. These detections should be investigated to determine whether they represent true positive malicious activity and require prompt response.

**Steps to Verify:**

* Review the Detection page to understand the specific SPA detection name and associated behavior (e.g., tool or technique identified).
* Validate whether the protocol, destination, and port usage are expected for the source host.
* Examine the destination IP/domain to determine reputation, ownership, and whether it is associated with known tools or services.
* Analyze PCAP or payload data (if available) to confirm whether the traffic matches the behavior described in the detection.
* Determine whether the tool or activity (e.g., TeamViewer, SSH on a non-standard port) is authorized within the environment.
* Correlate with endpoint telemetry (EDR) to identify the process responsible for the network activity.
* Investigate for related detections or follow-on activity, such as lateral movement, authentication anomalies, or data transfer.

</details>
