LoFP / _deprecated

_deprecated rule

administrators may use the tasklist command to display a list of currently running processes. by itself, it does not indicate malicious activity. after obtaining a foothold, it's possible adversaries may use discovery commands like tasklist to get information about running processes.
automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.
automated tools such as jenkins may encode or decode files as part of their normal behavior. these events can be filtered by the process executable or username values.
because these ports are in the ephemeral range, this rule may fire falsely under certain conditions, such as when a nat-ed web server replies to a client which has used a port in the range by coincidence. in this case, such servers can be excluded if desired. some cloud environments may use this port when vpns or direct connects are not in use and database instances are accessed directly across the internet.
because this port is in the ephemeral range, this rule may fire falsely under certain conditions, such as when a nat-ed web server replies to a client which has used a port in the range by coincidence. in this case, such servers can be excluded. some applications may use this port, but this is very uncommon and usually appears in local traffic using private ips, which this rule does not match. some cloud environments, particularly development environments, may use this port when vpns or direct connects are not in use and cloud instances are accessed across the internet.
build systems, like jenkins, may start processes in the `/tmp` directory. these can be exempted by name or by username.
enumeration of files and directories may not be inherently malicious, and noise may come from scripts, automation tools, or normal command line usage. it's important to baseline your environment to determine the amount of expected noise and exclude any known false positives from the rule.
exclude dns servers from this rule as this is expected behavior. endpoints usually query local dns servers defined in their dhcp scopes, but this may be overridden if a user configures their endpoint to use a remote dns server. this is uncommon in managed enterprise networks because it could break intranet name resolution when split horizon dns is utilized. some consumer vpn services and browser plug-ins may send dns traffic to remote internet destinations. in that case, such devices or networks can be excluded from this rule when this is expected behavior.
exporting snapshots may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. snapshot exports from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
false positives (fp) can appear if another remote terminal service is being used to connect to its listener, but typically ssh is used in these scenarios.
ftp servers should be excluded from this rule as this is expected behavior. some business workflows may use ftp for data exchange. these workflows often have expected characteristics such as users, sources, and destinations. ftp activity involving an unusual source or destination may be more suspicious. ftp activity involving a production server that has no known associated ftp workflow or business requirement is often suspicious.
irc activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. irc activity involving an unusual source or destination may be more suspicious. irc activity involving a production server is often suspicious. because these ports are in the ephemeral range, this rule may fire falsely under certain conditions, such as when a nat-ed web server replies to a client which has used a port in the range by coincidence. in this case, these servers can be excluded. some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private ips, which does not match this rule's conditions.
legitimate software or scripts using cron jobs for recurring tasks.
mknod is a linux system program. some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. usage by web servers is more likely to be suspicious.
nat-ed servers that process email traffic may fire this rule falsely and should be excluded from it, as this is expected behavior for them. consumer and personal devices may send email traffic to remote internet destinations. in this case, such devices or networks can be excluded from this rule if this is expected behavior.
netcat and openssl are common tools used for establishing network connections and creating encryption keys. while they are popular, capturing the stdout and stderr in a named pipe pointed to a shell is anomalous.
network monitoring or management products may have a web server component that runs shell commands as part of normal behavior.
normal use of iodine is uncommon apart from security testing and research. use by non-security engineers is very uncommon.
rdp connections may be made directly to internet destinations in order to access windows cloud server instances, but such connections are usually made only by engineers. in such cases, only rdp gateways, bastions or jump servers may be expected internet destinations and can be exempted from this rule. rdp may be required by some workflows such as remote access and support for specialized software products and servers. such workflows are usually known and not unexpected. usage that is unfamiliar to server or network owners can be unexpected and suspicious.
security testing tools and frameworks may run `nmap` in the course of security auditing. some normal use of this command may originate from security engineers and network or server administrators. use of nmap by ordinary users is uncommon.
security testing tools and frameworks may run this command. some normal use of this command may originate from automation tools and frameworks.
security tools and device drivers may run these programs in order to load legitimate kernel modules. use of these programs by ordinary users is uncommon.
socat is a dual-use tool that can be used for benign or malicious activity. some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools, and frameworks. usage by web servers is more likely to be suspicious.
some network security policies allow ssh directly from the internet, but usage that is unfamiliar to server or network owners can be unexpected and suspicious. ssh services may be exposed directly to the internet in some networks such as cloud environments. in such cases, only ssh gateways, bastions or jump servers may be expected to expose ssh directly to the internet and can be exempted from this rule. ssh may be required by some workflows such as remote access and support for specialized software products and servers. such workflows are usually known and not unexpected.
some networks may utilize pptp protocols, but this is uncommon as more modern vpn technologies are available. usage that is unfamiliar to local network administrators can be unexpected and suspicious. torrenting applications may use this port. because this port is in the ephemeral range, this rule may fire falsely under certain conditions, such as when an application server replies to a client that used this port by coincidence. this is uncommon, but such servers can be excluded.
some normal applications and scripts may contain no user agent. most legitimate web requests from the internet contain a user agent string. requests from web browsers almost always contain a user agent string. if the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity.
some normal use of this command may originate from server or network administrators engaged in network troubleshooting.
some proxied applications may use these ports, but this usually occurs in local traffic using private ips, which this rule does not match. proxies are widely used as a security technology, but in enterprise environments this is usually local traffic, which this rule does not match. if desired, internet proxy services using these ports can be added to allowlists. some screen recording applications may use these ports. proxy port activity involving an unusual source or destination may be more suspicious. some cloud environments may use these ports when vpns or direct connects are not in use and cloud instances are accessed across the internet. because these ports are in the ephemeral range, this rule may fire falsely under certain conditions, such as when a nat-ed web server replies to a client which has used a port in the range by coincidence. in this case, such servers can be excluded if desired.
ssh connections may be made directly to internet destinations in order to access linux cloud server instances, but such connections are usually made only by engineers. in such cases, only ssh gateways, bastions or jump servers may be expected internet destinations and can be exempted from this rule. ssh may be required by some workflows such as remote access and support for specialized software products and servers. such workflows are usually known and not unexpected. usage that is unfamiliar to server or network owners can be unexpected and suspicious.
strace is a dual-use tool that can be used for benign or malicious activity. some normal use of this command may originate from developers or sres engaged in debugging or system call tracing.
these programs may be used by windows developers but use by non-engineers is unusual.
tor client activity is uncommon in managed enterprise networks but may be common in unmanaged or public networks where few security policies apply. because these ports are in the ephemeral range, this rule may fire falsely under certain conditions, such as when a nat-ed web server replies to a client which has used one of these ports by coincidence. in this case, such servers can be excluded if desired.
user group access may be modified by an administrator to allow external access for community purposes. doing so for a user group that has access to sensitive information or operational resources should be monitored closely.