LoFP / t1046

As the script block is a blob of text, false positives may occur with scripts that contain the keyword only as a reference, or that themselves use it for detection purposes.
Blocked-connection events are generated by an access control policy configured on the firewall management console; hence no false positives are expected.
Internal vulnerability scanners will trigger this detection.
Legitimate administration activities
Legitimate administrative use
Legitimate administrator activity
Legitimate Python scripts that use the socket library or similar will trigger this. Apply additional filters and establish an initial baseline before deploying.
Misconfigured applications or automated scripts may generate repeated blocked traffic, particularly when attempting to reach decommissioned or restricted resources. Vulnerability scanners or penetration-testing tools running in authorized environments may also trigger this alert. Tuning may be required to exclude known internal tools or scanner IPs from detection.
Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `nping` by non-engineers or ordinary users is uncommon.
Tools with a similar command line (very rare)
Unlikely
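Two of the notes above (the Python socket-library rule and the repeated-blocked-traffic rule) recommend baselining and excluding known scanner IPs rather than switching the detection off. The following is an added example, not code from LoFP or from any of the source rules, showing one way to do that: it parses constructed blocked-connection events in a hypothetical key=value format, counts distinct destination host/port pairs per source within a time window (so a misconfigured client retrying one decommissioned port does not fire), reports which sources would already alert as a baseline, and then suppresses an allowlisted scanner. The log format, threshold, window and addresses are all assumptions.

```python
"""Port-sweep detection over blocked-connection events, with baseline and allowlist tuning."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed key=value style; not taken from any real firewall.
SAMPLE_EVENTS = [
    # 10.0.0.5 probes six different host/port pairs within a few seconds: a real sweep
    "2024-05-01T10:00:01Z action=blocked src=10.0.0.5 dst=10.0.1.20 dport=22",
    "2024-05-01T10:00:02Z action=blocked src=10.0.0.5 dst=10.0.1.20 dport=23",
    "2024-05-01T10:00:02Z action=blocked src=10.0.0.5 dst=10.0.1.20 dport=80",
    "2024-05-01T10:00:03Z action=blocked src=10.0.0.5 dst=10.0.1.20 dport=443",
    "2024-05-01T10:00:03Z action=blocked src=10.0.0.5 dst=10.0.1.20 dport=445",
    "2024-05-01T10:00:04Z action=blocked src=10.0.0.5 dst=10.0.1.21 dport=3389",
    # 10.0.0.50 is the (hypothetical) authorized vulnerability scanner doing the same thing
    "2024-05-01T10:05:00Z action=blocked src=10.0.0.50 dst=10.0.1.20 dport=21",
    "2024-05-01T10:05:00Z action=blocked src=10.0.0.50 dst=10.0.1.20 dport=22",
    "2024-05-01T10:05:01Z action=blocked src=10.0.0.50 dst=10.0.1.20 dport=25",
    "2024-05-01T10:05:01Z action=blocked src=10.0.0.50 dst=10.0.1.20 dport=110",
    "2024-05-01T10:05:02Z action=blocked src=10.0.0.50 dst=10.0.1.20 dport=143",
    # 10.0.0.7 is a misconfigured app retrying one decommissioned service: many events, one target
    "2024-05-01T10:10:00Z action=blocked src=10.0.0.7 dst=10.0.1.99 dport=8080",
    "2024-05-01T10:10:05Z action=blocked src=10.0.0.7 dst=10.0.1.99 dport=8080",
    "2024-05-01T10:10:10Z action=blocked src=10.0.0.7 dst=10.0.1.99 dport=8080",
    "2024-05-01T10:10:15Z action=blocked src=10.0.0.7 dst=10.0.1.99 dport=8080",
    "2024-05-01T10:10:20Z action=blocked src=10.0.0.7 dst=10.0.1.99 dport=8080",
    "2024-05-01T10:10:25Z action=blocked src=10.0.0.7 dst=10.0.1.99 dport=8080",
    # permitted traffic is ignored entirely
    "2024-05-01T10:11:00Z action=allowed src=10.0.0.9 dst=10.0.1.20 dport=443",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_event(line):
    """Parse one assumed-format line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def blocked_targets_by_source(lines):
    """Group blocked events as (timestamp, (dst, dport)) per source, sorted by time."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["action"] == "blocked":
            by_src[ev["src"]].append((ev["ts"], (ev["dst"], ev["dport"])))
    for events in by_src.values():
        events.sort()
    return by_src


def max_distinct_targets(events, window):
    """Largest number of distinct (dst, dport) pairs seen in any span of length `window`."""
    best = 0
    for i, (start, _) in enumerate(events):
        seen = set()
        for ts, target in events[i:]:
            if ts - start > window:
                break
            seen.add(target)
        best = max(best, len(seen))
    return best


def baseline(lines, threshold=5, window=timedelta(seconds=60)):
    """Sources that would already fire, mapped to their peak distinct-target count.

    Run this over historical data and review each entry before enabling the rule;
    authorized scanners found here become allowlist candidates.
    """
    result = {}
    for src, events in blocked_targets_by_source(lines).items():
        n = max_distinct_targets(events, window)
        if n >= threshold:
            result[src] = n
    return result


def detect_sweeps(lines, allowlist=frozenset(), threshold=5, window=timedelta(seconds=60)):
    """Sources outside the allowlist that hit at least `threshold` distinct targets in a window."""
    return sorted(src for src in baseline(lines, threshold, window) if src not in allowlist)


if __name__ == "__main__":
    print("baseline:", baseline(SAMPLE_EVENTS))
    print("alerts:", detect_sweeps(SAMPLE_EVENTS, allowlist={"10.0.0.50"}))
```

Counting distinct host/port pairs rather than raw blocked events is what keeps the retrying client out of the alert; the allowlist is what keeps the scanner out. Review the baseline output with the owners of each source before adding anything to the allowlist, since an unexpected sweeping host in a baseline is itself a finding.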