t1046

Title | Tags
as the script block is a blob of text, false positives may occur with scripts that contain the keyword as a reference or simply use it for detection.
internal vulnerability scanners will trigger this detection.
legitimate administration activities
legitimate administrative use
legitimate administrator activity
legitimate python scripts using the socket library or similar will trigger this. apply additional filters and perform an initial baseline before deploying.
some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. use of `nping` by non-engineers or ordinary users is uncommon.
there is a potential for false positives if the container is used for legitimate tasks that require the use of network utilities, such as network troubleshooting, testing or system monitoring. it is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
tools with similar commandline (very rare)
unlikely