LoFP: t1048.003

| Title | Tags |
|---|---|
| False positives may be present if DNS data exfiltration requests look very similar to benign DNS requests. | t1048.003, endpoint, splunk |
| False positives will be present based on legitimate software; filtering may need to occur. | t1048.003, endpoint, splunk |
| It is possible for long domain names to be legitimate. | t1048.003, endpoint, splunk |
| Large outbound transfers may occur due to legitimate activities such as cloud backups, file syncing, OS or application updates, or developer build deployments. Backup servers, CI/CD pipelines, and enterprise sync tools (e.g., OneDrive, Dropbox) may exhibit similar patterns. Additional validation using user context, scheduled task windows, or endpoint telemetry is recommended to reduce false positives. | t1041, t1048.003, t1567.002, network, splunk |
| Legitimate usage of the System.Net.NetworkInformation.Ping class. | t1048, t1048.003, windows, sigma |
| Legitimate usage of the wget utility to POST a file. | t1048, t1048.003, linux, sigma |
| Network admins and normal users may send this file attachment as part of their day-to-day work. Having a good protocol for attaching this file type to an e-mail may reduce the risk of a spear-phishing attack. | t1048.003, t1566.001, gsuite, splunk |
| Normal archive transfer via the HTTP protocol may trip this detection. | t1048.003, endpoint, splunk |
| Other SMTP tools. | t1048, t1048.003, windows, sigma |
| Some false positives could occur with applications that change their default communication port for an added layer of obscurity. | t1048.003, endpoint, splunk |