LoFP
/
t1048.003
t1048.003
Title
Tags
false positives may be present if dns data exfiltration request look very similar to benign dns requests.
t1048.003
endpoint
splunk
false positives will be present based on legitimate software, filtering may need to occur.
t1048.003
endpoint
splunk
it's possible that an enterprise has more than five dns servers that are configured in a round-robin rotation. please customize the search, as appropriate.
t1048.003
endpoint
splunk
it's possible that legitimate txt record responses can be long enough to trigger this search. you can modify the packet threshold for this search to help mitigate false positives.
t1048.003
endpoint
splunk
it's possible that normal dns traffic will exhibit this behavior. if an alert is generated, please investigate and validate as appropriate. the threshold can also be modified to better suit your environment.
t1048.003
endpoint
splunk
it's possible there can be long domain names that are legitimate.
t1048
t1048.003
endpoint
splunk
legitimate script
t1018
t1021
t1021.006
t1048
t1048.003
t1059
t1218
t1218.007
t1562
t1562.001
windows
sigma
legitimate usage of system.net.networkinformation.ping class
t1048
t1048.003
windows
sigma
legitimate usage of wget utility to post a file
t1048
t1048.003
linux
sigma
network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.
t1048
t1048.003
t1566
t1566.001
gsuite
splunk
none identified
t1048
t1048.003
t1070
t1204.002
t1546
t1546.011
t1566
t1566.001
splunk server
endpoint
splunk
normal archive transfer via http protocol may trip this detection.
t1048
t1048.003
endpoint
splunk
other smtp tools
t1048
t1048.003
windows
sigma
LoFP
/
t1048.003