LoFP LoFP / t1048

t1048

TitleTags
admin nslookup usage
administrative scripts
ftp servers should be excluded from this rule as this is expected behavior. some business workflows may use ftp for data exchange. these workflows often have expected characteristics such as users, sources, and destinations. ftp activity involving an unusual source or destination may be more suspicious. ftp activity involving a production server that has no known associated ftp workflow or business requirement is often suspicious.
irc activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. irc activity involving an unusual source or destination may be more suspicious. irc activity involving a production server is often suspicious. because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a nat-ed web server replies to a client which has used a port in the range by coincidence. in this case, these servers can be excluded. some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private ips, which does not match this rule's conditions.
it's possible there can be long domain names that are legitimate.
legitimate openvpn tap installation
legitimate script
legitimate usage of system.net.networkinformation.ping class
legitimate usage of wget utility to post a file
nated servers that process email traffic may false and should be excluded from this rule as this is expected behavior for them. consumer and personal devices may send email traffic to remote internet destinations. in this case, such devices or networks can be excluded from this rule if this is expected behavior.
network admin and normal user may send this file attachment as part of their day to day work. having a good protocol in attaching this file type to an e-mail may reduce the risk of having a spear phishing attack.
none identified
normal archive transfer via http protocol may trip this detection.
other smtp tools
rdp connections may be made directly to internet destinations in order to access windows cloud server instances but such connections are usually made only by engineers. in such cases, only rdp gateways, bastions or jump servers may be expected internet destinations and can be exempted from this rule. rdp may be required by some work-flows such as remote access and support for specialized software products and servers. such work-flows are usually known and not unexpected. usage that is unfamiliar to server or network owners can be unexpected and suspicious.
servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior.
unlikely