LoFP: t1095 (Non-Application Layer Protocol)
False positives may be present based on proxy usage internally. Filter as needed.
Tags: t1090, t1095, endpoint, splunk
False positives can appear if another remote terminal service is used to connect to its listener, but typically SSH is used in these scenarios.
Tags: t1095, t1548, _deprecated, elastic
ICMP packets are used in a variety of ways to help troubleshoot networking issues and ensure the proper flow of traffic. As such, it is possible that a large ICMP packet is perfectly legitimate. If large ICMP packets are associated with command-and-control traffic, there will typically be a large number of these packets observed over time. If the search produces a large number of false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list.
Tags: t1095, endpoint, splunk
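The ICMP note above describes two tuning knobs (a byte threshold and a destination allow list) and the observation that ICMP command-and-control repeats over time. The following is an added example, not code from the LoFP page or from the Splunk macro it names: a small Python model of that filter run over constructed sample events, with a second pass that keeps only source/destination pairs that repeat. The event field names, the default threshold, the allow-listed network and the sample data are all assumptions.

```python
# Added example (not the LoFP page's or Splunk's code): a Python model of the
# large-outbound-ICMP detection and its two tuning knobs, a byte threshold and
# a destination allow list, followed by the "many packets over time" check.
# The event field names, threshold value and sample data are assumptions.
from collections import Counter
from ipaddress import ip_address, ip_network

DEFAULT_BYTE_THRESHOLD = 1000  # assumed; a normal ping payload is far smaller

# Constructed sample events shaped like flattened network-traffic records.
# 10.1.1.5 -> 203.0.113.9 repeats large ICMP packets (beacon-like);
# 10.1.1.7 -> 198.51.100.20 is a one-off large packet (e.g. path-MTU testing);
# 10.1.1.7 -> 192.0.2.10 is a monitoring host that legitimately sends big probes.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.1.5", "dest_ip": "203.0.113.9", "protocol": "icmp", "bytes_out": 1400, "ts": 1},
    {"src_ip": "10.1.1.5", "dest_ip": "203.0.113.9", "protocol": "icmp", "bytes_out": 1400, "ts": 2},
    {"src_ip": "10.1.1.5", "dest_ip": "203.0.113.9", "protocol": "icmp", "bytes_out": 1400, "ts": 3},
    {"src_ip": "10.1.1.5", "dest_ip": "203.0.113.9", "protocol": "icmp", "bytes_out": 1400, "ts": 4},
    {"src_ip": "10.1.1.7", "dest_ip": "198.51.100.20", "protocol": "icmp", "bytes_out": 1500, "ts": 5},
    {"src_ip": "10.1.1.7", "dest_ip": "192.0.2.10", "protocol": "icmp", "bytes_out": 2000, "ts": 6},
    {"src_ip": "10.1.1.7", "dest_ip": "192.0.2.10", "protocol": "icmp", "bytes_out": 2000, "ts": 7},
    {"src_ip": "10.1.1.7", "dest_ip": "192.0.2.10", "protocol": "icmp", "bytes_out": 2000, "ts": 8},
    {"src_ip": "10.1.1.9", "dest_ip": "203.0.113.9", "protocol": "icmp", "bytes_out": 64, "ts": 9},
    {"src_ip": "10.1.1.9", "dest_ip": "203.0.113.9", "protocol": "tcp", "bytes_out": 1400, "ts": 10},
]


def large_outbound_icmp(events, byte_threshold=DEFAULT_BYTE_THRESHOLD, allow_list=()):
    """Return ICMP events at or above byte_threshold whose destination is not
    inside any allow-listed address or CIDR block (the macro's two knobs)."""
    allowed = [ip_network(entry, strict=False) for entry in allow_list]
    hits = []
    for event in events:
        if event.get("protocol") != "icmp":
            continue
        if event["bytes_out"] < byte_threshold:
            continue
        dest = ip_address(event["dest_ip"])
        if any(dest in net for net in allowed):
            continue  # known-good destination, e.g. a monitoring host
        hits.append(event)
    return hits


def suspicious_pairs(events, min_count=3, byte_threshold=DEFAULT_BYTE_THRESHOLD, allow_list=()):
    """Keep only (src, dest) pairs that produced min_count or more large ICMP
    packets: C2 over ICMP repeats, a single oversized troubleshooting packet
    usually does not."""
    hits = large_outbound_icmp(events, byte_threshold, allow_list)
    counts = Counter((e["src_ip"], e["dest_ip"]) for e in hits)
    return {pair: n for pair, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for pair, n in suspicious_pairs(SAMPLE_EVENTS, allow_list=["192.0.2.0/24"]).items():
        print(f"{pair[0]} -> {pair[1]}: {n} large ICMP packets")
```

With an empty allow list the monitoring host shows up as a second repeating pair; adding its network to the allow list removes it while the beacon-like pair stays. Raising the threshold to 1450 bytes in this sample would drop the beacon entirely, so prefer allow-listing known-good hosts over pushing the threshold up when tuning.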
If you work in the public sector, it may be reasonable to exclude domains that end with ".edu", ".gov" and/or ".mil".
Tags: t1095, t1571, zeek, sigma
Internal or legitimate external domains using DNSSEC. Verify that these are legitimate DNSSEC domains and then exclude them.
Tags: t1095, t1571, zeek, sigma
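The two DNS notes above (excluding ".edu", ".gov" and ".mil" names, and excluding verified DNSSEC domains) both come down to a domain-suffix exclusion. The following is an added example, not code from the LoFP page or from any Zeek or Sigma rule: a label-aware suffix check run over a constructed Zeek-style dns.log excerpt, covering both exclusions in one place. The log layout, the suffix list and the verified-domain list are assumptions.

```python
# Added example (not the LoFP page's or any Sigma/Zeek rule's code): label-aware
# exclusion of public-sector TLDs and of verified DNSSEC domains, run over a
# constructed Zeek-style dns.log excerpt. Field layout, suffix list and the
# verified-domain list are assumptions.
SAMPLE_DNS_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tquery\tqtype_name",
    "1.0\t10.1.1.5\twww.nasa.gov.\tA",
    "2.0\t10.1.1.5\tmail.army.mil\tDNSKEY",
    "3.0\t10.1.1.5\tNS.CS.EXAMPLE.EDU\tDS",
    "4.0\t10.1.1.5\tgov.attacker.invalid\tA",
    "5.0\t10.1.1.5\tsig.internal.example\tRRSIG",
    "6.0\t10.1.1.5\texfil.attacker.invalid\tRRSIG",
])

PUBLIC_SECTOR_SUFFIXES = (".edu", ".gov", ".mil")   # assumed, per the note above
VERIFIED_DNSSEC_DOMAINS = ("internal.example",)     # assumed, filled in after manual verification


def normalize(name):
    """Lower-case and drop the trailing root dot so 'WWW.NASA.GOV.' and
    'www.nasa.gov' compare equal."""
    return name.strip().rstrip(".").lower()


def matches_suffix(name, suffix):
    """Label-aware suffix test: 'x.gov' matches '.gov', while 'gov.evil.invalid'
    and 'fakegov' do not. A plain endswith on the raw string misses upper-case
    or trailing-dot variants of otherwise excluded names."""
    n = normalize(name)
    s = normalize(suffix).lstrip(".")
    return n == s or n.endswith("." + s)


def is_excluded(name, suffixes=PUBLIC_SECTOR_SUFFIXES, verified=VERIFIED_DNSSEC_DOMAINS):
    """True when the name falls under an excluded TLD or a verified DNSSEC domain."""
    return any(matches_suffix(name, s) for s in (*suffixes, *verified))


def parse_zeek_tsv(text):
    """Minimal reader for the Zeek TSV layout: a '#fields' line names the
    columns, other '#' lines are metadata, the rest are tab-separated rows."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def remaining_queries(text, suffixes=PUBLIC_SECTOR_SUFFIXES, verified=VERIFIED_DNSSEC_DOMAINS):
    """Queries left for the analyst after applying both exclusions."""
    return [r["query"] for r in parse_zeek_tsv(text)
            if not is_excluded(r["query"], suffixes, verified)]


if __name__ == "__main__":
    for q in remaining_queries(SAMPLE_DNS_LOG):
        print("review:", q)
```

The lookalike `gov.attacker.invalid` survives the filter because the suffix check is anchored at a label boundary. Keep in mind that excluding a whole TLD also hides traffic to compromised hosts under it, so the exclusion trades coverage for a quieter rule.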
Legitimate ncat use.
Tags: t1095, windows, sigma