
t1496

Title | Tags
A DNS lookup does not necessarily mean a successful attempt. Verify a) whether there was a response, using the Zeek answers field; if there was, then verify the connections (conn.log) to those IPs; b) whether there was HTTP, SSL, or TLS activity to the domain that was queried. The http.log field is 'host' and the ssl/tls field is 'server_name'.
Legitimate crypto coin mining
Legitimate use of crypto miners
Service principal credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Some build frameworks
Unlikely