
t1571

If you work in the public sector, it may be good to exclude domains ending with ".edu", ".gov" and/or ".mil".
Internal or legitimate external domains using DNSSEC. Verify that these are legitimate DNSSEC domains and then exclude them.
Legitimate administrative script.
SSH over ports other than the traditional port 22 is highly uncommon. This rule alerts on the use of such uncommon ports by the SSH service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions, preferably in combination with a whitelist of ports for such legitimate SSH activity.
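One way to implement the port-whitelist tuning described in the SSH entry above, as an added example that is not from LoFP or from any Sigma rule; the key=value log format, the field names and the hosts are constructed assumptions:

```python
import re

# Constructed sample of network-connection events in a key=value shape
# (not taken from any real sensor); field names are assumptions.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z host=web01 image=/usr/bin/ssh dst_ip=10.0.0.5 dst_port=22
ts=2024-05-01T10:00:07Z host=web01 image=/usr/bin/ssh dst_ip=10.0.0.9 dst_port=2222
ts=2024-05-01T10:01:13Z host=db02 image=/usr/sbin/sshd dst_ip=10.0.0.2 dst_port=443
ts=2024-05-01T10:02:40Z host=db02 image=/usr/bin/curl dst_ip=203.0.113.7 dst_port=8443
ts=2024-05-01T10:03:02Z host=jump01 image=/usr/bin/ssh dst_ip=10.0.0.9 dst_port=2222
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
SSH_IMAGES = {"ssh", "sshd", "scp", "sftp"}  # binaries treated as the SSH service

def parse_line(line):
    """Turn one key=value log line into a dict (empty dict for a blank line)."""
    return dict(KV_RE.findall(line))

def is_ssh_process(image):
    """True if the executable's basename is an SSH client or server binary."""
    return image.rsplit("/", 1)[-1] in SSH_IMAGES

def find_nonstandard_ssh(log_text, allowed_ports=frozenset({22}), allowed_host_ports=None):
    """Return (host, image, dst_port) for SSH binaries using a port outside the
    standard port 22, after applying two kinds of exception:
    - allowed_ports: ports treated as legitimate on every host
    - allowed_host_ports: {host: {port, ...}} for host-specific whitelisting
    """
    allowed_host_ports = allowed_host_ports or {}
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not is_ssh_process(ev.get("image", "")):
            continue
        port = int(ev["dst_port"])
        if port in allowed_ports or port in allowed_host_ports.get(ev["host"], ()):
            continue
        hits.append((ev["host"], ev["image"], port))
    return hits

if __name__ == "__main__":
    # Untuned: every SSH connection off port 22 alerts, including the noisy 2222.
    print(find_nonstandard_ssh(SAMPLE_LOG))
    # Tuned: 2222 is expected only from jump01, so web01's 2222 and db02's 443 still alert.
    print(find_nonstandard_ssh(SAMPLE_LOG, allowed_host_ports={"jump01": {2222}}))
```

Scoping the exception to the host that legitimately uses the port keeps the same port alerting elsewhere, which is the higher-confidence tuning the entry asks for.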