t1571
Title: if you work in the public sector, it may be good to exclude things like endswith ".edu", ".gov" and/or ".mil".
Tags: t1095, t1571, zeek, sigma

Title: internal or legitimate external domains using dnssec. verify that these are legitimate dnssec domains and then exclude them.
Tags: t1095, t1571, zeek, sigma

Title: legitimate administrative script.
Tags: t1059, t1059.001, t1098, t1132, t1132.001, t1136, t1136.002, t1553, t1553.004, t1571, t1573, t1574, t1574.011, t1574.012, windows, sigma

Title: some legitimate applications may download files over custom ports (e.g., cdn mirrors, apis). apply additional filters accordingly.
Tags: t1105, t1571, endpoint, splunk

Title: some legitimate services or custom applications may use non-standard ports for development, remote management, or internal communication. ephemeral ports in test environments may occasionally overlap with the ports used in this detection. additional context such as process name, user behavior, or endpoint telemetry should be used to validate suspicious sessions before escalation.
Tags: t1021, t1055, t1059.001, t1105, t1219, t1571, network, splunk

Title: ssh over ports other than the traditional port 22 is highly uncommon. this rule alerts on the use of such uncommon ports by the ssh service. tuning is needed to have higher confidence. if this activity is expected and noisy in your environment, consider adding exceptions, preferably with a combination of whitelisted ports for such legitimate ssh activities.
Tags: t1571, cross-platform, elastic