LoFP / T1573.002

T1573.002

Certain SSL/TLS certificates may be flagged in threat intelligence feeds because of historical misuse yet still be used by legitimate services, particularly in content delivery or shared hosting environments where one certificate fronts many unrelated tenants. Internal or self-signed certificates used in testing or development environments may also match known blacklisted fingerprints. Validate the connection context (destination IP, domain, client application) and correlate with other indicators before taking action on a fingerprint match alone.
Some benign applications exhibit behaviors that resemble encrypted threat patterns, especially when they use uncommon encryption libraries or custom protocols. Custom-developed or internal tools may trigger high EVE confidence scores depending on how they encrypt data. Validate the associated process (`eve_process`) and destination context, and correlate with other logs (e.g., endpoint or threat intel) before taking response action.
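The triage both notes above recommend, as an added example that is not part of the LoFP page or of any detection rule set: a blacklisted certificate fingerprint counts as a hit only after the destination, SNI, self-signed status and client process (`eve_process`) have been checked, and context never auto-suppresses, it only routes the hit to analyst review. The log records, the "feed" fingerprints, the CDN/shared-hosting ranges and the approved-tool list are all constructed; the field names are modelled loosely on Suricata EVE `tls` events and are an assumption here, not a documented schema.

```python
"""Fingerprint-hit triage over constructed EVE-style TLS records (added example)."""
import hashlib
import ipaddress
import json

# Stand-ins for DER-encoded certificates. Real DER is ASN.1; these bytes only
# serve to derive fingerprints deterministically for the example.
CONSTRUCTED_BAD_CERT_DER = b"constructed DER: cert reused on a C2 server years ago"
CONSTRUCTED_OK_CERT_DER = b"constructed DER: ordinary CDN edge certificate"


def cert_fingerprint(der: bytes) -> str:
    """SHA-1 of the DER certificate in the colon-separated form (aa:bb:cc:...)
    that Suricata/Zeek style logs and most intel feeds use."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed threat-intel feed: fingerprints flagged for historical misuse.
BLACKLISTED_FINGERPRINTS = {cert_fingerprint(CONSTRUCTED_BAD_CERT_DER)}

# Constructed CDN / shared-hosting space (documentation-only prefix) where a
# flagged certificate may still front legitimate tenants.
SHARED_HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed internal domain suffixes and approved custom tools.
INTERNAL_DOMAIN_SUFFIXES = (".corp.example", ".test")
APPROVED_INTERNAL_TOOLS = {"internal-backup-agent", "ci-runner"}


def is_self_signed(tls: dict) -> bool:
    """Issuer equal to subject means self-signed; common in dev/test and not
    by itself evidence of attacker infrastructure."""
    subject, issuer = tls.get("subject"), tls.get("issuerdn")
    return bool(subject) and subject == issuer


def triage(event: dict) -> dict:
    """Return 'ignore' (no feed hit), 'alert' (feed hit with no mitigating
    context) or 'review' (feed hit but the context suggests a false positive,
    so correlate with endpoint and intel data before acting)."""
    tls = event.get("tls", {})
    fingerprint = (tls.get("fingerprint") or "").lower()
    if fingerprint not in BLACKLISTED_FINGERPRINTS:
        return {"verdict": "ignore", "reasons": ["fingerprint not in feed"]}

    mitigating = []
    dest_ip = ipaddress.ip_address(event["dest_ip"])
    if any(dest_ip in net for net in SHARED_HOSTING_RANGES):
        mitigating.append("destination is CDN/shared-hosting space")
    sni = (tls.get("sni") or "").lower()
    if sni.endswith(INTERNAL_DOMAIN_SUFFIXES):
        mitigating.append(f"internal domain {sni}")
    if is_self_signed(tls):
        mitigating.append("certificate is self-signed")
    # 'eve_process' is the client-process field the note refers to; that the
    # record carries it under this name is an assumption of this example.
    process = event.get("eve_process")
    if process in APPROVED_INTERNAL_TOOLS:
        mitigating.append(f"client process {process} is an approved internal tool")

    return {
        "verdict": "review" if mitigating else "alert",
        "fingerprint": fingerprint,
        "reasons": mitigating or ["no mitigating context; feed hit stands"],
    }


def _tls_event(dest_ip, process, sni, subject, issuer, der):
    return json.dumps({
        "event_type": "tls", "src_ip": "10.0.0.5", "dest_ip": dest_ip,
        "dest_port": 443, "eve_process": process,
        "tls": {"sni": sni, "subject": subject, "issuerdn": issuer,
                "fingerprint": cert_fingerprint(der)},
    })


# Constructed EVE-style lines: a real hit, a CDN tenant, a self-signed internal
# cert from an approved tool, and a certificate not in the feed at all.
CONSTRUCTED_EVE_LINES = [
    _tls_event("198.51.100.7", "unknown.exe", "update-check.example",
               "CN=update-check.example", "CN=Some CA", CONSTRUCTED_BAD_CERT_DER),
    _tls_event("203.0.113.20", "chrome", "images.example",
               "CN=*.example", "CN=Public CA", CONSTRUCTED_BAD_CERT_DER),
    _tls_event("10.0.0.9", "internal-backup-agent", "backup.corp.example",
               "CN=backup.corp.example", "CN=backup.corp.example", CONSTRUCTED_BAD_CERT_DER),
    _tls_event("203.0.113.21", "chrome", "cdn.example",
               "CN=cdn.example", "CN=Public CA", CONSTRUCTED_OK_CERT_DER),
]


def triage_lines(lines):
    """Run triage over raw EVE JSON lines."""
    return [triage(json.loads(line)) for line in lines]


if __name__ == "__main__":
    for result in triage_lines(CONSTRUCTED_EVE_LINES):
        print(result["verdict"], "-", "; ".join(result["reasons"]))
```

The design point is that context only ever lowers a hit to `review`; a record that reaches `alert` has no shared-hosting destination, no internal domain, no self-signed certificate and no approved process behind it, which is the combination the notes say is worth acting on.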