LoFP / zeek

zeek rule

Title | Tags
A DNS lookup does not necessarily mean a successful attempt. Verify a) whether there was a response, using the Zeek answers field; if there was, then verify the connections (conn.log) to those IPs. b) Verify whether there was HTTP, SSL, or TLS activity to the domain that was queried; the http.log field is 'host' and the ssl/tls field is 'server_name'.
Although it is recommended not to have RDP exposed to the internet, verify that this is a) allowed and b) the server has not already been compromised via brute force or a remote exploit while it has been exposed to the internet. Work to secure the server if you are unable to remove it from the internet.
Domain controllers that are also acting as print servers (common, although they should not be).
Exploits that were attempted but unsuccessful.
Help desk operator doing a backup or re-imaging an end user machine, or backup software.
If you work in the public sector then it may be good to exclude things like endswith ".edu", ".gov" and/or ".mil".
Internal or legitimate external domains using DNSSEC. Verify that these are legitimate DNSSEC domains and then exclude them.
Legitimate remote alteration of a printer driver.
Normal enterprise SPN request activity.
Scanning attempts with abnormal use of the HTTP POST method with no indication of code execution within the HTTP client (request) body. An example would be vulnerability scanners trying to identify unpatched versions without actually exploiting the vulnerability. See the description for investigation tips.
Transferring sensitive files for legitimate administration work by a legitimate administrator.
Uncommon but legitimate Windows administrator or software tasks that make use of the Encrypting File System RPC calls. Verify whether this is common activity (see description).
Update the excluded named pipe to filter out any newly observed legitimate named pipe.
Users working with these data types or exchanging message files.
Windows administrator tasks or troubleshooting.
Windows management scripts or software.