LoFP / legitimate use of portmap.io domains

Techniques

Sample rules

Network Communication Initiated To Portmap.IO Domain

Description

Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors

Detection logic

condition: selection
selection:
  DestinationHostname|endswith: .portmap.io
  Initiated: 'true'
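To show what this selection actually matches before it is tuned against the legitimate use noted in this entry, here is an added example (not part of the LoFP page or the Sigma rule set) that evaluates the two conditions against constructed Sysmon Event ID 3 records. It relies on two facts about the rule's platform: Sigma string modifiers such as `endswith` compare case-insensitively by default, and Sysmon records `Initiated` as the strings `true`/`false`. The sample events, file paths and hostnames are constructed for illustration.

```python
"""Evaluate the Sigma 'selection' above against constructed Sysmon Event ID 3
(network connection) records. Added example code; it is not part of the LoFP
page or of the Sigma project."""

# Sigma string modifiers (endswith, startswith, contains) compare
# case-insensitively by default, so both sides are lowercased here.
SUFFIX = ".portmap.io"


def matches_portmap_rule(event: dict) -> bool:
    """True when the event satisfies the rule's selection:
    DestinationHostname|endswith '.portmap.io' AND Initiated == 'true'."""
    host = str(event.get("DestinationHostname", "")).lower()
    # Sysmon writes Initiated as the strings 'true' / 'false', so the value
    # is compared as text rather than as a boolean.
    initiated = str(event.get("Initiated", "")).lower() == "true"
    return host.endswith(SUFFIX) and initiated


def triage(events):
    """Apply the rule to a batch and return (Image, DestinationHostname) pairs
    for every hit, so an analyst can compare them with the processes that are
    known to use portmap.io legitimately."""
    return [(e.get("Image"), e.get("DestinationHostname"))
            for e in events if matches_portmap_rule(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "C:\\Users\\dev\\tool.exe",
     "DestinationHostname": "demo-tunnel.portmap.io", "Initiated": "true"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationHostname": "Gateway.PORTMAP.IO", "Initiated": "true"},  # case differs
    {"EventID": 3, "Image": "C:\\Program Files\\app\\app.exe",
     "DestinationHostname": "demo-tunnel.portmap.io", "Initiated": "false"},  # inbound
    {"EventID": 3, "Image": "C:\\tools\\x.exe",
     "DestinationHostname": "portmap.io.example.com", "Initiated": "true"},  # look-alike
    {"EventID": 3, "Image": "C:\\tools\\y.exe",
     "DestinationHostname": "portmap.io", "Initiated": "true"},  # apex name, no leading dot
]

if __name__ == "__main__":
    for image, host in triage(SAMPLE_EVENTS):
        print(f"hit: {image} -> {host}")
```

Two of the five constructed events fire: the outbound connection to a portmap.io subdomain and the same thing with different letter casing. The inbound connection, the look-alike domain and the apex `portmap.io` name (which lacks the leading dot the suffix requires) do not. Any hit still needs the triage this LoFP entry describes, since a developer's port-forwarding tool and a tunnelling implant produce the same two fields.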