Connection to red team domain

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1190-exploit-public-facing-application

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect when a connection is established to a domain used for penetration testing.

Strategy

Some application security testing tools use common domains. For example, the web application security platform Burp Suite uses burpcollaborator[.]net in some payloads. These services assist in determining if an attack was successful. This detection contains a list of known domains used for penetration testing.

The tools in this rule are free to use or open-source. Use is not limited to ethical penetration testing teams.

Triage and response

  1. Determine the process that made the connection.
  2. Review related signals, application traces, and related logs to understand the full timeline of the incident.
  3. Isolate the workload, preserving it for analysis.
  4. Find and repair the root cause of the incident.

This detection is based on data from Network Performance Monitoring.