Connection to red team domain

Classification:

attack

Tactic:

TA0002-execution

Technique:

T1190-exploit-public-facing-application

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

WARNING: This rule will be deprecated on 20 October 2025.

See the announcement for more information.

Goal

Detect when a connection is established to a domain used for penetration testing.

Strategy

Some application security testing tools use common domains. For example, the web application security platform Burp Suite uses burpcollaborator[.]net in some payloads. These services assist in determining if an attack was successful. This detection contains a list of known domains used for penetration testing.

The tools in this rule are free to use or open-source. Use is not limited to ethical penetration testing teams.

Triage and response

  1. Determine the process that made the connection.
  2. Review related signals, application traces, and related logs to understand the full timeline of the incident.
  3. Isolate the workload, preserving it for analysis.
  4. Find and repair the root cause of the incident.

This detection is based on data from Cloud Network Monitoring.