Connection to red team domain

Goal

Detect when a connection is established to a domain used for penetration testing.

Strategy

Some application security testing tools use common domains. For example, the web application security platform Burp Suite uses burpcollaborator[.]net in some payloads. These services assist in determining if an attack was successful. This detection contains a list of known domains used for penetration testing.

The tools in this rule are free to use or open-source. Use is not limited to ethical penetration testing teams.

Triage and response

  1. Determine the process that made the connection.
  2. Review related signals, application traces, and related logs to understand the full timeline of the incident.
  3. Isolate the workload, preserving it for analysis.
  4. Find and repair the root cause of the incident.

This detection is based on data from Network Performance Monitoring.

PREVIEWING: safchain/fix-custom-agent