Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 2 Hours |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
The host performed uncommon HTTP communication, which might indicate an attempt to hide malicious activity.
Attacker's Goals
Data exfiltration, attack tool staging, or a command and control channel through a trusted service.
Investigative actions
- Examine the legitimacy of the application that produced this uncommon connection.
- Examine the parent process of this application.
- Check for anomalies at the time when the communication occurred.
Variations
HTTP with suspicious characteristics which is repetitive
HTTP with suspicious characteristics to an IP address
HTTP with suspicious characteristics that always fails