communication_to_bad_rep

Explanation

The communication_to_bad_rep NDM is designed to detect successful outbound connections to a known-bad IP address. The NDM triggers when a host on the network completes a connection to an IP address that is on a deny list or has otherwise been identified as malicious.

What to Look For

The communication_to_bad_rep NDM Event may indicate that a host on your network is compromised. IP reputation, reverse DNS, and Whois information for the remote IP address identified by the event can add valuable context to your investigation. Check your endpoint security solutions for signs of infection on the internal host that made the connection, and take action to remediate any security threats you identify.
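The following is an added example, not the product's own NDM logic, showing the detection described under Explanation (a successful outbound connection to a deny-listed address) and the first triage step described above (grouping hits by internal host). The log line format, the deny-list entries (taken from the RFC 5737 documentation ranges) and the sample connections are all constructed for the example; a real deployment would read its own flow or firewall records and a real threat-intelligence feed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed deny list (placeholder documentation-range values, not a real feed).
# Entries may be single addresses or CIDR networks; IPv6 works the same way.
DENY_LIST = [
    "203.0.113.0/24",   # placeholder "bad" network
    "198.51.100.77",    # placeholder "bad" single address
]

# Constructed connection records, one per line:
# <timestamp> <src_ip> <dst_ip:port> <proto> <state> <direction>
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 203.0.113.9:443 tcp established outbound
2024-01-01T10:00:02Z 10.0.0.5 192.0.2.10:443 tcp established outbound
2024-01-01T10:00:03Z 10.0.0.7 198.51.100.77:8080 tcp syn_sent outbound
2024-01-01T10:00:04Z 10.0.0.7 198.51.100.77:8080 tcp established outbound
2024-01-01T10:00:05Z 203.0.113.9 10.0.0.5:22 tcp established inbound
"""


@dataclass(frozen=True)
class Connection:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    state: str
    direction: str


def parse_log(text):
    """Parse the constructed log format above into Connection records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, proto, state, direction = line.split()
        dst, port = dst_port.rsplit(":", 1)   # rsplit keeps IPv6 literals intact
        conns.append(Connection(ts, src, dst, int(port), proto, state, direction))
    return conns


def build_deny_networks(entries):
    """Normalise deny-list entries so single IPs and CIDR blocks match uniformly."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_denied(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def detect(conns, networks):
    """Return only *successful* (established) outbound connections to a
    deny-listed destination. Failed attempts (syn_sent) and inbound traffic
    from a bad IP are different signals and are deliberately excluded here."""
    return [
        c for c in conns
        if c.direction == "outbound"
        and c.state == "established"
        and is_denied(c.dst, networks)
    ]


def hosts_to_triage(hits):
    """Group hits by internal source host: each key is a host to check with
    endpoint tooling, each value the remote IPs to enrich with reputation,
    reverse DNS and Whois data."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h.src, set()).add(h.dst)
    return {src: sorted(dsts) for src, dsts in grouped.items()}


if __name__ == "__main__":
    hits = detect(parse_log(SAMPLE_LOG), build_deny_networks(DENY_LIST))
    for host, remotes in hosts_to_triage(hits).items():
        print(f"{host} -> {', '.join(remotes)}")
```

Running it lists two internal hosts to investigate, 10.0.0.5 and 10.0.0.7, each with the single deny-listed address it successfully reached; the half-open attempt on line three and the inbound connection on line five do not fire, matching the "successful outbound" condition of the NDM. Enrichment of the remote addresses (reputation, reverse DNS, Whois) is an online step performed after this offline selection.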

Related MITRE ATT&CK Categories

Command and Control TA0011