ip_lookup_attempt

Explanation

The ip_lookup_attempt NDM is designed to detect when a customer network machine attempts to look itself up, for example by querying an external IP-lookup service to learn its own public IP address. Legitimate software rarely needs to do this, but it is a common discovery step for malware that needs to know where it is running, so it can be an indication of malicious activity on the network.

What to Look For

When examining an ip_lookup_attempt NDM event, look at the traffic from the same host in the minutes around the lookup: the lookup is often accompanied by other activity such as C2 payload downloads, lateral spreading to other internal machines, or attempts to offload data. This is not normal traffic for the network; treat the event as highly suspicious and investigate it thoroughly.
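The following triage helper is an added example and is not the NDM's own detection logic. It assumes proxy-style events of the form (timestamp, source host, destination, port, URI, bytes out), an assumed list of well-known "what is my IP" services, an assumed internal DNS suffix and RFC 1918 ranges, and assumed thresholds for what counts as a payload download, lateral spread, or data offload. It flags the lookup, pulls the same host's surrounding traffic, and labels the behaviours described above.

```python
"""Triage helper for ip_lookup_attempt hits (added example, not NDM code).

Flags hosts that query an external IP-lookup service, then gathers that
host's traffic in a window around the lookup and labels the activity the
page says to look for: payload download, lateral spread, data offload.
"""
from datetime import datetime, timedelta
import ipaddress

# Assumption: commonly abused "what is my IP" services. The NDM's real list
# of lookup services is not documented on this page.
IP_LOOKUP_DOMAINS = {
    "api.ipify.org", "icanhazip.com", "ifconfig.me",
    "checkip.amazonaws.com", "ipinfo.io",
}
INTERNAL_SUFFIX = ".corp.local"            # assumption: customer's internal zone
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PORTS = {445, 3389, 5985, 5986}    # assumption: SMB, RDP, WinRM
PAYLOAD_EXTENSIONS = (".bin", ".exe", ".dll", ".ps1")
EXFIL_BYTES = 10_000_000                   # assumption: 10 MB out in one request

# Constructed sample events: (timestamp, src_host, dst, port, uri, bytes_out)
SAMPLE_EVENTS = [
    ("2024-03-04T09:58:12", "ws-017", "update.microsoft.com", 443, "/", 512),
    ("2024-03-04T10:00:03", "ws-017", "api.ipify.org", 443, "/?format=json", 120),
    ("2024-03-04T10:00:41", "ws-017", "198.51.100.23", 80, "/stage2.bin", 0),
    ("2024-03-04T10:03:15", "ws-017", "fs-02.corp.local", 445, "", 2048),
    ("2024-03-04T10:09:50", "ws-017", "203.0.113.9", 443, "/upload", 48_000_000),
    ("2024-03-04T10:20:00", "ws-044", "update.microsoft.com", 443, "/", 512),
    ("2024-03-04T11:30:00", "ws-017", "10.0.0.5", 445, "", 100),
]


def is_internal(dst):
    """True if the destination is an internal name or an RFC 1918 address."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return dst.lower().endswith(INTERNAL_SUFFIX)
    return any(addr in net for net in INTERNAL_NETWORKS)


def find_lookup_attempts(events):
    """Events whose destination is a known IP-lookup service."""
    return [e for e in events if e[2].lower() in IP_LOOKUP_DOMAINS]


def label(event):
    """Classify one event as the kind of traffic that often surrounds a lookup."""
    _, _, dst, port, uri, bytes_out = event
    internal = is_internal(dst)
    if not internal and bytes_out >= EXFIL_BYTES:
        return "data_offload"
    if not internal and uri.lower().endswith(PAYLOAD_EXTENSIONS):
        return "payload_download"
    if internal and port in LATERAL_PORTS:
        return "lateral_spread"
    return None


def triage(events, window_minutes=15):
    """For each lookup hit, collect the same host's traffic within the window
    (excluding the hit itself) and summarise the labelled indicators."""
    window = timedelta(minutes=window_minutes)
    results = []
    for hit in find_lookup_attempts(events):
        hit_ts = datetime.fromisoformat(hit[0])
        context = []
        for ev in events:
            if ev is hit or ev[1] != hit[1]:
                continue
            if abs(datetime.fromisoformat(ev[0]) - hit_ts) <= window:
                context.append((ev, label(ev)))
        indicators = sorted({lbl for _, lbl in context if lbl})
        results.append({"host": hit[1], "lookup": hit[2], "time": hit[0],
                        "context": context, "indicators": indicators})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"{r['time']} {r['host']} -> {r['lookup']}: {r['indicators']}")
        for ev, lbl in r["context"]:
            print(f"    {ev[0]} {ev[2]}:{ev[3]} {ev[4]!r} {lbl or '-'}")
```

On the constructed sample, ws-017 is flagged for the api.ipify.org request and its context window carries all three indicators, which is the pattern that warrants immediate escalation; ws-044 only talks to an update service and is not flagged. The lookup itself is the trigger, but the surrounding labelled events are what turn a single hit into a case.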

Related MITRE ATT&CK Categories

System Network Configuration Discovery, Technique T1016 - Enterprise
Traffic Signaling, Technique T1205 - Enterprise
Gather Victim Network Information, Technique T1590 - Enterprise