
Suspicious hosting provider traffic

ID: suspicious_hosting_provider
Data type: DNS, HTTP
Severity: Medium
MITRE ATT&CK: TA0011:T1071

Description

AlphaSOC detected traffic to a hosting provider fully-qualified domain name (FQDN) with suspicious properties. These properties can include a positive sandbox engine score (e.g., known malware samples associated with the FQDN according to VirusTotal), presence on a threat feed or blocklist, or poor reputation online.
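The detection described above can be modelled as a small enrichment pipeline: take each DNS or HTTP event, decide whether the FQDN is a proper subdomain of a known hosting provider, and raise a finding only when the FQDN also carries one of the suspicious properties the description lists (sandbox detections, threat-feed or blocklist presence, poor reputation). The following is an added example written for this page; it is not AlphaSOC's code, and the provider list, enrichment data, log format and names such as `HOSTING_PROVIDERS`, `ENRICHMENT` and `detect` are constructed assumptions for illustration.

```python
"""
Added example (not AlphaSOC's own code): a toy detector that flags DNS/HTTP
events to hosting-provider subdomains that carry a suspicious property.
All provider names, enrichment values and log lines below are constructed.
"""
from dataclasses import dataclass

# Constructed list of hosting-provider parent domains (assumption; a real
# deployment would use a maintained list).
HOSTING_PROVIDERS = {"example-hosting.test", "free-pages.test", "cloud-apps.test"}

# Constructed per-FQDN enrichment: number of sandbox engines flagging samples
# that contacted the FQDN, blocklist membership, and a 0-100 reputation score.
ENRICHMENT = {
    "update.example-hosting.test": {"sandbox_hits": 7, "on_blocklist": False, "reputation": 10},
    "cdn.free-pages.test":         {"sandbox_hits": 0, "on_blocklist": True,  "reputation": 40},
    "docs.cloud-apps.test":        {"sandbox_hits": 0, "on_blocklist": False, "reputation": 95},
}


@dataclass
class Finding:
    src_ip: str
    fqdn: str
    provider: str
    reasons: list
    severity: str = "Medium"
    mitre: str = "TA0011:T1071"


def hosting_provider_for(fqdn):
    """Return the provider parent domain if fqdn is a proper subdomain of one.

    The provider apex itself (e.g. the provider's own site) is not a subdomain
    and returns None, so ordinary traffic to the provider is not flagged.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    # Need at least one label in front of the provider domain.
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in HOSTING_PROVIDERS:
            return parent
    return None


def suspicious_reasons(fqdn, enrichment=ENRICHMENT, reputation_floor=30):
    """List the suspicious properties known for this FQDN (empty if none)."""
    info = enrichment.get(fqdn.lower().rstrip("."))
    if not info:
        return []
    reasons = []
    if info["sandbox_hits"] > 0:
        reasons.append(f"sandbox detections: {info['sandbox_hits']}")
    if info["on_blocklist"]:
        reasons.append("present on threat feed/blocklist")
    if info["reputation"] < reputation_floor:
        reasons.append(f"poor reputation score: {info['reputation']}")
    return reasons


def parse_event(line):
    """Parse a constructed 'TYPE src_ip fqdn' log line; None if malformed."""
    parts = line.split()
    if len(parts) != 3 or parts[0] not in ("DNS", "HTTP"):
        return None
    return parts[0], parts[1], parts[2]


def detect(lines):
    """Run the detection over log lines, one finding per (source, FQDN) pair."""
    findings = []
    seen = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        _, src_ip, fqdn = ev
        provider = hosting_provider_for(fqdn)
        if provider is None:
            continue
        reasons = suspicious_reasons(fqdn)
        if reasons and (src_ip, fqdn) not in seen:
            seen.add((src_ip, fqdn))
            findings.append(Finding(src_ip, fqdn, provider, reasons))
    return findings


# Constructed sample log: DNS and HTTP events from internal hosts.
SAMPLE_LOG = [
    "DNS 10.0.0.5 update.example-hosting.test",
    "HTTP 10.0.0.5 update.example-hosting.test",  # same pair, deduplicated
    "DNS 10.0.0.9 docs.cloud-apps.test",          # provider subdomain, clean
    "HTTP 10.0.0.12 cdn.free-pages.test",
    "DNS 10.0.0.12 example-hosting.test",         # provider apex, not a subdomain
    "DNS 10.0.0.3 intranet.corp.test",            # not a hosting provider
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f.severity}] {f.src_ip} -> {f.fqdn} "
              f"(provider {f.provider}): {'; '.join(f.reasons)}")
```

Run as a script, the sample log yields two Medium findings (10.0.0.5 to update.example-hosting.test, 10.0.0.12 to cdn.free-pages.test); the clean provider subdomain, the provider apex and the non-provider domain are not reported. In practice the enrichment step would query a reputation or sandbox source rather than a constructed dictionary, and the reputation floor is a tuning parameter.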

Impact

Threat actors often abuse subdomains of reputable hosting providers to create a false sense of legitimacy, which helps their traffic evade detection. Such subdomains can be used to host malicious content, exfiltrate data, or communicate with command and control (C2) servers.

Severity

Severity   Condition
Medium     Suspicious hosting provider traffic

Investigation and Remediation

Analyze the traffic patterns and identify affected systems. If malicious activity is confirmed, isolate compromised endpoints and block communication with the malicious domain. Conduct a thorough security assessment to detect and remove any malware, and assess the extent of potential data loss.