- The service/application being used is administrative in nature, such as Remote Desktop Protocol (RDP) or Secure Shell (SSH).
- The endpoints are geographically far apart.
- Distance between hosts: >= 3000 miles (configurable)
- Total bytes transferred: >= 4KB (so we can focus on meaningful sessions, also configurable)
- Client and Server service: One of RDP, SSH, VNC, telnet, etc.
- Protocol: TCP (to remove any lingering UDP traffic related to DNS, NTP, etc.)
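The filter described above, as an added example that is not part of the original post: each flow record is assumed to already carry GeoIP coordinates for both endpoints (the lookup step is outside this snippet), and the sample flows are constructed.

```python
import math

# Constructed sample flows (not from the original post). Coordinates are
# (lat, lon) in degrees, assumed to come from a prior GeoIP lookup.
FLOWS = [
    {"proto": "tcp", "service": "ssh", "bytes": 18_200,
     "client": (37.77, -122.42), "server": (51.51, -0.13)},   # SF -> London
    {"proto": "tcp", "service": "rdp", "bytes": 1_024,
     "client": (40.71, -74.01), "server": (35.68, 139.69)},   # NYC -> Tokyo, too small
    {"proto": "udp", "service": "dns", "bytes": 9_000,
     "client": (40.71, -74.01), "server": (35.68, 139.69)},   # UDP noise, dropped
    {"proto": "tcp", "service": "https", "bytes": 50_000,
     "client": (40.71, -74.01), "server": (35.68, 139.69)},   # not an admin service
    {"proto": "tcp", "service": "rdp", "bytes": 6_000,
     "client": (34.05, -118.24), "server": (37.77, -122.42)}, # LA -> SF, too close
]

ADMIN_SERVICES = {"rdp", "ssh", "vnc", "telnet"}
EARTH_RADIUS_MILES = 3958.8


def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def distant_admin_sessions(flows, min_miles=3000, min_bytes=4096,
                           services=ADMIN_SERVICES):
    """Return TCP admin-protocol sessions that moved enough data between
    endpoints at least min_miles apart; thresholds match the post's defaults."""
    hits = []
    for f in flows:
        if f["proto"] != "tcp" or f["service"] not in services:
            continue
        if f["bytes"] < min_bytes:
            continue
        miles = haversine_miles(f["client"], f["server"])
        if miles >= min_miles:
            hits.append({**f, "miles": round(miles)})
    return hits


if __name__ == "__main__":
    for hit in distant_admin_sessions(FLOWS):
        print(f"{hit['service'].upper()} session, {hit['bytes']} bytes, {hit['miles']} miles apart")
```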
Read the next post in this series: HTTP(s) Exfiltration.
Visit the Series Intro to see a complete list of the analytics covered.