Suspicious Network Connections

These detections identify suspicious activity from Firewall Activity collected and sent to InsightIDR.

Suspicious Network Connection - Destination Address in Brute Ratel C2 List

Description

This detection identifies network flow records whose destination address is in the Brute Ratel C2 IP list. These destination addresses are actively being used by attackers to command and control infected endpoints with the Brute Ratel C2 framework.

Recommendation

Review the endpoint generating the network traffic to determine whether it is compromised. If necessary, rebuild the host from a known good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application Layer Protocol - T1071
  • Remote Access Software - T1219

Suspicious Network Connection - Destination Address in Cobalt Strike C2 List

Description

This detection identifies firewall records whose destination address is in the Cobalt Strike C2 IP list. These destination addresses are actively being used by attackers to command and control infected endpoints, primarily to serve the Cobalt Strike Beacon payload.

Recommendation

Review the endpoint generating the network traffic to determine whether it is compromised. If necessary, rebuild the host from a known good source and have the user change their password.

Suspicious Network Connection - Destination Address in Covenant C2 List

Description

This detection identifies network flow records whose destination address is in the Covenant C2 IP list. These destination addresses are actively being used by attackers to command and control infected endpoints with the Covenant C2 framework.

Recommendation

Review the endpoint generating the network traffic to determine whether it is compromised. If necessary, rebuild the host from a known good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application Layer Protocol - T1071
  • Remote Access Software - T1219

Suspicious Network Connection - Destination Address In Darknet

Description

This detection identifies network connections whose destination address falls within a defined darknet range: IP space that is routed but hosts no legitimate services, so nothing should be trying to reach it. It can be used to identify when malicious actors, penetration testers, or approved internal scanning devices are attempting to scan or map out the network.

Recommendation

Review the alert in question and validate whether the source of the traffic is a known, approved network scanning device.

MITRE ATT&CK Techniques

  • Active Scanning - T1595
  • Scanning IP Blocks - T1595.001

Suspicious Network Connection - Destination Address in Deimos C2 List

Description

This detection identifies firewall records whose destination address is in the Deimos C2 IP list. These destination addresses are actively being used by attackers to command and control infected endpoints with the Deimos C2 framework.

Recommendation

Review the endpoint generating the network traffic to determine whether it is compromised. If necessary, rebuild the host from a known good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application Layer Protocol - T1071
  • Remote Access Software - T1219

Suspicious Network Connection - Destination Address in Mythic C2 List

Description

This detection identifies firewall records whose destination address is in the Mythic C2 IP list. These destination addresses are actively being used by attackers to command and control infected endpoints with the Mythic C2 framework.

Recommendation

Review the endpoint generating the network traffic to determine whether it is compromised. If necessary, rebuild the host from a known good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application Layer Protocol - T1071
  • Remote Access Software - T1219

Suspicious Network Connection - Destination Address in Posh C2 List

Description

This detection identifies firewall records whose destination address is in the Posh C2 IP list. These destination addresses are actively being used by attackers to command and control infected endpoints with the PoshC2 framework.

Recommendation

Review the endpoint generating the network traffic to determine whether it is compromised. If necessary, rebuild the host from a known good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application Layer Protocol - T1071
  • Remote Access Software - T1219

Suspicious Network Connection - Destination Address in Sliver C2 List

Description

This detection identifies firewall records whose destination address is in the Sliver C2 IP list. These destination addresses are actively being used by attackers to command and control infected endpoints with the Sliver C2 framework.

Recommendation

Review the endpoint generating the network traffic to determine whether it is compromised. If necessary, rebuild the host from a known good source and have the user change their password.

MITRE ATT&CK Techniques

  • Application Layer Protocol - T1071

Suspicious Network Connection - Destination Address in Solarmarker C2 List

Description

This detection identifies firewall records whose destination address is known by Rapid7 to be associated with SolarMarker. These destination addresses are actively being used by attackers to command and control infected endpoints, primarily to serve information-stealing payloads.

Recommendation

Investigate the host that is the source of the web traffic. If the activity is not benign or expected, consider rebuilding the host from a known good source and having the user change their password.

MITRE ATT&CK Techniques

  • Web Protocols - T1071.001
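
Every detection on this page reduces to one of two checks on a firewall or flow record: exact membership of the destination address in a curated C2 indicator list (the Brute Ratel, Cobalt Strike, Covenant, Deimos, Mythic, Posh, Sliver and SolarMarker detections), or containment of the destination address in a darknet range (the Darknet detection). The Python below is an added example written for this page to show both checks end to end; it is not Rapid7 or InsightIDR code. The key=value log format, the indicator addresses (taken from the RFC 5737 documentation ranges), the 10.99.0.0/16 darknet range and the known_scanners allowlist are all constructed assumptions.

```python
"""Added example (not Rapid7 or InsightIDR code): run the two detection
patterns on this page, destination-in-C2-list and destination-in-darknet,
over firewall flow records.  Log format, indicator addresses and the
darknet range are all constructed for illustration."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Set

# Constructed C2 indicator lists keyed by framework name.  The addresses are
# from the RFC 5737 documentation ranges, not real C2 infrastructure.
C2_LISTS: Dict[str, Set[str]] = {
    "Brute Ratel": {"192.0.2.10"},
    "Cobalt Strike": {"198.51.100.23", "198.51.100.24"},
    "Sliver": {"203.0.113.7"},
}

# Constructed darknet: an internal range with no legitimate hosts, so any
# connection attempt into it is reconnaissance or misconfiguration.
DARKNET_RANGES = [ipaddress.ip_network("10.99.0.0/16")]

# Constructed key=value flow export, one connection per line.
SAMPLE_LOG = """\
ts=2024-01-05T10:00:01Z src=10.1.4.22 dst=142.250.80.46 dport=443 proto=tcp action=allow
ts=2024-01-05T10:00:02Z src=10.1.4.22 dst=198.51.100.23 dport=443 proto=tcp action=allow
ts=2024-01-05T10:00:03Z src=10.1.7.9 dst=10.99.12.1 dport=22 proto=tcp action=deny
ts=2024-01-05T10:00:03Z src=10.1.7.9 dst=10.99.12.2 dport=22 proto=tcp action=deny
ts=2024-01-05T10:00:04Z src=10.1.4.22 dst=not-an-ip dport=53 proto=udp action=allow
ts=2024-01-05T10:00:05Z src=10.1.9.3 dst=203.0.113.7 dport=8443 proto=tcp action=allow
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' line into a dict; tokens without '=' are dropped."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def build_c2_index(lists: Dict[str, Iterable[str]]) -> Dict[object, str]:
    """Map each indicator address to the list it came from.

    Keys are ipaddress objects, not strings, so textual variants of the same
    address ('2001:DB8:0:0::1' vs '2001:db8::1') hit the same entry.
    """
    index: Dict[object, str] = {}
    for name, addrs in lists.items():
        for addr in addrs:
            index[ipaddress.ip_address(addr)] = name
    return index


def classify(dst: str, c2_index: Dict[object, str], darknet_ranges) -> Optional[str]:
    """Return the detection name for one destination, or None if it is clean.

    C2 list membership is checked first: a C2 address that also sits inside a
    darknet range is reported as C2, the more specific finding.
    """
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return None  # malformed field; a production pipeline should count these
    name = c2_index.get(ip)
    if name is not None:
        return f"Suspicious Network Connection - Destination Address in {name} C2 List"
    if any(ip in net for net in darknet_ranges):
        return "Suspicious Network Connection - Destination Address In Darknet"
    return None


def detect(log_text: str,
           c2_lists: Dict[str, Set[str]] = C2_LISTS,
           darknet_ranges=DARKNET_RANGES,
           known_scanners: Iterable[str] = frozenset()) -> List[Dict[str, Optional[str]]]:
    """Run both detections over raw log text and return one alert per hit.

    Denied connections are deliberately kept: a scanner probing an empty range
    produces mostly deny records, and those are the darknet signal.  Darknet
    hits from approved scanners (the page's recommended check) are suppressed;
    C2 hits never are.
    """
    c2_index = build_c2_index(c2_lists)
    alerts: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        dst = rec.get("dst")
        if dst is None:
            continue
        detection = classify(dst, c2_index, darknet_ranges)
        if detection is None:
            continue
        if detection.endswith("Darknet") and rec.get("src") in known_scanners:
            continue
        alerts.append({"detection": detection, "ts": rec.get("ts"),
                       "src": rec.get("src"), "dst": dst, "action": rec.get("action")})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"], a["src"], "->", a["dst"], a["action"], a["detection"])
```

On the constructed log this raises four alerts: one Cobalt Strike hit, two Darknet hits from the same source (the pattern the Darknet recommendation asks you to attribute to a known scanner or not), and one Sliver hit; the malformed dst field and the ordinary HTTPS connection produce nothing. The linear scan over darknet ranges is fine for a handful of prefixes; with thousands of ranges a prefix tree is the usual replacement. The C2 side is only as good as the list's currency: a stale indicator set yields false negatives silently, so the set must be refreshed with the feed that produces it.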