Suspicious Network Connections

These detection rules identify suspicious activity from Firewall Activity collected and sent to InsightIDR.

Suspicious Network Connection - Destination Address in Cobalt Strike C2 List

Description

This detection identifies firewall records whose destination address appears in the Cobalt Strike C2 IP list. These destination network addresses are actively being used by attackers to command and control infected endpoints, primarily to serve Cobalt Strike Beacon payloads.

Recommendation

Review the endpoint in question that is generating the network traffic to verify if it is. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Network Connection - Destination Address in Solarmarker C2 List

Description

This detection identifies firewall records whose destination address is known by Rapid7 to be associated with SolarMarker. These destination network addresses are actively being used by attackers to command and control infected endpoints, primarily to serve information-stealing payloads.

Recommendation

Investigate the host that is the source of the web traffic. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
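As an added example (not Rapid7's own detection logic or any InsightIDR code), the following Python shows the core check both of the rules above perform: parsing firewall records and matching the destination address against a per-rule indicator list, with CIDR entries handled alongside single addresses. The field names, list contents and log records are constructed placeholders using RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed indicator lists keyed by rule name. Entries may be single
# addresses or CIDR blocks; these are placeholders, not real C2 infrastructure.
C2_LISTS = {
    "Suspicious Network Connection - Destination Address in Cobalt Strike C2 List":
        ["203.0.113.10", "198.51.100.0/24"],
    "Suspicious Network Connection - Destination Address in Solarmarker C2 List":
        ["192.0.2.77"],
}

# Constructed key=value firewall records (assumed format, not a vendor's).
SAMPLE_RECORDS = [
    "ts=2024-01-01T10:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow",
    "ts=2024-01-01T10:00:01Z src=10.0.0.7 dst=198.51.100.44 dport=8080 action=deny",
    "ts=2024-01-01T10:00:02Z src=10.0.0.9 dst=192.0.2.77 dport=80 action=allow",
    "ts=2024-01-01T10:00:03Z src=10.0.0.9 dst=172.16.5.5 dport=445 action=allow",
    "ts=2024-01-01T10:00:04Z src=10.0.0.11 dst=not-an-ip dport=53 action=allow",
]


def compile_lists(lists):
    """Turn each list into ip_network objects so hosts and CIDR blocks match alike."""
    return {rule: [ipaddress.ip_network(entry, strict=False) for entry in entries]
            for rule, entries in lists.items()}


def parse_record(line):
    """Parse a whitespace-separated key=value firewall record into a dict."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)


def match_c2(records, compiled):
    """Return one alert per (record, rule) whose destination falls in the rule's list."""
    alerts = []
    for line in records:
        rec = parse_record(line)
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except (KeyError, ValueError):
            continue  # missing or malformed destination: nothing to match
        for rule, nets in compiled.items():
            if any(dst in net for net in nets):
                # Keep the firewall action: a 'deny' means the beacon was blocked,
                # but the source host still attempted the C2 contact and needs review.
                alerts.append({"rule": rule, "src": rec.get("src"),
                               "dst": str(dst), "action": rec.get("action")})
    return alerts


if __name__ == "__main__":
    for alert in match_c2(SAMPLE_RECORDS, compile_lists(C2_LISTS)):
        print(alert)
```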

MITRE ATT&CK Techniques

  • Web Protocols - T1071.001