Egress over IRC port


Goal

Detect when an egress connection is made over port 6667 (IRC).

Strategy

Egress connections to unknown hosts over port 6667 should be rare. Internet Relay Chat (IRC) is a protocol that is commonly abused by botnet operators as a command-and-control channel. Commands built into such malware typically include methods to fetch system information, download additional malware, or launch attacks against other hosts.

Triage and response

  1. Determine the process making the connection.
  2. Verify if there is a legitimate reason for the host to communicate over this port. Search network flows to determine whether the activity is happening on other hosts.
  3. Isolate the workload, preserving it for analysis.
  4. Review related signals to understand the full timeline of the incident.
  5. Find and repair the root cause of the incident.

This detection is based on data from Cloud Network Monitoring.
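As an added example, not code from this page or from Datadog, the following Python applies the detection above to constructed flow records and then groups the hits by destination so that triage step 2 (is the same IRC server being reached from other hosts?) can be answered from the same data. The record field names, the allowlist and the IP addresses are assumptions.

```python
from collections import defaultdict

IRC_PORT = 6667

# Constructed allowlist of destinations with a known, approved IRC use (placeholder address).
KNOWN_IRC_DESTINATIONS = {"203.0.113.10"}

# Constructed sample flow records standing in for Cloud Network Monitoring data.
SAMPLE_FLOWS = [
    {"host": "web-01", "process": "python3", "direction": "egress",
     "dst_ip": "198.51.100.23", "dst_port": 6667},
    {"host": "web-02", "process": "curl", "direction": "egress",
     "dst_ip": "198.51.100.23", "dst_port": 6667},
    {"host": "ops-01", "process": "irssi", "direction": "egress",
     "dst_ip": "203.0.113.10", "dst_port": 6667},   # approved destination, not flagged
    {"host": "web-01", "process": "sshd", "direction": "ingress",
     "dst_ip": "10.0.0.5", "dst_port": 6667},       # ingress, not egress
    {"host": "web-01", "process": "chrome", "direction": "egress",
     "dst_ip": "198.51.100.23", "dst_port": 443},   # not the IRC port
]


def find_irc_egress(flows, known_destinations=KNOWN_IRC_DESTINATIONS):
    """Return egress flows to port 6667 whose destination is not an approved IRC host."""
    return [
        f for f in flows
        if f["direction"] == "egress"
        and f["dst_port"] == IRC_PORT
        and f["dst_ip"] not in known_destinations
    ]


def summarize_by_destination(hits):
    """Group matching flows by destination so triage can see which hosts and
    processes reached the same IRC server (the cross-host check in step 2)."""
    grouped = defaultdict(set)
    for f in hits:
        grouped[f["dst_ip"]].add((f["host"], f["process"]))
    return {dst: sorted(pairs) for dst, pairs in grouped.items()}


if __name__ == "__main__":
    hits = find_irc_egress(SAMPLE_FLOWS)
    for dst, pairs in summarize_by_destination(hits).items():
        print(f"{dst}:{IRC_PORT} reached from {len(pairs)} host/process pair(s): {pairs}")
```

In the sample data the two flagged flows share one destination, which is the pattern that suggests the activity is not isolated to a single host.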
