Consecutive Connections

The Cortex XDR – Analytics Consecutive Connects alert indicates that the app detected multiple connections between endpoints, which is unusual behavior.

Synopsis

1 hour.
13 days.
14 days.
1 day.
Traffic logs.
Enhanced Application logs can increase detection accuracy and provide additional context for the alert.
Lateral movement.

Description

Two connections between endpoints have been detected that might indicate an attacker establishing an interactive shell with a remote endpoint. The first connection is probably short in duration, with a data volume consistent with exploitation traffic. The second connection occurs a brief period of time after the first is established, and is to the same endpoint but on a different port. This connection pattern is unusual when compared against the baseline for the endpoint and its peer group.

Attacker's Goals

The attacker has established a connection to a remote machine. It is possible that they are using the connection to control that machine.
This might be symptomatic of an attacker moving from one endpoint to another as part of a manually operated attack. If true, the attacker is using the initial connection to open a new socket on the destination, either through legitimate use of a service running on the destination or by exploiting a service vulnerability. In this scenario, the attacker then uses a second, follow-on connection to the destination in order to continue the attack, such as by uploading a new stage in a staged payload or accessing the new bind shell.

Investigative Actions

Make sure the identified endpoint is not legitimately running an application that routinely creates a control channel and a separate data channel, as these can produce a false positive for this alert. Examples of this type of application are Skype and FTP in active mode.
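To make the connection pattern in the Description and the false-positive check in Investigative Actions concrete, the following is an added example, not Cortex XDR code and not from Palo Alto Networks. It scans constructed traffic-log records for a short, low-volume first flow followed within a brief window by a second flow from the same source to the same destination on a different port, and suppresses pairs whose first flow is a known control channel (FTP on port 21). The fixed thresholds, the allowlist and the sample flows are assumptions for illustration; the real detector compares against a learned baseline for the endpoint and its peer group rather than static cut-offs.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Flow:
    """One traffic-log record (constructed shape, not the Cortex XDR schema)."""
    src: str
    dst: str
    dst_port: int
    start: datetime
    duration_s: float
    bytes_total: int


# Hypothetical thresholds standing in for the learned per-endpoint baseline.
MAX_FIRST_DURATION_S = 5.0        # "short in duration"
MAX_FIRST_BYTES = 4096            # "data volume consistent with exploitation traffic"
FOLLOW_ON_WINDOW = timedelta(seconds=60)  # "a brief period of time after the first"

# Services that legitimately open a control channel then a data channel.
# FTP control runs on 21; the data channel is a second flow (port 20 back to the
# client in active mode, an ephemeral server port in passive mode), so pairs whose
# first flow hits 21 are treated as expected behaviour rather than an alert.
KNOWN_CONTROL_PORTS = {21}


def find_consecutive_connections(flows):
    """Return (src, dst, first_port, second_port, gap_seconds) for each suspicious pair."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)

    hits = []
    for (src, dst), pair_flows in by_pair.items():
        pair_flows.sort(key=lambda f: f.start)
        for i, first in enumerate(pair_flows):
            # The first leg must look like a short, low-volume exploitation flow.
            if first.duration_s > MAX_FIRST_DURATION_S or first.bytes_total > MAX_FIRST_BYTES:
                continue
            # Skip known control/data-channel applications (false-positive source).
            if first.dst_port in KNOWN_CONTROL_PORTS:
                continue
            for second in pair_flows[i + 1:]:
                gap = second.start - first.start
                if gap > FOLLOW_ON_WINDOW:
                    break  # flows are sorted, nothing later can be within the window
                if second.dst_port != first.dst_port:
                    hits.append((src, dst, first.dst_port, second.dst_port, gap.total_seconds()))
                    break  # one finding per first connection
    return hits


# Constructed sample flows covering one suspicious pair and two benign patterns.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_FLOWS = [
    # Suspicious: tiny flow to 445, then a new socket on a different port 12 s later.
    Flow("10.0.0.5", "10.0.0.9", 445, T0, 1.2, 900),
    Flow("10.0.0.5", "10.0.0.9", 4444, T0 + timedelta(seconds=12), 600.0, 250_000),
    # Benign: FTP control channel on 21 followed by a passive-mode data channel.
    Flow("10.0.0.7", "10.0.0.20", 21, T0, 2.0, 700),
    Flow("10.0.0.7", "10.0.0.20", 50123, T0 + timedelta(seconds=3), 30.0, 5_000_000),
    # Benign: long-lived SSH session, then an unrelated port two hours later.
    Flow("10.0.0.8", "10.0.0.9", 22, T0, 3600.0, 20_000_000),
    Flow("10.0.0.8", "10.0.0.9", 8080, T0 + timedelta(hours=2), 5.0, 3000),
]


if __name__ == "__main__":
    for src, dst, p1, p2, gap in find_consecutive_connections(SAMPLE_FLOWS):
        print(f"consecutive connections {src} -> {dst}: port {p1} then {p2} after {gap:.0f}s")
```

In the sample data only the first pair is reported: the FTP pair is suppressed by the control-port allowlist, and the SSH pair fails both the short-first-flow and the follow-on-window conditions. When tuning such a check for a real environment, extend the allowlist from what the Investigative Actions turn up rather than raising the thresholds, since looser thresholds hide the short exploitation flow the alert is built to catch.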

Related Documentation