The Cortex XDR – Analytics Reverse Connection alert indicates that an endpoint is performing successive connections in a manner that exceeds baseline expectations for the endpoint.
An endpoint is creating successive sessions within a short period of time. The connections are created from a source endpoint to a destination, and then from the destination back to the source endpoint again. The sessions are also not related to legitimate services (such as active FTP servers, network management servers, or Microsoft SCCM servers) that are expected to routinely create overlapping sessions, or that make use of ports which are useful to exploits of this type.
The overlapping sessions could be symptomatic of reverse shells. To create the reverse shell, the attacker has caused the remote (victim) endpoint to create a shell back to the previously compromised endpoint that the attacker is using. The attacker can then execute commands on the victim endpoint using this reverse connection.
When creating reverse shells, an attacker will usually connect to the remote endpoint on a well-known port in order to bypass firewall restrictions, and gain access using an exploit or stolen credentials (phase 1). They will then create a reverse connection from the remote endpoint to their endpoint (phase 2).
The port the attacker uses locally for phase 2 might be a well-known port due to firewall restrictions, but the port must be otherwise unused by the local endpoint. For this reason, the phase 2 port is usually an ephemeral port, a short-lived port somewhere between 1024 and 65535 that the operating system makes available when a program requests any available port. In raising this alert, Cortex XDR – Analytics has detected that the destination port for both phases is not a port known to be used by the various services that can mimic reverse shell behavior.
For phase 1, the attacker can use any network protocol to access the remote, victim endpoint, and so Cortex XDR – Analytics does not base its detection algorithms on the protocol in use here. Phase 2 will usually use TCP. In raising this alert, Cortex XDR – Analytics has specifically ensured that the phase 2 networking protocol is not a protocol used by various services that can mimic reverse shell behavior.
In addition to time overlap, server type, ports, and protocol, Cortex XDR – Analytics also examines the amount of data per connection, the historical usage of the ports for each connection, and how frequently the two endpoints in question have connected in the past.
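As an added illustration of the detection criteria described above (example code written for this page, not Cortex XDR's own implementation), the following Python pairs each session A->B with a later TCP session B->A and applies the page's exclusions: known service ports, prior use of the return port on A, and how often A and B have talked before. The service port set, the thresholds and the flow records are constructed assumptions.

```python
from collections import defaultdict, namedtuple

# One network session: start time in seconds, the endpoint that opened it,
# the endpoint that accepted it, the destination port, and the protocol.
Flow = namedtuple("Flow", "ts src dst dport proto")

# Ports of services the page names as legitimate sources of overlapping sessions
# (active FTP, SNMP management, SCCM): an assumption constructed for this example.
BENIGN_SERVICE_PORTS = {20, 21, 161, 162, 8530, 8531}

def find_reverse_connections(flows, window=60.0, rare_pair_max=2,
                             pair_history=None, port_history=None):
    """Pair each session A->B with a later TCP session B->A inside `window` seconds;
    keep the pair only if neither port belongs to a known service, the return port
    has no history on A, and A and B rarely talked before (the page's criteria)."""
    pair_history, port_history = pair_history or {}, port_history or {}
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    hits = []
    for fwd in flows:
        for rev in by_src[fwd.dst]:
            if rev.dst != fwd.src or rev.proto != "tcp":
                continue                 # not a B->A TCP session
            if not fwd.ts <= rev.ts <= fwd.ts + window:
                continue                 # sessions do not overlap in time
            if {fwd.dport, rev.dport} & BENIGN_SERVICE_PORTS:
                continue                 # explained by a known service
            if rev.dport in port_history.get(fwd.src, set()):
                continue                 # A has served on that port before
            if pair_history.get(tuple(sorted((fwd.src, fwd.dst))), 0) > rare_pair_max:
                continue                 # these two endpoints talk often anyway
            hits.append((fwd, rev))
    return hits
# Constructed sample: phase 1, 10.0.0.5 reaches 10.0.0.9 on a well-known port;
# phase 2, 10.0.0.9 connects back to 10.0.0.5 on an otherwise unused high port.
SAMPLE_FLOWS = [
    Flow(1000.0, "10.0.0.5", "10.0.0.9", 445, "tcp"),
    Flow(1003.5, "10.0.0.9", "10.0.0.5", 51234, "tcp"),
    Flow(2000.0, "10.0.0.7", "10.0.0.8", 21, "tcp"),    # active FTP: suppressed
    Flow(2001.0, "10.0.0.8", "10.0.0.7", 50213, "tcp"),
    Flow(3000.0, "10.0.0.2", "10.0.0.3", 8080, "tcp"),  # frequent partners: suppressed
    Flow(3002.0, "10.0.0.3", "10.0.0.2", 9090, "tcp"),
]
SAMPLE_PAIR_HISTORY = {("10.0.0.2", "10.0.0.3"): 140}   # past sessions between the pair
SAMPLE_PORT_HISTORY = {"10.0.0.2": {9090}}              # ports 10.0.0.2 has served before

def run_sample():
    return find_reverse_connections(SAMPLE_FLOWS, pair_history=SAMPLE_PAIR_HISTORY,
                                    port_history=SAMPLE_PORT_HISTORY)
```

Only the first pair survives the exclusions; a production detector would additionally weigh the per-connection data volume the page mentions, which this sample omits.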
The attacker is expanding their reach into your network by executing commands on a remote endpoint over a reverse shell.
- Examine Alert Details > Overview to identify the source endpoint, source process, process owner, and destination endpoint.
- Look at Process > Endpoint Instances to identify the location of the source malware file, if any.