Reverse Connection

The Cortex XDR – Analytics Reverse Connection alert indicates that an endpoint is performing successive connections in a manner that exceeds baseline expectations for the endpoint.

Synopsis

10 minutes.
14 days.
14 days.
10 minutes.
Traffic logs.
Lateral movement.

Description

An endpoint is creating successive sessions within a short period of time. The connections are created from a source endpoint to a destination, and then from the destination back to the source endpoint. The sessions are also not related to legitimate services, such as active FTP servers, network management servers, or Microsoft SCCM servers, which are expected to routinely create overlapping sessions or which use ports that exploits of this type can also make use of.
The overlapping sessions could be symptomatic of reverse shells. To create the reverse shell, the attacker has caused the remote (victim) endpoint to create a shell back to the previously compromised endpoint that the attacker is using. The attacker can then execute commands on the victim endpoint using this reverse connection.
When creating reverse shells, an attacker will usually connect to the remote endpoint on a well-known port in order to bypass firewall restrictions, and gain access using an exploit or stolen credentials (phase 1). They will then create a reverse connection from the remote endpoint back to their own endpoint (phase 2).
The port the attacker uses locally for phase 2 might be a well-known port due to firewall restrictions, but the port must be otherwise unused by the local endpoint. For this reason, the phase 2 port is usually an ephemeral port, a short-lived port somewhere between 1024 and 65535 that the operating system makes available when a program requests any available port. However, Cortex XDR – Analytics has detected that the destination port for both phases is not a port known to be used by various services that can mimic reverse shell behavior.
For phase 1, the attacker can use any network protocol to access the remote, victim endpoint, and so Cortex XDR – Analytics does not base its detection algorithms on the protocol in use here. Phase 2 will usually use TCP. In raising this alert, Cortex XDR – Analytics has specifically ensured that the phase 2 networking protocol is not a protocol used by various services that can mimic reverse shell behavior.
In addition to time overlap, server type, ports, and protocol, Cortex XDR – Analytics also examines the amount of data per connection, the historical usage of the ports for each connection, and how frequently the two endpoints in question have connected in the past.
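As an added illustration (not Cortex XDR's own logic or code), the following Python sketch applies the overlap, direction, protocol, port-range and service-exclusion rules described above to a few constructed traffic-log lines; the time window, the exclusion list and the log format are assumptions.

```python
"""Added example, not Cortex XDR code: a simplified reverse-connection
heuristic over constructed traffic-log records, modelled on the alert
description. Thresholds, exclusion list and log schema are assumptions."""
from datetime import datetime, timedelta

# Assumed exclusion list: ports of services that legitimately create
# overlapping back-and-forth sessions (active FTP, SNMP, SCCM remote control).
EXCLUDED_PORTS = {20, 21, 161, 162, 2701}
WINDOW = timedelta(minutes=10)   # assumed "short period of time"


def parse_log(text):
    """Parse constructed 'ts src dst proto dport bytes' lines, oldest first."""
    recs = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport, nbytes = line.split()
        recs.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "proto": proto, "dport": int(dport), "bytes": int(nbytes)})
    return sorted(recs, key=lambda r: r["ts"])


def find_reverse_connections(recs):
    """Return (phase1, phase2) pairs: A->B followed within WINDOW by B->A over
    TCP to an ephemeral port on A, with neither leg going to a known service."""
    hits = []
    for i, p1 in enumerate(recs):
        if p1["dport"] in EXCLUDED_PORTS:
            continue  # phase 1 to a service that legitimately calls back
        for p2 in recs[i + 1:]:
            if p2["ts"] - p1["ts"] > WINDOW:
                break  # records are time-sorted, nothing later can overlap
            if (p2["src"] == p1["dst"] and p2["dst"] == p1["src"]
                    and p2["proto"] == "tcp"
                    and 1024 <= p2["dport"] <= 65535
                    and p2["dport"] not in EXCLUDED_PORTS):
                hits.append((p1, p2))
    return hits


# Constructed sample: one suspicious pair (445 in, TCP to an ephemeral port
# back) and one benign active-FTP exchange (21 in, data channel back) that
# must be ignored because its first leg targets an excluded service port.
SAMPLE_LOG = """
2024-01-01T10:00:00 10.0.0.5 10.0.0.9 tcp 445 1200
2024-01-01T10:00:30 10.0.0.9 10.0.0.5 tcp 50123 98000
2024-01-01T10:05:00 10.0.0.7 10.0.0.8 tcp 21 300
2024-01-01T10:05:02 10.0.0.8 10.0.0.7 tcp 51000 50000
"""
```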

Attacker's Goals

The attacker is expanding their reach into your network by executing commands on a remote endpoint over a reverse shell.

Investigative Actions

  • Examine Alert Details > Overview to identify the source endpoint, source process, process owner, and destination endpoint.
  • Look at Process > Endpoint Instances to identify the location of the source malware file, if any.

Related Documentation