Tunneling Process

The Cortex XDR – Analytics Tunneling Process alert indicates that an endpoint has open internal ports at the same time it is communicating with a destination on the internet.

Synopsis

10 minutes
10 days.
10 days.
Training also requires Pathfinder to have successfully scanned 15 unique endpoints.
14 days.
Traffic logs.
Command and control.

Description

An endpoint has open internal ports at the same time that it is communicating with a historically unusual destination on the internet.
In order to maintain and control a pool of compromised machines, attackers will frequently deploy a C&C server running outside of your network. Usually the malware is designed to contact the C&C server directly, but sometimes the malware is architected so that one process is responsible for malicious tasks (such as obtaining data from compromised endpoints, performing brute-force authentication attacks, and so forth) while a second process is responsible for communicating with the C&C server. In this latter case, the communication process acts as a proxy server. The task process connects to the communication process using a local socket. The communication process then performs a bi-directional data proxy between the local socket and a network connection to an endpoint somewhere on the internet.
This detector will not raise an alert for applications in which this type of activity is known to be normal.

Attacker's Goals

Communicate with malware running on your network in order to control its activities, push software updates to it, or take inventory of infected machines.

Investigative Actions

  • Determine whether the process performing the proxy activity is one of the following (these are known to create false-positive alerts): Teamviewer, Ammy Admin, Putty, Securecrt, Mobaxterm, Logmein, Javaw.exe, devenv.exe, Chrome plugins, antivirus software, Spotify.
  • Identify the process and user behind the proxy software, and determine whether the traffic is malicious.
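The following is an added worked example, not Cortex XDR's own detection logic, of the condition the Description and the Investigative Actions above describe: a single process that both holds a listening (local) socket and an established connection to an internet destination the endpoint has not contacted during its baseline, with the known false-positive process names from the list above suppressed. The socket-snapshot format, the baseline dictionary, the internal-network definition and all sample records are constructed assumptions for illustration; the baseline stands in for the destinations observed during the training period.

```python
"""Illustrative detector for the 'open internal port + unusual internet
destination' pattern. Added example; not Cortex XDR code. All data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class SocketRecord:
    """One socket seen on an endpoint in a single snapshot (assumed format)."""
    host: str
    pid: int
    process: str
    local_port: int
    remote_ip: str   # "" for a listening socket
    state: str       # "LISTEN" or "ESTABLISHED"


@dataclass(frozen=True)
class Finding:
    host: str
    pid: int
    process: str
    listening_ports: Tuple[int, ...]
    remote_ip: str


# Process names the page lists as known false-positive sources, normalised
# (lower-case, ".exe" stripped). "Chrome plugins" and "antivirus software" are
# categories rather than process names and need an environment-specific list.
KNOWN_BENIGN: Set[str] = {
    "teamviewer", "ammy admin", "putty", "securecrt", "mobaxterm",
    "logmein", "javaw", "devenv", "chrome", "spotify",
}

# Assumed definition of "internal": RFC 1918, loopback and link-local ranges.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def normalise(process: str) -> str:
    name = process.lower()
    return name[:-4] if name.endswith(".exe") else name


def is_known_benign(process: str) -> bool:
    return normalise(process) in KNOWN_BENIGN


def is_internet_destination(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(records: List[SocketRecord], baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per (process, new internet destination) where the same
    process also has a listening socket in the same snapshot."""
    listening: Dict[Tuple[str, int], Set[int]] = {}
    outbound: Dict[Tuple[str, int], Set[str]] = {}
    names: Dict[Tuple[str, int], str] = {}
    for r in records:
        key = (r.host, r.pid)
        names[key] = r.process
        if r.state == "LISTEN":
            listening.setdefault(key, set()).add(r.local_port)
        elif r.state == "ESTABLISHED" and is_internet_destination(r.remote_ip):
            outbound.setdefault(key, set()).add(r.remote_ip)

    findings: List[Finding] = []
    for key, ports in listening.items():
        if key not in outbound or is_known_benign(names[key]):
            continue
        host, pid = key
        for ip in sorted(outbound[key]):
            if ip in baseline.get(host, set()):
                continue  # historically usual destination for this endpoint
            findings.append(Finding(host, pid, names[key], tuple(sorted(ports)), ip))
    return findings


# Constructed snapshot: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_RECORDS = [
    SocketRecord("host-a", 4242, "updater.exe", 9050, "", "LISTEN"),
    SocketRecord("host-a", 4242, "updater.exe", 51000, "203.0.113.10", "ESTABLISHED"),
    SocketRecord("host-a", 4242, "updater.exe", 51001, "10.0.0.5", "ESTABLISHED"),
    SocketRecord("host-a", 1001, "TeamViewer.exe", 5939, "", "LISTEN"),
    SocketRecord("host-a", 1001, "TeamViewer.exe", 51002, "198.51.100.5", "ESTABLISHED"),
    SocketRecord("host-b", 555, "svc.exe", 8080, "", "LISTEN"),
    SocketRecord("host-b", 555, "svc.exe", 52000, "203.0.113.20", "ESTABLISHED"),
    SocketRecord("host-b", 556, "browser.exe", 52001, "203.0.113.30", "ESTABLISHED"),
]

# Constructed baseline: destinations each host contacted during training.
SAMPLE_BASELINE = {"host-b": {"203.0.113.20"}}


def run_sample() -> List[Finding]:
    return detect(SAMPLE_RECORDS, SAMPLE_BASELINE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host} pid={f.pid} {f.process} listens on {f.listening_ports} "
              f"and talks to new destination {f.remote_ip}")
```

Only `updater.exe` on host-a is reported: TeamViewer is suppressed by name, svc.exe on host-b talks to a destination already in its baseline, and browser.exe has no listening socket. A real deployment would key the baseline on the training window the Synopsis describes and treat the "known benign" list as a starting point for triage rather than a blanket exclusion.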

Related Documentation