The Cortex XDR – Analytics Tunneling Process alert indicates that an endpoint has open internal ports at the same time that it is communicating with a destination on the internet.
Training for this detector also requires Pathfinder to have successfully scanned 15 unique endpoints.
Tactic: command and control.
An endpoint has open internal ports at the same time that it is communicating with a historically unusual destination on the internet.
In order to maintain and control a pool of compromised machines, attackers frequently deploy a command-and-control (C&C) server outside your network. Usually the malware contacts the C&C server directly, but sometimes it is split into two processes: one process performs the malicious tasks (collecting data from compromised endpoints, running brute-force authentication attacks, and so on), while a second process handles communication with the C&C server. In this design the communication process acts as a proxy: the task process connects to it over a local socket, and the communication process relays data in both directions between that local socket and a network connection to an endpoint somewhere on the internet. The result is a single process that holds an open internal (listening) port and an outbound internet connection at the same time, which is the pattern this detector looks for.
This detector does not raise an alert for applications where this type of activity is known to be normal.
Attacker's goal: communicate with malware running on your network in order to control its activities, push software updates to it, or take inventory of infected machines.
- Determine whether the process performing the proxy activity is one of the following, which are known to generate false positive alerts: TeamViewer, Ammyy Admin, PuTTY, SecureCRT, MobaXterm, LogMeIn, javaw.exe, devenv.exe, Chrome plugins, antivirus software, Spotify.
- Identify the process and user behind the proxy software, as well as the local process connected to its listening port, and determine whether the traffic is malicious.
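The following is an added triage example, not Cortex XDR or Palo Alto Networks code. It applies the detector's basic logic from the description above to a constructed netstat-style snapshot: a process is flagged when it both listens on a local port and holds an established connection to an internet address that is not in the host's historical destination baseline, and each finding is tagged with whether the image name matches the known false-positive list from the investigative actions. The record layout, the internal address ranges, the sample connections and the baseline set are all assumptions made for this example.

```python
"""Triage helper for the Tunneling Process pattern (added example, not Cortex XDR code).

Flags a process that LISTENs on a local port while also holding an ESTABLISHED
connection to an internet destination outside the host's historical baseline.
"""
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# Assumed netstat-style record layout for this example.
Conn = namedtuple("Conn", "pid name state local_addr local_port remote_addr remote_port")

# Address space treated as "internal" here: RFC 1918, loopback and link-local.
# Anything else is considered an internet destination (assumption).
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Tools the page lists as frequent false-positive sources, matched as lowercase
# substrings of the image name. Chrome plugins and antivirus products cannot be
# matched by name alone and are left to the analyst.
KNOWN_BENIGN = ("teamviewer", "ammy", "putty", "securecrt", "mobaxterm",
                "logmein", "javaw.exe", "devenv.exe", "spotify")


def is_internet(addr):
    """True if addr falls outside the internal ranges defined above."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS if net.version == ip.version)


def is_known_benign(name):
    lowered = name.lower()
    return any(token in lowered for token in KNOWN_BENIGN)


def find_tunneling_candidates(conns, baseline_dests):
    """Return processes matching the pattern: open local port + unusual internet peer.

    baseline_dests: internet IPs this host has historically talked to; any
    destination not in it counts as 'historically unusual'.
    """
    per_proc = defaultdict(lambda: {"listen": set(), "remote": set()})
    for c in conns:
        key = (c.pid, c.name)
        if c.state == "LISTEN":
            per_proc[key]["listen"].add(c.local_port)
        elif c.state == "ESTABLISHED" and is_internet(c.remote_addr):
            per_proc[key]["remote"].add((c.remote_addr, c.remote_port))

    findings = []
    for (pid, name), s in sorted(per_proc.items()):
        unusual = sorted(d for d in s["remote"] if d[0] not in baseline_dests)
        if s["listen"] and unusual:
            findings.append({
                "pid": pid, "process": name,
                "listening_ports": sorted(s["listen"]),
                "unusual_destinations": unusual,
                "known_benign": is_known_benign(name),
            })
    return findings


# Constructed sample snapshot from a single endpoint (not real telemetry).
SAMPLE_CONNECTIONS = [
    Conn(4242, "updater.exe", "LISTEN", "127.0.0.1", 9050, "0.0.0.0", 0),
    Conn(4242, "updater.exe", "ESTABLISHED", "10.1.2.3", 51000, "203.0.113.7", 443),
    Conn(1337, "putty.exe", "LISTEN", "127.0.0.1", 1080, "0.0.0.0", 0),
    Conn(1337, "putty.exe", "ESTABLISHED", "10.1.2.3", 51010, "198.51.100.20", 22),
    Conn(900, "chrome.exe", "ESTABLISHED", "10.1.2.3", 51020, "203.0.113.9", 443),
    Conn(77, "backupagent.exe", "LISTEN", "0.0.0.0", 8443, "0.0.0.0", 0),
    Conn(77, "backupagent.exe", "ESTABLISHED", "10.1.2.3", 51030, "10.0.5.5", 445),
    Conn(5000, "syncclient.exe", "LISTEN", "127.0.0.1", 7000, "0.0.0.0", 0),
    Conn(5000, "syncclient.exe", "ESTABLISHED", "10.1.2.3", 51040, "198.51.100.50", 443),
]
# Constructed baseline of internet destinations this host has used before.
BASELINE_DESTINATIONS = {"198.51.100.50", "203.0.113.9"}

if __name__ == "__main__":
    for f in find_tunneling_candidates(SAMPLE_CONNECTIONS, BASELINE_DESTINATIONS):
        tag = "known-benign tool, verify user/session" if f["known_benign"] else "INVESTIGATE"
        print(f"pid {f['pid']} {f['process']}: listen {f['listening_ports']} "
              f"-> {f['unusual_destinations']} [{tag}]")
```

On the sample, only updater.exe and putty.exe match: chrome.exe has no listening port, backupagent.exe only talks to an internal host, and syncclient.exe's destination is already in the baseline. putty.exe is surfaced but tagged as a known-benign tool (a local dynamic port forward looks exactly like this pattern), which is why the investigative action is to confirm the user and session rather than dismiss the alert outright.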