Tunneling Process

The Tunneling Process Analytics alert indicates that an endpoint has open internal ports at the same time it is communicating with a destination on the internet.

Synopsis

10 minutes
10 days
10 days
Training also requires Pathfinder to have successfully scanned 15 unique endpoints.
14 days
Either of the following:
  • Palo Alto Networks firewall traffic logs
  • Check Point firewall traffic logs
  • Cisco firewall traffic logs
  • Fortinet firewall traffic logs
Severity
Varies by activity (High, Medium, or Low).

Description

An endpoint has open internal ports at the same time that it is communicating with a historically unusual destination on the internet.
To maintain and control a pool of compromised endpoints, attackers frequently deploy a C&C server outside your network. Usually the malware is designed to contact the C&C server directly, but sometimes it is architected so that one process is responsible for the malicious tasks, such as obtaining data from compromised endpoints or performing brute-force authentication attacks, while a second process is responsible for communicating with the C&C server. In this latter case, the communication process acts as a proxy server. The task process connects to the communication process using a local socket, and the communication process then performs a bi-directional data proxy between that local socket and a network connection to an endpoint somewhere on the internet.
This detector does not raise an alert for activity from applications for which this type of behavior is known to be normal.

Attacker's Goals

Communicate with malware running on your network for the purpose of controlling malware activities, performing software updates on the malware, or for taking inventory of infected endpoints.

Investigative Actions

  • Determine whether the process performing the proxy activity is one of the following, which are known to create false-positive alerts: Teamviewer, Ammy Admin, Putty, Securecrt, Mobaxterm, Logmein, Javaw.exe, devenv.exe, Chrome plugins, antivirus software, Spotify.
  • Identify the process or user behind the proxy software, and determine whether the traffic is malicious.
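As an added illustration of the detection logic in the Description and the false-positive list in the Investigative Actions, the following example (written for this page, not Cortex XDR's own algorithm or code) correlates firewall traffic logs with listening-socket snapshots. It assumes that the training baseline is simply the set of endpoint/destination pairs seen during training, that "at the same time" means within a 10-minute window, that the known-benign applications are matched by a case-insensitive substring test on the process name, and that repeat alerts on the same endpoint/process/destination tuple are suppressed for 14 days. All log lines, host names, process names and IP addresses are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Process names the page lists as known false-positive sources, used here
# as an allowlist. Assumption (not from the page): matching is a
# case-insensitive substring test against the process image name.
KNOWN_BENIGN_PROXIES = (
    "teamviewer", "ammy", "putty", "securecrt", "mobaxterm",
    "logmein", "javaw.exe", "devenv.exe", "chrome", "spotify",
)


@dataclass(frozen=True)
class TrafficLog:
    """One outbound connection taken from a firewall traffic log."""
    ts: datetime
    src_host: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class ListeningSocket:
    """A locally bound listening socket observed on an endpoint."""
    ts: datetime
    host: str
    process: str
    local_port: int


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    local_port: int
    dst_ip: str
    dst_port: int


def build_baseline(training_logs):
    """Training: (endpoint, destination) pairs that are historically usual."""
    return {(log.src_host, log.dst_ip) for log in training_logs}


def is_known_benign(process):
    name = process.lower()
    return any(token in name for token in KNOWN_BENIGN_PROXIES)


def detect(baseline, test_logs, sockets, window=timedelta(minutes=10),
           dedup=timedelta(days=14)):
    """Alert when an endpoint talks to a destination absent from its baseline
    while a non-allowlisted process holds an open local port on that endpoint
    within `window`; repeats of the same tuple are suppressed for `dedup`."""
    alerts = []
    last_alert = {}  # (host, process, dst_ip) -> time of the last alert
    for log in sorted(test_logs, key=lambda entry: entry.ts):
        if (log.src_host, log.dst_ip) in baseline:
            continue  # historically usual destination for this endpoint
        for sock in sockets:
            if sock.host != log.src_host or abs(sock.ts - log.ts) > window:
                continue  # different endpoint, or not concurrent
            if is_known_benign(sock.process):
                continue  # application where local proxying is expected
            key = (log.src_host, sock.process, log.dst_ip)
            if key in last_alert and log.ts - last_alert[key] < dedup:
                continue  # already alerted on this tuple recently
            last_alert[key] = log.ts
            alerts.append(Alert(log.src_host, sock.process, sock.local_port,
                                log.dst_ip, log.dst_port))
    return alerts


def run_example():
    """Constructed sample data: a 10-day training window, then test traffic
    and listening-socket snapshots. IPs are taken from documentation ranges."""
    t0 = datetime(2024, 1, 1, 9, 0)
    day = timedelta(days=1)
    training = [TrafficLog(t0 + n * day, "ws-17", "203.0.113.10", 443) for n in range(10)]
    test = [
        TrafficLog(t0 + 11 * day, "ws-17", "198.51.100.5", 443),  # new destination
        TrafficLog(t0 + 11 * day + timedelta(minutes=5), "ws-17", "203.0.113.10", 443),  # baseline
        TrafficLog(t0 + 11 * day + timedelta(hours=1), "ws-23", "198.51.100.77", 8443),  # benign proxy
        TrafficLog(t0 + 12 * day, "ws-17", "198.51.100.5", 443),  # repeat inside dedup period
    ]
    sockets = [
        ListeningSocket(t0 + 11 * day - timedelta(minutes=2), "ws-17", "updater_svc.exe", 40001),
        ListeningSocket(t0 + 11 * day + timedelta(minutes=58), "ws-23", "TeamViewer.exe", 50011),
        ListeningSocket(t0 + 12 * day - timedelta(minutes=2), "ws-17", "updater_svc.exe", 40001),
    ]
    return detect(build_baseline(training), test, sockets)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running the sample produces a single alert for ws-17: the connection to the baseline destination is ignored, the ws-23 event is dropped because TeamViewer is on the allowlist, and the next-day repeat on ws-17 is suppressed by the deduplication period. Severity is left out because the page states only that it varies by activity.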
