Tunneling Process: Analytics alert indicates an endpoint has open internal ports at the same time it is communicating with a destination on the internet.
Training also requires Pathfinder to have successfully scanned 15 unique endpoints
Either of the following:
Varies by activity (High, Medium, or Low).
An endpoint has open internal ports at the same time that it is communicating with a historically unusual destination on the internet.
In order to maintain and control a pool of compromised endpoints, attackers will frequently deploy a C&C server running outside of your network. Usually the malware is designed to contact the C&C server directly, but sometimes the malware is architected so that one process is responsible for the malicious tasks (such as obtaining data from compromised endpoints or performing brute-force authentication attacks) while a second process is responsible for communicating with the C&C server. In this latter case, the communication process acts as a proxy server. The task process connects to the communication process using a local socket. The communication process then performs a bi-directional data proxy between the local socket and a network connection to an endpoint somewhere on the internet.
This detector does not raise an alert for activity from applications in which this type of activity is known to be normal.
Communicate with malware running on your network for the purpose of controlling malware activities, performing software updates on the malware, or for taking inventory of infected endpoints.
- Determine if the process performing the proxy activity is one of the following (these are known to create false-positive alerts): TeamViewer, Ammyy Admin, PuTTY, SecureCRT, MobaXterm, LogMeIn, Javaw.exe, devenv.exe, Chrome plugins, antivirus software, Spotify.
- Identify the process or user of the proxy software, and determine whether the traffic is malicious.
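The correlation this alert describes (one process that both listens on an internal port and talks to a not-previously-seen internet host), with the known false-positive applications excluded, as an added example; this is not the product's own detection logic, and the connection-table format, internal address ranges and sample telemetry are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space; wildcard binds (0.0.0.0) and loopback count as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]
# Processes the page lists as known false-positive sources, matched on the lowercase base name.
KNOWN_PROXY_APPS = {"teamviewer", "ammyy admin", "putty", "securecrt", "mobaxterm",
                    "logmein", "javaw", "devenv", "spotify"}
# Constructed sample telemetry: (pid, process, state, local, remote).
# Documentation-only addresses (203.0.113.x, 198.51.100.x) stand in for internet destinations.
CONNECTIONS = [
    (4100, "svchost.exe", "LISTEN", "0.0.0.0:8443", None),
    (4100, "svchost.exe", "ESTABLISHED", "127.0.0.1:8443", "127.0.0.1:52300"),
    (4100, "svchost.exe", "ESTABLISHED", "10.0.0.5:52110", "203.0.113.7:443"),
    (2200, "chrome.exe", "ESTABLISHED", "10.0.0.5:50100", "198.51.100.9:443"),
    (3300, "TeamViewer.exe", "LISTEN", "0.0.0.0:5938", None),
    (3300, "TeamViewer.exe", "ESTABLISHED", "10.0.0.5:50300", "203.0.113.44:5938"),
]
# Constructed baseline: internet destinations this endpoint has contacted before.
HISTORICAL_DESTINATIONS = {"198.51.100.9"}

def is_internal(host):
    return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)

def base_name(proc):
    name = proc.lower()
    return name[:-4] if name.endswith(".exe") else name

def find_tunneling_candidates(connections, history):
    """Return (pid, process, listen_ports, unusual_destinations) for every process that
    both listens on an internal port and talks to an internet host not in the baseline."""
    per_pid = defaultdict(lambda: {"name": "", "listen": set(), "remote": set()})
    for pid, name, state, local, remote in connections:
        rec = per_pid[pid]
        rec["name"] = name
        lhost, _, lport = local.rpartition(":")
        if state == "LISTEN" and is_internal(lhost):
            rec["listen"].add(int(lport))            # open internal port
        elif state == "ESTABLISHED" and remote:
            rhost = remote.rpartition(":")[0]
            if not is_internal(rhost) and rhost not in history:
                rec["remote"].add(rhost)             # historically unusual internet peer
    return [(pid, r["name"], sorted(r["listen"]), sorted(r["remote"]))
            for pid, r in per_pid.items()
            if r["listen"] and r["remote"] and base_name(r["name"]) not in KNOWN_PROXY_APPS]
```

Processes that match the allowlist (TeamViewer here) are dropped even though they show the same pattern, which mirrors the exclusion the alert notes describe; a real deployment would build the destination baseline from the training period rather than a literal set.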