Abnormal network communication through TOR using an uncommon port

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Severity

Low

Description

Suspicious connection from a known TOR IP to an uncommon port.

Attacker's Goals

Attackers might use TOR IP combined with random ports.to hide C2 inbound communication from inside a host.

Investigative actions

Investigate the network configuration related to the participating port.
Investigate processes that were listening to that port.

Variations

Abnormal network communication through TOR using an uncommon port and App-id

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Severity

Low

Description

Suspicious connection from a known TOR IP to an uncommon port and App-id.

Attacker's Goals

Attackers might use TOR IP combined with random ports.to hide C2 inbound communication from inside a host.

Investigative actions

Investigate the network configuration related to the participating port.
Investigate processes that were listening to that port.


Abnormal network communication through TOR using a suspicious port

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Severity

Low

Description

Suspicious connection from a known TOR IP to an uncommon potential C2 communication port.

Attacker's Goals

Attackers might use TOR IP combined with random ports.to hide C2 inbound communication from inside a host.

Investigative actions

Investigate the network configuration related to the participating port.
Investigate processes that were listening to that port.