Abnormal process connection to default Meterpreter port

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Non-Standard Port (T1571)

Severity

Informational

Description

This process has probably been compromised by Meterpreter and is now being used by it to run malicious commands.

Attacker's Goals

Run Metasploit's malicious post-exploitation tool, Meterpreter, to further compromise the host.

Investigative actions

  • Verify whether the destination IP is running a Metasploit server.
  • Look for malicious actions performed by the suspicious process.
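As an added illustration, not the Cortex XDR detection logic itself (which the reference does not publish), the Python below models the Synopsis fields: a 30-day training baseline of which processes normally connect to the default Meterpreter port, single-event alerting once training ends, a 1-hour deduplication window, and the severity split between ordinary hosts and internet-facing servers described under Variations. It assumes port 4444 (Metasploit's default handler port; the page does not state the number) and runs over constructed sample events.

```python
from datetime import datetime, timedelta

# Assumption: Metasploit's default reverse-handler port. The alert page calls it
# "the default Meterpreter port" without giving the number.
METERPRETER_PORT = 4444
TRAINING_PERIOD = timedelta(days=30)   # "Training Period" from the Synopsis table
DEDUP_PERIOD = timedelta(hours=1)      # "Deduplication Period"

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample agent telemetry: (time, host, process, dst_ip, dst_port). Not real data.
EVENTS = [
    (ts("2024-04-01T09:00:00"), "web01", "nginx", "10.0.0.5", 443),
    (ts("2024-04-03T10:00:00"), "dev02", "msfconsole", "10.0.9.9", 4444),    # seen during training
    (ts("2024-05-05T12:00:00"), "web01", "httpd", "203.0.113.7", 4444),      # new after training
    (ts("2024-05-05T12:30:00"), "web01", "httpd", "203.0.113.7", 4444),      # repeat inside 1 h
    (ts("2024-05-05T14:00:00"), "web01", "httpd", "203.0.113.7", 4444),      # repeat after 1 h
    (ts("2024-05-06T08:00:00"), "dev02", "msfconsole", "10.0.9.9", 4444),    # baselined, no alert
    (ts("2024-05-06T09:00:00"), "ws17", "excel.exe", "198.51.100.4", 4444),  # new on a workstation
    (ts("2024-05-06T09:05:00"), "ws17", "excel.exe", "198.51.100.4", 443),   # other port, ignored
]
INTERNET_FACING = {"web01"}   # constructed asset tag; drives the Variations severity

def build_baseline(events, training_start):
    """(host, process) pairs that connected to the port during training; treated as expected."""
    end = training_start + TRAINING_PERIOD
    return {(h, p) for t, h, p, _ip, port in events
            if port == METERPRETER_PORT and training_start <= t < end}

def detect(events, training_start):
    """Single-event alerts after the training window, deduplicated per (host, process, dst_ip)."""
    baseline = build_baseline(events, training_start)
    activation = training_start + TRAINING_PERIOD
    last_alert = {}
    alerts = []
    for t, host, proc, ip, port in sorted(events):
        if t < activation or port != METERPRETER_PORT or (host, proc) in baseline:
            continue
        key = (host, proc, ip)
        if key in last_alert and t - last_alert[key] < DEDUP_PERIOD:
            continue   # same finding within the deduplication period
        last_alert[key] = t
        severity = "Low" if host in INTERNET_FACING else "Informational"
        alerts.append({"time": t, "host": host, "process": proc, "dst_ip": ip, "severity": severity})
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS, ts("2024-04-01T00:00:00")):
        print(a["time"], a["host"], a["process"], "->", a["dst_ip"], a["severity"])
```

The 12:30 repeat is suppressed by deduplication while the 14:00 repeat alerts again, and the process baselined during training never alerts.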

Variations

Abnormal process connection to default Meterpreter port on an internet-facing server

Synopsis

ATT&CK Tactic

Command and Control (TA0011)

ATT&CK Technique

Non-Standard Port (T1571)

Severity

Low

Description

This process has probably been compromised by Meterpreter and is now being used by it to run malicious commands.

Attacker's Goals

Run Metasploit's malicious post-exploitation tool, Meterpreter, to further compromise the host.

Investigative actions

  • Verify whether the destination IP is running a Metasploit server.
  • Look for malicious actions performed by the suspicious process.