Analytics Alerts
Browse the Cortex analytics alert reference.
6 alerts match the current filters. technique: T1571 ✕
Show ATT&CK heatmapAbnormal network communication through TOR using an uncommon port Low 2 variations
Suspicious connection from a known TOR IP to an uncommon port.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)Required data: XDR AgentAttacker's goals: Attackers might use TOR IP combined with random ports.to hide C2 inbound communication from inside a host.Investigative actions: Investigate the network configuration related to the participating port.Investigate processes that were listening to that port.Variations
Abnormal network communication through TOR using an uncommon port and App-id
Low overridden
Suspicious connection from a known TOR IP to an uncommon port and App-id. overridden
Abnormal network communication through TOR using a suspicious port
Low overridden
Suspicious connection from a known TOR IP to an uncommon potential C2 communication port. overridden
Abnormal process connection to default Meterpreter port Informational 1 variation
This process has probably been compromised by Meterpreter and is now used by it to run malicious commands.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Hour
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Non-Standard Port (T1571)Required data: XDR AgentAttacker's goals: Run Metasploits's malicious post-exploitation tool named Meterpreter to further compromise the host.Investigative actions: Verify if the destination IP is running a Metasploit server. Look for malicious action being done by the suspicious process.Variations
Abnormal process connection to default Meterpreter port on an internet-facing server
Low overridden
This process has probably been compromised by Meterpreter and is now used by it to run malicious commands. overridden
Download pattern that resembles Peer to Peer traffic Informational
A possible P2P protocol was spotted from an internal host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.Investigative actions: confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.Rare AppID usage to a rare destination Informational 2 variations
Rare AppID with port usage to rare destination.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 14 Days
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsAttacker's goals: Attackers might use well-known ports with uncommon applications to avoid being detected by a non-application aware firewall or to bypass firewall rules based only on ports.Investigative actions: Investigate the endpoints participating in the session.Variations
Rare AppID usage to a rare destination using an unsigned process
Low overridden
Rare AppID with port usage to rare destination. overridden
Rare AppID usage to a rare destination from an internet-facing server
Low overridden
Rare AppID with port usage to rare destination. overridden
Uncommon SSH session was established Low 14 variations
An uncommon SSH session was established.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571)Required data: Palo Alto Networks Firewall traffic Logs XDR Agent Third-Party FirewallsDetector tags: NDR Lateral Movement AnalyticsAttacker's goals: Attackers may use SSH or any similar utility to create a network tunnel to allow an attacker to covertly connect to an internal host.Investigative actions: Review the external IP/domain using known intelligence tools. Investigate the causality of the process and its user ID to find uncommon behaviors. Search for processes or files that were created by this SSH instance.Variations
An Uncommon SSH session was established using a rare server HASSH for the ssh server
Low overridden
An Uncommon SSH session was established using a rare server HASSH for the ssh server. overridden
An Uncommon SSH session was established using a rare client HASSH for the agent
Low overridden
An uncommon SSH session was established using a rare client HASSH for the agent. overridden
An Uncommon SSH session was established using a rare request banner for the agent
Low overridden
An Uncommon SSH session was established using a rare request banner for the agent. overridden
An Uncommon SSH session was established using a rare Response banner for the ssh server
Low overridden
An Uncommon SSH session was established using a rare Response banner for the ssh server. overridden
An Uncommon SSH session was established using a rare Response banner
Low overridden
An Uncommon SSH session was established using a rare Response banner. overridden
An Uncommon SSH session was established using a rare request banner
Low overridden
An Uncommon SSH session was established using a rare request banner. overridden
An Uncommon SSH session was established using a rare Client HASSH
Low overridden
An uncommon SSH session was established using a rare client HASSH. overridden
An Uncommon SSH session was established using a rare Server HASSH
Low overridden
An Uncommon SSH session was established using a rare Server HASSH. overridden
A suspicious SSH session was established
Low overridden
A suspicious SSH session was established to a globally rare external IP using a nonstandard SSH port. overridden
An Uncommon SSH session was established to a rare IP address
Low overridden
An uncommon SSH session was established to a rare remote IP address. overridden
An Uncommon SSH session was established using a nonstandard SSH port
Low overridden
An uncommon SSH session was established with a destination port using a nonstandard SSH port. overridden
Uncommon SSH session was established to a rare internal IP
Low overridden
An uncommon SSH session was established to a rare internal IP. overridden
Uncommon SSH session was established that involved a higher than usual volume
Low overridden
Uncommon SSH session was established that involved a higher than usual volume. overridden
Uncommon SSH session was established to an internal IP
Informational overridden
An uncommon SSH session was established to an internal IP. overridden
Upload pattern that resembles Peer to Peer traffic Informational
A possible P2P protocol was spotted from an internal host.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Command and Control (TA0011) Initial Access (TA0001)ATT&CK techniques: Application Layer Protocol (T1071) Non-Standard Port (T1571) Trusted Relationship (T1199) Phishing (T1566)Required data: Palo Alto Networks Firewall traffic Logs XDR AgentAttacker's goals: An attacker may use peer-to-peer communication to gain initial access, as a C&C tool, or an exfiltration tool.Investigative actions: Confirm that the port accessed is a P2P port/ is run by a P2P application. View the downloaded content and determine it's not malicious. Check for large uploads from this host and check for sensitive information that might not be required on the host.