Suspect TCP Activity

Triggers:

• Suspect TCP Activity Detections are based upon the TCP protocol not associated with HTTP or HTTPS detections which are covered by the respective Suspect HTTP and Suspect HTTPS Activity detections.  

Possible Root Causes:

• A host is compromised with malware and initiates a connection to an external resource over the TCP Protocol.
• Breach simulation software which may emulate known malware and C2 frameworks over the TCP protocol

Business Impact:

• Command and Control channels can enable attackers to carry out malicious activity within an organization and are typically an early indicator that a malicious actor has access to your environment.  These should be investigated to determine if they are malicious true positives, and acted upon promptly.

Steps to Verify:

• Examine the Detection page to validate whether the TCP detection details is consistent with public resources of threat information.
• Examine the destination server to see if it has any known reputation, is newly registered, or is associated with an application that exhibits behaviors similar to the detection.
• Examine the PCAP to see if the artifacts are consistent with the malware / C2 framework identified in the SPA detection title.
• Check if the user has knowingly installed the malware or is using a the tool defined in the detection title.
• Scan the endpoint to look for signs of malware, validate the process that is associated with the network connection documented in the detection.

‍