24. ProcessConnections
The ProcessConnections module inspects the network connections of running processes and generates alerts and warnings when the remote address matches a C2 signature or when the GEO IP lookup of the remote address points to a suspicious region.
24.1. Samples
Oct 25 17:33:17 server66.local.net/147.2.20.16
THOR: Notice: MODULE: ProcessConnections
MESSAGE: Established connection
PID: 3012
NAME: dfssvc.exe
COMMAND: C:\Windows\system32\dfssvc.exe
LIP: 147.2.20.16
LPORT: 56513
RIP: 147.2.21.188
RPORT: 53389

Oct 25 17:33:17 server66.local.net/10.1.30.2
THOR: Notice: MODULE: ProcessConnections
MESSAGE: Relevant remote region GEO IP lookup
PID: 3012
NAME: p.exe
COMMAND: C:\Windows\system32\p.exe
LIP: 10.1.30.2
LPORT: 56513
RIP: 14.102.172.144
RPORT: 6022
COUNTRY: PK
24.2. Typical False Positives
Legitimate software updaters that receive updates directly from 3rd-party systems
OS or AV telemetry services (often related to Microsoft, Google, Symantec, McAfee, etc.)
Legitimate connections to service providers or branch office servers
24.3. Attribute Evaluation
Attribute | Question | Answer | Indication | Weight
---|---|---|---|---
COMMAND | See chapter File Path Checks | | |
RIP | Is the remote IP (RIP) known for malicious activity? (Check the platforms listed in chapter Tools for Event Analysis) | Yes | Bad | Medium
| | No | Good | Medium
RIP | Does the remote IP lookup point to a service provider or branch office network? (e.g. stock exchange server range in a banking environment, travel data provider network in an aviation environment) | Yes | Good | High
COUNTRY | Is the endpoint in the given country plausible? (e.g. Web server and endpoint in Pakistan = website visitor) | Yes | Good | Medium
| | No | Bad | Medium
RPORT | Does a Google search on the remote port show only suspicious, malware or hacking related results? (e.g. lookup for port | Yes | Bad | High
LPORT/RPORT | Does the remote port correspond with the local port and is this form of connection legitimate? (e.g. local port is | Yes | Good | Medium
LPORT/RPORT | Does the remote port correspond with the local port and is this form of connection suspicious? (e.g. remote port is | Yes | Bad | Medium
LIP/RIP | Is the remote system in a public IP range that is not related to the company, and is the local system an internal system that should not communicate with the Internet directly? | Yes | Bad | High
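The table above is a manual triage procedure. As an added illustration (this is not THOR code and not part of the original manual), the Python below parses notices in the layout of the two samples and applies the table's questions row by row, summing the weights into a score. The threat-intel set, provider ranges, plausible countries, internal segments and suspicious port list are hypothetical stand-ins for the analyst's own lookups; the LPORT/RPORT rule is an assumption, because the page's examples for those rows are truncated. The sample lines are constructed from the samples in 24.1.

```python
import ipaddress
import re

# Constructed sample notices in the layout of the ProcessConnections
# samples above (one line per event); not real scanner output.
SAMPLE_LINES = [
    "Oct 25 17:33:17 server66.local.net/147.2.20.16 THOR: Notice: MODULE: ProcessConnections "
    "MESSAGE: Established connection PID: 3012 NAME: dfssvc.exe "
    "COMMAND: C:\\Windows\\system32\\dfssvc.exe LIP: 147.2.20.16 LPORT: 56513 "
    "RIP: 147.2.21.188 RPORT: 53389",
    "Oct 25 17:33:17 server66.local.net/10.1.30.2 THOR: Notice: MODULE: ProcessConnections "
    "MESSAGE: Relevant remote region GEO IP lookup PID: 3012 NAME: p.exe "
    "COMMAND: C:\\Windows\\system32\\p.exe LIP: 10.1.30.2 LPORT: 56513 "
    "RIP: 14.102.172.144 RPORT: 6022 COUNTRY: PK",
]

FIELDS = ("MODULE", "MESSAGE", "PID", "NAME", "COMMAND",
          "LIP", "LPORT", "RIP", "RPORT", "COUNTRY")
_KEYS = "|".join(FIELDS)
# A value runs up to the next "KEY: " token, so values containing
# spaces (MESSAGE, COMMAND) are kept whole.
_FIELD_RE = re.compile(r"\b(%s): (.*?)(?= \b(?:%s): |$)" % (_KEYS, _KEYS))

def parse_thor_line(line):
    """Return the KEY: value fields of one notice as a dict."""
    return dict(_FIELD_RE.findall(line))

# Hypothetical analyst inputs standing in for the lookups the table asks
# for (threat-intel platform, provider/branch ranges, plausible countries,
# segments that must not reach the Internet directly). All constructed.
KNOWN_BAD_RIPS = {"14.102.172.144"}   # placed here only so the sample triggers; not a real verdict
PROVIDER_RANGES = [ipaddress.ip_network("147.2.21.0/24")]
PLAUSIBLE_COUNTRIES = {"DE", "US"}
NO_DIRECT_INTERNET = [ipaddress.ip_network("10.1.30.0/24")]
SUSPICIOUS_RPORTS = {4444, 6022}      # ports whose search results are only malware/hacking related
STANDARD_SERVICE_PORTS = {22, 25, 53, 80, 88, 135, 139, 389, 443, 445, 636, 3389}
EPHEMERAL_MIN = 49152                 # assumption: Windows dynamic port range starts here

WEIGHT = {"Low": 1, "Medium": 2, "High": 3}

def evaluate(event):
    """Apply the attribute questions row by row; return (findings, score).
    findings are (attribute, indication, weight) tuples; score sums the
    weights, Bad counting positive and Good negative."""
    findings = []
    rip = ipaddress.ip_address(event["RIP"])
    lip = ipaddress.ip_address(event["LIP"])
    lport, rport = int(event["LPORT"]), int(event["RPORT"])
    in_provider = any(rip in net for net in PROVIDER_RANGES)

    # RIP: known for malicious activity?
    findings.append(("RIP", "Bad" if event["RIP"] in KNOWN_BAD_RIPS else "Good", "Medium"))
    # RIP: service provider or branch office network?
    if in_provider:
        findings.append(("RIP", "Good", "High"))
    # COUNTRY: is an endpoint in that country plausible for this process?
    if "COUNTRY" in event:
        findings.append(("COUNTRY", "Good" if event["COUNTRY"] in PLAUSIBLE_COUNTRIES else "Bad", "Medium"))
    # RPORT: port known only from malware / hacking contexts?
    if rport in SUSPICIOUS_RPORTS:
        findings.append(("RPORT", "Bad", "High"))
    # LPORT/RPORT: the page truncates its examples; the rule below is an
    # assumption: ephemeral local port to a standard service port is the
    # normal client pattern, ephemeral to ephemeral has no service at either end.
    if lport >= EPHEMERAL_MIN and rport in STANDARD_SERVICE_PORTS:
        findings.append(("LPORT/RPORT", "Good", "Medium"))
    elif lport >= EPHEMERAL_MIN and rport >= EPHEMERAL_MIN:
        findings.append(("LPORT/RPORT", "Bad", "Medium"))
    # LIP/RIP: internal host that must not talk to the Internet, reaching
    # a public, non-company address
    if (rip.is_global and not in_provider
            and any(lip in net for net in NO_DIRECT_INTERNET)):
        findings.append(("LIP/RIP", "Bad", "High"))

    score = sum(WEIGHT[w] * (1 if ind == "Bad" else -1) for _, ind, w in findings)
    return findings, score

def verdict(score):
    """Turn the summed weights into a triage label."""
    if score > 0:
        return "suspicious"
    if score < 0:
        return "likely benign"
    return "undecided"

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_thor_line(line)
        findings, score = evaluate(ev)
        print(ev["NAME"], ev["RIP"], findings, score, verdict(score))
```

With these stand-in lists the dfssvc.exe event scores negative (provider range, only the ephemeral-to-ephemeral port pattern counts against it) and the p.exe event scores strongly positive (intel hit, implausible country, suspicious port, and an internal host reaching a public address directly). The score only orders events for an analyst; the COMMAND column still has to be checked by hand as the File Path Checks chapter describes.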