24. ProcessConnections

The ProcessConnections module checks the network connections of a process and generates alerts and warnings based on C2 signature matches and suspicious GEO IP lookups.

24.1. Samples

Oct 25 17:33:17 server66.local.net/147.2.20.16
THOR: Notice: MODULE: ProcessConnections
MESSAGE: Established connection
PID: 3012
NAME: dfssvc.exe
COMMAND: C:\Windows\system32\dfssvc.exe
LIP: 147.2.20.16
LPORT: 56513
RIP: 147.2.21.188
RPORT: 53389

Oct 25 17:33:17 server66.local.net/10.1.30.2
THOR: Notice: MODULE: ProcessConnections
MESSAGE: Relevant remote region GEO IP lookup
PID: 3012
NAME: p.exe
COMMAND: C:\Windows\system32\p.exe
LIP: 10.1.30.2
LPORT: 56513
RIP: 14.102.172.144
RPORT: 6022
COUNTRY: PK

24.2. Typical False Positives

  • Legitimate software updaters that receive updates directly from third-party systems

  • OS or AV telemetry services (often related to Microsoft, Google, Symantec, McAfee, etc.)

  • Legitimate connections to service providers or branch office servers

24.3. Attribute Evaluation

Each row gives the attribute to look at, the question to ask, and the indication and weight that follow from the answer.

Attribute: COMMAND
Question:  See chapter File Path Checks

Attribute: RIP
Question:  Is the remote IP (RIP) known for malicious activity? (Check the platforms listed in chapter Tools for Event Analysis)
Answer: Yes   Indication: Bad    Weight: Medium
Answer: No    Indication: Good   Weight: Medium

Attribute: RIP
Question:  Does the remote IP lookup point to a service provider or branch office network? (e.g. stock exchange server range in a banking environment, travel data provider network in an aviation environment)
Answer: Yes   Indication: Good   Weight: High

Attribute: COUNTRY
Question:  Is the endpoint in the given country plausible? (e.g. Web server and endpoint in Pakistan = website visitor)
Answer: Yes   Indication: Good   Weight: Medium
Answer: No    Indication: Bad    Weight: Medium

Attribute: RPORT
Question:  Does a Google search on the remote port show only suspicious, malware or hacking related results? (e.g. lookup for port 4444)
Answer: Yes   Indication: Bad    Weight: High

Attribute: LPORT/RPORT
Question:  Does the remote port correspond with the local port and is this form of connection legitimate? (e.g. local port is 22 (ssh) and remote port is 14560, local port is 80 (http) and remote port is 34283)
Answer: Yes   Indication: Good   Weight: Medium

Attribute: LPORT/RPORT
Question:  Does the remote port correspond with the local port and is this form of connection suspicious? (e.g. remote port is 4444, remote port is 22/tcp (ssh) and outgoing SSH is forbidden)
Answer: Yes   Indication: Bad    Weight: Medium

Attribute: LIP/RIP
Question:  Is the remote system a system in a public IP range that is not related to the company and is the local system an internal system that shouldn't communicate with the Internet directly?
Answer: Yes   Indication: Bad    Weight: High
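The following added example (not part of the THOR manual or its code) shows how the RIP, COUNTRY, LPORT/RPORT and LIP/RIP rows above can be applied mechanically to a ProcessConnections event: it parses the KEY: value lines of the second sample and turns each answered question into an indication and weight. The provider ranges, allowed countries and SSH policy are assumed site knowledge, not values from the manual.

```python
import ipaddress

# Constructed sample: the second event from the samples above, as THOR prints it.
SAMPLE_EVENT = r"""THOR: Notice: MODULE: ProcessConnections
MESSAGE: Relevant remote region GEO IP lookup
PID: 3012
NAME: p.exe
COMMAND: C:\Windows\system32\p.exe
LIP: 10.1.30.2
LPORT: 56513
RIP: 14.102.172.144
RPORT: 6022
COUNTRY: PK"""

# Site knowledge the table asks for; these values are assumptions, not from the manual.
PROVIDER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # e.g. a stock exchange feed range
SUSPICIOUS_REMOTE_PORTS = {4444}                             # RPORT example from the table
OUTBOUND_SSH_ALLOWED = False
PLAUSIBLE_COUNTRIES = {"DE", "US"}

FIELDS = {"MESSAGE", "PID", "NAME", "COMMAND", "LIP", "LPORT", "RIP", "RPORT", "COUNTRY"}
WEIGHT = {"Medium": 1, "High": 2}

def parse_event(text):
    """Turn the KEY: value lines of a ProcessConnections event into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key in FIELDS:          # skips the 'THOR: Notice: ...' header line
            fields[key] = value.strip()
    return fields

def evaluate(ev):
    """Apply the RIP, LIP/RIP, LPORT/RPORT and COUNTRY rows of the table."""
    lip, rip = ipaddress.ip_address(ev["LIP"]), ipaddress.ip_address(ev["RIP"])
    rport = int(ev["RPORT"])
    findings = []
    if any(rip in net for net in PROVIDER_RANGES):
        findings.append(("RIP", "Good", "High"))
    elif lip.is_private and rip.is_global:
        findings.append(("LIP/RIP", "Bad", "High"))  # internal host talking to the Internet directly
    if rport in SUSPICIOUS_REMOTE_PORTS or (rport == 22 and not OUTBOUND_SSH_ALLOWED):
        findings.append(("LPORT/RPORT", "Bad", "Medium"))
    if "COUNTRY" in ev:
        ok = ev["COUNTRY"] in PLAUSIBLE_COUNTRIES
        findings.append(("COUNTRY", "Good" if ok else "Bad", "Medium"))
    return findings

def score(findings):
    """Sum the weights: Good adds, Bad subtracts; a negative total leans towards a true positive."""
    return sum(WEIGHT[w] * (1 if ind == "Good" else -1) for _, ind, w in findings)

if __name__ == "__main__":
    found = evaluate(parse_event(SAMPLE_EVENT))
    print(found, score(found))
```

For the sample event the private local host, the public remote host and the implausible country each count against the connection, which matches why THOR raised the GEO IP notice in the first place.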