A SOC team should proactively hunt for this behavior as it indicates potential malware communication with command-and-control servers, which is a common indicator of compromise. The use of known malicious callback ports aligns with T1571 and suggests an adversary is maintaining persistent control over compromised systems.
Detection Rule
title: Potentially Suspicious Malware Callback Communication - Linux
id: dbfc7c98-04ab-4ab7-aa94-c74d22aa7376
related:
    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
      type: derived
status: test
description: |
    Detects programs that connect to known malware callback ports based on threat intelligence reports.
references:
    - https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections
    - https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team
    - https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html
    - https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
    - https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
author: hasselj
date: 2024-05-10
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: linux
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 888
            - 999
            - 2200
            - 2222
            - 4000
            - 4444
            - 6789
            - 8531
            - 50501
            - 51820
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
imNetworkSession
// Sigma "Initiated: 'true'" means the host opened the connection; ASIM records that as NetworkDirection "Outbound"
| where NetworkDirection =~ "Outbound"
    and DstPortNumber in (888, 999, 2200, 2222, 4000, 4444, 6789, 8531, 50501, 51820) // DstPortNumber is an integer column
// Exclude loopback, private and link-local destinations; the IPv6 ranges need ipv6_is_in_range
| where not(
    ipv4_is_in_range(DstIpAddr, "127.0.0.0/8")
    or ipv4_is_in_range(DstIpAddr, "10.0.0.0/8")
    or ipv4_is_in_range(DstIpAddr, "172.16.0.0/12")
    or ipv4_is_in_range(DstIpAddr, "192.168.0.0/16")
    or ipv4_is_in_range(DstIpAddr, "169.254.0.0/16")
    or ipv6_is_in_range(DstIpAddr, "::1/128")
    or ipv6_is_in_range(DstIpAddr, "fe80::/10")
    or ipv6_is_in_range(DstIpAddr, "fc00::/7")
  )
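The rule's condition evaluated over constructed events, as an added Python example (not part of the original rule or its author's code); the `Image` field, the sample events and the function names are assumptions. It goes slightly beyond the rule text by also normalising IPv4-mapped IPv6 destinations, which an IPv4-only range check would not classify as local.

```python
import ipaddress

# Ports and excluded ranges copied from the Sigma rule above.
CALLBACK_PORTS = {888, 999, 2200, 2222, 4000, 4444, 6789, 8531, 50501, 51820}
LOCAL_RANGES = [ipaddress.ip_network(c) for c in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def is_local(dest_ip):
    """filter_main_local_ranges: True when the destination is in an excluded range."""
    addr = ipaddress.ip_address(dest_ip)  # raises ValueError on garbage input
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is compared as its IPv4 form.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    # Only compare against networks of the same IP version.
    return any(addr.version == net.version and addr in net for net in LOCAL_RANGES)

def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    selected = (str(event.get("Initiated")).lower() == "true"
                and int(event.get("DestinationPort", -1)) in CALLBACK_PORTS)
    if not selected:
        return False
    try:
        return not is_local(event.get("DestinationIp", ""))
    except ValueError:
        # Unparseable destination: keep the hit so an analyst reviews it.
        return True

def hunt(events):
    """Return the events the rule would alert on."""
    return [e for e in events if matches(e)]

# Constructed sample events using the rule's field names (not real telemetry).
EVENTS = [
    {"Image": "/tmp/.x", "Initiated": "true", "DestinationIp": "203.0.113.7", "DestinationPort": 4444},
    {"Image": "/usr/bin/ssh", "Initiated": "true", "DestinationIp": "10.1.2.3", "DestinationPort": 2222},
    {"Image": "/tmp/.y", "Initiated": "true", "DestinationIp": "2001:db8::10", "DestinationPort": 51820},
    {"Image": "/usr/bin/nc", "Initiated": "true", "DestinationIp": "fd12:3456::1", "DestinationPort": 888},
    {"Image": "/usr/bin/nc", "Initiated": "true", "DestinationIp": "::ffff:192.168.1.5", "DestinationPort": 4000},
    {"Image": "/usr/bin/curl", "Initiated": "true", "DestinationIp": "198.51.100.9", "DestinationPort": 443},
    {"Image": "/usr/sbin/sshd", "Initiated": "false", "DestinationIp": "203.0.113.7", "DestinationPort": 4444},
]

if __name__ == "__main__":
    for e in hunt(EVENTS):
        print(e["Image"], e["DestinationIp"], e["DestinationPort"])
```
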
Scenario: System update or patching tool using known callback ports
Filter/Exclusion: Check for process names like yum, apt, or dnf and exclude connections made during scheduled update windows (e.g., crontab -l | grep update).
Scenario: Legitimate remote management tool (e.g., tmux, screen, or ssh) establishing a reverse connection
Filter/Exclusion: Exclude connections initiated by known remote management tools and verify if the destination IP is a trusted internal management server.
Scenario: Scheduled backup job using rsync or tar with remote storage
Filter/Exclusion: Filter connections from processes named rsync, tar, or backup and verify the destination IP is a known backup server within the internal network.
Scenario: Admin task using nc (netcat) for diagnostic purposes
Filter/Exclusion: Exclude connections initiated by nc when the command line includes diagnostic flags like -z or -w, and verify the destination is a known internal diagnostic server.
Scenario: Containerized application using a known callback port for service discovery
Filter/Exclusion: Exclude connections from containers managed by docker or k8s and verify the destination is a known internal service discovery endpoint.