comm_with_malware_external_internal

Explanation

The comm_with_malware_external_internal NDM detects connections initiated by identified malware command and control (C2) nodes to hosts on your network. Because a TCP/IP connection produces flows in both directions, the NDM infers which side initiated the connection by comparing source and destination ports: a client usually connects from a higher (ephemeral) port to a lower (well-known service) port on the server. The NDM triggers on the response flow sent by the server that received the connection (recorded as the source host) back to the C2 node that initiated it (recorded as the destination host).
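The following Python script is an added example, not code from the NDM or its vendor, that works through the direction heuristic described above on a handful of constructed flow records. It treats the endpoint with the higher port as the initiator, flags flows whose initiator is a listed C2 node and whose responder is one of our hosts, records the internal port the C2 node reached, and groups the hits per C2 node so that a single-port hit can be told apart from a scan-like spread across many ports. The indicator set (C2_NODES), the internal ranges (INTERNAL_NETS) and every flow are assumptions constructed for the example.

```python
"""Worked example of the port-comparison direction heuristic (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed indicator list: addresses we treat as known C2 nodes (assumption).
C2_NODES = {"198.51.100.5", "203.0.113.77"}

# Constructed view of "your network": an RFC 1918 range plus a public prefix
# standing in for Internet-facing servers (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record as a sensor would log it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def infer_initiator(flow: Flow) -> Optional[str]:
    """Return 'src' or 'dst' for the side that most likely opened the connection.

    Clients usually use a higher (ephemeral) port than the service they talk
    to, so the endpoint with the higher port is treated as the initiator.
    Returns None when both ports are equal and ports alone cannot decide.
    """
    if flow.src_port > flow.dst_port:
        return "src"
    if flow.dst_port > flow.src_port:
        return "dst"
    return None


def detect_external_internal(flows: Iterable[Flow]) -> List[dict]:
    """Flag flows whose inferred initiator is an external C2 node and whose
    responder is one of our hosts. The NDM text describes triggering on the
    reply (src = our server, dst = C2 node); because the check is written on
    the inferred roles it also matches the request half if a sensor logs it."""
    alerts = []
    for f in flows:
        role = infer_initiator(f)
        if role is None:
            continue  # ambiguous direction; a real pipeline would consult TCP flags/state
        if role == "src":
            initiator, responder, responder_port = f.src_ip, f.dst_ip, f.dst_port
        else:
            initiator, responder, responder_port = f.dst_ip, f.src_ip, f.src_port
        if initiator in C2_NODES and not is_internal(initiator) and is_internal(responder):
            alerts.append({"c2_node": initiator, "internal_host": responder,
                           "exposed_port": responder_port})
    return alerts


def summarize_by_c2(alerts: List[dict]) -> Dict[str, List[int]]:
    """Group the internal ports each C2 node reached; many ports on one host
    looks like probing, a single service port looks like targeted control."""
    ports: Dict[str, set] = {}
    for a in alerts:
        ports.setdefault(a["c2_node"], set()).add(a["exposed_port"])
    return {c2: sorted(p) for c2, p in ports.items()}


# Constructed sample flows (assumption), one scenario per comment.
SAMPLE_FLOWS = [
    # our web server answers a connection opened by a C2 node: triggers
    Flow("192.0.2.10", 443, "198.51.100.5", 51234),
    # our client reaches out to a C2 node: opposite direction, not this NDM
    Flow("10.0.0.25", 49152, "198.51.100.5", 443),
    # a second C2 node probes several ports on the same server (scan-like)
    Flow("192.0.2.10", 22, "203.0.113.77", 40001),
    Flow("192.0.2.10", 80, "203.0.113.77", 40002),
    Flow("192.0.2.10", 8443, "203.0.113.77", 40003),
    # equal ports: direction cannot be inferred from ports alone, skipped
    Flow("192.0.2.10", 500, "198.51.100.5", 500),
    # reply to an external host that is not on the indicator list
    Flow("192.0.2.10", 443, "198.51.100.99", 51000),
]

if __name__ == "__main__":
    hits = detect_external_internal(SAMPLE_FLOWS)
    for h in hits:
        print(f"C2 {h['c2_node']} reached {h['internal_host']}:{h['exposed_port']}")
    print("ports touched per C2 node:", summarize_by_c2(hits))
```

Running the script yields four hits: one for the web server's reply on port 443 and three for the second C2 node's probes of ports 22, 80 and 8443; the outbound client flow, the equal-port flow and the unlisted external host produce nothing. The per-node summary is the triage view an analyst wants when deciding between the web-shell scenario and the scanning scenario described below.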

These detections can indicate a serious event: some malware, and web shells in particular, is controlled by attackers over inbound traffic to a host they have already compromised. However, the same traffic pattern is produced when a C2 node probes or scans your Internet-facing infrastructure, which is usually a lower risk than an active infection. Because direction is inferred from port numbers alone, a service listening on a high, non-standard port can cause the two sides of a connection to be confused, so confirm who initiated the connection against connection state or firewall logs before acting on the detection.

What to Look For

Review the internal hosts involved in a comm_with_malware_external_internal event for unknown or unauthorized ports exposed to inbound Internet traffic, and review their web server logs for suspicious requests, for example requests to script paths you do not recognize. Block the external hosts (the C2 nodes) to prevent further communication.

Related MITRE ATT&CK Categories

Command and Control, Application Layer Protocol (T1071)
Command and Control, Non-Standard Port (T1571)
Command and Control, Non-Application Layer Protocol (T1095)