comm_with_malware_internal_external
Explanation
The comm_with_malware_internal_external NDM is designed to detect outbound connections from internal hosts to known malware command and control (C2) nodes. The NDM triggers when an internal host connects to an external IP address that is in the malware_command_and_control Threat Intelligence category. Because the destination is a confirmed C2 indicator rather than a heuristic match, the event should be treated as a serious one.
What to Look For
Internal hosts involved in a comm_with_malware_internal_external event should be evaluated for malware infection as soon as possible and, where possible, isolated from other internal hosts. External hosts should be blocked so that other infected internal hosts cannot reach the C2 nodes. When triaging, note whether the connection actually completed or was only attempted (for example, a SYN with no reply), which process or user on the internal host originated it, and whether the same internal host contacted more than one C2 indicator; repeated or completed connections warrant the earliest attention.
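The following is an added example, not the NDM's own code, showing the detection logic described above run over a handful of constructed connection records together with the resulting isolate/block lists. It assumes Zeek conn.log field names (id.orig_h, id.resp_h, id.resp_p, conn_state), treats RFC 1918 space as "internal", and uses a hypothetical threat-intelligence feed built from RFC 5737 documentation addresses; a real deployment would substitute its own address inventory and feed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed threat-intelligence feed: category -> indicator IPs.
# All addresses are from RFC 5737 documentation ranges and are hypothetical.
THREAT_INTEL = {
    "malware_command_and_control": {"203.0.113.45", "198.51.100.7"},
    "scanner": {"192.0.2.200"},
}

# RFC 1918 space stands in for "internal"; a real deployment uses its own inventory.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class C2Event:
    ts: float
    src: str         # internal originator
    dst: str         # external responder matching the intel category
    dport: int
    proto: str
    conn_state: str  # Zeek-style state: SF = completed, S0 = SYN with no reply, REJ = refused
    category: str


def detect(conn_records, intel=THREAT_INTEL, category="malware_command_and_control"):
    """Emit one event per outbound (internal -> external) connection whose
    responder is an indicator in the given threat-intelligence category."""
    indicators = intel.get(category, set())
    events = []
    for r in conn_records:
        src, dst = r["id.orig_h"], r["id.resp_h"]
        # Direction matters: only internal originators to external responders count.
        if not (is_internal(src) and not is_internal(dst)):
            continue
        if dst in indicators:
            events.append(C2Event(r["ts"], src, dst, r["id.resp_p"], r["proto"], r["conn_state"], category))
    return events


def response_plan(events):
    """Derive the action lists the triage guidance calls for."""
    return {
        "isolate": sorted({e.src for e in events}),
        "block": sorted({e.dst for e in events}),
        # Hosts whose connection actually completed deserve the first look.
        "completed": sorted({e.src for e in events if e.conn_state == "SF"}),
    }


# Constructed connection records using Zeek conn.log field names.
CONN_LOG = [
    {"ts": 1.0, "id.orig_h": "10.1.2.3",     "id.resp_h": "203.0.113.45",  "id.resp_p": 443,  "proto": "tcp", "conn_state": "SF"},
    {"ts": 2.0, "id.orig_h": "10.1.2.3",     "id.resp_h": "198.51.100.99", "id.resp_p": 443,  "proto": "tcp", "conn_state": "SF"},   # external, not in intel
    {"ts": 3.0, "id.orig_h": "192.168.5.9",  "id.resp_h": "198.51.100.7",  "id.resp_p": 8443, "proto": "tcp", "conn_state": "S0"},   # non-standard port, no reply
    {"ts": 4.0, "id.orig_h": "10.9.9.9",     "id.resp_h": "192.0.2.200",   "id.resp_p": 22,   "proto": "tcp", "conn_state": "REJ"},  # other intel category
    {"ts": 5.0, "id.orig_h": "203.0.113.45", "id.resp_h": "10.1.2.3",      "id.resp_p": 445,  "proto": "tcp", "conn_state": "S0"},   # inbound from a C2 IP: not this NDM
    {"ts": 6.0, "id.orig_h": "10.1.2.3",     "id.resp_h": "10.1.2.4",      "id.resp_p": 445,  "proto": "tcp", "conn_state": "SF"},   # internal to internal
]

if __name__ == "__main__":
    hits = detect(CONN_LOG)
    for h in hits:
        print(f"{h.ts}: {h.src} -> {h.dst}:{h.dport}/{h.proto} [{h.conn_state}] {h.category}")
    print(response_plan(hits))
```

Only records 1 and 3 produce events: record 5 is the same C2 address but inbound, record 4 matches a different intel category, and records 2 and 6 match nothing. The S0 state on record 3 is kept in the event so an analyst can see the host tried but never reached the C2 node, which changes the urgency but not the need to examine the host.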
Related MITRE ATT&CK Categories
Command and Control, Application Layer Protocol (T1071)
Command and Control, Non-Standard Port (T1571)
Command and Control, Non-Application Layer Protocol (T1095)