communication_to_malware

Explanation

The communication_to_malware NDM detects outbound connections to known malware command and control (C2) nodes. It triggers when an internal host connects to an IP address listed in the malware_command_and_control Threat Intelligence category. Because the destination is a known C2 node, an event should be treated as serious: the originating internal host is likely infected.

What to Look For

Internal hosts involved in a communication_to_malware event should be evaluated for malware infection as soon as possible and, where possible, isolated from other internal hosts. The external C2 address should be blocked so that other internal hosts that may already be infected cannot reach it. Note that the NDM only reports the connection it observed; the same C2 address may be contacted from other internal hosts, so search for all connections to the matched indicator rather than treating the first event as the only affected host.
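The detection and the follow-up actions described above, worked through as an added example (this is illustrative code written for this page, not the NDM's own implementation). It runs the matching logic over a handful of constructed Zeek-style conn.log records in JSON form against a constructed threat-intel table; the indicator addresses come from documentation ranges, and the internal-network definition, field names and the intel table layout are assumptions made for the example.

```python
import ipaddress
import json

# Threat Intelligence category the NDM keys on (name taken from the page).
C2_CATEGORY = "malware_command_and_control"

# Constructed threat-intel table for the example (hypothetical indicators from
# documentation ranges): indicator -> set of categories it is tagged with.
THREAT_INTEL = {
    "203.0.113.45": {"malware_command_and_control"},
    "203.0.113.200": {"malware_command_and_control", "phishing"},
    "198.51.100.9": {"scanner"},  # tagged, but not a C2 node: must not trigger
}

# Constructed Zeek-style conn.log records (JSON form); not real traffic.
SAMPLE_CONN_LOG = """\
{"ts": 1700000001.1, "uid": "CAb1", "id.orig_h": "10.1.2.3", "id.orig_p": 51000, "id.resp_h": "203.0.113.45", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1700000002.2, "uid": "CAb2", "id.orig_h": "10.1.2.3", "id.orig_p": 51001, "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1700000003.3, "uid": "CAb3", "id.orig_h": "10.1.9.20", "id.orig_p": 51002, "id.resp_h": "198.51.100.9", "id.resp_p": 22, "proto": "tcp"}
{"ts": 1700000004.4, "uid": "CAb4", "id.orig_h": "192.168.5.7", "id.orig_p": 51003, "id.resp_h": "203.0.113.200", "id.resp_p": 8443, "proto": "tcp"}
{"ts": 1700000005.5, "uid": "CAb5", "id.orig_h": "203.0.113.45", "id.orig_p": 40000, "id.resp_h": "10.1.2.3", "id.resp_p": 3389, "proto": "tcp"}
{"ts": 1700000006.6, "uid": "CAb6", "id.orig_h": "10.1.2.3", "id.orig_p": 51004, "id.resp_h": "203.0.113.45", "id.resp_p": 53, "proto": "udp"}
"""

# Assumed definition of "internal" for the example: RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text: str) -> list[dict]:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_communication_to_malware(records, intel=THREAT_INTEL) -> list[dict]:
    """Return one event per outbound connection whose responder is a C2 indicator."""
    events = []
    for rec in records:
        src, dst = rec["id.orig_h"], rec["id.resp_h"]
        # Outbound only: internal originator, external responder. An inbound
        # connection *from* a C2 address (CAb5) is not what this NDM reports.
        if not is_internal(src) or is_internal(dst):
            continue
        # The category matters, not mere presence in the feed (CAb3 is tagged
        # "scanner" and must not fire).
        if C2_CATEGORY not in intel.get(dst, ()):
            continue
        events.append({
            "uid": rec["uid"],
            "internal_host": src,
            "c2_node": dst,
            "resp_port": rec["id.resp_p"],
            "proto": rec["proto"],
        })
    return events


def containment_actions(events) -> dict:
    """Hosts to isolate and addresses to block, deduplicated across events."""
    by_ip = ipaddress.ip_address
    return {
        "isolate_hosts": sorted({e["internal_host"] for e in events}, key=by_ip),
        "block_ips": sorted({e["c2_node"] for e in events}, key=by_ip),
    }


if __name__ == "__main__":
    evts = detect_communication_to_malware(parse_conn_log(SAMPLE_CONN_LOG))
    for e in evts:
        print(f"communication_to_malware uid={e['uid']} {e['internal_host']} -> "
              f"{e['c2_node']}:{e['resp_port']}/{e['proto']}")
    print(json.dumps(containment_actions(evts), indent=2))
```

Three of the six records fire (CAb1, CAb4 and CAb6); the benign destination, the non-C2 intel hit and the inbound connection from a C2 address do not. The containment summary collapses the repeated host 10.1.2.3 into one isolation target and yields the two C2 addresses to block, which is the per-host and per-indicator view the response guidance above calls for.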

Related MITRE ATT&CK Categories

Command and Control, Application Layer Protocol (T1071)
Command and Control, Non-Standard Port (T1571)
Command and Control, Non-Application Layer Protocol (T1095)