Egress over IRC port



Detect when an egress connection is made over port 6667 (IRC).


Egress connections to unknown hosts over port 6667 should be rare. Internet Relay Chat (IRC) is a protocol that is commonly abused by malicious botnet operators. Malicious commands built into the malware include methods to fetch system information, download additional malware, or execute attacks targeting other hosts.

Triage and response

  1. Determine the process making the connection.
  2. Verify if there is a legitimate reason for the host to communicate over this port. Search network flows to determine whether the activity is happening on other hosts.
  3. Isolate the workload, preserving it for analysis.
  4. Review related signals to understand the full timeline of the incident.
  5. Find and repair the root cause of the incident.

This detection is based on data from Network Performance Monitoring.