Redis service publicly accessible

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1133-external-remote-services

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when multiple external connections are made to the port for Redis (6379).

Strategy

Production instances of Redis should not be publicly accessible. Incoming connections from multiple public IP addresses indicate an exposed instance.

Triage and response

  1. Review all events for connections from unexpected IP addresses.
  2. Move the Redis service to a private network.
  3. Review Related Signals and relevant logs for additional malicious activity.

This detection is based on data from Network Performance Monitoring.