Egress over IRC port


Goal

Detect when an egress connection is made over port 6667 (IRC).

Strategy

Egress connections to unknown hosts over port 6667 should be rare. Internet Relay Chat (IRC) is a protocol that is commonly abused by malicious botnet operators. Malware that uses IRC typically has built-in commands to fetch system information, download additional malware, or execute attacks against other hosts.

Triage and response

  1. Determine the process making the connection.
  2. Verify whether there is a legitimate reason for the host to communicate over this port. Search network flows to determine whether the activity is happening on other hosts.
  3. Isolate the workload, preserving it for analysis.
  4. Review related signals to understand the full timeline of the incident.
  5. Find and repair the root cause of the incident.

This detection is based on data from Network Performance Monitoring.
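The following is an added example of the detection logic and the first triage steps, not code from this page or from Network Performance Monitoring. It runs over a handful of constructed flow records; the record field names (`host`, `process`, `src_ip`, `dst_ip`, `dst_port`, `direction`) and the set of "internal" address ranges are assumptions chosen for the example, not the product's actual flow schema. It flags outbound connections to port 6667 whose destination is outside the internal ranges and not on an allow list of known-legitimate IRC servers, and then groups the hits by destination so an analyst can see whether several hosts are contacting the same endpoint (triage step 2).

```python
"""Flag outbound connections to port 6667 (IRC) toward non-internal hosts.

Added example; the record layout below is an assumption, not a real
network-flow schema.
"""
import ipaddress
from collections import defaultdict

IRC_PORT = 6667

# Address ranges treated as "inside" (assumption: RFC 1918 plus loopback).
# A connection to one of these is not egress and is not flagged.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample flow records (not real telemetry). Destination addresses
# use documentation ranges so nothing here points at a real host.
SAMPLE_FLOWS = [
    # internal-to-internal IRC: not egress, should not fire
    {"host": "web-01", "process": "nginx", "src_ip": "10.0.1.5",
     "dst_ip": "10.0.1.9", "dst_port": 6667, "direction": "outbound"},
    # outbound IRC to an unknown external host: should fire
    {"host": "web-01", "process": "curl", "src_ip": "10.0.1.5",
     "dst_ip": "203.0.113.7", "dst_port": 6667, "direction": "outbound"},
    # ordinary HTTPS egress: wrong port, should not fire
    {"host": "db-02", "process": "postgres", "src_ip": "10.0.2.8",
     "dst_ip": "198.51.100.3", "dst_port": 443, "direction": "outbound"},
    # second host contacting the same external IRC endpoint: should fire
    {"host": "db-02", "process": "unknown", "src_ip": "10.0.2.8",
     "dst_ip": "203.0.113.7", "dst_port": 6667, "direction": "outbound"},
    # inbound connection on 6667: not egress, should not fire
    {"host": "web-01", "process": "sshd", "src_ip": "198.51.100.50",
     "dst_ip": "10.0.1.5", "dst_port": 6667, "direction": "inbound"},
]


def is_internal(ip_str):
    """True when the address falls inside one of INTERNAL_NETWORKS."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETWORKS)


def is_irc_egress(flow, allowed_destinations=frozenset()):
    """True for an outbound flow to port 6667 whose destination is external
    and not on the allow list of known-legitimate IRC servers."""
    return (
        flow["direction"] == "outbound"
        and flow["dst_port"] == IRC_PORT
        and not is_internal(flow["dst_ip"])
        and flow["dst_ip"] not in allowed_destinations
    )


def find_irc_egress(flows, allowed_destinations=frozenset()):
    """Return the flows that match the rule, in input order."""
    return [f for f in flows if is_irc_egress(f, allowed_destinations)]


def hosts_by_destination(matches):
    """Group flagged flows by destination IP -> sorted list of source hosts,
    so an analyst can see whether the activity spans several hosts."""
    grouped = defaultdict(set)
    for f in matches:
        grouped[f["dst_ip"]].add(f["host"])
    return {dst: sorted(hosts) for dst, hosts in grouped.items()}


def triage_summary(flows, allowed_destinations=frozenset()):
    """Everything triage step 1 and 2 need: the process per hit and the
    spread of each destination across hosts."""
    matches = find_irc_egress(flows, allowed_destinations)
    return {
        "flagged": [(f["host"], f["process"], f["dst_ip"]) for f in matches],
        "by_destination": hosts_by_destination(matches),
    }


if __name__ == "__main__":
    summary = triage_summary(SAMPLE_FLOWS)
    for host, proc, dst in summary["flagged"]:
        print(f"{host}: process '{proc}' connected to {dst}:{IRC_PORT}")
    for dst, hosts in summary["by_destination"].items():
        print(f"{dst} contacted from {len(hosts)} host(s): {', '.join(hosts)}")
```

Passing a known, sanctioned IRC server in `allowed_destinations` is how step 2's "legitimate reason" outcome is fed back into the rule so the same destination stops firing; everything else on port 6667 remains a signal that should lead to steps 3 through 5.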