IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« IPSEC NAT Traversal Port Activity Inbound Connection to an Unsecure Elasticsearch Node »

› › ›

IRC (Internet Relay Chat) Protocol Activity to the Internet

edit

IRC (Internet Relay Chat) Protocol Activity to the Internet

edit

Detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.

Rule type: query

Rule indices:

filebeat-*
packetbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Network
Threat Detection
Command and Control

Version: 5 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positives

edit

IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule’s conditions.

Rule query

edit

event.category:(network or network_traffic) and network.transport:tcp
and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and
source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not
destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
192.168.0.0/16 or "::1")

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Commonly Used Port
- ID: T1043
- Reference URL: https://attack.mitre.org/techniques/T1043/
Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
Technique:
- Name: Exfiltration Over Alternative Protocol
- ID: T1048
- Reference URL: https://attack.mitre.org/techniques/T1048/

Rule version history

edit

Version 5 (7.10.0 release)

Formatting only

Version 4 (7.9.0 release)

Updated query, changed from:

network.transport:tcp and destination.port:(6667 or 6697) and
source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not
destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
192.168.0.0/16 or "::1")

Version 3 (7.7.0 release)

Updated query, changed from:

network.transport: tcp and destination.port:(6667 or 6697) and (
network.direction: outbound or ( source.ip: (10.0.0.0/8 or
172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8
or 172.16.0.0/12 or 192.168.0.0/16) ) )

Version 2 (7.6.1 release)

Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.

« IPSEC NAT Traversal Port Activity Inbound Connection to an Unsecure Elasticsearch Node »