US-Cert published AA20-183A on 2020-07-01, titled "Defending Against Malicious Cyber Activity Originating from Tor"
Use this query to identify non-browser traffic to the ports specified in the alert - www.us-cert.gov/.../aa20-183a
-- US-Cert AA20-183A 2020-07-01 notification on "Defending Against Malicious Cyber Activity Originating from Tor"
-- This query identifies non-browser traffic to the ports specified in the alert - www.us-cert.gov/.../aa20-183a
SELECT
    sophos_ip_journal.sophosPID,
    destination,
    destinationPort,
    processName,
    cmdLine,
    CASE
        WHEN sophos_ip_journal.protocol = 6 THEN 'TCP'
        WHEN sophos_ip_journal.protocol = 17 THEN 'UDP'
        ELSE 'Error'
    END AS protocol
FROM sophos_ip_journal
LEFT JOIN sophos_process_journal
    ON sophos_process_journal.sophosPID = sophos_ip_journal.sophosPID
WHERE
    (   destinationPort = '9001'
     OR destinationPort = '9030'
     OR destinationPort = '9040'
     OR destinationPort = '9050'
     OR destinationPort = '9051'
     OR destinationPort = '9150'
     OR destinationPort = '8443' )
    AND ( protocol = '6' OR protocol = '17' )
    AND sophos_ip_journal.TIME > STRFTIME('%s', 'NOW', '-1 days')
    AND processName != 'swi_fc.exe';
--
-- Suggested next steps:
--
-- 1. Use the 'Process tree for a SophosPID' query to identify the processes leading to and originating from the suspect sophosPID. See https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/120567/live-discovery-query-process-tree-for-a-sophospid.
-- 2. Use the 'Processes that created a file' built-in query to identify how the executable associated with the suspect sophosPID was created.
-- 3. Use the 'Process activity history' built-in query to identify file I/O and process launches for the suspect sophosPID or adjacent suspicious processes.