IRC (Internet Relay Chat) Protocol Activity to the Internet
editIRC (Internet Relay Chat) Protocol Activity to the Internet
editDetects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.
Rule type: query
Rule indices:
- filebeat-*
- packetbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
Tags:
- Elastic
- Host
- Network
- Threat Detection
- Command and Control
Version: 7 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
Potential false positives
editIRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule’s conditions.
Rule query
editevent.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 ) and not destination.ip:( 10.0.0.0/8 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.168.0.0/16 or 224.0.0.0/4 or "::1" or "FE80::/10" or "FF00::/8" )
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
-
Technique:
- Name: Exfiltration Over Alternative Protocol
- ID: T1048
- Reference URL: https://attack.mitre.org/techniques/T1048/
Rule version history
edit- Version 7 (7.11.2 release)
-
- Formatting only
- Version 6 (7.11.0 release)
-
-
Updated query, changed from:
event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
-
- Version 5 (7.10.0 release)
-
- Formatting only
- Version 4 (7.9.0 release)
-
-
Updated query, changed from:
network.transport:tcp and destination.port:(6667 or 6697) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
-
- Version 3 (7.7.0 release)
-
-
Updated query, changed from:
network.transport: tcp and destination.port:(6667 or 6697) and ( network.direction: outbound or ( source.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ) )
-
- Version 2 (7.6.1 release)
-
- Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.