Solved

Vector Endpoint - Connections to other computers

  • 29 September 2021
  • 2 replies
  • 104 views


Hello,
We are launching the endpoint vector in my company, and we are detecting many connections to other computers from the user that is doing the launch.
Is this normal?
Isn't the endpoint vector a local test?

Thanks
Regards


Best answer by David_Barrientos 29 September 2021, 12:24


2 replies


Hi Victor,

 

Although it is a local-based test (malicious behavior happens on the endpoint), some tests in the ransomware scenario involve opening a C&C channel over HTTPS (MITRE Commonly Used Port - https://attack.mitre.org/techniques/T1043), and others in the worm scenario discover SMB shares (MITRE Network Share Discovery - https://attack.mitre.org/techniques/T1135, Network Service Scanning - https://attack.mitre.org/techniques/T1046, ...).

Also, because it is a worm behaviour test, it also tries to move laterally to the discovered hosts, for example using DCOM:

“Creating a remote COM instance of explorer.exe (shellwindows/shellbrowserwindow) for each target discovered, using the logged-on user token privileges via RPC protocol (port 135).”

 

In a CSV Full export you can find useful information about the steps of each assessment.

Regards,

 

David Barrientos
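The traffic David describes has a recognisable shape on the wire: one user on one workstation touches many hosts on tcp/445 (share discovery / service scanning) and then comes back to some of them on tcp/135 (DCOM activation through the RPC endpoint mapper). The following is an added example, not Cymulate's code or any tool from the original post, showing how a SOC could spot that pattern in Sysmon Event ID 3-style connection records so the assessment can be correlated with what the EDR or SIEM saw. The record format, the sample events and the thresholds are all assumptions made for the example.

```python
"""Fan-out detector for worm-style discovery followed by DCOM lateral movement.

Added example (not Cymulate's code). Each record is a simplified Sysmon
Event ID 3 (network connection) with the fields we need; the sample data is
constructed and the 5-minute window / threshold of 4 hosts are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445   # share enumeration (T1135) / service scanning (T1046)
RPC_PORT = 135   # DCOM activation goes through the RPC endpoint mapper

# Constructed sample: CORP\victor on WS01 sweeps five hosts on 445, returns to
# three of them on 135 (the DCOM step), then opens one HTTPS channel. A second
# user touching a single file server is included as benign baseline.
SAMPLE_EVENTS = [
    {"ts": "2021-09-29T11:58:00", "user": "CORP\\alice", "src": "WS02", "dst": "10.0.0.50", "dport": 445},
    {"ts": "2021-09-29T12:00:01", "user": "CORP\\victor", "src": "WS01", "dst": "10.0.0.11", "dport": 445},
    {"ts": "2021-09-29T12:00:02", "user": "CORP\\victor", "src": "WS01", "dst": "10.0.0.12", "dport": 445},
    {"ts": "2021-09-29T12:00:03", "user": "CORP\\victor", "src": "WS01", "dst": "10.0.0.13", "dport": 445},
    {"ts": "2021-09-29T12:00:04", "user": "CORP\\victor", "src": "WS01", "dst": "10.0.0.14", "dport": 445},
    {"ts": "2021-09-29T12:00:05", "user": "CORP\\victor", "src": "WS01", "dst": "10.0.0.15", "dport": 445},
    {"ts": "2021-09-29T12:00:20", "user": "CORP\\victor", "src": "WS01", "dst": "10.0.0.11", "dport": 135},
    {"ts": "2021-09-29T12:00:21", "user": "CORP\\victor", "src": "WS01", "dst": "10.0.0.13", "dport": 135},
    {"ts": "2021-09-29T12:00:22", "user": "CORP\\victor", "src": "WS01", "dst": "10.0.0.15", "dport": 135},
    {"ts": "2021-09-29T12:00:30", "user": "CORP\\victor", "src": "WS01", "dst": "203.0.113.10", "dport": 443},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def fanout_by_port(events, window=timedelta(minutes=5)):
    """Map (user, src, dport) -> max distinct destinations seen inside any sliding window."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["src"], e["dport"])].append((parse_ts(e["ts"]), e["dst"]))
    result = {}
    for key, conns in groups.items():
        conns.sort()
        best, lo = 0, 0
        for hi in range(len(conns)):
            # Slide the window start forward until it fits inside `window`.
            while conns[hi][0] - conns[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in conns[lo:hi + 1]}))
        result[key] = best
    return result


def lateral_candidates(events):
    """Destinations that the same user/src touched on 445 and afterwards on 135."""
    first_smb = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"], e["dst"])
        if e["dport"] == SMB_PORT and key not in first_smb:
            first_smb[key] = parse_ts(e["ts"])
    hits = set()
    for e in events:
        key = (e["user"], e["src"], e["dst"])
        if e["dport"] == RPC_PORT and key in first_smb and parse_ts(e["ts"]) >= first_smb[key]:
            hits.add(e["dst"])
    return sorted(hits)


def detect(events, discovery_threshold=4):
    """Return human-readable alerts for discovery fan-out and SMB->RPC follow-ups."""
    alerts = []
    for (user, src, dport), n in fanout_by_port(events).items():
        if dport in (SMB_PORT, RPC_PORT) and n >= discovery_threshold:
            alerts.append(f"{user}@{src}: {n} distinct hosts on tcp/{dport} within 5 min (discovery/scanning)")
    targets = lateral_candidates(events)
    if targets:
        alerts.append("SMB discovery followed by RPC/135 to " + ", ".join(targets) + " (possible DCOM lateral movement)")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The fan-out rule alone is noisy on file servers and jump hosts, so the second rule keys on the sequence (share discovery, then RPC to the same hosts) rather than on volume; during an assessment you would expect exactly one source workstation and the launching user's account to light up, which matches the "one other device" scope described in the thread.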


If you would prefer not to do that particular kind of testing, you can run the pre-built templates for Ransomware and Trojans (and therefore skip worm simulations); or alternatively create a new template and select everything except those executions/behaviors that would simulate worm activity.

It is important to test your anti-malware and native OS defenses for the ability to detect malware trying to move from one machine to another, so performing worm simulations in Cymulate (which won’t cause disruption or put things at risk, but can trigger alerts) isn’t a bad idea. The worm behaviors in Endpoint Security will limit themselves to only communicating with one other device, so the alerts should be minimal, and they’ll be constrained to only the duration of the assessment.

There are options, though, if that’s just not possible in your environment.
