Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
An attacker can easily create a self-signed certificate for a well-known domain to spoof an identity. But self-signed certificates are easily detected, making this activity less likely when compared to other techniques, such as obtaining a certificate signed by a Certificate Authority (CA). Any connection that is made to a well-known domain with an invalid certificate should be examined.
The system might change the risk score for this detection.
Kill Chain
Risk Score
56
Attackers communicate with compromised devices through command-and-control (C&C) techniques. One technique is for malware, installed on the compromised device, to connect to a C&C server. Attackers can disguise these connections by spoofing the identity of the C&C server as a legitimate owner of a well-known domain (such as google.com). To accomplish this, the attacker creates a self-signed TLS certificate for the well-known domain. When the malware attempts to establish the connection, the C&C server presents the spoofed certificate. After the connection is established, C&C-related traffic appears to be sent to a legitimate domain, enabling the traffic to bypass firewalls and intrusion detection and prevention systems.
Quarantine the device while checking for indicators of compromise
Block inbound and outbound traffic from suspicious hosts at the network perimeter
