DDI RULE 2889


DESCRIPTION NAME: ANTSWORD - HTTP (Request)


  OVERVIEW

This is the Trend Micro detection for HTTP traffic that exhibits the behavior of a hacking tool, that is, a tool built to crack or bypass system and network security measures. Hacking tools have different capabilities depending on the systems they have been designed to penetrate. System administrators and malicious actors may use such tools in the same way but with different intent: both want to identify possible avenues for intrusion, but system administrators do so to test the security of the system, while malicious actors exploit those avenues.
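The rule description only says that the detection inspects HTTP requests; it does not publish the signature. The following added example, which is not Trend Micro's rule logic, shows what request-level detection for a webshell client such as AntSword can look like: it parses raw HTTP requests and flags two indicators that are this example's own assumptions about the client's default behavior (a User-Agent beginning with "antSword/", and a form body carrying a base64 blob that decodes to PHP source starting with "@ini_set("). All hostnames, paths, parameter names and payloads are constructed for the example.

```python
"""Added example, not Trend Micro's rule logic: flag HTTP requests carrying
indicators commonly associated with the AntSword webshell client.

The two indicators are assumptions about the client's default behaviour,
not the vendor's signature:
  * a User-Agent starting with "antSword/" (assumed default header), and
  * a POST form field holding base64 that decodes to PHP source beginning
    with "@ini_set(" (assumed prologue of the client's default PHP encoder).
"""
import base64
import re
from urllib.parse import parse_qs, urlencode

PHP_PROLOGUE = b"@ini_set("                      # assumed AntSword PHP prologue
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")    # shape of a base64 token

# Constructed payloads for the samples below; not taken from real traffic.
_ENCODED_PHP = base64.b64encode(b'@ini_set("display_errors", "0");echo "ok";').decode()
_ENCODED_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()


def _request(method, path, user_agent, form):
    """Build a raw HTTP/1.1 request string with a url-encoded form body."""
    body = urlencode(form)
    return (
        f"{method} {path} HTTP/1.1\r\nHost: app.example\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


# Constructed sample traffic (hostname, paths and parameter names are made up).
SAMPLE_REQUESTS = [
    _request("POST", "/login", "Mozilla/5.0", {"user": "alice", "pass": "hunter2"}),
    _request("POST", "/upload/image.php", "antSword/v2.1", {"pass": _ENCODED_PHP}),
    _request("POST", "/upload/image.php", "Mozilla/5.0", {"_0x1a2b": _ENCODED_PHP}),
    _request("POST", "/api/avatar", "Mozilla/5.0", {"img": _ENCODED_PNG}),
]


def parse_request(raw):
    """Split a raw request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def body_has_encoded_php(body, content_type):
    """True if any form field is base64 that decodes to the assumed PHP prologue."""
    if "application/x-www-form-urlencoded" not in content_type:
        return False
    for values in parse_qs(body).values():
        for value in values:
            if len(value) < 16 or not B64_RE.match(value):
                continue
            try:
                decoded = base64.b64decode(value, validate=True)
            except ValueError:          # binascii.Error is a ValueError subclass
                continue
            if decoded.startswith(PHP_PROLOGUE):
                return True
    return False


def antsword_indicators(raw):
    """Return the list of indicator names that fire on one raw request."""
    req = parse_request(raw)
    hits = []
    if req["headers"].get("user-agent", "").lower().startswith("antsword/"):
        hits.append("user-agent:antsword")
    if req["method"] == "POST" and body_has_encoded_php(
        req["body"], req["headers"].get("content-type", "")
    ):
        hits.append("body:base64-php-prologue")
    return hits


def scan(requests):
    """Return (index, request line, indicators) per request; [] means clean."""
    return [(i, raw.split("\r\n", 1)[0], antsword_indicators(raw))
            for i, raw in enumerate(requests)]


if __name__ == "__main__":
    for index, line, hits in scan(SAMPLE_REQUESTS):
        print(f"#{index} {line}: {'ALERT ' + ', '.join(hits) if hits else 'clean'}")
```

The third sample shows why the body check matters: a client that spoofs a browser User-Agent still trips the payload indicator, while the fourth sample (an ordinary base64-encoded image) decodes cleanly and is not flagged.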

  TECHNICAL DETAILS

Attack Phase: Intelligence Gathering

Protocol: HTTP

Risk Type: SPYWARE

Threat Type: Grayware

Confidence Level: High

Severity: Medium(Inbound)

DDI Default Rule Status: Disable

Event Class: Grayware

Event Sub Class: Hack Tool

Behavior Indicator: Hack Tool

APT Related: YES

  SOLUTION

Network Content Inspection Pattern Version: 1.14709.00
Network Content Inspection Pattern Release Date: 18 Oct 2021
Network Content Correlation Pattern Version: 1.13863.00
Network Content Correlation Pattern Release Date: 24 Oct 2019

Immediate Action

  • If the host exhibiting this kind of network behavior is within the internal network, change all passwords of the host and ensure the use of strong passwords. Strong passwords should contain upper case letters, lower case letters, digits, punctuation marks, and other symbols.
  • Remove any unrecognizable files, software, or services.
  • Update your Trend Micro products and pattern files to the latest version.
  • Scan the host for possible malware and clean any detected items.

Secondary Action

If scanning fails to detect a malware infection:

  1. If possible, disconnect the host from the network to prevent any further communication or malicious activities the malware may attempt.
  2. Run RootkitBuster to check through hidden files, registry entries, processes, drivers, and hooked system services.
  3. Use the Anti-Threat Toolkit (ATTK) tools to collect undetected malware information.
  4. Identify and clean threats with Rescue Disk, which is intended for suspected threats that are persistent or difficult to clean. Rescue Disk allows you to use a CD, DVD, or USB drive to examine your computer without launching Microsoft Windows.
  5. If the host exhibiting this kind of network behavior is in the external network, ensure the following to reduce the risk of attack:
    • Systems are not in default configuration
    • Firewall is enabled
    • Change all passwords of the host and ensure the use of strong passwords. Strong passwords should contain upper case letters, lower case letters, digits, punctuation marks, and other symbols.
    • Firmware of devices, routers, and other hardware is up to date, and hosts and other systems visible to the external network have their browsers, plugins, and operating systems fully updated with the latest patches.
