Traffic to a suspicious IP destination

ID: suspicious_ip
Data type: IP
Severity: Low - Medium
MITRE ATT&CK: TA0011:T1071

Description

AlphaSOC detected network traffic to an IP address with a low reputation score on an uncommon port. This behavior may indicate malicious activity, such as command and control (C2) communication or data exfiltration attempts. The low-reputation IP may be associated with known malware infrastructure or other malicious activities.

Impact

Communication with low-reputation IPs can signify a compromised system within the network. This may lead to data theft, further lateral movement, or the execution of malicious commands. The attacker could maintain persistent access to the network, potentially resulting in long-term compromise and significant damage to the organization's assets and reputation.

Severity

Severity | Condition
Low      | Traffic to a suspicious IP destination
Medium   | Multiple connections to suspicious IP destinations
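The conditions above can be modelled as a small scoring routine over connection logs. The following is an added illustration, not AlphaSOC's own detection code: the reputation table, the reputation threshold, the set of "common" ports, and the log line format are all constructed assumptions for the example, and the IP addresses are documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed reputation table: IP -> score 0..100, lower is worse.
# A real deployment would take this from a threat-intelligence feed; these values are made up.
REPUTATION = {
    "203.0.113.45": 12,
    "198.51.100.7": 9,
    "192.0.2.10": 95,
}
REPUTATION_THRESHOLD = 30                   # assumption: scores below this are "low reputation"
COMMON_PORTS = {22, 25, 53, 80, 123, 443}   # assumption: ports treated as ordinary, not "uncommon"

# Constructed sample connection log: "<timestamp> <src> <dst> <dport> <proto>" per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 203.0.113.45 4444 tcp
2024-05-01T10:00:05Z 10.0.0.5 192.0.2.10 443 tcp
2024-05-01T10:01:10Z 10.0.0.9 198.51.100.7 8081 tcp
2024-05-01T10:02:00Z 10.0.0.9 198.51.100.7 8081 tcp
2024-05-01T10:02:30Z 10.0.0.9 203.0.113.45 443 tcp
"""


@dataclass
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text):
    """Parse the whitespace-separated sample log format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        conns.append(Conn(ts, src, dst, int(dport), proto))
    return conns


def is_suspicious(conn, reputation=REPUTATION):
    """A connection matches when the destination has a low reputation score
    AND the destination port is not one of the common ports."""
    score = reputation.get(conn.dst)
    return score is not None and score < REPUTATION_THRESHOLD and conn.dport not in COMMON_PORTS


def score_alerts(conns):
    """Group matching connections by source host and assign severity following
    the page's table: a single suspicious connection is Low, multiple are Medium.
    The returned destinations list is what an analyst would review (and, if
    confirmed malicious, block) during investigation."""
    hits = defaultdict(list)
    for c in conns:
        if is_suspicious(c):
            hits[c.src].append(c)
    alerts = {}
    for src, cs in hits.items():
        alerts[src] = {
            "severity": "Medium" if len(cs) > 1 else "Low",
            "count": len(cs),
            "destinations": sorted({(c.dst, c.dport) for c in cs}),
        }
    return alerts


if __name__ == "__main__":
    for src, info in score_alerts(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['severity']} ({info['count']} connections) -> {info['destinations']}")
```

In the sample data, 10.0.0.5 makes one connection to a low-reputation address on port 4444 and is scored Low; 10.0.0.9 connects twice to a low-reputation address on port 8081 and is scored Medium, while its connection to 203.0.113.45 on port 443 is not counted because the port is in the common set.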

Investigation and Remediation

Review logs and network traffic to identify the destination of suspicious activity and determine whether the connection is authorized. Isolate compromised systems, terminate malicious processes, and remove any identified malware. Block the suspicious IP address to prevent further communication.