Use Case - Detecting C2/Backdoor Activity


This use case demonstrates using McAfee Active Response to investigate suspicious activity on an endpoint that is potentially related to Command & Control (C2) behavior.

1. The e-mail provided an initial IoC, the hostname “IP-0A00778E”. This initial breadcrumb is the starting point of the investigation.


2. Navigate to Active Response’s Search Engine and search on the initial IoC “IP-0A00778E”:

[Processes where Hostname hostname equals “IP-0A00778E”]

The “Processes” collector shows the processes currently active on the host “IP-0A00778E”. What stands out? Note the process “ncat.exe” and its cmdline “ncat.exe

Ncat is a common tool used to establish rudimentary backdoor connections between a host and a target.


3. Use the “CurrentFlow” collector, which gives a real-time view of an endpoint’s NetFlow traffic, as opposed to the “NetworkFlow” collector, which gives a historical view of an endpoint’s NetFlow.

[CurrentFlow where CurrentFlow process contains “ncat”]

“Ncat” is the next IoC, taken from the previous search with the “Processes” collector. Note the process “ncat.exe” running on two endpoints: on port 31337 and on port 51790. This pair of results shows an active, “Established” connection between the two endpoints.

What else could be used as an IoC for further investigation?


4. Next, use the “NetworkFlow” collector to look at the historical NetFlow data between the two endpoints in question.

[NetworkFlow where NetworkFlow src_port equals 31337 or NetworkFlow src_port equals 51790]


5. This is a screenshot of the endpoints in question. is on the left, currently set to “--listen”, which means it is waiting for commands to be sent from the C2 server. is on the right, has established the connection to and is currently communicating.


6. Using the “NetworkFlow” collector, investigate whether there were any prior connections between “” and “”:

[NetworkFlow where NetworkFlow dst_ip equals and NetworkFlow src_ip equals]

Note in Red: this is the established connection between the two endpoints currently under investigation. “Connected” shows there is an active connection between them, along with the ports in use. Each time, the src port is “31337”, which leads to the next step of the investigation: determining whether any other endpoints are currently using “31337”.


7. Using the “NetworkFlow” collector with the newfound IoC, the src_port that “ncat.exe” is currently using for communication, enables a search across the entire network environment. In this case, only the two endpoints “” and “” are using “31337”. At this point the decision is made to kill the connection between these two endpoints and to create a “Trigger” that alerts the incident response team to the presence of “ncat.exe”.


8. Now we leverage McAfee Active Response’s trigger functionality to build a trigger that responds to the presence of “Ncat” on the network.

Under the Trigger Configuration:

              Select “Enable” for Status and “Alert” for Event Severity

Under Detection:

              1. Select “Network” for Trigger Type

              2. Select “Port Opened” for Trigger Event (any time a port matching the condition opens, the trigger fires)

              Note: The Trigger Outputs change based on the Event selected, showing the conditions allowed for that Event type

              3. Enter “src_port equals 31337” into the Conditions field (in the course of the investigation, Ncat used “31337” for its backdoor, and we want to be alerted to its presence going forward)

              4. Select “Send Event to ePO” for the Reaction and save the Trigger.

              Note: There are many variations you can use to be alerted to Ncat’s presence, such as triggering on running processes named “ncat” or on its MD5/SHA1; experiment with these options.
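The investigation and trigger logic from steps 2 through 8, recreated offline in Python as an added example (this is not Active Response code or its query language). The process and flow records are constructed to mimic the collector fields; the hostnames HOST-B and HOST-C and all IP addresses are assumptions.

```python
"""Offline walk-through of the ncat hunt: process inventory -> established
flow pair -> port sweep -> trigger evaluation. Added example, not MAR code."""

# Constructed sample records mimicking the Processes collector fields.
# 0A00778E decodes to 10.0.119.142; the other hosts/IPs are made up.
PROCESSES = [
    {"hostname": "IP-0A00778E", "name": "ncat.exe", "cmdline": "ncat.exe --listen -p 31337"},
    {"hostname": "IP-0A00778E", "name": "explorer.exe", "cmdline": "explorer.exe"},
    {"hostname": "HOST-B", "name": "ncat.exe", "cmdline": "ncat.exe 10.0.119.142 31337"},
    {"hostname": "HOST-C", "name": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]
# Constructed sample records mimicking the CurrentFlow/NetworkFlow fields.
FLOWS = [
    {"hostname": "IP-0A00778E", "process": "ncat.exe", "src_ip": "10.0.119.142",
     "src_port": 31337, "dst_ip": "10.0.119.150", "dst_port": 51790, "status": "Established"},
    {"hostname": "HOST-B", "process": "ncat.exe", "src_ip": "10.0.119.150",
     "src_port": 51790, "dst_ip": "10.0.119.142", "dst_port": 31337, "status": "Established"},
    {"hostname": "HOST-C", "process": "chrome.exe", "src_ip": "10.0.119.160",
     "src_port": 49211, "dst_ip": "93.184.216.34", "dst_port": 443, "status": "Established"},
]

def hosts_running(processes, name):
    """Step 2: hosts that show a process with this image name (case-insensitive)."""
    return sorted({p["hostname"] for p in processes if p["name"].lower() == name.lower()})

def established_pairs(flows, process):
    """Step 3: both sides of an established connection owned by `process`,
    collapsed so the listener and the connecting side yield one pair."""
    pairs = set()
    for f in flows:
        if f["process"].lower() == process.lower() and f["status"] == "Established":
            ends = [(f["src_ip"], f["src_port"]), (f["dst_ip"], f["dst_port"])]
            pairs.add(tuple(sorted(ends)))
    return sorted(pairs)

def hosts_using_port(flows, port):
    """Step 7: every host with a flow whose src_port or dst_port is `port`."""
    return sorted({f["hostname"] for f in flows if port in (f["src_port"], f["dst_port"])})

def trigger_fires(event, conditions):
    """Step 8: a trigger fires when every configured condition matches the event,
    e.g. {"src_port": 31337} or the process-name variant {"process": "ncat.exe"}."""
    return all(event.get(k) == v for k, v in conditions.items())

if __name__ == "__main__":
    print("ncat hosts:", hosts_running(PROCESSES, "ncat.exe"))
    print("established pairs:", established_pairs(FLOWS, "ncat.exe"))
    print("hosts on 31337:", hosts_using_port(FLOWS, 31337))
```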


9. Referring to the Threat Event Log: the trigger created for “Ncat” has been deployed successfully and has already fired, because the backdoor listener is still active. Let’s take a deeper look at the event to see exactly what is shown.


10. In Red: note the category “Threat Name”; for this instance it is “Remote Port – Ncat”, the name given to the trigger during creation. In Blue: Threat Source and Threat Target are the source and destination for this event, which lets investigators quickly pinpoint the issue and reduces the time needed for investigation.


Version history: Revision 1 of 1
Last update: 08-07-2015 10:12 AM