Stage Loader

Stage Loader

Signs of a Stage Loader

  • The detection results from the observation of two closed sessions where an internal host is attacking another internal host by uploading a payload which causes the destination host to connect back to the initial host to download additional stages of software
  • The threat score is higher if the count of connections made back to the initial host’s callback port is low; it is also higher the smaller the time-gap is between the initial payload upload connection and the connection made to download the stage; and callback ports of 4444 or 1337 (commonly used in post-exploit command and control) further boosts the threat score
  • The certainty score is driven by the similarity of the exchange to a model trained on malicious samples—the model includes bytes sent, bytes received, time-gap between initial payload and callback, protocol-difference between the two connections, and the durations for both first and second connection

Possible Root Cause of a Stage Loader

  • The initial host is transmitting an exploit to a destination host which runs a stage loader and connects back to the initial host to load the rest of the malware necessary for the attacker to make progress toward their goal
  • Bidirectional transaction-based protocols where commands or requests are issued over one port/protocol and data is returned shortly thereafter over another port/protocol can also trigger the detection—common protocols which behave in this manner include the WinRM 2.0 Framework (used for Windows remote management), PostgreSQL, and SNPP (Simple Network Paging Protocol)

Business Impact of a Stage Loader

  • Lateral movement within a network expands an attacker’s footprint and exposes an organization to substantial risk of data acquisition and exfiltration
  • Lateral movement through exploits or leveraging stolen credentials is involved in almost all high-profile breaches
  • The destination host which is attacked provides a possible perspective on the potential business impact

How to Investigate Stage Loading Sequences

  1. Determine whether there is any reason for the two hosts involved in a stage loading sequence to be communicating with each other
  2. Check to see whether any connections between the initial and destination host (in either direction) persist after the stage loading sequence
  3. Run all available endpoint checks on both the initial and the destination host to check for unwanted malware, but realize that fileless malware will typically escape detection

White Paper

Understanding Vectra AI

Vectra AI is a leading AI-driven threat detection and response platform. It uses machine learning to analyze network traffic and other data to identify and prioritize real threats.

This document provides a comprehensive guide to Vectra detections, including:

  • What Vectra detections are and how they work
  • Specific detections that Vectra can identify
  • How to interpret and respond to Vectra detections