# communication\_to\_malware

**Explanation**

The communication\_to\_malware NDM is designed to detect outbound connections to identified malware command and control (C2) nodes. The NDM triggers when a connection is made to an IP address that is in the malware\_command\_and\_control Threat Intelligence category and should be treated as a serious event.

**What to Look For**

Internal hosts involved in a communication\_to\_malware event should be scanned evaluated for malware infections as soon as possible, and isolated from other internal hosts if possible. External hosts should be blocked to prevent other internal infected hosts from communicating with C2 nodes.

**Related MITRE ATT\&CK Categories**

[Command and Control: Application Layer Protocol, Technique T1071 - Enterprise](https://attack.mitre.org/techniques/T1071)

[Command and Control: Non-Application Layer Protocol, Technique T1095 - Enterprise](https://attack.mitre.org/techniques/T1095)

[Command and Control: Non-Standard Port, Technique T1571 - Enterprise](https://attack.mitre.org/techniques/T1571)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.fusion.vectra.ai/detection-models/library/post-compromise/communication_to_malware.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.