topic Re: Category=CnC Connected, Event Type=Intrusion Event - malware-cnc in Endpoint Security

Category=CnC Connected, Event Type=Intrusion Event - malware-cnc

wwanjohi — Sun, 10 Mar 2019 20:17:06 GMT

Hello,

On one of my host I see 3 threats

1. Category=CnC Connected, Event Type=Intrusion Event - malware-cnc and Description= The host may be under remote control.

2. Category=Impact 2 Attack, Event Type= Impact 2 Intrusion Event - attempted-admin and Description= The host was attacked and is potentially vulnerable.

3. Category=Impact 2 Attack, Event Type= Impact 2 Intrusion Event - attempted-user and Description= The host was attacked and is potentially vulnerable.

My question: How can i know if this is a real attack or if the threat has been blocked.

Re: Category=CnC Connected, Event Type=Intrusion Event - malware-cnc

rick11 — Wed, 25 Apr 2018 09:33:48 GMT

You should investigate on the reported host with some AV, or suspicious network traffic/processes

Re: Category=CnC Connected, Event Type=Intrusion Event - malware-cnc

Marvin Rhoads — Wed, 25 Apr 2018 13:44:13 GMT

Look at Connections and/or Intrusion Event Tables and filter on that host IP address. Then look at whether the connection was allowed or blocked.

Re: Category=CnC Connected, Event Type=Intrusion Event - malware-cnc

Jetsy Mathew — Thu, 26 Apr 2018 06:36:33 GMT

Hello wwanjohi

Also if you have installed AMP connectors on those host , you can verify the device trajectory during the same time and see if there are any malicious activities going on.

Regards
Jetsy

Re: Category=CnC Connected, Event Type=Intrusion Event - malware-cnc

jranger_17 — Thu, 21 Feb 2019 17:34:14 GMT

I know this thread has some age, but I'm curious about your recommendation to "look at whether the connection was allowed or blocked." I'm still relatively new with the FMC, but I can easily look at connections and intrusion events using the host IP; however, that's going to give me a huge list of connections, with many allowed and many blocked. How can I relate any of those back to the logged intrusion event?

If it's reporting communication to a CnC, why doesn't it show the IP that triggered it?

I have to assume that if the device knows the target IP is a CnC server, that it would certainly block traffic to that host, but I've yet to find definitive evidence of that and feel like I need the IP in order to follow your recommendation.

Re: Category=CnC Connected, Event Type=Intrusion Event - malware-cnc

Marvin Rhoads — Thu, 21 Feb 2019 17:39:04 GMT

A blocked connection to a CnC server should normally show up under Security Intelligence events. It should be relatively easy to filter down that table to show only the host that was reported in the Intrusion event.

If a given host has many different Blocked connections, it should be visited in person and remediated rather than try to ascertain everything remotely from FMC.