https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403224#M1080797 <P>Firepower will both block the CNC traffic as well as alert you to the hosts generating it. It is useful to remediate the endpoints so that they are no longer a source of traffic that needs to be blocked. The CNC compromise on them may have other effects that aren't apparent on the firewall (lateral movement in the network, potential for a more serious breach if the device is mobile and goes off-network at some point, etc.)</P> Fri, 14 May 2021 16:52:39 GMT Marvin Rhoads 2021-05-14T16:52:39Z https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403164#M1080789 <P>Hello Team,</P><P>Getting Alarm for 25 Host compromised by SI system of FTD/FMC.</P><P>&nbsp;</P><P>Source of the hit is showing CNC.. which is already blocked by the policy..</P><P>&nbsp;</P><P>Not sure then why compromised host is showing.</P><P>&nbsp;</P><P>This&nbsp; devices are not there in prefilter policy..</P><P>&nbsp;</P><P>The customer don't have Malware license..</P><P>&nbsp;</P><P>Cisco FMC 6.4.0 version</P><P>&nbsp;</P><P>Kindly advise the next action or suggestion..</P> Fri, 14 May 2021 15:18:56 GMT https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403164#M1080789 anilkumar.cisco 2021-05-14T15:18:56Z https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403224#M1080797 <P>Firepower will both block the CNC traffic as well as alert you to the hosts generating it. It is useful to remediate the endpoints so that they are no longer a source of traffic that needs to be blocked. The CNC compromise on them may have other effects that aren't apparent on the firewall (lateral movement in the network, potential for a more serious breach if the device is mobile and goes off-network at some point, etc.)</P> Fri, 14 May 2021 16:52:39 GMT https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403224#M1080797 Marvin Rhoads 2021-05-14T16:52:39Z https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403364#M1080803 <P>Hello Marvin,</P><P>&nbsp;</P><P>In view of that.. how should we confirm the followings:-</P><UL><LI>no connections established between CnC and inside IP’s.</LI><LI>FW performing as designed in response to malicious connection attempts by dropping traffic even though we don't have malware license in FMC, but we are seeing traffic is block in between.</LI><LI>&nbsp;CnC alerts are a false alarm with no exposure to the customer base.</LI></UL><P>Best Regards</P><P>Anil Singh</P> Sat, 15 May 2021 02:09:03 GMT https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403364#M1080803 anilkumar.cisco 2021-05-15T02:09:03Z https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403650#M1080811 <P>It's not a false alarm - FMC is showing you that it blocked (dropped) an attempted CnC connection.</P> Sun, 16 May 2021 02:48:34 GMT https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403650#M1080811 Marvin Rhoads 2021-05-16T02:48:34Z https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403667#M1080813 <P>ok, I got it..</P><P>&nbsp;</P><P>Was also going through the below thread about the same subject line..</P><P>&nbsp;</P><P><A href="https://community.cisco.com/t5/endpoint-security/category-cnc-connected-event-type-intrusion-event-malware-cnc/m-p/3227116/highlight/true" target="_blank">Category=CnC Connected, Event Type=Intrusion Event - malware-cnc - Cisco Community</A></P><P>&nbsp;</P><P><A href="https://community.cisco.com/t5/network-security/firepower-blocking-cnc/td-p/3051975" target="_blank">Solved: Firepower blocking CnC - Cisco Community</A></P><P>&nbsp;</P><P><A href="https://community.cisco.com/t5/network-security/the-host-may-be-under-remote-control/m-p/3203475" target="_blank">Solved: Re: The host may be under remote control - Cisco Community</A></P><P>&nbsp;</P><P>my plan is :-</P><P>&nbsp;</P><P>To&nbsp;&nbsp;run NMAP Scan on the client and from FMC and check any open ports &nbsp;that are there at the client side etc.</P><P>&nbsp;</P><P>Similarly, we need to advise the local IT team to scan the such clients for virus and malware.</P><P>&nbsp;</P><P>Need to monitor any additional alerts from the same client (host profile).</P><P>&nbsp;</P><P>lookup destination ip whois, talos intelligence.</P><P>&nbsp;</P><P>We need to do this exercise with all compromise hosts..</P><P>&nbsp;</P><P>Any other suggestion from you!!</P> Sun, 16 May 2021 07:45:46 GMT https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403667#M1080813 anilkumar.cisco 2021-05-16T07:45:46Z https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403872#M1080823 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/166962">@anilkumar.cisco</a></P> <P>I don't think scanning with nmap will help much since the nature of CnC communications is that the communications are usually initiated from the infected host to the CnC server(s). As such, it will use an ephemeral port (i.e. 1025-65534) and not show up as an open port tom an external scan).</P> <P>Your steps 2-4 look pretty good.</P> Mon, 17 May 2021 03:01:03 GMT https://community.cisco.com/t5/network-security/25-compromise-host-ftd-fmc/m-p/4403872#M1080823 Marvin Rhoads 2021-05-17T03:01:03Z