topic Re: The host may be under remote control in Network Security

The host may be under remote control

enidvallja — Fri, 21 Feb 2020 14:33:04 GMT

Hello,

I've had this problem even before where FireSIGHT was indicating this message from a host. I did a full scan to the host with its anti-virus but nothing was captured.

CnC Connected

Intrusion Event - malware-cnc

Now I'm seeing this message again from 3 hosts, and one of the hosts is the public DNS (from ISP). I don't know what to do because the option "Scan Host" is not available in my FireSIGHT.

Thank you.

Enid.

Re: The host may be under remote control

mikael.lahtela — Mon, 23 Oct 2017 09:36:38 GMT

Hi,

You need to configure an instance of nmap scanner under Policy>Actions>Scanners before you can use "scan" button under host view.

Configuration example:

br, Micke

Re: The host may be under remote control

enidvallja — Mon, 23 Oct 2017 12:59:48 GMT

Hello Micke,

Thank you so much, I found the results of the scanning and I see only the host's ports if they are filtered or opened but not anything about any possible intrusion.

Enid.

Re: The host may be under remote control

mikael.lahtela — Mon, 23 Oct 2017 18:08:22 GMT

Hi again,

If you get security event CnC Connected (and Actions is blocked) it doesn't need to be a real threat.
Your client might have just got flagged cause they are surfing on the internet.
I see this alert a lot and most of the times it's just the responding ip/dns that is blacklisted by Talos.
Just do your regular security check on the client:
- check if there is other alerts from same client (host profil).
- check what type of traffic it is, source ports, destination ports, drill-down.
- scan with nmap to see any unnecessary open ports on the client.
- scan the client for virus, malware.
- lookup destination ip whois, talos intelligence.
- if you don't find anything, make a note, clear the client and see if it appears again.

br, Micke