Category=CnC Connected, Event Type=Intrusion Event - malware-cnc

wwanjohi
Level 1

Hello,

On one of my hosts I see 3 threats:

1. Category=CnC Connected, Event Type=Intrusion Event - malware-cnc and Description= The host may be under remote control.

2. Category=Impact 2 Attack, Event Type= Impact 2 Intrusion Event - attempted-admin and Description= The host was attacked and is potentially vulnerable.

3. Category=Impact 2 Attack, Event Type= Impact 2 Intrusion Event - attempted-user and Description= The host was attacked and is potentially vulnerable.


My question: How can I know if this is a real attack, or whether the threat has been blocked?

5 Replies

rick11
Level 1

You should investigate the reported host with some AV, or look for suspicious network traffic/processes.

Marvin Rhoads
Hall of Fame

Look at Connections and/or Intrusion Event Tables and filter on that host IP address. Then look at whether the connection was allowed or blocked.

I know this thread has some age, but I'm curious about your recommendation to "look at whether the connection was allowed or blocked."  I'm still relatively new with the FMC, but I can easily look at connections and intrusion events using the host IP; however, that's going to give me a huge list of connections, with many allowed and many blocked.  How can I relate any of those back to the logged intrusion event?

If it's reporting communication to a CnC, why doesn't it show the IP that triggered it?

I have to assume that if the device knows the target IP is a CnC server, that it would certainly block traffic to that host, but I've yet to find definitive evidence of that and feel like I need the IP in order to follow your recommendation.

A blocked connection to a CnC server should normally show up under Security Intelligence events. It should be relatively easy to filter down that table to show only the host that was reported in the Intrusion event.

If a given host has many different Blocked connections, it should be visited in person and remediated rather than trying to ascertain everything remotely from FMC.
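The correlation Marvin describes (filter the Connection / Security Intelligence tables to the host from the Intrusion event, then check the action) can be scripted against exported event records. The block below is an added example, not FMC's code or anything from this thread; the records are constructed and the field names (`src_ip`, `dst_ip`, `action`, `si_category`) are assumptions, not FMC's real export columns. It matches each intrusion event to connections between the same source/destination pair inside a time window and reports whether that traffic was blocked, allowed, or mixed.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on the Intrusion and
# Connection/Security Intelligence tables discussed above. Field names and
# values are assumptions for illustration, not FMC's real export schema.
INTRUSION_EVENTS = [
    {"time": "2024-05-01 10:00:05", "src_ip": "10.1.2.3", "dst_ip": "203.0.113.9",
     "classification": "malware-cnc", "impact": 2},
    {"time": "2024-05-01 10:20:30", "src_ip": "10.1.2.3", "dst_ip": "198.51.100.7",
     "classification": "attempted-admin", "impact": 2},
]
CONNECTION_EVENTS = [
    {"time": "2024-05-01 09:59:58", "src_ip": "10.1.2.3", "dst_ip": "203.0.113.9",
     "action": "Block", "si_category": "CnC"},
    {"time": "2024-05-01 10:00:04", "src_ip": "10.1.2.3", "dst_ip": "203.0.113.9",
     "action": "Allow", "si_category": ""},
    {"time": "2024-05-01 10:20:31", "src_ip": "10.1.2.3", "dst_ip": "198.51.100.7",
     "action": "Allow", "si_category": ""},
    {"time": "2024-05-01 10:05:00", "src_ip": "10.9.9.9", "dst_ip": "203.0.113.9",
     "action": "Block", "si_category": "CnC"},  # different host, must not match
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(intrusion_events, connection_events, window_seconds=30):
    """For each intrusion event, collect the connections between the same
    src/dst pair within +/- window_seconds and derive a triage verdict."""
    window = timedelta(seconds=window_seconds)
    results = []
    for ie in intrusion_events:
        t = _ts(ie["time"])
        matches = [c for c in connection_events
                   if c["src_ip"] == ie["src_ip"] and c["dst_ip"] == ie["dst_ip"]
                   and abs(_ts(c["time"]) - t) <= window]
        actions = {c["action"] for c in matches}
        if not matches:
            verdict = "no matching connection: widen the window or check the SI table"
        elif actions == {"Block"}:
            verdict = "blocked"
        elif "Block" in actions:
            verdict = "mixed: some traffic was allowed, host needs hands-on triage"
        else:
            verdict = "allowed: host needs hands-on triage"
        results.append({"intrusion": ie, "matches": matches, "verdict": verdict})
    return results
```

A "mixed" or "allowed" verdict is the case the thread warns about: the signature fired but at least one connection to that peer got through, so the host should be examined directly rather than judged from FMC alone.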

Jetsy Mathew
Cisco Employee
Hello wwanjohi

Also, if you have installed AMP connectors on those hosts, you can verify the device trajectory during the same time window and see if there are any malicious activities going on.

Regards
Jetsy