05-14-2021 08:18 AM
Hello Team,
Getting alarms for 25 hosts compromised by the SI system of FTD/FMC.
Source of the hit is showing CNC.. which is already blocked by the policy..
Not sure then why the compromised hosts are showing.
These devices are not there in the prefilter policy..
The customer doesn't have a Malware license..
Cisco FMC 6.4.0 version
Kindly advise the next action or suggestion..
05-14-2021 09:52 AM
Firepower will both block the CNC traffic as well as alert you to the hosts generating it. It is useful to remediate the endpoints so that they are no longer a source of traffic that needs to be blocked. The CNC compromise on them may have other effects that aren't apparent on the firewall (lateral movement in the network, potential for a more serious breach if the device is mobile and goes off-network at some point, etc.)
05-14-2021 07:09 PM
Hello Marvin,
In view of that.. how should we confirm the following:-
Best Regards
Anil Singh
05-15-2021 07:48 PM
It's not a false alarm - FMC is showing you that it blocked (dropped) an attempted CnC connection.
05-16-2021 12:45 AM
OK, I got it..
Was also going through the below threads about the same subject line..
Category=CnC Connected, Event Type=Intrusion Event - malware-cnc - Cisco Community
Solved: Firepower blocking CnC - Cisco Community
Solved: Re: The host may be under remote control - Cisco Community
my plan is :-
1. To run an NMAP scan on the client and from FMC and check for any open ports that are there on the client side etc.
2. Similarly, we need to advise the local IT team to scan such clients for viruses and malware.
3. Need to monitor any additional alerts from the same client (host profile).
4. Look up destination IP whois, Talos intelligence.
5. We need to do this exercise with all compromised hosts..
Any other suggestions from you!!
05-16-2021 08:01 PM
I don't think scanning with nmap will help much since the nature of CnC communications is that the communications are usually initiated from the infected host to the CnC server(s). As such, it will use an ephemeral port (i.e. 1025-65534) and not show up as an open port to an external scan.
Your steps 2-4 look pretty good.