- February 22, 2022: Added fields and detail sections – Details, Duration, Infection, Packet Evidence, Remediation Instructions, Risks, Targeted Platform, GeoIP Location, Observation Count, Occurrence First Seen, Occurrence Last Seen, Representative Event Timestamp, Status History, Assets, IP Attributions, & Comments.
- May 11, 2021: To allow for faster identification of infected machines, destination IP addresses of Compromised System findings for your organization are now unmasked.
- April 6, 2021: Forensics integrated into Findings.
Compromised Systems Findings
The Botnet Infections risk vector is an indication of a host participating in a botnet, including active bots and Command and Control servers (C&C servers).
View findings from the Findings page or the Bitsight API. Botnet Infections are categorized and given names (e.g., Zeus, Gamarue, AndroidBauts). Filter by the various names to quickly identify systems and devices that have been compromised by a particular botnet.
*Availability varies based on the detection mechanism.
Details
Field | Description |
---|---|
Details | Details of the event. |
Duration | The duration when the system was compromised. |
Infection | The name of the infection. |
Packet Evidence | Download a packet capture (PCAP or libpcap) containing the raw forensic evidence. |
Remediation Instructions | Resources for remediation. |
Risks | Potential risk to the organization. |
Targeted Platform | The targeted operating system. |
User Agent | The user’s browser details. Malware can use the User-Agent HTTP header to transmit information about itself or the compromised system to C&C servers. |
Status History
Issue Tracking history. Issue Tracking establishes a remediation process framework so you can monitor, track, and report your progress on remediating your findings.
Forensics
The following details are also included with the Forensics add-on package:
Field | Description |
---|---|
C&C Domain* | A device acting as part of a botnet was seen communicating with this server. It's likely to be the command and control server or a sinkhole. For HTTP-based bots, this is taken from the HTTP Host header and is sometimes an IP address instead of a domain. To evade firewall filtering, this field occasionally lists a non-malicious domain. |
C&C IP* | The IP address of the command and control server for this botnet, which sends instructions to all connected bots. |
Detection Mechanism | The method used to detect the infection. |
Destination IP | The destination IP address that observed the event. It is not malicious; blocking access to it from your organization's network does not provide any security benefit. |
Destination Port | The port that’s identified as the destination of traffic from a compromised device. |
GeoIP Location | Country code where the IP address involved in the event resides. |
Observation Count | Number of times the event was observed in a 24-hour period, between midnight UTC one day and midnight UTC the next day. |
Observations | Number of times the botnet was observed in a 24-hour period, between midnight UTC one day and midnight UTC the next day. |
Occurrence First Seen | The first time the event was seen. |
Occurrence Last Seen | The last time the event was seen. |
Representative Event Timestamp | The date and time when the event was observed. |
Request Method | The HTTP request method (GET, POST, etc.) used by the compromised system to communicate with its command and control center. |
Server Name* | The domain name of the server, which is a known C&C server, sinkhole, or adware host. A device was observed connecting to this server. |
Source Port | The port that’s identified as the source of traffic to a compromised device. |
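The following is an added example, not code from this page or from Bitsight, showing how a defender might triage exported Compromised Systems findings: filtering by infection name (as the introduction describes), computing the daily Observation Count from midnight-UTC to midnight-UTC windows, deriving the Occurrence First Seen / Last Seen window per asset, and collecting C&C indicators while leaving the Destination IP out of any block candidates. The flat record layout and the sample findings are constructed for this example and are not the Bitsight API schema.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records. Field names follow the columns described on this
# page, but the flat layout is an assumption for this example, not the API schema.
SAMPLE_FINDINGS = [
    {"asset": "203.0.113.10", "infection": "Zeus",
     "cnc_domain": "cnc.example.invalid", "cnc_ip": "192.0.2.44",
     "destination_ip": "198.51.100.5",  # observing side, not malicious
     "request_method": "POST",
     "event_timestamps": ["2022-03-01T23:50:00Z",   # last minutes of 1 March UTC
                          "2022-03-02T00:10:00Z",   # first minutes of 2 March UTC
                          "2022-03-02T13:00:00Z"]},
    {"asset": "203.0.113.22", "infection": "Gamarue",
     "cnc_domain": "update.example.invalid", "cnc_ip": "192.0.2.77",
     "destination_ip": "198.51.100.5", "request_method": "GET",
     "event_timestamps": ["2022-03-02T08:00:00Z", "2022-03-04T08:00:00Z"]},
    {"asset": "203.0.113.10", "infection": "Zeus",
     "cnc_domain": "cnc.example.invalid", "cnc_ip": "192.0.2.44",
     "destination_ip": "198.51.100.9", "request_method": "POST",
     "event_timestamps": ["2022-03-03T02:00:00Z"]},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp ending in 'Z' into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def observation_counts(timestamps):
    """Count events per 24-hour window from midnight UTC to midnight UTC,
    matching the Observation Count definition. Returns {'YYYY-MM-DD': count}."""
    counts = Counter(parse_ts(t).date().isoformat() for t in timestamps)
    return dict(sorted(counts.items()))


def occurrence_window(timestamps):
    """Return (first_seen, last_seen, duration_hours) for a set of events."""
    stamps = sorted(parse_ts(t) for t in timestamps)
    first, last = stamps[0], stamps[-1]
    return first.isoformat(), last.isoformat(), (last - first).total_seconds() / 3600


def filter_by_infection(findings, name):
    """Keep only findings for one named botnet (case-insensitive match)."""
    return [f for f in findings if f["infection"].lower() == name.lower()]


def asset_summary(findings):
    """Roll findings up per asset: infections seen, overall first/last seen and
    duration, daily observation counts, and the C&C infrastructure contacted."""
    per_asset = {}
    for f in findings:
        entry = per_asset.setdefault(f["asset"], {"infections": set(), "timestamps": [], "cnc": set()})
        entry["infections"].add(f["infection"])
        entry["timestamps"].extend(f["event_timestamps"])
        entry["cnc"].add((f["cnc_domain"], f["cnc_ip"]))
    summary = {}
    for asset, entry in per_asset.items():
        first, last, hours = occurrence_window(entry["timestamps"])
        summary[asset] = {
            "infections": sorted(entry["infections"]),
            "first_seen": first,
            "last_seen": last,
            "duration_hours": hours,
            "daily_observations": observation_counts(entry["timestamps"]),
            "cnc": sorted(entry["cnc"]),
        }
    return summary


def indicator_candidates(findings):
    """Collect C&C domains and IPs for analyst review. Destination IPs are
    deliberately excluded: they are the observing side and blocking them gives
    no benefit. C&C domains are listed for review rather than automatic
    blocking, since that field can occasionally carry a benign hostname."""
    return {
        "cnc_domains": sorted({f["cnc_domain"] for f in findings}),
        "cnc_ips": sorted({f["cnc_ip"] for f in findings}),
    }


if __name__ == "__main__":
    for asset, info in asset_summary(filter_by_infection(SAMPLE_FINDINGS, "zeus")).items():
        print(asset, info)
    print(indicator_candidates(SAMPLE_FINDINGS))
```

The two timestamps either side of midnight on 1/2 March land in different observation windows, which is the behaviour the Observation Count field describes; a naive 24-hours-from-first-event count would merge them.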
Assets
Field | Description |
---|---|
Asset | The asset attributed to the event. |
Calculated Importance | The Bitsight-calculated asset importance. |
View findings | View all findings in the asset. |
IP Attributions
The reason for attributing the IP address to the organization.
Comments
Finding comments for having discussions about findings.