⇤ Compromised Systems Findings
The Botnet Infections risk vector is an indication of a host participating in a botnet, including active bots and Command and Control servers (C&C servers).
Navigation Options
SPM App: Findings ➔ Findings Table
- Select a company from your Companies List.
- Go to
Vendor Risk ➔ Findings
- Select a company from your Companies List.
- Go to
Client Risk ➔ Findings
Botnet Infections are categorized and given names (e.g., Zeus, Gamarue, AndroidBauts). Filter by the various names to quickly identify systems and devices that have been compromised by a particular botnet.
❖ Availability varies based on the detection mechanism.
Details
| Field | Description |
|---|---|
| Details | Details of the event. |
| Duration | The duration when the system was compromised. |
| Infection | The name of the infection. |
| Packet Evidence | Download a packet capture (PCAP or libpcap) containing the raw forensic evidence. |
| Remediation Instructions | Resources for remediation. |
| Risks | Potential risk to the organization. |
| Targeted Platform | The targeted operating system. |
| User Agent | The user’s browser details. Malware can use the HTTP header to transmit information about itself or the compromised system to C&C servers. |
Status History
Issue Tracking history. Issue Tracking establishes a remediation process framework so you can monitor, track, and report your progress on remediating your findings.
Forensics
The following details are also included with the Forensics add-on package:
| Field | Description |
|---|---|
| ❖ C&C Domain | A device acting as part of a botnet was seen communicating with this server. It's likely to be the command and control server or a sinkhole. For HTTP-based bots, this is taken from the HTTP Host header and is sometimes an IP address instead of a domain. To evade firewall filtering, this field occasionally lists a non-malicious domain. |
| ❖ C&C IP | The IP address of the command and control server for this botnet, which sends instructions to all connected bots. |
| Detection Mechanism | The method used to detect the infection. |
| Destination IP | The destination IP address that observed the event. It is not malicious; Blocking access to it from your organization's network does not provide any security benefit. Learn more… |
| Destination Port | The port that’s identified as the destination of traffic from a compromised device. |
| GeoIP Location | Country code where the IP address involved in the event resides. |
| Observation Count | Number of times the event was observed in a 24-hour period, between midnight UTC one day and midnight UTC the next day. |
| Observations | Number of times the botnet was observed in a 24-hour period, between midnight UTC one day and midnight UTC the next day. |
| Occurrence First Seen | The first time the event was seen. |
| Occurrence Last Seen | The last time the event was seen. |
| Representative Event Timestamp | The date and time when the event was observed. |
| Request Method | The HTTP request method (GET, POST, etc) used by the compromised system to communicate with its command and control center. |
| ❖ Server Name | The domain name of the server, which is a known C&C server, sinkhole, or adware host. A device was observed connecting to this server. |
| Source Port | The port that’s identified as the source of traffic to a compromised device. |
Assets
| Field | Description |
|---|---|
| Asset | The asset attributed to the event. |
| Calculated Importance | The Bitsight-calculated asset importance. |
| View findings | View all findings in the asset. |
IP Attributions
The reason for attributing the IP address to the organization.
Comments
Finding comments for having discussions about findings.
- October 29, 2024: Findings Table navigation instructions moved from Risks to a new Findings section in the menu.
- January 19, 2024: Navigation by application.
- February 22, 2022: Added fields and detail sections – Details, Duration, Infection, Packet Evidence, Remediation Instructions, Risks, Targeted Platform, GeoIP Location, Observation Count, Occurrence First Seen, Occurrence Last Seen, Representative Event Timestamp, Status History, Assets, IP Attributions, & Comments.
Feedback
0 comments
Please sign in to leave a comment.