Compromised Systems Findings
The Botnet Infections risk vector indicates that a host is participating in a botnet, either as an active bot or as a Command and Control server (C&C server).
Botnet Infections are categorized and given names (e.g., Zeus, Gamarue, AndroidBauts). Filter by the various names to quickly identify systems and devices that have been compromised by a particular botnet.
❖ Availability of this field varies based on the detection mechanism.
Details
Field | Description |
---|---|
Details | Details of the event. |
Duration | The length of time over which the system was observed as compromised. |
Infection | The name of the infection. |
Packet Evidence | Download a packet capture (PCAP or libpcap) containing the raw forensic evidence. |
Remediation Instructions | Resources for remediation. |
Risks | Potential risk to the organization. |
Targeted Platform | The targeted operating system. |
User Agent | The User-Agent string sent in the HTTP request, which normally identifies the browser. Malware can use this header to transmit information about itself or the compromised system to its C&C servers, so an unusual value is itself an indicator. |
Status History
The Issue Tracking history for the finding. Issue Tracking establishes a remediation process framework so you can monitor, track, and report progress on remediating your findings.
Forensics
The following details are also included with the Forensics add-on package:
Field | Description |
---|---|
❖ C&C Domain | The server that a device acting as part of a botnet was seen communicating with. It is likely to be the command and control server or a sinkhole. For HTTP-based bots, this value is taken from the HTTP Host header and is sometimes an IP address instead of a domain. Because some bots set a benign-looking Host header to evade firewall filtering, this field occasionally lists a non-malicious domain. |
❖ C&C IP | The IP address of the command and control server for this botnet, which sends instructions to all connected bots. |
Detection Mechanism | The method used to detect the infection. |
Destination IP | The destination IP address of the observed traffic, i.e. the host at which the event was observed. It is not malicious; blocking access to it from your organization's network does not provide any security benefit. |
Destination Port | The port that’s identified as the destination of traffic from a compromised device. |
GeoIP Location | Country code where the IP address involved in the event resides. |
Observation Count | Number of times the event was observed in a 24-hour period, between midnight UTC one day and midnight UTC the next day. |
Observations | Number of times the botnet was observed in a 24-hour period, between midnight UTC one day and midnight UTC the next day. |
Occurrence First Seen | The first time the event was seen. |
Occurrence Last Seen | The last time the event was seen. |
Representative Event Timestamp | The date and time when the event was observed. |
Request Method | The HTTP request method (GET, POST, etc.) used by the compromised system to communicate with its command and control server. |
❖ Server Name | The domain name of the server, which is a known C&C server, sinkhole, or adware host. A device was observed connecting to this server. |
Source Port | The port identified as the source of the observed traffic from the compromised device. |
Assets
Field | Description |
---|---|
Asset | The asset attributed to the event. |
Calculated Importance | The Bitsight-calculated asset importance. |
View findings | View all findings for the asset. |
IP Attributions
The reason for attributing the IP address to the organization.
Comments
Finding comments for having discussions about findings.
- October 29, 2024: Findings Table navigation instructions moved from Risks to a new Findings section in the menu.
- January 19, 2024: Navigation by application.
- February 22, 2022: Added fields and detail sections – Details, Duration, Infection, Packet Evidence, Remediation Instructions, Risks, Targeted Platform, GeoIP Location, Observation Count, Occurrence First Seen, Occurrence Last Seen, Representative Event Timestamp, Status History, Assets, IP Attributions, & Comments.