The Potentially Exploited risk vector indicates that a device on a company’s network is running a potentially unwanted program (PUP) or potentially unwanted application (PUA).
Finding Details
The details include the data in Findings, Compromised Systems details, and also the following information:
| Field | Description |
|---|---|
| Details | An overview of the finding. |
| Duration | The duration of the finding. |
| Infection | The name of the PUP or PUA. |
| Remediation Instructions | Instructions and resources to remediate the finding. |
| Risks | Possible risks. |
| Targeted Platform | The type of operating system (OS) that was targeted by the infection. |
| User Agent | The user’s browser details. Malware can use the HTTP User-Agent header to transmit information about itself or the compromised system to C&C servers. |
Forensics
The following details are also included with the Forensics add-on package:
| Field | Description |
|---|---|
| C&C IP | The destination IP address. |
| Destination Port | The port identified as the destination of traffic coming from the affected device. |
| Detection Mechanism | The method used to detect the finding. |
| GeoIP Location | The geographical location where the involved IP address resides. |
| Observed Behavior | The type of behavior that indicated that the device was compromised. |
| Observation Count | The number of times the potentially exploited system was observed during a 24-hour period, between midnight UTC one day and midnight UTC the next day. |
| Potentially Exploited | Shows the type or name of the detected unwanted application. |
| Request Method | The HTTP request method (GET, POST, etc.) used by the compromised device to communicate with its C&C server. |
| Server Name* | The domain name of the server, which is a known C&C server, sinkhole, or adware host. A device was observed connecting to this server. |
| Source Port | The port identified as the source of traffic from a compromised device. |
| User Agent | The user’s browser details. Malware can use the HTTP User-Agent header to transmit information about itself or the compromised system to C&C servers. |
*Availability varies based on the detection mechanism.
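The Forensics fields above are what a defender ends up reconstructing from egress logs: which internal device talked to a flagged server, on which ports, with which request methods and User-Agent, and how many times per UTC day. The following added example (not the vendor's code or detection logic) shows one way to derive those fields from a few constructed proxy log records. The server names, IP addresses, user agents and the `FLAGGED_SERVERS` lookup are all placeholders invented for the example, and `suspicious_user_agent` is an illustrative heuristic, not the mechanism the page describes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed web-proxy records (UTC timestamp, src_ip, src_port, dst_ip,
# dst_port, server_name, method, user_agent). All values are made up.
PROXY_LOG = [
    ("2024-05-11T01:15:02Z", "10.0.5.23", 51234, "203.0.113.7", 80,
     "ads.example-adware.test", "GET", "Mozilla/5.0 (Windows NT 10.0)"),
    ("2024-05-11T13:40:11Z", "10.0.5.23", 51290, "203.0.113.7", 80,
     "ads.example-adware.test", "POST", "Mozilla/5.0 (Windows NT 10.0)"),
    # 30 seconds past midnight UTC: belongs to the next 24-hour window.
    ("2024-05-12T00:00:30Z", "10.0.5.23", 51301, "203.0.113.7", 80,
     "ads.example-adware.test", "GET", "Mozilla/5.0 (Windows NT 10.0)"),
    ("2024-05-11T09:02:45Z", "10.0.7.8", 44021, "198.51.100.9", 443,
     "sinkhole.example.test", "GET", "BOT/1.0 id=DESKTOP-ABC123"),
    # Ordinary traffic that must not produce a finding.
    ("2024-05-11T10:00:00Z", "10.0.7.9", 44100, "93.184.216.34", 443,
     "www.example.com", "GET", "Mozilla/5.0"),
]

# Constructed stand-in for a threat-intel feed of known C&C, sinkhole and
# adware hosts, mapped to the unwanted-application label to report.
FLAGGED_SERVERS = {
    "ads.example-adware.test": "Grayware",
    "sinkhole.example.test": "Techsnab",
}


@dataclass
class Finding:
    """One Forensics-style finding: a device seen talking to a flagged
    server on a given destination IP/port during one UTC calendar day."""
    source_ip: str
    potentially_exploited: str   # name of the detected unwanted application
    server_name: str
    cc_ip: str                   # C&C IP: destination address
    destination_port: int
    observation_day: str         # midnight UTC to midnight UTC
    observation_count: int
    request_methods: set
    source_ports: set
    user_agents: set


def utc_day(ts: str) -> str:
    """Bucket an ISO-8601 'Z' timestamp into its UTC calendar day."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.date().isoformat()


def suspicious_user_agent(ua: str) -> bool:
    """Illustrative heuristic (an assumption, not the vendor's logic):
    a non-browser UA or one carrying key=value tokens may be leaking
    host details to a C&C server."""
    return not ua.startswith("Mozilla/") or "=" in ua


def build_findings(log_rows, flagged):
    """Group flagged connections per (device, server, C&C IP, port, UTC day)
    and count observations, the way the Observation Count field is defined."""
    groups = {}
    for ts, src_ip, src_port, dst_ip, dst_port, server, method, ua in log_rows:
        label = flagged.get(server.lower())
        if label is None:
            continue  # not a known C&C, sinkhole or adware host
        day = utc_day(ts)
        key = (src_ip, server, dst_ip, dst_port, day)
        finding = groups.get(key)
        if finding is None:
            finding = Finding(src_ip, label, server, dst_ip, dst_port, day,
                              0, set(), set(), set())
            groups[key] = finding
        finding.observation_count += 1
        finding.request_methods.add(method)
        finding.source_ports.add(src_port)
        finding.user_agents.add(ua)
    return sorted(groups.values(), key=lambda f: (f.source_ip, f.observation_day))


if __name__ == "__main__":
    for f in build_findings(PROXY_LOG, FLAGGED_SERVERS):
        flag = any(suspicious_user_agent(u) for u in f.user_agents)
        print(f"{f.source_ip} -> {f.server_name} ({f.cc_ip}:{f.destination_port}) "
              f"{f.potentially_exploited} day={f.observation_day} "
              f"count={f.observation_count} methods={sorted(f.request_methods)} "
              f"suspicious_ua={flag}")
```

Note that the third record for 10.0.5.23 falls 30 seconds after midnight UTC and therefore starts a new finding with its own Observation Count, which is exactly the boundary the table defines; an analyst comparing counts across days should keep that boundary in mind when a device is active around midnight UTC.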
Filters
The following filters are available:
| Field | Description |
|---|---|
| Admogo | An Android app that displays advertisements and may steal the user’s personal information. |
| CrossRider | A piece of malware created using the CrossRider browser extension tool. |
| Grayware | A potentially unwanted application that may be indicative of weak security practices or other compromises. |
| Mobile Spy | Tracks mobile usage behavior and sends reports to a server. |
| Port Scanner | A botnet is scanning the Internet looking for new devices to infect. |
| Techsnab | Malicious adware designed to trick users into engaging in click fraud. |
- October 29, 2024: Findings Table navigation instructions moved from Risks to a new Findings section in the menu.
- January 19, 2024: Findings Table navigation by application.
- May 11, 2021: To allow for faster identification of infected machines, destination IP addresses of Compromised System findings for your organization are now unmasked.