Compromised Systems Findings
The Potentially Exploited risk vector indicates that a device on a company’s network is running a potentially unwanted program (PUP) or potentially unwanted application (PUA).
Finding Details
*Availability varies based on the detection mechanism.
In addition to the standard Findings and Compromised Systems details, a Potentially Exploited finding includes the following information:
| Field | Description |
|---|---|
| Details | An overview of the finding. |
| Duration | The duration of the finding. |
| Infection | The name of the PUP or PUA. |
| Remediation Instructions | Instructions and resources to remediate the finding. |
| Risks | Possible risks. |
| Targeted Platform | The type of operating system (OS) that was targeted by the infection. |
| User Agent | The User-Agent string from the HTTP request made by the affected device. Malware can use this header to transmit information about itself or the compromised system to C&C servers, so a User-Agent that does not match any browser deployed in the organization is a useful indicator. |
Forensics
The following details are also included with the Forensics add-on package:
| Field | Description |
|---|---|
| C&C IP | The destination IP address. |
| Destination Port | The port identified as the destination of traffic coming from the affected device. |
| Detection Mechanism | The method used to detect the finding. |
| GeoIP Location | The geographic location associated with the C&C IP address. |
| Observed Behavior | The type of behavior that indicated that the device was compromised. |
| Observation Count | The number of times the potentially exploited system was observed during a 24-hour period, between midnight UTC one day and midnight UTC the next day. |
| Potentially Exploited | Shows the type or name of the detected unwanted application. |
| Request Method | The HTTP request method (GET, POST, etc.) used by the compromised device to communicate with its C&C server. |
| Server Name* | The domain name of the server, which is a known C&C server, sinkhole, or adware host. A device was observed connecting to this server. |
| Source Port | The port identified as the source of traffic from a compromised device. |
| User Agent | The User-Agent string from the HTTP request made by the affected device. Malware can use this header to transmit information about itself or the compromised system to C&C servers, so a User-Agent that does not match any browser deployed in the organization is a useful indicator. |
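The Forensics fields above are what an analyst needs to pivot from the finding into the organization's own web-proxy or firewall logs. The script below, an added example that is not part of the original page and not the rating vendor's code, shows that pivot end to end: it parses constructed proxy log lines, matches the destination host against a constructed list of known C&C, sinkhole and adware hosts, and emits records with the same fields (C&C IP, destination and source ports, request method, server name, user agent) plus an Observation Count computed over the same midnight-to-midnight UTC window the table describes. The hostnames, IP addresses, user agents and infection labels are all hypothetical.

```python
"""Correlate local proxy logs against known C&C / sinkhole hosts and build
findings shaped like the Forensics fields (added example, constructed data)."""
import shlex
from datetime import datetime, timezone

# Constructed: hypothetical server names mapped to the PUP/PUA they indicate.
KNOWN_SERVERS = {
    "ads.example-adware.test": "Techsnab",
    "sink.example-sinkhole.test": "CrossRider",
}

# Constructed proxy log lines. Columns: timestamp (UTC), source IP, source port,
# destination IP, destination port, method, host, quoted User-Agent.
SAMPLE_LOG = """\
2024-05-01T23:58:10Z 10.0.0.5 51234 198.51.100.7 80 GET ads.example-adware.test "TechsnabUpdater/1.2 (Windows NT 10.0; Build 19045)"
2024-05-02T00:01:30Z 10.0.0.5 51240 198.51.100.7 80 GET ads.example-adware.test "TechsnabUpdater/1.2 (Windows NT 10.0; Build 19045)"
2024-05-02T08:15:00Z 10.0.0.5 51301 198.51.100.7 80 POST ads.example-adware.test "TechsnabUpdater/1.2 (Windows NT 10.0; Build 19045)"
2024-05-02T09:00:00Z 10.0.0.9 40022 203.0.113.9 443 GET sink.example-sinkhole.test "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-02T09:05:00Z 10.0.0.9 40031 93.184.216.34 443 GET www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
"""


def parse_line(line):
    """Split one constructed log line into a dict; shlex keeps the quoted UA intact."""
    ts, src_ip, src_port, dst_ip, dst_port, method, host, ua = shlex.split(line)
    return {
        "timestamp": ts, "source_ip": src_ip, "source_port": int(src_port),
        "c2_ip": dst_ip, "destination_port": int(dst_port),
        "request_method": method, "server_name": host, "user_agent": ua,
    }


def utc_day(ts):
    """Observation Count is per UTC calendar day (midnight UTC to midnight UTC)."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.date().isoformat()


def targeted_platform(ua):
    """Crude OS guess from the User-Agent; 'Unknown' when nothing recognizable."""
    for needle, platform in (("Windows NT", "Windows"), ("Android", "Android"),
                             ("Mac OS X", "macOS"), ("Linux", "Linux")):
        if needle in ua:
            return platform
    return "Unknown"


def build_findings(log_text, known_servers=KNOWN_SERVERS):
    """Group matching requests by (device, server, UTC day) and count observations."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        infection = known_servers.get(rec["server_name"])
        if infection is None:
            continue  # ordinary traffic, not a known C&C / sinkhole / adware host
        key = (rec["source_ip"], rec["server_name"], utc_day(rec["timestamp"]))
        f = findings.get(key)
        if f is None:
            f = findings[key] = {
                "source_ip": rec["source_ip"],
                "server_name": rec["server_name"],
                "c2_ip": rec["c2_ip"],
                "destination_port": rec["destination_port"],
                "potentially_exploited": infection,
                "observation_day_utc": key[2],
                "observation_count": 0,
                "request_methods": set(),
                "source_ports": set(),
                "user_agent": rec["user_agent"],
                # Non-browser UAs (not "Mozilla/...") are often malware phoning home.
                "browser_like_user_agent": rec["user_agent"].startswith("Mozilla/"),
                "targeted_platform": targeted_platform(rec["user_agent"]),
                "detection_mechanism": "proxy log match against known-server list",
            }
        f["observation_count"] += 1
        f["request_methods"].add(rec["request_method"])
        f["source_ports"].add(rec["source_port"])
    # Freeze the sets into sorted lists so the records are stable and serializable.
    for f in findings.values():
        f["request_methods"] = sorted(f["request_methods"])
        f["source_ports"] = sorted(f["source_ports"])
    return list(findings.values())


if __name__ == "__main__":
    for finding in build_findings(SAMPLE_LOG):
        print(finding)
```

Note that the first two requests from 10.0.0.5 are two minutes apart but straddle midnight UTC, so they land in different Observation Count windows; a local-time grouping would merge them and disagree with the reported count.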
Filters
The following filters are available:
| Field | Description |
|---|---|
| Admogo | An Android app that displays advertisements and may steal the user’s personal information. |
| CrossRider | A piece of malware created using the CrossRider browser extension tool. |
| Grayware | A potentially unwanted application that may be indicative of weak security practices or other compromises. |
| Mobile Spy | Tracks mobile usage behavior and sends reports to a server. |
| Port Scanner | The device was observed scanning the Internet for other hosts, behavior typical of a botnet looking for new devices to infect. |
| Techsnab | Malicious adware designed to trick users into engaging in click fraud. |
- October 29, 2024: Findings Table navigation instructions moved from Risks to a new Findings section in the menu.
- January 19, 2024: Added Findings Table navigation by application.
- May 11, 2021: To allow for faster identification of infected machines, destination IP addresses of Compromised System findings for your organization are now unmasked.