CB Defense: Why Are There Multiple System Attempted To Accept Connection Events In The Defense Web Console?

Environment

  • CB Defense Web Console: All Versions
  • CB Defense Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • MacOS: All Supported Versions

Question

Why Are There Multiple "System Attempted To Accept (PROTOCOL/PORT) Connection From Address (IP)" Events In The CB Defense Web Console?


Answer

These events are presented in the web console under the ATTEMPTED_SERVER TTP, which indicates that an inbound connection attempt was made to the local machine. Such connection attempts can be related to incorrect or invalid credential attempts, vulnerability scans, or potentially malicious applications.


Additional Notes

Incorrect / Invalid credential attempts:

  • Review local logs and remote machine logs for access failures
  • Use the port information to help identify likely applications
  • Use Wireshark to view connection attempts

Vulnerability Scans:

  • These scans generally run quickly and generate a lot of connection attempts. Local firewalls and/or applications may have built-in mechanisms to block or drop this activity, which can in turn produce many new connection attempts.
  • If the inbound connection IPs are on your internal network, verify whether the remote system is being used to perform vulnerability assessments or is running asset management tools.
  • If the inbound connection IPs are outside your network:
    • Evaluate the IPs against known web-based scanners (zmap.io, shodan.io, censys.io, wappalyzer.com, wpscans.com, quttera.com, shadowserver.org, etc.)
    • Check local IIS / web logs for GET requests
    • Consider creating firewall block rules based on your findings

Potentially Malicious Applications:

  • Review sensor data for local and remote systems within the CbD web console
  • Review the Alerts page
  • Search for interesting TTPs such as: TTP:ACTIVE_SERVER OR TTP:NON_STANDARD_PORT OR TTP:BEACON
  • Evaluate your findings
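The three triage paths above are easier to pick when the console events are exported and grouped by source address: a scan tends to touch many ports from one IP within seconds, while credential guessing repeatedly hits a single listening port. The following Python is an added example and not Carbon Black's code; it parses the event text quoted in the question from a constructed tab-separated export (timestamp, description; the export layout and the thresholds are assumptions) and assigns each source IP to one of those paths.

```python
import re
from collections import defaultdict
from datetime import datetime

# Event text as it appears in the console, e.g.
# "System attempted to accept TCP/3389 connection from address 203.0.113.7"
EVENT_RE = re.compile(
    r"System attempted to accept (?P<proto>\w+)/(?P<port>\d+) connection "
    r"from address (?P<ip>[\d.]+)", re.IGNORECASE)
# Constructed sample export (not real data): "timestamp<TAB>event description" per line.
SAMPLE_EXPORT = """\
2019-02-13T10:00:01Z\tSystem attempted to accept TCP/22 connection from address 203.0.113.7
2019-02-13T10:00:01Z\tSystem attempted to accept TCP/80 connection from address 203.0.113.7
2019-02-13T10:00:02Z\tSystem attempted to accept TCP/443 connection from address 203.0.113.7
2019-02-13T10:00:02Z\tSystem attempted to accept TCP/3389 connection from address 203.0.113.7
2019-02-13T10:00:03Z\tSystem attempted to accept TCP/445 connection from address 203.0.113.7
2019-02-13T10:05:00Z\tSystem attempted to accept TCP/3389 connection from address 10.0.0.5
2019-02-13T10:05:30Z\tSystem attempted to accept TCP/3389 connection from address 10.0.0.5
2019-02-13T10:06:10Z\tSystem attempted to accept TCP/3389 connection from address 10.0.0.5
2019-02-13T11:00:00Z\tSystem attempted to accept TCP/8080 connection from address 10.0.0.9
"""

def parse_events(text):
    """Yield (timestamp, ip, proto, port) for each line matching the event text."""
    for line in text.splitlines():
        ts, _, desc = line.partition("\t")
        m = EVENT_RE.search(desc)
        if m:
            when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            yield when, m["ip"], m["proto"].upper(), int(m["port"])

def summarise_sources(text, scan_ports=5, scan_window_s=60, repeat_hits=3):
    """Group attempts by source IP and suggest which triage path from the article applies.
    Thresholds are assumptions; tune them to your environment."""
    by_ip = defaultdict(list)
    for ts, ip, proto, port in parse_events(text):
        by_ip[ip].append((ts, proto, port))
    result = {}
    for ip, hits in by_ip.items():
        hits.sort()
        ports = {port for _, _, port in hits}
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        if len(ports) >= scan_ports and span <= scan_window_s:
            verdict = "scan-like: many ports in a short window"
        elif len(ports) == 1 and len(hits) >= repeat_hits:
            verdict = "repeated single port: check auth failures / listening app"
        else:
            verdict = "isolated: note and correlate"
        result[ip] = {"attempts": len(hits), "ports": sorted(ports), "span_s": span, "verdict": verdict}
    return result
```

Internal versus external source addresses still need the check described above; this grouping only tells you which of the three paths to start with.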

Article Information
Creation Date: 02-13-2019