Environment
- CB Defense Web Console: All Versions
- CB Defense Sensor: All Supported Versions
- Microsoft Windows: All Supported Versions
- MacOS: All Supported Versions
Question
Why Are There Multiple "System Attempted To Accept (PROTOCOL/PORT) Connection From Address (IP)" Events In The CB Defense Web Console?
Answer
These events are presented in the web console under the ATTEMPTED_SERVER TTP, which indicates that an inbound connection attempt was made to the local machine. These connection attempts could be related to incorrect / invalid credential attempts, vulnerability scans, or potentially malicious applications.
Additional Notes
Incorrect / Invalid credential attempts:
- Review local logs and remote machine logs for access failures
- Use the port information to help identify likely applications
- Use Wireshark to view connection attempts
Vulnerability Scans:
- These scans generally run quickly and generate a lot of connection attempts. Local firewalls and/or applications may have built-in mechanisms to block or drop this activity, which can cause the scanner to retry and produce many new connection attempts.
- If the inbound connection IPs are on your internal network, verify whether the remote system is being used to perform vulnerability assessments, or using asset management tools.
- If the inbound connection IPs are off of your network:
  - Evaluate the IPs for known web-based scanners (zmap.io, shodan.io, censys.io, wappalyzer.com, wpscans.com, quttera.com, shadowserver.org, etc.)
  - Check local IIS / web server logs for GET requests from those IPs
  - Consider creating firewall block rules based on findings
Potentially Malicious Applications:
- Review sensor data for local and remote systems within the CbD web console
- Review the Alerts page
- Search for interesting TTPs such as: TTP:ACTIVE_SERVER OR TTP:NON_STANDARD_PORT OR TTP:BEACON
- Evaluate your findings
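The triage steps above (use the port to identify the likely application, tell internal from external sources, and recognise the fast many-port pattern of a vulnerability scan versus repeated hits on one service) can be applied mechanically to a batch of exported events. The following script is an added example, not code from the Carbon Black article or product; it assumes the ATTEMPTED_SERVER events have been exported into simple records with a time, remote IP, protocol and port, and all of the sample events, port hints and thresholds in it are constructed for illustration.

```python
"""Triage helper for CB Defense ATTEMPTED_SERVER events (added example, not Carbon Black code).

Assumes each event has been exported to a dict with keys: time (ISO 8601),
remote_ip, protocol, port. The sample events and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RFC 1918 ranges; adjust to your own address plan (assumption for this example)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Small, illustrative mapping from port to the service that usually listens there
PORT_HINTS = {22: "SSH", 80: "HTTP", 135: "MS-RPC", 139: "NetBIOS", 443: "HTTPS",
              445: "SMB", 3389: "RDP", 5985: "WinRM"}


def _make(ip, port, when, proto="TCP"):
    """Build one constructed event resembling 'System attempted to accept TCP/445 connection from address ...'."""
    return {"time": when.isoformat(), "remote_ip": ip, "protocol": proto, "port": port}


T0 = datetime(2024, 1, 10, 9, 0, 0)
SAMPLE_EVENTS = (
    # internal host hitting SMB every 30 s: the shape of repeated credential attempts
    [_make("10.0.0.5", 445, T0 + timedelta(seconds=30 * i)) for i in range(6)]
    # external host touching 20 different ports within 10 s: the shape of a port scan
    + [_make("198.51.100.23", p, T0 + timedelta(milliseconds=500 * i))
       for i, p in enumerate(range(20, 40))]
    # one-off external attempt on a non-standard port: needs a human look
    + [_make("203.0.113.9", 4444, T0 + timedelta(minutes=5))]
)


def is_internal(ip):
    """True when the remote address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(events):
    """Group attempts per remote IP: count, distinct ports, time span, and service hints."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["remote_ip"]].append(e)
    summary = {}
    for ip, evs in by_ip.items():
        times = sorted(datetime.fromisoformat(e["time"]) for e in evs)
        ports = sorted({(e["protocol"], e["port"]) for e in evs})
        summary[ip] = {
            "internal": is_internal(ip),
            "attempts": len(evs),
            "distinct_ports": len(ports),
            "span_seconds": (times[-1] - times[0]).total_seconds(),
            "services": sorted({PORT_HINTS.get(p, "unknown") for _, p in ports}),
        }
    return summary


def classify(stats, scan_min_ports=10, scan_max_seconds=60, repeat_min_attempts=5):
    """Apply the article's heuristics; thresholds are assumptions to tune per environment."""
    if stats["distinct_ports"] >= scan_min_ports and stats["span_seconds"] <= scan_max_seconds:
        return "likely scan"
    if stats["distinct_ports"] == 1 and stats["attempts"] >= repeat_min_attempts:
        return "repeated single-service attempts"
    return "manual review"


def triage(events):
    """Return {remote_ip: stats-with-verdict} for a batch of events."""
    result = summarize(events)
    for stats in result.values():
        stats["verdict"] = classify(stats)
    return result


if __name__ == "__main__":
    for ip, s in triage(SAMPLE_EVENTS).items():
        where = "internal" if s["internal"] else "external"
        print(f"{ip:16} {where:8} attempts={s['attempts']:3} ports={s['distinct_ports']:3} "
              f"span={s['span_seconds']:6.1f}s services={s['services']} -> {s['verdict']}")
```

A "likely scan" from an internal address points at the asset-management or vulnerability-assessment check in the notes above; the same verdict from an external address is where the scanner-lookup and firewall-rule steps apply. "Repeated single-service attempts" is the cue to pull the local and remote authentication failure logs for that service, and the remaining "manual review" entries are candidates for the ACTIVE_SERVER / NON_STANDARD_PORT / BEACON search in the console.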
Related Content