CB Defense: Why Are There Multiple System Attempted To Accept Connection Events In The Defense Web Console?
CB Defense Web Console: All Versions
CB Defense Sensor: All Supported Versions
Microsoft Windows: All Supported Versions
MacOS: All Supported Versions
Why Are There Multiple "System Attempted To Accept (PROTOCOL/PORT) Connection From Address (IP)" Events In The CB Defense Web Console?
These events are presented in the web console under the ATTEMPTED_SERVER TTP, which indicates that an inbound connection attempt was made to the local machine. Such attempts can be related to incorrect or invalid credential attempts, vulnerability scans, or potentially malicious applications.
Incorrect / Invalid credential attempts:
Review local logs and remote machine logs for access failures
Use the port information to help identify likely applications
Use Wireshark to view connection attempts
Vulnerability Scans:
These scans generally run quickly and generate a large number of connection attempts. Local firewalls and/or applications may have built-in mechanisms to block or drop this activity, and the blocked attempts themselves can result in many new connection attempts being recorded.
If the inbound connection IPs are on your internal network, verify whether the remote system is being used to perform vulnerability assessments or is running asset management tools.
If the inbound connection IPs are off of your network:
Evaluate the IPs for known web based scanners: (zmap.io, shodan.io, censys.io, wappalyzer.com, wpscans.com, quttera.com, shadowserver.org, etc.)
Check local IIS / web server logs for GET requests from those IPs
Consider creating firewall block rules based on findings
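The triage steps above (separate internal from external sources, spot scan-like bursts that touch many ports in a short time, then check the web logs for GET requests from the external sources) can be scripted against an export of these events. The following is an added example and not Carbon Black code; the event line format, the timestamps, the addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for external sources) and the IIS log lines are all constructed for the example, and the RFC 1918 ranges used to decide "internal" are an assumption to adjust to your own address plan.

```python
"""Triage helper for "System attempted to accept ... connection" events.

Added example (not Carbon Black code). Reads event lines in a constructed
format, groups inbound attempts by remote address, separates internal from
external sources, flags scan-like bursts, and looks for GET requests from
the flagged addresses in an IIS W3C-format log.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp prefix added for the example).
SAMPLE_EVENTS = """\
2024-05-01T10:00:00Z System attempted to accept TCP/22 connection from address 10.20.30.40
2024-05-01T10:00:05Z System attempted to accept TCP/80 connection from address 10.20.30.40
2024-05-01T10:00:10Z System attempted to accept TCP/445 connection from address 10.20.30.40
2024-05-01T10:00:15Z System attempted to accept TCP/3389 connection from address 10.20.30.40
2024-05-01T10:00:30Z System attempted to accept TCP/80 connection from address 198.51.100.7
2024-05-01T10:30:00Z System attempted to accept TCP/443 connection from address 198.51.100.7
2024-05-01T11:00:00Z System attempted to accept TCP/443 connection from address 198.51.100.7
2024-05-01T10:05:00Z System attempted to accept TCP/21 connection from address 203.0.113.9
2024-05-01T10:05:01Z System attempted to accept TCP/22 connection from address 203.0.113.9
2024-05-01T10:05:02Z System attempted to accept TCP/25 connection from address 203.0.113.9
2024-05-01T10:05:03Z System attempted to accept TCP/80 connection from address 203.0.113.9
"""

# Constructed IIS log in W3C extended format; the #Fields header drives parsing.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-05-01 10:05:04 192.168.1.10 GET / - 80 203.0.113.9 200
2024-05-01 10:05:05 192.168.1.10 GET /robots.txt - 80 203.0.113.9 404
2024-05-01 10:30:01 192.168.1.10 POST /api/login - 443 198.51.100.7 200
2024-05-01 10:31:00 192.168.1.10 GET /index.html - 80 192.168.1.55 200
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) System attempted to accept (?P<proto>[A-Za-z]+)/(?P<port>\d+) "
    r"connection from address (?P<ip>[0-9a-fA-F:.]+)$"
)

# Assumption: RFC 1918 space is "internal"; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Return one dict per recognised event line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "proto": m["proto"].upper(), "port": int(m["port"]),
                           "ip": m["ip"]})
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(events, window=timedelta(seconds=60), port_threshold=4):
    """Group attempts by remote address; a source is scan-like when it touches
    at least port_threshold distinct ports inside any window-long interval.
    Credential guessing against one service shows instead as many attempts
    on a single port, so check the ports list for that pattern."""
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev["ip"]].append(ev)
    summary = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        scan_like = any(
            len({e["port"] for e in evs[i:] if e["ts"] - first["ts"] <= window})
            >= port_threshold
            for i, first in enumerate(evs))
        summary[ip] = {"attempts": len(evs),
                       "ports": sorted({e["port"] for e in evs}),
                       "internal": is_internal(ip), "scan_like": scan_like}
    return summary


def iis_get_requests(log_text, ips):
    """Return (client ip, uri) for GET requests from ips in a W3C IIS log."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for this section
        elif line.strip() and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            if row.get("cs-method") == "GET" and row.get("c-ip") in ips:
                hits.append((row["c-ip"], row["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EVENTS))
    for ip, s in sorted(summary.items()):
        print(f"{ip:15} attempts={s['attempts']:2} ports={s['ports']} "
              f"internal={s['internal']} scan_like={s['scan_like']}")
    external = {ip for ip, s in summary.items() if s["scan_like"] and not s["internal"]}
    for ip, uri in iis_get_requests(SAMPLE_IIS_LOG, external):
        print(f"GET from external scan-like source {ip}: {uri}")
```

Run as-is it prints one summary line per remote address and the GET requests from the external scan-like source. On a real export, point `parse_events` at the exported text (adjusting `EVENT_RE` to the export's actual line layout), feed the web server's own log to `iis_get_requests`, and use the resulting internal/external split to decide whether a source needs an internal owner check or a firewall block rule.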
Potentially Malicious Applications:
Review sensor data for the local and remote systems in the CbD web console
Review the Alerts page
Search for interesting TTPs such as: TTP:ACTIVE_SERVER OR TTP:NON_STANDARD_PORT OR TTP:BEACON