Folks, as others have talked about recently, there is an uptick in detections of the definition Botnet.CnC.Generic. I have a dev who has a couple of these events triggered on his machine, which I have seen in my logs. Some questions:
1. If the Action = "Detected" and Inbound = "Yes" does that mean that the endpoint thinks the dev's machine is a C2 server and that it detected (but allowed) an inbound connection matching such a profile?
2. How can the target address make sense? The source is 126.96.36.199 (Russian IP space) and the target address is a 10.0.0.0/24 address (RFC 1918), but on a subnet that we do not use. How can a connection be made to an address that is non-routable in our network? We do not use that address space.
3. There is a "Process Name" parameter for the event that marks a Java executable (java.exe) as the culprit, but again I don't understand what this means. The target port was 8443, and it is certainly feasible that this dev has Java listening on that port, but NOT on the address in the target field. Am I correct in thinking that the process name is supposed to indicate the process that was listening at the time and accepted the inbound request to the target port on the target address?
I would seriously appreciate some help in understanding this event. Full event details (somewhat cleaned, only the Computer name and Account fields have been modified for my privacy) are pictured below.
[Screenshot of the event details; recoverable field labels: Computer name, Computer description, Threat name, Rule name, Rule ID, timestamp 2020 Jan 18 14:43:40, category "Security vulnerability exploitation", Source address, Source port, Target address, Target port, Process name]
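As an added example (not from the post, and not any vendor's product logic): a small triage helper that applies the checks the three questions above reason about to event records of this shape. For each event it asks whether an inbound connection came from a public source, whether the address on the local side sits in RFC 1918 space, and whether that address is inside a subnet the organisation actually routes. The in-use subnets and the sample events are constructed assumptions; the first event copies the addresses and port from the post.

```python
import ipaddress

# Constructed, hypothetical address plan for the organisation (assumption;
# replace with the real list of routed subnets).
IN_USE_SUBNETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events using the field names from the post; the first one
# mirrors the addresses and port described there, the other two are invented.
EVENTS = [
    {"threat": "Botnet.CnC.Generic", "action": "Detected", "inbound": "Yes",
     "source": "126.96.36.199", "source_port": 51234,
     "target": "10.0.0.77", "target_port": 8443, "process": "java.exe"},
    {"threat": "Botnet.CnC.Generic", "action": "Detected", "inbound": "Yes",
     "source": "10.10.4.20", "source_port": 40000,
     "target": "10.10.4.21", "target_port": 8443, "process": "java.exe"},
    {"threat": "Botnet.CnC.Generic", "action": "Blocked", "inbound": "No",
     "source": "10.10.4.20", "source_port": 40001,
     "target": "93.184.216.34", "target_port": 443, "process": "java.exe"},
]


def is_rfc1918(ip):
    """True if the address lies in one of the RFC 1918 private ranges."""
    return any(ip in net for net in RFC1918)


def is_in_use(ip):
    """True if the address lies in a subnet the organisation actually routes."""
    return any(ip in net for net in IN_USE_SUBNETS)


def triage(event):
    """Return the flags raised by one event and a coarse verdict.

    The local side of the connection is the target for an inbound event and
    the source for an outbound one; that is the address we expect to own.
    """
    src = ipaddress.ip_address(event["source"])
    dst = ipaddress.ip_address(event["target"])
    inbound = event["inbound"].strip().lower() == "yes"
    flags = []

    if inbound and src.is_global:
        flags.append("inbound_from_public_source")
    if not inbound and dst.is_global:
        flags.append("outbound_to_public_target")

    # The case the post asks about: the local address is private space that
    # the organisation does not route, so the record does not match the network.
    local_side = dst if inbound else src
    if is_rfc1918(local_side) and not is_in_use(local_side):
        flags.append("local_address_in_unused_rfc1918_space")

    # "Detected" rather than "Blocked": the sensor observed but did not stop it.
    if event["action"].strip().lower() == "detected":
        flags.append("not_blocked")

    if ("inbound_from_public_source" in flags
            or "local_address_in_unused_rfc1918_space" in flags):
        verdict = "escalate"   # confirm listener and routing on the host itself
    elif flags:
        verdict = "review"
    else:
        verdict = "low"
    return {"flags": flags, "verdict": verdict}


def triage_all(events):
    """Triage a batch of events and return the list of verdicts, in order."""
    return [triage(e)["verdict"] for e in events]


if __name__ == "__main__":
    for e in EVENTS:
        result = triage(e)
        print(f'{e["source"]} -> {e["target"]}:{e["target_port"]} '
              f'({e["process"]}) {result["verdict"]}: {", ".join(result["flags"])}')
```

The "escalate" verdict on the first record is the point: an address on the local side that no internal subnet owns means the sensor's record and the host's real network configuration disagree, and the next step is to check on the endpoint itself (netstat or an equivalent listing of listening sockets for java.exe on 8443, plus the interface addresses actually configured) rather than to trust the event fields as-is.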