Jump to content

User21000

Members
 View Profile  See their activity

  • Posts

    9

  • Joined

  • Last visited

 Content Type 

Posts posted by User21000

    Need help understanding Botnet.CnC.Generic detection event

    in General Discussion

    Posted

    Interesting theory, thanks for trying I appreciate it. Turns out the dev was forwarding from his edge at home and that subnet is what he uses on his internal LAN so the event was triggered locally and reported back to the ESMC server when he reconnected to the production network at our office.

    So, it looks like ESET is basing this on the fact that the traffic came from known botnet IP space? Is that it? I'm not implying I think that it's inaccurate I'm just trying to make sure I understand the classification of the event.

    Need help understanding Botnet.CnC.Generic detection event

    in General Discussion

    Posted · Edited by User21000
    Better title + tags

    Folks, as others have talked about recently there is an uptick in detections of this definition Botnet.CnC.Generic. I have a dev who has a couple of these events triggered on his machine which I have seen in my logs. Some questions:

    1. If the Action = "Detected" and Inbound = "Yes" does that mean that the endpoint thinks the dev's machine is a C2 server and that it detected (but allowed) an inbound connection matching such a profile?

    2. How can the target address make sense? Source is 45.141.87.11 (russian ip space) and target address is a 10.0.0.0/24 address (RFC1918) but on a subnet that we do not use. How can a connection be made to an address that is non-routable in our network? We do not use that address space.

    3. There is a "Process Name" parameter for the event that marks a java executable (java.exe) as the culprit, but again I don't understand what this means. The target port was 8443, and it is certainly feasible that this dev has java listening on that port but NOT on the address in the target field. Am I correct in thinking that the process name is supposed to indicate the process that was listening at the time and accepted the inbound request to the target port on the target address?

    I would seriously appreciate some help in understanding this event. Full event details (somewhat cleaned, only the Computer name and Account fields have been modified for my privacy) are pictured below. 

    •  Computer name
hostname.domain.lan
•  Computer description
•  Threat name
Botnet.CnC.Generic
•  Rule name
•  Rule ID
•  Occurred
2020 Jan 18 14:43:40
•  Event
Security vulnerability exploitation
•  Source address
45.141.87.11
•  Source port
1936
•  Target address
10.0.0.25
•  Target port
8443
•  Protocol
TCP
•  Inbound
Yes
•  Process name
C:\Program Files\Java\jdk1.8.0_201\bin\java.exe
•  Account
DOMAIN\DevAccount
•  Count
1

     

    When Creating Installer I get "Invalid Certificate Passphrase"

    in ESET PROTECT On-prem (Remote Management)

    Posted

    When I try creating an all-in-one installer, I go through all the configuration choices. When I'm done and ready to download the installer for Windows clients I get this error message "Failed to download installer: Invalid certificate or certificate password provided."

    Why am I getting this error? I entered the passphrase that I entered when I first deployed the Virtual Appliance and also tried using a different passphrase but neither will work.

    Purpose of Linking Virtual Appliance to Active Directory Domain?

    in ESET PROTECT On-prem (Remote Management)

    Posted

    I would just like to know what the purpose of linking the ERA Virtual Appliance to an Active Directory Domain would be. Would that be used so I can sign in to the VA with domain credentials? Is there some sort of feature to synchronize endpoints with AD users? Will joining the VA create a Computer Account in the AD? To be clear, I'm using the ESET Remote Administrator Server Appliance.

    Any information is appreciated, thanks.

×
×
  • Create New...