User21000 0 Posted January 20, 2020 Posted January 20, 2020 (edited) Folks, as others have talked about recently there is an uptick in detections of this definition Botnet.CnC.Generic. I have a dev who has a couple of these events triggered on his machine which I have seen in my logs. Some questions: 1. If the Action = "Detected" and Inbound = "Yes" does that mean that the endpoint thinks the dev's machine is a C2 server and that it detected (but allowed) an inbound connection matching such a profile? 2. How can the target address make sense? Source is 45.141.87.11 (russian ip space) and target address is a 10.0.0.0/24 address (RFC1918) but on a subnet that we do not use. How can a connection be made to an address that is non-routable in our network? We do not use that address space. 3. There is a "Process Name" parameter for the event that marks a java executable (java.exe) as the culprit, but again I don't understand what this means. The target port was 8443, and it is certainly feasible that this dev has java listening on that port but NOT on the address in the target field. Am I correct in thinking that the process name is supposed to indicate the process that was listening at the time and accepted the inbound request to the target port on the target address? I would seriously appreciate some help in understanding this event. Full event details (somewhat cleaned, only the Computer name and Account fields have been modified for my privacy) are pictured below. • Computer name hostname.domain.lan • Computer description • Threat name Botnet.CnC.Generic • Rule name • Rule ID • Occurred 2020 Jan 18 14:43:40 • Event Security vulnerability exploitation • Source address 45.141.87.11 • Source port 1936 • Target address 10.0.0.25 • Target port 8443 • Protocol TCP • Inbound Yes • Process name C:\Program Files\Java\jdk1.8.0_201\bin\java.exe • Account DOMAIN\DevAccount • Count 1 Edited January 20, 2020 by User21000 Better title + tags
itman 1,806 Posted January 21, 2020 Posted January 21, 2020 (edited) I would say the attacker found an open port, 8443, on the WAN side of your gateway and trying to do a brute force attack to get access to your internal network. At this point, he is just trying to find a used local subnet address. Hence the targeting of IP address 10.0.0.25. If left unchecked, the attacked would try all known subnet addresses until he found one assigned to a device. Edited January 21, 2020 by itman
User21000 0 Posted January 21, 2020 Author Posted January 21, 2020 Interesting theory, thanks for trying I appreciate it. Turns out the dev was forwarding from his edge at home and that subnet is what he uses on his internal LAN so the event was triggered locally and reported back to the ESMC server when he reconnected to the production network at our office. So, it looks like ESET is basing this on the fact that the traffic came from known botnet IP space? Is that it? I'm not implying I think that it's inaccurate I'm just trying to make sure I understand the classification of the event.
itman 1,806 Posted January 21, 2020 Posted January 21, 2020 10 minutes ago, User21000 said: So, it looks like ESET is basing this on the fact that the traffic came from known botnet IP space? Eset does use a blacklist of known botnet C&C servers. Only they know what it contains. However, Eset also uses this Botnet detection for inbound brute force attacks. Another thread on same alert here: https://forum.eset.com/topic/21967-increasing-botnetcncgeneric-detections/ User21000 1
User21000 0 Posted January 21, 2020 Author Posted January 21, 2020 Interesting thread. Wish ESET would open up that list of theirs. Thanks for your help.
Recommended Posts