The following is a summary of the Darktrace deployment status on your network over the last month. The report shows the distribution of possible attacks and potential vulnerabilities in the network infrastructure, and offers recommendations to address these risks.
Antigena Network is deployed.
[Deployment summary tiles: active devices on the network, modelled devices on the network, new devices detected in the organisation, instances running, Darktrace probes actively processing data. The tile values 802, 6 and 10 cannot be matched to their labels in the extracted text. Probe throughput: probe 1 at 101.45 mbps, probe 3 at 5.24 gbps, probe 4 at 48.45 mbps.]
Attack Phase: Distribution of Model Breaches
Phases of an Attack
Darktrace models can be organized according to the attack phase they are most likely to detect. Monitoring models according to these categories can allow the
characteristic behavior pattern of an ongoing attack to be observed.
Bruteforce ‣ 35.38%
Exploit ‣ 9.23%
A total of 6 model breaches of 4 different models triggered by 6 unique devices
Top scoring devices: pdcar-wssfv.ccu.arg · 172.19.170.78 83.20%
Scanning ‣ 4.62%
A total of 3 model breaches of 1 model triggered by 3 unique devices
Top scoring devices: serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 99.40%
Overall Score: Devices
Top Devices by Overall Score
Devices highlighted here have exhibited the greatest overall degree of unusual activity over the course of the reporting period. Device overall score gives an indication
of which devices are at highest risk in the organisation.
Model Directory: Breaches
Antigena: 320
Compromise: 109
Device: 31
Anomalous Connection: 1
Anomalous File: 1
Antigena: Antigena Actions
Antigena Actions Summary
The following actions were triggered by Antigena in response to anomalous behavior in your network environment. The actions taken range from interrupting
communications between distinct endpoint/port combinations up to complete quarantine - actions are proportional to threat and may be escalated if granular blocks
are not sufficient.
In the last 7 days, 263 actions were created and a minimum of 0 connections blocked.
In the last 28 days, 1142 actions were created and a minimum of 0 connections blocked.
In the last 365 days, 12564 actions were created and a minimum of 0 connections blocked.
In the last 7 days, 0 actions were created and a minimum of 0 connections blocked.
In the last 28 days, 0 actions were created and a minimum of 0 connections blocked.
In the last 365 days, 17 actions were created and a minimum of 0 connections blocked.
Appendix
Table of Contents
A. Attack Phases
B. Top Model Breaching Devices
C. Enhanced Monitoring
D. Compliance Model Breaches
Attack Phases
Details
SMB Lateral Movement — [AP: Lateral Movement]
mntnbsmorenog.ccu.local · 10.100.26.166
Suspicious Internal Use Of Web Protocol — [AP: Exploit, AP: Lateral Movement]
sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e
2022-04-19 12:04:40 UTC
sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e made an SSL connection to 172.30.67.2 on TCP port 443.
2022-04-19 12:04:40 UTC
sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e made an SSL connection to 172.30.67.2 on TCP port 443.
2022-04-19 12:04:41 UTC
Unusual Activity (meta-classifier) 58.0% — Internal Connections, Internal Connections to Closed Ports, Internal Active Connections
2022-04-19 12:04:42 UTC
sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e failed to make an Unknown connection to 172.30.67.2 on TCP port 135.
Suspicious Network Scan Activity — [AP: Internal Recon, AP: Scanning, Enhanced Monitoring, OT Engineer]
serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6
2022-04-06 09:19:09 UTC
serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to VSPNBMVILLAR1 · 192.168.1.92 · e4:e7:49:1e:15:db on TCP port 80.
RDP Brute Force — [AP: Bruteforce, AP: Lateral Movement, OT Engineer]
172.30.24.19
2022-04-24 05:57:15 UTC
172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.
Possible Brute-Force Activity — [AP: Bruteforce, AP: Lateral Movement, OT Engineer]
NT-ANW-025 · 172.20.116.57 · b0:7b:25:4f:64:f9
10.172.192.224
2022-04-22 19:08:58 UTC
10.172.192.224 made an SSL connection to meta4win7-1.ccu.local · 10.235.105.36 on TCP port 443.
2022-04-22 19:08:58 UTC
10.172.192.224 made an SSL connection to meta4win7-1.ccu.local · 10.235.105.36 on TCP port 443.
2022-04-22 19:08:58 UTC
10.172.192.224 was still making an SSL connection to meta4win7-1.ccu.local · 10.235.105.36 on TCP port 443.
pdcar-wssfv.ccu.arg · 172.19.170.78
2022-04-06 14:27:47 UTC
Protocol Detector (Server_Found) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49154 — 192.168.15.4: DCE_RPC server on port 49154/tcp
Detail: DCE_RPC
Devices Affected
ecunbtbinari.ccu.local — breached: High Priority Crypto Currency Mining (first seen: 2022-04-04 15:09:37 UTC)
ccunbkrriazan.ccu.local — breached: Internet Facing Device with High Priority Alert (first seen: 2022-04-20 15:45:50 UTC)
172.18.33.50 — breached: New User Agent and POST (first seen: 2022-04-08 15:05:25 UTC)
172.30.24.19 — breached: RDP Brute Force (first seen: 2022-04-24 05:57:18 UTC)
allen-pchp004.ccu.arg — breached: SMB Lateral Movement (first seen: 2022-04-29 17:35:34 UTC)
MNTNBCAREYES — breached: SMB Lateral Movement (first seen: 2022-04-05 17:02:09 UTC)
mntnbsmorenog.ccu.local — breached: SMB Lateral Movement (first seen: 2022-04-13 21:03:58 UTC)
sfe-li3013.ccu.arg — breached: SSL or HTTP Beacon (first seen: 2022-04-12 21:48:59 UTC)
CCUNBFRPINO — breached: SSL or HTTP Beacon (first seen: 2022-04-25 11:58:10 UTC)
LAPTOP-QVK3FGNA — breached: Suspicious HTTP Redirect (first seen: 2022-04-04 20:44:30 UTC)
srvsfeprn.ccu.arg — breached: Suspicious Netlogon RPC Calls (first seen: 2022-04-13 15:00:16 UTC)
srvlv3adaudit.ccu.arg — breached: Suspicious Network Scan Activity (first seen: 2022-04-20 14:54:52 UTC)
serveurscalya.ccu.local — breached: Suspicious Network Scan Activity (first seen: 2022-04-06 09:19:12 UTC)
ECUNBJDRIQUE2 — breached: Suspicious Network Scan Activity (first seen: 2022-04-06 21:36:49 UTC)
CCUnbAPARDO — breached: Tor Domain DNS Requests (first seen: 2022-04-01 12:46:34 UTC)
ecunbelira.ccu.local — breached: Tor Domain DNS Requests (first seen: 2022-04-20 15:22:48 UTC)
Details
SMB Lateral Movement
mntnbsmorenog.ccu.local · 10.100.26.166
allen-pchp004.ccu.arg · 172.30.79.18
ecunbelira.ccu.local · 10.100.30.117
2022-04-20 14:48:23 UTC
ecunbelira.ccu.local · 10.100.30.117 failed to look up ozahtqwp25chjdjd.onion in a DNS connection to 128.84.0.199 on UDP port 53.
Devices Affected
vsppcvtamoli2.ccu.local — breached: Connections with Suspicious DNS (first seen: 2022-04-17 22:23:04 UTC)
crvnbfaaguile.ccu.local — breached: Connections with Suspicious DNS (first seen: 2022-04-10 21:31:15 UTC)
pc791 — breached: Connections with Suspicious DNS (first seen: 2022-04-26 18:35:26 UTC)
vsppclcorvals.ccu.local — breached: DGA Beacon (first seen: 2022-04-29 21:31:17 UTC)
luj-bar7102.ccu.arg — breached: Fast Beaconing to DGA (first seen: 2022-04-06 22:05:59 UTC)
192.168.101.53 — breached: Fast Beaconing to DGA (first seen: 2022-04-09 07:27:35 UTC)
ecunbiandia.ccu.local — breached: Fast Beaconing to DGA (first seen: 2022-04-12 20:59:28 UTC)
Galaxy-S20 — breached: Fast Beaconing to DGA (first seen: 2022-04-13 21:01:53 UTC)
A20s-de-Cedric — breached: Fast Beaconing to DGA (first seen: 2022-04-12 23:17:33 UTC)
S20-FE-de-Benjamin — breached: Fast Beaconing to DGA (first seen: 2022-04-12 21:07:34 UTC)
ecunbtbinari.ccu.local — breached: High Priority Crypto Currency Mining, Monero Mining (first seen: 2022-04-04 15:09:36 UTC)
crenb idalg — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-06 14:55:46 UTC)
crvpclablunoa.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-27 02:43:44 UTC)
tccpcbodega2.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-16 19:38:39 UTC)
ecupcporsanm3.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-27 02:36:19 UTC)
crenb idalg.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-08 15:04:12 UTC)
ccunbarodrigl.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-01 21:37:47 UTC)
tccnbanrubiot.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-05 00:27:03 UTC)
kunnbcmiller.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-08 22:14:15 UTC)
10.100.21.14 — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-09 16:38:14 UTC)
vsppcpemolin.ccu.local — breached: Large DNS Volume for Suspicious Domain, Connections with Suspicious DNS (first seen: 2022-04-27 23:10:35 UTC)
tccpcmalquin — breached: Large DNS Volume for Suspicious Domain, Connections with Suspicious DNS (first seen: 2022-04-09 21:13:25 UTC)
vsppcz2l1.ccu.local — breached: Large DNS Volume for Suspicious Domain, DGA Beacon (first seen: 2022-04-09 13:09:06 UTC)
172.30.22.26 — breached: Monero Mining (first seen: 2022-04-25 16:12:27 UTC)
172.18.33.50 — breached: New User Agent and POST (first seen: 2022-04-08 15:05:25 UTC)
172.30.24.19 — breached: RDP Brute Force (first seen: 2022-04-24 05:57:18 UTC)
allen-pchp004.ccu.arg — breached: SMB Lateral Movement (first seen: 2022-04-29 17:35:34 UTC)
MNTNBCAREYES — breached: SMB Lateral Movement (first seen: 2022-04-05 17:02:09 UTC)
mntnbsmorenog.ccu.local — breached: SMB Lateral Movement (first seen: 2022-04-13 21:03:58 UTC)
tccnbdrojasc.ccu.local — breached: SMB Lateral Movement (first seen: 2022-04-13 18:20:15 UTC)
comnbfmramire.ccu.local — breached: SMB Lateral Movement (first seen: 2022-04-13 00:17:26 UTC)
sfe-li3013.ccu.arg — breached: SSL or HTTP Beacon (first seen: 2022-04-12 21:48:59 UTC)
CCUNBFRPINO — breached: SSL or HTTP Beacon (first seen: 2022-04-25 11:58:10 UTC)
LAPTOP-QVK3FGNA — breached: Suspicious HTTP Redirect (first seen: 2022-04-04 20:44:30 UTC)
srvsfeprn.ccu.arg — breached: Suspicious Netlogon RPC Calls (first seen: 2022-04-13 15:00:16 UTC)
srvlv3adaudit.ccu.arg — breached: Suspicious Network Scan Activity (first seen: 2022-04-20 14:54:52 UTC)
serveurscalya.ccu.local — breached: Suspicious Network Scan Activity (first seen: 2022-04-06 09:19:12 UTC)
ECUNBJDRIQUE2 — breached: Suspicious Network Scan Activity (first seen: 2022-04-06 21:36:49 UTC)
CCUnbAPARDO — breached: Tor Domain DNS Requests (first seen: 2022-04-01 12:46:34 UTC)
ecunbelira.ccu.local — breached: Tor Domain DNS Requests (first seen: 2022-04-20 15:22:48 UTC)
pdcar-wssfv.ccu.arg — breached: Unusual DRS Activity (first seen: 2022-04-06 15:12:09 UTC)
Details
Large DNS Volume for Suspicious Domain — [AP: C2 Comms]
10.100.21.14
ccunbarodrigl.ccu.local · 10.100.19.155
kunnbcmiller.ccu.local · 10.100.26.163
tccnbanrubiot.ccu.local · 10.100.17.204
2022-04-04 20:44:30 UTC
Model Breach: Anomalous File / Suspicious HTTP Redirect — 92.6%
ecunbtbinari.ccu.local · 192.168.112.123
mntnbsmorenog.ccu.local · 10.100.26.166
tccnbdrojasc.ccu.local · 10.100.27.131
Suspicious Network Scan Activity — [AP: Internal Recon, AP: Scanning, Enhanced Monitoring, OT Engineer]
ECUNBJDRIQUE2 · 172.17.91.86 · 18:26:49:b3:a8:da
srvlv3adaudit.ccu.arg · 172.30.101.31