
Darktrace UV Summary Report

2022/04/01 05:00:00 — 2022/05/01 04:59:00


Deployment Summary

The following is a summary of the Darktrace deployment status on your network over the last month. The report shows the distribution of possible attacks and potential vulnerabilities in the network infrastructure, and offers recommendations to address these risks.

Health Check: Antigena network is deployed

28893 active devices on the network in the last 4 weeks
22659 modelled devices on the network
4299 new devices detected in the last 4 weeks
802 subnets monitored across the organisation
6 instances running Darktrace
10 probes actively processing data

Average bandwidth received:
9.75 gbps (probe: 3)
101.45 mbps (probe: 1)
54.69 mbps (probe: 4)

Average bandwidth processed:
5.24 gbps (probe: 3)
74.85 mbps (probe: 1)
48.45 mbps (probe: 4)

Attack Phase: Distribution of Model Breaches
Phases of an Attack
Darktrace models can be organized according to the attack phase they are most likely to detect. Monitoring models according to these categories can allow the
characteristic behavior pattern of an ongoing attack to be observed.

Summary of model breaches per Attack Phase

Lateral Movement ‣ 46.15%
A total of 30 model breaches of 4 different models triggered by 29 unique devices
Top scoring devices: MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 94.70%

Bruteforce ‣ 35.38%
A total of 23 model breaches of 2 different models triggered by 22 unique devices
Top scoring devices: 172.30.24.19 72.20%

Exploit ‣ 9.23%
A total of 6 model breaches of 4 different models triggered by 6 unique devices
Top scoring devices: pdcar-wssfv.ccu.arg · 172.19.170.78 83.20%

Internal Recon ‣ 4.62%
A total of 3 model breaches of 1 model triggered by 3 unique devices
Top scoring devices: serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 99.40%

Scanning ‣ 4.62%
A total of 3 model breaches of 1 model triggered by 3 unique devices
Top scoring devices: serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 99.40%

Overall Score: Devices
Top Devices by Overall Score
Devices highlighted here have exhibited the greatest overall degree of unusual activity over the course of the reporting period. Device overall score gives an indication
of which devices are at highest risk in the organisation.

Devices (overall score) and model breach summary

serveurscalya.ccu.local Overall score: 99.40%
  Suspicious Network Scan Activity 100.0%

172.18.33.50 Overall score: 98.60%
  New User Agent and POST 100.0%

sfe-li3013.ccu.arg Overall score: 96.50%
  SSL or HTTP Beacon 100.0%

ECUNBJDRIQUE2 Overall score: 95.10%

CCUNBFRPINO Overall score: 95.10%
  SSL or HTTP Beacon 100.0%

srvlv3adaudit.ccu.arg Overall score: 94.80%
  Suspicious Network Scan Activity 92.43%

MNTNBCAREYES Overall score: 94.70%
  SMB Lateral Movement 88.66%

mntnbsmorenog.ccu.local Overall score: 93.80%
  SMB Lateral Movement 88.76%


High Priority Models: Devices
Top Devices Breaching High Priority Models
Devices highlighted here have breached models assessed to represent behaviors regarded as high priority for the organisation. This also includes models tagged by
the customer using the 'Autoreporting' tag or model breaches with a score over 80%.

Devices (overall score) and model breach summary

tccpcmalquin Overall score: 99.80%
  Large DNS Volume for Suspicious Domain 89.94%
  Connections with Suspicious DNS 89.94%

vsppcpemolin.ccu.local Overall score: 99.70%
  Large DNS Volume for Suspicious Domain 89.82%
  Connections with Suspicious DNS 89.82%

serveurscalya.ccu.local Overall score: 99.40%
  Suspicious Network Scan Activity 100.0%

172.18.33.50 Overall score: 98.60%
  New User Agent and POST 100.0%

sfe-li3013.ccu.arg Overall score: 96.50%
  SSL or HTTP Beacon 100.0%

ECUNBJDRIQUE2 Overall score: 95.10%

CCUNBFRPINO Overall score: 95.10%
  SSL or HTTP Beacon 100.0%

srvlv3adaudit.ccu.arg Overall score: 94.80%
  Suspicious Network Scan Activity 92.43%


Compliance Models: Model Breaches
Highest Frequency Compliance Model Breaches
Compliance models can be used to monitor whether devices and users are breaching security policy. Some remote management tools, for instance, can be exploited to gain control over devices in a similar manner to a remote access trojan, while others are commonly used in tech support scams, so their presence can be an indicator of compromise. Monitoring this type of device behavior across the network helps companies track risk more effectively.

No breaches to report in your chosen time period


Compliance Models: Devices
Top Devices Breaching Compliance Models
Devices highlighted here have breached compliance models multiple times over the reporting period. Such devices may be using third-party file sharing services, privacy VPN providers or encrypted messaging applications, or may be involved in other moderate-risk network activities.

No breaches to report in your chosen time period


Categories: Distribution of Model Breaches
Top Directories with Model Breaches
Directories highlighted here have the highest number of model breaches.

Directory: Breaches

Antigena: 320
Compromise: 109
Device: 31
Anomalous Connection: 1
Anomalous File: 1

Antigena: Antigena Actions
Antigena Actions Summary
The following actions were triggered by Antigena in response to anomalous behavior in your network environment. The actions taken range from interrupting communications between distinct endpoint/port combinations up to complete quarantine - actions are proportional to threat and may be escalated if granular blocks are not sufficient.

Antigena Network Actions (LICENSED)

In the last 7 days, 263 actions were created and a minimum of 0 connections blocked.
In the last 28 days, 1142 actions were created and a minimum of 0 connections blocked.
In the last 365 days, 12564 actions were created and a minimum of 0 connections blocked.

Antigena Firewall Actions (LICENSED)

In the last 7 days, 0 actions were created and a minimum of 0 connections blocked.
In the last 28 days, 0 actions were created and a minimum of 0 connections blocked.
In the last 365 days, 17 actions were created and a minimum of 0 connections blocked.

Appendix

Table of Contents
A. Attack Phases
B. Top Model Breaching Devices
C. Enhanced Monitoring
D. Compliance Model Breaches
Attack Phases

Details
SMB Lateral Movement — [AP: Lateral Movement]

mntnbsmorenog.ccu.local · 10.100.26.166
2022-04-13 21:03:55 UTC
NTLM (Login Fail) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: domain=CCUCL hostname=CCUNBSMBECER2 auth_successful=F result=logon_failure
2022-04-13 21:03:55 UTC
SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure
2022-04-13 21:03:55 UTC
SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure
2022-04-13 21:03:55 UTC
SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure
2022-04-13 21:03:55 UTC
NTLM (Login Fail) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: domain=CCUCL hostname=CCUNBSMBECER2 auth_successful=F result=logon_failure
2022-04-13 21:03:55 UTC
SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure
2022-04-13 21:03:55 UTC
NTLM (Login Fail) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: domain=CCUCL hostname=CCUNBSMBECER2 auth_successful=F result=logon_failure
2022-04-13 21:03:56 UTC
DT (Model Breach) — Device / Anomaly Indicators / SMB Session Brute Force Non-Admin Indicator
2022-04-13 21:03:57 UTC
DT (Model Breach) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — Device / SMB Session Brute Force (Non-Admin)
2022-04-13 21:03:58 UTC
Model Breach: Device / SMB Lateral Movement — 88.8%

MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7
2022-04-05 17:02:06 UTC
MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 made an SMB,NTLM,GSSAPI connection to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on TCP port 445.
2022-04-05 17:02:06 UTC
MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 made an SMB,NTLM,GSSAPI connection to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on TCP port 445.
2022-04-05 17:02:07 UTC
MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 made an SMB,NTLM,GSSAPI connection to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on TCP port 445.
2022-04-05 17:02:07 UTC
MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 made an SMB,NTLM,GSSAPI connection to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on TCP port 445.
2022-04-05 17:02:07 UTC
SMB (Session Failure) to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on port 445 — jmpugad
Detail: client_hostname=MNTNBCAREYES domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or
authentication information. details= result=logon_failure
2022-04-05 17:02:07 UTC
SMB (Session Failure) to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on port 445 — jmpugad
Detail: client_hostname=MNTNBCAREYES domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or
authentication information. details= result=logon_failure
2022-04-05 17:02:07 UTC
NTLM (Login Fail) to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on port 445 — jmpugad
Detail: domain=CCUCL hostname=MNTNBCAREYES auth_successful=F result=logon_failure
2022-04-05 17:02:07 UTC
NTLM (Login Fail) to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on port 445 — jmpugad
Detail: domain=CCUCL hostname=MNTNBCAREYES auth_successful=F result=logon_failure
2022-04-05 17:02:08 UTC
DT (Model Breach) — Device / Anomaly Indicators / Possible SMB/NTLM Brute Force Indicator
2022-04-05 17:02:09 UTC
Model Breach: Device / SMB Lateral Movement — 88.7%

allen-pchp004.ccu.arg · 172.30.79.18
2022-04-29 17:35:26 UTC
SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure
2022-04-29 17:35:26 UTC
allen-pchp004.ccu.arg · 172.30.79.56 was still making an SMB1,NTLM,GSSAPI connection to srvsfeprn.ccu.arg · 172.30.24.157 on TCP port 445.
2022-04-29 17:35:31 UTC
SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure
2022-04-29 17:35:31 UTC
NTLM (Login Fail) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — german
Detail: domain=German-PC hostname=GERMAN-PC auth_successful=F result=logon_failure
2022-04-29 17:35:32 UTC
DT (Model Breach) — Device / Anomaly Indicators / SMB Session Brute Force Non-Admin Indicator
2022-04-29 17:35:33 UTC
DT (Model Breach) to Internal Traffic · 172.30.24.157 on port 445 — Device / SMB Session Brute Force (Non-Admin)
2022-04-29 17:35:34 UTC
SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb1 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure
2022-04-29 17:35:34 UTC
SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb1 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure
2022-04-29 17:35:34 UTC
SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb1 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure
2022-04-29 17:35:34 UTC
Model Breach: Device / SMB Lateral Movement — 88.2%

Suspicious HTTP Redirect — [AP: Exploit, OT Engineer]

LAPTOP-QVK3FGNA · 172.19.208.190 · b8:9a:2a:07:7d:f3
2022-04-04 20:44:29 UTC
LAPTOP-QVK3FGNA · 172.19.208.190 · b8:9a:2a:07:7d:f3 made an HTTP connection to dl-us01.magix.net · 207.244.76.203 on TCP port 80.
2022-04-04 20:44:29 UTC to 2022-04-04 20:44:30 UTC
LAPTOP-QVK3FGNA · 172.19.208.190 · b8:9a:2a:07:7d:f3 made an HTTP connection to dl04.magix.net · 195.214.216.215 on TCP port 80.
2022-04-04 20:44:29 UTC
File Transfer (Exe) to dl-us01.magix.net · 207.244.76.203 on port 80 — Windows Portable Executable seen in plain text, direction: Incoming
New activity
2022-04-04 20:44:29 UTC
File Transfer (Exe) to dl-us01.magix.net · 207.244.76.203 on port 80 — FileTransfer::Exe file found with filetype (application/x-dosexec)
Detail: File: http://dl-us01.magix.net//2019/VEGASPro17/VEGAS_Pro_17.0.0.455_DE-EN-FR-ES_15427790.exe, total seen size: 12420B, direction: Incoming
2022-04-04 20:44:29 UTC
File Transfer (Exe Transfer Start) to dl-us01.magix.net · 207.244.76.203 on port 80 — FileTransfer::Exe file transfer started with filetype (application/x-dosexec)
Detail: File: http://dl-us01.magix.net//2019/VEGASPro17/VEGAS_Pro_17.0.0.455_DE-EN-FR-ES_15427790.exe, total reported size: 724524544B, direction: Incoming
New activity
2022-04-04 20:44:30 UTC
Model Breach: Anomalous File / Suspicious HTTP Redirect — 92.6%

Suspicious Internal Use Of Web Protocol — [AP: Exploit, AP: Lateral Movement]

sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e
2022-04-19 12:04:40 UTC
sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e made an SSL connection to 172.30.67.2 on TCP port 443.
2022-04-19 12:04:40 UTC
sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e made an SSL connection to 172.30.67.2 on TCP port 443.
2022-04-19 12:04:41 UTC
Unusual Activity (meta-classifier) 58.0% — Internal Connections, Internal Connections to Closed Ports, Internal Active Connections
2022-04-19 12:04:42 UTC
sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e failed to make an Unknown connection to 172.30.67.2 on TCP port 135.
2022-04-19 12:04:42 UTC
sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e failed to make an Unknown connection to 172.30.67.2 on TCP port 135.
2022-04-19 12:04:42 UTC
sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e failed to make an Unknown connection to 172.30.67.2 on TCP port 135.
2022-04-19 12:04:42 UTC
sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e failed to make an Unknown connection to 172.30.67.2 on TCP port 135.
2022-04-19 12:04:42 UTC
sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e failed to make an Unknown connection to 172.30.67.2 on TCP port 135.
2022-04-19 12:04:42 UTC
sfe-ger012 · 172.30.68.34 · c8:5a:cf:7a:ce:3e failed to make an Unknown connection to 172.30.67.2 on TCP port 135.
2022-04-19 12:04:42 UTC
Model Breach: Compromise / Suspicious Internal Use Of Web Protocol — 78.3%

SFE-SAPCAP062 · 172.30.74.50 · 50:81:40:bc:32:9c
2022-04-27 19:16:59 UTC
SFE-SAPCAP062 · 172.30.69.28 · 50:81:40:bc:32:9c made a DNS connection to Internal Multicast Traffic · 224.0.0.251 on UDP port 5353.
2022-04-27 19:16:59 UTC
SFE-SAPCAP062 · 172.30.69.28 · 50:81:40:bc:32:9c made an SSL connection to wpad.ccu.arg · 172.30.67.3 on TCP port 443.
2022-04-27 19:16:59 UTC
SFE-SAPCAP062 · 172.30.69.28 · 50:81:40:bc:32:9c made an SSL connection to wpad.ccu.arg · 172.30.67.3 on TCP port 443.
2022-04-27 19:16:59 UTC
SFE-SAPCAP062 · 172.30.69.28 · 50:81:40:bc:32:9c made an SSL connection to wpad.ccu.arg · 172.30.67.3 on TCP port 443.
2022-04-27 19:16:59 UTC
SFE-SAPCAP062 · 172.30.69.28 · 50:81:40:bc:32:9c made an SSL connection to wpad.ccu.arg · 172.30.67.3 on TCP port 443.
2022-04-27 19:17:36 UTC
SFE-SAPCAP062 · 172.30.69.28 · 50:81:40:bc:32:9c made an Unknown connection to wpad.ccu.arg · 172.30.67.3 on UDP port 137.
2022-04-27 19:17:39 UTC
SFE-SAPCAP062 · 172.30.69.28 · 50:81:40:bc:32:9c made an Unknown connection to wpad.ccu.arg · 172.30.67.3 on UDP port 137.
2022-04-27 19:21:22 UTC
SFE-SAPCAP062 · 172.30.69.28 · 50:81:40:bc:32:9c made an Unknown connection to wpad.ccu.arg · 172.30.67.3 on TCP port 443.
2022-04-27 19:21:22 UTC
SSL (Protocol_Error) to wpad.ccu.arg · 172.30.67.3 on port 443 — Invalid SSL seen - protocol violation
Detail: Non-TLS/Invalid TLS traffic on TLS-related ports
2022-04-27 19:21:23 UTC
Model Breach: Compromise / Suspicious Internal Use Of Web Protocol — 65.9%

Suspicious Netlogon RPC Calls — [AP: Exploit]

srvsfeprn.ccu.arg · 172.30.24.157
2022-04-13 14:58:57 UTC to 2022-04-13 14:59:09 UTC
srvsfeprn.ccu.arg · 172.30.24.157 was still making a DCE_RPC,NETLOGON connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 51642.
2022-04-13 14:58:58 UTC to 2022-04-13 14:59:58 UTC
srvsfeprn.ccu.arg · 172.30.24.157 was still making a DCE_RPC,NETLOGON connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 51642.
2022-04-13 14:58:58 UTC to 2022-04-13 14:59:19 UTC
srvsfeprn.ccu.arg · 172.30.24.157 was still making an SOCKS,DCE_RPC,NETLOGON connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 51642.
2022-04-13 15:00:13 UTC
srvsfeprn.ccu.arg · 172.30.24.157 made a DCE_RPC,NETLOGON connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 51642.
2022-04-13 15:00:14 UTC
DCERPC (Bind) to pdcar-wssfv.ccu.arg · 172.19.170.78 on port 51642 — RequestedService: Net logon, status: SUCCESS
Detail: endpoint_uuid: 12345678-1234-abcd-ef00-01234567cffb, SecAddr: 51642
2022-04-13 15:00:15 UTC
DT (Model Breach) — Device / Anomaly Indicators / Anomalous Netlogon RPC Calls
2022-04-13 15:00:16 UTC
Model Breach: Compromise / Suspicious Netlogon RPC Calls — 100.0%

Suspicious Network Scan Activity — [AP: Internal Recon, AP: Scanning, Enhanced Monitoring, OT Engineer]

serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6
2022-04-06 09:19:09 UTC
serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to VSPNBMVILLAR1 · 192.168.1.92 · e4:e7:49:1e:15:db on TCP port 80.
2022-04-06 09:19:09 UTC
serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to 192.168.1.82 on TCP port 80.
2022-04-06 09:19:09 UTC
serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to Internal Traffic · 192.168.1.40 on TCP port 80.
2022-04-06 09:19:09 UTC
serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to 192.168.1.27 on TCP port 80.
2022-04-06 09:19:09 UTC
serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to Internal Traffic · 192.168.1.96 on TCP port 80.
2022-04-06 09:19:10 UTC
Unusual Activity (meta-classifier) 69.0% — Internal Connection Spread, Internal Connections to Closed Ports
2022-04-06 09:19:10 UTC
Unusual Activity (meta-classifier) 29.0% — Internal Connection Spread, Internal Connections to Closed Ports
2022-04-06 09:19:10 UTC
Unusual Activity (meta-classifier) 17.0% — Internal Connection Spread
2022-04-06 09:19:11 UTC
DT (Model Breach) — Device / Network Scan
2022-04-06 09:19:12 UTC
Model Breach: Device / Suspicious Network Scan Activity — 100.0%

ECUNBJDRIQUE2 · 172.17.91.86 · 18:26:49:b3:a8:da
2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.226 on TCP port 445.
2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.220 on TCP port 445.
2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.222 on TCP port 445.
2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.218 on TCP port 445.
2022-04-06 21:36:49 UTC to 2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.225 on TCP port 21.
2022-04-06 21:36:49 UTC to 2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.228 on TCP port 21.
2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.253 on TCP port 80.
2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.222 on TCP port 21.

srvlv3adaudit.ccu.arg · 172.30.101.31
2022-04-20 14:54:14 UTC to 2022-04-20 14:54:17 UTC
srvlv3adaudit.ccu.arg · 172.30.101.31 made an Unknown connection to Internal Traffic · 192.168.1.182 on TCP port 135.
2022-04-20 14:54:17 UTC
srvlv3adaudit.ccu.arg · 172.30.101.31 failed to make an Unknown connection to Internal Traffic · 192.168.1.182 on TCP port 135.
2022-04-20 14:54:22 UTC to 2022-04-20 14:54:25 UTC
srvlv3adaudit.ccu.arg · 172.30.101.31 made an Unknown connection to Internal Traffic · 172.30.19.118 on TCP port 135.
2022-04-20 14:54:25 UTC
srvlv3adaudit.ccu.arg · 172.30.101.31 failed to make an Unknown connection to Internal Traffic · 172.30.19.118 on TCP port 135.
2022-04-20 14:54:47 UTC
srvlv3adaudit.ccu.arg · 172.30.101.31 failed to make an Unknown connection to Internal Traffic · 172.30.119.10 on TCP port 135.
2022-04-20 14:54:50 UTC
srvlv3adaudit.ccu.arg · 172.30.101.31 failed to make an Unknown connection to 172.30.119.20 on TCP port 135.
2022-04-20 14:54:51 UTC
DT (Model Breach) — Device / Network Scan
2022-04-20 14:54:52 UTC
Model Breach: Device / Suspicious Network Scan Activity — 92.4%

RDP Brute Force — [AP: Bruteforce, AP: Lateral Movement, OT Engineer]

172.30.24.19
2022-04-24 05:57:15 UTC
172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.
2022-04-24 05:57:15 UTC
172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.
2022-04-24 05:57:15 UTC
172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.
2022-04-24 05:57:15 UTC to 2022-04-24 05:57:17 UTC
172.30.24.19 made an Unknown connection to 38.91.100.7 on TCP port 3389.
2022-04-24 05:57:16 UTC
172.30.24.19 made an Unknown connection to 38.91.100.7 on TCP port 3389.
2022-04-24 05:57:16 UTC
172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.
2022-04-24 05:57:17 UTC
DT (Model Breach) — Device / Anomaly Indicators / RDP Brute Force Indicator
2022-04-24 05:57:18 UTC
Model Breach: Anomalous Connection / RDP Brute Force — 88.1%

Possible Brute-Force Activity — [AP: Bruteforce, AP: Lateral Movement, OT Engineer]

NT-ANW-025 · 172.20.116.57 · b0:7b:25:4f:64:f9
2022-04-08 13:30:18 UTC to 2022-04-08 13:30:27 UTC
NT-ANW-025 · 172.20.116.57 · b0:7b:25:4f:64:f9 made an SSL connection to CVRPCCONTRE1 · 172.21.28.4 · 04:0e:3c:1c:70:5f on TCP port 443.
2022-04-08 13:30:27 UTC
NT-ANW-025 · 172.20.116.57 · b0:7b:25:4f:64:f9 was still making an SSL connection to CVRPCCONTRE1 · 172.21.28.4 · 04:0e:3c:1c:70:5f on TCP port 443.
2022-04-08 13:30:27 UTC
NT-ANW-025 · 172.20.116.57 · b0:7b:25:4f:64:f9 was still making an SSL connection to CVRPCCONTRE1 · 172.21.28.4 · 04:0e:3c:1c:70:5f on TCP port 443.
2022-04-08 13:30:33 UTC
NT-ANW-025 · 172.20.116.57 · b0:7b:25:4f:64:f9 was still making an SSL connection to CVRPCCONTRE1 · 172.21.28.4 · 04:0e:3c:1c:70:5f on TCP port 443.
2022-04-08 13:30:36 UTC
NT-ANW-025 · 172.20.116.57 · b0:7b:25:4f:64:f9 made an SSL connection to CVRPCCONTRE1 · 172.21.28.4 · 04:0e:3c:1c:70:5f on TCP port 443.
2022-04-08 13:30:36 UTC
NT-ANW-025 · 172.20.116.57 · b0:7b:25:4f:64:f9 made an SSL connection to CVRPCCONTRE1 · 172.21.28.4 · 04:0e:3c:1c:70:5f on TCP port 443.
2022-04-08 13:32:19 UTC
NT-ANW-025 · 172.20.116.57 · b0:7b:25:4f:64:f9 made an SSL connection to CVRPCCONTRE1 · 172.21.28.4 · 04:0e:3c:1c:70:5f on TCP port 443.
2022-04-08 13:32:20 UTC
Unusual Activity (meta-classifier) 39.0% — Internal Data Transfer, Internal Connections, Internal Connections to Closed Ports, Internal Active Connections
2022-04-08 13:32:21 UTC
Model Breach: Device / Possible Brute-Force Activity — 79.5%

sfe-man004 · 172.30.74.37 · 04:0e:3c:c1:dc:2b
2022-04-07 15:58:39 UTC to 2022-04-07 15:58:54 UTC
sfe-man004 · 172.30.74.37 · 04:0e:3c:c1:dc:2b made an SSL connection to 172.30.71.18 on TCP port 443.
2022-04-07 15:58:54 UTC
sfe-man004 · 172.30.74.37 · 04:0e:3c:c1:dc:2b made an SSL connection to 172.30.71.18 on TCP port 443.
2022-04-07 15:58:54 UTC
sfe-man004 · 172.30.74.37 · 04:0e:3c:c1:dc:2b made an SSL connection to 172.30.71.18 on TCP port 443.
2022-04-07 15:58:54 UTC
sfe-man004 · 172.30.74.37 · 04:0e:3c:c1:dc:2b was still making an SSL connection to 172.30.71.18 on TCP port 443.
2022-04-07 15:58:54 UTC
sfe-man004 · 172.30.74.37 · 04:0e:3c:c1:dc:2b was still making an SSL connection to 172.30.71.18 on TCP port 443.
2022-04-07 15:58:54 UTC
sfe-man004 · 172.30.74.37 · 04:0e:3c:c1:dc:2b was still making an SSL connection to 172.30.71.18 on TCP port 443.
2022-04-07 15:58:54 UTC
sfe-man004 · 172.30.74.37 · 04:0e:3c:c1:dc:2b was still making an SSL connection to 172.30.71.18 on TCP port 443.
2022-04-07 15:58:55 UTC
sfe-man004 · 172.30.74.37 · 04:0e:3c:c1:dc:2b made an SSL connection to 172.30.71.18 on TCP port 443.
2022-04-07 15:58:56 UTC
Model Breach: Device / Possible Brute-Force Activity — 78.5%

10.172.192.224
2022-04-22 19:08:58 UTC
10.172.192.224 made an SSL connection to meta4win7-1.ccu.local · 10.235.105.36 on TCP port 443.
2022-04-22 19:08:58 UTC
10.172.192.224 made an SSL connection to meta4win7-1.ccu.local · 10.235.105.36 on TCP port 443.
2022-04-22 19:08:58 UTC
10.172.192.224 was still making an SSL connection to meta4win7-1.ccu.local · 10.235.105.36 on TCP port 443.
2022-04-22 19:08:59 UTC
10.172.192.224 made an Unknown connection to meta4win7-1.ccu.local · 10.235.105.36 on TCP port 443.
2022-04-22 19:08:59 UTC
10.172.192.224 failed to make an Unknown connection to meta4win7-1.ccu.local · 10.235.105.36 on TCP port 443.
2022-04-22 19:08:59 UTC
10.172.192.224 made an SSL connection to meta4win7-1.ccu.local · 10.235.105.36 on TCP port 443.
2022-04-22 19:08:59 UTC
10.172.192.224 made an SSL connection to meta4win7-1.ccu.local · 10.235.105.36 on TCP port 443.
2022-04-22 19:08:59 UTC
10.172.192.224 made an SSL connection to meta4win7-1.ccu.local · 10.235.105.36 on TCP port 443.
2022-04-22 19:09:01 UTC
Unusual Activity (meta-classifier) 39.0% — Internal Connections, Internal Connections to Closed Ports, Internal Active Connections
2022-04-22 19:09:02 UTC
Model Breach: Device / Possible Brute-Force Activity — 70.0%

Unusual DRS Activity — [AP: Exploit]

pdcar-wssfv.ccu.arg · 172.19.170.78
2022-04-06 14:28:11 UTC
DCERPC (Bind) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49154 — RequestedService: IWbemWCOSmartEnum interface, status: SUCCESS
Detail: endpoint_uuid: 423ec01e-2e35-11d2-b604-00104b703efd, SecAddr:
New activity
2022-04-06 14:28:12 UTC
DT (Model Breach) — Device / Anomaly Indicators / New or Uncommon WMI Activity Indicator
2022-04-06 14:28:13 UTC
DT (Model Breach) to Internal Traffic · 192.168.15.4 on port 49154 — Device / New or Uncommon WMI Activity
2022-04-06 15:11:44 UTC
pdcar-wssfv.ccu.arg · 172.19.170.78 made a DCE_RPC connection to srvlv3dc.ccu.arg · 192.168.15.4 on TCP port 49200.
2022-04-06 15:12:08 UTC
DCERPC (Request) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — operation: DRSGetNCChanges, endpoint: drsuapi, status: SUCCESS
Detail: opnum: 0x3, endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr: 49200
2022-04-06 15:12:08 UTC
DCERPC (Bind) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — RequestedService: drsuapi, status: SUCCESS
Detail: endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr: 49200
2022-04-06 15:12:08 UTC
DCERPC (Request) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — operation: DRSGetNCChanges, endpoint: drsuapi, status: SUCCESS
Detail: opnum: 0x3, endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr: 49200
2022-04-06 15:12:08 UTC
DCERPC (Bind) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — RequestedService: drsuapi, status: SUCCESS
Detail: endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr:
2022-04-06 15:12:08 UTC
DCERPC (Request) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — operation: DRSGetNCChanges, endpoint: drsuapi, status: SUCCESS
Detail: opnum: 0x3, endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
New activity
2022-04-06 15:12:09 UTC
Model Breach: Compromise / Unusual DRS Activity — 88.2%

pdcar-wssfv.ccu.arg · 172.19.170.78
2022-04-06 14:27:47 UTC
Protocol Detector (Server_Found) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49154 — 192.168.15.4: DCE_RPC server on port 49154/tcp
Detail: DCE_RPC
New activity
2022-04-06 14:27:47 UTC
pdcar-wssfv.ccu.arg · 172.19.170.78 was still making a DCE_RPC connection to srvlv3dc.ccu.arg · 192.168.15.4 on TCP port 49154.
2022-04-06 15:11:44 UTC
pdcar-wssfv.ccu.arg · 172.19.170.78 made a DCE_RPC connection to srvlv3dc.ccu.arg · 192.168.15.4 on TCP port 49200.
2022-04-06 15:11:48 UTC
DCERPC (Bind) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — RequestedService: drsuapi, status: SUCCESS
Detail: endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr:
2022-04-06 15:11:48 UTC
DCERPC (Bind) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — RequestedService: drsuapi, status: SUCCESS
Detail: endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr: 49200
2022-04-06 15:11:48 UTC
DCERPC (Request) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — operation: DRSGetNCChanges, endpoint: drsuapi, status: SUCCESS
Detail: opnum: 0x3, endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr: 49200
2022-04-06 15:11:48 UTC
DCERPC (Request) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — operation: DRSGetNCChanges, endpoint: drsuapi, status: SUCCESS
Detail: opnum: 0x3, endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
New activity
2022-04-06 15:11:48 UTC
DCERPC (Request) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — operation: DRSGetNCChanges, endpoint: drsuapi, status: SUCCESS
Detail: opnum: 0x3, endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr: 49200
2022-04-06 15:11:48 UTC
DCERPC (Request) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — operation: DRSGetNCChanges, endpoint: drsuapi, status: SUCCESS
Detail: opnum: 0x3, endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr: 49200
2022-04-06 15:11:49 UTC
Model Breach: Compromise / Unusual DRS Activity — 79.5%

Top Model Breaching Devices

Devices Affected
ecunbtbinari.ccu.local — breached: High Priority Crypto Currency Mining (first seen: 2022-04-04 15:09:37 UTC)
ccunbkrriazan.ccu.local — breached: Internet Facing Device with High Priority Alert (first seen: 2022-04-20 15:45:50 UTC)
172.18.33.50 — breached: New User Agent and POST (first seen: 2022-04-08 15:05:25 UTC)
172.30.24.19 — breached: RDP Brute Force (first seen: 2022-04-24 05:57:18 UTC)
allen-pchp004.ccu.arg — breached: SMB Lateral Movement (first seen: 2022-04-29 17:35:34 UTC)
MNTNBCAREYES — breached: SMB Lateral Movement (first seen: 2022-04-05 17:02:09 UTC)
mntnbsmorenog.ccu.local — breached: SMB Lateral Movement (first seen: 2022-04-13 21:03:58 UTC)
sfe-li3013.ccu.arg — breached: SSL or HTTP Beacon (first seen: 2022-04-12 21:48:59 UTC)
CCUNBFRPINO — breached: SSL or HTTP Beacon (first seen: 2022-04-25 11:58:10 UTC)
LAPTOP-QVK3FGNA — breached: Suspicious HTTP Redirect (first seen: 2022-04-04 20:44:30 UTC)
srvsfeprn.ccu.arg — breached: Suspicious Netlogon RPC Calls (first seen: 2022-04-13 15:00:16 UTC)
srvlv3adaudit.ccu.arg — breached: Suspicious Network Scan Activity (first seen: 2022-04-20 14:54:52 UTC)
serveurscalya.ccu.local — breached: Suspicious Network Scan Activity (first seen: 2022-04-06 09:19:12 UTC)
ECUNBJDRIQUE2 — breached: Suspicious Network Scan Activity (first seen: 2022-04-06 21:36:49 UTC)
CCUnbAPARDO — breached: Tor Domain DNS Requests (first seen: 2022-04-01 12:46:34 UTC)
ecunbelira.ccu.local — breached: Tor Domain DNS Requests (first seen: 2022-04-20 15:22:48 UTC)

Details
SMB Lateral Movement

mntnbsmorenog.ccu.local · 10.100.26.166

2022-04-13 21:03:55 UTC
NTLM (Login Fail) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: domain=CCUCL hostname=CCUNBSMBECER2 auth_successful=F result=logon_failure

2022-04-13 21:03:55 UTC
SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-13 21:03:55 UTC
SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-13 21:03:55 UTC
SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-13 21:03:55 UTC
NTLM (Login Fail) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: domain=CCUCL hostname=CCUNBSMBECER2 auth_successful=F result=logon_failure

2022-04-13 21:03:55 UTC
SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-13 21:03:55 UTC
NTLM (Login Fail) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: domain=CCUCL hostname=CCUNBSMBECER2 auth_successful=F result=logon_failure

2022-04-13 21:03:56 UTC
DT (Model Breach) — Device / Anomaly Indicators / SMB Session Brute Force Non-Admin Indicator

2022-04-13 21:03:57 UTC
DT (Model Breach) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — Device / SMB Session Brute Force (Non-Admin)

2022-04-13 21:03:58 UTC
Model Breach: Device / SMB Lateral Movement — 88.8%
MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7

2022-04-05 17:02:06 UTC
MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 made an SMB,NTLM,GSSAPI connection to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on TCP port 445.

2022-04-05 17:02:06 UTC
MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 made an SMB,NTLM,GSSAPI connection to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on TCP port 445.

2022-04-05 17:02:07 UTC
MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 made an SMB,NTLM,GSSAPI connection to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on TCP port 445.

2022-04-05 17:02:07 UTC
MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 made an SMB,NTLM,GSSAPI connection to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on TCP port 445.

2022-04-05 17:02:07 UTC
SMB (Session Failure) to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on port 445 — jmpugad
Detail: client_hostname=MNTNBCAREYES domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-05 17:02:07 UTC
SMB (Session Failure) to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on port 445 — jmpugad
Detail: client_hostname=MNTNBCAREYES domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-05 17:02:07 UTC
NTLM (Login Fail) to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on port 445 — jmpugad
Detail: domain=CCUCL hostname=MNTNBCAREYES auth_successful=F result=logon_failure

2022-04-05 17:02:07 UTC
NTLM (Login Fail) to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on port 445 — jmpugad
Detail: domain=CCUCL hostname=MNTNBCAREYES auth_successful=F result=logon_failure

2022-04-05 17:02:08 UTC
DT (Model Breach) — Device / Anomaly Indicators / Possible SMB/NTLM Brute Force Indicator

2022-04-05 17:02:09 UTC
Model Breach: Device / SMB Lateral Movement — 88.7%

allen-pchp004.ccu.arg · 172.30.79.18

2022-04-29 17:35:26 UTC
SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-29 17:35:26 UTC
allen-pchp004.ccu.arg · 172.30.79.56 was still making an SMB1,NTLM,GSSAPI connection to srvsfeprn.ccu.arg · 172.30.24.157 on TCP port 445.

2022-04-29 17:35:31 UTC
SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-29 17:35:31 UTC
NTLM (Login Fail) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — german
Detail: domain=German-PC hostname=GERMAN-PC auth_successful=F result=logon_failure

2022-04-29 17:35:32 UTC
DT (Model Breach) — Device / Anomaly Indicators / SMB Session Brute Force Non-Admin Indicator

2022-04-29 17:35:33 UTC
DT (Model Breach) to Internal Traffic · 172.30.24.157 on port 445 — Device / SMB Session Brute Force (Non-Admin)

2022-04-29 17:35:34 UTC
SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb1 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-29 17:35:34 UTC
SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb1 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-29 17:35:34 UTC
SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb1 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-29 17:35:34 UTC
Model Breach: Device / SMB Lateral Movement — 88.2%

High Priority Crypto Currency Mining

ecunbtbinari.ccu.local · 192.168.112.123

2022-04-04 15:08:58 UTC
ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:08:59 UTC
ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-04 15:09:03 UTC
ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:09:23 UTC
ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:09:23 UTC
ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-04 15:09:26 UTC
ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:09:34 UTC
ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-04 15:09:35 UTC
ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:09:36 UTC
DT (Model Breach) — Compromise / Monero Mining

2022-04-04 15:09:37 UTC
Model Breach: Compromise / High Priority Crypto Currency Mining — 100.0%

Suspicious HTTP Redirect

LAPTOP-QVK3FGNA · 172.19.208.190 · b8:9a:2a:07:7d:f3

2022-04-04 20:44:29 UTC
LAPTOP-QVK3FGNA · 172.19.208.190 · b8:9a:2a:07:7d:f3 made an HTTP connection to dl-us01.magix.net · 207.244.76.203 on TCP port 80.

2022-04-04 20:44:29 UTC to 2022-04-04 20:44:30 UTC
LAPTOP-QVK3FGNA · 172.19.208.190 · b8:9a:2a:07:7d:f3 made an HTTP connection to dl04.magix.net · 195.214.216.215 on TCP port 80.

2022-04-04 20:44:29 UTC
File Transfer (Exe) to dl-us01.magix.net · 207.244.76.203 on port 80 — Windows Portable Executable seen in plain text, direction: Incoming
New activity

2022-04-04 20:44:29 UTC
File Transfer (Exe) to dl-us01.magix.net · 207.244.76.203 on port 80 — FileTransfer::Exe file found with filetype (application/x-dosexec)
Detail: File: http://dl-us01.magix.net//2019/VEGASPro17/VEGAS_Pro_17.0.0.455_DE-EN-FR-ES_15427790.exe, total seen size: 12420B, direction: Incoming

2022-04-04 20:44:29 UTC
File Transfer (Exe Transfer Start) to dl-us01.magix.net · 207.244.76.203 on port 80 — FileTransfer::Exe file transfer started with filetype (application/x-dosexec)
Detail: File: http://dl-us01.magix.net//2019/VEGASPro17/VEGAS_Pro_17.0.0.455_DE-EN-FR-ES_15427790.exe, total reported size: 724524544B, direction: Incoming
New activity

2022-04-04 20:44:30 UTC
Model Breach: Anomalous File / Suspicious HTTP Redirect — 92.6%

Internet Facing Device with High Priority Alert

ccunbkrriazan.ccu.local · 172.18.22.105 · 84:2a:fd:bd:05:3d

2022-04-20 15:45:42 UTC
131.55.20.56 made an SMB,NTLM,GSSAPI connection to ccunbkrriazan.ccu.local · 172.18.22.105 · 84:2a:fd:bd:05:3d on TCP port 445.

2022-04-20 15:45:48 UTC
Unusual Credential Use to ccunbkrriazan.ccu.local · 172.18.22.105 · 84:2a:fd:bd:05:3d on port 445 — Unusual source for use of jdrique from AS385 AFCONC-BLOCK1-AS
Detail: jdrique has logged into 3 devices in the last 2 hours
New activity

2022-04-20 15:45:48 UTC
SMB (Session Success) to ccunbkrriazan.ccu.local · 172.18.22.105 · 84:2a:fd:bd:05:3d on port 445 — jdrique
Detail: client_hostname=ECUNBJDRIQUE2 domain=CCUCL mechType=NTLMSSP server_signed version=smb2

2022-04-20 15:45:48 UTC
NTLM (Login) to ccunbkrriazan.ccu.local · 172.18.22.105 · 84:2a:fd:bd:05:3d on port 445 — jdrique
Detail: domain=CCUCL hostname=ECUNBJDRIQUE2 auth_successful=T result=success

2022-04-20 15:45:49 UTC
DT (Model Breach) — User / Unusual External Source for Credential Use

2022-04-20 15:45:50 UTC
Model Breach: Device / Internet Facing Device with High Priority Alert — 88.2%

SSL or HTTP Beacon

sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd

2022-04-12 21:47:55 UTC
sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa6.site · 185.209.15.36 on TCP port 443.

2022-04-12 21:47:56 UTC
sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa1.site · 185.209.15.114 on TCP port 443.

2022-04-12 21:47:57 UTC
DT (Model Breach) — Device / Anomaly Indicators / Spike in SSL or HTTP Connections to New Location

2022-04-12 21:48:49 UTC
sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa6.site · 185.209.15.36 on TCP port 443.

2022-04-12 21:48:51 UTC
sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa6.site · 185.209.15.36 on TCP port 443.

2022-04-12 21:48:53 UTC
sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa6.site · 185.209.15.36 on TCP port 443.

2022-04-12 21:48:55 UTC
sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa6.site · 185.209.15.36 on TCP port 443.

2022-04-12 21:48:57 UTC
sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa6.site · 185.209.15.36 on TCP port 443.

2022-04-12 21:48:58 UTC
DT (Model Breach) — Device / Anomaly Indicators / Spike in SSL or HTTP Connections to New Location

2022-04-12 21:48:59 UTC
Model Breach: Compromise / SSL or HTTP Beacon — 100.0%
CCUNBFRPINO · 172.19.92.42 · 08:5b:d6:ce:0a:d1

2022-04-25 11:57:53 UTC to 2022-04-25 11:57:58 UTC
CCUNBFRPINO · 172.19.92.42 · 08:5b:d6:ce:0a:d1 made an SSL connection to rastreo.gpslocker.cl · 88.198.205.81 on TCP port 443.

2022-04-25 11:57:57 UTC
CCUNBFRPINO · 172.19.92.42 · 08:5b:d6:ce:0a:d1 made an SSL connection to rastreo.gpslocker.cl · 88.198.205.81 on TCP port 9002.

2022-04-25 11:57:59 UTC to 2022-04-25 11:58:04 UTC
CCUNBFRPINO · 172.19.92.42 · 08:5b:d6:ce:0a:d1 made an SSL connection to rastreo.gpslocker.cl · 88.198.205.81 on TCP port 443.

2022-04-25 11:58:05 UTC to 2022-04-25 11:58:10 UTC
CCUNBFRPINO · 172.19.92.42 · 08:5b:d6:ce:0a:d1 made an SSL connection to rastreo.gpslocker.cl · 88.198.205.81 on TCP port 443.

2022-04-25 11:58:08 UTC
CCUNBFRPINO · 172.19.92.42 · 08:5b:d6:ce:0a:d1 made an SSL connection to rastreo.gpslocker.cl · 88.198.205.81 on TCP port 9002.

2022-04-25 11:58:09 UTC
DT (Model Breach) — Device / Anomaly Indicators / Spike in SSL or HTTP Connections to New Location

2022-04-25 11:58:10 UTC
Model Breach: Compromise / SSL or HTTP Beacon — 100.0%

New User Agent and POST

172.18.33.50 · a2:0d:cb:05:b4:10

2022-04-08 15:05:24 UTC
172.18.33.50 · a2:0d:cb:05:b4:10 made an HTTP connection to 45.79.179.111 on TCP port 80.

2022-04-08 15:05:24 UTC
DT (Post With No Get) to 45.79.179.111 on port None — /python-ios/compile_python_version_dir_acc.php
New activity

2022-04-08 15:05:24 UTC
DT (New Device User Agent) to 45.79.179.111 on port 80 — Python Compiler/3.8.1 (iPhone; iOS 15.1; Scale/3.00)
New activity

2022-04-08 15:05:25 UTC
Model Breach: Compromise / New User Agent and POST — 100.0%

Suspicious Netlogon RPC Calls

srvsfeprn.ccu.arg · 172.30.24.157

2022-04-13 14:58:57 UTC to 2022-04-13 14:59:09 UTC
srvsfeprn.ccu.arg · 172.30.24.157 was still making a DCE_RPC,NETLOGON connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 51642.

2022-04-13 14:58:58 UTC to 2022-04-13 14:59:58 UTC
srvsfeprn.ccu.arg · 172.30.24.157 was still making a DCE_RPC,NETLOGON connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 51642.

2022-04-13 14:58:58 UTC to 2022-04-13 14:59:19 UTC
srvsfeprn.ccu.arg · 172.30.24.157 was still making a SOCKS,DCE_RPC,NETLOGON connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 51642.

2022-04-13 15:00:13 UTC
srvsfeprn.ccu.arg · 172.30.24.157 made a DCE_RPC,NETLOGON connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 51642.

2022-04-13 15:00:14 UTC
DCERPC (Bind) to pdcar-wssfv.ccu.arg · 172.19.170.78 on port 51642 — RequestedService: Net logon, status: SUCCESS
Detail: endpoint_uuid: 12345678-1234-abcd-ef00-01234567cffb, SecAddr: 51642

2022-04-13 15:00:15 UTC
DT (Model Breach) — Device / Anomaly Indicators / Anomalous Netlogon RPC Calls

2022-04-13 15:00:16 UTC
Model Breach: Compromise / Suspicious Netlogon RPC Calls — 100.0%

Suspicious Network Scan Activity

serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6

2022-04-06 09:19:09 UTC
serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to VSPNBMVILLAR1 · 192.168.1.92 · e4:e7:49:1e:15:db on TCP port 80.

2022-04-06 09:19:09 UTC
serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to 192.168.1.82 on TCP port 80.

2022-04-06 09:19:09 UTC
serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to Internal Traffic · 192.168.1.40 on TCP port 80.

2022-04-06 09:19:09 UTC
serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to 192.168.1.27 on TCP port 80.

2022-04-06 09:19:09 UTC
serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to Internal Traffic · 192.168.1.96 on TCP port 80.

2022-04-06 09:19:10 UTC
Unusual Activity (meta-classifier) 69.0% — Internal Connection Spread, Internal Connections to Closed Ports

2022-04-06 09:19:10 UTC
Unusual Activity (meta-classifier) 29.0% — Internal Connection Spread, Internal Connections to Closed Ports

2022-04-06 09:19:10 UTC
Unusual Activity (meta-classifier) 17.0% — Internal Connection Spread

2022-04-06 09:19:11 UTC
DT (Model Breach) — Device / Network Scan

2022-04-06 09:19:12 UTC
Model Breach: Device / Suspicious Network Scan Activity — 100.0%

ECUNBJDRIQUE2 · 172.17.91.86 · 18:26:49:b3:a8:da

2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.226 on TCP port 445.

2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.220 on TCP port 445.

2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.222 on TCP port 445.

2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.218 on TCP port 445.

2022-04-06 21:36:49 UTC to 2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.225 on TCP port 21.

2022-04-06 21:36:49 UTC to 2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.228 on TCP port 21.

2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.253 on TCP port 80.

2022-04-06 21:36:49 UTC
ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.222 on TCP port 21.

srvlv3adaudit.ccu.arg · 172.30.101.31

2022-04-20 14:54:14 UTC to 2022-04-20 14:54:17 UTC
srvlv3adaudit.ccu.arg · 172.30.101.31 made an Unknown connection to Internal Traffic · 192.168.1.182 on TCP port 135.

2022-04-20 14:54:17 UTC
srvlv3adaudit.ccu.arg · 172.30.101.31 failed to make an Unknown connection to Internal Traffic · 192.168.1.182 on TCP port 135.

2022-04-20 14:54:22 UTC to 2022-04-20 14:54:25 UTC
srvlv3adaudit.ccu.arg · 172.30.101.31 made an Unknown connection to Internal Traffic · 172.30.19.118 on TCP port 135.

2022-04-20 14:54:25 UTC
srvlv3adaudit.ccu.arg · 172.30.101.31 failed to make an Unknown connection to Internal Traffic · 172.30.19.118 on TCP port 135.

2022-04-20 14:54:47 UTC
srvlv3adaudit.ccu.arg · 172.30.101.31 failed to make an Unknown connection to Internal Traffic · 172.30.119.10 on TCP port 135.

2022-04-20 14:54:50 UTC
srvlv3adaudit.ccu.arg · 172.30.101.31 failed to make an Unknown connection to 172.30.119.20 on TCP port 135.

2022-04-20 14:54:51 UTC
DT (Model Breach) — Device / Network Scan

2022-04-20 14:54:52 UTC
Model Breach: Device / Suspicious Network Scan Activity — 92.4%

RDP Brute Force

172.30.24.19

2022-04-24 05:57:15 UTC
172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.

2022-04-24 05:57:15 UTC
172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.

2022-04-24 05:57:15 UTC
172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.

2022-04-24 05:57:15 UTC to 2022-04-24 05:57:17 UTC
172.30.24.19 made an Unknown connection to 38.91.100.7 on TCP port 3389.

2022-04-24 05:57:16 UTC
172.30.24.19 made an Unknown connection to 38.91.100.7 on TCP port 3389.

2022-04-24 05:57:16 UTC
172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.

2022-04-24 05:57:17 UTC
DT (Model Breach) — Device / Anomaly Indicators / RDP Brute Force Indicator

2022-04-24 05:57:18 UTC
Model Breach: Anomalous Connection / RDP Brute Force — 88.1%

Tor Domain DNS Requests

CCUnbAPARDO · 172.18.18.13 · 30:24:a9:a2:d4:da

2022-04-01 12:10:25 UTC
CCUnbAPARDO · 172.18.18.13 · 30:24:a9:a2:d4:da failed to look up qtornadoklbgdyww.onion in a DNS connection to srv-dc-03-.ccu.local · 172.19.170.8 on UDP port 53.

2022-04-01 12:46:33 UTC
CCUnbAPARDO · 172.18.18.13 · 30:24:a9:a2:d4:da failed to look up qtornadoklbgdyww.onion in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-01 12:46:34 UTC
Model Breach: Compromise / Tor Domain DNS Requests — 87.1%

ecunbelira.ccu.local · 10.100.30.117

2022-04-20 14:48:23 UTC
ecunbelira.ccu.local · 10.100.30.117 failed to look up ozahtqwp25chjdjd.onion in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-20 15:22:47 UTC
ecunbelira.ccu.local · 10.100.30.117 failed to look up ozahtqwp25chjdjd.onion in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-20 15:22:48 UTC
Model Breach: Compromise / Tor Domain DNS Requests — 87.1%

Enhanced Monitoring

Devices Affected
vsppcvtamoli2.ccu.local — breached: Connections with Suspicious DNS (first seen: 2022-04-17 22:23:04 UTC)
crvnbfaaguile.ccu.local — breached: Connections with Suspicious DNS (first seen: 2022-04-10 21:31:15 UTC)
pc791 — breached: Connections with Suspicious DNS (first seen: 2022-04-26 18:35:26 UTC)
vsppclcorvals.ccu.local — breached: DGA Beacon (first seen: 2022-04-29 21:31:17 UTC)
luj-bar7102.ccu.arg — breached: Fast Beaconing to DGA (first seen: 2022-04-06 22:05:59 UTC)
192.168.101.53 — breached: Fast Beaconing to DGA (first seen: 2022-04-09 07:27:35 UTC)
ecunbiandia.ccu.local — breached: Fast Beaconing to DGA (first seen: 2022-04-12 20:59:28 UTC)
Galaxy-S20 — breached: Fast Beaconing to DGA (first seen: 2022-04-13 21:01:53 UTC)
A20s-de-Cedric — breached: Fast Beaconing to DGA (first seen: 2022-04-12 23:17:33 UTC)
S20-FE-de-Benjamin — breached: Fast Beaconing to DGA (first seen: 2022-04-12 21:07:34 UTC)
ecunbtbinari.ccu.local — breached: High Priority Crypto Currency Mining, Monero Mining (first seen: 2022-04-04 15:09:36 UTC)
crenb idalg — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-06 14:55:46 UTC)
crvpclablunoa.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-27 02:43:44 UTC)
tccpcbodega2.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-16 19:38:39 UTC)
ecupcporsanm3.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-27 02:36:19 UTC)
crenb idalg.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-08 15:04:12 UTC)
ccunbarodrigl.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-01 21:37:47 UTC)
tccnbanrubiot.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-05 00:27:03 UTC)
kunnbcmiller.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-08 22:14:15 UTC)
10.100.21.14 — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-04-09 16:38:14 UTC)
vsppcpemolin.ccu.local — breached: Large DNS Volume for Suspicious Domain, Connections with Suspicious DNS (first seen: 2022-04-27 23:10:35 UTC)
tccpcmalquin — breached: Large DNS Volume for Suspicious Domain, Connections with Suspicious DNS (first seen: 2022-04-09 21:13:25 UTC)
vsppcz2l1.ccu.local — breached: Large DNS Volume for Suspicious Domain, DGA Beacon (first seen: 2022-04-09 13:09:06 UTC)
172.30.22.26 — breached: Monero Mining (first seen: 2022-04-25 16:12:27 UTC)
172.18.33.50 — breached: New User Agent and POST (first seen: 2022-04-08 15:05:25 UTC)
172.30.24.19 — breached: RDP Brute Force (first seen: 2022-04-24 05:57:18 UTC)
allen-pchp004.ccu.arg — breached: SMB Lateral Movement (first seen: 2022-04-29 17:35:34 UTC)
MNTNBCAREYES — breached: SMB Lateral Movement (first seen: 2022-04-05 17:02:09 UTC)
mntnbsmorenog.ccu.local — breached: SMB Lateral Movement (first seen: 2022-04-13 21:03:58 UTC)
tccnbdrojasc.ccu.local — breached: SMB Lateral Movement (first seen: 2022-04-13 18:20:15 UTC)
comnbfmramire.ccu.local — breached: SMB Lateral Movement (first seen: 2022-04-13 00:17:26 UTC)
sfe-li3013.ccu.arg — breached: SSL or HTTP Beacon (first seen: 2022-04-12 21:48:59 UTC)
CCUNBFRPINO — breached: SSL or HTTP Beacon (first seen: 2022-04-25 11:58:10 UTC)
LAPTOP-QVK3FGNA — breached: Suspicious HTTP Redirect (first seen: 2022-04-04 20:44:30 UTC)
srvsfeprn.ccu.arg — breached: Suspicious Netlogon RPC Calls (first seen: 2022-04-13 15:00:16 UTC)
srvlv3adaudit.ccu.arg — breached: Suspicious Network Scan Activity (first seen: 2022-04-20 14:54:52 UTC)
serveurscalya.ccu.local — breached: Suspicious Network Scan Activity (first seen: 2022-04-06 09:19:12 UTC)
ECUNBJDRIQUE2 — breached: Suspicious Network Scan Activity (first seen: 2022-04-06 21:36:49 UTC)
CCUnbAPARDO — breached: Tor Domain DNS Requests (first seen: 2022-04-01 12:46:34 UTC)
ecunbelira.ccu.local — breached: Tor Domain DNS Requests (first seen: 2022-04-20 15:22:48 UTC)
pdcar-wssfv.ccu.arg — breached: Unusual DRS Activity (first seen: 2022-04-06 15:12:09 UTC)

Details
Large DNS Volume for Suspicious Domain — [AP: C2 Comms]

10.100.21.14

2022-04-09 16:36:11 UTC
10.100.21.14 successfully looked up 76236osm1.ru in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-09 16:36:11 UTC
10.100.21.14 successfully looked up 76236osm1.ru in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-09 16:37:12 UTC
10.100.21.14 successfully looked up 76236osm1.ru in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-09 16:37:12 UTC
10.100.21.14 successfully looked up 76236osm1.ru in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-09 16:37:12 UTC
10.100.21.14 successfully looked up 76236osm1.ru in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-09 16:37:12 UTC
10.100.21.14 successfully looked up 76236osm1.ru in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-09 16:38:13 UTC
10.100.21.14 successfully looked up 76236osm1.ru in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-09 16:38:13 UTC
10.100.21.14 successfully looked up 76236osm1.ru in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-09 16:38:13 UTC
10.100.21.14 successfully looked up 76236osm1.ru in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-09 16:38:14 UTC
Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 89.9%

ccunbarodrigl.ccu.local · 10.100.19.155

2022-04-01 21:37:34 UTC
ccunbarodrigl.ccu.local · 10.100.20.93 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-01 21:37:34 UTC
ccunbarodrigl.ccu.local · 10.100.20.93 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-01 21:37:35 UTC
ccunbarodrigl.ccu.local · 10.100.20.93 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-01 21:37:35 UTC
ccunbarodrigl.ccu.local · 10.100.20.93 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-01 21:37:35 UTC
ccunbarodrigl.ccu.local · 10.100.20.93 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-01 21:37:35 UTC
ccunbarodrigl.ccu.local · 10.100.20.93 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-01 21:37:46 UTC
ccunbarodrigl.ccu.local · 10.100.20.93 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-01 21:37:46 UTC
ccunbarodrigl.ccu.local · 10.100.20.93 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-01 21:37:46 UTC
ccunbarodrigl.ccu.local · 10.100.20.93 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-01 21:37:47 UTC
Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 90.1%

crenb idalg · 172.19.8.215 · d0:c6:37:71:d2:98, crenb idalg · 172.19.8.200 · d0:c6:37:71:d2:98

2022-04-12 15:33:41 UTC
crenb idalg · 172.19.8.200 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-12 15:33:41 UTC
crenb idalg · 172.19.8.200 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-12 15:33:41 UTC
crenb idalg · 172.19.8.200 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-12 15:33:49 UTC
crenb idalg · 172.19.8.200 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-12 15:33:49 UTC
crenb idalg · 172.19.8.200 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-12 15:33:49 UTC
crenb idalg · 172.19.8.200 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-12 15:33:49 UTC
crenb idalg · 172.19.8.200 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-12 15:34:01 UTC
crenb idalg · 172.19.8.200 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-12 15:34:01 UTC
crenb idalg · 172.19.8.200 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-12 15:34:02 UTC
Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 86.2%

2022-04-06 14:55:24 UTC
crenb idalg · 172.19.8.215 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-06 14:55:24 UTC
crenb idalg · 172.19.8.215 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-06 14:55:29 UTC
crenb idalg · 172.19.8.215 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-06 14:55:29 UTC
crenb idalg · 172.19.8.215 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-06 14:55:35 UTC
crenb idalg · 172.19.8.215 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-06 14:55:35 UTC
crenb idalg · 172.19.8.215 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-06 14:55:45 UTC
crenb idalg · 172.19.8.215 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-06 14:55:45 UTC
crenb idalg · 172.19.8.215 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-06 14:55:45 UTC
crenb idalg · 172.19.8.215 · d0:c6:37:71:d2:98 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-06 14:55:46 UTC
Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 90.0%

crenb idalg.ccu.local · 10.100.17.33, crenb idalg.ccu.local · 10.100.26.201

2022-04-28 15:49:34 UTC


crenb idalg.ccu.local · 10.100.17.33 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-28 15:49:34 UTC


crenb idalg.ccu.local · 10.100.17.33 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-28 15:49:46 UTC


crenb idalg.ccu.local · 10.100.17.33 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-28 15:49:46 UTC
crenb idalg.ccu.local · 10.100.17.33 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-28 15:49:46 UTC


crenb idalg.ccu.local · 10.100.17.33 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-28 15:49:57 UTC


crenb idalg.ccu.local · 10.100.17.33 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-28 15:49:57 UTC


crenb idalg.ccu.local · 10.100.17.33 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-28 15:49:57 UTC
crenb idalg.ccu.local · 10.100.17.33 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-28 15:49:57 UTC


crenb idalg.ccu.local · 10.100.17.33 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-28 15:49:58 UTC


Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 89.8%

2022-04-08 15:03:59 UTC


crenb idalg.ccu.local · 10.100.26.201 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-08 15:04:05 UTC
crenb idalg.ccu.local · 10.100.26.201 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-08 15:04:05 UTC


crenb idalg.ccu.local · 10.100.26.201 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-08 15:04:05 UTC


crenb idalg.ccu.local · 10.100.26.201 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-08 15:04:05 UTC
crenb idalg.ccu.local · 10.100.26.201 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-08 15:04:05 UTC


crenb idalg.ccu.local · 10.100.26.201 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-08 15:04:11 UTC


crenb idalg.ccu.local · 10.100.26.201 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-08 15:04:11 UTC


crenb idalg.ccu.local · 10.100.26.201 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-08 15:04:11 UTC
crenb idalg.ccu.local · 10.100.26.201 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-08 15:04:12 UTC


Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 86.0%

crvpclablunoa.ccu.local · 172.19.52.45 · b0:0c:d1:52:53:6c

2022-04-27 02:41:06 UTC


crvpclablunoa.ccu.local · 172.19.52.45 · b0:0c:d1:52:53:6c successfully looked up <strong>5454445.tk</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 02:41:12 UTC


crvpclablunoa.ccu.local · 172.19.52.45 · b0:0c:d1:52:53:6c successfully looked up <strong>akamaizedhd.ga</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 02:41:14 UTC


crvpclablunoa.ccu.local · 172.19.52.45 · b0:0c:d1:52:53:6c successfully looked up <strong>lhlhlhlhlhlhlhlh.ga</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-27 02:41:29 UTC
crvpclablunoa.ccu.local · 172.19.52.45 · b0:0c:d1:52:53:6c successfully looked up <strong> putin.tk</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 02:41:35 UTC


crvpclablunoa.ccu.local · 172.19.52.45 · b0:0c:d1:52:53:6c successfully looked up <strong>xxxxxbvvbbbbbbbbbbbb.gq</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-27 02:41:48 UTC
crvpclablunoa.ccu.local · 172.19.52.45 · b0:0c:d1:52:53:6c successfully looked up <strong>akamaivid.ml</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-27 02:42:15 UTC
crvpclablunoa.ccu.local · 172.19.52.45 · b0:0c:d1:52:53:6c successfully looked up <strong>maxwebvideo.ml</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 02:42:59 UTC


crvpclablunoa.ccu.local · 172.19.52.45 · b0:0c:d1:52:53:6c successfully looked up <strong>daddyclick.gq</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-27 02:43:43 UTC
crvpclablunoa.ccu.local · 172.19.52.45 · b0:0c:d1:52:53:6c successfully looked up <strong>uyiuyiyiuyiuyio.tk</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 02:43:44 UTC


Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 89.8%

ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96

2022-04-27 02:32:33 UTC


ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-27 02:32:33 UTC


ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 02:33:29 UTC


ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>www.onlinexlive.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-27 02:33:36 UTC
ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>www.hdxchannel.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 02:33:41 UTC


ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-27 02:33:41 UTC


ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 02:34:44 UTC


ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-27 02:36:18 UTC
ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 02:36:18 UTC


ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 failed to look up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-27 02:36:19 UTC


Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 89.8%

2022-04-28 03:09:59 UTC


ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp5.facecast.xyz</strong> in a DNS connection to 128.84.0.199 on UDP port 53.
2022-04-28 03:09:59 UTC
ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp5.facecast.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-28 03:10:42 UTC
ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.199 on UDP port 53.
2022-04-28 03:10:42 UTC
ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-28 03:11:43 UTC


ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-28 03:11:43 UTC


ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 failed to look up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-28 03:12:54 UTC


ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-28 03:12:54 UTC
ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-28 03:14:00 UTC


ecupcporsanm3.ccu.local · 172.19.64.75 · 30:24:a9:83:8a:96 successfully looked up <strong>mp4.facecast.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-28 03:14:01 UTC


Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 82.2%

kunnbcmiller.ccu.local · 10.100.26.163

2022-04-08 22:12:09 UTC


kunnbcmiller.ccu.local · 10.100.26.163 successfully looked up <strong>76236osm1.ru</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-08 22:12:10 UTC


kunnbcmiller.ccu.local · 10.100.26.163 successfully looked up <strong>76236osm1.ru</strong> in a DNS connection to 128.84.0.199 on UDP port 53.
2022-04-08 22:12:10 UTC
kunnbcmiller.ccu.local · 10.100.26.163 successfully looked up <strong>76236osm1.ru</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-08 22:13:11 UTC


kunnbcmiller.ccu.local · 10.100.26.163 successfully looked up <strong>76236osm1.ru</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-08 22:13:12 UTC


kunnbcmiller.ccu.local · 10.100.26.163 successfully looked up <strong>76236osm1.ru</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-08 22:13:12 UTC


kunnbcmiller.ccu.local · 10.100.26.163 successfully looked up <strong>76236osm1.ru</strong> in a DNS connection to 128.84.0.199 on UDP port 53.
2022-04-08 22:14:13 UTC
kunnbcmiller.ccu.local · 10.100.26.163 successfully looked up <strong>76236osm1.ru</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-08 22:14:13 UTC


kunnbcmiller.ccu.local · 10.100.26.163 successfully looked up <strong>76236osm1.ru</strong> in a DNS connection to 128.84.0.199 on UDP port 53.
2022-04-08 22:14:14 UTC
kunnbcmiller.ccu.local · 10.100.26.163 successfully looked up <strong>76236osm1.ru</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-08 22:14:15 UTC


Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 90.0%

tccnbanrubiot.ccu.local · 10.100.17.204

2022-04-05 00:26:39 UTC


tccnbanrubiot.ccu.local · 10.100.17.204 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-05 00:26:39 UTC


tccnbanrubiot.ccu.local · 10.100.17.204 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-05 00:26:39 UTC


tccnbanrubiot.ccu.local · 10.100.17.204 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-05 00:26:39 UTC
tccnbanrubiot.ccu.local · 10.100.17.204 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-05 00:26:51 UTC


tccnbanrubiot.ccu.local · 10.100.17.204 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-05 00:26:51 UTC


tccnbanrubiot.ccu.local · 10.100.17.204 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-05 00:26:52 UTC


tccnbanrubiot.ccu.local · 10.100.17.204 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-05 00:26:52 UTC
tccnbanrubiot.ccu.local · 10.100.17.204 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-05 00:27:02 UTC


tccnbanrubiot.ccu.local · 10.100.17.204 failed to look up <strong>www.thenewsystemsetup.online</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-05 00:27:03 UTC


Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 90.1%

tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e

2022-04-16 19:37:17 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>dfgdhdfghdg .gq</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-16 19:37:29 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>cloudfrontws.gq</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-16 19:37:50 UTC
tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>uyiuyiyiuyiuyio.tk</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-16 19:38:02 UTC
tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>daddyclick.cf</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-16 19:38:03 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>fghfghfdghdfg.gq</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-16 19:38:26 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>xxxxxbvvbbbbbbbbbbbb.cf</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-16 19:38:33 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>fsltvlive.gq</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-16 19:38:33 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>dfghdfghd dfghdg .gq</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-16 19:38:38 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>klklkllklkkjuyuygv.ga</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-16 19:38:39 UTC


Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 89.8%

2022-04-17 19:49:25 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>fghfghfdghdfg.cf</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-17 19:49:45 UTC
tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>desteaptaesti.tk</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-17 19:49:50 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>hfghfghg g .tk</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-17 19:49:55 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>akamaihlstv.ml</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-17 19:50:00 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>hghgj jgf.tk</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-17 19:50:25 UTC
tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>akamaihlstv.ga</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-17 19:50:30 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e failed to look up <strong>akamaizedhd.ga</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-17 19:50:35 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>dfgdfgdfsgsdfg.ml</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-17 19:50:56 UTC


tccpcbodega2.ccu.local · 172.19.204.29 · 78:e3:b5:b6:bf:2e successfully looked up <strong>akamaidrm.gq</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-17 19:50:57 UTC
Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 82.0%

tccpcmalquin · 172.21.53.142 · c4:65:16:98:fa:7e

2022-04-09 21:25:52 UTC


tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up <strong>daddylveve.ga</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:25:58 UTC


tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up <strong>akamaivid.cf</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:26:06 UTC


tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up <strong>akamaivid.gq</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-09 21:26:28 UTC
tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up <strong>5454445.ml</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:26:36 UTC


tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up <strong>hyhyhyhy.gq</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:26:44 UTC


tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up <strong>akamaidrm.tk</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:27:00 UTC


tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up <strong>akamaized.ml</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-09 21:27:08 UTC
tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up <strong>fsltvlive.cf</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:27:09 UTC


tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up <strong>xd gdg gj.tk</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:27:10 UTC


Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 89.9%

vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2

2022-04-27 23:48:19 UTC


vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up <strong>akamaiweb.ml</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 23:48:25 UTC


vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up <strong>flslftyv.ga</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-27 23:48:37 UTC
vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up <strong>5454445.tk</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 23:48:45 UTC


vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up <strong>ronaldosport.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-27 23:48:45 UTC
vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up <strong>nbahighlights.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 23:48:45 UTC


vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up <strong>soccermlbstream.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-27 23:48:45 UTC
vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up <strong>build.primeradirectacanal.xyz</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 23:48:46 UTC


vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up <strong>cloudfrontws.gq</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-27 23:48:52 UTC
vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up <strong>hghgj jgf.ml</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 23:48:53 UTC


Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 89.8%

vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80

2022-04-09 13:07:12 UTC


vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80 successfully looked up <strong>lhlhlhlhlhlhlhlh.ga</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 13:07:24 UTC


vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80 successfully looked up <strong>hfghfghg g .ml</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 13:08:15 UTC


vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80 successfully looked up <strong>fghfghfdghdfg.tk</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-09 13:08:16 UTC
vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80 successfully looked up <strong> putin.gq</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 13:08:36 UTC


vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80 successfully looked up <strong>dfgdfgdfsgsdfg.cf</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 13:08:40 UTC


vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80 successfully looked up <strong>fghfghfdghdfg.cf</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 13:08:43 UTC


vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80 successfully looked up <strong>sdfgsdfgdfs.tk</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-09 13:08:44 UTC
vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80 successfully looked up <strong>weviewrealcd.ml</strong> in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 13:09:05 UTC


vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80 successfully looked up <strong>freespbnepl.cf</strong> in a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-09 13:09:06 UTC
Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 90.0%

DGA Beacon  — [, AP: C2 Comms]


vsppclcorvals.ccu.local · 172.17.81.13 · 30:24:a9:88:bd:10

2022-04-29 21:21:14 UTC to 2022-04-29 21:26:20 UTC


vsppclcorvals.ccu.local · 172.17.81.13 · 30:24:a9:88:bd:10 was still making an SSL connection to gkdmqvqj.com · 216.21.13.15 on TCP port 443.

2022-04-29 21:31:15 UTC to 2022-04-29 21:31:16 UTC


vsppclcorvals.ccu.local · 172.17.81.13 · 30:24:a9:88:bd:10 made an SSL connection to gkdmqvqj.com · 216.21.13.15 on TCP port 443.
2022-04-29 21:31:17 UTC
Model Breach: Compromise / DGA Beacon — 82.4%

vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80


2022-04-09 14:21:42 UTC to 2022-04-09 14:27:04 UTC
vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80 was still making an SSL connection to xthizbdwgebzqf.com · 216.21.13.14 on TCP port 443.

2022-04-09 14:31:42 UTC to 2022-04-09 14:31:44 UTC


vsppcz2l1.ccu.local · 172.17.57.126 · 18:60:24:f5:9a:80 made an SSL connection to xthizbdwgebzqf.com · 216.21.13.14 on TCP port 443.

2022-04-09 14:31:45 UTC


Model Breach: Compromise / DGA Beacon — 80.4%

Suspicious HTTP Redirect  — [AP: Exploit, OT Engineer]


LAPTOP-QVK3FGNA · 172.19.208.190 · b8:9a:2a:07:7d:f3

2022-04-04 20:44:29 UTC


LAPTOP-QVK3FGNA · 172.19.208.190 · b8:9a:2a:07:7d:f3 made an HTTP connection to dl-us01.magix.net · 207.244.76.203 on TCP port 80.

2022-04-04 20:44:29 UTC to 2022-04-04 20:44:30 UTC


LAPTOP-QVK3FGNA · 172.19.208.190 · b8:9a:2a:07:7d:f3 made an HTTP connection to dl04.magix.net · 195.214.216.215 on TCP port 80.
2022-04-04 20:44:29 UTC
File Transfer (Exe) to dl-us01.magix.net · 207.244.76.203 on port 80 — Windows Portable Executable seen in plain text, direction: Incoming

New activity

2022-04-04 20:44:29 UTC


File Transfer (Exe) to dl-us01.magix.net · 207.244.76.203 on port 80 — FileTransfer::Exe file found with filetype (application/x-dosexec)
Detail: File: http://dl-us01.magix.net//2019/VEGASPro17/VEGAS_Pro_17.0.0.455_DE-EN-FR-ES_15427790.exe, total seen size: 12420B, direction: Incoming

2022-04-04 20:44:29 UTC


File Transfer (Exe Transfer Start) to dl-us01.magix.net · 207.244.76.203 on port 80 — FileTransfer::Exe file transfer started with filetype (application/x-dosexec)
Detail: File: http://dl-us01.magix.net//2019/VEGASPro17/VEGAS_Pro_17.0.0.455_DE-EN-FR-ES_15427790.exe, total reported size: 724524544B, direction: Incoming

New activity
2022-04-04 20:44:30 UTC
Model Breach: Anomalous File / Suspicious HTTP Redirect — 92.6%

Suspicious Netlogon RPC Calls  — [AP: Exploit]


srvsfeprn.ccu.arg · 172.30.24.157

2022-04-13 14:58:57 UTC to 2022-04-13 14:59:09 UTC


srvsfeprn.ccu.arg · 172.30.24.157 was still making a DCE_RPC,NETLOGON connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 51642.
2022-04-13 14:58:58 UTC to 2022-04-13 14:59:58 UTC
srvsfeprn.ccu.arg · 172.30.24.157 was still making a DCE_RPC,NETLOGON connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 51642.

2022-04-13 14:58:58 UTC to 2022-04-13 14:59:19 UTC


srvsfeprn.ccu.arg · 172.30.24.157 was still making an SOCKS,DCE_RPC,NETLOGON connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 51642.

2022-04-13 15:00:13 UTC


srvsfeprn.ccu.arg · 172.30.24.157 made a DCE_RPC,NETLOGON connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 51642.

2022-04-13 15:00:14 UTC


DCERPC (Bind) to pdcar-wssfv.ccu.arg · 172.19.170.78 on port 51642 — RequestedService: Net logon, status: SUCCESS
Detail: endpoint_uuid: 12345678-1234-abcd-ef00-01234567cffb, SecAddr: 51642

2022-04-13 15:00:15 UTC


DT (Model Breach) — Device / Anomaly Indicators / Anomalous Netlogon RPC Calls

2022-04-13 15:00:16 UTC


Model Breach: Compromise / Suspicious Netlogon RPC Calls — 100.0%

Fast Beaconing to DGA  — [, AP: C2 Comms]


192.168.101.53 · f8:b1:56:c0:92:3e

2022-04-09 07:15:27 UTC to 2022-04-09 07:15:37 UTC


192.168.101.53 · f8:b1:56:c0:92:3e made an SSL connection to mdauxvl ilnqjzb.wzcdn594.net · 185.156.74.78 on TCP port 8443.
2022-04-09 07:15:27 UTC
192.168.101.53 · f8:b1:56:c0:92:3e was still making an SSL connection to mdauxvl ilnqjzb.wzcdn594.net · 185.156.74.78 on TCP port 8443.

2022-04-09 07:15:37 UTC to 2022-04-09 07:15:57 UTC


192.168.101.53 · f8:b1:56:c0:92:3e made an SSL connection to mdauxvl ilnqjzb.wzcdn594.net · 185.156.74.78 on TCP port 8443.

2022-04-09 07:15:57 UTC to 2022-04-09 07:16:07 UTC


192.168.101.53 · f8:b1:56:c0:92:3e made an SSL connection to mdauxvl ilnqjzb.wzcdn594.net · 185.156.74.78 on TCP port 8443.

2022-04-09 07:27:35 UTC


Model Breach: Compromise / Fast Beaconing to DGA — 86.1%
A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad
2022-04-12 23:16:01 UTC
A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 23:16:12 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an Unknown connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 23:16:23 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an Unknown connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 23:16:33 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.
2022-04-12 23:16:38 UTC
A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 23:16:49 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an Unknown connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 23:16:59 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 23:17:21 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.
2022-04-12 23:17:32 UTC
A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 23:17:33 UTC


Model Breach: Compromise / Fast Beaconing to DGA — 90.1%

2022-04-28 22:15:42 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad was still making an HTTP connection to cyxcound.lig1c w.xyz · 104.18.26.157 on TCP port 80.

2022-04-28 22:15:51 UTC to 2022-04-28 22:15:52 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.26.157 on TCP port 80.
2022-04-28 22:16:00 UTC to 2022-04-28 22:16:02 UTC
A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.26.157 on TCP port 80.

2022-04-28 22:16:11 UTC to 2022-04-28 22:16:13 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.26.157 on TCP port 80.

2022-04-28 22:16:13 UTC


Model Breach: Compromise / Fast Beaconing to DGA — 90.1%

2022-04-30 14:11:53 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad was still making an HTTP connection to cukuyx.lig1c w.xyz · 54.211.35.205 on TCP port 80.
2022-04-30 14:12:07 UTC to 2022-04-30 14:12:34 UTC
A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an Unknown connection to cukuyx.lig1c w.xyz · 54.211.35.205 on TCP port 80.

2022-04-30 14:12:17 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cukuyx.lig1c w.xyz · 54.211.35.205 on TCP port 80.

2022-04-30 14:12:27 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cukuyx.lig1c w.xyz · 54.211.35.205 on TCP port 80.
2022-04-30 14:12:48 UTC
A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cukuyx.lig1c w.xyz · 54.211.35.205 on TCP port 80.

2022-04-30 14:12:58 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cukuyx.lig1c w.xyz · 54.211.35.205 on TCP port 80.

2022-04-30 14:13:09 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an HTTP connection to cukuyx.lig1c w.xyz · 54.211.35.205 on TCP port 80.

2022-04-30 14:13:19 UTC


A20s-de-Cedric · 172.19.152.27 · be:69:ef:74:3d:ad made an Unknown connection to cukuyx.lig1c w.xyz · 54.211.35.205 on TCP port 80.
2022-04-30 14:13:20 UTC
Model Breach: Compromise / Fast Beaconing to DGA — 90.1%

Galaxy-S20 · 172.19.208.40 · fe:41:97:d2:5a:73


2022-04-13 21:00:24 UTC
Galaxy-S20 · 172.19.208.40 · fe:41:97:d2:5a:73 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.27.157 on TCP port 80.

2022-04-13 21:00:34 UTC


Galaxy-S20 · 172.19.208.40 · fe:41:97:d2:5a:73 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.27.157 on TCP port 80.

2022-04-13 21:00:45 UTC


Galaxy-S20 · 172.19.208.40 · fe:41:97:d2:5a:73 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.27.157 on TCP port 80.

2022-04-13 21:00:55 UTC


Galaxy-S20 · 172.19.208.40 · fe:41:97:d2:5a:73 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.27.157 on TCP port 80.
2022-04-13 21:01:06 UTC
Galaxy-S20 · 172.19.208.40 · fe:41:97:d2:5a:73 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.27.157 on TCP port 80.

2022-04-13 21:01:21 UTC


Galaxy-S20 · 172.19.208.40 · fe:41:97:d2:5a:73 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.27.157 on TCP port 80.

2022-04-13 21:01:32 UTC


Galaxy-S20 · 172.19.208.40 · fe:41:97:d2:5a:73 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.27.157 on TCP port 80.

2022-04-13 21:01:42 UTC


Galaxy-S20 · 172.19.208.40 · fe:41:97:d2:5a:73 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.27.157 on TCP port 80.
2022-04-13 21:01:52 UTC
Galaxy-S20 · 172.19.208.40 · fe:41:97:d2:5a:73 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.27.157 on TCP port 80.

2022-04-13 21:01:53 UTC


Model Breach: Compromise / Fast Beaconing to DGA — 90.1%

S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01

2022-04-12 21:06:38 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 was still making an HTTP connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 21:06:49 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 made an Unknown connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 21:06:59 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 made an HTTP connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 21:07:09 UTC to 2022-04-12 21:07:18 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 made an Unknown connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 21:07:10 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 failed to make an Unknown connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 21:07:25 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 failed to make an Unknown connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 21:07:33 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 failed to make an Unknown connection to cukuyx.lig1c w.xyz · 13.90.24.216 on TCP port 80.

2022-04-12 21:07:34 UTC


Model Breach: Compromise / Fast Beaconing to DGA — 90.1%

2022-04-13 22:02:59 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 was still making an HTTP connection to cyxcound.lig1c w.xyz · 104.18.26.157 on TCP port 80.

2022-04-13 22:03:12 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 was still making an HTTP connection to cyxcound.lig1c w.xyz · 104.18.26.157 on TCP port 80.

2022-04-13 22:03:12 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.26.157 on TCP port 80.

2022-04-13 22:03:23 UTC to 2022-04-13 22:03:24 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.26.157 on TCP port 80.

2022-04-13 22:03:34 UTC to 2022-04-13 22:03:34 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.26.157 on TCP port 80.

2022-04-13 22:03:45 UTC to 2022-04-13 22:03:45 UTC


S20-FE-de-Benjamin · 172.19.94.4 · 8e:5c:78:82:4a:01 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.26.157 on TCP port 80.
2022-04-13 22:03:46 UTC
Model Breach: Compromise / Fast Beaconing to DGA — 90.1%

ecunbiandia.ccu.local · 172.19.94.85 · b0:7d:64:ee:f2:dc

2022-04-12 20:57:13 UTC


ecunbiandia.ccu.local · 172.19.94.85 · b0:7d:64:ee:f2:dc was still making an SSL connection to device-7824ccf7-2ca9-418e-81b5-30866ebfd1be.remotewd.com · 190.44.118.111 on TCP port 49592.

2022-04-12 20:57:20 UTC

ecunbiandia.ccu.local · 172.19.94.85 · b0:7d:64:ee:f2:dc was still making an SSL connection to device-7824ccf7-2ca9-418e-81b5-30866ebfd1be.remotewd.com · 190.44.118.111 on TCP port 49592.

2022-04-12 20:57:38 UTC to 2022-04-12 20:58:14 UTC

ecunbiandia.ccu.local · 172.19.94.85 · b0:7d:64:ee:f2:dc made an Unknown connection to device-7824ccf7-2ca9-418e-81b5-30866ebfd1be.remotewd.com · 190.44.118.111 on TCP port 49592.

2022-04-12 20:58:33 UTC to 2022-04-12 20:59:05 UTC

ecunbiandia.ccu.local · 172.19.94.85 · b0:7d:64:ee:f2:dc made an Unknown connection to device-7824ccf7-2ca9-418e-81b5-30866ebfd1be.remotewd.com · 190.44.118.111 on TCP port 49592.

2022-04-12 20:58:45 UTC to 2022-04-12 20:59:06 UTC

ecunbiandia.ccu.local · 172.19.94.85 · b0:7d:64:ee:f2:dc made an Unknown connection to device-7824ccf7-2ca9-418e-81b5-30866ebfd1be.remotewd.com · 190.44.118.111 on TCP port 49592.

2022-04-12 20:59:27 UTC

ecunbiandia.ccu.local · 172.19.94.85 · b0:7d:64:ee:f2:dc made an Unknown connection to device-7824ccf7-2ca9-418e-81b5-30866ebfd1be.remotewd.com · 190.44.118.111 on TCP port 49592.

2022-04-12 20:59:28 UTC


Model Breach: Compromise / Fast Beaconing to DGA — 92.5%

luj-bar7102.ccu.arg · 172.30.7.102 · 84:2a:fd:09:02:21


2022-04-06 22:05:20 UTC to 2022-04-06 22:05:27 UTC
luj-bar7102.ccu.arg · 172.30.7.102 · 84:2a:fd:09:02:21 made an SSL connection to srv.pr4mg.com · 34.107.162.152 on TCP port 443.

2022-04-06 22:05:28 UTC to 2022-04-06 22:05:37 UTC


luj-bar7102.ccu.arg · 172.30.7.102 · 84:2a:fd:09:02:21 made an SSL connection to srv.pr4mg.com · 34.107.162.152 on TCP port 443.

2022-04-06 22:05:39 UTC to 2022-04-06 22:05:47 UTC


luj-bar7102.ccu.arg · 172.30.7.102 · 84:2a:fd:09:02:21 made an SSL connection to srv.pr4mg.com · 34.107.162.152 on TCP port 443.

2022-04-06 22:05:52 UTC to 2022-04-06 22:05:57 UTC


luj-bar7102.ccu.arg · 172.30.7.102 · 84:2a:fd:09:02:21 made an SSL connection to srv.pr4mg.com · 34.107.162.152 on TCP port 443.
2022-04-06 22:05:58 UTC
luj-bar7102.ccu.arg · 172.30.7.102 · 84:2a:fd:09:02:21 made an SSL connection to srv.pr4mg.com · 34.107.162.152 on TCP port 443.
2022-04-06 22:05:59 UTC
Model Breach: Compromise / Fast Beaconing to DGA — 92.4%

High Priority Crypto Currency Mining — [Enhanced Monitoring]


ecunbtbinari.ccu.local · 192.168.112.123

2022-04-04 15:08:58 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-04 15:08:59 UTC
ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-04 15:09:03 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:09:23 UTC


ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:09:23 UTC

ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-04 15:09:26 UTC

ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:09:34 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-04 15:09:35 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:09:36 UTC


DT (Model Breach) — Compromise / Monero Mining
2022-04-04 15:09:37 UTC
Model Breach: Compromise / High Priority Crypto Currency Mining — 100.0%

Monero Mining — [OT Engineer]


172.30.22.26

2022-04-25 16:11:46 UTC


172.30.22.26 successfully looked up fee.xmrig.com in a DNS connection to srvlv3dc.ccu.arg · 192.168.15.4 on UDP port 53.

2022-04-25 16:11:50 UTC

172.30.22.26 successfully looked up fee.xmrig.com in a DNS connection to srvlv3dc.ccu.arg · 192.168.15.4 on UDP port 53.

2022-04-25 16:12:02 UTC

172.30.22.26 successfully looked up fee.xmrig.com in a DNS connection to srvlv3dc.ccu.arg · 192.168.15.4 on UDP port 53.

2022-04-25 16:12:04 UTC

172.30.22.26 successfully looked up fee.xmrig.com in a DNS connection to srvlv3dc.ccu.arg · 192.168.15.4 on UDP port 53.

2022-04-25 16:12:06 UTC

172.30.22.26 successfully looked up fee.xmrig.com in a DNS connection to srvlv3dc.ccu.arg · 192.168.15.4 on UDP port 53.

2022-04-25 16:12:10 UTC

172.30.22.26 successfully looked up fee.xmrig.com in a DNS connection to srvlv3dc.ccu.arg · 192.168.15.4 on UDP port 53.

2022-04-25 16:12:22 UTC

172.30.22.26 successfully looked up fee.xmrig.com in a DNS connection to srvlv3dc.ccu.arg · 192.168.15.4 on UDP port 53.

2022-04-25 16:12:24 UTC

172.30.22.26 successfully looked up fee.xmrig.com in a DNS connection to srvlv3dc.ccu.arg · 192.168.15.4 on UDP port 53.

2022-04-25 16:12:26 UTC


172.30.22.26 made a DNS connection to srvsfedc.ccu.arg · 172.30.24.121 on UDP port 53.

2022-04-25 16:12:27 UTC


Model Breach: Compromise / Monero Mining — 80.5%

ecunbtbinari.ccu.local · 192.168.112.123

2022-04-04 15:08:51 UTC


ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:08:58 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-04 15:08:59 UTC
ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-04 15:09:03 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:09:23 UTC


ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:09:23 UTC

ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-04 15:09:26 UTC

ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-04 15:09:34 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-04 15:09:35 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.41 on UDP port 53.
2022-04-04 15:09:36 UTC
Model Breach: Compromise / Monero Mining — 87.1%

2022-04-23 00:16:48 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-23 00:16:52 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-23 00:17:13 UTC


ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-23 00:17:17 UTC

ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-23 00:17:25 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-23 00:17:29 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-23 00:17:49 UTC


ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-23 00:17:52 UTC

ecunbtbinari.ccu.local · 192.168.112.123 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-23 00:18:01 UTC


ecunbtbinari.ccu.local · 192.168.112.123 made a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-23 00:18:02 UTC


Model Breach: Compromise / Monero Mining — 87.1%

Connections with Suspicious DNS — [AP: C2 Comms]

crvnbfaaguile.ccu.local · 10.100.25.57

2022-04-10 21:29:58 UTC

crvnbfaaguile.ccu.local · 10.100.25.57 successfully looked up sync.tag.clrstm.com in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-10 21:29:58 UTC


DT (External Domain Pointing At Internal IP) to tag.clrstm.com · 128.84.0.199 on port None — Hostname tag.clrstm.com is pointing at 127.0.0.1
Detail: Domain clrstm.com

2022-04-10 21:30:42 UTC


crvnbfaaguile.ccu.local · 10.100.25.57 successfully looked up cvhbcvghg g g ghg .ga in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-10 21:30:43 UTC

crvnbfaaguile.ccu.local · 10.100.25.57 successfully looked up xd gdg gj.ml in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-10 21:30:44 UTC

crvnbfaaguile.ccu.local · 10.100.25.57 successfully looked up dfgdhdfghdg .ga in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-10 21:30:45 UTC

crvnbfaaguile.ccu.local · 10.100.25.57 successfully looked up hyhyhyhy.ga in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-10 21:30:46 UTC

crvnbfaaguile.ccu.local · 10.100.25.57 successfully looked up hbhjkhgkj.tk in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-10 21:31:13 UTC

crvnbfaaguile.ccu.local · 10.100.25.57 successfully looked up refpamjeql.top in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-10 21:31:14 UTC


DT (Model Breach) — Compromise / Domain Fluxing

2022-04-10 21:31:15 UTC


Model Breach: Compromise / Connections with Suspicious DNS — 84.4%

pc791 · 192.168.100.138 · e4:54:e8:67:a8:39

2022-04-26 18:34:07 UTC


pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to look up repro.vdtgr.xyz in a DNS connection to dc1.pulp.com.py · 192.168.10.19 on UDP port 53.

2022-04-26 18:34:16 UTC

pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to look up d24ak3f2b.top in a DNS connection to dc1.pulp.com.py · 192.168.10.19 on UDP port 53.
2022-04-26 18:35:00 UTC
pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to make an SSL connection to vcdnads.ru.com · 172.67.162.93 on TCP port 443.

2022-04-26 18:35:00 UTC


DT (Hostname With No DNS) to vcdnads.ru.com · 172.67.162.93 on port 443 — Hostname with no DNS
Detail: vcdnads.ru.com
2022-04-26 18:35:05 UTC
pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to look up cvhbcvghg g g ghg .tk in a DNS connection to dc1.pulp.com.py · 192.168.10.19 on UDP port 53.

2022-04-26 18:35:08 UTC

pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to look up ulkrcdj.ga in a DNS connection to dc1.pulp.com.py · 192.168.10.19 on UDP port 53.

2022-04-26 18:35:19 UTC

pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to look up hbhjkhgkj.ga in a DNS connection to dc1.pulp.com.py · 192.168.10.19 on UDP port 53.

2022-04-26 18:35:24 UTC

pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to look up uyiuyiyiuyiuyio.tk in a DNS connection to dc1.pulp.com.py · 192.168.10.19 on UDP port 53.
2022-04-26 18:35:25 UTC
DT (Model Breach) — Compromise / Domain Fluxing
2022-04-26 18:35:26 UTC
Model Breach: Compromise / Connections with Suspicious DNS — 90.5%

2022-04-27 19:06:37 UTC


pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to look up repro.vdtgr.xyz in a DNS connection to dc1.pulp.com.py · 192.168.10.19 on UDP port 53.

2022-04-27 19:06:41 UTC

pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to look up d24ak3f2b.top in a DNS connection to dc1.pulp.com.py · 192.168.10.19 on UDP port 53.

2022-04-27 19:06:51 UTC

pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to look up signalcloud.web3-lab.com in a DNS connection to dc1.pulp.com.py · 192.168.10.19 on UDP port 53.

2022-04-27 19:07:10 UTC

pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to make an SSL connection to offerimage.com · 104.22.32.172 on TCP port 443.

2022-04-27 19:07:10 UTC

DT (Hostname With No DNS) to offerimage.com · 104.22.32.172 on port 443 — Hostname with no DNS
Detail: offerimage.com

2022-04-27 19:08:08 UTC

pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to look up afflat3e1.com in a DNS connection to dc1.pulp.com.py · 192.168.10.19 on UDP port 53.

2022-04-27 19:08:30 UTC

pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to look up w3needman3w.com in a DNS connection to dc1.pulp.com.py · 192.168.10.19 on UDP port 53.

2022-04-27 19:08:43 UTC

pc791 · 192.168.100.138 · e4:54:e8:67:a8:39 failed to look up aditmedia.g2afse.com in a DNS connection to dc1.pulp.com.py · 192.168.10.19 on UDP port 53.

2022-04-27 19:08:44 UTC


DT (Model Breach) — Compromise / Domain Fluxing

2022-04-27 19:08:45 UTC


Model Breach: Compromise / Connections with Suspicious DNS — 82.8%

tccpcmalquin · 172.21.53.142 · c4:65:16:98:fa:7e

2022-04-09 21:12:36 UTC to 2022-04-09 21:13:23 UTC


tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e was still making an SSL connection to ligninenchant.com · 23.109.87.221 on TCP port 443.

2022-04-09 21:13:03 UTC


tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up hyhyhyhy.cf in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:13:04 UTC

tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up flslftyv.ml in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:13:07 UTC

tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up xxxxxbvvbbbbbbbbbbbb.cf in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:13:15 UTC

tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up uyiuyiyiuyiuyio.ga in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:13:21 UTC

tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up klklkllklkkjuyuygv.ga in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:13:23 UTC

tccpcmalquin · 172.20.244.77 · c4:65:16:98:fa:7e successfully looked up xd dfghdfghdfghg.ga in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-09 21:13:24 UTC


DT (Model Breach) — Compromise / Domain Fluxing

2022-04-09 21:13:25 UTC


Model Breach: Compromise / Connections with Suspicious DNS — 89.9%

vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2

2022-04-27 23:09:48 UTC to 2022-04-27 23:10:33 UTC


vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 was still making an SSL connection to www.freewebs.com · 104.17.22.109 on TCP port 443.

2022-04-27 23:10:25 UTC


vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up 5454445.ml in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 23:10:26 UTC

vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up xd dfghdfghdfghg.tk in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 23:10:28 UTC

vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up tryukhgjmhb.tk in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 23:10:31 UTC

vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up flslftyv.ga in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 23:10:32 UTC

vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up gfg dfgh.ml in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-27 23:10:33 UTC

vsppcpemolin.ccu.local · 172.19.41.154 · e4:e7:49:39:a1:e2 successfully looked up refpamjeql.top in a DNS connection to 128.84.0.199 on UDP port 53.
2022-04-27 23:10:34 UTC
DT (Model Breach) — Compromise / Domain Fluxing

2022-04-27 23:10:35 UTC


Model Breach: Compromise / Connections with Suspicious DNS — 89.8%

vsppcvtamoli2.ccu.local · 172.17.88.99 · 30:24:a9:83:7e:ed

2022-04-17 22:20:21 UTC


vsppcvtamoli2.ccu.local · 172.17.88.99 · 30:24:a9:83:7e:ed successfully looked up hghgj jgf.ga in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-17 22:20:23 UTC

vsppcvtamoli2.ccu.local · 172.17.88.99 · 30:24:a9:83:7e:ed successfully looked up hyhyhyhy.cf in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-17 22:20:25 UTC

vsppcvtamoli2.ccu.local · 172.17.88.99 · 30:24:a9:83:7e:ed successfully looked up dfghdfghdfghdfghdfghh.tk in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-17 22:20:27 UTC

vsppcvtamoli2.ccu.local · 172.17.88.99 · 30:24:a9:83:7e:ed successfully looked up vcbcvbcvb.tk in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-17 22:20:35 UTC

vsppcvtamoli2.ccu.local · 172.17.88.99 · 30:24:a9:83:7e:ed successfully looked up hfghfghg g .tk in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-17 22:21:17 UTC

vsppcvtamoli2.ccu.local · 172.17.88.99 · 30:24:a9:83:7e:ed successfully looked up xxxxxbvvbbbbbbbbbbbb.cf in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-17 22:21:18 UTC


DT (Model Breach) — Compromise / Domain Fluxing

2022-04-17 22:23:03 UTC


vsppcvtamoli2.ccu.local · 172.17.88.99 · 30:24:a9:83:7e:ed made an SSL connection to www.careofdog.com · 104.21.18.97 on TCP port 443.

2022-04-17 22:23:03 UTC


DT (Hostname With No DNS) to www.careofdog.com · 104.21.18.97 on port 443 — Hostname with no DNS
Detail: www.careofdog.com

2022-04-17 22:23:04 UTC


Model Breach: Compromise / Connections with Suspicious DNS — 89.7%

New User Agent and POST — [AP: C2 Comms, OT Engineer]


172.18.33.50 · a2:0d:cb:05:b4:10

2022-04-08 15:05:24 UTC


172.18.33.50 · a2:0d:cb:05:b4:10 made an HTTP connection to 45.79.179.111 on TCP port 80.
2022-04-08 15:05:24 UTC
DT (Post With No Get) to 45.79.179.111 on port None — /python-ios/compile_python_version_dir_acc.php

New activity

2022-04-08 15:05:24 UTC


DT (New Device User Agent) to 45.79.179.111 on port 80 — Python Compiler/3.8.1 (iPhone; iOS 15.1; Scale/3.00)

New activity

2022-04-08 15:05:25 UTC


Model Breach: Compromise / New User Agent and POST — 100.0%
RDP Brute Force — [AP: Bruteforce, AP: Lateral Movement, OT Engineer]
172.30.24.19

2022-04-24 05:57:15 UTC


172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.

2022-04-24 05:57:15 UTC


172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.

2022-04-24 05:57:15 UTC


172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.
2022-04-24 05:57:15 UTC to 2022-04-24 05:57:17 UTC
172.30.24.19 made an Unknown connection to 38.91.100.7 on TCP port 3389.

2022-04-24 05:57:16 UTC


172.30.24.19 made an Unknown connection to 38.91.100.7 on TCP port 3389.

2022-04-24 05:57:16 UTC


172.30.24.19 was still making an Unknown connection to 38.91.100.7 on TCP port 3389.

2022-04-24 05:57:17 UTC


DT (Model Breach) — Device / Anomaly Indicators / RDP Brute Force Indicator

2022-04-24 05:57:18 UTC


Model Breach: Anomalous Connection / RDP Brute Force — 88.1%

SSL or HTTP Beacon — [AP: C2 Comms, OT Engineer]


CCUNBFRPINO · 172.19.92.42 · 08:5b:d6:ce:0a:d1

2022-04-25 11:57:53 UTC to 2022-04-25 11:57:58 UTC


CCUNBFRPINO · 172.19.92.42 · 08:5b:d6:ce:0a:d1 made an SSL connection to rastreo.gpslocker.cl · 88.198.205.81 on TCP port 443.

2022-04-25 11:57:57 UTC


CCUNBFRPINO · 172.19.92.42 · 08:5b:d6:ce:0a:d1 made an SSL connection to rastreo.gpslocker.cl · 88.198.205.81 on TCP port 9002.

2022-04-25 11:57:59 UTC to 2022-04-25 11:58:04 UTC


CCUNBFRPINO · 172.19.92.42 · 08:5b:d6:ce:0a:d1 made an SSL connection to rastreo.gpslocker.cl · 88.198.205.81 on TCP port 443.

2022-04-25 11:58:05 UTC to 2022-04-25 11:58:10 UTC


CCUNBFRPINO · 172.19.92.42 · 08:5b:d6:ce:0a:d1 made an SSL connection to rastreo.gpslocker.cl · 88.198.205.81 on TCP port 443.

2022-04-25 11:58:08 UTC


CCUNBFRPINO · 172.19.92.42 · 08:5b:d6:ce:0a:d1 made an SSL connection to rastreo.gpslocker.cl · 88.198.205.81 on TCP port 9002.
2022-04-25 11:58:09 UTC
DT (Model Breach) — Device / Anomaly Indicators / Spike in SSL or HTTP Connections to New Location
2022-04-25 11:58:10 UTC
Model Breach: Compromise / SSL or HTTP Beacon — 100.0%

sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd

2022-04-12 21:47:55 UTC


sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa6.site · 185.209.15.36 on TCP port 443.

2022-04-12 21:47:56 UTC


sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa1.site · 185.209.15.114 on TCP port 443.

2022-04-12 21:47:57 UTC


DT (Model Breach) — Device / Anomaly Indicators / Spike in SSL or HTTP Connections to New Location

2022-04-12 21:48:49 UTC


sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa6.site · 185.209.15.36 on TCP port 443.

2022-04-12 21:48:51 UTC


sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa6.site · 185.209.15.36 on TCP port 443.
2022-04-12 21:48:53 UTC
sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa6.site · 185.209.15.36 on TCP port 443.

2022-04-12 21:48:55 UTC


sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa6.site · 185.209.15.36 on TCP port 443.

2022-04-12 21:48:57 UTC


sfe-li3013.ccu.arg · 172.30.74.78 · a0:d3:c1:1e:99:fd made an SSL connection to chupa6.site · 185.209.15.36 on TCP port 443.

2022-04-12 21:48:58 UTC


DT (Model Breach) — Device / Anomaly Indicators / Spike in SSL or HTTP Connections to New Location

2022-04-12 21:48:59 UTC


Model Breach: Compromise / SSL or HTTP Beacon — 100.0%

Tor Domain DNS Requests — [AP: C2 Comms]

CCUnbAPARDO · 172.18.18.13 · 30:24:a9:a2:d4:da

2022-04-01 12:10:25 UTC

CCUnbAPARDO · 172.18.18.13 · 30:24:a9:a2:d4:da failed to look up qtornadoklbgdyww.onion in a DNS connection to srv-dc-03-.ccu.local · 172.19.170.8 on UDP port 53.

2022-04-01 12:46:33 UTC

CCUnbAPARDO · 172.18.18.13 · 30:24:a9:a2:d4:da failed to look up qtornadoklbgdyww.onion in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-01 12:46:34 UTC


Model Breach: Compromise / Tor Domain DNS Requests — 87.1%
ecunbelira.ccu.local · 10.100.30.117
2022-04-20 14:48:23 UTC
ecunbelira.ccu.local · 10.100.30.117 failed to look up ozahtqwp25chjdjd.onion in a DNS connection to 128.84.0.199 on UDP port 53.

2022-04-20 15:22:47 UTC

ecunbelira.ccu.local · 10.100.30.117 failed to look up ozahtqwp25chjdjd.onion in a DNS connection to 128.84.0.41 on UDP port 53.

2022-04-20 15:22:48 UTC


Model Breach: Compromise / Tor Domain DNS Requests — 87.1%

SMB Lateral Movement — [AP: Lateral Movement]


MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7

2022-04-05 17:02:06 UTC


MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 made an SMB,NTLM,GSSAPI connection to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on TCP port 445.

2022-04-05 17:02:06 UTC


MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 made an SMB,NTLM,GSSAPI connection to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on TCP port 445.

2022-04-05 17:02:07 UTC


MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 made an SMB,NTLM,GSSAPI connection to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on TCP port 445.

2022-04-05 17:02:07 UTC


MNTNBCAREYES · 172.19.166.20 · f8:0d:ac:c7:4a:e7 made an SMB,NTLM,GSSAPI connection to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on TCP port 445.

2022-04-05 17:02:07 UTC


SMB (Session Failure) to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on port 445 — jmpugad
Detail: client_hostname=MNTNBCAREYES domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-05 17:02:07 UTC

SMB (Session Failure) to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on port 445 — jmpugad
Detail: client_hostname=MNTNBCAREYES domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-05 17:02:07 UTC


NTLM (Login Fail) to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on port 445 — jmpugad
Detail: domain=CCUCL hostname=MNTNBCAREYES auth_successful=F result=logon_failure

2022-04-05 17:02:07 UTC


NTLM (Login Fail) to serv-documentos.ccu.local · 172.20.184.20 · ec:a8:6b:f9:00:8f on port 445 — jmpugad
Detail: domain=CCUCL hostname=MNTNBCAREYES auth_successful=F result=logon_failure

2022-04-05 17:02:08 UTC


DT (Model Breach) — Device / Anomaly Indicators / Possible SMB/NTLM Brute Force Indicator

2022-04-05 17:02:09 UTC


Model Breach: Device / SMB Lateral Movement — 88.7%
allen-pchp004.ccu.arg · 172.30.79.18

2022-04-29 17:35:26 UTC


SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-29 17:35:26 UTC

allen-pchp004.ccu.arg · 172.30.79.56 was still making an SMB1,NTLM,GSSAPI connection to srvsfeprn.ccu.arg · 172.30.24.157 on TCP port 445.

2022-04-29 17:35:31 UTC

SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-29 17:35:31 UTC


NTLM (Login Fail) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — german
Detail: domain=German-PC hostname=GERMAN-PC auth_successful=F result=logon_failure

2022-04-29 17:35:32 UTC


DT (Model Breach) — Device / Anomaly Indicators / SMB Session Brute Force Non-Admin Indicator

2022-04-29 17:35:33 UTC


DT (Model Breach) to Internal Traffic · 172.30.24.157 on port 445 — Device / SMB Session Brute Force (Non-Admin)

2022-04-29 17:35:34 UTC


SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb1 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-29 17:35:34 UTC

SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb1 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-29 17:35:34 UTC

SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb1 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-29 17:35:34 UTC


Model Breach: Device / SMB Lateral Movement — 88.2%

comnbfmramire.ccu.local · 10.100.26.71 · 80:b6:55:1e:a1:7c

2022-04-12 17:10:05 UTC


SMB (Session Failure) to fileman.ccu.cl · 128.84.5.146 on port 445 — jmpugad
Detail: client_hostname=MNTNBCAREYES domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-12 17:10:05 UTC

NTLM (Login Fail) to fileman.ccu.cl · 128.84.5.146 on port 445 — jmpugad
Detail: domain=CCUCL hostname=MNTNBCAREYES auth_successful=F result=logon_failure

2022-04-12 17:10:05 UTC

SMB (Session Failure) to fileman.ccu.cl · 128.84.5.146 on port 445 — jmpugad
Detail: client_hostname=MNTNBCAREYES domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or authentication information. details= result=logon_failure

2022-04-12 17:10:05 UTC


NTLM (Login Fail) to fileman.ccu.cl · 128.84.5.146 on port 445 — jmpugad
Detail: domain=CCUCL hostname=MNTNBCAREYES auth_successful=F result=logon_failure

2022-04-12 17:10:06 UTC


DT (Model Breach) — Device / Anomaly Indicators / Possible SMB/NTLM Brute Force Indicator

2022-04-13 00:17:24 UTC


comnbfmramire.ccu.local · 10.100.26.71 · 80:b6:55:1e:a1:7c made an SMB,NTLM,GSSAPI connection to 128.84.0.67 on TCP port 445.

2022-04-13 00:17:24 UTC


SMB (Session Success) to 128.84.0.67 on port 445 — gmonsal
Detail: client_hostname=CCUNBGMONSAL domain=CCUCL mechType=NTLMSSP server_signed version=smb2

New activity

2022-04-13 00:17:24 UTC


NTLM (Login) to 128.84.0.67 on port 445 — gmonsal
Detail: domain=CCUCL hostname=CCUNBGMONSAL auth_successful=T result=success

New activity

2022-04-13 00:17:25 UTC


DT (Model Breach) — Device / Anomaly Indicators / Unusual SMB Session

2022-04-13 00:17:26 UTC


Model Breach: Device / SMB Lateral Movement — 87.0%

mntnbsmorenog.ccu.local · 10.100.26.166

2022-04-13 21:03:55 UTC


NTLM (Login Fail) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: domain=CCUCL hostname=CCUNBSMBECER2 auth_successful=F result=logon_failure

2022-04-13 21:03:55 UTC


SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or
authentication information. details= result=logon_failure

2022-04-13 21:03:55 UTC


SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or
authentication information. details= result=logon_failure

2022-04-13 21:03:55 UTC


SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or
authentication information. details= result=logon_failure

2022-04-13 21:03:55 UTC


NTLM (Login Fail) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: domain=CCUCL hostname=CCUNBSMBECER2 auth_successful=F result=logon_failure

2022-04-13 21:03:55 UTC


SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or
authentication information. details= result=logon_failure

2022-04-13 21:03:55 UTC


NTLM (Login Fail) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: domain=CCUCL hostname=CCUNBSMBECER2 auth_successful=F result=logon_failure

2022-04-13 21:03:56 UTC


DT (Model Breach) — Device / Anomaly Indicators / SMB Session Brute Force Non-Admin Indicator

2022-04-13 21:03:57 UTC


DT (Model Breach) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — Device / SMB Session Brute Force (Non-Admin)

2022-04-13 21:03:58 UTC


Model Breach: Device / SMB Lateral Movement — 88.8%

tccnbdrojasc.ccu.local · 10.100.27.131

2022-04-13 18:17:58 UTC


SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or
authentication information. details= result=logon_failure

2022-04-13 18:17:58 UTC


NTLM (Login Fail) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: domain=CCUCL hostname=CCUNBSMBECER2 auth_successful=F result=logon_failure

2022-04-13 18:17:58 UTC


SMB (Session Failure) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP version=smb2 reason=The attempted logon is invalid. This is either due to a bad username or
authentication information. details= result=logon_failure

2022-04-13 18:17:58 UTC


NTLM (Login Fail) to portaldtews.ccu.cl · 128.84.0.191 on port 445 — smbecer
Detail: domain=CCUCL hostname=CCUNBSMBECER2 auth_successful=F result=logon_failure

2022-04-13 18:17:59 UTC


DT (Model Breach) — Device / Anomaly Indicators / Possible SMB/NTLM Brute Force Indicator

2022-04-13 18:20:08 UTC


tccnbdrojasc.ccu.local · 10.100.26.119 made an SMB,NTLM,GSSAPI connection to srvlv3pwsb.ccu.arg · 192.168.15.47 on TCP port 445.

2022-04-13 18:20:13 UTC


SMB (Session Success) to srvlv3pwsb.ccu.arg · 192.168.15.47 on port 445 — smbecer
Detail: client_hostname=CCUNBSMBECER2 domain=CCUCL mechType=NTLMSSP server_signed version=smb2

2022-04-13 18:20:13 UTC


NTLM (Login) to srvlv3pwsb.ccu.arg · 192.168.15.47 on port 445 — smbecer
Detail: domain=CCUCL hostname=CCUNBSMBECER2 auth_successful=T result=success

2022-04-13 18:20:14 UTC


DT (Model Breach) — Device / Anomaly Indicators / Unusual SMB Session

2022-04-13 18:20:15 UTC


Model Breach: Device / SMB Lateral Movement — 87.0%

Suspicious Network Scan Activity — [AP: Internal Recon, AP: Scanning, Enhanced Monitoring, OT Engineer]
ECUNBJDRIQUE2 · 172.17.91.86 · 18:26:49:b3:a8:da

2022-04-06 21:36:49 UTC


ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.226 on TCP port 445.

2022-04-06 21:36:49 UTC


ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.220 on TCP port 445.

2022-04-06 21:36:49 UTC


ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.222 on TCP port 445.

2022-04-06 21:36:49 UTC


ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.218 on TCP port 445.

2022-04-06 21:36:49 UTC to 2022-04-06 21:36:49 UTC


ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.225 on TCP port 21.

2022-04-06 21:36:49 UTC to 2022-04-06 21:36:49 UTC


ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.228 on TCP port 21.

2022-04-06 21:36:49 UTC


ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.253 on TCP port 80.

2022-04-06 21:36:49 UTC


ECUNBJDRIQUE2 · 172.20.112.73 · 18:26:49:b3:a8:da failed to make an Unknown connection to Internal Traffic · 192.168.70.222 on TCP port 21.

serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6

2022-04-06 09:19:09 UTC


serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to VSPNBMVILLAR1 · 192.168.1.92 · e4:e7:49:1e:15:db on TCP port 80.

2022-04-06 09:19:09 UTC


serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to 192.168.1.82 on TCP port 80.

2022-04-06 09:19:09 UTC


serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to Internal Traffic · 192.168.1.40 on TCP port 80.

2022-04-06 09:19:09 UTC


serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to 192.168.1.27 on TCP port 80.

2022-04-06 09:19:09 UTC


serveurscalya.ccu.local · 172.17.57.62 · d0:94:66:27:3a:d6 failed to make an Unknown connection to Internal Traffic · 192.168.1.96 on TCP port 80.

2022-04-06 09:19:10 UTC


Unusual Activity (meta-classifier) 69.0% — Internal Connection Spread, Internal Connections to Closed Ports

2022-04-06 09:19:10 UTC


Unusual Activity (meta-classifier) 29.0% — Internal Connection Spread, Internal Connections to Closed Ports

2022-04-06 09:19:10 UTC


Unusual Activity (meta-classifier) 17.0% — Internal Connection Spread

2022-04-06 09:19:11 UTC


DT (Model Breach) — Device / Network Scan

2022-04-06 09:19:12 UTC


Model Breach: Device / Suspicious Network Scan Activity — 100.0%

srvlv3adaudit.ccu.arg · 172.30.101.31

2022-04-20 14:54:14 UTC to 2022-04-20 14:54:17 UTC


srvlv3adaudit.ccu.arg · 172.30.101.31 made an Unknown connection to Internal Traffic · 192.168.1.182 on TCP port 135.

2022-04-20 14:54:17 UTC


srvlv3adaudit.ccu.arg · 172.30.101.31 failed to make an Unknown connection to Internal Traffic · 192.168.1.182 on TCP port 135.

2022-04-20 14:54:22 UTC to 2022-04-20 14:54:25 UTC


srvlv3adaudit.ccu.arg · 172.30.101.31 made an Unknown connection to Internal Traffic · 172.30.19.118 on TCP port 135.

2022-04-20 14:54:25 UTC


srvlv3adaudit.ccu.arg · 172.30.101.31 failed to make an Unknown connection to Internal Traffic · 172.30.19.118 on TCP port 135.

2022-04-20 14:54:47 UTC


srvlv3adaudit.ccu.arg · 172.30.101.31 failed to make an Unknown connection to Internal Traffic · 172.30.119.10 on TCP port 135.

2022-04-20 14:54:50 UTC


srvlv3adaudit.ccu.arg · 172.30.101.31 failed to make an Unknown connection to 172.30.119.20 on TCP port 135.

2022-04-20 14:54:51 UTC


DT (Model Breach) — Device / Network Scan

2022-04-20 14:54:52 UTC


Model Breach: Device / Suspicious Network Scan Activity — 92.4%

Unusual DRS Activity — [AP: Exploit]


pdcar-wssfv.ccu.arg · 172.19.170.78

2022-04-06 14:28:11 UTC


DCERPC (Bind) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49154 — RequestedService: IWbemWCOSmartEnum interface, status: SUCCESS
Detail: endpoint_uuid: 423ec01e-2e35-11d2-b604-00104b703efd, SecAddr:

New activity

2022-04-06 14:28:12 UTC


DT (Model Breach) — Device / Anomaly Indicators / New or Uncommon WMI Activity Indicator

2022-04-06 14:28:13 UTC


DT (Model Breach) to Internal Traffic · 192.168.15.4 on port 49154 — Device / New or Uncommon WMI Activity

2022-04-06 15:11:44 UTC


pdcar-wssfv.ccu.arg · 172.19.170.78 made a DCE_RPC connection to srvlv3dc.ccu.arg · 192.168.15.4 on TCP port 49200.

2022-04-06 15:12:08 UTC


DCERPC (Request) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — operation: DRSGetNCChanges, endpoint: drsuapi, status: SUCCESS
Detail: opnum: 0x3, endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr: 49200

2022-04-06 15:12:08 UTC


DCERPC (Bind) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — RequestedService: drsuapi, status: SUCCESS
Detail: endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr: 49200

2022-04-06 15:12:08 UTC


DCERPC (Request) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — operation: DRSGetNCChanges, endpoint: drsuapi, status: SUCCESS
Detail: opnum: 0x3, endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr: 49200

2022-04-06 15:12:08 UTC


DCERPC (Bind) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — RequestedService: drsuapi, status: SUCCESS
Detail: endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr:

2022-04-06 15:12:08 UTC


DCERPC (Request) to srvlv3dc.ccu.arg · 192.168.15.4 on port 49200 — operation: DRSGetNCChanges, endpoint: drsuapi, status: SUCCESS
Detail: opnum: 0x3, endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2

New activity

2022-04-06 15:12:09 UTC


Model Breach: Compromise / Unusual DRS Activity — 88.2%
Compliance Model Breaches
