The following is a summary of the Darktrace deployment status on your network over the last month. The report shows the distribution of possible attacks and potential vulnerabilities in the network infrastructure, and offers recommendations to address these risks.
Antigena network is deployed
[Deployment status panel: active devices on the network; modelled devices on the network; new devices detected in the organisation; instances running Darktrace; probes actively processing data. Counts shown: 707, 6, 10. Probe throughput: 100.03 Mbps (probe 1), 4.82 Gbps (probe 3), 47.13 Mbps (probe 4).]
Attack Phase: Distribution of Model Breaches
Phases of an Attack
Darktrace models can be organized according to the attack phase they are most likely to detect. Monitoring models according to these categories can allow the characteristic behavior pattern of an ongoing attack to be observed.
Bruteforce ‣ 10.81%
A total of 20 model breaches of 1 model triggered by 20 unique devices
Top scoring devices: ccunbhbarrer.ccu.local · 10.100.16.35 95.10%
Tooling ‣ 8.11%
Scanning ‣ 4.86%
A total of 9 model breaches of 1 model triggered by 9 unique devices
Top scoring devices: ibmpsnt1.ccu.local · 172.19.168.88 95.10%
Overall Score: Devices
Top Devices by Overall Score
Devices highlighted here have exhibited the greatest overall degree of unusual activity over the course of the reporting period. Device overall score gives an indication of which devices are at highest risk in the organisation.
Directory          Breaches
Antigena           432
Compromise         198
Device             46
Anomalous File     15
Unusual Activity   3
Antigena: Antigena Actions
Antigena Actions Summary
The following actions were triggered by Antigena in response to anomalous behavior in your network environment. The actions taken range from interrupting communications between distinct endpoint/port combinations up to complete quarantine - actions are proportional to threat and may be escalated if granular blocks are not sufficient.
In the last 7 days, 227 actions were created and a minimum of 0 connections blocked.
In the last 28 days, 856 actions were created and a minimum of 0 connections blocked.
In the last 365 days, 14231 actions were created and a minimum of 0 connections blocked.
In the last 7 days, 0 actions were created and a minimum of 0 connections blocked.
In the last 28 days, 0 actions were created and a minimum of 0 connections blocked.
In the last 365 days, 17 actions were created and a minimum of 0 connections blocked.
Appendix
Table of Contents
A. Attack Phases
B. Top Model Breaching Devices
C. Enhanced Monitoring
D. Compliance Model Breaches
Attack Phases
Details
Anomalous Octet Stream (No User Agent) — [AP: Tooling]
172.20.236.116 · 62:5f:74:bf:14:2d
Sustained Unusual Activity from New Device — [AP: Internal Recon, OT Engineer]
sfe-syso010.ccu.arg · 172.30.24.10
2022-06-15 13:19:33 UTC to 2022-06-15 13:23:27 UTC
sfe-syso010.ccu.arg · 172.30.24.10 made an SSL connection to papex1-waphv1.ccu.local · 172.19.169.125 on TCP port 21112.
2022-06-15 13:20:34 UTC
Unusual Activity (meta-classifier) 66.0% — Internal Data Transfer, Internal Connections, Internal Connections to Closed Ports, Internal Active Connections
2022-06-15 13:47:36 UTC
sfe-syso010.ccu.arg · 172.30.24.10 made an Unknown connection to papex1-waphv1.ccu.local · 172.19.169.125 on TCP port 21112.
2022-06-15 13:47:37 UTC
Unusual Activity (meta-classifier) 61.0% — Internal Data Transfer, Internal Connections, Internal Connections to Closed Ports, Internal Active Connections
2022-06-15 13:47:38 UTC
Model Breach: Unusual Activity / Sustained Unusual Activity from New Device — 90.8%
10.100.18.82
Suspicious Internal Use Of Web Protocol — [AP: Exploit, AP: Lateral Movement]
ccunbhbarrer.ccu.local · 10.100.16.35
nb880.pulp.com.py · 192.168.112.123
pc173.pulp.com.py · 192.168.112.123
2022-06-13 19:56:12 UTC
pc173.pulp.com.py · 192.168.112.123 made a DCE_RPC,NETLOGON connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 49680.
2022-06-13 19:56:12 UTC
DCERPC (Bind) to dc3.pulp.com.py · 172.19.170.96 on port 49680 — RequestedService: Netlogon, status: SUCCESS
Detail: endpoint_uuid: 12345678-1234-abcd-ef00-01234567cffb, SecAddr: 49680
Suspicious Network Scan Activity — [AP: Internal Recon, AP: Scanning, Enhanced Monitoring, OT Engineer]
ibmpsnt1.ccu.local · 172.19.168.88
2022-06-12 23:13:38 UTC
RDP (Cookie) to foupbt-wefv.ccu.local · 172.19.169.165 on port 3389 — administr
Detail: Client connected with this RDP cookie, result=HYBRID_REQUIRED_BY_SERVER
New activity
clusfs02.ccu.cl · 172.19.168.139
2022-06-16 15:50:17 UTC
clusfs02.ccu.cl · 172.19.168.139 was still making an Unknown connection to Internal Traffic · 172.19.46.74 on TCP port 22.
Possible Brute-Force Activity — [AP: Bruteforce, AP: Lateral Movement, OT Engineer]
ccunbhbarrer.ccu.local · 10.100.16.35
2022-06-27 15:14:14 UTC
ccunbhbarrer.ccu.local · 10.100.16.69 made an HTTP connection to manantial-odoo-admin-qa.kub.ccu.cl · 172.19.170.58 on TCP port 443.
cba-ven020.ccu.arg · 172.30.79.12
2022-06-04 20:47:20 UTC to 2022-06-04 20:53:20 UTC
cba-ven020.ccu.arg · 172.30.79.12 was still making an SSL connection to 172.17.60.33 on TCP port 443.
New activity
2022-06-24 14:06:19 UTC
NTLM (Login) to dc3.pulp.com.py · 172.19.170.96 on port 445 — administrador
Detail: domain=PULP-PY hostname=DC1 auth_successful=T result=success
New activity
2022-06-27 13:05:22 UTC
New Credential Use to dc3.pulp.com.py · 172.19.170.96 on port 445 — cbrugada
Detail: domain=PULP-PY hostname=NB908 auth_successful=T result=success. cbrugada has logged into 2 devices in the last 107 seconds
New activity
devserver.pulp.com.py · 192.168.112.123
2022-06-21 16:02:31 UTC
devserver.pulp.com.py · 192.168.112.123 made an SMB,NTLM,GSSAPI,DCE_RPC connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 445.
New activity
Multiple Lateral Movement Model Breaches — [AP: Lateral Movement, Enhanced Monitoring, OT Engineer]
ccunbhbarrer.ccu.local · 10.100.16.35
Devices Affected
172.20.236.116 — breached: Anomalous Octet Stream (No User Agent) (first seen: 2022-06-06 19:12:27 UTC)
vsppcecanales.ccu.local — breached: Connections with Suspicious DNS (first seen: 2022-06-14 01:22:15 UTC)
nprpcclecaros8.ccu.local — breached: Connections with Suspicious DNS (first seen: 2022-06-16 01:15:38 UTC)
172.17.91.109 — breached: Connections with Suspicious DNS (first seen: 2022-06-18 22:10:38 UTC)
clsfsaufv2.ccu.cl — breached: High Priority Crypto Currency Mining (first seen: 2022-06-16 14:23:02 UTC)
abizzarxp.ccu.local — breached: High Priority Crypto Currency Mining (first seen: 2022-06-13 13:27:22 UTC)
LAPTOP-1237A4L0 — breached: High Priority Crypto Currency Mining (first seen: 2022-06-14 15:05:47 UTC)
172.19.94.121 — breached: New User Agent and POST (first seen: 2022-06-17 19:49:55 UTC)
172.30.79.101 — breached: SMB Lateral Movement (first seen: 2022-06-24 17:37:23 UTC)
MNTNBCMOSCOSO — breached: SSL or HTTP Beacon (first seen: 2022-06-22 18:21:23 UTC)
ccunbhbarrer.ccu.local — breached: Suspicious Internal Use Of Web Protocol, Multiple Lateral Movement Model Breaches (first seen: 2022-06-27 14:53:27 UTC)
pc527.pulp.com.py — breached: Suspicious Netlogon RPC Calls (first seen: 2022-06-20 13:00:35 UTC)
172.19.168.138 — breached: Suspicious Network Scan Activity (first seen: 2022-06-16 16:24:54 UTC)
ibmpsnt1.ccu.local — breached: Suspicious Network Scan Activity (first seen: 2022-06-12 23:13:40 UTC)
clusfs02.ccu.cl — breached: Suspicious Network Scan Activity (first seen: 2022-06-16 15:50:17 UTC)
Details
Anomalous Octet Stream (No User Agent)
172.20.236.116 · 62:5f:74:bf:14:2d
New activity
172.19.168.138
Devices Affected
172.20.236.116 — breached: Anomalous Octet Stream (No User Agent) (first seen: 2022-06-06 19:12:27 UTC)
vsppcecanales.ccu.local — breached: Connections with Suspicious DNS (first seen: 2022-06-14 01:22:15 UTC)
nprpcclecaros8.ccu.local — breached: Connections with Suspicious DNS (first seen: 2022-06-16 01:15:38 UTC)
172.17.91.109 — breached: Connections with Suspicious DNS (first seen: 2022-06-18 22:10:38 UTC)
vsptpcdgonzal.ccu.local — breached: DGA Beacon (first seen: 2022-06-01 05:45:05 UTC)
HUAWEI_Y9_2019-f1975cbd0f — breached: Fast Beaconing to DGA (first seen: 2022-06-03 07:40:37 UTC)
Galaxy-A71 — breached: Fast Beaconing to DGA (first seen: 2022-06-28 12:01:18 UTC)
trk12fx2.ccu.cl — breached: High Priority Crypto Currency Mining (first seen: 2022-06-16 18:00:03 UTC)
abizzarxp.ccu.local — breached: High Priority Crypto Currency Mining (first seen: 2022-06-13 13:27:22 UTC)
LAPTOP-1237A4L0 — breached: High Priority Crypto Currency Mining (first seen: 2022-06-14 15:05:47 UTC)
clsfsaufv2.ccu.cl — breached: High Priority Crypto Currency Mining, Monero Mining (first seen: 2022-06-16 14:23:02 UTC)
clusfs02.ccu.cl — breached: High Priority Crypto Currency Mining, Monero Mining, Suspicious Network Scan Activity (first seen: 2022-06-16 14:33:29 UTC)
clusfs01.ccu.cl — breached: High Priority Crypto Currency Mining, Monero Mining, Suspicious Network Scan Activity (first seen: 2022-06-16 14:26:05 UTC)
clsfsaufv1.ccu.cl — breached: High Priority Crypto Currency Mining, Monero Mining, Suspicious Network Scan Activity (first seen: 2022-06-16 14:30:42 UTC)
wmsarbd1.ccu.cl — breached: High Priority Crypto Currency Mining, Monero Mining, Suspicious Network Scan Activity (first seen: 2022-06-16 14:33:43 UTC)
tccupcmarcoleta.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-27 11:58:54 UTC)
TCCPCCHTCCU — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-28 03:00:31 UTC)
TCCPCPPNORTE2 — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-27 12:04:00 UTC)
DESKTOP-08JUG1K — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-12 13:33:16 UTC)
TCCPCRCACERE — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-28 04:15:26 UTC)
ECUPCPORSANM2 — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-17 07:09:55 UTC)
10.100.29.225 — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-03 18:33:59 UTC)
10.100.29.251 — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-03 01:08:28 UTC)
VSPTPCPORTEIM — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-28 02:36:09 UTC)
CCUNBSALOPEZA — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-28 03:20:56 UTC)
172.30.22.26 — breached: Monero Mining (first seen: 2022-06-22 09:33:50 UTC)
172.19.94.121 — breached: New User Agent and POST (first seen: 2022-06-17 19:49:55 UTC)
ccunbhbarrer.ccu.local — breached: Possible Brute-Force Activity, Suspicious Network Scan Activity, Multiple Lateral Movement Model Breaches, Suspicious Internal Use Of Web Protocol (first seen: 2022-06-27 14:47:50 UTC)
172.30.79.101 — breached: SMB Lateral Movement (first seen: 2022-06-24 17:37:23 UTC)
MNTNBCMOSCOSO — breached: SSL or HTTP Beacon (first seen: 2022-06-22 18:21:23 UTC)
pc527.pulp.com.py — breached: Suspicious Netlogon RPC Calls (first seen: 2022-06-20 13:00:35 UTC)
ibmpsnt1.ccu.local — breached: Suspicious Network Scan Activity (first seen: 2022-06-12 23:13:40 UTC)
LAPTOP-8FR44O8M — breached: Suspicious Network Scan Activity (first seen: 2022-06-29 23:13:44 UTC)
10.212.134.202 — breached: Suspicious Network Scan Activity (first seen: 2022-06-07 13:04:46 UTC)
192.168.100.2 — breached: Suspicious Octet Stream Download (first seen: 2022-06-03 20:13:34 UTC)
sfe-syso010.ccu.arg — breached: Sustained Unusual Activity from New Device (first seen: 2022-06-15 13:47:38 UTC)
10.100.18.82 — breached: Sustained Unusual Activity from New Device (first seen: 2022-06-30 15:40:05 UTC)
172.19.168.138 — breached: Sustained Unusual Activity from New Device, Suspicious Network Scan Activity (first seen: 2022-06-16 16:24:54 UTC)
nb800.pulp.com.py — breached: Unusual SMB Session And DRS (first seen: 2022-06-27 13:05:24 UTC)
nb-nchamorro.pulp.com.py — breached: Unusual SMB Session And DRS (first seen: 2022-06-24 14:06:31 UTC)
Details
Connections with Suspicious DNS — [AP: C2 Comms]
172.17.91.109 · 4e:07:68:16:b2:72
clsfsaufv1.ccu.cl · 172.19.168.156
clsfsaufv2.ccu.cl · 172.19.168.157
clusfs01.ccu.cl · 172.19.168.138
trk12fx2.ccu.cl · 172.19.168.141
2022-06-16 17:59:49 UTC
trk12fx2.ccu.cl · 172.19.168.141 made an Unknown connection to c4k-rx0.pwndns.pw · 146.59.198.38 on TCP port 8080.
wmsarbd1.ccu.cl · 172.19.168.211
New activity
Possible Brute-Force Activity — [AP: Bruteforce, AP: Lateral Movement, OT Engineer]
ccunbhbarrer.ccu.local · 10.100.16.35
2022-06-27 15:14:14 UTC
ccunbhbarrer.ccu.local · 10.100.16.69 made an HTTP connection to manantial-odoo-admin-qa.kub.ccu.cl · 172.19.170.58 on TCP port 443.
Sustained Unusual Activity from New Device — [AP: Internal Recon, OT Engineer]
10.100.18.82
172.19.168.138
2022-06-16 15:45:27 UTC
172.19.168.138 was still making an Unknown connection to 192.168.103.3 on TCP port 22.
sfe-syso010.ccu.arg · 172.30.24.10
2022-06-15 13:19:33 UTC to 2022-06-15 13:23:27 UTC
sfe-syso010.ccu.arg · 172.30.24.10 made an SSL connection to papex1-waphv1.ccu.local · 172.19.169.125 on TCP port 21112.
clsfsaufv2.ccu.cl · 172.19.168.157
clusfs02.ccu.cl · 172.19.168.139
2022-06-16 15:41:01 UTC
clusfs02.ccu.cl · 172.19.168.139 made a DNS connection to 128.84.0.41 on UDP port 53.
wmsarbd1.ccu.cl · 172.19.168.211
Suspicious Network Scan Activity — [AP: Internal Recon, AP: Scanning, Enhanced Monitoring, OT Engineer]
10.212.134.202
2022-06-07 13:04:45 UTC
10.212.134.202 failed to make an Unknown connection to pc270.pulp.com.py · 192.168.10.215 on TCP port 1.
172.19.168.138
2022-06-16 16:24:41 UTC
172.19.168.138 made an SSH connection to 192.168.100.230 on TCP port 22.
ccunbhbarrer.ccu.local · 10.100.16.35
New activity
clsfsaufv1.ccu.cl · 172.19.168.156
clusfs01.ccu.cl · 172.19.168.138
clusfs02.ccu.cl · 172.19.168.139
ibmpsnt1.ccu.local · 172.19.168.88
wmsarbd1.ccu.cl · 172.19.168.211
New activity
nb800.pulp.com.py · 192.168.112.123
New activity
Multiple Lateral Movement Model Breaches — [AP: Lateral Movement, Enhanced Monitoring, OT Engineer]
ccunbhbarrer.ccu.local · 10.100.16.35
Suspicious Internal Use Of Web Protocol — [AP: Exploit, AP: Lateral Movement]
ccunbhbarrer.ccu.local · 10.100.16.35
10.100.29.251
VSPTPCPORTEIM · 98:af:65:68:50:d3
2022-06-28 02:35:53 UTC
VSPTPCPORTEIM · 172.19.152.58 · 98:af:65:68:50:d3 failed to look up nhlgamer.online in a DNS connection to 128.84.0.199 on UDP port 53.