DarktraceReport2022-06-01T05 00 00 2022-07-01T04 59 00

Darktrace UV Summary Report
2022/06/01 05:00:00 — 2022/07/01 04:59:00

Deployment Summary  Health Check
The following is a summary of the Darktrace deployment status on your network over the last month. The report shows the
Antigena
distribution of possible attacks and potential vulnerabilities in the network infrastructure, and off ers recommendations to network is deployed
address these risks.
Average bandwidth received:
28879 22606 4553 8.66 gbps (probe: 3)
active devices on the network modelled devices on the new devices detected in the
100.03 mbps (probe: 1)
in the last 4 weeks network last 4 weeks

Average bandwidth processed:
707 4.82
6 10
gbps (probe: 3)
subnets monitored across the

47.13
instances running Darktrace probes actively processing data
organisation mbps (probe: 4)
Attack Phase: Distribution of Model Breaches
Phases of an Attack
Darktrace models can be organized according to the attack phase they are most likely to detect. Monitoring models according to these categories can allow the
characteristic behavior pattern of an ongoing attack to be observed.
Summary of model breaches per Attack Phase

Exploit ‣ 56.76%
A total of 105 model breaches of 4 different models triggered by 92 unique devices
Top scoring devices: ccunbhbarrer.ccu.local · 10.100.16.35 95.10%
Lateral Movement ‣ 12.43%

Bruteforce ‣ 10.81%
A total of 20 model breaches of 1 model triggered by 20 unique devices
Tooling ‣ 8.11%

Top scoring devices: 192.168.100.2 77.30%
Internal Recon ‣ 7.03%

Top scoring devices: 172.19.168.138 95.10%
Scanning ‣ 4.86%
A total of 9 model breaches of 1 model triggered by 9 unique devices
Top scoring devices: ibmpsnt1.ccu.local · 172.19.168.88 95.10%
Overall Score: Devices
Top Devices by Overall Score
Devices highlighted here have exhibited the greatest overall degree of unusual activity over the course of the reporting period. Device overall score gives an indication
of which devices are at highest risk in the organisation.
Devices Model Breach Summary

ibmpsnt1.ccu.local Overall score: 95.10%
Suspicious Network Scan Activity 100.0%
clusf s02.ccu.cl Overall score: 95.10%
clsf sauf v2.ccu.cl Overall score: 95.10%
High Priority Crypto Currency Mining 100.0%
ccunbhbarrer.ccu.local Overall score: 95.10%
abizzarxp.ccu.local Overall score: 95.10%
MNT NBCMOSCOSO Overall score: 95.10%
SSL or HTTP Beacon 100.0%
172.19.168.138 Overall score: 95.10%
172.30.79.101 Overall score: 93.50%
SMB Lateral Movement 88.36%

High Priority Models: Devices
Top Devices Breaching High Priority Models
Devices highlighted here have breached models assessed to represent behaviors regarded as high priority for the organisation. This also includes models tagged by
the customer using the 'Autoreporting' tag or model breaches with a score over 80%.
Devices Model Breach Summary

wmsarbd1.ccu.cl Overall score: 95.10%

Monero Mining 87.14%
ibmpsnt1.ccu.local Overall score: 95.10%




ccunbhbarrer.ccu.local Overall score: 95.10%
Possible Brute-Force Activity 96.72%

abizzarxp.ccu.local Overall score: 95.10%

Compliance Models: Model Breaches
Highest Frequency Compliance Model Breaches
Compliance models can be used to monitor whether devices and users are breaching security policy. Some remote management tools, for instance, can be exploited
to gain control over devices in a similar manner to a remote access trojan, while others are commonly used in tech support scams so their presence can be an
indicator of compromise. Monitoring this type of device behavior across the network helps companies track risk more eff ectively.
No breaches to report in your chosen time period

Compliance Models: Devices
Top Devices Breaching Compliance Models
Devices highlighted here have breached compliance models multiple times over the reporting period. Devices may be using third-party file sharing service, privacy
VPN providers, encrypted messaging application or involved in other moderate risk network activities.
No breaches to report in your chosen time period

Categories: Distribution of Model Breaches
Top Directories with Model Breaches
Directories highlighted here have the highest number of model breaches.
Directory Breaches
Antigena 432
Compromise 198
Device 46
Anomalous File 15
Unusual Activity 3
Antigena: Antigena Actions
Antigena Actions Summary
The following actions were triggered by Antigena in response to anomalous behavior in your network environment. The actions taken range from interrupting
communications between distinct endpoint/port combinations up to complete quarantine - actions are proportional to threat and may be escalated if granular blocks
are not sufficient.
Antigena Network Actions (LICENSED)
In the last 7 days, 227 act ions were created and a minimum of 0 connect ions
blocked.
blocked.
blocked.
Antigena Firewall Actions (LICENSED)
In the last 7 days, 0 act ions were created and a minimum of 0 connect ions blocked.
In the last 28 days, 0 act ions were created and a minimum of 0 connect ions blocked.
blocked.
Appendix
Table of Contents
A. Attack Phases
B. Top Model Breaching Devices
C. Enhanced Monitoring
D. Compliance Model Breaches
Attack Phases
Details
Anomalous Octet Stream (No User Agent) — [, AP: Tooling]
172.20.236.116 · 62:5f:74:bf:14:2d
2022-06-06 19:12:26 UTC

172.20.236.116 · 62:5f:74:bf:14:2d made an HTTP connection to d1jojlqs3flo2j.cloudfront.net · 13.227.205.59 on TCP port 80.
2022-06-06 19:12:27 UTC
Model Breach: Anomalous File / Anomalous Octet Stream (No User Agent) — 100.0%
Active Directory Reconnaissance — [AP: Internal Recon]

pcbrk-wpvfc3.ccu.local · 172.19.170.69
2022-06-17 10:04:29 UTC
pcbrk-wpvfc3.ccu.local · 172.19.170.69 made a KERBEROS connection to srv-dc-04-.ccu.local · 172.19.170.9 on TCP port 88.
2022-06-17 10:04:29 UTC
2022-06-17 10:04:31 UTC
2022-06-17 10:04:31 UTC
KERBEROS (Ticket) to srv-dc-04-.ccu.local · 172.19.170.9 on port 88 — gis
Detail: TGS ok: crealm is [CCU.LOCAL], srealm is [CCU.LOCAL], service is [RPCSS/AVPRAPP-WINEHV.ccu.local], TGT is [2a6fcedbf9f0640d9d05df70b6324838], TGTcipher is
[aes256-cts-hmac-sha1-96], ST is [e22a971d54e6544ceb73c5c4ddd42522], STcipher is [aes256-cts-hmac-sha1-96], Flags are [Forwardable, Renewable], Reqtill is
[2136422885.000000], Pre-authentication [unknown-167]
2022-06-17 10:04:58 UTC
DCERPC (Bind) to pqlks-wcihv.ccu.local · 172.19.169.213 on port 135 — RequestedService: IRemoteSCMActivator, status: SUCCESS
Detail: endpoint_uuid: 000001a0-0000-0000-c000-000000000046, SecAddr: 135
2022-06-17 10:04:59 UTC to 2022-06-17 10:05:10 UTC
pcbrk-wpvfc3.ccu.local · 172.19.170.69 made a DCE_RPC,GSSAPI connection to pqlks-wcihv.ccu.local · 172.19.169.213 on TCP port 135.
2022-06-17 10:05:03 UTC
Protocol Detector (Server_Found) to pqlks-wcihv.ccu.local · 172.19.169.213 on port 135 — 172.19.169.213: GSSAPI server on port 135/tcp
Detail: GSSAPI
2022-06-17 10:05:11 UTC
Unusual Activity (meta-classifier) 34.0% — Internal Connection Spread, Internal Connections, Internal Connections to Closed Ports, Internal Active Connections
2022-06-17 10:05:12 UTC
Model Breach: Device / Active Directory Reconnaissance — 67.9%
SMB Lateral Movement — [AP: Lateral Movement]

172.30.79.101
2022-06-24 17:37:20 UTC
172.30.79.101 was still making an SMB1,NTLM,GSSAPI connection to srvsfeprn.ccu.arg · 172.30.24.157 on TCP port 445.
2022-06-24 17:37:20 UTC
172.30.79.101 made an SMB,NTLM,GSSAPI connection to srvsfeprn.ccu.arg · 172.30.24.157 on TCP port 445.
2022-06-24 17:37:20 UTC
2022-06-24 17:37:20 UTC
SMB (Session Failure) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — German
Detail: client_hostname=GERMAN-PC domain=German-PC mechType=NTLMSSP version=smb1 reason=The attempted logon is invalid. This is either due to a bad username or
authentication information. details= result=logon_failure
2022-06-24 17:37:20 UTC
NTLM (Login Fail) to srvsfeprn.ccu.arg · 172.30.24.157 on port 445 — german
Detail: domain=German-PC hostname=GERMAN-PC auth_successful=F result=logon_failure
2022-06-24 17:37:20 UTC

2022-06-24 17:37:20 UTC
2022-06-24 17:37:21 UTC
DT (Model Breach) — Device / Anomaly Indicators / SMB Session Brute Force Non-Admin Indicator
2022-06-24 17:37:22 UTC
DT (Model Breach) — Device / SMB Session Brute Force (Non-Admin)
2022-06-24 17:37:23 UTC
Model Breach: Device / SMB Lateral Movement — 88.4%
Suspicious Octet Stream Download — [AP: Tooling]

192.168.100.2
2022-06-13 06:44:59 UTC
192.168.100.2 made an HTTP connection to 99.192.224.69 on TCP port 80.
2022-06-13 06:45:00 UTC
Model Breach: Anomalous File / Suspicious Octet Stream Download — 87.5%
2022-06-15 08:09:00 UTC to 2022-06-15 08:09:01 UTC
2022-06-15 08:09:02 UTC
2022-06-20 01:46:20 UTC
2022-06-20 01:46:21 UTC
Sustained Unusual Activity from New Device — [, AP: Internal Recon, OT Engineer]
sfe-syso010.ccu.arg · 172.30.24.10
2022-06-15 13:19:33 UTC to 2022-06-15 13:23:27 UTC
sfe-syso010.ccu.arg · 172.30.24.10 made an SSL connection to papex1-waphv1.ccu.local · 172.19.169.125 on TCP port 21112.
2022-06-15 13:20:34 UTC
Unusual Activity (meta-classifier) 66.0% — Internal Data Transfer, Internal Connections, Internal Connections to Closed Ports, Internal Active Connections
2022-06-15 13:47:36 UTC
sfe-syso010.ccu.arg · 172.30.24.10 made an Unknown connection to papex1-waphv1.ccu.local · 172.19.169.125 on TCP port 21112.
2022-06-15 13:47:37 UTC
2022-06-15 13:47:38 UTC
Model Breach: Unusual Activity / Sustained Unusual Activity from New Device — 90.8%
10.100.18.82
2022-06-30 14:58:37 UTC to 2022-06-30 15:01:00 UTC

10.100.18.82 was still making an Unknown connection to 172.19.56.15 on TCP port 8005.
2022-06-30 14:59:31 UTC to 2022-06-30 15:01:19 UTC
2022-06-30 15:40:03 UTC
10.100.18.82 failed to make an Unknown connection to 172.19.57.101 on TCP port 8000.
2022-06-30 15:40:04 UTC
2022-06-30 15:40:05 UTC
172.19.168.138
2022-06-16 15:45:27 UTC
2022-06-16 15:45:28 UTC
172.19.168.138 failed to make an Unknown connection to 192.168.100.37 · 00:15:65:e1:d9:e7 on TCP port 22.
2022-06-16 15:45:28 UTC
172.19.168.138 failed to make an Unknown connection to UYMON042 · 192.168.100.62 · a0:c5:89:ed:b0:61 on TCP port 22.
2022-06-16 15:45:30 UTC
172.19.168.138 failed to make an Unknown connection to 192.168.101.50 · f8:b1:56:be:52:06 on TCP port 22.
2022-06-16 15:45:31 UTC
172.19.168.138 failed to make an Unknown connection to Galaxy-A21s · 192.168.100.56 · d2:c0:0b:50:0e:28 on TCP port 22.
2022-06-16 15:45:32 UTC
Unusual Activity (meta-classifier) 59.0% — Internal Connection Spread, Internal Connections to Closed Ports
2022-06-16 16:30:39 UTC to 2022-06-16 16:30:41 UTC
172.19.168.138 made an SSH connection to 192.168.100.225 on TCP port 22.
2022-06-16 16:30:40 UTC
2022-06-16 16:30:41 UTC
Suspicious Internal Use Of Web Protocol — [, AP: Exploit, AP: Lateral Movement]
ccunbhbarrer.ccu.local · 10.100.16.35
2022-06-27 14:53:27 UTC

ccunbhbarrer.ccu.local · 10.100.16.69 made an HTTP connection to manantial-odoo-admin-qa.kub.ccu.cl · 172.19.170.58 on TCP port 443.
2022-06-27 14:53:27 UTC
2022-06-27 14:53:27 UTC
2022-06-27 14:53:27 UTC
2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC
2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC
2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC
Suspicious Netlogon RPC Calls Followed By DRS — [, AP: Exploit]

pc527.pulp.com.py · 192.168.112.123
2022-06-20 13:00:32 UTC
pc527.pulp.com.py · 192.168.112.123 made a DCE_RPC,NETLOGON connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 49680.
2022-06-20 13:00:32 UTC

pc527.pulp.com.py · 192.168.112.123 was still making a DCE_RPC,NETLOGON connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 49680.
2022-06-20 13:00:32 UTC
DCERPC (Bind) to dc3.pulp.com.py · 172.19.170.96 on port 49680 — RequestedService: Net logon, status: SUCCESS
Detail: endpoint_uuid: 12345678-1234-abcd-ef00-01234567cff b, SecAddr: 49680
2022-06-20 13:00:32 UTC

DCERPC (Request) to dc3.pulp.com.py · 172.19.170.96 on port 49669 — operation: DRSGetNCChanges, endpoint: drsuapi, status: SUCCESS
Detail: opnum: 0x3, endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr: 49669
2022-06-20 13:00:33 UTC

2022-06-20 13:00:33 UTC
2022-06-20 13:00:33 UTC
2022-06-20 13:00:38 UTC

pc527.pulp.com.py · 192.168.112.123 was still making a DCE_RPC connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 49669.
2022-06-20 13:00:38 UTC

2022-06-20 13:00:39 UTC
Model Breach: Compromise / Suspicious Netlogon RPC Calls Followed By DRS — 60.6%
nb880.pulp.com.py · 192.168.112.123
2022-06-13 18:28:47 UTC

nb880.pulp.com.py · 192.168.112.123 was still making a DCE_RPC connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 49668.
2022-06-13 18:28:47 UTC

nb880.pulp.com.py · 192.168.112.123 was still making a DCE_RPC,NETLOGON connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 49680.
2022-06-13 18:28:48 UTC

2022-06-13 18:28:49 UTC

2022-06-13 18:28:50 UTC

2022-06-13 18:28:57 UTC to 2022-06-13 18:29:08 UTC

nb880.pulp.com.py · 192.168.112.123 made a DCE_RPC,NETLOGON connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 49680.
2022-06-13 18:28:57 UTC
2022-06-13 18:29:09 UTC

2022-06-13 18:29:10 UTC
pc173.pulp.com.py · 192.168.112.123
2022-06-13 19:56:12 UTC
2022-06-13 19:56:12 UTC
2022-06-13 19:56:12 UTC

2022-06-13 19:56:13 UTC
pc173.pulp.com.py · 192.168.112.123 made a DCE_RPC connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 49668.
2022-06-13 19:56:13 UTC

2022-06-13 19:56:13 UTC
DCERPC (Bind) to dc3.pulp.com.py · 172.19.170.96 on port 49668 — RequestedService: drsuapi, status: SUCCESS
Detail: endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr: 49668
2022-06-13 19:56:13 UTC

DCERPC (Bind) to dc3.pulp.com.py · 172.19.170.96 on port 49668 — RequestedService: drsuapi, status: SUCCESS
Detail: endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2, SecAddr:
2022-06-13 19:56:13 UTC
Detail: opnum: 0x3, endpoint_uuid: e3514235-4b06-11d1-ab04-00c04fc2dcd2
2022-06-13 19:56:14 UTC

2022-06-13 19:56:14 UTC
Suspicious Netlogon RPC Calls — [AP: Exploit]

pc527.pulp.com.py · 192.168.112.123
2022-06-20 13:00:31 UTC

2022-06-20 13:00:31 UTC

2022-06-20 13:00:32 UTC

2022-06-20 13:00:32 UTC
2022-06-20 13:00:32 UTC
2022-06-20 13:00:33 UTC
2022-06-20 13:00:33 UTC

2022-06-20 13:00:33 UTC
2022-06-20 13:00:34 UTC

DT (Model Breach) — Device / Anomaly Indicators / Anomalous Netlogon RPC Calls
2022-06-20 13:00:35 UTC
Model Breach: Compromise / Suspicious Netlogon RPC Calls — 100.0%
Suspicious Network Scan Activity — [, AP: Internal Recon, AP: Scanning, Enhanced Monitoring, OT Engineer]
ibmpsnt1.ccu.local · 172.19.168.88
2022-06-12 23:13:38 UTC
RDP (Cookie) to foupbt-wefv.ccu.local · 172.19.169.165 on port 3389 — administr
Detail: Client connected with this RDP cookie, result=HYBRID_REQUIRED_BY_SERVER
New activity
2022-06-12 23:13:39 UTC

ibmpsnt1.ccu.local · 172.19.168.88 made a DCE_RPC connection to wmsprdbd02-.ccu.local · 172.19.169.255 on TCP port 135.
2022-06-12 23:13:39 UTC
ibmpsnt1.ccu.local · 172.19.168.88 was still making a DCE_RPC connection to 172.19.170.89 on TCP port 135.
2022-06-12 23:13:39 UTC

ibmpsnt1.ccu.local · 172.19.168.88 was still making a DCE_RPC connection to pdcar-wssfv.ccu.arg · 172.19.170.78 on TCP port 135.
2022-06-12 23:13:39 UTC
ibmpsnt1.ccu.local · 172.19.168.88 was still making a DCE_RPC connection to ppipci-wehv.ccu.local · 172.19.169.71 on TCP port 135.
2022-06-12 23:13:39 UTC

ibmpsnt1.ccu.local · 172.19.168.88 was still making a DCE_RPC connection to papex1-wdbhv.ccu.local · 172.19.169.126 on TCP port 135.
2022-06-12 23:13:39 UTC
ibmpsnt1.ccu.local · 172.19.168.88 was still making a DCE_RPC connection to pdeep-wsshv.ccu.local · 172.19.169.112 on TCP port 135.
2022-06-12 23:13:39 UTC
ibmpsnt1.ccu.local · 172.19.168.88 was still making a DCE_RPC connection to hwmsr-waphv.ccu.local · 172.19.170.47 on TCP port 135.
2022-06-12 23:13:39 UTC

DT (Model Breach) to Internal Traffic · 172.19.169.165 on port 3389 — Anomalous Connection / Unusual Admin RDP Session
2022-06-12 23:13:40 UTC
Model Breach: Device / Suspicious Network Scan Activity — 100.0%
clusfs02.ccu.cl · 172.19.168.139
2022-06-16 15:50:17 UTC
clusfs02.ccu.cl · 172.19.168.139 was still making an Unknown connection to Internal Traffic · 172.19.46.74 on TCP port 22.
2022-06-16 15:50:17 UTC

clusfs02.ccu.cl · 172.19.168.139 failed to make an Unknown connection to Internal Traffic · 172.19.46.74 on TCP port 22.
2022-06-16 15:50:17 UTC to 2022-06-16 15:50:17 UTC
2022-06-16 15:50:17 UTC

2022-06-16 15:50:17 UTC
2022-06-16 15:50:17 UTC to 2022-06-16 15:50:17 UTC

2022-06-16 15:50:17 UTC
2022-06-16 15:50:17 UTC

172.19.168.138
2022-06-16 16:24:41 UTC

2022-06-16 16:24:41 UTC
2022-06-16 16:24:41 UTC

2022-06-16 16:24:41 UTC
2022-06-16 16:24:41 UTC
SSH (Heuristic_Login_Failed) to 192.168.100.229 on port 22 — 172.19.168.138 failed to log in to 192.168.100.229 via SSH.
2022-06-16 16:24:42 UTC to 2022-06-16 16:24:42 UTC
172.19.168.138 made an SSH connection to 192.168.101.200 · 9a:15:75:c6:5d:9c on TCP port 22.
2022-06-16 16:24:42 UTC

SSH (Heuristic_Login_Failed) to 192.168.101.200 · 9a:15:75:c6:5d:9c on port 22 — 172.19.168.138 failed to log in to 192.168.101.200 via SSH.
2022-06-16 16:24:53 UTC
DT (Model Breach) — Anomalous Connection / SSH Brute Force
2022-06-16 16:24:54 UTC

Possible Brute-Force Activity — [, AP: Bruteforce, AP: Lateral Movement, OT Engineer]
2022-06-27 15:14:14 UTC
2022-06-27 15:14:14 UTC

2022-06-27 15:14:14 UTC
2022-06-27 15:14:14 UTC

2022-06-27 15:14:14 UTC
2022-06-27 15:14:14 UTC

2022-06-27 15:14:14 UTC
2022-06-27 15:14:14 UTC

2022-06-27 15:14:14 UTC
2022-06-27 15:14:15 UTC

Model Breach: Device / Possible Brute-Force Activity — 96.7%
ciu-hpnb020.ccu.arg · 172.30.79.78 · e8:d8:d1:ee:fd:99
2022-06-24 12:14:36 UTC to 2022-06-24 12:14:41 UTC
ciu-hpnb020.ccu.arg · 172.30.79.78 · e8:d8:d1:ee:fd:99 made an SSL connection to ciu-sapcap13.ccu.arg · 172.30.17.10 on TCP port 443.
2022-06-24 12:14:36 UTC to 2022-06-24 12:14:41 UTC
2022-06-24 12:14:36 UTC

2022-06-24 12:14:37 UTC
Unusual Activity (meta-classifier) 50.0% — Internal Data Transfer, Internal Connections, Internal Active Connections
2022-06-24 12:14:41 UTC

2022-06-24 12:14:41 UTC
2022-06-24 12:14:41 UTC

2022-06-24 12:14:42 UTC
cba-ven020.ccu.arg · 172.30.79.12
2022-06-04 20:47:20 UTC to 2022-06-04 20:53:20 UTC
cba-ven020.ccu.arg · 172.30.79.12 was still making an SSL connection to 172.17.60.33 on TCP port 443.
2022-06-04 20:53:42 UTC

cba-ven020.ccu.arg · 172.30.79.12 made an SSL connection to 172.17.60.33 on TCP port 443.
2022-06-04 20:53:43 UTC
2022-06-04 20:53:44 UTC

Unusual SMB Session And DRS — [AP: Exploit]

nb-nchamorro.pulp.com.py · 192.168.112.123
2022-06-24 14:06:19 UTC

nb-nchamorro.pulp.com.py · 192.168.112.123 made an SMB,NTLM,GSSAPI connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 445.
2022-06-24 14:06:19 UTC
SMB (Session Success) to dc3.pulp.com.py · 172.19.170.96 on port 445 — Administrador
Detail: client_hostname=DC1 domain=PULP-PY mechType=NTLMSSP client_signed server_signed version=smb2
New activity
2022-06-24 14:06:19 UTC
NTLM (Login) to dc3.pulp.com.py · 172.19.170.96 on port 445 — administrador
Detail: domain=PULP-PY hostname=DC1 auth_successful=T result=success
New activity
2022-06-24 14:06:20 UTC

DT (Model Breach) — Device / Anomaly Indicators / Unusual SMB Session
2022-06-24 14:06:30 UTC

nb-nchamorro.pulp.com.py · 192.168.112.123 was still making a DCE_RPC connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 49667.
2022-06-24 14:06:30 UTC
New activity
2022-06-24 14:06:31 UTC

Model Breach: Compromise / Unusual SMB Session And DRS — 88.5%
nb800.pulp.com.py · 192.168.112.123
2022-06-27 13:04:28 UTC

An unusual time f or this event
2022-06-27 13:04:39 UTC

2022-06-27 13:04:46 UTC

2022-06-27 13:04:57 UTC

2022-06-27 13:05:22 UTC
SMB (Session Success) to dc3.pulp.com.py · 172.19.170.96 on port 445 — cbrugada
Detail: client_hostname=NB908 domain=PULP-PY mechType=NTLMSSP server_signed version=smb2
New activity
2022-06-27 13:05:22 UTC
New Credential Use to dc3.pulp.com.py · 172.19.170.96 on port 445 — cbrugada
Detail: domain=PULP-PY hostname=NB908 auth_successful=T result=success. cbrugada has logged into 2 devices in the last 107 seconds
New activity
2022-06-27 13:05:22 UTC

NTLM (Login) to dc3.pulp.com.py · 172.19.170.96 on port 445 — cbrugada
Detail: domain=PULP-PY hostname=NB908 auth_successful=T result=success
New activity
2022-06-27 13:05:23 UTC

nb800.pulp.com.py · 192.168.112.123 made an SMB,GSSAPI,NTLM connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 445.
2022-06-27 13:05:23 UTC

2022-06-27 13:05:24 UTC
devserver.pulp.com.py · 192.168.112.123
2022-06-21 16:02:31 UTC
devserver.pulp.com.py · 192.168.112.123 made an SMB,NTLM,GSSAPI,DCE_RPC connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 445.
2022-06-21 16:02:31 UTC

SMB (Write Success) to dc3.pulp.com.py · 172.19.170.96 on port 445 — share=\\172.19.170.96\IPC$ file=winreg version=smb2 account=Administrador
Detail: reason=The operation completed successfully. mimeType= details=Initial_transfer share_type=PIPE version=smb2 result=success, size=164B
New activity
2022-06-21 16:02:31 UTC

Detail: client_hostname=DC1 domain=PULP-PY mechType=NTLMSSP server_signed version=smb2
New activity
2022-06-21 16:02:31 UTC

New activity
2022-06-21 16:02:31 UTC

Detail: domain=PULP-PY hostname=DC1 auth_successful=T result=
2022-06-21 16:02:31 UTC
SMB (Read Success) to dc3.pulp.com.py · 172.19.170.96 on port 445 — share=\\172.19.170.96\IPC$ file=winreg version=smb2 account=Administrador
Detail: reason=The operation completed successfully. mimeType= details=Initial_transfer share_type=PIPE version=smb2 result=success, size=300B
New activity
2022-06-21 16:02:31 UTC

DCERPC (Bind) to dc3.pulp.com.py · 172.19.170.96 on port 445 — RequestedService: Remote registry, status: SUCCESS
Detail: endpoint_uuid: 338cd001-2244-31f1-aaaa-900038001003, SecAddr: \PIPE\winreg
New activity
2022-06-21 16:02:31 UTC

SMB (Access Failure) to dc3.pulp.com.py · 172.19.170.96 on port 445 — share=\\172.19.170.96\IPC$ file=winreg version=smb2 account=Administrador error=PIPE_NOT_AVAILABLE
Detail: share_type=PIPE details= error_desc=An instance of a named pipe cannot be found in the listening state. krb_ciphertext=
New activity
2022-06-21 16:02:32 UTC

2022-06-21 16:02:33 UTC
Multiple Lateral Movement Model Breaches — [, AP: Lateral Movement, Enhanced Monitoring, OT Engineer]
2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC
2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC
2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC
2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC
2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC
Top Model Breaching Devices
Devices Affected
172.20.236.116 — breached: Anomalous Octet Stream (No User Agent) (first seen: 2022-06-06 19:12:27 UTC)
vsppcecanales.ccu.local — breached: Connections with Suspicious DNS (first seen: 2022-06-14 01:22:15 UTC)
nprpcclecaros8.ccu.local — breached: Connections with Suspicious DNS (first seen: 2022-06-16 01:15:38 UTC)
172.17.91.109 — breached: Connections with Suspicious DNS (first seen: 2022-06-18 22:10:38 UTC)
clsfsaufv2.ccu.cl — breached: High Priority Crypto Currency Mining (first seen: 2022-06-16 14:23:02 UTC)
abizzarxp.ccu.local — breached: High Priority Crypto Currency Mining (first seen: 2022-06-13 13:27:22 UTC)
LAPTOP-1237A4L0 — breached: High Priority Crypto Currency Mining (first seen: 2022-06-14 15:05:47 UTC)
172.19.94.121 — breached: New User Agent and POST (first seen: 2022-06-17 19:49:55 UTC)
172.30.79.101 — breached: SMB Lateral Movement (first seen: 2022-06-24 17:37:23 UTC)
MNTNBCMOSCOSO — breached: SSL or HTTP Beacon (first seen: 2022-06-22 18:21:23 UTC)
ccunbhbarrer.ccu.local — breached: Suspicious Internal Use Of Web Protocol, Multiple Lateral Movement Model Breaches (first seen: 2022-06-27 14:53:27 UTC)
pc527.pulp.com.py — breached: Suspicious Netlogon RPC Calls (first seen: 2022-06-20 13:00:35 UTC)
172.19.168.138 — breached: Suspicious Network Scan Activity (first seen: 2022-06-16 16:24:54 UTC)
ibmpsnt1.ccu.local — breached: Suspicious Network Scan Activity (first seen: 2022-06-12 23:13:40 UTC)
clusfs02.ccu.cl — breached: Suspicious Network Scan Activity (first seen: 2022-06-16 15:50:17 UTC)
Details
Anomalous Octet Stream (No User Agent)
172.20.236.116 · 62:5f:74:bf:14:2d
2022-06-06 19:12:26 UTC

2022-06-06 19:12:27 UTC
High Priority Crypto Currency Mining

abizzarxp.ccu.local · 172.18.22.62 · 00:24:81:23:24:d0
2022-06-13 13:19:39 UTC to 2022-06-13 13:27:10 UTC

abizzarxp.ccu.local · 172.18.22.62 · 00:24:81:23:24:d0 was still making an Unknown connection to 139.177.196.162 on TCP port 443.
2022-06-13 13:27:20 UTC
Cryptocurrency (Miner) to 139.177.196.162 on port 443 — Cryptocurrency miner at 172.18.22.62, using Minergate protocol
Detail: METHODS: submit
2022-06-13 13:27:21 UTC

DT (Model Breach) to 139.177.196.162 on port 443 — Compromise / Crypto Currency Mining Activity
2022-06-13 13:27:22 UTC
Model Breach: Compromise / High Priority Crypto Currency Mining — 100.0%
LAPTOP-1237A4L0 · 172.19.95.137 · 3c:58:c2:c1:85:36

2022-06-14 15:05:04 UTC to 2022-06-14 15:05:45 UTC
LAPTOP-1237A4L0 · 172.19.95.137 · 3c:58:c2:c1:85:36 made an Unknown connection to 172.93.96.62 on TCP port 42350.
2022-06-14 15:05:45 UTC

Cryptocurrency (Mining_Credential) to 172.93.96.62 on port 42350 — Cryptocurrency mining credential x using Minergate protocol identified.
2022-06-14 15:05:46 UTC
2022-06-14 15:05:47 UTC

clsfsaufv2.ccu.cl · 172.19.168.157
2022-06-16 14:22:43 UTC

clsfsaufv2.ccu.cl · 172.19.168.157 made an Unknown connection to 146.59.198.38 on TCP port 8080.
2022-06-16 14:23:00 UTC

2022-06-16 14:23:01 UTC

2022-06-16 14:23:02 UTC
SMB Lateral Movement

172.30.79.101
2022-06-24 17:37:20 UTC
2022-06-24 17:37:20 UTC

2022-06-24 17:37:20 UTC
2022-06-24 17:37:20 UTC

2022-06-24 17:37:20 UTC
2022-06-24 17:37:20 UTC

2022-06-24 17:37:20 UTC
2022-06-24 17:37:21 UTC

2022-06-24 17:37:22 UTC

2022-06-24 17:37:23 UTC

Connections with Suspicious DNS

172.17.91.109 · 4e:07:68:16:b2:72
2022-06-18 22:02:04 UTC

172.17.91.109 · 4e:07:68:16:b2:72 successfully looked up hls42.ru.com in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-18 22:02:06 UTC
2022-06-18 22:02:09 UTC
2022-06-18 22:02:19 UTC

2022-06-18 22:02:28 UTC
2022-06-18 22:03:27 UTC

2022-06-18 22:03:28 UTC

DT (Model Breach) — Compromise / Domain Fluxing
2022-06-18 22:10:37 UTC

172.17.91.109 · 4e:07:68:16:b2:72 made an SSL connection to mucums.com · 104.21.14.87 on TCP port 443.
2022-06-18 22:10:37 UTC
DT (Hostname With No DNS) to mucums.com · 104.21.14.87 on port 443 — Hostname with no DNS
Detail: mucums.com
2022-06-18 22:10:38 UTC

Model Breach: Compromise / Connections with Suspicious DNS — 90.0%
nprpcclecaros8.ccu.local · 172.17.91.175 · a0:e7:0b:16:d6:27
2022-06-16 01:14:53 UTC to 2022-06-16 01:15:38 UTC

nprpcclecaros8.ccu.local · 172.17.91.175 · a0:e7:0b:16:d6:27 made an SSL connection to sturea.com · 104.21.18.122 on TCP port 443.
2022-06-16 01:15:01 UTC
nprpcclecaros8.ccu.local · 172.17.91.175 · a0:e7:0b:16:d6:27 successfully looked up hls72.ru.com in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-16 01:15:11 UTC

2022-06-16 01:15:18 UTC

2022-06-16 01:15:25 UTC

nprpcclecaros8.ccu.local · 172.17.91.175 · a0:e7:0b:16:d6:27 failed to look up hls75.ru.com in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-16 01:15:28 UTC
2022-06-16 01:15:36 UTC

2022-06-16 01:15:37 UTC
2022-06-16 01:15:38 UTC
vsppcecanales.ccu.local · 172.17.88.22 · 80:e8:2c:31:90:07

2022-06-14 01:16:45 UTC to 2022-06-14 01:17:18 UTC
vsppcecanales.ccu.local · 172.17.88.22 · 80:e8:2c:31:90:07 was still making an SSL connection to scores.nbcsports.com · 23.41.148.12 on TCP port 443.
2022-06-14 01:20:07 UTC

vsppcecanales.ccu.local · 172.17.88.22 · 80:e8:2c:31:90:07 successfully looked up hls22.ru.com in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-14 01:20:19 UTC

vsppcecanales.ccu.local · 172.17.88.22 · 80:e8:2c:31:90:07 successfully looked up uknode35.ru.com in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-14 01:20:31 UTC

2022-06-14 01:21:46 UTC
2022-06-14 01:22:01 UTC

2022-06-14 01:22:13 UTC

2022-06-14 01:22:14 UTC

2022-06-14 01:22:15 UTC
Suspicious Internal Use Of Web Protocol

2022-06-27 14:53:27 UTC
2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC
2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC
2022-06-27 14:53:27 UTC

SSL or HTTP Beacon

MNTNBCMOSCOSO · 172.19.8.70 · b0:7d:64:ef:01:6e
2022-06-22 18:21:06 UTC
MNTNBCMOSCOSO · 172.19.8.70 · b0:7d:64:ef:01:6e was still making an SSL connection to cls-2022.cmseventos.com · 18.224.97.111 on TCP port 9203.
2022-06-22 18:21:06 UTC

2022-06-22 18:21:09 UTC

MNTNBCMOSCOSO · 172.19.8.70 · b0:7d:64:ef:01:6e made an SSL connection to cls-2022.cmseventos.com · 18.224.97.111 on TCP port 9203.
2022-06-22 18:21:12 UTC

2022-06-22 18:21:15 UTC
2022-06-22 18:21:18 UTC

2022-06-22 18:21:21 UTC

2022-06-22 18:21:22 UTC

DT (Model Breach) — Device / Anomaly Indicators / Spike in SSL or HTTP Connections to New Location
2022-06-22 18:21:23 UTC
2022-06-22 18:21:23 UTC
Model Breach: Compromise / SSL or HTTP Beacon — 100.0%
New User Agent and POST

172.19.94.121 · 4e:f0:b6:cf:02:8f
2022-06-17 19:49:52 UTC
172.19.94.121 · 4e:f0:b6:cf:02:8f made an HTTP connection to tv5full.xyz · 193.111.198.54 on TCP port 25461.
2022-06-17 19:49:52 UTC

DT (Post With No Get) to tv5full.xyz · 193.111.198.54 on port None — /player_api.php
New activity
2022-06-17 19:49:52 UTC

DT (New Device User Agent) to tv5full.xyz · 193.111.198.54 on port 25461 — IPTV Smarters/1.0 (iPhone; iOS 15.5; Scale/3.00)
New activity
2022-06-17 19:49:54 UTC

2022-06-17 19:49:54 UTC

New activity
2022-06-17 19:49:55 UTC

Model Breach: Compromise / New User Agent and POST — 100.0%
Suspicious Netlogon RPC Calls

pc527.pulp.com.py · 192.168.112.123
2022-06-20 13:00:31 UTC

2022-06-20 13:00:31 UTC

2022-06-20 13:00:32 UTC

2022-06-20 13:00:32 UTC

2022-06-20 13:00:32 UTC

2022-06-20 13:00:33 UTC
2022-06-20 13:00:33 UTC

2022-06-20 13:00:33 UTC

2022-06-20 13:00:34 UTC

2022-06-20 13:00:35 UTC

Suspicious Network Scan Activity

2022-06-12 23:13:38 UTC

New activity
2022-06-12 23:13:39 UTC

2022-06-12 23:13:39 UTC

2022-06-12 23:13:39 UTC

2022-06-12 23:13:39 UTC

2022-06-12 23:13:39 UTC

2022-06-12 23:13:39 UTC
2022-06-12 23:13:39 UTC

2022-06-12 23:13:39 UTC
2022-06-12 23:13:40 UTC

clusfs02.ccu.cl · 172.19.168.139
2022-06-16 15:50:17 UTC

2022-06-16 15:50:17 UTC
2022-06-16 15:50:17 UTC to 2022-06-16 15:50:17 UTC

2022-06-16 15:50:17 UTC

2022-06-16 15:50:17 UTC

2022-06-16 15:50:17 UTC to 2022-06-16 15:50:17 UTC
2022-06-16 15:50:17 UTC

2022-06-16 15:50:17 UTC

172.19.168.138
2022-06-16 16:24:41 UTC

2022-06-16 16:24:41 UTC

2022-06-16 16:24:41 UTC
2022-06-16 16:24:41 UTC

2022-06-16 16:24:41 UTC

2022-06-16 16:24:42 UTC to 2022-06-16 16:24:42 UTC
2022-06-16 16:24:42 UTC

2022-06-16 16:24:53 UTC

2022-06-16 16:24:54 UTC

Multiple Lateral Movement Model Breaches

2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC
2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC
2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC

Enhanced Monitoring
Devices Affected
172.20.236.116 — breached: Anomalous Octet Stream (No User Agent) (first seen: 2022-06-06 19:12:27 UTC)
vsppcecanales.ccu.local — breached: Connections with Suspicious DNS (first seen: 2022-06-14 01:22:15 UTC)
nprpcclecaros8.ccu.local — breached: Connections with Suspicious DNS (first seen: 2022-06-16 01:15:38 UTC)
172.17.91.109 — breached: Connections with Suspicious DNS (first seen: 2022-06-18 22:10:38 UTC)
vsptpcdgonzal.ccu.local — breached: DGA Beacon (first seen: 2022-06-01 05:45:05 UTC)
HUAWEI_Y9_2019-f1975cbd0f — breached: Fast Beaconing to DGA (first seen: 2022-06-03 07:40:37 UTC)
Galaxy-A71 — breached: Fast Beaconing to DGA (first seen: 2022-06-28 12:01:18 UTC)
trk12fx2.ccu.cl — breached: High Priority Crypto Currency Mining (first seen: 2022-06-16 18:00:03 UTC)
abizzarxp.ccu.local — breached: High Priority Crypto Currency Mining (first seen: 2022-06-13 13:27:22 UTC)
LAPTOP-1237A4L0 — breached: High Priority Crypto Currency Mining (first seen: 2022-06-14 15:05:47 UTC)
clsfsaufv2.ccu.cl — breached: High Priority Crypto Currency Mining, Monero Mining (first seen: 2022-06-16 14:23:02 UTC)
clusfs02.ccu.cl — breached: High Priority Crypto Currency Mining, Monero Mining, Suspicious Network Scan Activity (first seen: 2022-06-16 14:33:29 UTC)
clusfs01.ccu.cl — breached: High Priority Crypto Currency Mining, Monero Mining, Suspicious Network Scan Activity (first seen: 2022-06-16 14:26:05 UTC)
clsfsaufv1.ccu.cl — breached: High Priority Crypto Currency Mining, Monero Mining, Suspicious Network Scan Activity (first seen: 2022-06-16 14:30:42 UTC)
wmsarbd1.ccu.cl — breached: High Priority Crypto Currency Mining, Monero Mining, Suspicious Network Scan Activity (first seen: 2022-06-16 14:33:43 UTC)
tccupcmarcoleta.ccu.local — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-27 11:58:54 UTC)
TCCPCCHTCCU — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-28 03:00:31 UTC)
TCCPCPPNORTE2 — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-27 12:04:00 UTC)
DESKTOP-08JUG1K — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-12 13:33:16 UTC)
TCCPCRCACERE — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-28 04:15:26 UTC)
ECUPCPORSANM2 — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-17 07:09:55 UTC)
10.100.29.225 — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-03 18:33:59 UTC)
10.100.29.251 — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-03 01:08:28 UTC)
VSPTPCPORTEIM — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-28 02:36:09 UTC)
CCUNBSALOPEZA — breached: Large DNS Volume for Suspicious Domain (first seen: 2022-06-28 03:20:56 UTC)
172.30.22.26 — breached: Monero Mining (first seen: 2022-06-22 09:33:50 UTC)
172.19.94.121 — breached: New User Agent and POST (first seen: 2022-06-17 19:49:55 UTC)
ccunbhbarrer.ccu.local — breached: Possible Brute-Force Activity, Suspicious Network Scan Activity, Multiple Lateral Movement Model Breaches, Suspicious Internal Use Of Web
Protocol (first seen: 2022-06-27 14:47:50 UTC)
172.30.79.101 — breached: SMB Lateral Movement (first seen: 2022-06-24 17:37:23 UTC)
MNTNBCMOSCOSO — breached: SSL or HTTP Beacon (first seen: 2022-06-22 18:21:23 UTC)
pc527.pulp.com.py — breached: Suspicious Netlogon RPC Calls (first seen: 2022-06-20 13:00:35 UTC)
ibmpsnt1.ccu.local — breached: Suspicious Network Scan Activity (first seen: 2022-06-12 23:13:40 UTC)
LAPTOP-8FR44O8M — breached: Suspicious Network Scan Activity (first seen: 2022-06-29 23:13:44 UTC)
10.212.134.202 — breached: Suspicious Network Scan Activity (first seen: 2022-06-07 13:04:46 UTC)
192.168.100.2 — breached: Suspicious Octet Stream Download (first seen: 2022-06-03 20:13:34 UTC)
sfe-syso010.ccu.arg — breached: Sustained Unusual Activity from New Device (first seen: 2022-06-15 13:47:38 UTC)
10.100.18.82 — breached: Sustained Unusual Activity from New Device (first seen: 2022-06-30 15:40:05 UTC)
172.19.168.138 — breached: Sustained Unusual Activity from New Device, Suspicious Network Scan Activity (first seen: 2022-06-16 16:24:54 UTC)
nb800.pulp.com.py — breached: Unusual SMB Session And DRS (first seen: 2022-06-27 13:05:24 UTC)
nb-nchamorro.pulp.com.py — breached: Unusual SMB Session And DRS (first seen: 2022-06-24 14:06:31 UTC)
Details
Connections with Suspicious DNS — [AP: C2 Comms]
172.17.91.109 · 4e:07:68:16:b2:72
2022-06-18 22:02:04 UTC

2022-06-18 22:02:06 UTC

2022-06-18 22:02:09 UTC

2022-06-18 22:02:19 UTC

2022-06-18 22:02:28 UTC
2022-06-18 22:03:27 UTC

2022-06-18 22:03:28 UTC

2022-06-18 22:10:37 UTC
172.17.91.109 · 4e:07:68:16:b2:72 made an SSL connection to mucums.com · 104.21.14.87 on TCP port 443.
2022-06-18 22:10:37 UTC

DT (Hostname With No DNS) to mucums.com · 104.21.14.87 on port 443 — Hostname with no DNS
Detail: mucums.com
2022-06-18 22:10:38 UTC

nprpcclecaros8.ccu.local · 172.17.91.175 · a0:e7:0b:16:d6:27

2022-06-16 01:14:53 UTC to 2022-06-16 01:15:38 UTC
nprpcclecaros8.ccu.local · 172.17.91.175 · a0:e7:0b:16:d6:27 made an SSL connection to sturea.com · 104.21.18.122 on TCP port 443.
2022-06-16 01:15:01 UTC

2022-06-16 01:15:11 UTC

2022-06-16 01:15:18 UTC

2022-06-16 01:15:25 UTC
2022-06-16 01:15:28 UTC

2022-06-16 01:15:36 UTC

2022-06-16 01:15:37 UTC

2022-06-16 01:15:38 UTC
vsppcecanales.ccu.local · 172.17.88.22 · 80:e8:2c:31:90:07

2022-06-14 01:16:45 UTC to 2022-06-14 01:17:18 UTC
vsppcecanales.ccu.local · 172.17.88.22 · 80:e8:2c:31:90:07 was still making an SSL connection to scores.nbcsports.com · 23.41.148.12 on TCP port 443.
2022-06-14 01:20:07 UTC

2022-06-14 01:20:19 UTC

vsppcecanales.ccu.local · 172.17.88.22 · 80:e8:2c:31:90:07 successfully looked up uknode35.ru.com in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-14 01:20:31 UTC
2022-06-14 01:21:46 UTC

2022-06-14 01:22:01 UTC

2022-06-14 01:22:13 UTC

2022-06-14 01:22:14 UTC
2022-06-14 01:22:15 UTC

Fast Beaconing to DGA — [, AP: C2 Comms]

Galaxy-A71 · 172.19.92.140 · 7a:bd:70:7c:c7:7b
2022-06-28 12:00:31 UTC to 2022-06-28 12:00:44 UTC

Galaxy-A71 · 172.19.92.140 · 7a:bd:70:7c:c7:7b made an SSL connection to x-us.64e98469810bd13e2b45e52d19d6fddfe333b3528350d8cfa792d478.com · 172.67.197.116 on
TCP port 443.
2022-06-28 12:00:46 UTC to 2022-06-28 12:00:50 UTC
TCP port 443.
2022-06-28 12:00:52 UTC to 2022-06-28 12:00:57 UTC

TCP port 443.
2022-06-28 12:01:01 UTC to 2022-06-28 12:01:16 UTC

TCP port 443.
2022-06-28 12:01:17 UTC

TCP port 443.
2022-06-28 12:01:18 UTC

Model Breach: Compromise / Fast Beaconing to DGA — 93.4%
HUAWEI_Y9_2019-f1975cbd0f · 172.20.172.89 · 88:10:8f:d4:9d:f1
2022-06-03 07:39:41 UTC to 2022-06-03 07:39:44 UTC

HUAWEI_Y9_2019-f1975cbd0f · 172.20.172.89 · 88:10:8f:d4:9d:f1 made an HTTP connection to cyxcound.lig1c w.xyz · 104.18.26.157 on TCP port 80.
2022-06-03 07:39:51 UTC to 2022-06-03 07:39:54 UTC

2022-06-03 07:40:14 UTC to 2022-06-03 07:40:16 UTC

2022-06-03 07:40:35 UTC to 2022-06-03 07:40:36 UTC
2022-06-03 07:40:37 UTC

Model Breach: Compromise / Fast Beaconing to DGA — 90.3%
DGA Beacon — [, AP: C2 Comms]

vsptpcdgonzal.ccu.local · 172.17.51.32 · 04:0e:3c:1c:e9:be
2022-06-01 05:43:02 UTC to 2022-06-01 05:44:02 UTC

vsptpcdgonzal.ccu.local · 172.17.51.32 · 04:0e:3c:1c:e9:be was still making an SSL connection to z 88.club · 74.82.60.47 on TCP port 443.
2022-06-01 05:44:02 UTC to 2022-06-01 05:45:03 UTC

vsptpcdgonzal.ccu.local · 172.17.51.32 · 04:0e:3c:1c:e9:be made an SSL connection to z 88.club · 74.82.60.47 on TCP port 443.
2022-06-01 05:45:03 UTC to 2022-06-01 05:45:04 UTC

2022-06-01 05:45:05 UTC
Model Breach: Compromise / DGA Beacon — 84.8%
2022-06-01 06:45:43 UTC to 2022-06-01 06:46:43 UTC

vsptpcdgonzal.ccu.local · 172.17.51.32 · 04:0e:3c:1c:e9:be was still making an SSL connection to z 88.club · 64.62.219.54 on TCP port 443.
2022-06-01 06:49:16 UTC to 2022-06-01 06:50:17 UTC

2022-06-01 06:50:17 UTC to 2022-06-01 06:50:18 UTC

2022-06-01 06:50:19 UTC
Model Breach: Compromise / DGA Beacon — 81.4%
High Priority Crypto Currency Mining — [Enhanced Monitoring]
LAPTOP-1237A4L0 · 172.19.95.137 · 3c:58:c2:c1:85:36
2022-06-14 15:05:04 UTC to 2022-06-14 15:05:45 UTC

LAPTOP-1237A4L0 · 172.19.95.137 · 3c:58:c2:c1:85:36 made an Unknown connection to 172.93.96.62 on TCP port 42350.
2022-06-14 15:05:45 UTC

2022-06-14 15:05:46 UTC
2022-06-14 15:05:47 UTC

abizzarxp.ccu.local · 172.18.22.62 · 00:24:81:23:24:d0
2022-06-13 13:19:39 UTC to 2022-06-13 13:27:10 UTC

abizzarxp.ccu.local · 172.18.22.62 · 00:24:81:23:24:d0 was still making an Unknown connection to 139.177.196.162 on TCP port 443.
2022-06-13 13:27:20 UTC

2022-06-13 13:27:21 UTC

2022-06-13 13:27:22 UTC

2022-06-16 14:30:27 UTC

clsfsaufv1.ccu.cl · 172.19.168.156 failed to make an Unknown connection to 146.59.198.38 on TCP port 8080.
2022-06-16 14:30:40 UTC

Detail: METHODS:
2022-06-16 14:30:41 UTC

2022-06-16 14:30:42 UTC

2022-06-16 14:22:43 UTC

clsfsaufv2.ccu.cl · 172.19.168.157 made an Unknown connection to 146.59.198.38 on TCP port 8080.
2022-06-16 14:23:00 UTC
2022-06-16 14:23:01 UTC

2022-06-16 14:23:02 UTC

clusfs01.ccu.cl · 172.19.168.138
2022-06-16 14:23:10 UTC to 2022-06-16 14:26:01 UTC

clusfs01.ccu.cl · 172.19.168.138 made an Unknown connection to 146.59.198.38 on TCP port 8080.
2022-06-16 14:26:03 UTC

Detail: METHODS: submit, job
2022-06-16 14:26:04 UTC

2022-06-16 14:26:05 UTC

clusfs02.ccu.cl · 172.19.168.139
2022-06-16 14:32:35 UTC

clusfs02.ccu.cl · 172.19.168.139 made an Unknown connection to 146.59.198.38 on TCP port 8080.
2022-06-16 14:33:27 UTC
2022-06-16 14:33:28 UTC

2022-06-16 14:33:29 UTC

trk12fx2.ccu.cl · 172.19.168.141
2022-06-16 17:59:49 UTC
trk12fx2.ccu.cl · 172.19.168.141 made an Unknown connection to c4k-rx0.pwndns.pw · 146.59.198.38 on TCP port 8080.
2022-06-16 18:00:01 UTC

Cryptocurrency (Miner) to c4k-rx0.pwndns.pw · 146.59.198.38 on port 8080 — Cryptocurrency miner at 172.19.168.141, using Minergate protocol
Detail: METHODS: submit, job
2022-06-16 18:00:02 UTC
DT (Model Breach) to c4k-rx0.pwndns.pw · 146.59.198.38 on port 8080 — Compromise / Crypto Currency Mining Activity
2022-06-16 18:00:03 UTC

wmsarbd1.ccu.cl · 172.19.168.211
2022-06-16 14:34:11 UTC to 2022-06-16 14:37:16 UTC

wmsarbd1.ccu.cl · 172.19.168.211 made an Unknown connection to 146.59.198.38 on TCP port 8080.
2022-06-16 14:37:46 UTC

2022-06-16 14:37:47 UTC

2022-06-16 14:37:48 UTC

New User Agent and POST — [, AP: C2 Comms, OT Engineer]

172.19.94.121 · 4e:f0:b6:cf:02:8f
2022-06-17 19:49:52 UTC

2022-06-17 19:49:52 UTC

New activity
2022-06-17 19:49:52 UTC

DT (New Device User Agent) to tv5full.xyz · 193.111.198.54 on port 25461 — IPTV Smarters/1.0 (iPhone; iOS 15.5; Scale/3.00)
New activity
2022-06-17 19:49:54 UTC

2022-06-17 19:49:54 UTC
New activity
2022-06-17 19:49:55 UTC

Model Breach: Compromise / New User Agent and POST — 100.0%
Possible Brute-Force Activity — [, AP: Bruteforce, AP: Lateral Movement, OT Engineer]
2022-06-27 15:14:14 UTC
2022-06-27 15:14:14 UTC

2022-06-27 15:14:14 UTC

2022-06-27 15:14:14 UTC

2022-06-27 15:14:14 UTC
2022-06-27 15:14:14 UTC

2022-06-27 15:14:14 UTC

2022-06-27 15:14:14 UTC

2022-06-27 15:14:14 UTC
2022-06-27 15:14:15 UTC

Anomalous Octet Stream (No User Agent) — [, AP: Tooling]

172.20.236.116 · 62:5f:74:bf:14:2d
2022-06-06 19:12:26 UTC

2022-06-06 19:12:27 UTC

Sustained Unusual Activity from New Device — [, AP: Internal Recon, OT Engineer]
10.100.18.82
2022-06-30 14:58:37 UTC to 2022-06-30 15:01:00 UTC

2022-06-30 14:59:31 UTC to 2022-06-30 15:01:19 UTC

2022-06-30 15:40:03 UTC
10.100.18.82 failed to make an Unknown connection to 172.19.57.101 on TCP port 8000.
2022-06-30 15:40:04 UTC

2022-06-30 15:40:05 UTC
172.19.168.138
2022-06-16 15:45:27 UTC
2022-06-16 15:45:28 UTC

172.19.168.138 failed to make an Unknown connection to 192.168.100.37 · 00:15:65:e1:d9:e7 on TCP port 22.
2022-06-16 15:45:28 UTC

172.19.168.138 failed to make an Unknown connection to UYMON042 · 192.168.100.62 · a0:c5:89:ed:b0:61 on TCP port 22.
2022-06-16 15:45:30 UTC

172.19.168.138 failed to make an Unknown connection to 192.168.101.50 · f8:b1:56:be:52:06 on TCP port 22.
2022-06-16 15:45:31 UTC
172.19.168.138 failed to make an Unknown connection to Galaxy-A21s · 192.168.100.56 · d2:c0:0b:50:0e:28 on TCP port 22.
2022-06-16 15:45:32 UTC

Unusual Activity (meta-classifier) 59.0% — Internal Connection Spread, Internal Connections to Closed Ports
2022-06-16 16:30:39 UTC to 2022-06-16 16:30:41 UTC

2022-06-16 16:30:40 UTC

2022-06-16 16:30:41 UTC
sfe-syso010.ccu.arg · 172.30.24.10
2022-06-15 13:19:33 UTC to 2022-06-15 13:23:27 UTC
sfe-syso010.ccu.arg · 172.30.24.10 made an SSL connection to papex1-waphv1.ccu.local · 172.19.169.125 on TCP port 21112.
2022-06-15 13:20:34 UTC

2022-06-15 13:47:36 UTC

sfe-syso010.ccu.arg · 172.30.24.10 made an Unknown connection to papex1-waphv1.ccu.local · 172.19.169.125 on TCP port 21112.
2022-06-15 13:47:37 UTC
2022-06-15 13:47:38 UTC

Suspicious Netlogon RPC Calls — [AP: Exploit]

pc527.pulp.com.py · 192.168.112.123
2022-06-20 13:00:31 UTC

2022-06-20 13:00:31 UTC
2022-06-20 13:00:32 UTC

2022-06-20 13:00:32 UTC
2022-06-20 13:00:32 UTC

2022-06-20 13:00:33 UTC
2022-06-20 13:00:33 UTC

2022-06-20 13:00:33 UTC

2022-06-20 13:00:34 UTC

2022-06-20 13:00:35 UTC

Monero Mining — [, OT Engineer]

172.30.22.26
2022-06-22 09:33:42 UTC

172.30.22.26 made a DNS connection to srvlv3dc.ccu.arg · 192.168.15.4 on UDP port 53.
2022-06-22 09:33:42 UTC
2022-06-22 09:33:45 UTC
2022-06-22 09:33:45 UTC

2022-06-22 09:33:45 UTC

172.30.22.26 failed to look up fee.xmrig.com in a DNS connection to srvlv3dc.ccu.arg · 192.168.15.4 on UDP port 53.
2022-06-22 09:33:45 UTC

2022-06-22 09:33:49 UTC
2022-06-22 09:33:49 UTC

2022-06-22 09:33:49 UTC

2022-06-22 09:33:50 UTC

Model Breach: Compromise / Monero Mining — 80.2%
2022-06-16 14:28:02 UTC

clsfsaufv1.ccu.cl · 172.19.168.156 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-16 14:31:15 UTC
2022-06-16 14:31:20 UTC

2022-06-16 14:31:23 UTC

2022-06-16 14:31:33 UTC

clsfsaufv1.ccu.cl · 172.19.168.156 made a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-16 14:31:33 UTC
2022-06-16 14:32:12 UTC

2022-06-16 14:32:20 UTC
2022-06-16 14:32:22 UTC

2022-06-16 14:32:23 UTC

2022-06-16 14:51:22 UTC

2022-06-16 14:51:23 UTC

2022-06-16 14:51:25 UTC
2022-06-16 14:51:31 UTC

clsfsaufv2.ccu.cl · 172.19.168.157 failed to look up pool.supportxmr.com.ccu.cl in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-16 14:52:23 UTC

2022-06-16 14:52:26 UTC

2022-06-16 14:52:35 UTC
2022-06-16 14:52:35 UTC

2022-06-16 14:52:35 UTC

clsfsaufv2.ccu.cl · 172.19.168.157 failed to look up pool.supportxmr.com.ccu.cl in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-16 14:52:36 UTC

clusfs01.ccu.cl · 172.19.168.138
2022-06-16 14:39:30 UTC

clusfs01.ccu.cl · 172.19.168.138 made a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-16 14:39:45 UTC
2022-06-16 14:39:51 UTC
2022-06-16 14:40:23 UTC

clusfs01.ccu.cl · 172.19.168.138 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-16 14:40:23 UTC

2022-06-16 14:40:25 UTC
2022-06-16 14:40:25 UTC

2022-06-16 14:40:40 UTC

2022-06-16 14:40:47 UTC

2022-06-16 14:40:48 UTC
clusfs02.ccu.cl · 172.19.168.139
2022-06-16 15:41:01 UTC
2022-06-16 15:41:03 UTC

2022-06-16 15:41:03 UTC

2022-06-16 15:41:06 UTC

2022-06-16 15:41:12 UTC
2022-06-16 15:41:14 UTC

2022-06-16 15:41:15 UTC

2022-06-16 15:41:25 UTC

2022-06-16 15:41:30 UTC
2022-06-16 15:41:31 UTC

wmsarbd1.ccu.cl · 172.19.168.211
2022-06-16 14:32:27 UTC

wmsarbd1.ccu.cl · 172.19.168.211 made a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-16 14:32:34 UTC

2022-06-16 14:33:17 UTC

wmsarbd1.ccu.cl · 172.19.168.211 failed to look up pool.supportxmr.com in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-16 14:33:21 UTC

2022-06-16 14:33:25 UTC

2022-06-16 14:33:30 UTC

2022-06-16 14:33:35 UTC

2022-06-16 14:39:35 UTC

2022-06-16 14:39:39 UTC

2022-06-16 14:39:40 UTC

SSL or HTTP Beacon — [, AP: C2 Comms, OT Engineer]

MNTNBCMOSCOSO · 172.19.8.70 · b0:7d:64:ef:01:6e
2022-06-22 18:21:06 UTC

2022-06-22 18:21:06 UTC
2022-06-22 18:21:09 UTC

2022-06-22 18:21:12 UTC
2022-06-22 18:21:15 UTC

2022-06-22 18:21:18 UTC
2022-06-22 18:21:21 UTC

2022-06-22 18:21:22 UTC

DT (Model Breach) — Device / Anomaly Indicators / Spike in SSL or HTTP Connections to New Location
2022-06-22 18:21:23 UTC

2022-06-22 18:21:23 UTC
Model Breach: Compromise / SSL or HTTP Beacon — 100.0%
Suspicious Network Scan Activity — [, AP: Internal Recon, AP: Scanning, Enhanced Monitoring, OT Engineer]
10.212.134.202
2022-06-07 13:04:45 UTC
10.212.134.202 failed to make an Unknown connection to pc270.pulp.com.py · 192.168.10.215 on TCP port 1.
2022-06-07 13:04:45 UTC

10.212.134.202 made an Unknown connection to pc270.pulp.com.py · 192.168.10.215 on TCP port 135.
2022-06-07 13:04:45 UTC

10.212.134.202 made an Unknown connection to pc270.pulp.com.py · 192.168.10.215 on ICMP port None.
2022-06-07 13:04:45 UTC

2022-06-07 13:04:45 UTC
2022-06-07 13:04:45 UTC

2022-06-07 13:04:45 UTC

2022-06-07 13:04:45 UTC

2022-06-07 13:04:45 UTC
DT (Model Breach) to Internal Traffic · 192.168.10.215 on port 3389 — Device / Attack and Recon Tools
2022-06-07 13:04:46 UTC
172.19.168.138
2022-06-16 16:24:41 UTC
2022-06-16 16:24:41 UTC

2022-06-16 16:24:41 UTC

2022-06-16 16:24:41 UTC

2022-06-16 16:24:41 UTC
2022-06-16 16:24:42 UTC to 2022-06-16 16:24:42 UTC

2022-06-16 16:24:42 UTC

2022-06-16 16:24:53 UTC

2022-06-16 16:24:54 UTC
LAPTOP-8FR44O8M · 172.17.91.233 · f8:5e:a0:e7:60:49

2022-06-29 23:13:42 UTC
LAPTOP-8FR44O8M · 172.17.91.233 · f8:5e:a0:e7:60:49 failed to make an Unknown connection to 192.168.1.101 on TCP port 445.
2022-06-29 23:13:42 UTC

LAPTOP-8FR44O8M · 172.17.91.233 · f8:5e:a0:e7:60:49 failed to make an Unknown connection to Internal Traffic · 192.168.1.129 on TCP port 445.
2022-06-29 23:13:42 UTC

2022-06-29 23:13:42 UTC

LAPTOP-8FR44O8M · 172.17.91.233 · f8:5e:a0:e7:60:49 failed to make an Unknown connection to CPCNBRIBACET · 192.168.1.102 · c4:65:16:f8:ad:12 on TCP port 445.
2022-06-29 23:13:42 UTC
2022-06-29 23:13:42 UTC

2022-06-29 23:13:43 UTC

2022-06-29 23:13:43 UTC

2022-06-29 23:13:43 UTC
DT (Model Breach) — Device / Network Scan
2022-06-29 23:13:44 UTC

2022-06-27 14:43:02 UTC

ccunbhbarrer.ccu.local · 10.100.16.69 failed to make an Unknown connection to manantial-odoo-admin-qa.kub.ccu.cl · 172.19.170.58 on TCP port 54076.
2022-06-27 14:43:02 UTC

2022-06-27 14:43:02 UTC

2022-06-27 14:43:02 UTC
2022-06-27 14:43:02 UTC

2022-06-27 14:43:02 UTC

2022-06-27 14:47:48 UTC

ccunbhbarrer.ccu.local · 10.100.16.69 made an HTTP connection to rancher.kub.ccu.cl · 172.19.170.56 on TCP port 80.
2022-06-27 14:47:48 UTC
DT (New Device User Agent) to Internal Traffic · 172.19.170.56 on port 80 — WhatWeb/0.5.5
New activity
2022-06-27 14:47:49 UTC

DT (Model Breach) to Internal Traffic · 172.19.170.56 on port 80 — Device / New User Agent To Internal Server
2022-06-27 14:47:50 UTC
2022-06-16 14:32:41 UTC

clsfsaufv1.ccu.cl · 172.19.168.156 failed to make an Unknown connection to Internal Traffic · 172.19.13.247 on TCP port 22.
2022-06-16 14:32:41 UTC

2022-06-16 14:32:41 UTC

2022-06-16 14:32:41 UTC

2022-06-16 14:32:41 UTC
2022-06-16 14:32:41 UTC

2022-06-16 14:32:41 UTC

clsfsaufv1.ccu.cl · 172.19.168.156 was still making an Unknown connection to ECUPCJOARAVE · 172.19.94.168 · a8:64:f1:c4:b7:29 on TCP port 22.
2022-06-16 14:32:41 UTC

2022-06-16 14:32:41 UTC
2022-06-16 14:32:41 UTC

clusfs01.ccu.cl · 172.19.168.138
2022-06-16 14:40:58 UTC

2022-06-16 14:40:58 UTC

2022-06-16 14:40:58 UTC

2022-06-16 14:40:58 UTC

2022-06-16 14:40:58 UTC
2022-06-16 14:40:58 UTC

clusfs01.ccu.cl · 172.19.168.138 made an Unknown connection to Internal Traffic · 192.168.225.237 on TCP port 22.
2022-06-16 14:40:58 UTC

2022-06-16 14:40:58 UTC
clusfs01.ccu.cl · 172.19.168.138 made an Unknown connection to Internal Traffic · 192.168.179.161 on TCP port 22.
2022-06-16 14:40:59 UTC

DT (Model Breach) — Device / Network Scan
2022-06-16 14:41:00 UTC

clusfs02.ccu.cl · 172.19.168.139
2022-06-16 15:50:17 UTC

2022-06-16 15:50:17 UTC

2022-06-16 15:50:17 UTC to 2022-06-16 15:50:17 UTC
2022-06-16 15:50:17 UTC

2022-06-16 15:50:17 UTC

2022-06-16 15:50:17 UTC to 2022-06-16 15:50:17 UTC

2022-06-16 15:50:17 UTC
2022-06-16 15:50:17 UTC

2022-06-12 23:13:38 UTC

New activity
2022-06-12 23:13:39 UTC

2022-06-12 23:13:39 UTC

2022-06-12 23:13:39 UTC

2022-06-12 23:13:39 UTC

2022-06-12 23:13:39 UTC

2022-06-12 23:13:39 UTC
2022-06-12 23:13:39 UTC

2022-06-12 23:13:39 UTC

2022-06-12 23:13:40 UTC

wmsarbd1.ccu.cl · 172.19.168.211
2022-06-16 14:33:43 UTC

wmsarbd1.ccu.cl · 172.19.168.211 failed to make an Unknown connection to Internal Traffic · 172.19.37.93 on TCP port 22.
2022-06-16 14:33:43 UTC

2022-06-16 14:33:43 UTC

2022-06-16 14:33:43 UTC

Internal Traffic · 172.28.4.2 made an Unknown connection to wmsarbd1.ccu.cl · 172.19.168.211 on ICMP port 1.
2022-06-16 14:33:43 UTC

wmsarbd1.ccu.cl · 172.19.168.211 made an Unknown connection to AP-nuevo-cd-los-angeles-bodeg-15 · 172.19.130.17 · a0:e0:af:e1:f3:88 on TCP port 22.
2022-06-16 14:33:43 UTC
wmsarbd1.ccu.cl · 172.19.168.211 failed to make an Unknown connection to 172.19.168.212 on TCP port 6200.
2022-06-16 14:33:43 UTC
wmsarbd1.ccu.cl · 172.19.168.211 made an SSH connection to trk12fx1.ccu.cl · 172.19.168.140 on TCP port 22.
2022-06-16 14:33:43 UTC

wmsarbd1.ccu.cl · 172.19.168.211 was still making an Unknown connection to Internal Traffic · 172.19.244.21 on TCP port 22.
2022-06-16 14:33:43 UTC

2022-06-16 14:33:43 UTC

wmsarbd1.ccu.cl · 172.19.168.211 was still making an Unknown connection to Internal Traffic · 172.19.14.148 on TCP port 22.
Unusual SMB Session And DRS — [AP: Exploit]

nb-nchamorro.pulp.com.py · 192.168.112.123
2022-06-24 14:06:19 UTC

nb-nchamorro.pulp.com.py · 192.168.112.123 made an SMB,NTLM,GSSAPI connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 445.
2022-06-24 14:06:19 UTC
Detail: client_hostname=DC1 domain=PULP-PY mechType=NTLMSSP client_signed server_signed version=smb2
New activity
2022-06-24 14:06:19 UTC

New activity
2022-06-24 14:06:20 UTC

2022-06-24 14:06:30 UTC

nb-nchamorro.pulp.com.py · 192.168.112.123 was still making a DCE_RPC connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 49667.
2022-06-24 14:06:30 UTC

New activity
2022-06-24 14:06:31 UTC

nb800.pulp.com.py · 192.168.112.123
2022-06-27 13:04:28 UTC

2022-06-27 13:04:39 UTC

2022-06-27 13:04:46 UTC

2022-06-27 13:04:57 UTC

2022-06-27 13:05:22 UTC
SMB (Session Success) to dc3.pulp.com.py · 172.19.170.96 on port 445 — cbrugada
Detail: client_hostname=NB908 domain=PULP-PY mechType=NTLMSSP server_signed version=smb2
New activity
2022-06-27 13:05:22 UTC

New Credential Use to dc3.pulp.com.py · 172.19.170.96 on port 445 — cbrugada
Detail: domain=PULP-PY hostname=NB908 auth_successful=T result=success. cbrugada has logged into 2 devices in the last 107 seconds
New activity
2022-06-27 13:05:22 UTC

NTLM (Login) to dc3.pulp.com.py · 172.19.170.96 on port 445 — cbrugada
Detail: domain=PULP-PY hostname=NB908 auth_successful=T result=success
New activity
2022-06-27 13:05:23 UTC

nb800.pulp.com.py · 192.168.112.123 made an SMB,GSSAPI,NTLM connection to dc3.pulp.com.py · 172.19.170.96 on TCP port 445.
2022-06-27 13:05:23 UTC

2022-06-27 13:05:24 UTC

SMB Lateral Movement — [AP: Lateral Movement]

172.30.79.101
2022-06-24 17:37:20 UTC
2022-06-24 17:37:20 UTC

2022-06-24 17:37:20 UTC
2022-06-24 17:37:20 UTC

2022-06-24 17:37:20 UTC

2022-06-24 17:37:20 UTC

2022-06-24 17:37:20 UTC

2022-06-24 17:37:21 UTC

2022-06-24 17:37:22 UTC

2022-06-24 17:37:23 UTC

Multiple Lateral Movement Model Breaches — [, AP: Lateral Movement, Enhanced Monitoring, OT Engineer]
2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC
2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC
2022-06-27 14:53:28 UTC

2022-06-27 14:53:28 UTC

Suspicious Octet Stream Download — [AP: Tooling]

192.168.100.2
2022-06-03 20:13:32 UTC to 2022-06-03 20:13:33 UTC

2022-06-03 20:13:34 UTC

2022-06-13 06:44:59 UTC

2022-06-13 06:45:00 UTC

2022-06-15 08:09:00 UTC to 2022-06-15 08:09:01 UTC

2022-06-15 08:09:02 UTC

2022-06-20 01:46:20 UTC

2022-06-20 01:46:21 UTC
Suspicious Internal Use Of Web Protocol — [, AP: Exploit, AP: Lateral Movement]
2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC
2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC
Large DNS Volume for Suspicious Domain — [AP: C2 Comms]

10.100.29.225
2022-06-03 18:33:44 UTC
10.100.29.225 failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-03 18:33:47 UTC

2022-06-03 18:33:47 UTC

2022-06-03 18:33:58 UTC
2022-06-03 18:33:58 UTC

2022-06-03 18:33:58 UTC

2022-06-03 18:33:58 UTC

2022-06-03 18:33:58 UTC
2022-06-03 18:33:58 UTC

2022-06-03 18:33:59 UTC

Model Breach: Compromise / Large DNS Volume for Suspicious Domain — 89.7%
10.100.29.251
2022-06-03 01:08:07 UTC

2022-06-03 01:08:07 UTC

2022-06-03 01:08:15 UTC

2022-06-03 01:08:15 UTC

2022-06-03 01:08:15 UTC

2022-06-03 01:08:15 UTC

2022-06-03 01:08:15 UTC
2022-06-03 01:08:15 UTC

2022-06-03 01:08:27 UTC

2022-06-03 01:08:28 UTC
CCUNBSALOPEZA · 172.16.28.148 · e0:70:ea:41:dd:f7
2022-06-28 03:20:51 UTC

CCUNBSALOPEZA · 172.16.28.148 · e0:70:ea:41:dd:f7 failed to look up nl52.amstream.me in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-28 03:20:51 UTC

2022-06-28 03:20:51 UTC

2022-06-28 03:20:51 UTC

2022-06-28 03:20:51 UTC

2022-06-28 03:20:51 UTC

2022-06-28 03:20:51 UTC

2022-06-28 03:20:55 UTC
2022-06-28 03:20:55 UTC

2022-06-28 03:20:56 UTC

DESKTOP-08JUG1K · 172.17.57.8 · 40:b0:34:6f:96:6f
2022-06-12 13:32:23 UTC

DESKTOP-08JUG1K · 172.17.57.8 · 40:b0:34:6f:96:6f successfully looked up funfunfunfest.icu in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-12 13:32:27 UTC

2022-06-12 13:32:39 UTC

2022-06-12 13:32:39 UTC

2022-06-12 13:33:08 UTC
2022-06-12 13:33:08 UTC

2022-06-12 13:33:14 UTC
DESKTOP-08JUG1K · 172.17.57.8 · 40:b0:34:6f:96:6f successfully looked up nhlgamer.online in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-12 13:33:15 UTC

2022-06-12 13:33:15 UTC

2022-06-12 13:33:16 UTC

ECUPCPORSANM2 · 172.19.64.160 · 30:24:a9:83:8a:30
2022-06-17 07:09:31 UTC

ECUPCPORSANM2 · 172.19.64.160 · 30:24:a9:83:8a:30 successfully looked up api.facecast.xyz in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-17 07:09:31 UTC

ECUPCPORSANM2 · 172.19.64.160 · 30:24:a9:83:8a:30 successfully looked up api.facecast.xyz in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-17 07:09:38 UTC

ECUPCPORSANM2 · 172.19.64.160 · 30:24:a9:83:8a:30 successfully looked up shortconn.im.qcloud.com in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-17 07:09:38 UTC

ECUPCPORSANM2 · 172.19.64.160 · 30:24:a9:83:8a:30 successfully looked up shortconn.im.qcloud.com in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-17 07:09:42 UTC

ECUPCPORSANM2 · 172.19.64.160 · 30:24:a9:83:8a:30 successfully looked up mp5.facecast.xyz in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-17 07:09:42 UTC
2022-06-17 07:09:46 UTC

2022-06-17 07:09:46 UTC

2022-06-17 07:09:54 UTC

ECUPCPORSANM2 · 172.19.64.160 · 30:24:a9:83:8a:30 failed to look up live.facecast.xyz in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-17 07:09:55 UTC

TCCPCCHTCCU · 172.21.48.20 · e4:e7:49:39:54:2a
2022-06-28 02:59:48 UTC

TCCPCCHTCCU · 172.19.64.125 · e4:e7:49:39:54:2a failed to look up www.thenewsystemsetup.online in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-28 02:59:52 UTC

2022-06-28 03:00:12 UTC

2022-06-28 03:00:15 UTC

2022-06-28 03:00:15 UTC

2022-06-28 03:00:19 UTC

2022-06-28 03:00:19 UTC

2022-06-28 03:00:28 UTC

2022-06-28 03:00:30 UTC

2022-06-28 03:00:31 UTC

TCCPCPPNORTE2 · 172.19.48.40 · c4:65:16:9c:0a:83
2022-06-27 12:03:30 UTC

TCCPCPPNORTE2 · 172.19.48.40 · c4:65:16:9c:0a:83 failed to look up comma-store.website in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-27 12:03:30 UTC

2022-06-27 12:03:34 UTC

2022-06-27 12:03:34 UTC

2022-06-27 12:03:52 UTC

2022-06-27 12:03:53 UTC
2022-06-27 12:03:55 UTC
2022-06-27 12:03:59 UTC

2022-06-27 12:03:59 UTC

2022-06-27 12:04:00 UTC

TCCPCRCACERE · 172.17.54.35 · f8:b4:6a:a3:0c:9d
2022-06-28 04:15:21 UTC

TCCPCRCACERE · 172.17.54.35 · f8:b4:6a:a3:0c:9d failed to look up nl41.amstream.me in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-28 04:15:21 UTC

2022-06-28 04:15:21 UTC

2022-06-28 04:15:21 UTC

2022-06-28 04:15:25 UTC

2022-06-28 04:15:25 UTC
2022-06-28 04:15:25 UTC

2022-06-28 04:15:25 UTC

2022-06-28 04:15:25 UTC

2022-06-28 04:15:26 UTC

VSPTPCPORTEIM · 98:af:65:68:50:d3
2022-06-28 02:35:53 UTC
VSPTPCPORTEIM · 172.19.152.58 · 98:af:65:68:50:d3 failed to look up nhlgamer.online in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-28 02:35:56 UTC

2022-06-28 02:35:56 UTC

2022-06-28 02:35:59 UTC

2022-06-28 02:36:00 UTC
VSPTPCPORTEIM · 172.19.152.58 · 98:af:65:68:50:d3 failed to look up funfunfunfest.icu in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-28 02:36:02 UTC

2022-06-28 02:36:04 UTC

2022-06-28 02:36:04 UTC

2022-06-28 02:36:08 UTC

2022-06-28 02:36:09 UTC

tccupcmarcoleta.ccu.local · 172.19.12.118 · ec:b1:d7:66:5f:42
2022-06-27 11:58:49 UTC

tccupcmarcoleta.ccu.local · 172.19.12.118 · ec:b1:d7:66:5f:42 failed to look up nhlgamer.online in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-27 11:58:49 UTC

tccupcmarcoleta.ccu.local · 172.19.12.118 · ec:b1:d7:66:5f:42 failed to look up nhlgamer.online in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-27 11:58:49 UTC

tccupcmarcoleta.ccu.local · 172.19.12.118 · ec:b1:d7:66:5f:42 failed to look up scoesc.xyz in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-27 11:58:49 UTC
2022-06-27 11:58:50 UTC

tccupcmarcoleta.ccu.local · 172.19.12.118 · ec:b1:d7:66:5f:42 failed to look up funfunfunfest.icu in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-27 11:58:50 UTC

tccupcmarcoleta.ccu.local · 172.19.12.118 · ec:b1:d7:66:5f:42 failed to look up funfunfunfest.icu in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-27 11:58:50 UTC
tccupcmarcoleta.ccu.local · 172.19.12.118 · ec:b1:d7:66:5f:42 failed to look up mrsikhnet.website in a DNS connection to 128.84.0.41 on UDP port 53.
2022-06-27 11:58:50 UTC

tccupcmarcoleta.ccu.local · 172.19.12.118 · ec:b1:d7:66:5f:42 failed to look up mrsikhnet.website in a DNS connection to 128.84.0.199 on UDP port 53.
2022-06-27 11:58:53 UTC

2022-06-27 11:58:54 UTC

Compliance Model Breaches

DarktraceReport2022-06-01T05 00 00 2022-07-01T04 59 00

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DarktraceReport2022-06-01T05 00 00 2022-07-01T04 59 00

Uploaded by

Copyright:

Available Formats

Darktrace UV Summary Report

2022/06/01 05:00:00 — 2022/07/01 04:59:00

Average bandwidth received:

28879 22606 4553 8.66 gbps (probe: 3)

in the last 4 weeks network last 4 weeks

Average bandwidth processed:

subnets monitored across the

Summary of model breaches per Attack Phase

Lateral Movement ‣ 12.43%

A total of 23 model breaches of 4 diﬀerent models triggered by 21 unique devices

A total of 15 model breaches of 2 diﬀerent models triggered by 2 unique devices

Internal Recon ‣ 7.03%

Devices Model Breach Summary

Suspicious Network Scan Activity 100.0%

clusf s02.ccu.cl Overall score: 95.10%

clsf sauf v2.ccu.cl Overall score: 95.10%

High Priority Crypto Currency Mining 100.0%

ccunbhbarrer.ccu.local Overall score: 95.10%

abizzarxp.ccu.local Overall score: 95.10%

High Priority Crypto Currency Mining 100.0%

MNT NBCMOSCOSO Overall score: 95.10%

SSL or HTTP Beacon 100.0%

172.19.168.138 Overall score: 95.10%

Suspicious Network Scan Activity 100.0%

172.30.79.101 Overall score: 93.50%

SMB Lateral Movement 88.36%

Devices Model Breach Summary

High Priority Crypto Currency Mining 100.0%

ibmpsnt1.ccu.local Overall score: 95.10%

Suspicious Network Scan Activity 100.0%

clusf s02.ccu.cl Overall score: 95.10%

High Priority Crypto Currency Mining 100.0%

clusf s01.ccu.cl Overall score: 95.10%

High Priority Crypto Currency Mining 100.0%

clsf sauf v2.ccu.cl Overall score: 95.10%

High Priority Crypto Currency Mining 100.0%

clsf sauf v1.ccu.cl Overall score: 95.10%

High Priority Crypto Currency Mining 100.0%

ccunbhbarrer.ccu.local Overall score: 95.10%

Possible Brute-Force Activity 96.72%

abizzarxp.ccu.local Overall score: 95.10%

No breaches to report in your chosen time period

No breaches to report in your chosen time period

Antigena Network Actions (LICENSED)

Antigena Firewall Actions (LICENSED)

2022-06-06 19:12:26 UTC

Active Directory Reconnaissance — [AP: Internal Recon]

SMB Lateral Movement — [AP: Lateral Movement]

2022-06-24 17:37:20 UTC

Suspicious Octet Stream Download — [AP: Tooling]

2022-06-30 14:58:37 UTC to 2022-06-30 15:01:00 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

2022-06-27 14:53:27 UTC

Suspicious Netlogon RPC Calls Followed By DRS — [, AP: Exploit]

2022-06-20 13:00:32 UTC

2022-06-20 13:00:32 UTC

2022-06-20 13:00:33 UTC

2022-06-20 13:00:38 UTC

2022-06-20 13:00:38 UTC

2022-06-13 18:28:47 UTC

2022-06-13 18:28:47 UTC