CB Defense: Why Are There Multiple System Attempted To Accept Connection Events In The Defense Web Console?
Article ID: 288604


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Why Are There Multiple "System Attempted To Accept (PROTOCOL/PORT) Connection From Address (IP)" Events In The CB Defense Web Console?

Environment

  • CB Defense Web Console: All Versions
  • CB Defense Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • MacOS: All Supported Versions

Resolution

These events are presented in the web console under the ATTEMPTED_SERVER TTP, which indicates that an inbound connection attempt was made to the local machine. These connection attempts can be related to incorrect / invalid credential attempts, vulnerability scans, or potentially malicious applications.

Additional Information

Incorrect / Invalid credential attempts:

  • Review local logs and remote machine logs for access failures
  • Use the port information to help identify likely applications
  • Use Wireshark to view connection attempts

Vulnerability Scans:

  • These scans generally run quickly and generate a large number of connection attempts. Local firewalls and/or applications may have built-in mechanisms to block or drop this activity, which can itself cause many new connection attempts to be logged.
  • If the inbound connection IPs are on your internal network, verify whether the remote system is being used to perform vulnerability assessments or is running asset management tools.
  • If the inbound connection IPs are outside your network:
    • Evaluate the IPs against known web-based scanners (zmap.io, shodan.io, censys.io, wappalyzer.com, wpscans.com, quttera.com, shadowserver.org, etc.)
    • Check local IIS / web server logs for GET requests
    • Consider creating firewall block rules based on findings

Potentially Malicious Applications:

  • Review sensor data for local and remote systems within the CbD web console
  • Review the Alerts page
  • Search for interesting TTPs such as: TTP:ACTIVE_SERVER OR TTP:NON_STANDARD_PORT OR TTP:BEACON
  • Evaluate your findings
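The triage in the three sections above (credential guessing, vulnerability scans, and potentially malicious applications) comes down to grouping the ATTEMPTED_SERVER events by remote address and looking at how many ports were hit and how fast. The following script is an added example, not Carbon Black code and not an export format the console produces: it parses event lines in the "System attempted to accept (PROTOCOL/PORT) connection from address (IP)" wording shown in this article (the ISO timestamp prefix, the line layout, the internal network ranges and the sample events are all assumptions constructed for the example), then sorts each remote IP into a bucket: a burst of distinct ports from one source (scan-like), repeated hits on a single port (credential-guessing-like), or a one-off. The internal/external flag corresponds to the "on your internal network" vs "outside your network" branches of the vulnerability-scan section.

```python
"""Triage helper for CB Defense "System attempted to accept" events.

Added example for this KB article; the event export format, timestamp
prefix, internal ranges and sample data below are assumptions, not
anything the CB Defense console itself produces.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed export layout: "<ISO-8601 timestamp> <console event text>".
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) System attempted to accept "
    r"\((?P<proto>[A-Za-z]+)/(?P<port>\d+)\) connection from address "
    r"\((?P<ip>[0-9a-fA-F.:]+)\)",
    re.IGNORECASE,
)

# Assumed internal ranges for this example; replace with your own allocations.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample events (not real console output). 10.1.2.50 sweeps six
# ports in three seconds, 203.0.113.9 hits RDP three times, 10.1.2.7 is a one-off.
SAMPLE_EVENTS = """\
2024-01-15T10:00:01Z System attempted to accept (TCP/445) connection from address (10.1.2.50)
2024-01-15T10:00:02Z System attempted to accept (TCP/135) connection from address (10.1.2.50)
2024-01-15T10:00:02Z System attempted to accept (TCP/3389) connection from address (10.1.2.50)
2024-01-15T10:00:03Z System attempted to accept (TCP/22) connection from address (10.1.2.50)
2024-01-15T10:00:03Z System attempted to accept (TCP/80) connection from address (10.1.2.50)
2024-01-15T10:00:04Z System attempted to accept (TCP/443) connection from address (10.1.2.50)
2024-01-15T10:05:00Z System attempted to accept (TCP/3389) connection from address (203.0.113.9)
2024-01-15T10:07:00Z System attempted to accept (TCP/3389) connection from address (203.0.113.9)
2024-01-15T10:09:00Z System attempted to accept (TCP/3389) connection from address (203.0.113.9)
2024-01-15T11:00:00Z System attempted to accept (TCP/445) connection from address (10.1.2.7)
"""


def parse_events(text):
    """Return a list of dicts for every line matching the event wording."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # unrelated event type; ignore
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "proto": m["proto"].upper(),
            "port": int(m["port"]),
            "ip": ipaddress.ip_address(m["ip"]),
        })
    return events


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def max_distinct_ports_in_window(evs, window):
    """Largest number of distinct ports one source hit within any `window`."""
    evs = sorted(evs, key=lambda e: e["ts"])
    best, start = 0, 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        best = max(best, len({e["port"] for e in evs[start:end + 1]}))
    return best


def summarize(events, scan_ports=5, scan_window=timedelta(seconds=60), repeat_min=3):
    """Group events by remote IP and assign each a triage bucket:
    'scan'               - >= scan_ports distinct ports inside scan_window
    'repeat-single-port' - one port hit repeat_min or more times
    'single'             - anything else
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    summary = {}
    for ip, evs in by_ip.items():
        ports = sorted({e["port"] for e in evs})
        if max_distinct_ports_in_window(evs, scan_window) >= scan_ports:
            bucket = "scan"
        elif len(ports) == 1 and len(evs) >= repeat_min:
            bucket = "repeat-single-port"
        else:
            bucket = "single"
        summary[str(ip)] = {
            "internal": is_internal(ip),
            "count": len(evs),
            "ports": ports,
            "bucket": bucket,
        }
    return summary


if __name__ == "__main__":
    for ip, info in summarize(parse_events(SAMPLE_EVENTS)).items():
        where = "internal" if info["internal"] else "external"
        print(f"{ip:16} {where:8} {info['bucket']:19} hits={info['count']} ports={info['ports']}")
```

An IP in the "scan" bucket that is internal is a candidate for the vulnerability-assessment or asset-management check; an external one is what the scanner lookup and firewall block rule steps apply to. A "repeat-single-port" source on a port such as 3389 or 445 is the pattern to cross-check against local and remote access-failure logs. The thresholds are starting points, not tuned values.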