Post-Compromise

Post-Compromise detections are a core part of Netography Fusion's Netography Detection Models (NDMs), designed to identify and alert on activity associated with systems that have already been compromised. These detections focus on recognizing the signs of a machine that has been breached and is possibly being manipulated for malicious purposes. For example, the system can detect Command and Control (C2) traffic, often a clear sign of a compromised machine being remotely controlled by a threat actor. Another key detection monitors for connections to external IPs with a known bad reputation, which may indicate data exfiltration or further malware downloads from malicious sources. The 'ip_lookup_attempt' detection specifically flags a machine attempting to look up its own public IP address; certain malware strains exhibit this behavior after infection to learn more about the network environment they have landed in. By promptly identifying these post-compromise indicators, the NDMs allow network administrators to take immediate action, mitigating further damage and initiating incident response procedures.
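To make the two simpler detections concrete, the following is an added illustration written for this page; it is not Netography's NDM code and does not reflect how Fusion implements these models. It runs two checks over constructed flow records (an internal source, an external destination, and the TLS SNI or HTTP Host observed on the flow): a connection to an IP on a reputation list, and an 'ip_lookup_attempt' inferred from the destination hostname matching a public "what is my IP" service. The internal address ranges, the reputation entry (a TEST-NET-3 documentation address, not a real indicator), and the lookup-service hostname set are all assumptions of this example.

```python
"""Toy flow-based post-compromise detections (added example, not Netography code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the monitored organization uses RFC 1918 space internally, so
# anything outside these prefixes is treated as an external destination.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed reputation-feed entry: a TEST-NET-3 documentation address, not a real IoC.
BAD_REPUTATION_IPS = {"203.0.113.45"}

# Hostnames of public self-IP lookup services. A representative set (assumption), not exhaustive.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com", "checkip.amazonaws.com"}


@dataclass(frozen=True)
class Flow:
    src: str   # internal source address
    dst: str   # destination address
    dport: int
    host: str  # TLS SNI or HTTP Host header seen on the flow, "" if none


@dataclass(frozen=True)
class Finding:
    detection: str
    src: str
    dst: str
    detail: str


def is_external(ip: str) -> bool:
    """True when the address falls outside every internal prefix."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_bad_reputation(flows):
    """Internal host talking to an external IP present on the reputation list."""
    return [
        Finding("bad_reputation_ip", f.src, f.dst, f"dst {f.dst}:{f.dport} is on the reputation list")
        for f in flows
        if is_external(f.dst) and f.dst in BAD_REPUTATION_IPS
    ]


def detect_ip_lookup_attempt(flows):
    """Internal host contacting a known public 'what is my IP' service."""
    return [
        Finding("ip_lookup_attempt", f.src, f.dst, f"self-IP lookup via {f.host}")
        for f in flows
        if is_external(f.dst) and f.host.lower() in IP_LOOKUP_HOSTS
    ]


def run_detections(flows):
    return detect_bad_reputation(flows) + detect_ip_lookup_attempt(flows)


def detections_by_host(findings):
    """Map each internal source to the set of distinct detections it triggered.

    A self-IP lookup on its own is low fidelity (admins and scripts do it too);
    a host that also trips an independent detection such as a bad-reputation
    connection is the stronger incident-response candidate.
    """
    out = {}
    for fnd in findings:
        out.setdefault(fnd.src, set()).add(fnd.detection)
    return out


# Constructed sample flows: TEST-NET-2 (198.51.100.0/24) and TEST-NET-3 used as externals.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.45", 443, ""),                 # reputation-list hit
    Flow("10.0.0.5", "198.51.100.20", 443, "api.ipify.org"),  # self-IP lookup
    Flow("10.0.0.7", "10.0.0.9", 445, ""),                     # internal SMB, ignored here
    Flow("10.0.0.7", "198.51.100.30", 80, "ifconfig.me"),     # self-IP lookup
    Flow("10.0.0.5", "198.51.100.40", 443, "example.com"),    # ordinary external traffic
]

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_FLOWS):
        print(f"[{finding.detection}] {finding.src} -> {finding.dst}: {finding.detail}")
    for host, kinds in detections_by_host(run_detections(SAMPLE_FLOWS)).items():
        print(f"{host}: {len(kinds)} distinct detection(s): {sorted(kinds)}")
```

On the sample data the reputation check fires once (10.0.0.5) and the lookup check twice (10.0.0.5 and 10.0.0.7); grouping by source shows 10.0.0.5 with two independent detections, which is the host to triage first. A real deployment would match on resolved DNS names as well as SNI/Host, since a lookup over plain HTTP with no Host header or over a bare IP would not be caught by this string match.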