Fortianalyzer shows DC as compromised host

Forum|Forum|4 years ago
January 4, 2022
2 replies
5351 views

Hi,

I have internal domain dns server on domain controller, Fortianalyzer shows this host as compromised with multiple attempts to websites like:

zmarsa.com Malware CnC Spyware and Malware infected-domain

com.tr Malware CnC Not Rated infected-domain

techcdn.com Malware CnC Spyware and Malware infected-domain

and others.

First of all, my all servers have blocked internet access, and the second when I check Cached Lookups on my domain controller dns I can't find neither of these domains from Fortianalyzer logs.

Could anyone could me explain how could I troubleshoot these attempts and source of them?

FortiAnalyzer

A

Anonymous_User

Contributor

Hello Tutek,

Do you also log on Syslog server? Hope you will find some information in there.

Also, can you check if all the logs are been forwarded from the firewall to the Fortianalyzer, can you check on the firewall if you can find anything from the logs in the firewall.

Let us know if that helps.

Debbie_FTNT

Staff & Editor

Hey Tutek,

if you check the compromised host details on FortiAnalyzer, by right-clicking you should be able to get to the underlying logs FortiAnalyzer received, which made it reach the compromised verdict.

I would suggest checking traffic and/or security logs with source IP of your domain controller to figure out if there is in fact any traffic going to the internet from your DCs. If there is such traffic, the logs should tell you what policy allows that traffic, you can lock down the access, and then figure out if your domain controllers are actually compromised or not.

Hope this helps!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded