
Traffic to a known sinkhole indicating infection

ID: sinkholed_destination
Data type: DNS, IP, HTTP
Severity: High
MITRE ATT&CK: TA0011 (Command and Control) / T1071 (Application Layer Protocol)

Description

AlphaSOC detected network traffic directed to a destination that has been sinkholed by a security vendor. Sinkholing redirects traffic destined for a malicious domain or IP address to a server controlled by security researchers or law enforcement, usually after the domain has been seized, suspended, or re-registered. Legitimate software has no reason to contact such a destination, so the traffic indicates that a device on your network is likely compromised and is attempting to reach what was, at the time of infection, a live command and control (C2) server.

Impact

Traffic to a sinkholed destination indicates a probable malware infection or compromise. The affected system may be part of a botnet, attempting to exfiltrate data, or polling for instructions from a threat actor. The sinkhole only prevents the malware from reaching its original operator; the infection itself remains on the host, and malware that carries fallback infrastructure (additional domains, a domain generation algorithm, hardcoded IP addresses) may still reach live C2. The root cause is therefore an open security risk that requires investigation.

Severity

Severity    Condition
High        Traffic to a known sinkhole destination

Investigation and Remediation

Identify the affected system and isolate it from the network. If the observed source address is a recursive DNS resolver, forward proxy, or NAT gateway rather than an endpoint, use the resolver query logs, proxy logs (including X-Forwarded-For), or NAT translation logs to attribute the traffic to the real internal client. Before escalating, confirm the traffic did not originate from a security tool that deliberately contacts indicators (a malware sandbox, threat-intelligence enrichment, or a scanner), as these produce the same alert without an infection. Preserve volatile evidence (memory, running processes, network connections) before taking the host offline, then perform a thorough malware scan and forensic analysis to determine the extent of the compromise. Review recent system activity, installed software, scheduled tasks and persistence mechanisms, and user actions, and search the same logs for other hosts contacting the same destination. If malware is confirmed, reimage the affected systems, reset all credentials that were used on or stored on them, and patch any vulnerabilities that may have been exploited.
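The detection described above and the attribution step of the investigation can be illustrated with a small matcher. The following is an added example, not AlphaSOC's detection code: the sinkhole indicators, the forward proxy address, and the log lines are all constructed for illustration, and the log format (timestamp, record kind, source, destination, then key=value fields) is an assumption. It flags DNS, HTTP and flow records whose destination matches a sinkholed domain (including subdomains) or IP address, and attributes each hit to the internal client rather than to the proxy that relayed it.

```python
"""Added example: match DNS/HTTP/flow log records against a constructed
sinkhole list and attribute hits to the real internal client.
Not AlphaSOC code; indicators, proxy address and logs are invented."""
import ipaddress
from collections import defaultdict

# Constructed sinkhole indicators (hypothetical; TEST-NET addresses and
# reserved example domains, not a real vendor feed).
SINKHOLE_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.7", "198.51.100.22")}
SINKHOLE_DOMAINS = {"seized-c2.example", "sinkhole.example"}

# Hypothetical forward proxy: its source IP masks the client that made the request.
PROXY_HOSTS = {"10.0.0.80"}

# Constructed log lines: "<ts> <kind> <src> <dst> key=value ..."
LOGS = [
    "2024-05-01T10:00:00Z dns 10.1.2.3 10.0.0.53 qname=seized-c2.example answer=203.0.113.7",
    "2024-05-01T10:00:01Z flow 10.1.2.3 203.0.113.7 dport=443",
    "2024-05-01T10:00:05Z http 10.0.0.80 198.51.100.22 host=www.sinkhole.example xff=10.1.2.9",
    "2024-05-01T10:00:07Z dns 10.1.2.4 10.0.0.53 qname=www.example.com answer=93.184.216.34",
    "2024-05-01T10:00:08Z flow 10.1.2.4 93.184.216.34 dport=443",
]


def domain_is_sinkholed(name):
    """True if name equals a sinkholed domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SINKHOLE_DOMAINS)


def ip_is_sinkholed(addr):
    """True if addr is a sinkhole IP; non-IP strings never match."""
    try:
        return ipaddress.ip_address(addr) in SINKHOLE_IPS
    except ValueError:
        return False


def parse(line):
    """Split one log line into a dict of fixed fields plus key=value pairs."""
    ts, kind, src, dst, *kv = line.split()
    rec = {"ts": ts, "kind": kind, "src": src, "dst": dst}
    rec.update(p.split("=", 1) for p in kv if "=" in p)
    return rec


def match(rec):
    """Return the indicator that fired for this record, or None."""
    if rec["kind"] == "dns":
        if domain_is_sinkholed(rec.get("qname", "")):
            return "domain:" + rec["qname"]
        if ip_is_sinkholed(rec.get("answer", "")):
            return "ip:" + rec["answer"]
    elif rec["kind"] == "http" and domain_is_sinkholed(rec.get("host", "")):
        return "domain:" + rec["host"]
    # Any record kind: the destination itself may be the sinkhole IP.
    if ip_is_sinkholed(rec["dst"]):
        return "ip:" + rec["dst"]
    return None


def client_of(rec):
    """Attribute to the real client: behind the proxy, trust the first X-Forwarded-For hop."""
    if rec["src"] in PROXY_HOSTS and rec.get("xff"):
        return rec["xff"].split(",")[0].strip()
    return rec["src"]


def find_hits(lines):
    """Map each internal client to the (ts, kind, indicator) hits attributed to it."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        indicator = match(rec)
        if indicator:
            hits[client_of(rec)].append((rec["ts"], rec["kind"], indicator))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_hits(LOGS).items():
        print(client)
        for ts, kind, indicator in events:
            print(f"  {ts} {kind:5} {indicator}")
```

Running the block lists 10.1.2.3 twice (the DNS query for the seized domain and the follow-up connection to the sinkhole IP) and 10.1.2.9 once, attributed through the proxy's X-Forwarded-For header; 10.1.2.4 does not appear. Matching on both the queried name and the answered address matters because a sinkholed domain can resolve to an address that is not yet in an IP feed, and a hardcoded IP beacon never produces a DNS query at all.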