Saw some strange traffic going to 152.199.21.175.
After getting a capture, saw it was looking up cdn.devolutions.net.
Both the IP and the URL had good rep, but I was trying to tie it to a corp app.
Used Sysmon on the server to log DNS requests.
Found it was coming from a ManageEngine process:
C:\Program Files (x86)\ManageEngine\UEMS_DistributionServer\bin\dcreplication.exe
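The Sysmon step above, as an added example that is not part of the original post: it pulls Sysmon DNS query events (Event ID 22) for a hostname and groups them by the process image that issued the lookup. It assumes Sysmon is installed with DnsQuery logging enabled and writing to the default Microsoft-Windows-Sysmon/Operational channel; the hostname is the one from the post.

```powershell
# Added example (not the original post's code). Attribute DNS lookups of a
# hostname to the process that made them, using Sysmon Event ID 22 (DnsQuery).
# Assumes Sysmon logs to the default Microsoft-Windows-Sysmon/Operational channel.
param(
    [string]$QueryName = 'cdn.devolutions.net',   # hostname from the post
    [int]$Hours = 24                               # how far back to search
)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 22                                 # Sysmon DnsQuery event
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Read EventData fields by name rather than by index, so the script
        # does not break if the field order differs between Sysmon versions.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            UtcTime      = $data['UtcTime']
            ProcessId    = $data['ProcessId']
            Image        = $data['Image']
            QueryName    = $data['QueryName']
            QueryResults = $data['QueryResults']   # resolved addresses, if any
        }
    } |
    Where-Object { $_.QueryName -like "*$QueryName*" } |
    Group-Object Image |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Image';    e = { $_.Name } },
                  @{ n = 'LastSeen'; e = { ($_.Group.UtcTime | Sort-Object)[-1] } },
                  @{ n = 'Results';  e = { ($_.Group.QueryResults | Select-Object -Unique) -join '; ' } }
```

Run it in an elevated session on the server; the Image column is what ties the lookup to a binary such as the dcreplication.exe path above, and the Results column lets you confirm the resolved address matches the one seen on the wire.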