Rule Category

MALWARE-CNC -- Snort has detected a Comand and Control (CNC) rule violation, most likely for commands and calls for files or other stages from the control server. The alert indicates a host has been infiltrated by an attacker, who is using the host to make calls for files, as a call-home vector for other malware-infected networks, for shuttling traffic back to bot owners, etc.

Alert Message

MALWARE-CNC User-Agent known malicious user agent - istsvc

Rule Explanation

This event is generated when activity relating to a spyware application is detected. Impact: Unknown. Possible information disclosure, violation of privacy, possible violation of policy. Details: Spyware is malicious software running on a host that may intercept or take information from the host system without a users consent or knowledge. Spyware is also capable of using a hosts Internet connection without the knowledge or consent of the user, in order to deliver that information to an unauthorized third party. This software not only uses available bandwidth on a network connection but also consumes system resources to the point of making the host unusable in some cases. Spyware can be classified into multiple categories depending on the behavior of the software. In particular, this event indicates that the software detected is a hijacker. Hijacker programs take control of browser settings and are able to redirect information intended for one web site to another without the consent and knowledge of the user. Ease of Attack: Simple. This is spyware activity.

What To Look For

Known Usage

No public information

False Positives

No known false positives


Cisco Talos

MITRE ATT&CK Framework



For reference, see the MITRE ATT&CK vulnerability types here:

Additional Links

Rule Vulnerability

CVE Additional Information