# Post-Compromise Post-Compromise detections are a vital feature of Netography Fusion's Netography Detection Models (NDMs) designed to identify and alert about activities associated with already compromised systems. These detections focus on recognizing the signs of a machine that has been breached and is possibly being manipulated for malicious activities. For example, the system can detect Command and Control (C2) traffic, often a clear sign of a compromised machine being remotely controlled by a threat actor. Another key detection involves monitoring for connections to external IPs with a known bad reputation, which might suggest data exfiltration or further malware download from malicious sources. The 'ip\_lookup\_attempt' detection, specifically, flags when a machine is attempting to look up its own IP address. This behavior is often exhibited by certain malware strains post-infection to understand more about the infected network environment. By promptly identifying these post-compromise indicators, the NDMs allow network administrators to take immediate action, mitigating further damage and initiating incident response procedures. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.fusion.vectra.ai/detection-models/library/post-compromise.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.