
IPS alerts - SID 57103 - SophosUpdate.exe process

Hello guys,

I'm receiving a lot of IPS alerts with SID 57103 for different destination IPs.

2021:12:17-10:29:11 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.101" proto="6" srcport="80" dstport="60832" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:29:25 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.3" proto="6" srcport="80" dstport="4493" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:30:30 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.101" proto="6" srcport="80" dstport="60842" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:30:39 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.4" proto="6" srcport="80" dstport="4519" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:42:47 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.68" proto="6" srcport="80" dstport="52597" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:44:03 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.68" proto="6" srcport="80" dstport="52628" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
Investigating one of these hosts, I found the connection ESTABLISHED via NETSTAT, together with its respective PID. Searching in Task Manager, I found the process with the same PID: it is SophosUpdate.exe. All hosts on this network use Sophos Intercept X.
I checked two other environments that also have Intercept X; one has the same alerts on the IPS. Is anyone else going through this situation? I don't know if this is a false positive or something trying to impersonate Sophos Update. I also found it strange that this communication uses HTTP and not HTTPS.
I've listed below all external IPs that are generating these alerts, all registered in the name of Akamai and hosted in Brazil:
- 2.22.80.144
- 92.122.173.201
- 104.90.1.165
- 104.89.253.165
- 104.89.245.166
Thanks
Fabio
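The NETSTAT and Task Manager check described in the post, in a scriptable form. This is an added example, not code from the original post or from Sophos; it assumes an elevated PowerShell session on one of the affected Windows hosts, and the alert lines in `$alertLines` are constructed from the ones quoted above. The snort fields show srcport="80" and an ephemeral dstport, so the flagged packets are the HTTP responses coming back to the client; the script therefore matches local connections on the remote address, resolves the owning process, and checks the Authenticode signature of its binary, which is the piece of evidence that distinguishes the genuine updater from something impersonating it.

```powershell
# Added example (not part of the original post). Assumes: elevated PowerShell,
# Windows 8 / Server 2012 or later (Get-NetTCPConnection), run on an affected host.

# Constructed sample: two of the snort lines quoted in the post (key="value" format).
$alertLines = @'
2021:12:17-10:29:11 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.101" proto="6" srcport="80" dstport="60832" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:30:39 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.4" proto="6" srcport="80" dstport="4519" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
'@ -split "`r?`n"

# Turn one snort line into an object with one property per key="value" pair.
function ConvertFrom-SnortAlert {
    param([string]$Line)
    $fields = [ordered]@{}
    foreach ($m in [regex]::Matches($Line, '(\w+)="([^"]*)"')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    [pscustomobject]$fields
}

$alerts = $alertLines |
    Where-Object { $_ -match 'sid="' } |
    ForEach-Object { ConvertFrom-SnortAlert $_ }

# Which external IP is hitting which internal host, and how often.
Write-Host "Alert summary (srcip, dstip -> count):"
$alerts | Group-Object srcip, dstip | Select-Object Count, Name | Format-Table -AutoSize

# On this host: live TCP connections to the external IPs named in the alerts,
# the owning process, and whether its binary carries a valid signature.
$remoteIps = $alerts.srcip | Sort-Object -Unique
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $remoteIps -contains $_.RemoteAddress }

foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = if ($proc) { $proc.Path } else { $null }
    $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
        LocalPort = $c.LocalPort
        PID       = $c.OwningProcess
        Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Path      = $path
        SigStatus = if ($sig) { $sig.Status } else { $null }        # Valid / NotSigned / HashMismatch ...
        Signer    = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
    }
}
```

The update connections are short-lived, so the second half only produces rows while a transfer is in progress; re-run it at the time an alert fires, or widen `-State` to include `TimeWait` to catch a connection that just closed. A row whose Path is under the Sophos install directory with SigStatus `Valid` and a Sophos signer supports the false-positive reading; an unsigned binary, a hash mismatch, or an unexpected path is what would justify escalating instead.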

