This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS false positive? "MALWARE-OTHER CobaltStrike beacon.dll download attempt"

Since yesterday, I get a lot of these alerts:

Intrusion Prevention Alert


An intrusion has been detected. The packet has been dropped automatically.

You can toggle this rule between "drop" and "alert only" in WebAdmin.


Details about the intrusion alert:


Message........: MALWARE-OTHER CobaltStrike beacon.dll download attempt

Details........: https://www.snort.org/search?query=53757

Time...........: 2021-05-07 13:06:57

Packet dropped.: yes

Priority.......: high

Classification.: A Network Trojan was Detected

IP protocol....: 6 (TCP)


Source IP address: 93.184.221.240

Source port: 80 (http)

Destination IP address: 10.0.0.2

Destination port: 1240 (instantia)

This is coming from a Windows Desktop, but also from an Ubuntu system checking for updates.

It seems like a false positive; the Snort link contained in the mail leads to a different alert.

The IP addresses are static content providers like Akamai, or Canonical in the case of Ubuntu.



  • CobaltStrike could be an IoC that somebody is actively attacking you. You should immediately start investigating this alert.

    The time matters in case you need help: https://www.sophos.com/en-us/products/managed-threat-response/rapid-response.aspx


  • Maybe I am missing something. These "source" addresses are actually on connections which we created from within my network.

    So they are only source in terms of where the payload comes from, but not the TCP connection source.

    I checked those public IPs and they are legit Microsoft (Akamai) and Ubuntu addresses, providing OS upgrades/patches.

    And it's only happening sometimes, and only when Windows Update is running or Ubuntu checks for updates.

    I traced on Windows the processes responsible for these connections and they are legit windows executables/dlls.

  • Attackers use Living on the Land (LOL) after first exploits. They are getting on your network with other techniques and start exploiting with such tools to get more access. So in case of your example, they could already be on your network starting certain techniques.
