Hello guys,
I'm receiving a lot of IPS alerts with SID 57103 for diferent destination IPs.
2021:12:17-10:29:11 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.101" proto="6" srcport="80" dstport="60832" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:29:25 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.3" proto="6" srcport="80" dstport="4493" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:30:30 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.101" proto="6" srcport="80" dstport="60842" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:30:39 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.4" proto="6" srcport="80" dstport="4519" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:42:47 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.68" proto="6" srcport="80" dstport="52597" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:44:03 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.68" proto="6" srcport="80" dstport="52628" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:29:25 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.3" proto="6" srcport="80" dstport="4493" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:30:30 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.101" proto="6" srcport="80" dstport="60842" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:30:39 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.4" proto="6" srcport="80" dstport="4519" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:42:47 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.68" proto="6" srcport="80" dstport="52597" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-10:44:03 sg-alpex snort[25704]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt" group="110" srcip="2.22.80.144" dstip="10.0.0.68" proto="6" srcport="80" dstport="52628" sid="57103" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
Investigating on one of these hosts, I found via NETSTAT the connection ESTABLISHED and it's respective PID. Searching in Task Manager, I found the process with the same PID, it's the SophosUpdate.exe. All hosts of this network uses Sophos Intercept X.
I checked two other environment that also have Intercept X, one have the same alerts on the IPS. Anyone else going through this situation? I don't know if this is a false positive or something trying to impersonate Sophos Update. I found it strange to also use HTTP and not HTTPS in this communication.
I've listed below all external IP's that are generating these alerts, all listed in the name of Akamai and hosted in Brazil:
- 2.22.80.144
- 92.122.173.201
- 104.90.1.165
- 104.89.253.165
- 104.89.245.166
- 92.122.173.201
- 104.90.1.165
- 104.89.253.165
- 104.89.245.166
Thanks
Fabio
This thread was automatically locked due to age.
