Anyone get IPS alert "MALWARE-OTHER Windows Management Instrumentation manipulation attempt"?

We have been getting these email alerts to our network team from our main Sophos UTM since Tuesday morning. 

  

=============================================================

Message........: MALWARE-OTHER Windows Management Instrumentation manipulation attempt

Details........: https://www.snort.org/search?query=49570

Packet dropped.: yes

Classification.: A Network Trojan was Detected

IP protocol....: 6 (TCP)

Source IP address: <SophosEndpointProtection-IP>

Source port: 80 (http)

Destination IP address: <Sophos-UTM-IP>

Destination port: 64218

--

HA Status          : HA MASTER (node id: 2)

System Uptime      : 0 days 0 hours 18 minutes

System Load        : 4.05

System Version     : Sophos UTM 9.604-2

==========================================================

 

(2) The IPS log shows the following summary:

@12:18:34 action="drop" reason="MALWARE-OTHER Windows Management Instrumentation manipulation attempt" srcip="23.32.80.135" srcport="80" sid="49570" class="A Network Trojan was Detected"

@12:19:04 action="drop" reason="MALWARE-OTHER Windows Management Instrumentation manipulation attempt" srcip="23.76.197.134" srcport="80" sid="49570" class="A Network Trojan was Detected"

@12:19:35 action="drop" reason="MALWARE-OTHER Windows Management Instrumentation manipulation attempt" srcip="184.25.98.243" srcport="80" sid="49570" class="A Network Trojan was Detected"

 

(3) Since it is outbound on port 80, our 'WebProtection' log shows the following sample summary...

12:19:04 method="GET" dstip="23.76.197.134" statuscode="200" cached="0" url="d1.sophosupd.com/.../1ab6fc7acbfce20ac8782ae88318a252x000.dat"

12:19:34 method="GET" dstip="23.32.80.135"  statuscode="200" cached="0"  url="http://d1.sophosupd.com/update/1ab6fc7acbfce20ac8782ae88318a252x000.dat"

12:20:04 method="GET" dstip="184.25.98.243" statuscode="200" cached="1" url="http://dci.sophosupd.com/update/3/25/325420ec2b9d8646efcfea111f80f01f.dat"

 

(4) The IPS log does not show any detail other than the SNORT# 49570.   Googling around, I found this link...

https://snort.org/rule_docs/1-49570

 

 

Any suggestions?   We are getting 30-40 email alerts every hour.

 

Thanks,

Bob Gausman



  • Bob, please edit your post so that it contains actual IPs and complete log lines.  Obfuscate IPs like 64.x.y.183, 10.x.y.33, 172.2x.y.22, 192.168.x.11.

    This may be a false positive due to an erroneous pattern, but it's difficult to say without a bit more context.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is somewhat of a shot in the dark, but the source address is Akamai Technologies, which is what Microsoft uses. WMI is used to gather info on the systems, among other things. Do you have "send diagnostic data to help Microsoft" enabled?  Or are you using any Office 365 services or updating that could be pulling information?

     

    Respectfully, 

     

    Badrobot

     

  • Also, I should add that WMI typically requires admin privileges. This may be a false positive, but it may not be... to be safe, you could have all admins change their passwords.  

     

    https://attack.mitre.org/techniques/T1084/

    Respectfully, 

     

    Badrobot

     

  • Thanks Bob for chiming in,

     

    Yes, these were false positives.   All traffic was Sophos updates.   The alert messages stopped yesterday around 15:00.

     

    These are the five dst IPs showing up in the alert messages.   

     

    Destination IP address: 10.xxx.xxx.3 (utm-3)

    Source IP address: 104.119.115.86 (a104-119-115-86.deploy.static.akamaitechnologies.com)Source port: 80 (http)

    Source IP address: 184.25.98.243 (a184-25-98-243.deploy.static.akamaitechnologies.com)Source port: 80 (http)

    Source IP address: 23.40.18.92 (a23-40-18-92.deploy.static.akamaitechnologies.com)Source port: 80 (http)

    Source IP address: 23.32.80.135 (a23-32-80-135.deploy.static.akamaitechnologies.com)Source port: 80 (http)

    Source IP address: 23.56.203.90 (a23-56-203-90.deploy.static.akamaitechnologies.com)Source port: 80 (http)

     

    Good thing these were HTTP, so I had excellent detail logging.   Some of the UTM#3 web log detail:

    ==============================================================================================

    2019:07:16-00:21:07 cmh-utm-3-1 httpproxy[9383]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.x.x.99" dstip="104.119.115.86" user="" group="" ad_domain="" statuscode="200" cached="1" profile="REF_HttProContaInterNetwo (Transparent Proxy [none])" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="461" request="0xd553100" url="http://d1.sophosupd.com/update/catalogue/sdds.MAC2019-4.5.xml" referer="" error="" authtime="0" dnstime="52270" aptptime="345" cattime="0" avscantime="0" fullreqtime="75371" device="0" auth="0" ua="AutoUpdate/5.14.36 SDDS/2.0 (u= P7 c= 32c5cb05-3622 i= )" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size" application="sophupda" app-id="794"

     

    2019:07:16-00:48:39 cmh-utm-3-1 httpproxy[9383]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.x.x.114" dstip="104.119.115.86" user="" group="" ad_domain="" statuscode="200" cached="1" profile="REF_HttProContaInterNetwo3 (Non-Hospital WebProfile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4121" request="0xdcaa1500" url="http://dci.sophosupd.com/update/3/25/325420ec2b9d8646efcfea111f80f01f.dat" referer="" error="" authtime="0" dnstime="18914" aptptime="248" cattime="0" avscantime="0" fullreqtime="145139" device="0" auth="0" ua="AutoUpdate/5.14.36 SDDS/2.0 (u= P7 c=c051c80c i= )" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,application,fileextension,size" application="sophupda" app-id="794"

     

    2019:07:16-00:48:58 cmh-utm-3-1 httpproxy[9383]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.x.x.89" dstip="104.119.115.86" user="WS_RM5" group="" ad_domain="" statuscode="200" cached="1" profile="REF_HttProContaInterNetwo (Transparent Proxy [none])" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="460" request="0xe0284300" url="http://d1.sophosupd.com/update/catalogue/sdds.SUM2018-2.1.xml" referer="" error="" authtime="0" dnstime="892" aptptime="225" cattime="0" avscantime="0" fullreqtime="40204" device="0" auth="0" ua="AutoUpdate/5.14.36 SDDS/2.0 (u= P7 c= 6b7620aa i= )" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size"

     

    2019:07:16-01:18:59 cmh-utm-3-1 httpproxy[9383]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.x.x.251" dstip="104.119.115.86" user="" group="" ad_domain="" statuscode="200" cached="1" profile="REF_HttProContaInterNetwo (Transparent Proxy [none])" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4121" request="0xd15ac300" url="http://dci.sophosupd.com/update/3/25/325420ec2b9d8646efcfea111f80f01f.dat" referer="" error="" authtime="0" dnstime="20701" aptptime="206" cattime="0" avscantime="0" fullreqtime="147695" device="0" auth="0" ua="AutoUpdate/5.14.36 SDDS/2.0 (u= P7 c= becb6ec4 i= )" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size" application="sophupda" app-id="794"

     

    2019:07:16-09:41:26 cmh-utm-3-1 httpproxy[9383]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.x.x.99" dstip="104.119.115.86" user="JMF" group="" ad_domain="" statuscode="200" cached="1" profile="REF_HttProContaInterNetwo (Transparent Proxy [none])" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="460" request="0xc7ef2000" url="http://d1.sophosupd.com/update/catalogue/sdds.SUM2018-2.1.xml" referer="" error="" authtime="0" dnstime="0" aptptime="252" cattime="0" avscantime="0" fullreqtime="17258" device="0" auth="0" ua="AutoUpdate/5.10.139 SDDS/2.0 (u= P7 c= ded5b89c i= )" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,fileextension,size" application="sophupda" app-id="794"

     

     

  • Update:  We are no longer getting the SNORT alerts, so this was probably fixed by a Sophos definition update.  

     

    While we are talking about Sophos updates, we get these messages regarding Sophos Up2Date from two of the three Sophos UTMs...

    It first started on our 'public' many months ago; then, after the firmware upgrade to 9.6.03 on UTM2 about a month ago, it also started there.  It is always for a 15-minute period.

    By the way, 'public' is the Sophos UTM free firewall-only software appliance, and UTM2 is Sophos UTM Network Protection licensed.  

    Not worried about this - just extra noise... 

  • It looks like your EXTERNAL_NET and HOME_NET are not defined correctly, and that's why the alerts are occurring.