Network Protection: Firewall, NAT, QoS, & IPS IPS false positive? "MALWARE-OTHER CobaltStrike beacon.dll download attempt"

UTM Firewall requires membership for participation - click to join

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS false positive? "MALWARE-OTHER CobaltStrike beacon.dll download attempt"

EdmundSackbauer over 4 years ago

Since yesterday, I get a lot of these alerts:

Intrusion Prevention Alert

An intrusion has been detected. The packet has been dropped automatically.

You can toggle this rule between "drop" and "alert only" in WebAdmin.

Details about the intrusion alert:

Message........: MALWARE-OTHER CobaltStrike beacon.dll download attempt

Details........: https://www.snort.org/search?query=53757

Time...........: 2021-05-07 13:06:57

Packet dropped.: yes

Priority.......: high

Classification.: A Network Trojan was Detected IP protocol....: 6 (TCP)

Source IP address: 93.184.221.240

Source port: 80 (http)

Destination IP address: 10.0.0.2 Destination port: 1240 (instantia)

This is coming from a Windows Desktop, but also from an Ubuntu system checking for updates.

It seems like a false positive, the Snort link contained in the mail is leading to a different alert.

The IP adresses are static content providers like Akamai or Canonical in case of Ubuntu

This thread was automatically locked due to age.

Top Replies

LuCar Toni over 4 years ago in reply to EdmundSackbauer +1

Attackers use Living on the Land (LOL) to after first exploits. They are getting on your network with other techniques and start exploiting with such tools to get more access. So in case of your example…

Parents

LuCar Toni over 4 years ago

CobaltStrike could be a IoC, that somebody is actively attacking you. You should immediately start investigating this alert.

The time matters in case you need help: https://www.sophos.com/en-us/products/managed-threat-response/rapid-response.aspx
Cancel
Vote Up 0 Vote Down

Cancel
EdmundSackbauer over 4 years ago in reply to LuCar Toni

Maybe I am missing something. These "source" addresses are actually on connections which we created from within my network.

So they are only source in terms of where the payload comes from, but not the TCP connection source.

I checked those public IPs and they are legit Microsoft (Akamai) and Ubuntu addresses, providing OS upgrades/patches.

And its only happening sometimes and only when Windows Update is running or Ubuntu checks for updates.

I traced on Windows the processes responsible for these connections and they are legit windows executables/dlls.
Cancel
Vote Up 0 Vote Down

Cancel
LuCar Toni over 4 years ago in reply to EdmundSackbauer

Attackers use Living on the Land (LOL) to after first exploits. They are getting on your network with other techniques and start exploiting with such tools to get more access. So in case of your example, they could already be on your network starting certain techniques.
Cancel
Vote Up +1 Vote Down

Cancel

Reply

LuCar Toni over 4 years ago in reply to EdmundSackbauer

Attackers use Living on the Land (LOL) to after first exploits. They are getting on your network with other techniques and start exploiting with such tools to get more access. So in case of your example, they could already be on your network starting certain techniques.
Cancel
Vote Up +1 Vote Down

Cancel

Children

No Data