https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255433#M521 <P>We are seeing what we think are false postives with this signature.&nbsp; We see lots of OCSP traffic from Amazon and others that has space after the 200 OK.</P><P>&nbsp;</P><P><SPAN>POST / HTTP/1.0</SPAN></P><P><SPAN>Connection: Keep-Alive</SPAN></P><P><SPAN>Content-Type: application/ocsp-request</SPAN></P><P><SPAN>Accept: */*</SPAN></P><P><SPAN>User-Agent: Entrust Entelligence Security Provider</SPAN></P><P><SPAN>Content-Length: 121</SPAN></P><P><SPAN>Host: ocsp.rootg2.amazontrust.com</SPAN></P><P>&nbsp;</P><P><SPAN>0w0u.....0N0L0J0...+.......}.D^g.|.wNC..&gt;...s...._.....0+8...mJ..........J*'.....+.........0.0.. +.....0...</SPAN></P><P><SPAN>0.. +.....0..</SPAN><SPAN>HTTP/1.1 200 OK </SPAN></P><P><SPAN>Content-Type: application/ocsp-response</SPAN></P><P><SPAN>Content-Length: 1546</SPAN></P><P><SPAN>Connection: keep-alive</SPAN></P><P><SPAN>Date: Fri, 29 Mar 2019 09:56:06 GMT</SPAN></P><P><SPAN>Server: WEBrick/1.3.1 (Ruby/2.3.8/2018-10-18)</SPAN></P><P><SPAN>X-Cache: Miss from cloudfront</SPAN></P><P><SPAN>Via: 1.1 048de604b26de968a1aa2fe5dd1a0085.cloudfront.net (CloudFront)</SPAN></P><P><SPAN>X-Amz-Cf-Id: xuBEvyqfYSM9Hr0TcWIUJ-CL-n_a8enx3EmVPtId3MItOJgncm_6ew==</SPAN></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 663px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/19283i2A5CA0D304FE4095/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Fri, 29 Mar 2019 15:40:54 GMT PaulT 2019-03-29T15:40:54Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255251#M515 <P>Anyone seeing this new signature as FP prone?</P> Thu, 28 Mar 2019 11:07:44 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255251#M515 apackard 2019-03-28T11:07:44Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255294#M517 <P>We haven't seen any reported at this point.</P> Thu, 28 Mar 2019 17:58:38 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255294#M517 nigelswift 2019-03-28T17:58:38Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255336#M518 <P>The signature is meant to detect<SPAN>&nbsp;an empty space in "HTTP/1.1 200 OK " (right after the OK) in HTTP responses, which may indicate a connection with a NanoHTTPD server, which is 'typically' used in Cobalt Strike's team server.</SPAN></P> <P>&nbsp;</P> <P><SPAN>If you see other HTTPD implementations inserting the "extraneous space", do let us know.</SPAN></P> <P>&nbsp;</P> <P><SPAN>More information available at:</SPAN></P> <P><SPAN><A href="https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/" target="_blank" rel="noopener">https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/</A></SPAN></P> Thu, 28 Mar 2019 22:51:13 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255336#M518 mivaldi 2019-03-28T22:51:13Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255337#M519 <P>Hi, yes, I guessed that might be what you defined the signature for.</P><P>&nbsp;</P><P>We are seeing hits on this, obviously hoping that it’s a false positive.....</P><P>&nbsp;</P><P>It seems to be triggering on valid websites as far as we can tell, and it’s not just one, so either there are a lot of compromised commercial websites or it’s too sensitive. &nbsp;I can provide the packet captures as necessary.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 28 Mar 2019 23:00:18 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255337#M519 apackard 2019-03-28T23:00:18Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255348#M520 <P>As a FYI here are three domains we're seeing hits on:-</P><P>&nbsp;</P><P><A href="http://www.merrell.com" target="_blank">www.merrell.com</A></P><P><A href="http://www.belk.com" target="_blank">www.belk.com</A></P><P><A href="http://www.hotelchocolat.com" target="_blank">www.hotelchocolat.com</A></P><P>&nbsp;</P><P>Rgds</P> Fri, 29 Mar 2019 01:09:28 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255348#M520 apackard 2019-03-29T01:09:28Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255433#M521 <P>We are seeing what we think are false postives with this signature.&nbsp; We see lots of OCSP traffic from Amazon and others that has space after the 200 OK.</P><P>&nbsp;</P><P><SPAN>POST / HTTP/1.0</SPAN></P><P><SPAN>Connection: Keep-Alive</SPAN></P><P><SPAN>Content-Type: application/ocsp-request</SPAN></P><P><SPAN>Accept: */*</SPAN></P><P><SPAN>User-Agent: Entrust Entelligence Security Provider</SPAN></P><P><SPAN>Content-Length: 121</SPAN></P><P><SPAN>Host: ocsp.rootg2.amazontrust.com</SPAN></P><P>&nbsp;</P><P><SPAN>0w0u.....0N0L0J0...+.......}.D^g.|.wNC..&gt;...s...._.....0+8...mJ..........J*'.....+.........0.0.. +.....0...</SPAN></P><P><SPAN>0.. +.....0..</SPAN><SPAN>HTTP/1.1 200 OK </SPAN></P><P><SPAN>Content-Type: application/ocsp-response</SPAN></P><P><SPAN>Content-Length: 1546</SPAN></P><P><SPAN>Connection: keep-alive</SPAN></P><P><SPAN>Date: Fri, 29 Mar 2019 09:56:06 GMT</SPAN></P><P><SPAN>Server: WEBrick/1.3.1 (Ruby/2.3.8/2018-10-18)</SPAN></P><P><SPAN>X-Cache: Miss from cloudfront</SPAN></P><P><SPAN>Via: 1.1 048de604b26de968a1aa2fe5dd1a0085.cloudfront.net (CloudFront)</SPAN></P><P><SPAN>X-Amz-Cf-Id: xuBEvyqfYSM9Hr0TcWIUJ-CL-n_a8enx3EmVPtId3MItOJgncm_6ew==</SPAN></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 663px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/19283i2A5CA0D304FE4095/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Fri, 29 Mar 2019 15:40:54 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255433#M521 PaulT 2019-03-29T15:40:54Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255581#M522 <P>We are also see ing lots of hits for&nbsp; this signature on ocsp.rootca1.amazontrust.com</P><P>&nbsp;</P> Mon, 01 Apr 2019 06:48:13 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255581#M522 ChrisThuys 2019-04-01T06:48:13Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255629#M523 <P>Hello community,</P><P>&nbsp;</P><P>We have also the same threats traffic detected on our Palo devices and watching to the traffic itself it seems to be ocsp traffic on serveral legitimate servers around amazon, cloudfront...</P><P>&nbsp;</P><P>Can we safely consider this traffic as false positive detection?</P><P>&nbsp;</P><P>Thank you in advance,</P><P>&nbsp;</P><P>Guillaume</P> Tue, 02 Apr 2019 09:15:57 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255629#M523 GuillaumeD 2019-04-02T09:15:57Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255639#M524 <P>I believe that's the reason why this was named "Potential" with "informational" severity. Its definition hints you that the signature is lose enough to be FP prone.</P> Mon, 01 Apr 2019 16:42:30 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255639#M524 mivaldi 2019-04-01T16:42:30Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255908#M525 <P>Here's a few domains that have been triggering the FP for us:</P><P>&nbsp;</P><P>store.moma.org<BR /><A href="http://www.saucony.com" target="_blank">www.saucony.com</A><BR /><A href="http://www.bcbg.com" target="_blank">www.bcbg.com</A></P><P>&nbsp;</P><P>The common denominator seems to be shopping (apparently all our users do) and that all the IPs are hosted on Cloudflare.</P><P>&nbsp;</P><P>Thanks,</P><P>- Steve</P><P>&nbsp;</P> Wed, 03 Apr 2019 15:09:23 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/255908#M525 stevenkadish 2019-04-03T15:09:23Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/256515#M535 <P>This has been fixed by removing the signature for "Cobalt Strike Potential Command and Control Traffic (18927)" in content version 1840 due to the reason it creates lot of false positives and Paloalto decided to rework on this signature&nbsp;</P> Sun, 07 Apr 2019 13:10:30 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/cobalt-strike-potential-command-and-control-traffic-18927/m-p/256515#M535 skumar1 2019-04-07T13:10:30Z