CobaltStrike.Gen Command and Control Traffic(18005) spyware


L0 Member

So I am fairly new to the Palo Alto brand. We installed two PA460s without Panorama, and they replaced our Cisco ASAs. Loving what I have seen so far, and it feels like I have more insight into what is going on with regard to the firewall.

My issue is that in recent months we have been seeing these CobaltStrike.Gen Command and Control Traffic(18005) spyware alerts. The traffic is being dropped, and I have enabled the Sinkhole feature.

I am having trouble tracing it back to the endpoint that initiated the DNS request. In the logs it shows as coming from our internal DNS servers.

So at the direction of Palo Alto support I created a policy to block all sinkhole traffic, and that was supposed to give me the endpoint IP.

I am trying to match the threat log entries for this alert to the timestamps of the sinkhole logs, but they don't exactly match up time-wise.

I am hoping someone can guide me to a solution so that we can track down the endpoint or endpoints creating the issue. I will say from what I have seen so far, it appears to be some Apple devices we use here. I could be wrong about that but those are the only things I see in the sinkhole logs for that time frame. Any help would be appreciated.

2 REPLIES

Community Team Member

Hi @R.Arrington ,


The time mismatch between the threat and traffic logs can happen due to how DNS requests and sinkhole responses are processed. Instead of trying to match exact timestamps, can you try filtering traffic logs by the sinkhole IP as the destination? Do you see recurring internal IPs around the same time frame?

LIVEcommunity team member
Stay Secure,
Jay
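One way to do what the reply above suggests, as an added example that is not part of the thread and not a Palo Alto tool: read exported threat-log and traffic-log rows, keep only traffic whose destination is the sinkhole address, and count which internal sources show up within a time window of each threat hit rather than at the exact same second. The sinkhole address, the DNS server address and all log rows below are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed values (not from the thread): the address the DNS sinkhole object
# was configured with, taken from a documentation range for this example.
SINKHOLE_IP = "203.0.113.10"
C2_SIGNATURE = "CobaltStrike.Gen Command and Control Traffic(18005)"

# Constructed threat-log rows: (receive time, source, threat name).
# The source is the internal DNS server, which is why the threat log alone
# cannot tell you which endpoint asked for the C2 domain.
THREAT_LOG = [
    ("2024-05-01 09:00:05", "10.0.0.53", C2_SIGNATURE),
    ("2024-05-01 13:30:40", "10.0.0.53", C2_SIGNATURE),
    ("2024-05-01 15:00:00", "10.0.0.53", "SomeOther.Signature(1)"),
]

# Constructed traffic-log rows: (receive time, source, destination).
TRAFFIC_LOG = [
    ("2024-05-01 09:00:03", "10.1.4.22", SINKHOLE_IP),   # 2 s before the hit
    ("2024-05-01 09:00:19", "10.1.4.22", SINKHOLE_IP),
    ("2024-05-01 09:01:10", "10.1.7.8", SINKHOLE_IP),    # 65 s after the hit
    ("2024-05-01 13:30:37", "10.1.4.22", SINKHOLE_IP),
    ("2024-05-01 13:30:38", "10.1.4.22", "198.51.100.7"), # not the sinkhole
    ("2024-05-01 13:45:00", "10.1.9.3", SINKHOLE_IP),    # outside any window
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def sinkhole_clients(threat_log, traffic_log, sinkhole_ip, signature, window_s=90):
    """Count internal sources that talked to the sinkhole within +/- window_s
    seconds of any threat-log hit for the given signature."""
    hits = [parse(t) for t, _src, name in threat_log if name == signature]
    window = timedelta(seconds=window_s)
    seen = Counter()
    for ts, src, dst in traffic_log:
        if dst != sinkhole_ip:          # only sessions to the sinkhole matter
            continue
        if any(abs(parse(ts) - h) <= window for h in hits):
            seen[src] += 1
    return seen


def rank_clients(threat_log, traffic_log, sinkhole_ip, signature, window_s=90):
    """Most-recurring sinkhole clients first, e.g. [('10.1.4.22', 3), ('10.1.7.8', 1)]."""
    return sinkhole_clients(threat_log, traffic_log, sinkhole_ip, signature, window_s).most_common()
```

The window size is a judgement call: widen it if the DNS server caches and the traffic session lands well after the threat event, and remember the traffic log only contains sessions the matching rule was configured to log.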

L0 Member

Yeah, the traffic log timestamps weren't matching up with the threat logs or email times. I went back into the Sinkhole object and changed it to only sinkhole the command and control hits. I waited for about a day and finally got another hit. Went to check the traffic logs, since that should be the only thing going to the sinkhole, and now I have no entries in the traffic logs for that rule or the sinkhole IP. I set this up with Palo support, so I am creating a new ticket for this part of the investigation. Appreciate the feedback.
