Cobalt Strike Potential Command and Control Traffic(18927)

apackard · ‎03-28-2019

Anyone seeing this new signature as FP prone?

skumar1 · ‎04-07-2019

This has been fixed by removing the signature for "Cobalt Strike Potential Command and Control Traffic (18927)" in content version 1840 due to the reason it creates lot of false positives and Paloalto decided to rework on this signature

View solution in original post

nigelswift · ‎03-28-2019

We haven't seen any reported at this point.

mivaldi · ‎03-28-2019

The signature is meant to detect an empty space in "HTTP/1.1 200 OK " (right after the OK) in HTTP responses, which may indicate a connection with a NanoHTTPD server, which is 'typically' used in Cobalt Strike's team server.

If you see other HTTPD implementations inserting the "extraneous space", do let us know.

More information available at:

https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/

apackard · ‎03-28-2019

Hi, yes, I guessed that might be what you defined the signature for.

We are seeing hits on this, obviously hoping that it’s a false positive.....

It seems to be triggering on valid websites as far as we can tell, and it’s not just one, so either there are a lot of compromised commercial websites or it’s too sensitive. I can provide the packet captures as necessary.

apackard · ‎03-28-2019

As a FYI here are three domains we're seeing hits on:-

www.merrell.com

www.belk.com

www.hotelchocolat.com

Rgds

PaulT · ‎03-29-2019

We are seeing what we think are false postives with this signature. We see lots of OCSP traffic from Amazon and others that has space after the 200 OK.

POST / HTTP/1.0

Connection: Keep-Alive

Content-Type: application/ocsp-request

Accept: */*

User-Agent: Entrust Entelligence Security Provider

Content-Length: 121

Host: ocsp.rootg2.amazontrust.com

0w0u.....0N0L0J0...+.......}.D^g.|.wNC..>...s...._.....0+8...mJ..........J*'.....+.........0.0.. +.....0...

0.. +.....0..HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Content-Length: 1546

Connection: keep-alive

Date: Fri, 29 Mar 2019 09:56:06 GMT

Server: WEBrick/1.3.1 (Ruby/2.3.8/2018-10-18)

X-Cache: Miss from cloudfront

Via: 1.1 048de604b26de968a1aa2fe5dd1a0085.cloudfront.net (CloudFront)

X-Amz-Cf-Id: xuBEvyqfYSM9Hr0TcWIUJ-CL-n_a8enx3EmVPtId3MItOJgncm_6ew==

ChrisThuys · ‎03-31-2019

We are also see ing lots of hits for this signature on ocsp.rootca1.amazontrust.com

GuillaumeD · ‎04-01-2019

Hello community,

We have also the same threats traffic detected on our Palo devices and watching to the traffic itself it seems to be ocsp traffic on serveral legitimate servers around amazon, cloudfront...

Can we safely consider this traffic as false positive detection?

Thank you in advance,

Guillaume

mivaldi · ‎04-01-2019

I believe that's the reason why this was named "Potential" with "informational" severity. Its definition hints you that the signature is lose enough to be FP prone.

stevenkadish · ‎04-03-2019

Here's a few domains that have been triggering the FP for us:

store.moma.org
www.saucony.com
www.bcbg.com

The common denominator seems to be shopping (apparently all our users do) and that all the IPs are hosted on Cloudflare.

Thanks,

- Steve

Cobalt Strike Potential Command and Control Traffic(18927)

Cobalt Strike Potential Command and Control Traffic(18927)

Show your appreciation!