For details on cookie usage on our site, read our Privacy Policy
Cobalt Strike Potential Command and Control Traffic(18927)
- LIVEcommunity
- Discussions
- Cloud Delivered Security Services
- Threat & Vulnerability
- Cobalt Strike Potential Command and Control Traffic(18927)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-07-2019 06:10 AM
This has been fixed by removing the signature for "Cobalt Strike Potential Command and Control Traffic (18927)" in content version 1840 due to the reason it creates lot of false positives and Paloalto decided to rework on this signature
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-28-2019 10:58 AM
We haven't seen any reported at this point.
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-28-2019 03:50 PM - edited 03-28-2019 03:51 PM
The signature is meant to detect an empty space in "HTTP/1.1 200 OK " (right after the OK) in HTTP responses, which may indicate a connection with a NanoHTTPD server, which is 'typically' used in Cobalt Strike's team server.
If you see other HTTPD implementations inserting the "extraneous space", do let us know.
More information available at:
https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-28-2019 04:00 PM
Hi, yes, I guessed that might be what you defined the signature for.
We are seeing hits on this, obviously hoping that it’s a false positive.....
It seems to be triggering on valid websites as far as we can tell, and it’s not just one, so either there are a lot of compromised commercial websites or it’s too sensitive. I can provide the packet captures as necessary.
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-28-2019 06:09 PM
As a FYI here are three domains we're seeing hits on:-
Rgds
- False positive - Threat ID 86672 - NewPOSThing Command and Control Traffic Detection in Threat & Vulnerability Discussions
- High vulnerabilities PAN-OS reported by vulnerability management scan in Threat & Vulnerability Discussions
- Potential false positive AV for MS VisualStudio update in Threat & Vulnerability Discussions
- Latest DDOS attack related issue on Palo alto in Threat & Vulnerability Discussions
- DNS Security and Untrust to Untrust Alerts in Threat & Vulnerability Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
