New with Suricata - Cobalt Strike botnet warning

Hello,

I am new to Suricata, and in the first three weeks I have encountered two alerts that worry me: ThreatFox Cobalt Strike botnet C2 traffic.

We only have one file server 10.20.10.10 and one terminal server 10.20.10.20 on the network. The two warnings are these:

Aug 17 11:54:30 OPNsense.company.org suricata [info] {"timestamp": "2021-08-17T11:54:24.594448+0200", "flow_id": 177758081651216, "in_iface": "vmx1", "event_type": "alert", "src_ip": "10.20.10.20", "src_port": 61915, "dest_ip": "217.160.0.211", "dest_port": 443, "proto": "TCP", "alert": {"action": "allowed", "gid": 1, "signature_id": 90159163, "rev": 1, "signature": "ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)", "category": "A Network Trojan was Detected", "severity": 1, "source": {"ip": "217.160.0.211", "port": 443}, "target": {"ip": "10.20.10.20", "port": 61915}, "metadata": {"first_seen": ["2021_07_09"], "confidence_level": ["100"]}}, "flow": {"pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 74, "bytes_toclient": 0, "start": "2021-08-17T11:54:24.594448+0200"}, "payload_printable": "", "stream": 0}

Aug 16 17:24:36 OPNsense.company.org suricata [info] {"timestamp": "2021-08-16T17:24:34.016953+0200", "flow_id": 981780185367097, "in_iface": "vmx1", "event_type": "alert", "src_ip": "10.20.10.10", "src_port": 61687, "dest_ip": "198.49.23.144", "dest_port": 443, "proto": "TCP", "alert": {"action": "allowed", "gid": 1, "signature_id": 90159034, "rev": 1, "signature": "ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)", "category": "A Network Trojan was Detected", "severity": 1, "source": {"ip": "198.49.23.144", "port": 443}, "target": {"ip": "10.20.10.10", "port": 61687}, "metadata": {"first_seen": ["2021_07_09"], "confidence_level": ["100"]}}, "flow": {"pkts_toserver": 1, "pkts_toclient": 0, "bytes_toserver": 66, "bytes_toclient": 0, "start": "2021-08-16T17:24:34.016953+0200"}, "payload_printable": "", "stream": 0}

Do you think I should be worried? How would you proceed if you had something like this?

Or do I just have to get used to such messages coming from time to time?

PS: All other warnings from Suricata during this time are not problematic, for example unusual TLDs, but I can explain them.

Greetings,
Oliver

I’m not familiar with this rule / ruleset, so it’s hard to say. If you’re able to share the rule here, we might be able to assist some more. Otherwise I would suggest reaching out to the rule writer to see if they can assist.

You should definitely investigate those alerts; more details about the IOCs that you got an alert on can be found in the ThreatFox database:

You should ask why those servers contacted those IP addresses.

Hello,

I would block those IPs and investigate the servers.

Hello,

Thank you very much for your advice!

First of all, OPNsense with “ET Pro Telemetry edition ruleset”.

I have since noticed that the two devices were terminal servers. I was mistaken in saying that one of the servers was a file server.

I now understand that the warning occurred because there was contact with IP addresses that are also used by “Cobalt Strike botnet”. For this to happen, it is probably enough for one of the users to visit a web page that has a link to a Cobalt server built in.

I hadn’t understood that it was the IP address that triggered the warning.

The users use an up-to-date Google Chrome. I will check the terminal servers offline with a signature-based virus scanner in the near future.

But I am not worried anymore, because it was really only one warning per server. I have looked at all other messages and think that they are unproblematic (contact to TLDs like .to, .cc etc.).

It would be different if a file server (where nobody goes to the Internet) also contacted the IP address, then I should be much more worried.

Thanks for the link to https://threatfox.abuse.ch/ - that is very interesting and I have saved it.

If you think otherwise - I am open to corrections.

Best Regards,
Oliver

Today we received a bunch of alerts from an OPNsense with the Telemetry rulesets for this rule:

"signature_id":90393151,"rev":1,"signature":"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)","category":"A Network Trojan was detected","severity":1,"source":{"ip":"13.33.165.86","port":443}

Turns out that Lenovo Vantage is talking to that IP as per Sysmon:
Dns query:
RuleName: -
UtcTime: 2022-09-07 18:29:05.163
ProcessGuid: {38fa637d-ae51-6310-7b0a-000000001f00}
ProcessId: 3672
QueryName: filedownload.csw.lenovo.com
QueryStatus: 0
QueryResults: type: 5 filedownload-csw-lenovo.com;::ffff:13.33.165.13;::ffff:13.33.165.86;::ffff:13.33.165.32;::ffff:13.33.165.70;
Image: C:\Program Files (x86)\Lenovo\VantageService\3.13.14.0\LenovoVantageService.exe

As an aside, I highly recommend that anyone running Suricata also deploys a Sysmon config to allow tracing of alarming events like these.
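As an added example (not code from this thread, from Suricata or from Sysmon), the following Python does the correlation the post above did by hand: it reads a Suricata EVE alert line and Sysmon "Dns query" records in the key: value text form shown above, and reports which process resolved a name to the alerted destination IP shortly before the alert. The alert line and the Sysmon record are constructed from the field layouts in the thread; the source IP, the timestamps and the five-minute window are assumptions.

```python
import json
import re
from datetime import datetime, timezone
# Constructed Suricata EVE alert line in the thread's layout (src_ip is made up).
EVE_LINES = [
    '{"timestamp": "2022-09-07T20:29:07.000000+0200", "event_type": "alert", "src_ip": "10.20.10.20", '
    '"dest_ip": "13.33.165.86", "dest_port": 443, "proto": "TCP", "alert": {"signature_id": 90393151, '
    '"signature": "ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"}}',
]
# Constructed Sysmon "Dns query" (Event ID 22) record in the key: value text form shown above.
SYSMON_TEXT = r"""Dns query:
UtcTime: 2022-09-07 18:29:05.163
QueryName: filedownload.csw.lenovo.com
QueryResults: type: 5 filedownload-csw-lenovo.com;::ffff:13.33.165.13;::ffff:13.33.165.86;
Image: C:\Program Files (x86)\Lenovo\VantageService\3.13.14.0\LenovoVantageService.exe
"""
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_sysmon(text):
    """Split Sysmon text into records; each 'Dns query:' header starts a new one."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Dns query:":
            cur = {}
            records.append(cur)
        elif cur is not None and ": " in line:
            key, val = line.split(": ", 1)  # values may themselves contain ": "
            cur[key] = val.strip()
    out = []
    for r in records:
        ts = datetime.strptime(r["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        # QueryResults mixes CNAME entries ("type: 5 name") with ::ffff:-mapped IPv4 answers
        out.append({"time": ts, "ips": set(IP_RE.findall(r.get("QueryResults", ""))),
                    "query": r["QueryName"], "image": r["Image"]})
    return out

def correlate(eve_lines, sysmon_text, window_s=300):
    """For each alert, return DNS lookups that answered dest_ip up to window_s before it."""
    dns, hits = parse_sysmon(sysmon_text), []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        t = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        for d in dns:
            lag = (t - d["time"]).total_seconds()
            if ev["dest_ip"] in d["ips"] and 0 <= lag <= window_s:
                hits.append({"dest_ip": ev["dest_ip"], "signature_id": ev["alert"]["signature_id"],
                             "query": d["query"], "image": d["image"], "lag_s": lag})
    return hits
```

On real data, feed `correlate` the lines of eve.json and the exported Sysmon Event ID 22 text; a hit names the process and the domain behind the IP, and no hit within the window is itself a reason to look harder at the host.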