
False Positive: C&C Communication — PSEmpire SSL Activity

JRNolan

New Life Form
Anyone else seeing this in the past week? Just want to verify to management that it's a false positive.

IPs - 131.253.61.102, 131.253.61.82, 131.253.61.64, 131.253.61.98, 131.253.61.64, 131.253.61.70, which point to Microsoft Live.


Thanks!
tracy.dangerAlienWolf


Comments

  • I received a couple hundred of the same alarms from those same IP addresses this morning.
    tracy.dangerJRNolan
  • Yes it seems so. We are seeing this activity from -
    IPs: 131.253.61.100, 131.253.61.98, 131.253.61.66, 131.253.61.82, 131.253.61.120 and 131.253.61.102.

    These appear to be IPs for Digicert.com (link below). I believe this is flagging due to the use of Omniroot2025.crl (however I may be wrong). I do know we are seeing this run from 
    http://crl3.digicert.com/Omniroot2025.crl. Kaspersky was also putting out false positives on this same flag. Omniroot2025 seems to be a property of Microsoft but I am having trouble seeing exactly what it is.

    https://www.digicert.com/


    JRNolan
  • #JRNolan sorry it did not wrap text fo
  • *from my first post. 
  • We started seeing overnight as well.

    NIDS event 2828823 which is "ETPRO TROJAN
    Observed Possible Malicious SSL Cert (Powershell Empire)"

    Sources are Microsoft IP ranges 131.253.61.0/24 & 204.79.196.0/23.

    Seems to all be traffic to sites with the same DigiCert certificate used by Microsoft on the following sites: 

    DNS Name=login.live.com
    DNS Name=loginnet.passport.com
    DNS Name=msnia.login.live.com
    DNS Name=pst.microsoftpassportsupport.net
    DNS Name=api.login.live.com
    DNS Name=tools.login.live.com
    DNS Name=xml.login.live.com
    DNS Name=ipv6.login.live.com
    DNS Name=ipv4.login.live.com
    DNS Name=nexus.passport.com
    DNS Name=login.passport.com
    DNS Name=msnialogin.passport.com
    DNS Name=gateway.api.live.com
    DNS Name=gateway.login.live.com
    DNS Name=active.api.live.com
    DNS Name=active.login.live.com
    DNS Name=g2.login.live.com
    DNS Name=g1.login.live.com

    tracy.danger
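    A triage check for the alerts described in this post, added here as an example and not code from the thread or from any vendor: it marks an event 2828823 alert as a likely false positive only when the destination falls in one of the two Microsoft ranges quoted above and the TLS name is one of the DNS names on the shared DigiCert certificate. It assumes Suricata EVE JSON records with `alert.signature_id`, `dest_ip` and `tls.sni` or `tls.subject` fields; the sample records are constructed.

```python
import ipaddress
import json

# Values quoted in the thread: the ETPRO signature id, the two Microsoft
# ranges, and the DNS names on the shared DigiCert certificate.
EMPIRE_SIG_ID = 2828823
KNOWN_RANGES = [ipaddress.ip_network(n) for n in ("131.253.61.0/24", "204.79.196.0/23")]
KNOWN_CERT_NAMES = {
    "login.live.com", "loginnet.passport.com", "msnia.login.live.com",
    "pst.microsoftpassportsupport.net", "api.login.live.com", "tools.login.live.com",
    "xml.login.live.com", "ipv6.login.live.com", "ipv4.login.live.com",
    "nexus.passport.com", "login.passport.com", "msnialogin.passport.com",
    "gateway.api.live.com", "gateway.login.live.com", "active.api.live.com",
    "active.login.live.com", "g2.login.live.com", "g1.login.live.com",
}

def in_known_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)

def triage(event: dict) -> str:
    """Classify one EVE alert record (assumed shape: alert.signature_id,
    dest_ip, tls.sni / tls.subject) as 'likely-fp', 'review' or 'investigate'."""
    if event.get("alert", {}).get("signature_id") != EMPIRE_SIG_ID:
        return "investigate"           # other rules are out of scope here
    tls = event.get("tls", {})
    # Prefer the SNI; fall back to the CN at the end of the subject string.
    name = tls.get("sni") or tls.get("subject", "").split("CN=")[-1]
    if in_known_range(event["dest_ip"]) and name in KNOWN_CERT_NAMES:
        return "likely-fp"             # exactly the pattern the thread describes
    if in_known_range(event["dest_ip"]):
        return "review"                # Microsoft range, but an unfamiliar cert name
    return "investigate"               # neither condition holds: treat as real

def summarize(eve_lines) -> dict:
    """Count triage outcomes over an iterable of EVE JSON lines."""
    counts = {"likely-fp": 0, "review": 0, "investigate": 0}
    for line in eve_lines:
        counts[triage(json.loads(line))] += 1
    return counts

# Constructed sample records, not captured from any real sensor.
SAMPLE_EVE = [
    '{"dest_ip": "131.253.61.98", "alert": {"signature_id": 2828823}, "tls": {"sni": "login.live.com"}}',
    '{"dest_ip": "204.79.197.200", "alert": {"signature_id": 2828823}, "tls": {"subject": "C=US, CN=unfamiliar.example"}}',
    '{"dest_ip": "198.51.100.7", "alert": {"signature_id": 2828823}, "tls": {"sni": "unmatched.example"}}',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVE))
```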
  • There is a FP on the snort side for this rule that we will fix today, anyone seeing this FP on the suricata side?
  • Yes, we are using ETPRO suricata across multiple (dozen or so) sites and we are seeing this FP as well.
  • So, these are false positives? I traced it back to the cybertrust.omniroot.com which is a Verizon certificate services. The following IP address is associated with it # 104.146.184.68
    tracy.danger
  • #AngeloStizz  Ours look like false positives. We also got omniroot but from crl3.digicert.com/Omniroot2025.crl
  • We are now getting events from geotrust. Any one else?
  • I am getting events from geotrust as well but the majority of the source IPs are resolving to Google.


  • DHeady and Tracy.Danger,

    I have not received any alarms relating to GeoTrust. 
  • #tracy.danger Thanks, the alarms I have are reporting back to Microsoft 
  • Also received dozens/hundreds of these this weekend into today. These are the two IPs we are seeing trigger.

    52.109.120.17 - Microsoft 

    38.97.114.21 - Bit9/Carbon Black

    adam.nohava
  • Seeing the same @NickAures pointing to - Microsoft (52.109.120.17)
    NickAures
  • It appears ET came out with a new revision to the sig, but FPs still fire. Examining the pcaps shows the certs are for legitimate services, and even if they are being used as even a connectivity check by this PS Empire trojan, it isn't a good detection. They have further work to do on this signature.
    NickAures
  • I received this same alarm referring to SSL traffic from 3 different IP addresses which all look up to Microsoft. Alarms began on 8 December with the last one being 4 days ago on 15 December.
    13.107.6.151

    40.84.192.103

    65.55.169.46


    All internal devices referenced in the alarms were using some form of Microsoft Office 365 and all but 1 were IOS or OSX devices.

    When looking through the raw logs, I see a lot of traffic (as expected) between internal hosts and these IP addresses. However, the majority of that traffic has not generated alarms.

    I'm not an expert at Suricata rules but when I searched through the pcap of the events that triggered the alarms, it seemed that the content matching was not functioning as the author expected it to.

  • I'm seeing the same all related to Microsoft IPs.
  • Must be the thing for December.  Seeing this alarm again this December even though I haven't seen this since last December.  This time I see this alarm in reference to 52.109.2.18 and 52.109.20.4 and url roaming.officeapps.live.com.
    asdf39434