Snort mailing list archives
Re: Comodo Firewall, Comodo Dragon, svchost.exe and MS Office 2016 Triggering Snort IDS Alerts "A Network Trojan was Detected"
From: Turritopsis Dohrnii Teo En Ming <turritopsis.dohrnii () teo-en-ming com>
Date: Thu, 8 Nov 2018 07:58:21 +0000
It is now time for me to start learning how to use Wireshark network protocol analyzer!

________________________________
From: John Byrne <jbyrnescu () gmail com>
Sent: Thursday, November 8, 2018 1:33 PM
To: Turritopsis Dohrnii Teo En Ming
Cc: snort-users () lists snort org
Subject: Re: [Snort-users] Comodo Firewall, Comodo Dragon, svchost.exe and MS Office 2016 Triggering Snort IDS Alerts "A Network Trojan was Detected"

These are all port 80 (unencrypted HTTP). Why don't you use Snort, or your favorite packet capturing tool, to find out what's being sent/received? Just a thought.

John Byrne

On Nov 7, 2018, at 1:19 AM, Turritopsis Dohrnii Teo En Ming <turritopsis.dohrnii () teo-en-ming com> wrote:

Good afternoon from Singapore,

I am extremely alarmed as to why Comodo Firewall and svchost.exe are behaving like a network trojan and downloading executable files from Content Delivery Network (CDN) web servers 103.1.138.x. Has my Windows client operating system been compromised? Please, somebody please shed light on this.

Excerpt from Wikipedia on svchost.exe (https://en.wikipedia.org/wiki/Svchost.exe):

svchost.exe (Service Host, or SvcHost) is a system process that can host from one to many Windows services in the Windows NT family of operating systems.[1] Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption. Grouping multiple services into a single process conserves computing resources, and this consideration was of particular concern to NT designers because creating Windows processes takes more time and consumes more memory than in other operating systems, e.g. in the Unix family.[2] However, if one of the services causes an unhandled exception, the entire process may crash. In addition, identifying component services can be more difficult for end users. Problems with various hosted services, particularly with Windows Update,[3][4] get reported by users (and headlined by the press) as involving svchost. The svchost process was introduced in Windows 2000,[5] although the underlying support for shared service processes has existed since Windows NT 3.1.[2]

My question is, which component services in svchost.exe are behaving like a network trojan and downloading executable files from CDN web servers 103.1.138.x? Which security tool will allow me to perform this kind of identification?

Thank you.

________________________________
From: Turritopsis Dohrnii Teo En Ming
Sent: Sunday, November 4, 2018 11:49 AM
To: snort-users () lists snort org
Cc: Turritopsis Dohrnii Teo En Ming
Subject: Comodo Firewall, Comodo Dragon, svchost.exe and MS Office 2016 Triggering Snort IDS Alerts "A Network Trojan was Detected"

Good morning from Singapore,

Thank you Wei Chea for recommending Sysmon and osquery to me. I have finally been able to pinpoint which Windows processes are triggering Snort Intrusion Detection System (IDS) alerts "A Network Trojan was detected". These Windows processes are: Comodo Firewall 10 cmdagent.exe, Comodo Dragon web browser updater, svchost.exe and Microsoft Office 2016 Click-to-Run.
I shall reproduce all the 65 Sysmon network events from 2 Nov 2018 to 4 Nov 2018 below. Do you think that my Windows client operating system has been trojaned?

===BEGIN SYSMON NETWORK EVENTS===

Fields common to every event (Event Viewer export columns Level / Date and Time / Source / Event ID / Task Category): Level Information; Source Microsoft-Windows-Sysmon; Event ID 3, Task Category "Network connection detected (rule: NetworkConnect)"; RuleName empty; Protocol tcp; Initiated true; SourceIsIpv6 false; SourceIp A.B.C.D; SourceHostname TEO-EN-MING.teo-en-ming-corp.com; SourcePortName empty; DestinationIsIpv6 false; DestinationPort 80; DestinationPortName http. Local time is UTC+8.

Processes seen:
  [A] Image C:\Windows\System32\svchost.exe  ProcessId 10440  ProcessGuid {B066A9C4-4865-5BD2-0000-0010A3764A00}  User NT AUTHORITY\NETWORK SERVICE
  [B] Image C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\16.0.11001.20074\OfficeClickToRun.exe  ProcessId 12572  ProcessGuid {B066A9C4-539E-5BDE-0000-0010469AD33E}  User NT AUTHORITY\SYSTEM
  [C] Image C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe  ProcessId 4780  ProcessGuid {B066A9C4-47EB-5BD2-0000-0010F70E0400}  User NT AUTHORITY\SYSTEM
  [D] Image C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe  ProcessId 4736  ProcessGuid {B066A9C4-47EB-5BD2-0000-00104B0A0400}  User NT AUTHORITY\SYSTEM
  [E] Image C:\Windows\System32\svchost.exe  ProcessId 4408  ProcessGuid {B066A9C4-47EB-5BD2-0000-0010BBFB0300}  User NT AUTHORITY\NETWORK SERVICE

Local time        UtcTime                  Proc  SourcePort  DestinationIp  DestinationHostname
4/11/2018 10:05   2018-11-04 02:05:02.210  [A]   56175       103.1.138.204  204.138.1.103.unknown.m1.com.sg
4/11/2018 10:05   2018-11-04 02:05:02.187  [A]   56172       103.1.138.204  204.138.1.103.unknown.m1.com.sg
4/11/2018 10:04   2018-11-04 02:04:56.118  [A]   56144       103.1.138.149  149.138.1.103.unknown.m1.com.sg
4/11/2018 10:04   2018-11-04 02:04:56.104  [A]   56142       103.1.138.149  149.138.1.103.unknown.m1.com.sg
4/11/2018 10:04   2018-11-04 02:04:13.490  [B]   56128       103.1.138.149  149.138.1.103.unknown.m1.com.sg
4/11/2018 10:04   2018-11-04 02:04:13.199  [B]   56126       103.1.138.155  155.138.1.103.unknown.m1.com.sg
4/11/2018 10:04   2018-11-04 02:03:59.798  [A]   55930       103.1.138.141  141.138.1.103.unknown.m1.com.sg
4/11/2018 10:03   2018-11-04 02:03:49.837  [A]   55720       103.1.138.141  141.138.1.103.unknown.m1.com.sg
4/11/2018 10:03   2018-11-04 02:03:49.824  [A]   55719       103.1.138.141  141.138.1.103.unknown.m1.com.sg
4/11/2018 10:03   2018-11-04 02:03:49.823  [A]   55718       103.1.138.141  141.138.1.103.unknown.m1.com.sg
4/11/2018 10:03   2018-11-04 02:03:49.806  [A]   55713       103.1.138.141  141.138.1.103.unknown.m1.com.sg
4/11/2018 10:03   2018-11-04 02:03:49.771  [A]   55711       103.1.138.141  141.138.1.103.unknown.m1.com.sg
4/11/2018 10:03   2018-11-04 02:03:31.629  [A]   55684       103.1.138.149  149.138.1.103.unknown.m1.com.sg
4/11/2018 10:03   2018-11-04 02:03:31.610  [A]   55682       103.1.138.149  149.138.1.103.unknown.m1.com.sg
4/11/2018 10:03   2018-11-04 02:03:31.572  [A]   55679       103.1.138.149  149.138.1.103.unknown.m1.com.sg
4/11/2018 10:03   2018-11-04 02:03:25.304  [A]   55671       103.1.138.141  141.138.1.103.unknown.m1.com.sg
4/11/2018 10:03   2018-11-04 02:03:25.163  [A]   55669       103.1.138.141  141.138.1.103.unknown.m1.com.sg
4/11/2018 8:52    2018-11-04 00:52:47.996  [C]   55424       103.1.138.141  141.138.1.103.unknown.m1.com.sg
4/11/2018 7:31    2018-11-03 23:31:49.880  [D]   55160       103.1.138.204  204.138.1.103.unknown.m1.com.sg
4/11/2018 7:24    2018-11-03 23:24:35.523  [E]   55127       103.1.138.141  141.138.1.103.unknown.m1.com.sg
4/11/2018 6:24    2018-11-03 22:24:24.552  [E]   54884       103.1.138.149  149.138.1.103.unknown.m1.com.sg
4/11/2018 2:52    2018-11-03 18:52:48.266  [C]   54211       103.1.138.141  141.138.1.103.unknown.m1.com.sg
4/11/2018 1:30    2018-11-03 17:30:50.251  [D]   53944       103.1.138.204  204.138.1.103.unknown.m1.com.sg
3/11/2018 23:32   2018-11-03 15:32:17.044  [A]   53587       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:32   2018-11-03 15:32:07.076  [A]   53585       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:32   2018-11-03 15:32:07.063  [A]   53584       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:32   2018-11-03 15:32:02.032  [A]   53581       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:31   2018-11-03 15:31:42.039  [A]   53578       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:31   2018-11-03 15:31:42.039  [A]   53577       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:31   2018-11-03 15:31:18.941  [A]   53568       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:31   2018-11-03 15:31:18.939  [A]   53567       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:31   2018-11-03 15:31:08.981  [A]   53563       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:31   2018-11-03 15:31:08.959  [A]   53564       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   2018-11-03 15:30:45.361  [A]   53559       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   2018-11-03 15:30:35.381  [A]   53553       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   2018-11-03 15:30:35.373  [A]   53554       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   2018-11-03 15:30:19.991  [A]   53549       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   2018-11-03 15:30:10.017  [A]   53542       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   2018-11-03 15:30:10.004  [A]   53543       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   2018-11-03 15:30:09.270  [A]   53537       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   2018-11-03 15:30:09.256  [A]   53536       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   2018-11-03 15:30:07.638  [A]   53533       103.1.138.139  139.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   2018-11-03 15:30:02.631  [A]   53516       103.1.138.138  138.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   2018-11-03 15:30:02.592  [A]   53514       103.1.138.138  138.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   2018-11-03 15:29:58.876  [A]   53511       103.1.138.138  138.138.1.103.unknown.m1.com.sg
3/11/2018 23:30   Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName:
UtcTime: 2018-11-03 15:29:58.150 ProcessGuid: {B066A9C4-4865-5BD2-0000-0010A3764A00} ProcessId: 10440 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 53505 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.138 DestinationHostname: 138.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 23:30 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 15:29:58.110 ProcessGuid: {B066A9C4-4865-5BD2-0000-0010A3764A00} ProcessId: 10440 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 53502 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.138 DestinationHostname: 138.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 23:30 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 15:29:58.041 ProcessGuid: {B066A9C4-4865-5BD2-0000-0010A3764A00} ProcessId: 10440 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 53500 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.150 DestinationHostname: 150.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 23:30 Microsoft-Windows-Sysmon 3 Network 
connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 15:29:57.668 ProcessGuid: {B066A9C4-4865-5BD2-0000-0010A3764A00} ProcessId: 10440 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 53497 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.139 DestinationHostname: 139.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 23:30 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 15:29:57.653 ProcessGuid: {B066A9C4-4865-5BD2-0000-0010A3764A00} ProcessId: 10440 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 53496 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.139 DestinationHostname: 139.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 20:52 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 12:52:53.442 ProcessGuid: {B066A9C4-47EB-5BD2-0000-0010F70E0400} ProcessId: 4780 Image: C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe User: NT AUTHORITY\SYSTEM Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 52916 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.141 DestinationHostname: 141.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> 
DestinationPort: 80 DestinationPortName: http Information 3/11/2018 19:29 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 11:29:51.027 ProcessGuid: {B066A9C4-47EB-5BD2-0000-00104B0A0400} ProcessId: 4736 Image: C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe User: NT AUTHORITY\SYSTEM Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 52640 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.204 DestinationHostname: 204.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 15:53 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 07:53:46.646 ProcessGuid: {B066A9C4-47EB-5BD2-0000-0010BBFB0300} ProcessId: 4408 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 51813 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.141 DestinationHostname: 141.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 15:19 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 07:19:38.319 ProcessGuid: {B066A9C4-47EB-5BD2-0000-0010BBFB0300} ProcessId: 4408 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 51706 SourcePortName: DestinationIsIpv6: false DestinationIp: 
103.1.138.149 DestinationHostname: 149.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 14:52 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 06:52:49.117 ProcessGuid: {B066A9C4-47EB-5BD2-0000-0010F70E0400} ProcessId: 4780 Image: C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe User: NT AUTHORITY\SYSTEM Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 51594 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.141 DestinationHostname: 141.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 13:28 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 05:28:50.720 ProcessGuid: {B066A9C4-47EB-5BD2-0000-00104B0A0400} ProcessId: 4736 Image: C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe User: NT AUTHORITY\SYSTEM Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 51297 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.204 DestinationHostname: 204.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 8:52 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 00:52:49.271 ProcessGuid: {B066A9C4-47EB-5BD2-0000-0010F70E0400} ProcessId: 4780 Image: C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe User: NT AUTHORITY\SYSTEM Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: 
TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 50220 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.141 DestinationHostname: 141.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 7:27 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-02 23:27:50.297 ProcessGuid: {B066A9C4-47EB-5BD2-0000-00104B0A0400} ProcessId: 4736 Image: C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe User: NT AUTHORITY\SYSTEM Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 49961 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.204 DestinationHostname: 204.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 2:52 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-02 18:52:49.783 ProcessGuid: {B066A9C4-47EB-5BD2-0000-0010F70E0400} ProcessId: 4780 Image: C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe User: NT AUTHORITY\SYSTEM Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 65395 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.141 DestinationHostname: 141.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 1:26 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-02 17:26:49.203 ProcessGuid: {B066A9C4-47EB-5BD2-0000-00104B0A0400} ProcessId: 4736 Image: C:\Program Files 
(x86)\Comodo\Dragon\dragon_updater.exe User: NT AUTHORITY\SYSTEM Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 65085 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.204 DestinationHostname: 204.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 1:09 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-02 17:09:00.978 ProcessGuid: {B066A9C4-47EB-5BD2-0000-0010BBFB0300} ProcessId: 4408 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 65020 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.141 DestinationHostname: 141.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 3/11/2018 0:01 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-02 16:01:01.405 ProcessGuid: {B066A9C4-47EB-5BD2-0000-0010BBFB0300} ProcessId: 4408 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 64768 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.149 DestinationHostname: 149.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 2/11/2018 23:25 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-02 15:25:32.818 
ProcessGuid: {B066A9C4-4865-5BD2-0000-0010A3764A00} ProcessId: 10440 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 64665 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.138 DestinationHostname: 138.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 2/11/2018 23:25 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-02 15:25:29.299 ProcessGuid: {B066A9C4-4865-5BD2-0000-0010A3764A00} ProcessId: 10440 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 64661 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.138 DestinationHostname: 138.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http Information 2/11/2018 23:25 Microsoft-Windows-Sysmon 3 Network connection detected (rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-02 15:25:28.674 ProcessGuid: {B066A9C4-4865-5BD2-0000-0010A3764A00} ProcessId: 10440 Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com<http://teo-en-ming.teo-en-ming-corp.com/> SourcePort: 64657 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.150 DestinationHostname: 150.138.1.103.unknown.m1.com.sg<http://unknown.m1.com.sg/> DestinationPort: 80 DestinationPortName: http ===END SYSMON NETWORK EVENTS=== Please advise. Thank you very much. 
===BEGIN SIGNATURE===
Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 30 Oct 2017
[1] https://tdtemcerts.wordpress.com/
[2] http://tdtemcerts.blogspot.sg/
[3] https://www.scribd.com/user/270125049/Teo-En-Ming
===END SIGNATURE===

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
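The Sysmon export in the quoted post is a single run-together block, which is why it is hard to answer the poster's question by eye. As an added example (not code from the original post, and not part of Sysmon or Snort), the Python below parses records in that pasted Event Viewer format and summarises, per process image, PID and user, how many outbound connections were made, to which ip:port, and over what UTC time span; it also lists which of them went to port 80 in the clear, the point John Byrne raised. The sample input is a constructed excerpt of four records copied from the post; the function names are mine.

```python
"""Triage helper for flattened Sysmon Event ID 3 (NetworkConnect) records.

Added example, not from the original post or from Sysmon/Snort. It assumes the
export is in the run-together Event Viewer form shown in the post, where every
record starts with "Information <date> <time> Microsoft-Windows-Sysmon 3".
"""
import re

# Constructed sample: four records copied from the post's export, joined with
# spaces exactly as the archived mail runs them together.
_RECORDS = [
    # svchost.exe (PID 10440, NETWORK SERVICE) -> 103.1.138.139:80
    r"Information 3/11/2018 23:30 Microsoft-Windows-Sysmon 3 Network connection detected "
    r"(rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 15:30:35.381 "
    r"ProcessGuid: {B066A9C4-4865-5BD2-0000-0010A3764A00} ProcessId: 10440 "
    r"Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp "
    r"Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com "
    r"SourcePort: 53553 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.139 "
    r"DestinationHostname: 139.138.1.103.unknown.m1.com.sg DestinationPort: 80 DestinationPortName: http",
    # same svchost.exe -> 103.1.138.138:80, about 33 seconds earlier
    r"Information 3/11/2018 23:30 Microsoft-Windows-Sysmon 3 Network connection detected "
    r"(rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 15:30:02.631 "
    r"ProcessGuid: {B066A9C4-4865-5BD2-0000-0010A3764A00} ProcessId: 10440 "
    r"Image: C:\Windows\System32\svchost.exe User: NT AUTHORITY\NETWORK SERVICE Protocol: tcp "
    r"Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com "
    r"SourcePort: 53516 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.138 "
    r"DestinationHostname: 138.138.1.103.unknown.m1.com.sg DestinationPort: 80 DestinationPortName: http",
    # Comodo cmdagent.exe (PID 4780, SYSTEM) -> 103.1.138.141:80
    r"Information 3/11/2018 20:52 Microsoft-Windows-Sysmon 3 Network connection detected "
    r"(rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 12:52:53.442 "
    r"ProcessGuid: {B066A9C4-47EB-5BD2-0000-0010F70E0400} ProcessId: 4780 "
    r"Image: C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe User: NT AUTHORITY\SYSTEM "
    r"Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com "
    r"SourcePort: 52916 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.141 "
    r"DestinationHostname: 141.138.1.103.unknown.m1.com.sg DestinationPort: 80 DestinationPortName: http",
    # Comodo Dragon updater (PID 4736, SYSTEM) -> 103.1.138.204:80
    r"Information 3/11/2018 19:29 Microsoft-Windows-Sysmon 3 Network connection detected "
    r"(rule: NetworkConnect) Network connection detected: RuleName: UtcTime: 2018-11-03 11:29:51.027 "
    r"ProcessGuid: {B066A9C4-47EB-5BD2-0000-00104B0A0400} ProcessId: 4736 "
    r"Image: C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe User: NT AUTHORITY\SYSTEM "
    r"Protocol: tcp Initiated: true SourceIsIpv6: false SourceIp: A.B.C.D SourceHostname: TEO-EN-MING.teo-en-ming-corp.com "
    r"SourcePort: 52640 SourcePortName: DestinationIsIpv6: false DestinationIp: 103.1.138.204 "
    r"DestinationHostname: 204.138.1.103.unknown.m1.com.sg DestinationPort: 80 DestinationPortName: http",
]
SAMPLE = " ".join(_RECORDS)

# Each record begins with the Event Viewer columns Level, Logged, Source, Event ID.
_RECORD_START = re.compile(
    r"(?=Information \d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} Microsoft-Windows-Sysmon 3 )")
_HEADER = re.compile(r"^Information (?P<logged>\S+ \S+) Microsoft-Windows-Sysmon (?P<event_id>\d+) ")
# Known Sysmon event 3 field names. Values may contain spaces and colons (paths,
# "NT AUTHORITY\..."), so a value runs until the next known key; longer names first.
_FIELDS = ["RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "User", "Protocol",
           "Initiated", "SourceIsIpv6", "SourceIp", "SourceHostname", "SourcePortName",
           "SourcePort", "DestinationIsIpv6", "DestinationIp", "DestinationHostname",
           "DestinationPortName", "DestinationPort"]
_KEY = re.compile(r"\b(" + "|".join(_FIELDS) + r"): ")


def parse_record(text):
    """Parse one record into a dict: header columns become Logged/EventId, and each
    known key gets the text up to the next known key (empty keys stay empty)."""
    rec = {}
    header = _HEADER.match(text)
    if header:
        rec["Logged"] = header.group("logged")
        rec["EventId"] = int(header.group("event_id"))
    keys = list(_KEY.finditer(text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        rec[m.group(1)] = text[m.end():end].strip()
    return rec


def parse_export(blob):
    """Split a run-together export at each record header. A leading partial record
    (the archived post starts mid-record) is dropped rather than mis-parsed."""
    return [parse_record(c.strip()) for c in _RECORD_START.split(blob) if c.startswith("Information ")]


def summarise(records):
    """Per (Image, ProcessId, User): connection count, distinct ip:port/proto, and the
    UtcTime span. UtcTime is fixed-width ISO text, so string order is time order."""
    out = {}
    for r in records:
        key = (r["Image"], r["ProcessId"], r["User"])
        s = out.setdefault(key, {"count": 0, "destinations": set(),
                                 "first": r["UtcTime"], "last": r["UtcTime"]})
        s["count"] += 1
        s["destinations"].add(f'{r["DestinationIp"]}:{r["DestinationPort"]}/{r["Protocol"]}')
        s["first"] = min(s["first"], r["UtcTime"])
        s["last"] = max(s["last"], r["UtcTime"])
    return out


def cleartext_http(records):
    """(Image, DestinationIp) pairs that used port 80: inspectable on the wire."""
    return sorted({(r["Image"], r["DestinationIp"]) for r in records if r["DestinationPort"] == "80"})


if __name__ == "__main__":
    for (image, pid, user), s in summarise(parse_export(SAMPLE)).items():
        print(f"{image} (PID {pid}, {user}): {s['count']} connection(s), "
              f"{s['first']} .. {s['last']} -> {', '.join(sorted(s['destinations']))}")
```

Run against the full export, the summary collapses the 16-record burst from svchost.exe PID 10440 into one row with its destinations and a 40-second window, which is the view needed before deciding whether to capture the port 80 traffic with Snort or Wireshark as suggested in the thread. On the host itself, Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log gives the same fields without the copy-paste step; this parser is only for the flattened text form that was posted.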
Current thread:
- Comodo Firewall, Comodo Dragon, svchost.exe and MS Office 2016 Triggering Snort IDS Alerts "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Nov 03)
- Re: Comodo Firewall, Comodo Dragon, svchost.exe and MS Office 2016 Triggering Snort IDS Alerts "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Nov 07)
- Re: Comodo Firewall, Comodo Dragon, svchost.exe and MS Office 2016 Triggering Snort IDS Alerts "A Network Trojan was Detected" John Byrne via Snort-users (Nov 07)
- Re: Comodo Firewall, Comodo Dragon, svchost.exe and MS Office 2016 Triggering Snort IDS Alerts "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Nov 08)
- Re: Comodo Firewall, Comodo Dragon, svchost.exe and MS Office 2016 Triggering Snort IDS Alerts "A Network Trojan was Detected" John Byrne via Snort-users (Nov 07)
- Re: Comodo Firewall, Comodo Dragon, svchost.exe and MS Office 2016 Triggering Snort IDS Alerts "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Nov 07)