sickpuppy Posted December 27, 2018 Report Share Posted December 27, 2018 (edited) I have some oddities in my bro/suricata data. A system process on my Win10 machine is opening connections to paloaltonetworks.com and urlscan.io several times a minute. I don't seem to be able to use the usual tools to determine the actual process because it's a system process. This makes me wonder if these connections belong to Immunet? The JA3 hash suggests it's either a Chromium or Win32 API making the requests? I stumbled on the traffic while attempting to tag JA3 hashes with associated applications. So if this is Immunet traffic, it would be great to know exactly how those requests are being made so I could distinguish between Chrome/Win32API JA3s. Thanks Edited December 27, 2018 by sickpuppy Link to comment Share on other sites More sharing options...
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now