sklevtsov

Members
  • Posts: 3
  • Joined

  • Last visited

About sklevtsov

  • Rank
    Newbie

Profile Information

  • Location
    Ukraine
  1. @itman Thanks a lot for the responses! @Marcos Is there a place where we can look up how exactly ESET detects this indicator, Win32/RiskWare.Meterpreter.Q? Which patterns or signatures does ESET look for in traffic? From what we checked, we see no anomalies or suspicious activities on the VM; we also conducted a full scan with ESET. It seems like a false positive, however we cannot pinpoint it. Our app could in some cases send requests like these; however, they surely do not include Meterpreter, shell, etc.
  2. Hello, colleagues. We recently had several suspicious detections on ESET Endpoint Antivirus. From what I see in the logs, it seems that the webserver is already compromised and trying to access or elevate access from the webserver (10.15.144.21, random port 50000+) to k8s (10.12.80.100 on port 80). We conducted a full scan with ESET - no detections. We analyzed network connections and processes for suspicious activity and didn't find anything. Could this be a false positive? Or is it just a blocked outside attack that somehow appears as an elevation attempt from inside? Attaching the detections.
  3. @Marcos @itman Same here, we are also getting lots of outbound connections blocked from the Exchange server. All unresolved. Is this a case of source and destination being swapped in the logs and not some kind of C&C activity from Exchange? It looks very suspicious. We have our Exchange patched and conducted an ESET full scan - no indicators of malware.