Suspicious Firewall Rules, Unusual Accounts, and Svchost Oddness.



#1 spenca57

spenca57

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 15 March 2018 - 01:08 AM

Tonight, while considering improving my security policy for my Windows system, I decided to check the firewall rules to perhaps bolster them. When I did so I noticed some unusual rules that had recently been set. The rules had names like @{Windows.ContactSupport_10.0.15063.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Windows.ContactSupport/Resources/appDisplayName} and @{Microsoft.Windows.Cortana_1.8.12.15063_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName} and @{Microsoft.PPIProjection_10.0.15063.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.PPIProjection/resources/ProductName}. They are inbound rules; I have attached screenshots below. What I thought was most unusual about these rules was that the local user owner was an unusual name like S-1-5-21-293847239847 (random sequence of numbers). I have seen similar suspicious accounts when checking the permissions on Linux ISOs I have downloaded. I have also included a screenshot of these. An unusual account named S-1-5-21-34817632187 has read permissions on every ISO I download. Is this normal? Could this be an IOC? If so, what can I do? I have attached screenshots of all of this; however, the screenshots in my posts seem to be disappearing for some reason. Furthermore, I have noticed in recent netstat -afb queries there are connections being made from svchost.exe to cloudproxy10003.sucuri.net. I'm not sure if this is unusual or relevant. Anyways, thank you for reading and hopefully replying.


Edited by spenca57, 15 March 2018 - 01:09 AM.
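As an added example that is not part of the original post, the PowerShell script below does the check the poster describes with the firewall GUI, but in a way that answers the "who is S-1-5-21-…?" question directly: it lists inbound rules that carry an Owner SID, resolves each SID to an account name where the machine knows one, shows the program or AppX package the rule is bound to (rules whose display name starts with `@{...}` are resource-string names for packaged apps), and compares any unresolved SIDs against the local accounts and user profiles on the box. All cmdlets used (`Get-NetFirewallRule`, `Get-NetFirewallApplicationFilter`, `Get-LocalUser`, `Get-CimInstance Win32_UserProfile`) ship with Windows 10; `Resolve-Sid` is a helper written for this example. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: inventory inbound firewall rules by owner SID.

function Resolve-Sid {
    # Translate a SID string to DOMAIN\Name; returns $null when no account on this
    # machine matches (orphaned profile, deleted account, or SID from another system).
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null
    }
}

# Only rules that have an Owner set; per-user AppX rules carry the owning user's SID.
$rules = Get-NetFirewallRule -Direction Inbound | Where-Object { $_.Owner }

$report = foreach ($rule in $rules) {
    $app = $rule | Get-NetFirewallApplicationFilter   # program path / AppX package for the rule
    [PSCustomObject]@{
        DisplayName = $rule.DisplayName
        Enabled     = $rule.Enabled
        Action      = $rule.Action
        Owner       = $rule.Owner
        Resolved    = Resolve-Sid -Sid $rule.Owner
        Program     = $app.Program
        Package     = $app.Package
    }
}

$report | Sort-Object Owner, DisplayName | Format-Table -AutoSize

# Cross-reference every owner SID with the accounts and profiles the machine knows about.
$localUsers = Get-LocalUser | Select-Object Name, @{n='SID'; e={ $_.SID.Value }}
$profiles   = Get-CimInstance Win32_UserProfile | Select-Object SID, LocalPath, LastUseTime

foreach ($sid in ($report.Owner | Sort-Object -Unique)) {
    $user    = $localUsers | Where-Object { $_.SID -eq $sid }
    $profile = $profiles   | Where-Object { $_.SID -eq $sid }
    [PSCustomObject]@{
        Owner       = $sid
        Account     = Resolve-Sid -Sid $sid
        LocalUser   = if ($user)    { $user.Name }         else { '(none)' }
        ProfilePath = if ($profile) { $profile.LocalPath } else { '(no profile)' }
        LastUse     = if ($profile) { $profile.LastUseTime } else { $null }
    }
} | Format-Table -AutoSize
```

In the second table, an owner SID that resolves to a current local account with a profile path under C:\Users is the expected case for per-user app rules; a SID with no account and no profile is worth keeping a note of, because the rule was created for a user the machine no longer knows, and the same SID can then be looked for in other places such as file ACLs (the `icacls` or `Get-Acl` output on the ISOs the post mentions) rather than guessed at from the raw number.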

