MDATP - Cobalt Strike C2 Attack

Jens Mander 21 Reputation points
2020-10-29T15:58:13.323+00:00

Hi @ll,

Yesterday we saw a couple of alerts in Microsoft Defender ATP (now called Microsoft Defender for Endpoint) about Cobalt Strike C2 on several PCs and on one server. The deeper inspection of the corresponding timelines was kind of confusing, because:

  • The corresponding processes were different on nearly all endpoints (e.g. “onedrive.exe”, “MsSense.exe”, etc.)
  • The C2 IP address was 127.0.0.1 in all cases

The alerts started on October 27th and ended on October 28th.
We had the same alerts in another customer environment on some endpoints within the same timeframe. There, too, there were no more alerts after October 28th.

This leads us to the assumption that this may be a false positive. Has anyone of you also been facing similar effects, or does anyone know about, e.g., some recent changes to the detection rules that could lead to this kind of (false) alert?

Thank you in advance!

Greetings
Jens...
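One way to triage alerts like the ones described above in advanced hunting, as an added example that is not part of the original post. It assumes the Microsoft 365 Defender advanced hunting schema (the `AlertInfo` and `AlertEvidence` tables) and the date window and alert title substring from the post; the column names and the "Cobalt Strike" title match are assumptions, not a confirmed detection name.

```kql
// Added example (not from the original post): list the alerts in the window,
// collect every remote IP and process file name attached to each alert, and
// flag alerts whose only "C2" address is the loopback address. A signature that
// fires on many unrelated processes (onedrive.exe, MsSense.exe, ...) with
// 127.0.0.1 as the remote endpoint is a strong false-positive indicator.
// Assumptions: AlertInfo / AlertEvidence schema, title contains "Cobalt Strike".
let window_start = datetime(2020-10-27);
let window_end   = datetime(2020-10-29);
AlertInfo
| where Timestamp between (window_start .. window_end)
| where Title has "Cobalt Strike"
| join kind=inner AlertEvidence on AlertId
| summarize
    RemoteIPs = make_set_if(RemoteIP, isnotempty(RemoteIP)),
    Processes = make_set_if(FileName, isnotempty(FileName)),
    FirstSeen = min(Timestamp)
  by AlertId, Title, Severity, DetectionSource, DeviceName
| extend LoopbackOnly = array_length(RemoteIPs) == 1 and tostring(RemoteIPs[0]) == "127.0.0.1"
| order by LoopbackOnly desc, FirstSeen asc
// Second view: how many distinct processes the same alert title fired on across the fleet.
// (Run separately; shown here as a comment because one query runs per execution.)
// AlertInfo
// | where Timestamp between (window_start .. window_end) and Title has "Cobalt Strike"
// | join kind=inner (AlertEvidence | where EntityType == "Process") on AlertId
// | summarize DistinctProcesses = dcount(FileName), Devices = dcount(DeviceName) by Title
```

If `LoopbackOnly` is true for every alert and the process column differs per device, the alerts are far more likely to be a bad signature than real beaconing; a genuine Cobalt Strike beacon has an external (or at least routable) team server address and a consistent implant process. The query does not prove a false positive on its own; check the device timeline for the flagged process and whether a real outbound connection exists before closing the alerts.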

Tags: Windows 10 Security, Windows Server Security

Accepted answer
  1. Jenny Yan-MSFT 9,336 Reputation points
    2020-10-30T07:14:22.657+00:00

    Hi,
    Kindly check the comment from the link below:
    Microsoft Senior Threat Intelligence Analyst Kevin Beaumont confirmed the false positive on Twitter and stated that it should now be marked as such in the console. The bad signature causing the false positive has also been fixed, and admins should no longer see new alerts in Microsoft Defender Security Center.

    Reference link:
    Microsoft Defender ATP scars admins with false Cobalt Strike alerts
    https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-scars-admins-with-false-cobalt-strike-alerts/

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


    Hope this helps, and please accept this as the answer if the response is useful.

    Thanks,
    Jenny


1 additional answer

  1. Jens Mander 21 Reputation points
    2020-10-30T09:53:58.407+00:00

    Hi JennyYan,
    Thanks for the information.
    Now I can relax again!
    :-)
    Greets, Jens Mander...
