
false positives on PCs in network with Windows Server 2019

Open dvschuetz opened this issue 2 years ago • 1 comments

Systems: Microsoft Windows Server 2019, ca. 86 Windows 10 Pro clients and a handful of Windows 11 Pro clients

Using Yara rules, we get the following false positives (with some variations on some clients):

- CobaltStrike_Resources_Artifact64_v1_49_v2_x_v3_0_v3_3_thru_v3_14 /media/5AC48A90C48A6E57/pagefile.sys
- CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x /media/5AC48A90C48A6E57/pagefile.sys
- CobaltStrike_Resources_Artifact32_v3_14_to_v4_x /media/5AC48A90C48A6E57/pagefile.sys
- CobaltStrike_Resources_Dnsstager_Bin_v1_47_through_v4_x /media/5AC48A90C48A6E57/pagefile.sys
- CobaltStrike_Resources__Template_Vbs_v3_3_to_v4_x /media/5AC48A90C48A6E57/pagefile.sys
- CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x /media/5AC48A90C48A6E57/pagefile.sys

For the full detailed reports, see the heise forum.

dvschuetz avatar Nov 30 '23 14:11 dvschuetz

@dvschuetz Can you send me the hash of the pagefile.sys or a copy of the file(s)? Then I can test to see what the problem might be.

gssincla-g avatar Dec 04 '23 21:12 gssincla-g