This week, many system administrators had extremely nervous days: the corporate solution Microsoft Defender ATP (Advanced Threat Protection) reported Mimikatz and Cobalt Strike infections on their devices. In fact, these were false positives.
some 'Mimikatz' FP too 🙂 pic.twitter.com/Fu9XRyR7BI
– merlos (@merlos1977) October 28, 2020
Let me remind you that Cobalt Strike, a legitimate commercial framework created for pentesters and red teams and focused on exploitation and post-exploitation, has long been favored by attackers, from state-sponsored APT groups to ransomware operators. Although it is not available to ordinary users and the full version costs about $3,500 per install, attackers still find ways to obtain it (for example, by relying on old, pirated, cracked and unregistered versions).
Typically, attackers use cracked versions of Cobalt Strike to gain stable remote access to a compromised network and rely on it during ransomware attacks.
Mimikatz, in turn, is a post-exploitation tool designed to extract passwords and credentials from compromised systems. It is widely used both by financially motivated "commercial" hack groups and by state-sponsored hackers.
Although the administrators certainly gained some gray hair, it soon became clear that the infection reports were merely false positives from Microsoft Defender ATP, which treated network connections to 127.0.0.1 (localhost) as traffic to Cobalt Strike C&C servers.
The false positives have been confirmed on Twitter by Microsoft Threat Intelligence analyst Kevin Beaumont. He writes that such alerts should now be marked as false positives in the logs. The faulty signature that caused the issue has also been fixed.
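Since the article's root cause is a signature that matched connections to localhost, a defender going through a backlog of these alerts will want to separate the ones whose remote endpoint is a loopback address from those that still deserve a look. The script below is an added example written for this article; it is not Defender ATP code and not from Microsoft or Kevin Beaumont. The alert records are constructed sample data, and the field names (`remote_ip`, `title`, and so on) are assumptions about an export format rather than the real Defender schema. It uses the standard `ipaddress` module, so it treats the whole 127.0.0.0/8 range and IPv6 ::1 as loopback, not just the literal 127.0.0.1 mentioned in the article.

```python
import ipaddress

# Constructed sample alert export (NOT real Defender ATP output; field names
# are assumptions about an export format, chosen for this example).
SAMPLE_ALERTS = [
    {"id": "A-1", "host": "ws01", "title": "Cobalt Strike C2 beacon", "remote_ip": "127.0.0.1", "remote_port": 50051},
    {"id": "A-2", "host": "ws02", "title": "Cobalt Strike C2 beacon", "remote_ip": "203.0.113.45", "remote_port": 443},
    {"id": "A-3", "host": "ws03", "title": "Mimikatz", "remote_ip": "::1", "remote_port": 8080},
    {"id": "A-4", "host": "ws04", "title": "Cobalt Strike C2 beacon", "remote_ip": "127.8.8.8", "remote_port": 4444},
    {"id": "A-5", "host": "ws05", "title": "Cobalt Strike C2 beacon", "remote_ip": "not-an-ip", "remote_port": 0},
]


def is_loopback(addr: str) -> bool:
    """True if addr is a loopback address (any of 127.0.0.0/8, or IPv6 ::1).

    Unparseable values are reported as NOT loopback, so a malformed record
    is never silently dismissed as a false positive.
    """
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def triage(alerts):
    """Split alerts into two lists: 'likely_fp' for alerts whose remote
    endpoint is a loopback address (the pattern behind the faulty signature)
    and 'review' for everything else, including records we cannot parse."""
    likely_fp, review = [], []
    for alert in alerts:
        bucket = likely_fp if is_loopback(alert["remote_ip"]) else review
        bucket.append(alert)
    return likely_fp, review


def summarize(alerts):
    """Return a compact per-bucket summary: alert ids grouped by verdict."""
    likely_fp, review = triage(alerts)
    return {
        "likely_fp": [a["id"] for a in likely_fp],
        "review": [a["id"] for a in review],
    }


if __name__ == "__main__":
    for verdict, ids in summarize(SAMPLE_ALERTS).items():
        print(f"{verdict}: {', '.join(ids)}")
```

The loopback split is a triage aid, not a verdict: an alert whose destination is localhost is only "likely" benign in the context of this particular bad signature, and a local proxy or tunnel can legitimately sit behind 127.0.0.1, so anything that still looks odd after the signature fix belongs in the review bucket, not in the closed pile.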