Intrusion Software Detecting as Cobalt

[cbondeson]

My companies SECOPS team was notified of a potential Cobalt Strike alert . Cobalt Strike is associated with ransomware and may be a indicator of compromise. VPN and network accounts for user have been disabled until further investigation is possible.  I disabled Kamo and this alert was removed. 

[Guest MeganCCleaner]

Hi @cbondeson Thanks for bringing this to our attention. We strongly believe this refers to a false positive but in any case, our product team is eager to investigate why this had happened. 

Can you please tell me what intrusion software made the detection and if possible, would you be able to attach logs from the intrusion software? 

[cbondeson]

I have requested the details of the event. I don't know if the security team will consider that a violation of their standards. I will keep you apprised of any decision.

[Guest MeganCCleaner]

That's completely understandable, and thanks for letting me know. 

As an additional request, if you could inform us of what Windows OS this alert appeared on and if applicable, the OS build & version number as well.

Please also let me know if you would prefer to continue via email as I'll gladly contact you using the email address registered to your forums account.

My email would be sent from support@ccleaner.com. 

[cbondeson]

The security team, as I suspected, will not divulge this information. They have been the point of many attacks and don't want to let out any secrets.

[cbondeson]

i am running Windows 10, OS Build 19044.2006, Windows Feature Experience Pack 120.2212.4180.0

[Guest MeganCCleaner]

Hi @cbondeson I understand, although our security team here did say they most certainly would not betray your trust and in any case, thanks for providing information about your system.

Rather than providing logs, would it be possible to tell us what security software had made the detection?