chronicle / GCTI

Apache License 2.0

false positives on PCs in network with Windows Server 2019 #4

Open dvschuetz opened 11 months ago

dvschuetz commented 11 months ago

Systems: Microsoft Windows Server 2019, ca. 86 Windows 10 Pro clients and a handful of Windows 11 Pro clients

Using the YARA rules, we get the following false positives (with some variations on some clients):

- CobaltStrike_Resources_Artifact64_v1_49_v2_x_v3_0_v3_3_thru_v3_14 /media/5AC48A90C48A6E57/pagefile.sys
- CobaltStrike_Resources_Reverse_Bin_v2_5_through_v4_x /media/5AC48A90C48A6E57/pagefile.sys
- CobaltStrike_Resources_Artifact32_v3_14_to_v4_x /media/5AC48A90C48A6E57/pagefile.sys
- CobaltStrike_Resources_Dnsstager_Bin_v1_47_through_v4_x /media/5AC48A90C48A6E57/pagefile.sys
- CobaltStrike_Resources__Template_Vbs_v3_3_to_v4_x /media/5AC48A90C48A6E57/pagefile.sys
- CobaltStrike_Resources_Artifact32svc_Exe_v3_1_v3_2_v3_14_and_v4_x /media/5AC48A90C48A6E57/pagefile.sys

For fully detailed reports, see the heise forum.

gssincla-g commented 11 months ago

@dvschuetz Can you send me the hash of the pagefile.sys or a copy of the file(s)? Then I can test to see what the problem might be.