mitre / cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

Microsoft Defender Detection #210

Closed Malthasian closed 1 year ago

Malthasian commented 1 year ago

Microsoft Defender reports a "Backdoor:PHP/Remoteshell.B" detection in enterprise-attack/relationship/relationship--2610bdef-0b08-46a8-94f5-cf253f11e5fc.json

(Edit: my initial assumption was incorrect)

Malthasian commented 1 year ago


Malthasian commented 1 year ago

(https://www.virustotal.com/gui/file/80c4069d66a4e7dfaa37bb65e1b9dbb4fd63ff6b651be3268388df11ca24af38)


jondricek commented 1 year ago

This regularly happens with each release of ATT&CK where it is initially deemed malicious by A/V scanners due to the nature of the content being reported in ATT&CK.

Ultimately this is a duplicate of #67, #76, and #162 (not to mention future GitHub issues as well).

Thanks for reporting it though!

jim-nitterauer commented 10 months ago

We are seeing the same behavior every time we spin up a Docker instance. Is there a way to validate that the file enterprise-attack/relationship/relationship--2610bdef-0b08-46a8-94f5-cf253f11e5fc.json is actually safe? Seems like there should be a re-write or some sort of validation that this is a false positive aside from a random "trust me, it's ok" post. Thanks!
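One way to check a flagged file independently of the A/V verdict, as an added example that is not code from the mitre/cti project: confirm the bytes are a plain STIX 2.0 bundle holding exactly one relationship object with well-formed identifiers (descriptive JSON data, nothing executable), and compute its SHA-256 to compare with the hash in the VirusTotal link quoted earlier in this thread. The sample bundle below is constructed; its refs and timestamps are placeholders, and only the relationship id comes from this issue.

```python
import hashlib
import json
import re

UUID = r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
STIX_ID = re.compile(rf"^[a-z0-9-]+--{UUID}$")  # e.g. relationship--<uuid>
REQUIRED = {"type", "id", "created", "modified", "relationship_type", "source_ref", "target_ref"}
# SHA-256 from the VirusTotal link quoted in this thread; the release it was
# taken from may differ from the file currently in the repository.
VT_SHA256 = "80c4069d66a4e7dfaa37bb65e1b9dbb4fd63ff6b651be3268388df11ca24af38"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_relationship_bundle(data: bytes) -> list:
    """Return findings; an empty list means a well-formed STIX 2.0 bundle
    holding exactly one relationship object, i.e. data rather than code."""
    try:
        doc = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return [f"not valid UTF-8 JSON: {exc}"]
    if not isinstance(doc, dict) or doc.get("type") != "bundle" or doc.get("spec_version") != "2.0":
        return ["top level is not a STIX 2.0 bundle"]
    findings = []
    objs = [o for o in doc.get("objects", []) if isinstance(o, dict)]
    if len(objs) != 1 or objs[0].get("type") != "relationship":
        findings.append("bundle does not hold exactly one relationship object")
    for obj in objs:
        missing = sorted(REQUIRED - obj.keys())
        if missing:
            findings.append(f"missing required properties: {missing}")
        for key in ("id", "source_ref", "target_ref"):  # every ref must be type--uuid
            if not STIX_ID.match(str(obj.get(key, ""))):
                findings.append(f"{key} is not a STIX identifier: {obj.get(key)!r}")
    return findings

# Constructed sample: the id is the one named in this issue; the bundle id,
# refs and timestamps are placeholders, not the repository's real values.
SAMPLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "spec_version": "2.0",
    "objects": [{
        "type": "relationship", "id": "relationship--2610bdef-0b08-46a8-94f5-cf253f11e5fc",
        "created": "2019-01-01T00:00:00.000Z", "modified": "2019-01-01T00:00:00.000Z",
        "relationship_type": "uses",
        "source_ref": "malware--00000000-0000-4000-8000-000000000001",
        "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000002",
    }],
}).encode()
```

Run it against a local copy with `check_relationship_bundle(open(path, "rb").read())` and compare `sha256_hex(...)` with `VT_SHA256` to see whether the scanned sample is the same bytes you have.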