Skip to main content
Published Jun 03, 2020 | Updated May 06, 2024

VirTool:Win32/CobaltStrike.A

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

This threat is a Cobalt Strike Beacon payload associated with prior exploitation of the remote code execution (RCE) vulnerability CVE-2021-44228 (also referred to as “Log4Shell”) in the Log4j component of Apache. This vulnerability affects Java-based applications that use Log4j 2 versions 2.0 through 2.14.1.

Cyberattackers gain access to the target device and launch arbitrary remote code loaded from LDAP servers, which are logged and launched by the Log4j component. This can allow them to set up a Cobalt Strike Beacon on a target, allowing communication with and persistent access to the device.

Read the following blogs for more information:

Users should take the following steps to mitigate the threat:

  • Confirm that this server has Apache and the Log4j component installed.
  • Check for possible post-exploitation activities, such as unusual behavior from users with elevated privileges or suspicious spawned processes. 
  • Stop suspicious processes, isolate affected devices, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates. Update the Log4j component to log4j-2.15.0 or ensure that the device is set to start with log4j2.formatMsgNoLookups set to True.
  • Contact your incident response team or contact Microsoft support for investigation and remediation services.

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

Follow us