Forum Discussion
MDE repeatable false positive "Multi-stage incident involving Privilege escalation..." How to fix?
I know! The GUIDs do vary, too, from the one from a week ago (the same incident comprising exactly 57 alerts, mind you). I wonder if the indicators are poisoned somehow, even though I'm not seeing any after listing them in the API.
- MaheshMarthi (MCT), Nov 15, 2023
Make sure you have access to existing TI projects. While creating a new one, it shows an "accessible to Me" option.
- MaheshMarthi (MCT), Nov 15, 2023
There is a section called Threat Intelligence. If you don't find it, try going to https://ti.defender.microsoft.com/projects?tab=team
- Nov 01, 2023
Do you have any special agent on your devices that runs every 7 days, for example, and sends data somewhere other than MDE?
- ActualCassandra (Copper Contributor), Nov 01, 2023
No, that is what makes it so strange. I have even used the API to list indicators, and there is nothing there that would trigger something like the incident above.
- Oct 31, 2023
ActualCassandra, you don't have any custom indicators in your MDE settings?
- ActualCassandra (Copper Contributor), Oct 31, 2023
OK, this happens every seven days at the exact same time, when Windows 10 is carrying out its behind-the-scenes operating system scheduled tasks. Example (similar to the original screenshot):
- ActualCassandra (Copper Contributor), Oct 24, 2023
elieelkarkafi Hi - yes, the latest are new machines built from scratch. I even tried a VM in Azure this time around, since the other ones were on-prem in VMware.
I just don't understand the 'Custom TI' detection source. We get other alerts which show this, and you can tell that they are related to the Endpoint settings under Rules, Indicators. The only section with any entries is URLs/Domains, and any alert related to those settings is correctly named as a connection to a custom network indicator. However, these multi-stage attack incidents don't show as having any indicators, even when I call the MDE API and have it list indicators.
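The check the post above describes can be scripted rather than eyeballed. The following is an added example (not code from the thread or from Microsoft): it takes the output of the MDE Alerts API (`/api/alerts?$expand=evidence`) and Indicators API (`/api/indicators`), lists every alert whose `detectionSource` is `CustomerTI` but whose evidence matches no indicator in the tenant, and measures how many days apart each alert title recurs, which is how a "fires every 7 days at the same minute" pattern shows up in data rather than in a screenshot. The endpoint paths and the `CustomerTI` value are the real API ones; the `SAMPLE_ALERTS` and `SAMPLE_INDICATORS` records (hashes, hostnames, incident ids) are constructed so the script runs offline, and `fetch_api()` assumes a bearer token for the MDE API obtained elsewhere.

```python
"""Triage helper for recurring 'Custom TI' alerts in Microsoft Defender for Endpoint.

Added example, not code from the thread. Answers two questions it raises: which
CustomerTI alerts have no matching entry in the tenant's indicator list, and how
regularly a given alert title recurs. All SAMPLE_* data below is constructed.
"""
import json
import urllib.request
from collections import defaultdict
from datetime import datetime

API_BASE = "https://api.securitycenter.microsoft.com/api"


def fetch_api(path, token):
    """GET one MDE API collection, e.g. '/alerts?$expand=evidence' or '/indicators'.
    Assumes a bearer token for the MDE API was obtained elsewhere (app registration)."""
    req = urllib.request.Request(API_BASE + path,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


# Constructed sample shaped like the Alerts API (with $expand=evidence) and the
# Indicators API. Two alerts of the same title, seven days apart, both tagged
# CustomerTI with no indicator behind them; one genuine custom-domain hit; one
# ordinary EDR alert that must be ignored.
SAMPLE_ALERTS = [
    {"id": "da1", "incidentId": 101,
     "title": "Multi-stage incident involving Privilege escalation",
     "detectionSource": "CustomerTI", "alertCreationTime": "2023-10-17T03:00:12Z",
     "evidence": [{"entityType": "Process", "fileName": "svchost.exe",
                   "sha256": "aa" * 32}]},
    {"id": "da2", "incidentId": 102,
     "title": "Multi-stage incident involving Privilege escalation",
     "detectionSource": "CustomerTI", "alertCreationTime": "2023-10-24T03:00:09Z",
     "evidence": [{"entityType": "Process", "fileName": "MoUsoCoreWorker.exe",
                   "sha256": "bb" * 32}]},
    {"id": "da3", "incidentId": 103,
     "title": "Connection to a custom network indicator",
     "detectionSource": "CustomerTI", "alertCreationTime": "2023-10-20T11:42:00Z",
     "evidence": [{"entityType": "Url", "url": "http://blocked.example/x",
                   "domainName": "blocked.example"}]},
    {"id": "da4", "incidentId": 104, "title": "Suspicious process discovery",
     "detectionSource": "WindowsDefenderAtp",
     "alertCreationTime": "2023-10-21T09:00:00Z",
     "evidence": [{"entityType": "Process", "fileName": "whoami.exe"}]},
]
SAMPLE_INDICATORS = [
    {"indicatorValue": "blocked.example", "indicatorType": "DomainName",
     "action": "Alert", "title": "Blocked domain"},
]

# indicatorType -> evidence field carrying the comparable value
INDICATOR_FIELD = {"DomainName": "domainName", "Url": "url", "IpAddress": "ipAddress",
                   "FileSha1": "sha1", "FileSha256": "sha256"}


def indicator_values(indicators):
    """Set of (evidence_field, lowercased value) pairs, one per custom indicator."""
    pairs = set()
    for ind in indicators:
        field = INDICATOR_FIELD.get(ind["indicatorType"])
        if field:
            pairs.add((field, ind["indicatorValue"].strip().lower()))
    return pairs


def alert_matches_indicator(alert, ind_pairs):
    """True if any evidence entity on the alert carries a value from the indicator list."""
    for ev in alert.get("evidence", []):
        for field, value in ind_pairs:
            if str(ev.get(field, "")).lower() == value:
                return True
    return False


def unexplained_custom_ti(alerts, indicators):
    """Ids of CustomerTI alerts whose evidence matches nothing in the indicator list.
    These are the ones to hand to Microsoft: the detection source says a custom
    indicator fired, but the tenant holds no indicator that explains it."""
    ind_pairs = indicator_values(indicators)
    return [a["id"] for a in alerts
            if a.get("detectionSource") == "CustomerTI"
            and not alert_matches_indicator(a, ind_pairs)]


def recurrence_days(alerts):
    """Per alert title, gaps in whole days between successive alertCreationTime values.
    A steady [7, 7, 7, ...] is the signature of a scheduled task, not an intrusion."""
    by_title = defaultdict(list)
    for a in alerts:
        ts = a["alertCreationTime"].replace("Z", "+00:00")
        by_title[a["title"]].append(datetime.fromisoformat(ts))
    return {title: [round((b - a).total_seconds() / 86400)
                    for a, b in zip(sorted(times), sorted(times)[1:])]
            for title, times in by_title.items()}


if __name__ == "__main__":
    # Against a real tenant, swap the constructed sample for
    #   fetch_api("/alerts?$expand=evidence", TOKEN) and fetch_api("/indicators", TOKEN)
    print("Unexplained CustomerTI alerts:",
          unexplained_custom_ti(SAMPLE_ALERTS, SAMPLE_INDICATORS))
    for title, gaps in recurrence_days(SAMPLE_ALERTS).items():
        print(f"{title!r}: gaps in days {gaps}")
```

On the constructed sample, `da1` and `da2` come back as unexplained CustomerTI alerts (no indicator covers their evidence) while `da3` is explained by the domain indicator and `da4` is skipped as an ordinary EDR detection; the recurrence table reports a single 7-day gap for the multi-stage title. The match is deliberately exact-string on the evidence fields the Indicators API can express; a wildcard or CIDR indicator would need its own comparison.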
- Oct 24, 2023
Did you try creating a greenfield machine, without installing any app on it and just onboarded to MDE, to see if it automatically triggers the same false positive alerts? What version of Windows 10/11 are you using?
- ActualCassandra (Copper Contributor), Oct 24, 2023
Thanks - we do have a ticket, but the help has been ... less than useful, so I have posted over here, too.
- Oct 24, 2023
ActualCassandra, I suggest opening a ticket with the Microsoft security team so they can check your tenant in the backend with MDE, because your devices are triggering alerts for processes related to Windows, and that is abnormal.
- ActualCassandra (Copper Contributor), Oct 24, 2023
elieelkarkafi
I can install one - we have multiple boxes with different configs kicking out these weird incidents.