False Positive? resolving to Microsoft Blackhole IP

Thanks to Xavier for bringing this to our attention. It looks like a couple of days ago a legitimate Microsoft host name started to resolve to a Microsoft IP that is commonly used for the blackholes (sinkholes) that Microsoft operates:

$ host is an alias for is an alias for has address

Connecting to a blackhole IP like this is often an indicator of compromise, and many IDSs will flag it. For example:

[**] [1:2016101:2] ET TROJAN DNS Reply Sinkhole - Microsoft - [**] [Classification: A Network Trojan was detected] [Priority: 1] ...

It is not yet clear what process causes the connection to this IP on port 443. But a number of other users are reporting similar issues. For example, see here:

At this point, I am assuming that this is some kind of configuration error at Microsoft.

Johannes B. Ullrich, Ph.D.

ISC Handler
May 19th 2015
I have also seen the same type of detection, and according to the analysis it was the DiagTrack service that is trying to communicate to this IP range. The recently released MS patch KB 3022345 is associated with this, and I suspect it might be the reason for this false positive.

KB detail: This update enables the Diagnostics Tracking Service in Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1. This tracking service collects data about functional issues in Windows.

But some confirmation from Microsoft is still pending.

The Emerging Threats rule has been updated a few hours ago!

old: alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Microsoft -"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; classtype:trojan-activity; sid:2016101; rev:2;)
new: alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Microsoft -"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; byte_test:1,>,10,0,relative; byte_test:1,<,13,0,relative; threshold: type limit, count 1, seconds 120, track by_src; classtype:trojan-activity; sid:2016101; rev:6;)


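The two rule revisions quoted above differ only in what happens after the sinkhole prefix is found: rev 2 fires on any A record answer of the form 131.253.18.x (the content |83 fd 12| is the first three octets, preceded by the |00 04| RDLENGTH), while rev 6 adds two byte_test checks so that only a last octet of 11 or 12 triggers the alert, plus a per-source threshold. The following is an added example (not part of the thread, and not Emerging Threats or Snort code) that re-implements the payload-matching part of both revisions in Python and runs it over constructed DNS responses; the host name, transaction ID, TTL and the three IP addresses in the samples are made up for illustration, and the threshold clause is not modelled because it concerns alert rate, not packet content.

```python
import struct

# The Snort content patterns from the rule, as raw bytes.
ANCHOR = b"\x00\x01\x00\x01"          # TYPE A (1), CLASS IN (1)
MARKER = b"\x00\x04\x83\xfd\x12"      # RDLENGTH 4, then 131.253.18.


def build_dns_answer(name: str, ip: str, ttl: int = 300, txid: int = 0x1234) -> bytes:
    """Constructed DNS response: header, one question, one A record (sample data)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def _candidates(payload: bytes):
    """Yield the offset of the byte that byte_test would examine, for every place
    where MARKER starts exactly 4 bytes after an occurrence of ANCHOR.

    distance:4 moves the cursor 4 bytes past the previous match (skipping the TTL);
    within:5 with a 5-byte pattern pins the match to exactly that position.
    Snort backtracks over earlier content matches when a later relative content
    fails, so every occurrence of ANCHOR is tried, not just the first (the
    |00 01 00 01| in the header counts and in the question section would
    otherwise mask the one in the answer RR)."""
    start = 0
    while (i := payload.find(ANCHOR, start)) != -1:
        j = i + len(ANCHOR) + 4
        if payload[j:j + len(MARKER)] == MARKER:
            yield j + len(MARKER)
        start = i + 1


def matches_rev2(payload: bytes) -> bool:
    """sid:2016101 rev:2 - fires on any answer 131.253.18.x."""
    return any(True for _ in _candidates(payload))


def matches_rev6(payload: bytes) -> bool:
    """sid:2016101 rev:6 - byte_test:1,>,10,0,relative and byte_test:1,<,13,0,relative
    both read the same byte (byte_test does not advance the cursor), so the last
    octet must be 11 or 12."""
    return any(10 < payload[k] < 13 for k in _candidates(payload) if k < len(payload))


def evaluate_samples():
    """Run both revisions over constructed responses; returns (ip, rev2, rev6) tuples."""
    samples = [
        "131.253.18.12",   # sinkhole address: both revisions alert
        "131.253.18.5",    # same /24 but not a sinkhole octet: only rev 2 alerts
        "93.184.216.34",   # unrelated address: neither alerts
    ]
    results = []
    for ip in samples:
        pkt = build_dns_answer("host.example", ip)
        results.append((ip, matches_rev2(pkt), matches_rev6(pkt)))
    return results


if __name__ == "__main__":
    for ip, r2, r6 in evaluate_samples():
        print(f"{ip:16} rev2={r2!s:5} rev6={r6!s:5}")
```

Running it shows the false-positive mechanism directly: a host in 131.253.18.0/24 that is not one of the two sinkhole addresses trips rev 2 but not rev 6. Note that the match is against the raw UDP payload of the response, so the same logic applies to any resolver reply regardless of which query triggered it.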
I haven't seen any new hits after updating my rules. I had 20+ hosts hitting the sinkhole yesterday, ranging from Server 2012, Windows 7, Windows CE. None of them had Skype for Business, and only a few had Office 2010.

This is initiated by the process dmclient.exe.

From the MS website "": "The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment."

I see this on a regular basis on Windows 8.1 and Windows 10 machines that are not on a domain.
