TL;DR - Potentially bad #ATP rule update last night. Don't panic. Investigate - don't let me bias you. Providing for broader context.

#MDR insight: Between 06:25 UTC - 07:40 UTC we detected an unusually high # of false positive MS Defender ATP alerts for "Cobalt Strike C2".
We observed false positive alerts for:
[CommandAndControl] Cobalt Strike C2

Observed at: all customers running MS Defender ATP.

Fp sequence: System boot / logon initialization / ATP alert on netconn to 127.0.0.1.

We timelined.

No evidence of attacker activity. Bad rule.
Please don't let me bias you. This thread was built with the intent to provide greater context.

Yes, other orgs running @Microsoft Defender ATP had false positive alerts for [CommandAndControl] Cobalt Strike last night / this am.

From what we see: bad vendor rule (it happens)
Last false positive alert fired at ~07:40 UTC. This may already be addressed on the vendor side.

If you had alerts - please investigate. This info is for context - not meant to replace your investigation.

We'll continue to share details for those interested.
You can follow @jhencinski.
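Added example, not from the thread: a small Python triage helper that buckets Defender ATP "Cobalt Strike C2" alerts by whether they match the full FP sequence described above (boot/logon initialization, netconn to 127.0.0.1, inside the 06:25-07:40 UTC window). Anything that does not match every element stays in the investigate bucket; the boot/logon process names and the sample alerts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone

# Pattern reported in the thread (times are UTC).
ALERT_TITLE = "[CommandAndControl] Cobalt Strike C2"
FP_DESTINATION = "127.0.0.1"
FP_WINDOW = (time(6, 25), time(7, 40))

# Assumed boot / logon initialization processes (illustration, not from the thread).
BOOT_LOGON_PROCESSES = {"winlogon.exe", "userinit.exe", "svchost.exe"}


@dataclass
class Alert:
    alert_id: str
    title: str
    observed_at: datetime          # timezone-aware
    remote_ip: str
    initiating_process: str


def matches_known_fp(alert, boot_logon_processes, window=FP_WINDOW):
    """True only when every element of the reported FP sequence is present."""
    if alert.title != ALERT_TITLE or alert.remote_ip != FP_DESTINATION:
        return False
    observed = alert.observed_at.astimezone(timezone.utc).time()
    if not (window[0] <= observed <= window[1]):
        return False
    return alert.initiating_process.lower() in boot_logon_processes


def triage(alerts, boot_logon_processes):
    """Bucket alert ids: 'likely_fp' still gets a look, 'investigate' gets a full timeline."""
    buckets = {"likely_fp": [], "investigate": []}
    for alert in alerts:
        key = "likely_fp" if matches_known_fp(alert, boot_logon_processes) else "investigate"
        buckets[key].append(alert.alert_id)
    return buckets


# Constructed sample alerts (the date is a placeholder, not the real event date).
UTC = timezone.utc
SAMPLE = [
    Alert("a1", ALERT_TITLE, datetime(2000, 1, 1, 6, 30, tzinfo=UTC), "127.0.0.1", "winlogon.exe"),
    Alert("a2", ALERT_TITLE, datetime(2000, 1, 1, 7, 10, tzinfo=UTC), "203.0.113.7", "powershell.exe"),
    Alert("a3", ALERT_TITLE, datetime(2000, 1, 1, 9, 0, tzinfo=UTC), "127.0.0.1", "winlogon.exe"),
    Alert("a4", ALERT_TITLE, datetime(2000, 1, 1, 6, 50, tzinfo=UTC), "127.0.0.1", "rundll32.exe"),
]

if __name__ == "__main__":
    print(triage(SAMPLE, BOOT_LOGON_PROCESSES))
```

Only a1 lands in likely_fp; a2 (external destination), a3 (outside the window) and a4 (not a boot/logon process) stay in investigate, which is the point: loopback alone is not enough to close an alert.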