Read on Twitter
TL;DR - Potentially bad #ATP rule update last night. Don't panic. Investigate - don't let me bias you. Providing for broader context.
#MDR insight: Between 06:25 UTC - 07:40 UTC we detected an unusually high # of false positive MS Defender ATP alerts for "Cobalt Strike C2".
#MDR insight: Between 06:25 UTC - 07:40 UTC we detected an unusually high # of false positive MS Defender ATP alerts for "Cobalt Strike C2".
We observed false positive alerts for:
[CommandAndControl] Cobalt Strike C2
Observed at: all customers running MS Defender ATP.
Fp sequence: System boot / logon initialization / ATP alert on netconn to 127.0.0.1.
We timelined.
No evidence of attacker activity. Bad rule.
[CommandAndControl] Cobalt Strike C2
Observed at: all customers running MS Defender ATP.
Fp sequence: System boot / logon initialization / ATP alert on netconn to 127.0.0.1.
We timelined.
No evidence of attacker activity. Bad rule.
Please don't let me bias you. This thread was built with the intent to provide greater context.
Yes, other orgs running @Microsoft Defender ATP had false positive alerts for [CommandAndControl] Cobalt Strike last night / this am.
From what we see: bad vendor rule (it happens)
Yes, other orgs running @Microsoft Defender ATP had false positive alerts for [CommandAndControl] Cobalt Strike last night / this am.
From what we see: bad vendor rule (it happens)
Last false positive alert fired at ~07:40 UTC. This may already be addressed on the vendor side.
If you had alerts - please investigate. This info is for context - not meant to replace your investigation.
We'll continue to share details for those interested.
If you had alerts - please investigate. This info is for context - not meant to replace your investigation.
We'll continue to share details for those interested.
