Read on Twitter
TL;DR - Potentially bad #ATP rule update last night. Don& #39;t panic. Investigate - don& #39;t let me bias you. Providing for broader context.
#MDR insight: Between 06:25 UTC - 07:40 UTC we detected an unusually high # of false positive MS Defender ATP alerts for "Cobalt Strike C2".
#MDR insight: Between 06:25 UTC - 07:40 UTC we detected an unusually high # of false positive MS Defender ATP alerts for "Cobalt Strike C2".
We observed false positive alerts for:
[CommandAndControl] Cobalt Strike C2
Observed at: all customers running MS Defender ATP.
Fp sequence: System boot / logon initialization / ATP alert on netconn to 127.0.0.1.
We timelined.
No evidence of attacker activity. Bad rule.
[CommandAndControl] Cobalt Strike C2
Observed at: all customers running MS Defender ATP.
Fp sequence: System boot / logon initialization / ATP alert on netconn to 127.0.0.1.
We timelined.
No evidence of attacker activity. Bad rule.
Please don& #39;t let me bias you. This thread was built with the intent to provide greater context.
Yes, other orgs running @Microsoft Defender ATP had false positive alerts for [CommandAndControl] Cobalt Strike last night / this am.
From what we see: bad vendor rule (it happens)
Yes, other orgs running @Microsoft Defender ATP had false positive alerts for [CommandAndControl] Cobalt Strike last night / this am.
From what we see: bad vendor rule (it happens)
Last false positive alert fired at ~07:40 UTC. This may already be addressed on the vendor side.
If you had alerts - please investigate. This info is for context - not meant to replace your investigation.
We& #39;ll continue to share details for those interested.
If you had alerts - please investigate. This info is for context - not meant to replace your investigation.
We& #39;ll continue to share details for those interested.
