Security News > 2020 > October > Microsoft Defender ATP scars admins with false Cobalt Strike alerts
Administrators woke up to a scary surprise today after false positives in Microsoft Defender ATP showed network devices infected with Cobalt Strike.
Microsoft Defender ATP is Microsoft's enterprise antivirus and threat monitoring solution that admins deploy on devices throughout an organization.
These endpoints then monitor devices for malicious threats and behavior and send them back to Microsoft's cloud-based Microsoft Defender Security Center, where the alerts are aggregated and viewed from a central location.
It turns out that this was a Microsoft Defender ATP false positive that was detecting network connections to 127.0.0.1 as Cobalt Strike C2 traffic.
The bad signature causing the false positive has also been fixed, and admins should no longer see new alerts in Microsoft Defender Security Center.