Microsoft Defender ATP scars admins with false Cobalt Strike alerts
2020-10-28 11:14

Administrators woke up to a scary surprise today after false positives in Microsoft Defender ATP showed network devices infected with Cobalt Strike.

Microsoft Defender ATP is Microsoft's enterprise antivirus and threat monitoring solution that admins deploy on devices throughout an organization.

The agents on these endpoints then monitor the devices for malicious threats and behavior and report what they find back to Microsoft's cloud-based Microsoft Defender Security Center, where the alerts are aggregated and viewed from a central location.

It turns out that this was a Microsoft Defender ATP false positive that was detecting network connections to 127.0.0.1 as Cobalt Strike C2 traffic.

The bad signature causing the false positive has also been fixed, and admins should no longer see new alerts in Microsoft Defender Security Center.
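As an added illustration (not code from the original report or from Microsoft), the following Python helper shows how a SOC could have bulk-triaged the flood: it separates C2-style alerts whose supposed remote endpoint is a loopback address from those that point at a real remote host. It goes slightly beyond the page by treating the whole 127.0.0.0/8 block and ::1 as loopback, not only 127.0.0.1. The alert records and their field names are constructed for this example and do not follow any documented Defender Security Center schema.

```python
import ipaddress
import json

# Constructed sample alert records for demonstration only; the field names are
# assumed and do not follow any documented Defender Security Center export schema.
SAMPLE_ALERTS = json.loads("""[
  {"id": "a1", "title": "Cobalt Strike C2 traffic", "device": "ws-01",
   "remote_ip": "127.0.0.1", "remote_port": 50000},
  {"id": "a2", "title": "Cobalt Strike C2 traffic", "device": "ws-02",
   "remote_ip": "::1", "remote_port": 8080},
  {"id": "a3", "title": "Cobalt Strike C2 traffic", "device": "srv-01",
   "remote_ip": "203.0.113.10", "remote_port": 443},
  {"id": "a4", "title": "Cobalt Strike C2 traffic", "device": "ws-03",
   "remote_ip": "127.0.0.53", "remote_port": 53},
  {"id": "a5", "title": "Suspicious PowerShell", "device": "ws-04",
   "remote_ip": "127.0.0.1", "remote_port": 9000}
]""")


def is_loopback_c2(alert):
    """True for a C2-style alert whose remote address is loopback.

    Covers the whole 127.0.0.0/8 block and ::1, not just 127.0.0.1, because a
    loopback destination cannot be an external command-and-control server.
    Only alerts whose title mentions C2 are considered; other alert types that
    involve loopback (a local proxy, a debugger) are left for normal review.
    """
    if "C2" not in alert.get("title", ""):
        return False
    try:
        ip = ipaddress.ip_address(alert.get("remote_ip", ""))
    except ValueError:
        # Unparseable address: keep the alert in the investigation queue.
        return False
    return ip.is_loopback


def triage(alerts):
    """Split alerts into (needs_investigation, likely_false_positive) id lists."""
    real, likely_fp = [], []
    for alert in alerts:
        (likely_fp if is_loopback_c2(alert) else real).append(alert["id"])
    return real, likely_fp


if __name__ == "__main__":
    real, likely_fp = triage(SAMPLE_ALERTS)
    print("investigate:", real)
    print("likely false positive (loopback C2 destination):", likely_fp)
```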


News URL

https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-scars-admins-with-false-cobalt-strike-alerts/

Related vendor

VENDOR     LAST 12M #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Microsoft  480                   75    2308     5127   264        7774