Administrators woke up to a scary surprise today after false positives in Microsoft Defender ATP showed network devices as infected with Cobalt Strike. The bad signature that caused the false positives has since been fixed, and admins should no longer see new alerts. An alert for a Cobalt Strike beacon is a severe detection, so if you received such alerts you are better off safe than sorry and should perform a sweep of all affected devices. Cracked versions of Cobalt Strike are used by attackers to gain persistent remote access to a compromised network and are commonly seen during ransomware attacks.
Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-scars-admins-with-false-cobalt-strike-alerts/