Forum Discussion
hps88
Dec 07, 2023
Copper Contributor
Multiple MDI alerts for "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"
We're seeing several alerts firing up in our environment for the above. The alerts are primarily coming up from Linux hosts which are using the Winbindd component in Samba to integrate with the AD. W...
philippwree
Dec 11, 2023
Copper Contributor
I had the same problem and got the following answer from Microsoft:
Your suspicion is correct, these alerts are false positive alerts that were triggered by a code issue in a recent deployment that was intended to improve our false-positive detection coverage, which resulted in users seeing an increase of the specific alert in the security.microsoft.com portal. This was a global issue that was addressed in an advisory SHD DZ696339.
LiorShapira
Microsoft
Dec 11, 2023
We fixed the issue a few hours after it was discovered.