topic Endpoint connector 7.5.3.20938 flagging every service start as IOC in Endpoint Security https://community.cisco.com/t5/endpoint-security/endpoint-connector-7-5-3-20938-flagging-every-service-start-as/m-p/4585546#M6788 <P>Just about every service start command is being flagged as an IOC right now. I've gotten around 30 or 40 alerts in the last hour for normal service starting behavior, some examples:</P><P>&nbsp;</P><P><SPAN>C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry</SPAN></P><P><SPAN>C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc</SPAN></P><P><SPAN>C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc</SPAN></P><P><SPAN>C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</SPAN></P><P>&nbsp;</P><P>All these are getting flagged:&nbsp;Cloud IOC: ExecutedMalware.ioc</P><P>These are all normal service startup commands.</P><P>&nbsp;</P> Mon, 04 Apr 2022 19:54:19 GMT davalosn 2022-04-04T19:54:19Z Endpoint connector 7.5.3.20938 flagging every service start as IOC https://community.cisco.com/t5/endpoint-security/endpoint-connector-7-5-3-20938-flagging-every-service-start-as/m-p/4585546#M6788 <P>Just about every service start command is being flagged as an IOC right now. I've gotten around 30 or 40 alerts in the last hour for normal service starting behavior, some examples:</P><P>&nbsp;</P><P><SPAN>C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry</SPAN></P><P><SPAN>C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc</SPAN></P><P><SPAN>C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc</SPAN></P><P><SPAN>C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</SPAN></P><P>&nbsp;</P><P>All these are getting flagged:&nbsp;Cloud IOC: ExecutedMalware.ioc</P><P>These are all normal service startup commands.</P><P>&nbsp;</P> Mon, 04 Apr 2022 19:54:19 GMT https://community.cisco.com/t5/endpoint-security/endpoint-connector-7-5-3-20938-flagging-every-service-start-as/m-p/4585546#M6788 davalosn 2022-04-04T19:54:19Z Re: Endpoint connector 7.5.3.20938 flagging every service start as IOC https://community.cisco.com/t5/endpoint-security/endpoint-connector-7-5-3-20938-flagging-every-service-start-as/m-p/4585587#M6798 <P>All FPs.&nbsp;&nbsp;</P> <P>Check your Announcements panel in the console.</P> Mon, 04 Apr 2022 21:41:54 GMT https://community.cisco.com/t5/endpoint-security/endpoint-connector-7-5-3-20938-flagging-every-service-start-as/m-p/4585587#M6798 Ken Stieers 2022-04-04T21:41:54Z