https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4729365#M7178 <P>Thank you&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/547768">@Troja007</a>&nbsp;</P> Mon, 28 Nov 2022 20:55:34 GMT Hellen Queiros Brito 2022-11-28T20:55:34Z https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4649480#M6965 <P>For a long time I received many alerts about the Powershell being indentified as Malware, when a retrospective Malware alert was received making that file as Clean.</P><P>Common detecion:&nbsp;<SPAN>W32.PowershellEncodedBuffer.ioc</SPAN></P><P>Did anyone else see this same behavior?</P> Wed, 13 Jul 2022 12:16:15 GMT https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4649480#M6965 Hellen Queiros Brito 2022-07-13T12:16:15Z https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4651076#M6982 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1377376">@Hellen Queiros Brito</a>&nbsp;,<BR />FYI, the IOC does not outline that Powershell itself is malware, it outlines that something malicious may has been done with powershell. This IOC has been seen often in the past. It outlines, in most cases, that the command line includes a base64 encoded string. This technique can be used to hide something. This technique is also described by MITRE to obfuscate something.</P> <P>Two things:</P> <UL> <LI>i assume the IOC shows a severity level low, right?</LI> <LI>The IOC should also outline the string which was encoded, right?</LI> </UL> <P>Greetings,<BR />Thorsten</P> Fri, 15 Jul 2022 09:00:49 GMT https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4651076#M6982 Troja007 2022-07-15T09:00:49Z https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4728247#M7175 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/547768">@Troja007</a>&nbsp;.&nbsp;</P><P>Yes it's right. Shows as severety level low and it's was encoded too.</P><P>and what can we do in this case, I still receive several alerts regarding the PS and in another topic on the cisco blog it was mentioned that an isolated case would not be serious, but several alerts would already become worrying, relating to cases of LOLBins</P><P>&nbsp;</P><P>Thank you for your help!!</P> Fri, 25 Nov 2022 19:38:34 GMT https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4728247#M7175 Hellen Queiros Brito 2022-11-25T19:38:34Z https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4728953#M7176 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/844356">@hell</a>&nbsp;,<BR />there are two options.</P> <UL> <LI>Short Term: You may open a TAC case, so an exclusion gets added to your environment.</LI> <LI>Mid Term: We will provide IOC exclusions soon, so customer can configure their own IOC exclusions.</LI> </UL> <P>Greetings,<BR />Thorsten</P> Mon, 28 Nov 2022 08:14:03 GMT https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4728953#M7176 Troja007 2022-11-28T08:14:03Z https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4729365#M7178 <P>Thank you&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/547768">@Troja007</a>&nbsp;</P> Mon, 28 Nov 2022 20:55:34 GMT https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4729365#M7178 Hellen Queiros Brito 2022-11-28T20:55:34Z https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4729572#M7179 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1377376">@Hellen Queiros Brito</a>&nbsp;,<BR />FYI, custom CloudIOC exclusions have been released. They are handled and configured in the same way as any other exclusions.<BR />Greetings,<BR />Thorsten</P> Tue, 29 Nov 2022 09:36:18 GMT https://community.cisco.com/t5/endpoint-security/powershell-detected-as-malware/m-p/4729572#M7179 Troja007 2022-11-29T09:36:18Z