topic Re: Powershell Command in Registry Data in Endpoint Security

Powershell Command in Registry Data

Bunged — Wed, 13 Sep 2023 05:48:34 GMT

For the last few hours we have been seeing an increasing number of 'Powershell command in registry data' findings.
They all look the same and report something similar:

Observables

File:	taskhostw.exe e6370920…58402728
Registry Key:	\USER\S-1-5-21-1514197063-1296195755-1265796959-7856\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup\ListOfTaskBackedUpTiles_2361862998 ListOfTaskBackedUpTiles_2360852998

Observed Activity

Registry Set

\USER\S-1-5-21-1514197063-1296195755-1265796959-7856\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup\ListOfTaskBackedUpTiles_2361862998

I assume this is nothing to worry about? Is there a way to prevent this particular alert message or do we have to wait for a signature update?

Re: Powershell Command in Registry Data

0x23MW — Thu, 14 Sep 2023 07:17:22 GMT

No nothing to worry but it obviously looks like the behavioral monitoring mapped the way it was added to known tactics and techniques. Is there a new or updated group policy up and running that manipulates existing scheduled tasks? Not sure but I thought there's a way to mute alerts the get triggered.

Re: Powershell Command in Registry Data

Bunged — Fri, 15 Sep 2023 12:52:14 GMT

We have opened a TAC on this. They are still investigating but it seems that more than one customer has been affected.
I am curious about the cause of this 🙂

Re: Powershell Command in Registry Data

0x23MW — Fri, 15 Sep 2023 14:20:19 GMT

By now it seems to get evolving with the last ms windows updates (patchday)...:-D

Re: Powershell Command in Registry Data

mark.e — Mon, 25 Sep 2023 13:32:44 GMT

Did Cisco get back to you on this? I started seeing this in our environment this morning.

Re: Powershell Command in Registry Data

Bunged — Mon, 25 Sep 2023 13:49:50 GMT

No, not yet. We opened a TAC almost two weeks ago, but got no response other than "we're investigating"... 🤷‍♂️

Re: Powershell Command in Registry Data

IIIC — Wed, 27 Sep 2023 12:42:07 GMT

Hi There,

Just wondering if you have heard anything yet? I have had a couple of alerts for the same issue.

Thanks.

Re: Powershell Command in Registry Data

Bunged — Thu, 28 Sep 2023 07:08:47 GMT

> Sep 22: "Talos is currently working on improving the indicators of compromise. Unfortunately I do not have information about estimated time of putting this on production, but once I found out I will let you know immediately."

> Sep 27: "Engineering already improved the signatures so you should not see such False Positives anymore. Please confirm that everything is fine regarding this issue."

So supposedly it's fixed, but we're still getting alerts today...

Re: Powershell Command in Registry Data

IIIC — Thu, 28 Sep 2023 09:37:24 GMT

Thanks for the info, fingers crossed it's fixed.

Re: Powershell Command in Registry Data

sloeffler — Thu, 12 Oct 2023 14:54:44 GMT

We still see those alerts. Does anyone have news?

Re: Powershell Command in Registry Data

Bunged — Thu, 12 Oct 2023 16:39:19 GMT

We are still getting the alerts even though TAC has assured us several times that the problem is really fixed now... 🙄

Re: Powershell Command in Registry Data

ventaran — Thu, 26 Oct 2023 16:02:14 GMT

This popped

Registry Set \USER\S-1-5--blablalba\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup\ListOfTaskBackedUpTiles_1794425386

2023-10-26 03:48:27 EDT

We have sysmon and whatever installed. No PowerShell around the time.

Re: Powershell Command in Registry Data

mski7861 — Mon, 06 Nov 2023 14:42:24 GMT

I saw this on one of our hosts 10 times in the last month:

Registry Key: \USER\S-1-5-21-3581115410-45963113-3647916999-49065\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup\TotalListOfLastBackedUpTiles_2343873105

Let's hope this really is fixed.

Re: Powershell Command in Registry Data

ebarbarian99 — Tue, 21 Nov 2023 14:19:09 GMT

Still continuing to pop up for us, only a couple workstations though. Last one was on November 18th on version 8.1.3.

Re: Powershell Command in Registry Data

Jatrki — Thu, 23 Nov 2023 14:44:15 GMT

We have multiple customers and this only pops up for users of a specific customer (specific org). TAC says it's fixed with the latest definition updates but it's not. I have sent them some data and they are investigating.

Re: Powershell Command in Registry Data

mski7861 — Fri, 24 Nov 2023 14:33:18 GMT

Did Cisco say what version of the connector this was fixed in? The latest? Or did the signature get fixed for all versions of the connector?

Re: Powershell Command in Registry Data

RalphNelson — Sat, 25 Nov 2023 07:56:58 GMT

It looks the same here. We receive 5-10 alerts per day on this topic. Is there any news from Cisco or has someone already opened a new TAC?

Re: Powershell Command in Registry Data

ebarbarian99 — Tue, 09 Jan 2024 21:06:34 GMT

I only had 2 PCs that were constantly impacted with these false positives since October. Finally got with support, Cisco TAC recommended pushing the impacted workstations to version 8.2.1, and so far, I've not seen the issue crop up again for them for the last week.

I would take note there are a few community posts about 8.2.1 creating other problems, such as errors or high memory usage. Definitely test before doing a complete rollout. Good luck!

Re: Powershell Command in Registry Data

ebarbarian99 — Tue, 09 Jan 2024 21:08:38 GMT

See my other post above. Version 8.2.1 seems to be the only fix in my situation. Had no luck between versions 8.1.3 - 8.1.7.

Re: Powershell Command in Registry Data

mski7861 — Wed, 10 Jan 2024 17:37:23 GMT

Same here. Once I updated our connectors to 8.2.1.21650 the events subsided.