Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1536
Views
0
Helpful
1
Replies

Endpoint connector 7.5.3.20938 flagging every service start as IOC

davalosn
Level 1
Level 1

‎04-04-2022 12:54 PM

Just about every service start command is being flagged as an IOC right now. I've gotten around 30 or 40 alerts in the last hour for normal service starting behavior, some examples:

 

C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry

C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

 

All these are getting flagged: Cloud IOC: ExecutedMalware.ioc

These are all normal service startup commands.

 

4 people had this problem
Labels:
0 Helpful
1 Reply 1

Ken Stieers
VIP
VIP

‎04-04-2022 02:41 PM

All FPs.  

Check your Announcements panel in the console.

0 Helpful
Customers Also Viewed These Support Documents