Powershell Command in Registry Data

Bunged
Level 1

For the last few hours we have been seeing an increasing number of 'Powershell command in registry data' findings.
They all look the same and report something similar:

Observables
File: taskhostw.exe   e6370920…58402728
Registry Key: \USER\S-1-5-21-1514197063-1296195755-1265796959-7856\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup\ListOfTaskBackedUpTiles_2361862998   ListOfTaskBackedUpTiles_2360852998
Observed Activity
Registry Set \USER\S-1-5-21-1514197063-1296195755-1265796959-7856\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup\ListOfTaskBackedUpTiles_2361862998

I assume this is nothing to worry about? Is there a way to prevent this particular alert message or do we have to wait for a signature update?
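A triage filter for this class of alert, as an added example that is not part of the thread and not the vendor's product or signature: it applies a crude "PowerShell-looking registry data" heuristic and then suppresses only the specific benign combination quoted in the post above (taskhostw.exe writing ListOfTaskBackedUpTiles_<n> or TotalListOfLastBackedUpTiles_<n> under AppListBackup for any user SID). The event fields, the heuristic, the exclusion and every value_data string are assumptions; the thread does not show what data the key holds, so the sample data is constructed purely to make the heuristic fire.

```python
import re
from dataclasses import dataclass


@dataclass
class RegistrySetEvent:
    """One 'Registry Set' event as surfaced in the alert (field layout assumed)."""
    process: str          # image name of the writing process, e.g. taskhostw.exe
    key: str              # key path in the \USER\<SID>\... form quoted in the thread
    value_data: str = ""  # data written; not shown in the thread, constructed below


# Heuristic implied by the alert name: PowerShell-looking content in registry data.
# Constructed here for illustration; this is not the vendor's actual signature.
POWERSHELL_HINTS = re.compile(
    r"(?:\bpowershell(?:\.exe)?\b|\bpwsh(?:\.exe)?\b|-enc(?:odedcommand)?\b"
    r"|-nop\b|\biex\b|invoke-expression|frombase64string)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Exclusion:
    """A tuning rule: suppress only when process AND key both match."""
    name: str
    process: str
    key_pattern: re.Pattern


# Exclusion derived from the observables quoted in the thread: taskhostw.exe writing
# ListOfTaskBackedUpTiles_<n> or TotalListOfLastBackedUpTiles_<n> under any user SID.
APPLIST_BACKUP_FP = Exclusion(
    name="AppListBackup tile backup (reported as a false positive in the thread)",
    process="taskhostw.exe",
    key_pattern=re.compile(
        r"^\\USER\\S-1-5-21-\d+-\d+-\d+-\d+\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
        r"\\AppListBackup\\(?:ListOfTaskBackedUpTiles|TotalListOfLastBackedUpTiles)_\d+$",
        re.IGNORECASE,
    ),
)


def classify(event: RegistrySetEvent, exclusions=(APPLIST_BACKUP_FP,)) -> str:
    """Return 'no_match', 'suppressed' or 'alert' for one registry-set event."""
    if not POWERSHELL_HINTS.search(event.value_data):
        return "no_match"
    for exc in exclusions:
        if event.process.lower() == exc.process.lower() and exc.key_pattern.match(event.key):
            return "suppressed"
    return "alert"


def triage(events, exclusions=(APPLIST_BACKUP_FP,)) -> dict:
    """Bucket events by verdict; suppressed ones are kept so they can be audited."""
    buckets = {"alert": [], "suppressed": [], "no_match": []}
    for ev in events:
        buckets[classify(ev, exclusions)].append(ev)
    return buckets


# Constructed sample events. SIDs and key names are the ones quoted in the thread;
# the value_data strings are invented so the heuristic has something to match.
_APPLIST = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup"
SAMPLE_EVENTS = [
    RegistrySetEvent("taskhostw.exe",
                     r"\USER\S-1-5-21-1514197063-1296195755-1265796959-7856" + _APPLIST
                     + r"\ListOfTaskBackedUpTiles_2361862998",
                     r"constructed tile target C:\Program Files\PowerShell\7\pwsh.exe"),
    RegistrySetEvent("taskhostw.exe",
                     r"\USER\S-1-5-21-3581115410-45963113-3647916999-49065" + _APPLIST
                     + r"\TotalListOfLastBackedUpTiles_2343873105",
                     "constructed tile blob referencing powershell.exe"),
    RegistrySetEvent("unknownproc.exe",  # hypothetical process, not from the thread
                     r"\USER\S-1-5-21-1514197063-1296195755-1265796959-7856"
                     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
                     "powershell.exe -nop -w hidden -EncodedCommand AAAA"),
    RegistrySetEvent("taskhostw.exe",
                     r"\USER\S-1-5-21-1514197063-1296195755-1265796959-7856" + _APPLIST
                     + r"\ListOfTaskBackedUpTiles_1794425386",
                     "plain tile data"),
    RegistrySetEvent("explorer.exe",  # same key, different writer: must still alert
                     r"\USER\S-1-5-21-1514197063-1296195755-1265796959-7856" + _APPLIST
                     + r"\ListOfTaskBackedUpTiles_2361862998",
                     "constructed tile blob referencing powershell.exe"),
]

if __name__ == "__main__":
    for verdict, evs in triage(SAMPLE_EVENTS).items():
        for ev in evs:
            print(f"{verdict:10} {ev.process:16} {ev.key}")
```

The exclusion is keyed on process and key together, so the same PowerShell-looking data written by a different process, or by taskhostw.exe to a different key, still alerts; passing an empty exclusions tuple shows what the untuned heuristic would have raised, and the suppressed bucket stays available for review.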
19 Replies

0x23MW
Level 1

No, nothing to worry about, but it obviously looks like the behavioral monitoring mapped the way it was added to known tactics and techniques. Is there a new or updated group policy up and running that manipulates existing scheduled tasks? Not sure, but I thought there's a way to mute alerts that get triggered.


We have opened a TAC case on this. They are still investigating, but it seems that more than one customer has been affected.
I am curious about the cause of this.

By now it seems to be evolving with the latest MS Windows updates (patch day)... :-D

mark.e
Level 1

Did Cisco get back to you on this? I started seeing this in our environment this morning.

No, not yet. We opened a TAC almost two weeks ago, but got no response other than "we're investigating"... 🤷‍

Hi There,

Just wondering if you have heard anything yet? I have had a couple of alerts for the same issue.

Thanks.

> Sep 22: "Talos is currently working on improving the indicators of compromise. Unfortunately I do not have information about estimated time of putting this on production, but once I found out I will let you know immediately."

> Sep 27: "Engineering already improved the signatures so you should not see such False Positives anymore. Please confirm that everything is fine regarding this issue."

So supposedly it's fixed, but we're still getting alerts today...

Thanks for the info, fingers crossed it's fixed.

sloeffler
Level 1

We still see those alerts. Does anyone have news?

We are still getting the alerts even though TAC has assured us several times that the problem is really fixed now...

ventaran
Level 1

This popped:

Registry Set \USER\S-1-5--blablalba\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup\ListOfTaskBackedUpTiles_1794425386
2023-10-26 03:48:27 EDT

We have Sysmon and whatever installed. No PowerShell around the time.

mski7861
Level 1

I saw this on one of our hosts 10 times in the last month:

Registry Key: \USER\S-1-5-21-3581115410-45963113-3647916999-49065\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup\TotalListOfLastBackedUpTiles_2343873105

Let's hope this really is fixed.

ebarbarian99
Level 1

Still continuing to pop up for us, only on a couple of workstations though. The last one was on November 18th on version 8.1.3.

Jatrki
Level 1

We have multiple customers and this only pops up for users of a specific customer (specific org). TAC says it's fixed with the latest definition updates but it's not. I have sent them some data and they are investigating.