09-12-2023 10:48 PM
For the last few hours we have been seeing an increasing number of 'Powershell command in registry data' findings.
They all look the same and report something similar:
File: taskhostw.exe e6370920…58402728
Registry Key: \USER\S-1-5-21-1514197063-1296195755-1265796959-7856\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup\ListOfTaskBackedUpTiles_2361862998 ListOfTaskBackedUpTiles_2360852998
Registry Set: \USER\S-1-5-21-1514197063-1296195755-1265796959-7856\SOFTWARE\Microsoft\Windows\CurrentVersion\AppListBackup\ListOfTaskBackedUpTiles_2361862998
11-24-2023 06:33 AM
Did Cisco say what version of the connector this was fixed in? The latest? Or did the signature get fixed for all versions of the connector?
01-09-2024 01:06 PM
I only had 2 PCs that were constantly impacted with these false positives since October. Finally got with support; Cisco TAC recommended pushing the impacted workstations to version 8.2.1, and so far, I've not seen the issue crop up again for them for the last week.
I would take note there are a few community posts about 8.2.1 creating other problems, such as errors or high memory usage. Definitely test before doing a complete rollout. Good luck!
11-24-2023 11:56 PM
It looks the same here. We receive 5-10 alerts per day on this topic. Is there any news from Cisco or has someone already opened a new TAC?
01-09-2024 01:08 PM
See my other post above. Version 8.2.1 seems to be the only fix in my situation. Had no luck between versions 8.1.3 - 8.1.7.
01-10-2024 09:37 AM
Same here. Once I updated our connectors to 8.2.1.21650 the events subsided.