PowerShell detected as Malware

For a long time I have received many alerts about PowerShell being identified as Malware, after which a retrospective Malware alert was received marking that file as Clean.

Common detection: W32.PowershellEncodedBuffer.ioc

Did anyone else see this same behavior?

Accepted Solution

Hello @hell,
there are two options.

  • Short Term: You may open a TAC case, so an exclusion gets added to your environment.
  • Mid Term: We will provide IOC exclusions soon, so customers can configure their own IOC exclusions.

Greetings,
Thorsten


5 Replies

Troja007
Cisco Employee

Hello @Hellen Queiros Brito,
FYI, the IOC does not outline that PowerShell itself is malware; it outlines that something malicious may have been done with PowerShell. This IOC has been seen often in the past. It outlines, in most cases, that the command line includes a base64 encoded string. This technique can be used to hide something. This technique is also described by MITRE to obfuscate something.

Two things:

  • I assume the IOC shows a severity level low, right?
  • The IOC should also outline the string which was encoded, right?

Greetings,
Thorsten
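Seeing what was actually encoded is the first triage step for this IOC. The following is an added example (not Cisco's and not the thread's own code) that decodes the two shapes the reply describes: the -EncodedCommand argument, which PowerShell reads as UTF-16LE base64, and a base64 literal passed to [Convert]::FromBase64String inside an inline script. The command lines are constructed, benign samples; the function and variable names are this example's own.

```python
import base64
import re
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the usual spellings.
_ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Base64 literals handed to [Convert]::FromBase64String(...) inside an inline script block.
_INLINE_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{32,})['\"]\s*\)", re.I)

def _b64_bytes(blob: str) -> Optional[bytes]:
    """Strict base64 decode; None for anything that is not a well-formed buffer."""
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def _bytes_to_text(raw: bytes) -> Optional[str]:
    """Guess the text encoding: ASCII stored as UTF-16LE has a NUL in every odd byte."""
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    for enc in ("utf-8", "utf-16-le"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return None

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Script behind -EncodedCommand (always UTF-16LE), or None when absent or malformed."""
    m = _ENC_FLAG.search(cmdline)
    raw = _b64_bytes(m.group(1)) if m else None
    if raw is None or len(raw) % 2:
        return None
    return raw.decode("utf-16-le", errors="replace")

def decode_inline_buffers(cmdline: str) -> List[str]:
    """Decode every FromBase64String("...") literal found in the command line."""
    texts = [_bytes_to_text(raw) for raw in map(_b64_bytes, _INLINE_B64.findall(cmdline)) if raw]
    return [t for t in texts if t is not None]

def encode_for_powershell(script: str) -> str:
    """The -EncodedCommand form of a script, exactly as benign management tooling produces it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed samples (not from the thread): one benign inventory one-liner in both shapes.
SAMPLE_SCRIPT = "Get-Service | Where-Object Status -eq 'Running' | Select-Object Name"
SAMPLE_CMDLINE = "powershell.exe -NoProfile -NonInteractive -enc " + encode_for_powershell(SAMPLE_SCRIPT)
INLINE_PAYLOAD = "Write-Output 'inventory complete'"
SAMPLE_INLINE = ("powershell.exe -c \"$m=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('%s')); $m\""
                 % base64.b64encode(INLINE_PAYLOAD.encode()).decode("ascii"))
```

Run decode_encoded_command over the command line reported with each alert; a decoded script that matches a known management task is the basis for the exclusion the replies below discuss, while anything unreadable or unexpected is what the low-severity IOC is there to surface.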

Hello @Troja007.

Yes, that's right. It shows as severity level low and it was encoded too.

And what can we do in this case? I still receive several alerts regarding the PS, and in another topic on the Cisco blog it was mentioned that an isolated case would not be serious, but several alerts would already become worrying, relating to cases of LOLBins.

Thank you for your help!!

Thank you @Troja007

Hello @Hellen Queiros Brito,
FYI, custom CloudIOC exclusions have been released. They are handled and configured in the same way as any other exclusions.
Greetings,
Thorsten
