Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1568
Views
5
Helpful
5
Replies

PowerShell detected as Malware

Go to solution
Hellen Queiros Brito
Level 1
Level 1

‎07-13-2022 05:16 AM

For a long time I received many alerts about the Powershell being indentified as Malware, when a retrospective Malware alert was received making that file as Clean.

Common detecion: W32.PowershellEncodedBuffer.ioc

Did anyone else see this same behavior?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Troja007
Cisco Employee
Cisco Employee
In response to Hellen Queiros Brito

‎11-28-2022 12:14 AM

Hello @hell ,
there are two options.

  • Short Term: You may open a TAC case, so an exclusion gets added to your environment.
  • Mid Term: We will provide IOC exclusions soon, so customer can configure their own IOC exclusions.

Greetings,
Thorsten

View solution in original post

5 Replies 5

Go to solution
Troja007
Cisco Employee
Cisco Employee

‎07-15-2022 02:00 AM

Hello @Hellen Queiros Brito ,
FYI, the IOC does not outline that Powershell itself is malware, it outlines that something malicious may has been done with powershell. This IOC has been seen often in the past. It outlines, in most cases, that the command line includes a base64 encoded string. This technique can be used to hide something. This technique is also described by MITRE to obfuscate something.

Two things:

  • i assume the IOC shows a severity level low, right?
  • The IOC should also outline the string which was encoded, right?

Greetings,
Thorsten

0 Helpful

Go to solution
Hellen Queiros Brito
Level 1
Level 1
In response to Troja007

‎11-25-2022 11:38 AM

Hello @Troja007 . 

Yes it's right. Shows as severety level low and it's was encoded too.

and what can we do in this case, I still receive several alerts regarding the PS and in another topic on the cisco blog it was mentioned that an isolated case would not be serious, but several alerts would already become worrying, relating to cases of LOLBins

 

Thank you for your help!!

0 Helpful

Go to solution
Troja007
Cisco Employee
Cisco Employee
In response to Hellen Queiros Brito

‎11-28-2022 12:14 AM

Hello @hell ,
there are two options.

  • Short Term: You may open a TAC case, so an exclusion gets added to your environment.
  • Mid Term: We will provide IOC exclusions soon, so customer can configure their own IOC exclusions.

Greetings,
Thorsten

Go to solution
Hellen Queiros Brito
Level 1
Level 1

‎11-28-2022 12:55 PM

Thank you @Troja007 

0 Helpful

Go to solution
Troja007
Cisco Employee
Cisco Employee
In response to Hellen Queiros Brito

‎11-29-2022 01:36 AM

Hello @Hellen Queiros Brito ,
FYI, custom CloudIOC exclusions have been released. They are handled and configured in the same way as any other exclusions.
Greetings,
Thorsten

0 Helpful
Customers Also Viewed These Support Documents