Just about every service start command is being flagged as an IOC right now. I've gotten around 30 or 40 alerts in the last hour for normal service starting behavior, some examples: C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry...
I agree with Orlith as well. I can tell you definitively that the install scan misses things that should have been caught if it were truly doing a full system scan. Things got picked up and quarantined on endpoints after scheduling a full system scan...
I can't find exactly where these are being downloaded from in AMP, Threat Response or Umbrella. I'm assuming it's a false positive on Grammarly JavaScripts.