Re: Isolated host generating multiple Expolit Prevention events

mski7861 · ‎04-09-2024

We have an end user machine that was placed into isolation after a high severity Cloud IOC Event (Cloud IOC: W32.PowershellIEXReplace.ioc) and a low severity Cloud IOC Event (Cloud IOC: W32.PowershellObfuscationAttempt.ioc) was detected. Powershell called cmd.exe and attempted to download sh.jpg from a URL. Once this happened, I received over 400 Exploit Prevention events for RegSvcs.exe for process hollowing attempts.

I want to be sure the exploit prevention events aren't false positives.

Roman Valenta · ‎04-09-2024

Seem like legitimate attack but not enough information to be 100% positive. If you like to investigate this incident more deeper you can always open TAC case and let us look in to that with you. Also as reminder. Most IOCs are generated by the AMP Console and are known as Synthetic events. They are merely notifications. The IOCs simply look for files or behaviors that match specific patterns and alert on them, sometimes whether it is benign or not. IOC’s will not BLOCK or QUARANTINE they will only inform you about something that you as administrator should investigate. Typically, these events do not always mean your endpoint has something malicious on it or block a file, it is more of an alert that you should investigate further. Automated action (isolation) however still apply.

mski7861 · ‎04-09-2024

Thank you Roman, I understand the roles of IOCs and appreciate your feedback. I opened a tac case to help investigate this further.