https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472280#M1540 <P>Hello,</P><P>We are seeing what appears to be false positive detections for the PoshC2C vulnerability signatures that was released recently. Connections going to Google and BBC, is anyone else seeing the same thing here?</P> Fri, 11 Mar 2022 10:17:48 GMT MichaelWrigh 2022-03-11T10:17:48Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472280#M1540 <P>Hello,</P><P>We are seeing what appears to be false positive detections for the PoshC2C vulnerability signatures that was released recently. Connections going to Google and BBC, is anyone else seeing the same thing here?</P> Fri, 11 Mar 2022 10:17:48 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472280#M1540 MichaelWrigh 2022-03-11T10:17:48Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472349#M1541 <P>I think I'm seeing this too. I have a particular user where I'm seeing this when they click the google logo to go back to the main search page. I'm getting&nbsp;<SPAN>Threat ID: 86523</SPAN></P> Fri, 11 Mar 2022 15:07:42 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472349#M1541 lvultao 2022-03-11T15:07:42Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472365#M1542 <P>Confirmed. I just tried the same and got the alert for PoshC2 (ThreatID: 86523, release 8540 2022-03-10). Extremely easy to replicate:</P><P class="lia-indent-padding-left-30px">1) Do a Google search</P><P class="lia-indent-padding-left-30px">2) Click the Google logo on the search results page</P><P class="lia-indent-padding-left-30px">3) Page redirects to hxxps://google.com/webhp?hl=en&amp;sa=X&amp;ved=&lt;trackingID&gt; and is blocked as a threat</P> Fri, 11 Mar 2022 15:37:55 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472365#M1542 Adrian_Jensen 2022-03-11T15:37:55Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472451#M1543 <P>It appears that the rule looks for the URL strings listed on github[.]com/johnjohnsp1/PoshC2_Python/blob/master/Config.py:</P><P>URLS = '"adsense/troubleshooter/1631343/","adServingData/PROD/TMClient/6/8736/","advanced_search?hl=en-GB&amp;fg=","async/newtab?ei=","babel-polyfill/6.3.14/polyfill.min.js=","bh/sync/aol?rurl=/ups/55972/sync?origin=","bootstrap/3.1.1/bootstrap.min.js?p=","branch-locator/search.asp?WT.ac&amp;api=","business/home.asp&amp;ved=","business/retail-business/insurance.asp?WT.mc_id=","cdb?ptv=48&amp;profileId=125&amp;av=1&amp;cb=","cis/marketq?bartype=AREA&amp;showheader=FALSE&amp;showvaluemarkers=","classroom/sharewidget/widget_stable.html?usegapi=","client_204?&amp;atyp=i&amp;biw=1920&amp;bih=921&amp;ei=","load/pages/index.php?t=","putil/2018/0/11/po.html?ved=","q/2018/load.php?lang=en&amp;modules=","status/995598521343541248/query=","TOS?loc=GB&amp;hl=en&amp;privacy=","trader-update/history&amp;pd=","types/translation/v1/articles/","uasclient/0.1.34/modules/","usersync/tradedesk/","utag/lbg/main/prod/utag.15.js?utv=","vs/1/vsopts.js?","vs/site/bgroup/visitor/","w/load.php?debug=false&amp;lang=en&amp;modules=","web/20110920084728/","webhp?hl=en&amp;sa=X&amp;ved=","work/embedded/search?oid="'</P> Fri, 11 Mar 2022 18:56:51 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472451#M1543 SecurityEngineering 2022-03-11T18:56:51Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472473#M1544 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/212472">@SecurityEngineering</a>&nbsp;wrote:<P>&nbsp; "webhp?hl=en&amp;sa=X&amp;ved="</P><HR /></BLOCKQUOTE><P>Bingo.... that is the path of the Google redirect back to the main search page.</P><P>&nbsp;</P><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/62978">@MichaelWrigh</a>&nbsp; Have you opened a false alert report with PA?</P> Fri, 11 Mar 2022 19:50:54 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472473#M1544 Adrian_Jensen 2022-03-11T19:50:54Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472922#M1545 <P>Not yet, am hoping to get it done soon though. Am on a training course this week but should be bale to find the time.</P> Mon, 14 Mar 2022 16:52:56 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472922#M1545 MichaelWrigh 2022-03-14T16:52:56Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472928#M1546 <P>It looks like someone has already submitted a false positive report. The 8541 release has a single note about improving PoshC2 detection. Testing against Google I am no longer seeing the false alert.</P> Mon, 14 Mar 2022 17:01:27 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/poshc2-false-positive/m-p/472928#M1546 Adrian_Jensen 2022-03-14T17:01:27Z