PoshC2 false positive

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

PoshC2 false positive

L2 Linker


We are seeing what appears to be false positive detections for the PoshC2C vulnerability signatures that was released recently. Connections going to Google and BBC, is anyone else seeing the same thing here?


L0 Member

I think I'm seeing this too. I have a particular user where I'm seeing this when they click the google logo to go back to the main search page. I'm getting Threat ID: 86523

L6 Presenter

Confirmed. I just tried the same and got the alert for PoshC2 (ThreatID: 86523, release 8540 2022-03-10). Extremely easy to replicate:

1) Do a Google search

2) Click the Google logo on the search results page

3) Page redirects to hxxps://google.com/webhp?hl=en&sa=X&ved=<trackingID> and is blocked as a threat

It appears that the rule looks for the URL strings listed on github[.]com/johnjohnsp1/PoshC2_Python/blob/master/Config.py:

URLS = '"adsense/troubleshooter/1631343/","adServingData/PROD/TMClient/6/8736/","advanced_search?hl=en-GB&fg=","async/newtab?ei=","babel-polyfill/6.3.14/polyfill.min.js=","bh/sync/aol?rurl=/ups/55972/sync?origin=","bootstrap/3.1.1/bootstrap.min.js?p=","branch-locator/search.asp?WT.ac&api=","business/home.asp&ved=","business/retail-business/insurance.asp?WT.mc_id=","cdb?ptv=48&profileId=125&av=1&cb=","cis/marketq?bartype=AREA&showheader=FALSE&showvaluemarkers=","classroom/sharewidget/widget_stable.html?usegapi=","client_204?&atyp=i&biw=1920&bih=921&ei=","load/pages/index.php?t=","putil/2018/0/11/po.html?ved=","q/2018/load.php?lang=en&modules=","status/995598521343541248/query=","TOS?loc=GB&hl=en&privacy=","trader-update/history&pd=","types/translation/v1/articles/","uasclient/0.1.34/modules/","usersync/tradedesk/","utag/lbg/main/prod/utag.15.js?utv=","vs/1/vsopts.js?","vs/site/bgroup/visitor/","w/load.php?debug=false&lang=en&modules=","web/20110920084728/","webhp?hl=en&sa=X&ved=","work/embedded/search?oid="'

@SecurityEngineering wrote:


Bingo.... that is the path of the Google redirect back to the main search page.


@MichaelWrigh  Have you opened a false alert report with PA?

Not yet, am hoping to get it done soon though. Am on a training course this week but should be bale to find the time.

L6 Presenter

It looks like someone has already submitted a false positive report. The 8541 release has a single note about improving PoshC2 detection. Testing against Google I am no longer seeing the false alert.

  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!