Malicious File Detected

Solved
Kelkar
Conversationalist

Malicious File Detected

Hello,

 

I have detected a file that was flagged by our Cisco Endpoint protection.

 

File Name: Get-NewLocalAdmin.ps1

Detection: W32.CFAB3E3BCA-95.SBX.TG

SHA 256: cfab3e3bca1517a535358cef7b206c65abb02470495ac929ca7b3ee0cfe3fab8

 

It looks like it spread across a lot of our computers and servers but it was denied. I have put it under the blocked application list.

 

I also found another file called "Set-LocalAdmin.ps1"

 

They were created in the ProgramData folder and the folder was called _Automation

 

I would like any advice if possible!

 

File Detected.png

 

Location of File on End User.png

1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal

Have more than one layer of protection, like a good antivirus for example.
 
Relying solely on the firewall does not guarantee good protection, nor does having a good antivirus.
 
The best thing you can do is “educate” users, create anti-phishing campaigns, etc.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

2 Replies 2
alemabrahao
Kind of a big deal
Kind of a big deal

Have more than one layer of protection, like a good antivirus for example.
 
Relying solely on the firewall does not guarantee good protection, nor does having a good antivirus.
 
The best thing you can do is “educate” users, create anti-phishing campaigns, etc.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Kelkar
Conversationalist

Hello,

 

Thank you for the feedback. It turns out the issue was from our MSP running a script without notifying me 😑

 

Sorry for the trouble! 

Get notified when there are additional replies to this discussion.