False Positive: Dell Update Alert

This ticket was raised automatically on February 4, 2025 from a CrowdStrike Falcon prevention alert (IOA VolumeShadowSnapshotDeleted, tactic Impact, technique Inhibit System Recovery). Technician Vishall K marked it a false positive and closed it 58 minutes later. The blocked operation came from a Dell SupportAssist OS Recovery plugin installer for Dell Update (DellUpdateSupportAssistPlugin.exe) running from the WiX Burn Package Cache under C:\ProgramData; the sensor prevented its attempt to delete a volume shadow snapshot. The closure records only the comment "Dell software update alert" and no closure code; the alert itself carries the binary's path and SHA256, which is the evidence a false-positive closure should cite.

03/06/2025, 11:27 ITS Security - ManageEngine ServiceDesk Plus Cloud

REQUEST ID- # 167483

Malicious activity detected - Falcon (False Positive)


Requested by falcon on Feb 4, 2025 10:08 AM Approval Status : Not Configured

Request Details

Requester Name: falcon
Technician: vishall k
Status: Closed
Priority: Medium
Device check needed: Not Assigned
User Location: Not Assigned
EDR Installation present: Yes
Notified User: Not Assigned
Detection Type: False Positive
Created Date: Feb 4, 2025 10:08 AM
Responded Time: Not Configured
Due by date: Feb 4, 2025 12:08 PM
Completed Time: Feb 4, 2025 11:06 AM
Response Due Date: Not Configured
Emails to Notify: -
Created By: System
Department: Not Assigned
Template: Malware Incident Response L1 Template
SLA: Medium SLA
Closure Code: Not Assigned
Closure Comments: -
Status Change Comments:
Time Elapsed: 00hrs 58mins

Conversations

falcon On : Feb 4, 2025 10:08 AM

Malicious activity detected - Falcon (False Positive)

Your Workflow generated an alert for your environment. Please review the information below.

Trigger: Alert

Trigger

User name: shub-18595
Sensor hostname: SHUB-18595-GF
User ID: S-1-5-21-1867688552-3649366528-3325780993-130106
Tactic: Impact
Technique: Inhibit System Recovery
Command Line: "C:\ProgramData\Package Cache\{f6a4df94-48f2-459a-8d40-16b1fbed13c5}\[Link]" -q -[Link] BurnPipe.{9060D8BB-4927-4E67-84B3-7D217932F09A} {A5345C0E-6479-4C0E-93F8-F7FA17490915} 12916
Parent Process command line: "C:\ProgramData\Package Cache\{f6a4df94-48f2-459a-8d40-16b1fbed13c5}\[Link]" -[Link]="C:\ProgramData\Package Cache\{f6a4df94-48f2-459a-8d40-16b1fbed13c5}\[Link]" -[Link]=528 -[Link]=644 /quiet /norestart /[Link] "C:\Windows\TEMP\Dell_SupportAssist_OS_Recovery_Plugin_for_Dell_Update_20240206094037.log"
Grandparent Process command line: "C:\ProgramData\Package Cache\{f6a4df94-48f2-459a-8d40-16b1fbed13c5}\[Link]" /quiet /norestart /[Link] "C:\Windows\TEMP\Dell_SupportAssist_OS_Recovery_Plugin_for_Dell_Update_20240206094037.log"
Action taken: Prevention, operation blocked.
Sensor local ip address: [Link]
Sensor external ip address: [Link]
Sensor external ipv6 address:
Sensor local ipv6 address:
Executable MD5: f388ceba4ea486963c33125c27548ecd
Parent Process executable md5: f388ceba4ea486963c33125c27548ecd
Grandparent Process executable md5: f388ceba4ea486963c33125c27548ecd
Executable SHA256: b46ce2340a3e12eda105c6852dfd6c4952ddfedfe7cb5bf1d53c4194c8cbd7f1
Parent Process executable sha256: b46ce2340a3e12eda105c6852dfd6c4952ddfedfe7cb5bf1d53c4194c8cbd7f1
Grandparent Process executable sha256: b46ce2340a3e12eda105c6852dfd6c4952ddfedfe7cb5bf1d53c4194c8cbd7f1
Sensor bios manufacturer: Dell Inc.
Sensor bios version: 1.28.0
Product ePP behavior objective: Follow Through
Product ePP behavior timestamp: 2025-02-04T[Link]Z
Product ePP behavior timestamp, date: 2025-02-04
Product ePP behavior timestamp, day of week: Tuesday
Product ePP behavior timestamp, hour: 4
Cloud process ID: pid:263b41b38a164d909ac27fbb0db0976e:4211922372945
Custom IOA rule:
Alert ID: f4bf9189cb9c4ca48982e367d2f819cc:ind:263b41b38a164d909ac27fbb0db0976e:4211922372945-458-3010320
URL: [Link] v2/detections/f4bf9189cb9c4ca48982e367d2f819cc:ind:263b41b38a164d909ac27fbb0db0976e:4211922372945-458-3010320?_cid=g030006s2n6qpp2jcanat4s74cvtsp4y
File path: \Device\HarddiskVolume3\ProgramData\Package Cache\{f6a4df94-48f2-459a-8d40-16b1fbed13c5}\[Link]
Parent Process file path: \Device\HarddiskVolume3\ProgramData\Package Cache\{f6a4df94-48f2-459a-8d40-16b1fbed13c5}\[Link]
Grandparent Process file path: \Device\HarddiskVolume3\ProgramData\Package Cache\{f6a4df94-48f2-459a-8d40-16b1fbed13c5}\[Link]
Image file name: [Link]
Parent Process image file name: [Link]
Grandparent Process image file name: [Link]
Status: New
Sensor host type: Workstation
IOC Type:
Severity: Medium
Sensor mac address: cc-96-e5-c7-36-c1
Sensor os version: Windows 10
Sensor system manufacturer: Dell Inc.
Source event URL: [Link] v2/detections/f4bf9189cb9c4ca48982e367d2f819cc:ind:263b41b38a164d909ac27fbb0db0976e:4211922372945-458-3010320?_cid=g030006s2n6qpp2jcanat4s74cvtsp4y
Sensor platform: Windows
Sensor domain: [Link]
OS Process ID: 19836
IOC Value:
Sensor host id: 263b41b38a164d909ac27fbb0db0976e
Sensor host groups:
["5f85ec4d77f2471eb55bc14705692004","aa779c34c903424bbb72184a345d0546","ab56e20ef467435dbbac39dfd7d14326"]
IOA Description: A process attempted to delete a Volume Shadow Snapshot.
IOA Name: VolumeShadowSnapshotDeleted
Product ePP behavior timestamp, minute: 35
Product ePP behavior timestamp, timezone: UTC
Grandparent Process os process id: 20896
Grandparent Process user name: shub-18595
Sensor host tags:
Last Update: 2025-02-04T[Link]Z

Sensor version: 7.21.19205.0
Sensor system product: Precision 5570
Sensor site: KRISP

See in Falcon

Copyright © 2024 CrowdStrike, Inc. All rights reserved.
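Triage logic for an alert of this shape, as an added example that is not code from the ticket, Dell, CrowdStrike or ManageEngine. It parses the "Key: value" lines of the Falcon alert body and applies the checks an analyst should make before marking a VolumeShadowSnapshotDeleted prevention as a false positive: the executable, parent and grandparent share one SHA256; every image lives under a WiX Burn Package Cache directory; the child was launched through Burn's elevation pipe while the parents ran a silent install; and no built-in shadow-copy tooling (vssadmin, wmic shadowcopy, wbadmin, diskshadow) appears in the chain. Both sample alerts are constructed: the first copies the GUIDs, hashes and flags from the alert above but uses the placeholder name bootstrapper.exe because the export elided the binary; the second is an invented malicious chain for contrast. The heuristics, verdict strings and follow-up wording are mine, not Falcon's.

```python
"""Triage a Falcon "VolumeShadowSnapshotDeleted" alert pasted into a ticket.

Added example, not Dell, CrowdStrike or ManageEngine code. Sample alerts are
constructed; "bootstrapper.exe" is a placeholder for the elided binary name.
"""
import re
from dataclasses import dataclass, field

ATTACK_IDS = {"inhibit system recovery": "T1490"}        # MITRE ATT&CK technique ID

_KV = re.compile(r"^([A-Za-z0-9 ,]+?):\s?(.*)$")        # "Key: value", value may be empty
_QUOTED = re.compile(r'^"([^"]+)"')                      # leading quoted image path
# WiX Burn caches bootstrappers under <drive>:\ProgramData\Package Cache\{package GUID}\
_PACKAGE_CACHE = re.compile(
    r"^[A-Za-z]:\\ProgramData\\Package Cache\\\{[0-9A-Fa-f-]{36}\}\\", re.I)
# Built-in tooling ransomware uses for T1490; none of it belongs in an installer chain
_VSS_TOOL_MARKERS = ("vssadmin", "shadowcopy", "wbadmin", "diskshadow")

# Constructed from the ticket's alert: same GUIDs, hashes and flags, placeholder binary.
FALCON_ALERT = r"""
Tactic: Impact
Technique: Inhibit System Recovery
Command Line: "C:\ProgramData\Package Cache\{f6a4df94-48f2-459a-8d40-16b1fbed13c5}\bootstrapper.exe" -q BurnPipe.{9060D8BB-4927-4E67-84B3-7D217932F09A} {A5345C0E-6479-4C0E-93F8-F7FA17490915} 12916
Parent Process command line: "C:\ProgramData\Package Cache\{f6a4df94-48f2-459a-8d40-16b1fbed13c5}\bootstrapper.exe" /quiet /norestart
Grandparent Process command line: "C:\ProgramData\Package Cache\{f6a4df94-48f2-459a-8d40-16b1fbed13c5}\bootstrapper.exe" /quiet /norestart
Action taken: Prevention, operation blocked.
Sensor external ipv6 address:
Executable SHA256: b46ce2340a3e12eda105c6852dfd6c4952ddfedfe7cb5bf1d53c4194c8cbd7f1
Parent Process executable sha256: b46ce2340a3e12eda105c6852dfd6c4952ddfedfe7cb5bf1d53c4194c8cbd7f1
Grandparent Process executable sha256: b46ce2340a3e12eda105c6852dfd6c4952ddfedfe7cb5bf1d53c4194c8cbd7f1
IOA Name: VolumeShadowSnapshotDeleted
"""

# Constructed contrast case: Office document -> cmd.exe -> vssadmin, the classic ransomware chain.
MALICIOUS_ALERT = r"""
Tactic: Impact
Technique: Inhibit System Recovery
Command Line: vssadmin.exe delete shadows /all /quiet
Parent Process command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
Grandparent Process command line: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\shub-18595\Downloads\invoice.docm"
Action taken: Prevention, operation blocked.
Executable SHA256: 1111111111111111111111111111111111111111111111111111111111111111
Parent Process executable sha256: 2222222222222222222222222222222222222222222222222222222222222222
Grandparent Process executable sha256: 3333333333333333333333333333333333333333333333333333333333333333
IOA Name: VolumeShadowSnapshotDeleted
"""


def parse_alert(text: str) -> dict[str, str]:
    """Map each 'Key: value' line of the alert body to a lower-cased key."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields


def image_path(cmdline: str) -> str:
    """Image path of a command line: the quoted first token, else the first bare token."""
    m = _QUOTED.match(cmdline)
    if m:
        return m.group(1)
    parts = cmdline.split(None, 1)
    return parts[0] if parts else ""


@dataclass
class Triage:
    attack_id: str
    same_binary_chain: bool       # exe, parent and grandparent share one SHA256
    all_in_package_cache: bool    # every image lives in a Burn Package Cache directory
    burn_elevated_child: bool     # child came through Burn's pipe, parents ran a silent install
    native_vss_tooling: bool      # vssadmin / wmic shadowcopy / wbadmin / diskshadow in the chain
    blocked: bool
    verdict: str
    followups: list[str] = field(default_factory=list)


def triage(fields: dict[str, str]) -> Triage:
    """Apply the analyst's checks to a parsed alert and return verdict plus required follow-ups."""
    cmds = [fields.get(k, "") for k in ("command line",
                                         "parent process command line",
                                         "grandparent process command line")]
    hashes = [fields.get(k, "") for k in ("executable sha256",
                                           "parent process executable sha256",
                                           "grandparent process executable sha256")]
    same_binary = bool(hashes[0]) and all(h == hashes[0] for h in hashes)
    in_cache = all(_PACKAGE_CACHE.match(image_path(c)) for c in cmds)
    burn_child = "burnpipe." in cmds[0].lower() and all("/quiet" in c.lower() for c in cmds[1:])
    vss_tools = any(t in c.lower() for c in cmds for t in _VSS_TOOL_MARKERS)
    blocked = fields.get("action taken", "").lower().startswith("prevention")
    attack_id = ATTACK_IDS.get(fields.get("technique", "").lower(), "unknown")

    if same_binary and in_cache and burn_child and not vss_tools:
        verdict = "likely benign installer"      # still not a closure: see followups
        followups = [
            "On the host, run Get-AuthenticodeSignature on the cached bootstrapper and confirm the signer is the expected vendor",
            "Recompute the file hash with Get-FileHash -Algorithm SHA256 and compare it with the alert's SHA256",
            "Record signer and hash in the closure comment so the next identical alert can be closed by reference",
        ]
    else:
        verdict = "investigate"
        followups = [
            "Pull the full process tree and any shadow-copy or backup commands from the sensor timeline",
            "Contain the host if the initiating process is a document handler, browser or script interpreter",
        ]
    return Triage(attack_id, same_binary, in_cache, burn_child, vss_tools, blocked, verdict, followups)
```

The "likely benign installer" verdict is deliberately not a closure. The follow-ups it returns (an Authenticode check on the cached bootstrapper, a recomputed SHA256 compared with the alert, and both recorded in the ticket) are what turn a hunch such as "Dell software update alert" into a defensible false-positive decision, and they cost a few minutes on the host.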

Announcements

Title Access Level Start Date End Date

No announcements found in this view

History

Feb 4, 2025 11:06 AM Life cycle info: Request has reached end of the life cycle
Performed by System

Feb 4, 2025 11:06 AM Updated: Subject updated from "Malicious activity detected - Falcon" to "Malicious activity detected - Falcon (False Positive)"
Performed by sysadmin master account

Feb 4, 2025 11:06 AM Updated: Status updated from Open to Closed ("Mark as False Positive" transition executed)
Performed by vishall k

Feb 4, 2025 11:06 AM Closed: Status updated from Open to Closed (FCR is set as false)
Performed by vishall k

Feb 4, 2025 11:05 AM Updated: Technician updated from None to vishall k
Performed by vishall k

Feb 4, 2025 11:05 AM Updated: Detection Type updated from None to False Positive
Performed by vishall k

Feb 4, 2025 10:51 AM Note Created: Note added
User name: shub-18595; Sensor hostname: SHUB-18595-GF; User ID: S-1-5-21-1867688552-3649366528-3325780993-130106; Tactic: Impact; Technique: Inhibit System Recovery; Command Line: "C:\ProgramData\Package Cache\{f6a4df94-48f2-459a-8d40-16b1fbed13c5}\[Link]
Comment: Dell software update alert.
Performed by vishall k

Feb 4, 2025 10:08 AM Life cycle info: Life cycle "Malware Incident L1" applied
Performed by System

Feb 4, 2025 10:08 AM Task Added: Task "Analyze Malware Alert" added
Performed by System

Feb 4, 2025 10:08 AM Resolution added: Resolution added
Performed by System

Feb 4, 2025 10:08 AM Request Created
Performed by System
