Sid 1-46969

Message

MALWARE-CNC Win.Trojan.Autophyte dropper variant outbound connection

Summary

This event is generated when a compromised internal PC reaches out to fetch mainls.cs, a PowerShell script that downloads additional malware.

Impact

Trojan Activity

Detailed information

Autophyte's dropper, also known as PowerSpritz, is a downloader that renames itself to something innocuous on the user's system, downloads an additional payload, and deletes itself once its objective is complete.

Affected systems

  • Windows 7, 8, 10

Ease of attack

False positives

Not known.

False negatives

Not known.

Corrective action

Please follow corporate mitigation practices.

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • www.virustotal.com/#/file/086a50476f5ceee4b10871c1a8b0a794e96a337966382248a8289598b732bd47/detection