Trusted Script Interpreters Are Blocked Even After Added to Approved List


Article ID: 285078




  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)


  • Trusted script interpreters (such as powershell.exe, wscript.exe, cscript.exe) are blocked even if allowed by permission rules in the policy
  • A Sensor UI message appears when a user attempts to execute a script through a script interpreter:
    Malicious behavior was detected
    A Deny Action was applied
  • The Alerts page in the CBC console shows blocks similar to the examples below:
    The application wscript.exe attempted to execute fileless content that contains highly suspicious Privilege Escalation techniques. A Terminate policy action was applied.
    The application powershell.exe attempted to execute fileless content that contains known malware. This content performs highly suspicious process injection behavior. A Deny policy action was applied.
    This script performs highly suspicious process injection behavior.
  • These alerts may have one or more of the following TTPs attached


  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.6.x.x and Higher
  • Microsoft Windows: All Supported Versions


Although script interpreters, such as powershell.exe and wscript.exe, are not in and of themselves malicious, they can be leveraged by attackers to execute malicious scripts and malware. Carbon Black identifies these tactics and techniques and blocks them with AMSI Core Prevention rules. Occasionally, legitimate applications (such as Arctic Wolf, Kace, Tanium) may use these same techniques and be blocked.


  • The hash displayed in the console event is currently the in-memory SHA256 hash and may change. Therefore, calculate the on-disk SHA256 of the script and add it to the Approved List.
    • This workaround is reliant on Sensor and above
    • EEDR customers can look up the hash in the console; see the KB How to locate a File Hash using EEDR?
    • Note: a quick method to calculate both the in-memory and the on-disk hash is the Get-FileHash PowerShell cmdlet, as outlined in this Microsoft KB
  • Create a Permissions Rule for the parent process (e.g. Arctic Wolf, Kace, Tanium) that is invoking the script interpreter (e.g. powershell.exe, wscript.exe, cscript.exe)
    Applications at path: <Path_to_Parent>\<Parent_Process>
    Operation attempt: Performs any operation
    Action: Bypass
    • Note: A permission rule for "Performs any API operation" can be created for the script interpreter, but this is not recommended as script interpreters can easily be exploited by attackers.
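The following PowerShell is an added example for the hash step above; it is not Carbon Black tooling. It computes the on-disk SHA256 of each script under a folder with Get-FileHash (the value to add to the Approved List), hashes the script text as read into memory for comparison, and flags whether either value matches a hash copied from a CBC alert. The folder path, the alert hash and the treatment of the in-memory content as UTF-8 text are assumptions.

```powershell
# Added example (not Carbon Black's own tooling).
# Assumptions: $ScriptRoot and $ConsoleHash are placeholders you supply; the
# "in-memory" value below is the SHA256 of the script text as PowerShell reads
# it (UTF-8, no BOM), which is an approximation of what the console displays.

function Get-ScriptHashReport {
    param(
        [Parameter(Mandatory)] [string] $ScriptRoot,
        [string] $ConsoleHash = ''   # SHA256 copied from the CBC alert, optional
    )
    Get-ChildItem -Path $ScriptRoot -Recurse -File -Include *.ps1, *.vbs, *.js, *.bat |
        ForEach-Object {
            # On-disk hash: this is the value to add to the Approved List.
            $onDisk = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash

            # Content hash: differs from the on-disk hash whenever the file
            # carries a BOM or is stored in a different encoding.
            $text = Get-Content -Path $_.FullName -Raw
            if ($null -eq $text) { $text = '' }          # empty file guard
            $bytes  = [System.Text.Encoding]::UTF8.GetBytes($text)
            $stream = [System.IO.MemoryStream]::new($bytes)
            try   { $inMem = (Get-FileHash -InputStream $stream -Algorithm SHA256).Hash }
            finally { $stream.Dispose() }

            [pscustomobject]@{
                Path           = $_.FullName
                OnDiskSHA256   = $onDisk
                ContentSHA256  = $inMem
                # True when the alert hash equals either value (case-insensitive).
                MatchesConsole = [bool]($ConsoleHash -and
                                  ($onDisk -ieq $ConsoleHash -or $inMem -ieq $ConsoleHash))
            }
        }
}

# Usage with placeholders: review the table, then import the OnDiskSHA256 values.
Get-ScriptHashReport -ScriptRoot 'C:\ProgramData\<Vendor>\Scripts' -ConsoleHash '<hash from alert>' |
    Tee-Object -Variable report | Format-Table -AutoSize
$report | Select-Object Path, OnDiskSHA256 | Export-Csv -Path .\approved-hashes.csv -NoTypeInformation
```

A row whose ContentSHA256 matches the alert but whose OnDiskSHA256 does not shows the in-memory discrepancy the article describes; approve the on-disk value.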