Endpoint Standard: VBS scripts blocked with alert - "The Application Wscript.Exe Attempted To Execute Fileless Content That Contains Highly Suspicious Privilege Escalation Techniques. A Terminate Policy Action Was Applied."
Article ID: 285117
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Alert: "The Application Wscript.Exe Attempted To Execute Fileless Content That Contains Highly Suspicious Privilege Escalation Techniques. A Terminate Policy Action Was Applied."
All wscript.exe scriptload events for .vbs files show a Policy Action of Terminate, so legitimate VBS scripts no longer run.
Environment
Endpoint Standard Sensor: 3.7.x
Microsoft Windows: All Supported Versions
Cause
Recently updated AMSI-based sensor rules classify the script content loaded by wscript.exe as highly suspicious privilege escalation behavior and apply a Terminate policy action.
Resolution
The rules that caused the blocks were updated to generate alerts only (no Terminate action) as of December 8, 2021 (US EST).
If blocks persist, there are four workarounds:
Add the SHA-256 hash of the VBS script to the Approved List. Calculate the hash with the PowerShell Get-FileHash cmdlet, whose default algorithm is SHA-256. Any edit to the script changes its hash, so the Approved List entry must be updated after every change.
Add a bypass rule for the parent process that spawns wscript/cscript.
Add a bypass rule for wscript/cscript.
Sign the scripts and add the publisher certificate to the Approved List.
NOTE: Bypass rules remove sensor visibility into the excluded processes, so a malicious script launched through them would not be detected. Bypass rules should only be added after consulting with the company's security team.
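The following PowerShell script is an added example for the hash-based and signing-based workarounds above; it is not part of the original article and is not Carbon Black's own tooling. It computes the SHA-256 hash of every .vbs file under a folder (using Get-FileHash, as the article recommends) and, with -Sign, first signs each script with a code-signing certificate from the current user's personal store so the publisher can be approved instead. The folder path C:\Scripts, the output file name, and the DigiCert timestamp server URL are assumptions; replace them for your environment.

```powershell
# Added example, not from the KB article or Carbon Black.
# Assumptions: scripts live under C:\Scripts (hypothetical path) and, when -Sign is used,
# a code-signing certificate exists in Cert:\CurrentUser\My.
param(
    [string]$ScriptDir = 'C:\Scripts',
    [switch]$Sign
)

$scripts = Get-ChildItem -Path $ScriptDir -Filter '*.vbs' -File -Recurse
if (-not $scripts) { throw "No .vbs files found under $ScriptDir" }

if ($Sign) {
    # Use the first code-signing certificate; narrow the filter by Subject or Thumbprint
    # if more than one is present. The same certificate is what you add to the Approved List.
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

    foreach ($s in $scripts) {
        # Signing appends an Authenticode signature block to the file, which changes its
        # contents. Hashes are therefore computed AFTER signing, below.
        $sig = Set-AuthenticodeSignature -FilePath $s.FullName -Certificate $cert `
                   -TimestampServer 'http://timestamp.digicert.com'   # assumed timestamp URL
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Signing failed for $($s.FullName): $($sig.StatusMessage)"
        }
    }
}

# Get-FileHash defaults to SHA-256, the hash format used for Approved List entries.
# The CSV gives you one row per script to enter (or import) into the Approved List.
$outFile = Join-Path $ScriptDir 'vbs-hashes.csv'
$scripts |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'Path';   e = { $_.Path } },
                  @{ n = 'SHA256'; e = { $_.Hash.ToLower() } } |
    Export-Csv -Path $outFile -NoTypeInformation

Write-Host "Wrote $($scripts.Count) hash entries to $outFile"
```

Run it as `.\Get-VbsHashes.ps1 -ScriptDir 'C:\Scripts'` for hashes only, or add `-Sign` to sign first. Because signing modifies the file, always hash after signing; and because any later edit invalidates both the hash and the signature, re-run the script whenever a .vbs file changes. Signing is the more maintainable option when scripts are edited often, since only the publisher certificate needs to stay on the Approved List.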