Endpoint Standard: WmiPrvSE.exe blocked/terminated for potentially scraping memory off LSASS
search cancel

Endpoint Standard: WmiPrvSE.exe blocked/terminated for potentially scraping memory off LSASS

book

Article ID: 286369

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Periodically observing the following Alerts: "The application WmiPrvSE.exe was detected running. A Terminate Policy Action was applied"
  • Corresponding Event: ¬†"The application C:\Windows\SysWOW64\wbem\WmiPrvSE.exe attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". The operation was blocked and the application terminated by Cb Defense."
  • WmiPrvSE.exe reputation is Local White in the CB Defense PSC Web Console

Environment

  • Carbon black cloud console: All Versions
  • CB Endpoint Standard Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Cause

  • Windows update was run shortly before the system startup, so a new version of WmiPrvSE.exe was downloaded¬†
  • Sensor was unable to get the reputation for WmiPrvSE.exe quickly enough during system startup
  • Once the reputation was received, the policy was not refreshed in time to prevent policy rule "Unknown application or process Scrapes memory of another process Terminate" from being applied

Resolution

  • Once the sensor receives the whitelist reputaiton for WmiPrvSE.exe, these Alerts will not re-occur and if these Alerts do not repeatedly re-occur on the same device, they can safely be ignored as False Positives.
  • To prevent these types of Alerts in the future, one workaround would be to create an API bypass all rule for C:\Windows\sysWOW64\wbem\wmiprvse.exe

Additional Information

Since wmiprvse.exe is already a trusted Windows process, there would be minimal risk especially since API bypass still allows for some visibility into the process operations. Only operations like scrape memory would be bypassed.