Endpoint Standard: WmiPrvSE.exe blocked/terminated for potentially scraping memory off LSASS
Article ID: 286369
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Alerts like the following are observed periodically: "The application WmiPrvSE.exe was detected running. A Terminate Policy Action was applied"
Corresponding Event: "The application C:\Windows\SysWOW64\wbem\WmiPrvSE.exe attempted to read the memory of "C:\Windows\System32\lsass.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". The operation was blocked and the application terminated by Cb Defense."
This happens even though the reputation of WmiPrvSE.exe is shown as Local White (trusted) in the CB Defense PSC Web Console.
Environment
Carbon Black Cloud Console: All Versions
CB Endpoint Standard Sensor: All Versions
Microsoft Windows: All Supported Versions
Cause
A Windows Update was installed shortly before the system was started, so a new version of WmiPrvSE.exe (a binary whose hash the sensor had not seen before) was present at boot.
During startup the sensor was unable to obtain a reputation for the new WmiPrvSE.exe quickly enough, so the process was treated as an unknown application.
By the time the reputation was received, the policy had not yet been refreshed, so the policy rule "Unknown application or process Scrapes memory of another process Terminate" was applied to WmiPrvSE.exe's read of lsass.exe memory.
Resolution
Once the sensor receives the whitelist reputation for the new WmiPrvSE.exe, these Alerts will not recur. If the Alerts do not repeatedly recur on the same device, they can safely be treated as False Positives; an Alert that keeps recurring on one device after the reputation has been received should be investigated rather than dismissed.
To prevent these Alerts in the future, one workaround is to add a permission rule for the path C:\Windows\SysWOW64\wbem\WmiPrvSE.exe with the operation "Performs any API operation" and the action "Bypass" (an "API bypass all" rule). The event quotes the 32-bit copy under SysWOW64; if the same Alert is seen for the 64-bit copy under C:\Windows\System32\wbem, add a rule for that path as well.
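Before treating the Alert as a False Positive or adding a bypass rule, it is worth confirming on the endpoint that the WmiPrvSE.exe named in the event is the genuine, Microsoft-signed Windows binary and that a Windows Update was in fact installed around the last boot. The following PowerShell is an added triage example, not code from this article or from Carbon Black; it assumes the standard System32/SysWOW64 wbem paths, that the signer subject of a genuine copy contains "Microsoft Windows", and that "shortly before startup" can be approximated as an update installed within one day of the last boot.

```powershell
# Added triage example (not from the Carbon Black KB article). Run in an
# elevated PowerShell on the affected endpoint. Confirms that both copies of
# WmiPrvSE.exe carry a valid Microsoft signature, records their hashes and
# versions, and lists updates installed around the last boot, which is the
# update-before-boot race the article describes.
# Assumptions: standard wbem paths; signer subject containing "Microsoft Windows";
# a one-day window around the last boot counts as "shortly before startup".

$paths = @(
    "$env:SystemRoot\System32\wbem\WmiPrvSE.exe",   # 64-bit provider host
    "$env:SystemRoot\SysWOW64\wbem\WmiPrvSE.exe"    # 32-bit provider host named in the event
)

$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$results = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Not present: $p"
        continue
    }
    $file = Get-Item -LiteralPath $p
    $sig  = Get-AuthenticodeSignature -FilePath $p      # also checks catalog signatures
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    $signer = $sig.SignerCertificate.Subject           # $null if the file is unsigned

    [pscustomobject]@{
        Path            = $p
        ProductVersion  = $file.VersionInfo.ProductVersion
        LastWriteTime   = $file.LastWriteTime          # note: often the package build time, not install time
        SHA256          = $hash                        # compare against the hash shown in the console
        SignatureStatus = $sig.Status
        Signer          = $signer
        # Assumption: a genuine copy is Valid and signed by the "Microsoft Windows" certificate.
        MicrosoftSigned = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft Windows*')
    }
}
$results | Format-List

# Updates installed within a day of the last boot corroborate the Cause section.
# InstalledOn is date-only and can be empty for some entries, so filter those out.
Write-Host "Last boot: $lastBoot"
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $lastBoot.Date.AddDays(-1) } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn

if ($results | Where-Object { -not $_.MicrosoftSigned }) {
    Write-Warning "A WmiPrvSE.exe copy is not validly Microsoft-signed: do NOT add a bypass rule; investigate."
}
```

If every copy reports MicrosoftSigned = True, the SHA256 matches the hash shown for the application in the console, and a hotfix appears in the list, the Alert matches the scenario in this article. If the signature status is anything other than Valid, or the signer is not Microsoft, the process should be investigated before any permission rule is added.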
Additional Information
Since WmiPrvSE.exe is a trusted Windows process, the added risk from such a rule is minimal, especially since an API bypass still leaves some visibility into the process's other operations; only the API operations covered by the rule, such as scraping memory, are no longer enforced. Keep the rule scoped to the single path and to API operations rather than using a broader "Performs any operation" bypass, because the rule is path-based and will also cover any future binary at that path, and revisit it if the Alert keeps recurring on the same device after the reputation has been received.