Execution Blocks on psscriptpolicytest Powershell Scripts
search cancel

Execution Blocks on psscriptpolicytest Powershell Scripts

book

Article ID: 286540

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Execution Blocks on files similar to: c:\windows\temp\__psscriptpolicytest_w3zfet4t.u53.ps1
  • Block events each time powershell.exe is launched.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

These files are related to routine checks Microsoft implemented to determine which Language Mode to use for PowerShell. Blocking their execution reduces the attack surface of PowerShell by enabling Constrained Language Mode.

Resolution

Custom Rule Creation:

Create a Custom Rule that enforces the Block event, but does not display a Notifier to the user:

  1. Log in to the Console and navigate to Rules > Software Rules > Custom > Add Custom Rule.
  2. Use the following details:
    • Rule Name: Block PS Script Policy Test (or something memorable)
    • Platform: Windows
    • Rule Type: Execution Control
    • Execute Action: Block
    • Notifier: Uncheck and select <none>
    • Path or File:
      • *\__psscriptpolicytest*.ps1
      • *\????????.???.ps1
    • Process: Any process
    • User: Any user
  3. Save

Custom ABExclusion:

Create an ABExclusion to further suppress Event & File Information from being sent to Server for processing:

  1. Navigate to https://ServerAddress/shepherd_config.php
  2. Select the Property, "ABExclusionRules" and adjust the Value accordingly:
    • If a Value exists, copy & paste this to the end:
      |;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3
    • If a Value doesn't exist, copy & paste this:
      ;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3
  3. Click Change to apply the new ABExclusion.

Additional Information

  • In many customer environments that use PowerShell heavily, the amount of new files created by this cause significant overhead to the Server (processing & cataloging these files, events, etc).
  • Some customers could see a reduction of as much as 50-60% of all File Events in their environment with the Custom Rule & ABExclusion above.
  • These files are generated with a new hash each time PowerShell is launched (the file contains a timestamp that makes each creation unique).