Execution Blocks on psscriptpolicytest Powershell Scripts

Article ID: 286540

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Execution Blocks on files similar to: c:\windows\temp\__psscriptpolicytest_w3zfet4t.u53.ps1
  • Block events each time powershell.exe is launched.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

These files are related to routine checks Microsoft implemented to determine which Language Mode to use for PowerShell. Blocking the creation of the files will switch PowerShell to Constrained Language Mode to help reduce the attack surface.

Resolution

Custom Rule Creation:

Determine whether to block the creation of the files to enforce Constrained Language Mode, or to Approve the creation and allow Full Language Mode.

  1. Log in to the Console and navigate to Rules > Software Rules > Custom > Add Custom Rule.
  2. Use the following details:
    • Rule Name: Block PS Script Policy Test (or something memorable)
    • Platform: Windows
    • Rule Type: File Creation Control
    • Write Action:
      • Choose Block to enforce Constrained Language Mode
      • Choose Approve to allow Full Language Mode
    • Notifier or Approval Event: 
      • If Blocking: Uncheck Notifier and select <none>
      • If Approving: Uncheck Send Approval Event
    • Path or File:
      • *\__psscriptpolicytest*.ps1
      • *\????????.???.ps1
    • Process: Any process
    • User: Any user
  3. Save

Custom ABExclusion:

Create an ABExclusion so that the event and file information for these files is not sent to the Server for processing:

  1. Navigate to https://ServerAddress/shepherd_config.php
  2. Select the Property, "ABExclusionRules" and adjust the Value accordingly:
    • If a Value exists, copy & paste this to the end:
      |;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3
    • If a Value doesn't exist, copy & paste this:
      ;????????.???.ps1,*-????-????-????-*.ps1,__psscriptpolicytest_*.???.ps1;;;;;;;;;3
  3. Click Change to apply the new ABExclusion.
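Before deploying the Custom Rule and the ABExclusion above, it is worth checking which file names the wildcard patterns actually cover. The following script is an added example, not part of the article or of the App Control product; it assumes the product's wildcards behave like ordinary globs (`*` matches any run of characters, `?` exactly one, compared case-insensitively) and tests both pattern sets against the file name from the article and a few constructed names.

```python
import fnmatch

# "Path or File" patterns from the Custom Rule in the article.
RULE_PATTERNS = [r"*\__psscriptpolicytest*.ps1", r"*\????????.???.ps1"]

# File-name patterns from the ABExclusionRules value in the article.
AB_EXCLUSION_PATTERNS = [
    "????????.???.ps1",
    "*-????-????-????-*.ps1",
    "__psscriptpolicytest_*.???.ps1",
]


def matches_rule(path: str, patterns=RULE_PATTERNS) -> list:
    """Return the Custom Rule patterns that match the full path.

    Assumption: App Control wildcards behave like shell globs and the
    comparison is case-insensitive (Windows paths). Verify against the
    product's own behaviour before relying on this result.
    """
    p = path.lower()
    return [pat for pat in patterns if fnmatch.fnmatchcase(p, pat.lower())]


def matches_abexclusion(path: str, patterns=AB_EXCLUSION_PATTERNS) -> list:
    """Return the ABExclusion patterns that match the file name only."""
    name = path.rsplit("\\", 1)[-1].lower()
    return [pat for pat in patterns if fnmatch.fnmatchcase(name, pat.lower())]


# Constructed sample paths (only the first one is taken from the article).
SAMPLES = [
    r"c:\windows\temp\__psscriptpolicytest_w3zfet4t.u53.ps1",  # from the article
    r"c:\windows\temp\w3zfet4t.u53.ps1",          # constructed: random name, no prefix
    r"c:\scripts\deploy01.bak.ps1",               # constructed: ordinary 8-char script name
    r"c:\scripts\deploy.ps1",                     # constructed: should match nothing
]


def review(paths=SAMPLES) -> dict:
    """Map each path to (rule patterns hit, ABExclusion patterns hit)."""
    return {p: (matches_rule(p), matches_abexclusion(p)) for p in paths}


if __name__ == "__main__":
    for path, (rule_hits, ab_hits) in review().items():
        print(f"{path}\n  rule: {rule_hits}\n  abexclusion: {ab_hits}")
```

Note that the second rule pattern also matches any script whose name is eight characters followed by a three-character middle segment (the constructed `deploy01.bak.ps1` above), so review the output for legitimate scripts in your environment before choosing Block.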

Additional Information

  • In many customer environments that use PowerShell heavily, the number of new files created by this behavior causes significant overhead on the Server (processing and cataloging these files, their events, etc.).
  • Some customers could see a reduction of as much as 50-60% of all File Events in their environment with the Custom Rule & ABExclusion above.
  • These files are generated with a new hash each time PowerShell is launched (the file contains a timestamp that makes each creation unique).