Carbon Black Cloud: Alerts for "The application powershell_ise.exe attempted to execute fileless content in order to evade inspection."

Article ID: 286872

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Alerts similar to the following are generated:

The application powershell_ise.exe attempted to execute fileless content in order to evade inspection. A Deny policy action was applied.

CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -Command Help Set-ExecutionPolicy

Environment

  • Carbon Black Cloud Sensor: 3.6.x - 3.8.0.627
  • Microsoft Windows: All Supported Versions

Cause

Code change DSEN-19179

Resolution

Upgrade the Carbon Black Cloud Windows sensor to 3.8.0.722 or above. The release notes list the fix:

https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/3.8.0.722/rn/vmware-carbon-black-cloud-windows-sensor-380722-release-notes/index.html
  • DSEN-19179: Fixed an issue with PowerShell fileless script rules blocking the use of the “-executionpolicy” command line option