Endpoint Standard: Large number of alerts for PowerShell attempting to execute fileless content that contains known malware
Article ID: 287457
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Alert reason shows Powershell.exe attempted to execute fileless content containing known malware
The application powershell.exe attempted to execute fileless content that contains known malware. This content performs highly suspicious process injection behavior. A Deny policy action was applied.
Alert reason seen multiple times across multiple devices with Group Alerts turned on
Seen ### times on ### devices
Tactics, Techniques, and Procedures (TTPs) include
AND ttp:(FILELESS AND HAS_SUSPECT_CODE AND INJECT_CODE AND MODIFY_MEMORY_PROTECTION AND PACKED_CALL AND POLICY_DENY AND mitre_t1055_process_inject)
Select an alert_id that meets the above criteria (toggling Group Alerts on/off as necessary) and open the Alert Triage or Investigate page in a new browser tab
Note: a search for a specific alert_id can also be appended, if desired
AND alert_id:<alert_id>
Review the details of the Alert Events to confirm the command line includes "-File -" (PowerShell reading the script from standard input rather than from a file on disk)
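The triage criteria above (the TTP set plus the "-File -" command-line check), applied to a batch of exported alert events so that matching alert_ids and the "seen N times on M devices" figure can be listed in one pass. This is an added example, not code from the article or from Carbon Black; the field names (alert_id, device_id, process_name, cmdline, ttps) and the sample events are assumptions constructed for illustration, and the command-line check is token-based and case-insensitive so that "-File C:\script.ps1" does not match.

```python
# Constructed example: filter exported alert events by the criteria in this article.

# TTPs listed in the article's search query (compared case-insensitively).
REQUIRED_TTPS = {
    "FILELESS", "HAS_SUSPECT_CODE", "INJECT_CODE", "MODIFY_MEMORY_PROTECTION",
    "PACKED_CALL", "POLICY_DENY", "MITRE_T1055_PROCESS_INJECT",
}

def reads_script_from_stdin(cmdline: str) -> bool:
    """True when the command line carries '-File -' (script supplied on stdin)."""
    tokens = [t.lower() for t in cmdline.split()]
    return any(tokens[i] == "-file" and tokens[i + 1] == "-"
               for i in range(len(tokens) - 1))

def matches_known_pattern(alert: dict) -> bool:
    """Alert reason + TTP set + '-File -' check from the article, on one event."""
    ttps = {t.upper() for t in alert.get("ttps", [])}
    proc = alert.get("process_name", "").lower()
    return (REQUIRED_TTPS <= ttps
            and proc.endswith("powershell.exe")
            and reads_script_from_stdin(alert.get("cmdline", "")))

def summarize(alerts: list) -> tuple:
    """Return (matching alert_ids, number of distinct devices) for the batch."""
    ids, devices = [], set()
    for a in alerts:
        if matches_known_pattern(a):
            ids.append(a["alert_id"])
            devices.add(a["device_id"])
    return ids, len(devices)

ALL_TTPS = sorted(REQUIRED_TTPS)
# Constructed sample events; field names are assumed, not the product's export format.
SAMPLE_ALERTS = [
    {"alert_id": "A-1", "device_id": 101, "process_name": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File -",
     "ttps": ALL_TTPS},
    {"alert_id": "A-2", "device_id": 102, "process_name": "powershell.exe",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -File -',
     "ttps": ALL_TTPS},
    # Script read from a file on disk, not stdin: does not match the article's pattern.
    {"alert_id": "A-3", "device_id": 101, "process_name": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\deploy.ps1", "ttps": ALL_TTPS},
    # No POLICY_DENY TTP (action was not denied): outside the article's criteria.
    {"alert_id": "A-4", "device_id": 103, "process_name": "powershell.exe",
     "cmdline": "powershell.exe -File -",
     "ttps": [t for t in ALL_TTPS if t != "POLICY_DENY"]},
]

if __name__ == "__main__":
    matched, device_count = summarize(SAMPLE_ALERTS)
    print(f"Seen {len(matched)} times on {device_count} devices: {matched}")
```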
A temporary workaround employing a Permissions rule can be provided by Technical Support
Open a case with Carbon Black Technical Support and provide
- Org Key (LINK) to allow Support to properly locate organization
- Example alert_id from above steps
- Example device_id
Support will review the information and pull logs from an impacted Sensor to provide details of the relevant Permissions rule