Endpoint Standard: Large number of alerts for PowerShell attempting to execute fileless content that contains known malware
search cancel

Endpoint Standard: Large number of alerts for PowerShell attempting to execute fileless content that contains known malware

book

Article ID: 287457

calendar_today

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

  • Alert reason shows Powershell.exe attempted to execute fileless content containing known malware 
    The application powershell.exe attempted to execute fileless content that contains known malware. This content performs highly suspicious process injection behavior.  A Deny policy action was applied.
  •  Alert reason seen multiple times across multiple devices with Group Alerts turned on 
    Seen ### times on ### devices
  • Tactics, Techniques, and Procedures (TTPs) include 
    FILELESS, HAS_SUSPECT_CODE, INJECT_CODE, MODIFY_MEMORY_PROTECTION, PACKED_CALL, POLICY_DENY, mitre_t1055_process_inject
  • Searching for alert_id and reason_code returns result, indicating alert is tied to rule included in content manifests 
    alert_id:<alert_id> AND reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:E0F73DEA\-1BF8\-4C59\-A521\-EE5DD662C8C4
  • Script being executed by Powershell has "-File -" on command line

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.6.x.x and Higher
  • Microsoft Windows: All Supported Versions

Cause

Dynamic Rules Engine (DRE) block to prevent highly suspect, fileless process injection techniques

Resolution

Resolution is being tracked under DSEN-16753
To Locate Alerts Related to DRE Rule Above
  1. Go to Alerts page and search for reason_code below 
    reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:E0F73DEA\-1BF8\-4C59\-A521\-EE5DD662C8C4
  2. Add search for list of TTPs 
    AND ttp:(FILELESS AND HAS_SUSPECT_CODE AND INJECT_CODE AND MODIFY_MEMORY_PROTECTION AND PACKED_CALL AND POLICY_DENY AND mitre_t1055_process_inject)
  3. Select an alert_id which meets above criteria (toggling Group Alerts on/off as necessary) and go to Alert Triage or Investigate page in new browser tab 
    Note: searching for specific alert_id can also be added, if desired
 AND alert_id:<alert_id>
  4. Review details of Alert Events to confirm commandline includes "-File -"
 

A temporary workaround employing a Permissions rule can be provided by Technical Support

  1. Open a case with Carbon Black Technical Support and provide 
    - Org Key (LINK) to allow Support to properly locate organization
- Example alert_id from above steps
- Example device_id
  2. Support will review information and pull logs from an impacted Sensor to provide details of relevant Permissions rule
Powered by Wolken Software