Endpoint Standard: MS Office applications blocked by AMSI prevention due to malicious WMI process execution techniques

Article ID: 291565

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

Severity/Priority 10 alerts are observed concerning malicious WMI process execution related to Microsoft Office applications, with the following alert text:
The application <OfficeApp> launched a document that contains macro content which performs malicious WMI process execution techniques. A Deny policy action was applied.

Environment

  • Endpoint Standard Sensor: 3.6.x.x and Higher
  • Windows OS: All Supported Versions

Cause

A Carbon Black Cloud AMSI prevention rule (part of a recent rule deployment) triggers a block when suspicious WMI or OFFICE_VBA activity is detected within macro-enabled Office documents.

Resolution

  1. Check whether the target Office file contains a legitimate macro.
  2. Check whether the blocked Office process is legitimate by verifying its hash.
  3. If both the Office process and the macro included in the file are legitimate, test a Permissions rule to reduce or eliminate the alerts and blocks:
    Applications at path: **\<OfficeApp>
    Operation attempt: Performs any API operation
    Action: Bypass
    
    Example for Excel:
    Applications at path: **\excel.exe
    Operation attempt: Performs any API operation
    Action: Bypass
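Before adding a Bypass rule, steps 1 and 2 above should be backed by evidence from the endpoint. The following PowerShell is an added example, not part of this article or the Carbon Black product; the Office binary path and document path are assumptions and should be replaced with the values shown in the alert.

```powershell
# Added example (not from the Carbon Black article): defender-side checks for
# resolution steps 1 and 2. Both paths below are assumptions for illustration.
param(
    [string]$OfficeExe = "$env:ProgramFiles\Microsoft Office\root\Office16\EXCEL.EXE",  # assumed path
    [string]$Document  = "C:\Users\Public\report.xlsm"                                  # assumed path
)

# Step 2: is the blocked Office binary the genuine, Microsoft-signed executable?
# Compare SHA256 with the process hash shown in the CBC alert and require a valid signature.
$sig  = Get-AuthenticodeSignature -FilePath $OfficeExe
$hash = (Get-FileHash -Path $OfficeExe -Algorithm SHA256).Hash
[pscustomobject]@{
    File        = $OfficeExe
    SHA256      = $hash
    SignatureOK = ($sig.Status -eq 'Valid')
    Signer      = $sig.SignerCertificate.Subject
}

# Step 1: does the document actually carry a VBA project? OOXML macro-enabled files
# (.xlsm/.docm/.pptm) are zip containers holding xl/, word/ or ppt/vbaProject.bin.
# Legacy OLE2 files (.xls/.doc) are not zip containers and are not covered here.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($Document)
try {
    $vba = $zip.Entries | Where-Object { $_.FullName -match 'vbaProject\.bin$' }
    if ($vba) {
        "Macro project found: $($vba.FullName) ($($vba.Length) bytes)"
        # Hash the embedded project so a reviewed, known-good macro can be tracked
        # and a later change to the macro is noticed before the Bypass rule is kept.
        $tmp = Join-Path $env:TEMP 'vbaProject.bin'
        [System.IO.Compression.ZipFileExtensions]::ExtractToFile($vba, $tmp, $true)
        "vbaProject.bin SHA256: $((Get-FileHash -Path $tmp -Algorithm SHA256).Hash)"
        Remove-Item $tmp
    } else {
        "No VBA project in $Document"
    }
} finally {
    $zip.Dispose()
}
```

Only proceed to the Bypass rule in step 3 when the signature check passes, the hash matches the alert, and the macro project has been reviewed and found to be expected for that document.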

Additional Information

  • AMSI prevention is part of the Content Manifests introduced with the 3.6.x.x Sensor; these rules are not visible in the CBC console.
  • Refer to https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal for more details on AMSI.