Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
A policy rule is in place for a script interpreter, e.g. powershell:
Application(s) at path: *\powershell.exe Executes a fileless script Terminate process
The very first Event in the Alert shows the TTPs BYPASS_POLICY and FILELESS attached, yet the action was still allowed to execute:
EVENT
The application C:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to open itself for modification, by calling the function "OpenProcess". The operation was successful.
PARENT PROCESS
cmd.exe
CMD: "C:\WINDOWS\system32\cmd.exe" /c powershell -noP -sta -w 1 -enc
PROCESS
powershell.exe
CMD: powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMA.....
Environment
Endpoint Standard (was CB Defense): All Versions
Cause
A script interpreter such as powershell.exe may be treated as a fileless execution when certain options, such as -e, appear on its command line. The sensor may perform a case-insensitive search of the whole command line rather than parsing individual parameters, so in the example above the search for "-e" matches "-enc". However, the fileless script rule is evaluated against the parent process that launched the interpreter, in this case cmd.exe, not against powershell.exe itself.
Resolution
The parent process, in this example cmd.exe, is checked against the fileless script policy, and since no rule exists for it, the script is allowed to execute.
A rule blocking the parent process (i.e. cmd.exe) from executing a fileless script would have prevented this execution, for example:
Application(s) at path: *\cmd.exe Executes a fileless script Terminate process
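The following is an added illustration of the evaluation order described in the Cause and Resolution sections. It is not Carbon Black sensor code: the rule and event structures, the glob match on the application path and the "-e" substring check are assumptions made to model the described behaviour, and the sample events are constructed. It shows why a rule written for *\powershell.exe does not fire when cmd.exe spawns the encoded command, and why adding a rule for the parent does.

```python
import fnmatch
from dataclasses import dataclass

# Assumption: the sensor searches the child's command line for this
# marker, case-insensitively, as a plain substring (per the Cause section).
FILELESS_MARKER = "-e"


@dataclass(frozen=True)
class Rule:
    """Hypothetical representation of one Endpoint Standard policy rule."""
    app_path: str    # glob over the application path, e.g. *\powershell.exe
    operation: str   # e.g. "fileless_script"
    action: str      # e.g. "terminate"


@dataclass(frozen=True)
class Event:
    """Hypothetical representation of the parent/child pair from an Alert."""
    parent_path: str
    parent_cmdline: str
    process_path: str
    process_cmdline: str


def looks_fileless(cmdline: str) -> bool:
    """Substring search of the whole command line, not a parameter parse.

    Consequence of that model: "-e" matches "-enc", and would equally
    match any other token that begins with "-e".
    """
    return FILELESS_MARKER in cmdline.lower()


def evaluate(rules, event: Event) -> str:
    """Return the action applied to a fileless-script event.

    The FILELESS flag is derived from the child (powershell.exe) command
    line, but the rule lookup is performed against the PARENT process path,
    which is why a powershell.exe rule does not catch cmd.exe /c powershell.
    """
    if not looks_fileless(event.process_cmdline):
        return "not_fileless"
    parent = event.parent_path.lower()
    for rule in rules:
        if rule.operation == "fileless_script" and fnmatch.fnmatchcase(
            parent, rule.app_path.lower()
        ):
            return rule.action
    return "allow"


# Constructed sample: the Alert from the article, with the encoded payload
# replaced by a placeholder.
EVENT = Event(
    parent_path=r"C:\WINDOWS\system32\cmd.exe",
    parent_cmdline=r'"C:\WINDOWS\system32\cmd.exe" /c powershell -noP -sta -w 1 -enc <encoded>',
    process_path=r"C:\windows\system32\windowspowershell\v1.0\powershell.exe",
    process_cmdline="powershell -noP -sta -w 1 -enc <encoded>",
)

# Policy as originally written: only the interpreter is covered.
POLICY_AS_WRITTEN = [Rule(r"*\powershell.exe", "fileless_script", "terminate")]

# Policy with the Resolution applied: the parent is covered too.
POLICY_WITH_PARENT_RULE = POLICY_AS_WRITTEN + [
    Rule(r"*\cmd.exe", "fileless_script", "terminate")
]

if __name__ == "__main__":
    print("flagged fileless:", looks_fileless(EVENT.process_cmdline))
    print("policy as written:", evaluate(POLICY_AS_WRITTEN, EVENT))
    print("with parent rule: ", evaluate(POLICY_WITH_PARENT_RULE, EVENT))
```

Run as a script, the first policy returns "allow" and the second "terminate" for the same event, which is the behaviour the Alert shows. A command line such as `powershell -noP -sta -w 1 -File script.ps1` is not flagged at all under this model, because no "-e" substring is present.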