
Carbon Black Cloud: Trusted Script Interpreters Are Blocked Even After Added to Approved List

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.6.x.x and Higher
  • Microsoft Windows: All Supported Versions

Symptoms

  • Trusted script interpreters (such as powershell.exe, wscript.exe, cscript.exe) are blocked even when they are allowed by permission rules in the policy
  • A Sensor UI message appears when a user attempts to execute a script through a script interpreter:
    Malicious behavior was detected
    A Deny Action was applied
  • The Alerts page in the CBC console shows blocks similar to the examples below:
    The application wscript.exe attempted to execute fileless content that contains highly suspicious Privilege Escalation techniques. A Terminate policy action was applied.
    The application powershell.exe attempted to execute fileless content that contains known malware. This content performs highly suspicious process injection behavior. A Deny policy action was applied.
    This script performs highly suspicious process injection behavior.
  • These alerts may have one or more of the following TTPs attached:
    AMSI_PROCESS_INJECTION
    mitre_t1055_process_inject

Cause

Although script interpreters such as powershell.exe and wscript.exe are not in and of themselves malicious, attackers can leverage them to execute malicious scripts and malware. Carbon Black identifies these tactics and techniques and blocks them with AMSI Core Prevention rules. Occasionally, legitimate applications (such as Arctic Wolf, Kace, Tanium) use these same techniques and are blocked as a result.

Resolution

  • The hash displayed in the console event is currently the in-memory SHA256 hash and may change. Therefore, calculate the on-disk SHA256 of the script and add it to the Approved List.
    • This workaround requires Sensor 3.7.0.1253 and above
    • EEDR customers can look up the hash in the console with this KB
    • Note: a quick method to calculate the in-memory and on-disk hash is the Get-FileHash PowerShell cmdlet, as outlined in this Microsoft KB
  • Create a Permissions Rule for the parent process (e.g. Arctic Wolf, Kace, Tanium) that is invoking the script interpreter (e.g. powershell.exe, wscript.exe, cscript.exe):
    Applications at path: <Path_to_Parent>\<Parent_Process>
    Operation attempt: Performs any operation
    Action: Bypass
    • Note: A permission rule for "Performs any API operation" could instead be created for the script interpreter itself, but this is not recommended, because script interpreters can easily be exploited by attackers and such a rule would bypass the AMSI protection for every script they run.
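The following PowerShell function is an added example, not Carbon Black's own code. It computes the on-disk SHA256 that belongs in the Approved List and, for comparison, the SHA256 of the script content in a few in-memory representations so you can confirm you have located the script referenced by the alert. The page does not document how the console derives its in-memory hash, so the encodings tried here are assumptions; the script path and the alert hash are placeholders.

```powershell
function Get-ScriptHashCandidates {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,   # script that the interpreter executed
        [string]$ConsoleHash = ''              # hash shown in the CBC alert (optional)
    )
    $fullPath = (Resolve-Path -LiteralPath $Path).Path

    # On-disk SHA256: this is the value to add to the Approved List (Sensor 3.7.0.1253+)
    $onDisk = (Get-FileHash -LiteralPath $fullPath -Algorithm SHA256).Hash

    # Content as an interpreter would hold it in memory (BOM removed), then re-encoded
    # a few common ways. Assumption: the in-memory hash is taken over one of these.
    $text = [System.IO.File]::ReadAllText($fullPath)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hex  = { param([byte[]]$b) ([System.BitConverter]::ToString($sha.ComputeHash($b))) -replace '-', '' }
    try {
        $candidates = [ordered]@{
            'on-disk bytes'     = $onDisk
            'UTF-8, no BOM'     = & $hex ([System.Text.Encoding]::UTF8.GetBytes($text))
            'UTF-16LE'          = & $hex ([System.Text.Encoding]::Unicode.GetBytes($text))
            'UTF-8, LF endings' = & $hex ([System.Text.Encoding]::UTF8.GetBytes(($text -replace "`r`n", "`n")))
        }
    } finally { $sha.Dispose() }

    foreach ($name in $candidates.Keys) {
        [pscustomobject]@{
            Representation = $name
            SHA256         = $candidates[$name]
            MatchesConsole = ($ConsoleHash -ne '' -and $candidates[$name] -ieq $ConsoleHash)
        }
    }
}

# Placeholder path and alert hash; a MatchesConsole of True on any in-memory row confirms
# the file, and the 'on-disk bytes' row is the hash to approve.
Get-ScriptHashCandidates -Path 'C:\Scripts\inventory.ps1' -ConsoleHash '<SHA256 from the alert>' |
    Format-Table -AutoSize
```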

Creation Date: 01-11-2022