
Cb Defense: App successfully injects code, modifies memory of another process, or scrapes memory (Unexpected Allow)

Environment

  • Cb Defense Web Console: All Versions
  • Cb Defense Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Symptoms

  • Configured Policy Rule: When an application at path "**\<application name>.exe" Scrapes memory of another process, or Injects code or modifies memory of another process: TERMINATE
  • The application is terminated when it attempts to inject code into, modify the memory of, or scrape the memory of another process.
    Example:
    The application C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe attempted to read the memory of "C:\Program Files (x86)\Internet Explorer\iexplorer.exe" (potentially scraping memory), by calling the function "NtReadVirtualMemory". The operation was successful.

Cause

In addition to the policy rules, Cb Defense applies additional criteria to code-injection and memory-scraping events to determine whether they are truly malicious.

Resolution

  • If the processes involved in a code-injection or memory-scraping event meet these additional criteria, the operation is blocked regardless of the configured policy rules.
  • Some of the criteria used are:
    • The process targeted by the scrape memory operation
    • The number of processes targeted by the scrape memory operation, and how many times each is targeted
    • The number of times the process attempts to modify the memory of, or inject code into, another process
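As an added example (not part of this article and not Carbon Black tooling), the following Python parses alert messages in the format shown in the Symptoms section and summarises, per source application, the distinct target processes, the number of calls and how many operations were reported as successful, which is the kind of context the criteria above weigh. The alert lines, the `updater.exe` path and the threshold values are constructed assumptions; only the "read the memory of" wording is documented on this page.

```python
import re
from collections import defaultdict

# Matches the alert message format shown in the Symptoms section. Only the
# "read the memory of" wording is documented on this page, so the action
# phrase is captured loosely; other wordings in the samples are assumptions.
ALERT_RE = re.compile(
    r'The application (?P<source>.+?) attempted to (?P<action>.+?) '
    r'"(?P<target>[^"]+)"(?: \([^)]*\))?, by calling the function '
    r'"(?P<api>[^"]+)"\. The operation was (?P<outcome>[^.]+)\.'
)

def parse_alert(text):
    """Return the fields of one alert message, or None if it does not match."""
    m = ALERT_RE.search(text)
    return m.groupdict() if m else None

def summarize(alerts):
    """Per source application: distinct targets, total calls, and how many
    operations were reported as successful (that is, allowed)."""
    summary = defaultdict(lambda: {"targets": set(), "calls": 0, "allowed": 0})
    for text in alerts:
        fields = parse_alert(text)
        if fields is None:
            continue  # not a memory-access alert; skip it
        entry = summary[fields["source"]]
        entry["targets"].add(fields["target"])
        entry["calls"] += 1
        if fields["outcome"] == "successful":
            entry["allowed"] += 1
    return dict(summary)

def sources_over_threshold(summary, max_targets=1, max_calls=3):
    """Sources that touched more distinct targets, or made more calls, than
    the thresholds; the threshold values are illustrative assumptions."""
    return sorted(src for src, e in summary.items()
                  if len(e["targets"]) > max_targets or e["calls"] > max_calls)

# Constructed sample alerts modelled on the example message above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
IE = r"C:\Program Files (x86)\Internet Explorer\iexplorer.exe"
UPD = r"C:\Program Files\ExampleVendor\updater.exe"  # hypothetical path
TAIL = '(potentially scraping memory), by calling the function "NtReadVirtualMemory".'
SAMPLE_ALERTS = [
    f'The application {PS} attempted to read the memory of "{IE}" {TAIL} The operation was successful.',
    f'The application {PS} attempted to read the memory of "C:\\Windows\\explorer.exe" {TAIL} The operation was successful.',
    f'The application {PS} attempted to read the memory of "{IE}" {TAIL} The operation was blocked.',
    f'The application {UPD} attempted to read the memory of "C:\\Program Files\\ExampleVendor\\helper.exe" {TAIL} The operation was successful.',
    "Unrelated console line that is ignored by the parser.",
]
```

Running `summarize(SAMPLE_ALERTS)` shows powershell.exe touching two distinct targets across three calls, two of which were allowed, while the single-target updater stays below the thresholds.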

Article Information
Creation Date: 11-30-2018