
Endpoint Standard: Known Script Interpreters Are Blocked Until Added to Approved List

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (required, other products may also be present)
  • Carbon Black Cloud Sensor: 3.6.x.x and Higher
  • Microsoft Windows: All Supported Versions

Symptoms

  • The alert reason names a script interpreter (powershell.exe or another interpreter, shown as <process_name> below) that ran a script (<script_name> below) which attempted to execute known malware:
    The application <process_name> ran a script <script_name> that attempted to execute known malware. This script performs highly suspicious process injection behavior. A Deny policy action was applied.
  • With Group Alerts turned on, the same alert reason is reported repeatedly across multiple devices:
    Seen ### times on ## devices
  • Tactics, Techniques, and Procedures (TTPs) include
    HAS_SUSPECT_CODE, INJECT_CODE, MODIFY_MEMORY_PROTECTION, PACKED_CALL, POLICY_DENY, mitre_t1055_process_inject
  • Search for alert_id and reason_code returns result
    alert_id:<alert_id> AND reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:11F960B7\-AEDA\-4748\-A9BD\-2E5650E9B780
  • The on-disk SHA256 hash of the script and/or the script interpreter has not been added to the Company Approved List

Cause

The Dynamic Rules Engine (DRE) blocks highly suspect fileless process injection techniques that are backed by a script file when the binaries involved are not on the Company Approved List. The block is a behavioral rule decision rather than a hash reputation match, and only Sensor 3.7.0.1253 and higher honor a Company Approved List entry as an exemption from it.

Resolution

  1. Upgrade impacted Sensors to 3.7.0.1253 or higher
  2. Go to the Alerts page, turn Group Alerts on, and search for the reason_code below
    reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:11F960B7\-AEDA\-4748\-A9BD\-2E5650E9B780
  3. Append the list of TTPs to the search
     AND ttp:(HAS_SUSPECT_CODE AND INJECT_CODE AND MODIFY_MEMORY_PROTECTION AND PACKED_CALL AND POLICY_DENY AND mitre_t1055_process_inject)
  4. Append a clause that excludes alerts whose threat cause is already Company Approved
     AND -threat_cause_reputation:COMPANY_WHITE_LIST
    
  5. Select an alert_id that meets the above criteria and open the Alert Triage page in a new browser tab
    Note: a specific alert_id can also be added to the search, if desired
     AND alert_id:<alert_id>
  6. Scroll to the bottom of Alert Triage and expand the Event that shows the block on the script noted on the Alerts page
  7. Copy the SHA256 hash of the script (either Process or Target)
  8. Go to Enforce > Reputations and add the hash to the Company Approved List
  9. Repeat steps 5-8 for additional target hashes as needed
  10. If Blocking Alerts tied to the reason_code above are still observed, add the SHA256 of the script interpreter to the Company Approved List. Approving the interpreter hash is a much broader exception than approving a script hash, because the Company Approved reputation then applies to everything that interpreter binary runs; exhaust the script-level approvals in steps 5-9 first.
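
Before adding a hash in step 8 or step 10, it is worth confirming on the endpoint that the SHA256 copied from Alert Triage really is the hash of the file at the expected path (a script edited after the alert, or a different interpreter build, will not match and the approval would be wasted). The PowerShell below is an added example, not part of this article or of the Carbon Black product; the script path and the two placeholder hash strings are assumptions to be replaced with the values from your own alert. Get-FileHash and Get-AuthenticodeSignature are standard Windows PowerShell cmdlets.

```powershell
# Added example (not from the Carbon Black KB article). Verifies that the SHA256
# values taken from Alert Triage match the files actually on disk before they are
# added to the Company Approved List. Paths and '<...>' hashes are placeholders.

function Test-ApprovalCandidate {
    param(
        [Parameter(Mandatory)] [string] $Path,         # on-disk script or interpreter
        [Parameter(Mandatory)] [string] $AlertSha256   # SHA256 copied from Alert Triage
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path = $Path; OnDiskSha256 = $null; Signature = $null
            Matches = $false; Note = 'file not found at this path'
        }
    }

    # Get-FileHash returns upper-case hex while the console shows lower-case,
    # so the comparison is case-insensitive (-ieq).
    $onDisk  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $matches = $onDisk -ieq $AlertSha256.Trim()

    # Authenticode status (Valid / NotSigned / HashMismatch ...) is extra context for the
    # approval decision; it is not something Carbon Black checks for this block.
    $sig = (Get-AuthenticodeSignature -LiteralPath $Path).Status

    $note = 'hash differs: wrong path, or file changed since the alert; do not approve the alert hash blindly'
    if ($matches) { $note = 'hash matches; this is the file the alert refers to' }

    [pscustomobject]@{
        Path = $Path; OnDiskSha256 = $onDisk; Signature = $sig
        Matches = $matches; Note = $note
    }
}

# Check the script first (steps 7-8); the interpreter is only the last resort (step 10).
$candidates = @(
    @{ Path = 'C:\Scripts\deploy.ps1';                                           Sha = '<script SHA256 from Alert Triage>' }
    @{ Path = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"; Sha = '<interpreter SHA256 from Alert Triage>' }
)

$candidates |
    ForEach-Object { Test-ApprovalCandidate -Path $_.Path -AlertSha256 $_.Sha } |
    Format-Table Path, Matches, Signature, OnDiskSha256, Note -AutoSize
```

Run it on one of the devices listed in the grouped alert. Only rows with Matches = True should have their hash added in Enforce > Reputations; a False row for the script usually means the script on disk is no longer the version that triggered the block, so the next execution would produce a new hash and a new alert.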

Additional Notes

  • Resolution via hash approval requires Sensor 3.7.0.1253 or higher
  • If the problem remains, open a case with Carbon Black Technical Support and provide the following details
    Org Key
    Alert ID prior to approving the Target SHA256
    Process/Script Interpreter Name and SHA256
    Target/Script Name and SHA256
    Alert ID after approving the Target SHA256
  • Support will review logs from an impacted device and propose one of the two remaining Permissions rule options
    • [Applications at path <parent_process>] [Performs any operation] [Bypass], also referred to as a Full bypass rule
    • [Applications at path <parent_process>] [Performs any API operation] [Bypass], also referred to as an API bypass rule

Article Information
Creation Date: 01-22-2022