Environment

• Carbon Black Cloud Console: All Versions
  • Endpoint Standard (required, other products may also be present)
• Carbon Black Cloud Sensor: 3.6.x.x and Higher
• Microsoft Windows: All Supported Versions

Symptoms

• Alert reason calls out script interpreter (Powershell.exe and others, as <process_name> below) for running a script (<script_name> below) that attempted execution of known malware

  The application <process_name> ran a script <script_name> that attempted to execute known malware. This script performs highly suspicious process injection behavior.  A Deny policy action was applied.

• Alert reason seen multiple times across multiple devices with Group Alerts turned on

  Seen ### times on ## devices

• Tactics, Techniques, and Procedures (TTPs) include

  HAS_SUSPECT_CODE, INJECT_CODE, MODIFY_MEMORY_PROTECTION, PACKED_CALL, POLICY_DENY, mitre_t1055_process_inject

• Search for alert_id and reason_code returns result

  alert_id:<alert_id> AND reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:11F960B7\-AEDA\-4748\-A9BD\-2E5650E9B780

• On-disk SHA256 hash for script and/or script interpreter has not been added to Company Approved List

Cause

Resolution

1. Upgrade impacted Sensors to 3.7.0.1253 or higher
2. Go to Alerts page, turn Group Alerts On, and search for reason_code below

   reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:11F960B7\-AEDA\-4748\-A9BD\-2E5650E9B780

3. Add search for list of TTPs

    AND ttp:(HAS_SUSPECT_CODE AND INJECT_CODE AND MODIFY_MEMORY_PROTECTION AND PACKED_CALL AND POLICY_DENY AND mitre_t1055_process_inject)

4. Add search to verify reputation is NOT Company Approved

    AND -threat_cause_reputation:COMPANY_WHITE_LIST
   

5. Select an alert_id which meets above criteria and go to Alert Triage page in new browser tab

   Note: searching for specific alert_id can also be added, if desired
    AND alert_id:<alert_id>

6. Scroll to bottom of Alert Triage and expand Event with block on script noted from Alerts page
7. Copy SHA256 hash of script (either Process or Target)
8. Go to Enforce > Reputations and add hash to Company Approved List
9. Repeat steps 5-8 for additional target hashes as needed
10. If Blocking Alerts tied to reason_code above are still observed, add SHA256 of script interpreter to Company Approved List

Additional Notes

• Resolution via hash approval requires Sensor 3.7.0.1253 or higher
• EEDR customer can verify the Hash using this KB, sometimes an in-memory hash will be shown in the alert instead of the actual hash.
• If the problem remains, please open a case with Carbon Black Technical Support and provide details

  Org Key
  Alert ID prior to approving Target SHA256
  Process/Script Interpreter Name and SHA256
  Target/Script Name and SHA256
  Alert ID after approving Target SHA256

• Support will review logs for an impacted device to propose one of two remaining Permissions rule options
  • [Applications at path <parent_process>] [Performs any operation] [Bypass] also sometimes referred to as a Full bypass rule
  • [Applications at path <parent_process>] [Performs any API operation] [Bypass] also sometimes referred to as an API bypass rule

Related Content