Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard (required, other products may also be present)
- Carbon Black Cloud Sensor: 3.6.x.x and Higher
- Microsoft Windows: All Supported Versions
Symptoms
- Alert reason names the script interpreter (PowerShell.exe or another interpreter, shown as <process_name> below) for running a script (<script_name> below) that attempted to execute known malware:
The application <process_name> ran a script <script_name> that attempted to execute known malware. This script performs highly suspicious process injection behavior. A Deny policy action was applied.
- The same alert reason is seen multiple times across multiple devices when Group Alerts is turned on:
Seen ### times on ## devices
- Tactics, Techniques, and Procedures (TTPs) include:
HAS_SUSPECT_CODE, INJECT_CODE, MODIFY_MEMORY_PROTECTION, PACKED_CALL, POLICY_DENY, mitre_t1055_process_inject
- Searching on the alert_id together with the reason_code returns a result:
alert_id:<alert_id> AND reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:11F960B7\-AEDA\-4748\-A9BD\-2E5650E9B780
- The on-disk SHA256 hash of the script and/or the script interpreter has not been added to the Company Approved List
Cause
The Dynamic Rules Engine (DRE) blocks highly suspect fileless process-injection techniques that are backed by a script file when the binary performing them is not on the Company Approved List. The alert is the DRE block firing on such a script.
Resolution
1. Upgrade impacted Sensors to 3.7.0.1253 or higher.
2. Go to the Alerts page, turn Group Alerts on, and search for the reason_code below:
reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:11F960B7\-AEDA\-4748\-A9BD\-2E5650E9B780
3. Append the list of TTPs to the search:
AND ttp:(HAS_SUSPECT_CODE AND INJECT_CODE AND MODIFY_MEMORY_PROTECTION AND PACKED_CALL AND POLICY_DENY AND mitre_t1055_process_inject)
4. Append a clause that excludes alerts whose threat cause reputation is already Company Approved:
AND -threat_cause_reputation:COMPANY_WHITE_LIST
5. Select an alert_id that meets the above criteria and open its Alert Triage page in a new browser tab.
Note: a specific alert_id can also be added to the search, if desired:
AND alert_id:<alert_id>
6. Scroll to the bottom of Alert Triage and expand the Event that shows the block on the script noted on the Alerts page.
7. Copy the SHA256 hash of the script (either Process or Target).
8. Go to Enforce > Reputations and add the hash to the Company Approved List.
9. Repeat steps 5-8 for additional target hashes as needed.
10. If blocking alerts tied to the reason_code above are still observed, add the SHA256 of the script interpreter to the Company Approved List. Note that approving the interpreter's hash applies to every script that interpreter runs, not only the one in the alert, so approve individual script hashes first and fall back to the interpreter only when blocks persist.
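The search in steps 2-5 is easy to mistype by hand because the reason_code must have every "-" and ":" backslash-escaped. The script below, added here as an example and not Carbon Black's own code, builds that exact search string from its parts and then applies the same three criteria (reason_code, full TTP set, reputation not Company Approved) to alert records so that each distinct blocked script hash is collected once, even when Group Alerts reports it across several devices. The alert records are constructed samples; their keys reuse the article's search field names, and "target_sha256" is an assumed key for the script hash copied in step 7, not a documented API field.

```python
import re
from typing import Dict, Iterable, Optional, Sequence, Set

# Values copied from the article: the reason_code, the TTP list and the
# reputation that marks a hash as Company Approved.
REASON_CODE = "78F50A65-EC30-4A20-8328-A523BDA82217:11F960B7-AEDA-4748-A9BD-2E5650E9B780"
REQUIRED_TTPS = (
    "HAS_SUSPECT_CODE", "INJECT_CODE", "MODIFY_MEMORY_PROTECTION",
    "PACKED_CALL", "POLICY_DENY", "mitre_t1055_process_inject",
)
APPROVED_REPUTATION = "COMPANY_WHITE_LIST"

# Characters the console search syntax treats as operators inside a value.
_SPECIAL = re.compile(r"([-:\\])")


def escape_term(value: str) -> str:
    """Backslash-escape '-', ':' and '\\' so the value is matched literally."""
    return _SPECIAL.sub(r"\\\1", value)


def build_alert_query(reason_code: str = REASON_CODE,
                      ttps: Sequence[str] = REQUIRED_TTPS,
                      alert_id: Optional[str] = None) -> str:
    """Assemble the Alerts-page search from the article, clause by clause."""
    clauses = [
        f"reason_code:{escape_term(reason_code)}",
        "ttp:(" + " AND ".join(ttps) + ")",
        f"-threat_cause_reputation:{APPROVED_REPUTATION}",
    ]
    if alert_id:
        clauses.append(f"alert_id:{escape_term(alert_id)}")
    return " AND ".join(clauses)


def matches_article_criteria(alert: dict) -> bool:
    """True when a record has the reason_code, every required TTP, and a
    threat cause reputation that is not already Company Approved."""
    return (
        alert.get("reason_code") == REASON_CODE
        and set(REQUIRED_TTPS) <= set(alert.get("ttp", ()))
        and alert.get("threat_cause_reputation") != APPROVED_REPUTATION
    )


def approval_candidates(alerts: Iterable[dict]) -> Dict[str, Set[str]]:
    """Map each blocked script's SHA256 to the alert_ids that reported it,
    so one reputation entry is added per distinct script, not per alert."""
    candidates: Dict[str, Set[str]] = {}
    for alert in alerts:
        if matches_article_criteria(alert):
            candidates.setdefault(alert["target_sha256"], set()).add(alert["alert_id"])
    return candidates


# Constructed sample records (not real alert data). Field names mirror the
# article's search fields; "target_sha256" is an assumed key for the script hash.
SAMPLE_ALERTS = [
    {"alert_id": "alert-001", "reason_code": REASON_CODE, "ttp": list(REQUIRED_TTPS),
     "threat_cause_reputation": "NOT_LISTED", "target_sha256": "a" * 64},
    {"alert_id": "alert-002", "reason_code": REASON_CODE, "ttp": list(REQUIRED_TTPS),
     "threat_cause_reputation": "COMPANY_WHITE_LIST", "target_sha256": "b" * 64},  # already approved
    {"alert_id": "alert-003", "reason_code": REASON_CODE, "ttp": list(REQUIRED_TTPS)[:-1],
     "threat_cause_reputation": "NOT_LISTED", "target_sha256": "c" * 64},  # missing a TTP
    {"alert_id": "alert-004", "reason_code": REASON_CODE, "ttp": list(REQUIRED_TTPS),
     "threat_cause_reputation": "NOT_LISTED", "target_sha256": "a" * 64},  # same script, second device
]


def triage_sample() -> Dict[str, Set[str]]:
    return approval_candidates(SAMPLE_ALERTS)


if __name__ == "__main__":
    print(build_alert_query())
    for sha256, ids in triage_sample().items():
        print(f"{sha256}  seen in {len(ids)} alert(s): {sorted(ids)}")
```

Paste the output of build_alert_query() into the Alerts page search bar with Group Alerts on; it is character-for-character the search from steps 2-4. Of the four sample records only the two that share the "a"*64 hash survive the filter, which is the point of collecting by hash: that script needs one Company Approved List entry, not two.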