Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Endpoint Standard: Large number of alerts for PowerShell attempting to execute fileless content that contains known malware

Endpoint Standard: Large number of alerts for PowerShell attempting to execute fileless content that contains known malware

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.6.x.x and Higher
  • Microsoft Windows: All Supported Versions

Symptoms

  • Alert reason shows Powershell.exe attempted to execute fileless content containing known malware
    The application powershell.exe attempted to execute fileless content that contains known malware. This content performs highly suspicious process injection behavior.  A Deny policy action was applied.
  •  Alert reason seen multiple times across multiple devices with Group Alerts turned on
    Seen ### times on ### devices
  • Tactics, Techniques, and Procedures (TTPs) include
    FILELESS, HAS_SUSPECT_CODE, INJECT_CODE, MODIFY_MEMORY_PROTECTION, PACKED_CALL, POLICY_DENY, mitre_t1055_process_inject
  • Searching for alert_id and reason_code returns result, indicating alert is tied to rule included in content manifests
    alert_id:<alert_id> AND reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:E0F73DEA\-1BF8\-4C59\-A521\-EE5DD662C8C4
  • Script being executed by Powershell has "-File -" on command line

Cause

Dynamic Rules Engine (DRE) block to prevent highly suspect, fileless process injection techniques

Resolution

Resolution is being tracked under DSEN-16753
To Locate Alerts Related to DRE Rule Above
  1. Go to Alerts page and search for reason_code below
    reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:E0F73DEA\-1BF8\-4C59\-A521\-EE5DD662C8C4
  2. Add search for list of TTPs
    AND ttp:(FILELESS AND HAS_SUSPECT_CODE AND INJECT_CODE AND MODIFY_MEMORY_PROTECTION AND PACKED_CALL AND POLICY_DENY AND mitre_t1055_process_inject)
  3. Select an alert_id which meets above criteria (toggling Group Alerts on/off as necessary) and go to Alert Triage or Investigate page in new browser tab
    Note: searching for specific alert_id can also be added, if desired
     AND alert_id:<alert_id>
  4. Review details of Alert Events to confirm commandline includes "-File -"
 

A temporary workaround employing a Permissions rule can be provided by Technical Support

  1. Open a case with Carbon Black Technical Support and provide
    - Org Key (LINK) to allow Support to properly locate organization
    - Example alert_id from above steps
    - Example device_id
  2. Support will review information and pull logs from an impacted Sensor to provide details of relevant Permissions rule

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎01-22-2022
Views:
503
Contributors