logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Endpoint Standard: Large number of alerts for PowerShell attempting to execute fileless content that contains known malware

Endpoint Standard: Large number of alerts for PowerShell attempting to execute fileless content that contains known malware

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Sensor: 3.6.x.x and Higher
  • Microsoft Windows: All Supported Versions

Symptoms

  • Alert reason shows Powershell.exe attempted to execute fileless content containing known malware 
    The application powershell.exe attempted to execute fileless content that contains known malware. This content performs highly suspicious process injection behavior.  A Deny policy action was applied.
  •  Alert reason seen multiple times across multiple devices with Group Alerts turned on 
    Seen ### times on ### devices
  • Tactics, Techniques, and Procedures (TTPs) include 
    FILELESS, HAS_SUSPECT_CODE, INJECT_CODE, MODIFY_MEMORY_PROTECTION, PACKED_CALL, POLICY_DENY, mitre_t1055_process_inject
  • Searching for alert_id and reason_code returns result, indicating alert is tied to rule included in content manifests 
    alert_id:<alert_id> AND reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:E0F73DEA\-1BF8\-4C59\-A521\-EE5DD662C8C4
  • Script being executed by Powershell has "-File -" on command line

Cause

Dynamic Rules Engine (DRE) block to prevent highly suspect, fileless process injection techniques

Resolution

Resolution is being tracked under DSEN-16753
To Locate Alerts Related to DRE Rule Above
  1. Go to Alerts page and search for reason_code below 
    reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:E0F73DEA\-1BF8\-4C59\-A521\-EE5DD662C8C4
  2. Add search for list of TTPs 
    AND ttp:(FILELESS AND HAS_SUSPECT_CODE AND INJECT_CODE AND MODIFY_MEMORY_PROTECTION AND PACKED_CALL AND POLICY_DENY AND mitre_t1055_process_inject)
  3. Select an alert_id which meets above criteria (toggling Group Alerts on/off as necessary) and go to Alert Triage or Investigate page in new browser tab 
    Note: searching for specific alert_id can also be added, if desired
 AND alert_id:<alert_id>
  4. Review details of Alert Events to confirm commandline includes "-File -"
 

A temporary workaround employing a Permissions rule can be provided by Technical Support

  1. Open a case with Carbon Black Technical Support and provide 
    - Org Key (LINK) to allow Support to properly locate organization
- Example alert_id from above steps
- Example device_id
  2. Support will review information and pull logs from an impacted Sensor to provide details of relevant Permissions rule

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
CB_Support
Creation Date:
‎01-22-2022
Views:
2369
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.