Environment
- Carbon Black Cloud Console: All Versions
- Carbon Black Cloud Sensor: 3.6.x.x and Higher
- Microsoft Windows: All Supported Versions
Symptoms
- Alert reason states that powershell.exe attempted to execute fileless content containing known malware:
The application powershell.exe attempted to execute fileless content that contains known malware. This content performs highly suspicious process injection behavior. A Deny policy action was applied.
- Alert reason seen multiple times across multiple devices with Group Alerts turned on
Seen ### times on ### devices
- Tactics, Techniques, and Procedures (TTPs) include
FILELESS, HAS_SUSPECT_CODE, INJECT_CODE, MODIFY_MEMORY_PROTECTION, PACKED_CALL, POLICY_DENY, mitre_t1055_process_inject
- Searching for the alert_id together with the reason_code returns a result, indicating the alert is tied to a rule included in content manifests:
alert_id:<alert_id> AND reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:E0F73DEA\-1BF8\-4C59\-A521\-EE5DD662C8C4
- The script being executed by PowerShell has "-File -" on its command line (with "-File -", powershell.exe reads the script text from standard input, so no script file exists on disk)
Cause
The alert is raised by a Dynamic Rules Engine (DRE) rule that blocks highly suspect, fileless process injection techniques.
Resolution
Resolution is being tracked under DSEN-16753
To Locate Alerts Related to DRE Rule Above
- Go to the Alerts page and search for the reason_code below:
reason_code:78F50A65\-EC30\-4A20\-8328\-A523BDA82217\:E0F73DEA\-1BF8\-4C59\-A521\-EE5DD662C8C4
- Append the list of TTPs to the search:
AND ttp:(FILELESS AND HAS_SUSPECT_CODE AND INJECT_CODE AND MODIFY_MEMORY_PROTECTION AND PACKED_CALL AND POLICY_DENY AND mitre_t1055_process_inject)
- Select an alert_id that meets the above criteria (toggling Group Alerts on/off as necessary) and open it on the Alert Triage or Investigate page in a new browser tab
Note: a search for a specific alert_id can also be appended, if desired:
AND alert_id:<alert_id>
- Review the details of the Alert Events to confirm the command line includes "-File -"
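The search and confirmation steps above can also be applied offline to alert records exported from the console. The following script is an added example, not Carbon Black's own code or API: it builds the Alerts page search string from the reason_code and TTP list given above, then filters exported records using the same field names the console search uses (reason_code, ttp, alert_id, device_id) plus an assumed process_cmdline field holding the PowerShell command line shown in the Alert Events. The alert records in the script are constructed samples, not real console output.

```python
"""Offline triage helper for the DRE alert described above.

Added example, not Carbon Black's own code. Field names mirror the
console search fields in the article; process_cmdline is an assumed
field name, and SAMPLE_ALERTS are constructed records.
"""
from collections import Counter

# Reason code of the DRE rule, exactly as it appears in the article.
REASON_CODE = ("78F50A65-EC30-4A20-8328-A523BDA82217"
               ":E0F73DEA-1BF8-4C59-A521-EE5DD662C8C4")

# TTPs listed in the article, in the article's order.
REQUIRED_TTPS = (
    "FILELESS", "HAS_SUSPECT_CODE", "INJECT_CODE",
    "MODIFY_MEMORY_PROTECTION", "PACKED_CALL", "POLICY_DENY",
    "mitre_t1055_process_inject",
)

# Command-line marker from the article: with "-File -", powershell.exe reads
# the script from standard input, so no script file exists on disk.
CMDLINE_MARKER = "-File -"


def build_console_query(reason_code=REASON_CODE, ttps=REQUIRED_TTPS, alert_id=None):
    """Build the Alerts page search string shown in the article.

    Hyphens and the colon inside the reason code are backslash-escaped,
    as in the article's query; alert_id is an optional extra clause.
    """
    escaped = reason_code.replace("-", r"\-").replace(":", r"\:")
    query = f"reason_code:{escaped} AND ttp:({' AND '.join(ttps)})"
    if alert_id:
        query += f" AND alert_id:{alert_id}"
    return query


def matches_dre_rule(alert):
    """True when a record carries the reason code, every required TTP,
    and a PowerShell command line containing the "-File -" marker."""
    if alert.get("reason_code") != REASON_CODE:
        return False
    if not set(REQUIRED_TTPS) <= set(alert.get("ttp", ())):
        return False
    return CMDLINE_MARKER in alert.get("process_cmdline", "")


def triage(alerts):
    """Return (matching alert ids, hits per device_id, grouped summary).

    The summary mirrors the "Seen ### times on ### devices" wording the
    console shows with Group Alerts turned on.
    """
    matched = [a for a in alerts if matches_dre_rule(a)]
    per_device = Counter(a["device_id"] for a in matched)
    summary = f"Seen {len(matched)} times on {len(per_device)} devices"
    return [a["alert_id"] for a in matched], dict(per_device), summary


# Constructed sample records (not real console output).
SAMPLE_ALERTS = [
    {"alert_id": "a1", "device_id": 1001, "reason_code": REASON_CODE,
     "ttp": list(REQUIRED_TTPS),
     "process_cmdline": "powershell.exe -NoProfile -File -"},
    {"alert_id": "a2", "device_id": 1001, "reason_code": REASON_CODE,
     "ttp": list(REQUIRED_TTPS),
     "process_cmdline": "powershell.exe -File -"},
    {"alert_id": "a3", "device_id": 1002, "reason_code": REASON_CODE,
     "ttp": list(REQUIRED_TTPS),
     "process_cmdline": "powershell.exe -NonInteractive -File -"},
    # Same rule, but the script was read from a file on disk: not this issue.
    {"alert_id": "a4", "device_id": 1003, "reason_code": REASON_CODE,
     "ttp": list(REQUIRED_TTPS),
     "process_cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    # An alert from a different rule (placeholder reason code): ignored.
    {"alert_id": "a5", "device_id": 1001,
     "reason_code": "00000000-0000-0000-0000-000000000000:PLACEHOLDER",
     "ttp": ["FILELESS"], "process_cmdline": "powershell.exe -File -"},
]

if __name__ == "__main__":
    print(build_console_query(alert_id="<alert_id>"))
    ids, per_device, summary = triage(SAMPLE_ALERTS)
    print(ids, per_device, summary)
```

Run against the sample records, triage reports three hits on two devices and leaves out both the on-disk script and the alert from another rule, which is the same distinction the manual review of "-File -" in the Alert Events makes.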
A temporary workaround employing a Permissions rule can be provided by Technical Support:
- Open a case with Carbon Black Technical Support and provide:
- The Org Key (LINK), so Support can locate the organization
- An example alert_id from the steps above
- An example device_id
- Support will review the information and pull logs from an impacted Sensor to provide details of the relevant Permissions rule
Related Content