Environment
- Endpoint Standard Sensor: 3.7.x
- Microsoft Windows: All Supported Versions
Symptoms
- Alert: "The Application Wscript.Exe Attempted To Execute Fileless Content That Contains Highly Suspicious Privilege Escalation Techniques. A Terminate Policy Action Was Applied."
- All wscript scriptload events for .vbs files show a Policy Terminate action
Cause
Recently updated AMSI sensor rules are blocking suspicious behavior.
Resolution
- The rules that caused the blocks are being updated to only generate alerts, as of December 8th 2021 US EST
- If blocks persist, the following four workarounds avoid the blocks:
- Add the hash of the .vbs script to the approved list. Calculate the hash with the Get-FileHash cmdlet in Windows PowerShell
- Add a bypass for the parent process that spawns wscript/cscript
- Add a bypass rule for wscript/cscript
- Sign the scripts and add the publisher certificate to the approved list.
NOTE: Bypass rules disable sensor visibility into excluded processes. Bypass rules should only be added after consulting with the company's security team
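As an added example that is not part of the original article, the PowerShell below inventories the .vbs scripts under a folder, computes the SHA-256 hash that Get-FileHash produces by default, and records each script's Authenticode signature status, so one listing supports both the hash-approval and the signed-script options above. The folder and report paths are placeholders.

```powershell
# Added example (not from the original KB article): list every .vbs script
# under a folder with its SHA-256 hash (Get-FileHash default) and its
# Authenticode signature status. The hash is what the approved list expects;
# the signature status shows which scripts are already signed.
# Assumption: $ScriptRoot and $ReportPath are placeholders, replace as needed.
param(
    [string]$ScriptRoot = 'C:\Scripts',                  # placeholder path
    [string]$ReportPath = '.\vbs-script-inventory.csv'   # placeholder path
)

$inventory = Get-ChildItem -Path $ScriptRoot -Filter '*.vbs' -File -Recurse |
    ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path            = $_.FullName
            SHA256          = $hash.Hash
            LastWriteTime   = $_.LastWriteTime
            SignatureStatus = $sig.Status    # Valid, NotSigned, HashMismatch, ...
            Signer          = if ($sig.SignerCertificate) {
                                  $sig.SignerCertificate.Subject
                              } else { '' }
        }
    }

# A hash approval covers exactly this byte content: any edit to the script
# changes the hash and the block returns, so keep the report for re-approval.
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation
$inventory | Format-Table -AutoSize
```

Re-run the script after any change to a .vbs file and compare the new SHA256 column against the approved list before expecting the block to clear.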