
Endpoint Standard: VBS scripts blocked with alert - "The Application Wscript.Exe Attempted To Execute Fileless Content That Contains Highly Suspicious Privilege Escalation Techniques. A Terminate Policy Action Was Applied."

Environment

  • Endpoint Standard Sensor: 3.7.x
  • Microsoft Windows: All Supported Versions

Symptoms

  • Alert: "The Application Wscript.Exe Attempted To Execute Fileless Content That Contains Highly Suspicious Privilege Escalation Techniques. A Terminate Policy Action Was Applied."
  • wscript scriptload events for vbs files all show as Policy Terminate

Cause

Recently updated AMSI-based sensor rules classify the content of the VBS script as a privilege escalation technique and apply the Terminate policy action, so every VBS script run through wscript.exe is blocked regardless of its actual purpose.

Resolution

  • The rules that caused the blocks are scheduled to be updated to alert-only (no Terminate action) as of December 8th 2021 US EST
  • If blocks persist after that date, there are four workarounds to avoid them
    1. Add the SHA-256 hash of the VBS script to the approved list. Calculate the hash with the Get-FileHash cmdlet in Windows PowerShell (SHA256 is its default algorithm). Note that editing or signing the script changes its hash, so the entry must be refreshed after any change.
    2. Add a bypass rule for the parent process that spawns wscript.exe/cscript.exe
    3. Add a bypass rule for wscript.exe/cscript.exe
    4. Sign the scripts with a code-signing certificate and add the publisher certificate to the Approve List.
NOTE: Bypass rules remove sensor visibility into the excluded processes, including any malicious script they later run. Options 2 and 3 should only be added after consulting with the company's security team; options 1 and 4 are preferred because they keep visibility and only trust specific content or publishers.
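The following PowerShell script is an added example for options 1 and 4 above; it is not part of the original article or of any Carbon Black tooling. It assumes the scripts live in C:\Scripts and that a code-signing certificate with subject CN=Contoso Code Signing is installed in the current user's personal store (both are assumptions). It signs each script first and only then computes the hash, because signing rewrites the file and would invalidate any hash taken earlier.

```powershell
# Added example, not from the original article. Paths, certificate subject and
# timestamp server URL are assumptions; adjust them for your environment.
param(
    [string]$ScriptDir     = 'C:\Scripts',                 # assumed folder holding the .vbs files
    [string]$SignerSubject = 'CN=Contoso Code Signing',    # assumed code-signing cert subject
    [string]$TsaUrl        = 'http://timestamp.digicert.com' # assumed RFC 3161 timestamp server
)

$scripts = @(Get-ChildItem -Path $ScriptDir -Filter *.vbs -File)
if ($scripts.Count -eq 0) { throw "No .vbs files found under $ScriptDir" }

# Option 4: sign the scripts. Set-AuthenticodeSignature supports .vbs files.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -eq $SignerSubject } |
    Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate with subject '$SignerSubject'" }

foreach ($s in $scripts) {
    $sig = Set-AuthenticodeSignature -FilePath $s.FullName -Certificate $cert -TimestampServer $TsaUrl
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signing $($s.Name) returned status $($sig.Status); do not approve this file"
    }
}

# Option 1: hash the signed files. Get-FileHash defaults to SHA256, which is the
# hash type the Carbon Black Cloud approved list takes. Hashing after signing
# guarantees the approved entry matches the file that will actually execute.
$hashes = $scripts | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'Script'; e = { Split-Path $_.Path -Leaf } }, Hash
$hashes | Format-Table -AutoSize

# Publisher details needed for the Approve List publisher entry (option 4):
# the subject and thumbprint of the certificate that now signs the scripts.
Get-AuthenticodeSignature -FilePath $scripts[0].FullName |
    Select-Object -ExpandProperty SignerCertificate |
    Select-Object Subject, Thumbprint, NotAfter
```

Run it from an elevated PowerShell prompt only if the scripts folder requires it; signing needs the certificate's private key but no administrative rights. If a script is later edited, re-run the whole sequence, since both the signature and the hash become stale.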

Additional Notes

If blocks still occur after applying an approval or bypass, collect sensor logs from the affected endpoint and open a case with Carbon Black Support.

Article Information
Creation Date: 11-30-2021