Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Endpoint Standard: MS Office applications blocked by AMSI prevention due to malicious WMI process execution techniques

Endpoint Standard: MS Office applications blocked by AMSI prevention due to malicious WMI process execution techniques

Environment

  • Endpoint Standard Sensor: 3.6.x.x and Higher
  • Windows OS: All Supported Versions

Symptoms

Observe Severity/Priority 10 alerts concerning malicious WMI process execution related to Microsoft Office applications
The application <OfficeApp> launched a document that contains macro content which performs malicious WMI process execution techniques. A Deny policy action was applied.

Cause

Carbon Black Cloud AMSI prevention rule (related to recent rule deployment) triggers blocking on suspicious WMI or OFFICE_VBA within macro-enabled Office documents

Resolution

  1. Check whether target Office file contains legitimate macro
  2. Check whether blocked Office process is legitimate via hash verification
  3. If Office process and macro included in file are legitimate, test Permissions rule for reduction/elimination of Alerts and Blocks
    Applications at path: **\<OfficeApp>
    Operation attempt: Performs any API operation
    Action: Bypass
    
    Example for Excel
    Applications at path: **\excel.exe
    Operation attempt: Performs any API operation
    Action: Bypass

Additional Notes


Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎11-30-2021
Views:
737
Contributors