
Description

The Remote Execution framework is now used in Madrid for several Windows PowerShell probes. The PowerShell command is run with "-EncodedCommand", which carries the script text Base64-encoded, and that is seen as potentially malicious by anti-virus software, including CrowdStrike. This is in addition to using the admin$ share and executing from the Temp folder, which can also be considered indicators of potentially malicious code. This is a false positive, but it will prevent that probe from running.

In Madrid, these probes have the new "Execute script remotely" field set to true.

  • Windows - Active Connections
    This is used by the existing "Windows - ADM" multiprobes (change related to PRB1291020)
  • Windows - Azure
    This is triggered by the Windows 2016 Server classifier (change related to PRB1270477)

This causes PSScript.ps1 to use ExecuteRemote.ps1 to execute the script remotely instead of on the MID Server. The temporary filename will be "psscript_executeRemote_<GUID>.ps1", and the file is deleted immediately after the probe runs.

In the case of CrowdStrike, the use of EncodedCommand is the trigger, and an alert may look something like:

powershell -ExecutionPolicy ByPass -NonInteractive -WindowStyle Hidden -EncodedCommand JgAgAHsAbQBvAGQAZQAgAGMAbwBuACAAbABpAG4AZQBzAD0AMQAgAGMAbwBsAHMAPQA5ADkAOQA5ADsAIAAgACYAIABcAFwAMQAwAC4AMgA0ADEALgAyADIALgA0ADcAXABhAGQAbQBpAG4AJABcAHQAZQBtAHAAXAB1AG4AcgBlAGcAaQBzAHQAZQByAGUAZABcAHAAcwBzAGMAcgBpAHAAdABfAGUAeABlAGMAdQB0AGUAUgBlAG0AbwB0AGUAXwA3AGQANABhAGMANAAyAGIALQAyAGMAZgBjAC0ANAA0ADcAMQAtAGEAOABmADcALQAzADUAOAA4ADYAYQA0ADgANwAwAGQAZgAuAHAAcwAxAH0A

After decoding the encoded command (Base64 of the UTF-16LE script text):
& {mode con lines=1 cols=9999; & \\10.x.x.x\admin$\temp\unregistered\psscript_executeRemote_7d4ac42b-2cfc-4471-a8f7-35886a4870df.ps1}
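For analysts triaging alerts of this kind, an added example (not ServiceNow's or CrowdStrike's code): a Python helper that decodes a PowerShell -EncodedCommand argument, lists the indicators the article names (encoded command, hidden window, policy bypass, admin$ share, Temp folder), and flags the psscript_executeRemote_<GUID>.ps1 pattern as a likely MID Server probe. The host address, GUID and alert line are constructed, and the command line is assumed to contain no quoted arguments.

```python
import base64
import re
from typing import Optional

# Temporary script the article describes, psscript_executeRemote_<GUID>.ps1,
# invoked through the target's admin$ share under \temp (matched on lowercased text).
MID_PROBE_RE = re.compile(
    r"\\\\[^\\\s]+\\admin\$\\temp\\.*psscript_executeremote_"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.ps1"
)

def encode_command(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand, or None if absent or undecodable.
    powershell.exe accepts -e, -ec and any longer prefix of -EncodedCommand."""
    tokens = cmdline.split()  # assumption: no quoted arguments, as in the article's alert
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if t in ("-e", "-ec") or (len(t) > 2 and "-encodedcommand".startswith(t)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def triage(cmdline: str) -> dict:
    """Decode the command and list the indicators the article says trip AV.
    'likely_mid_server_probe' is a hint for the analyst, not proof: confirm the
    invoking host really is a MID Server before dismissing the alert."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"decoded": None, "indicators": [], "verdict": "no_encoded_command"}
    low_cmd, low_script = cmdline.lower(), decoded.lower()
    checks = [("hidden window", "-windowstyle hidden", low_cmd),
              ("execution policy bypass", "bypass", low_cmd),
              ("admin$ share", "\\admin$\\", low_script),
              ("temp folder", "\\temp\\", low_script)]
    indicators = ["encoded command"] + [name for name, needle, hay in checks if needle in hay]
    verdict = "likely_mid_server_probe" if MID_PROBE_RE.search(low_script) else "review"
    return {"decoded": decoded, "indicators": indicators, "verdict": verdict}

# Constructed sample alert modelled on the article's example (fictitious host and GUID).
SAMPLE_ALERT = ("powershell -ExecutionPolicy ByPass -NonInteractive -WindowStyle Hidden "
                "-EncodedCommand " + encode_command(
                    r"& {mode con lines=1 cols=9999; & \\10.0.0.5\admin$\temp\unregistered"
                    r"\psscript_executeRemote_11111111-2222-3333-4444-555555555555.ps1}"))
```

A "likely_mid_server_probe" result should be cross-checked against the MID Server's own logs before an exclusion is written; the same indicators on a host that is not a MID Server still deserve investigation.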

When a script is copied to and run on the target server, and the target's ExecutionPolicy is set at the MachinePolicy or UserPolicy scope (that is, by Group Policy), the -ExecutionPolicy ByPass switch cannot override it: the script will not execute and the probe will fail.
For probes that have the "Execute script remotely" checkbox checked, scripts are copied to the target under the following conditions:

  1. The MID Server is configured to use WMI protocol
  2. The MID Server is configured to use WinRM protocol and the "Copy script to target" checkbox on the probe is checked

Steps to Reproduce

  1. On an instance upgraded to Madrid, scan a Windows Server 2016 target. That should get both probes to run.
  2. The target server may trigger anti-virus software for remote execution of the psscript_executeRemote_<GUID>.ps1 script and prevent the probe running.

Workaround

This problem has been fixed. If you are able to upgrade, review the Fixed In or Intended Fix Version fields to determine whether any versions have a planned or permanent fix.

Whitelisting in the Anti-Virus software based on script filename or contents may be possible.

There is a simple way to revert it. Go to the probe, uncheck the "Execute script remotely" checkbox, and replace the script in the probe parameter with the old version of the script, which is attached to this PRB.


Related Problem: PRB1328998

Seen In

SR - IRM - Audit Management - New York 2019 Q3
SR - IRM - GRC Profiles - Madrid 2019 Q2
SR - IRM - Policy and Compliance - Madrid 2019 Q2
SR - IRM - Risk Management - New York 2019 Q3
SR - Security - Integration Framework - Madrid 2019 Q2
SR - Security - Support Common - Madrid 2019 Q2
SR - Security - Support Orchestration - Madrid 2019 Q2
SR - SIR - Security Incident Response - Madrid 2019 Q2
SR - SIR - Store SecOps Setup Assistant - Madrid 2019 Q2
SR - SIR - Store Threat Core - Madrid 2019 Q2
SR - SIR - Store Trusted Security Circles Client - New York 2019 Q3
SR - VR - Vulnerability Response - New York 2019 Q3

Fixed In

Madrid Patch 4
New York


Article Information

Last Updated: 2019-10-31 16:59:36
Published: 2019-07-17

Attachments:
discovery_probe_parameter_59224b72dbd532003398f1351d96196f.xml
discovery_probe_parameter_7dfc5f870a000483000169d19b46c06d.xml