cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
roberto.periale
Level 9
Report Inappropriate Content
Message 1 of 5
‎12-02-2022 02:25 AM

ATP log powershell

Hi,

 

from 1 week I get allot of event DAC (event id 37279) due to powershell. for example  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, that tried to access to file C:\Windows\TEMP\__PSScriptPolicyTest_t1xhtzyv.mkh.ps1, trying to violate "Create a fil with extension .bat"

any suggestion?

Thank you

0 Kudos
Reply
4 Replies
Daveb3d
MVP
Report Inappropriate Content
Message 2 of 5
‎12-02-2022 06:35 AM

Re: ATP log powershell

There is a DLL loading into PowerShell causing it to get contained.  Look for that event to see what is causing it.

Dave

0 Kudos
Reply
roberto.periale
Level 9
Report Inappropriate Content
Message 3 of 5
‎12-05-2022 02:10 AM

Re: ATP log powershell

Hi,

 

thank you. I've found this DLL system.ni.dll, but after few day it stopped to log, do you know why?

 

Thank you

0 Kudos
Reply
Daveb3d
MVP
Report Inappropriate Content
Message 4 of 5
‎12-05-2022 06:45 AM

Re: ATP log powershell

It may have become trusted due to its prevalence. Enabling JTI rule 250 may help with this too.  If it continues to be an issue, exclude the folder where these DLLs exist and use an Access Protection rule to protect the folder so only the true source process for these can write there.

Dave

0 Kudos
Reply
Sree26
Employee
Employee
Report Inappropriate Content
Message 5 of 5
‎12-05-2022 02:08 AM

Re: ATP log powershell

Hi @roberto.periale 

Thank you for the query.

Dynamic application containment (DAC) is a rule based feature of ATP. So if a certain transaction is sent over to DAC, it will verify the activity against the preset rules. As per the example you have given here, powershell script is running which in turn here is trying to create another .bat file. Since the rule gets violated due to this action, you see the event.

 

This rule by default is set to report only which means that you are only notified with an event, however the action is still allowed. You can choose to block this activity too.

Having said this, powershell reputation is lowered when there is a dll injected into it, hence its being put through DAC.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Sreekanth V
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC