Hidden Powershell Detected - SMB1

I'm in the process of upgrading from VSE to Endpoint.

I'm getting flooded by Critical Event E-mails caused by Windows Scheduling a task to run a Powershell script to disable SMB1.

C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE -EXECUTIONPOLICY UNRESTRICTED -NONINTERACTIVE -NOPROFILE -WINDOWSTYLE HIDDEN "& C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\MODULES\SMBSHARE\DISABLEUNUSEDSMB1.PS1 -SCENARIO CLIENT"

I'm sure this has been occurring in the background previously, but VSE was not flagging it at all.

As best I understand it, I cannot make an exception for a specific PowerShell script. So how can I address this?


Accepted Solutions
Daveb3d (Reliable Contributor), Message 2 of 4

Re: Hidden Powershell Detected - SMB1

I wouldn't use the provided rule. Try this instead as an Expert Rule:

    Rule {
        Process {
            Include OBJECT_NAME { -v "powershell.exe" }
            Include PROCESS_CMD_LINE { -v "*hidden*" }
            Exclude PROCESS_CMD_LINE { -v "*DISABLEUNUSEDSMB1.PS1 -SCENARIO CLIENT*" }
        }
        Target {
            Match SECTION { Include -access "CREATE" }
        }
    }

Load it locally to ensure it compiles properly, as I typed it from my phone, but that should give you PowerShell hidden without that false positive. If you aren't blocking, I would target a single DLL on the section match, or you will get multiple events from each single execution. Before the Include -access, just do Include OBJECT_NAME { -v "whatever.dll" }
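Before relying on a command-line exclusion like the one above, it is worth confirming on an affected machine that the hidden PowerShell launch really is the built-in scheduled task and that the script it runs is the Microsoft-signed file in the SmbShare module. The following PowerShell is an added example and not part of this thread or of any McAfee tooling; it discovers the task(s) from the local Task Scheduler rather than assuming a task name, and the only path it assumes is the script path shown in the alert.

```powershell
# Added example (not from the thread): locate the scheduled task(s) whose action
# references DisableUnusedSmb1.ps1 and verify the script's Authenticode signature
# before adding a rule exclusion for its command line.

$scriptName = 'DisableUnusedSmb1.ps1'

# Enumerate every registered task and keep those whose action command line mentions the script.
$tasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        ($_.Execute + ' ' + $_.Arguments) -match [regex]::Escape($scriptName)
    }
}

if (-not $tasks) {
    "No scheduled task references $scriptName on this machine."
}

foreach ($task in $tasks) {
    $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
    "Task     : {0}{1}" -f $task.TaskPath, $task.TaskName
    "State    : {0}   Last run: {1}   Last result: {2}" -f $task.State, $info.LastRunTime, $info.LastTaskResult
    foreach ($action in $task.Actions) {
        "Action   : $($action.Execute) $($action.Arguments)"
    }
    ""
}

# Check the script the alert's command line points to (path taken from the alert in the thread).
$scriptPath = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1'
if (Test-Path $scriptPath) {
    $sig = Get-AuthenticodeSignature -FilePath $scriptPath
    "Script   : $scriptPath"
    "Signature: $($sig.Status)"
    "Signer   : $($sig.SignerCertificate.Subject)"
    "SHA256   : $((Get-FileHash -Path $scriptPath -Algorithm SHA256).Hash)"
} else {
    "Script not found at $scriptPath"
}
```

Run it in an elevated PowerShell session on one of the machines generating the events. A task under the Microsoft task path, a Valid signature from Microsoft, and a hash that matches across your fleet are what justify excluding that command line; note that the Expert Rule exclusion matches on the command-line substring only, so the signature check is the part that ties the exclusion to the actual file.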

3 Replies

Re: Hidden Powershell Detected - SMB1

Fantastic!

This is the exact guidance I needed.
SWISS (Reliable Contributor), Message 4 of 4

Re: Hidden Powershell Detected - SMB1

Hello,

We have seen the same error on W10 17** and 18** PRO/ENT where ENS was installed from the beginning. This may be caused by Microsoft Windows Updates from WSUS Server.

Anybody at McAfee interested in fixing this? Is it fixed in ENS 10.6.1 JULY Re-post?
