NickG1
Level 7
Message 1 of 2

Powershell Script ExP:Illegal API Use

We have a couple of PS (v 5.1) scripts that are kicked off by a scheduled task. They are pretty simple scripts that either copy a file or send an email alert (Send-MailMessage) after checking a file path. Analyzer rule 6113 (T1055 - Fileless Threat: Reflective Self Injection) is tripped. MITRE seems to imply we should see an event ID of 1404 in the Windows PowerShell Operational logs showing an injection attempt. There are no 1404s in the logs, and this happens on multiple Windows servers. I tried to put a rule in to exclude the scripts, but that did not work. I can suppress the tripping by putting an exclusion in for PowerShell, but obviously that is not acceptable. I can find no other indication as to what is causing the alert. Anyone else see something like this?
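As an added check (not from the original thread), the following PowerShell snippet queries the Microsoft-Windows-PowerShell/Operational log on each affected server for the event ID 1404 the poster refers to, distinguishing "no events" from "log not readable"; the hostnames and the one-week window are assumptions.

```powershell
# Added example, not part of the original post. Hostnames are placeholders.
$servers   = @('SERVER01', 'SERVER02')
$logName   = 'Microsoft-Windows-PowerShell/Operational'
$startTime = (Get-Date).AddDays(-7)      # assumption: look back one week

foreach ($server in $servers) {
    # Confirm the log itself is reachable first, so a permissions or firewall
    # problem is not mistaken for "no matching events".
    $log = Get-WinEvent -ComputerName $server -ListLog $logName -ErrorAction SilentlyContinue
    if ($null -eq $log) {
        Write-Output "${server}: cannot read $logName (check remote event log access)"
        continue
    }

    # Get-WinEvent raises a "No events were found" error instead of returning
    # an empty set, so suppress that error and treat $null as zero matches.
    $events = Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = $logName
        Id        = 1404
        StartTime = $startTime
    }
    $count = @($events).Count
    Write-Output ("{0}: {1} event(s) with ID 1404 since {2:u}" -f $server, $count, $startTime)

    # Show when any matches occurred so they can be lined up with the ENS alert time.
    $events | Select-Object TimeCreated, Message | Format-Table -AutoSize
}
```

If every server reports zero matches but the log is readable, the ENS detection is not being corroborated by the PowerShell event log, which is the point worth including in the support request.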
1 Solution

Accepted Solutions
yaz
McAfee Employee
Message 2 of 2

Re: Powershell Script ExP:Illegal API Use


Hi @NickG1 

Thanks for reaching out to the community.

Based on the provided details, it looks like you are seeing injection caused by PowerShell.

This is likely due to the countermeasures present with ENS exploit prevention.

Kindly refer to the KB below. 

https://kc.mcafee.com/corporate/index?page=content&id=KB91836

I request you to open an SR with our support and provide us with the script and debug-enabled MER logs so that we can test internally to see whether this could be a potential false positive or a known threat from the past.

Was my reply helpful?

If yes, please give me a kudo.

If I have answered your query, kindly mark this as the solution so that together we can help other community members.


