Who Me Too'd this topic

Showing results for 
Search instead for 
Did you mean: 

Who Me Too'd this topic

New Emotet version using WMI -- ENS exploit expert rule

Over the past week, we've seen a new strain of Emotet that completely bypasses ENS 10.5.x.  It doesn't follow the typical infection chain of WinWord > powershell > payload, or WinWord > cmd > powershell.  Instead, WinWord is utilizing WMI to launch powershell, causing the payload to not load as a child process of WinWord. The process chain becomes svchost.exe > wmiprvse.exe > powershell.exe

The ENS ATP module does not even triggers events for these threats.

As a result, utilizing Access Protection or existing Exploit rules to prevent Word from launching cmd/powershell is ineffective.  I want to prevent Word & Excel from running win32_process.create().  Does anyone know if an ENS expert exploit rule can be used to prevent this behavior?  Documentation for expert rules is very limited.

Who Me Too'd this topic

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community