bumskull

Exploit payload process blocked


How do I exclude something? Antiexploit blocked one of our GPO scripts but it seems at least for now to only be on one computer. When in the threat view it will not let me exclude it. When I try I get a message "Selected threat does not contain a valid payload checksum, it cannot be added into exclusion list."


Hello Bumskull,

 

Do you mind collecting the logs outlined in this post here:

 

I want to look at the logs to see why we are blocking it and get you a fix. 

 


Hello Bumskull,

Since this alert has occurred, has it happened more than once?

This is what is happening with the alert:

 

"2016-12-02T09:54:33.494-06:00";"tboehm";"6276";"C:\Windows\system32\cmd.exe";"3200";"C:\Windows\system32\cmd.exe";"3";"701";"207";"";"";"";"";"";"";"C:\Windows\system32\cscript.exe cscript.exe \nologo \(blocking out the name).local\SysVol\(blocking out the name).local\Policies\{52D9B9E8-9131-4138-A8EA-C597B562796F}\User\Scripts\Logon\gpo.vbs";"";"";"";""

Just based on that, it seems like it may be something we block due to the nature of it opening up cmd to launch vbs via cscript. But if this is the only computer having the issue then it may be something else that we need to look into.
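A triage sketch for the alert record quoted above, added here as an example; it is not part of the original thread or the vendor's tooling. The column meanings are not documented on the page, so apart from assuming the first two fields are timestamp and user, it locates the process paths and command line by content, then checks whether the launched script sits in a GPO script folder under SYSVOL.

```python
import csv
import io
import re

# Alert record copied as it appears in the thread (domain redacted by the poster).
ALERT = r'''"2016-12-02T09:54:33.494-06:00";"tboehm";"6276";"C:\Windows\system32\cmd.exe";"3200";"C:\Windows\system32\cmd.exe";"3";"701";"207";"";"";"";"";"";"";"C:\Windows\system32\cscript.exe cscript.exe \nologo \(blocking out the name).local\SysVol\(blocking out the name).local\Policies\{52D9B9E8-9131-4138-A8EA-C597B562796F}\User\Scripts\Logon\gpo.vbs";"";"";"";""'''

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")

# Standard SYSVOL layout for Group Policy scripts:
#   ...\SysVol\<domain>\Policies\{GUID}\User\Scripts\Logon|Logoff\<file>
#   ...\SysVol\<domain>\Policies\{GUID}\Machine\Scripts\Startup|Shutdown\<file>
GPO_SCRIPT = re.compile(
    r"\\SysVol\\.+\\Policies\\(\{[0-9A-Fa-f-]{36}\})\\(User|Machine)"
    r"\\Scripts\\(Logon|Logoff|Startup|Shutdown)\\([^\\]+)$",
    re.IGNORECASE,
)


def parse_alert(line):
    """Split one semicolon-delimited, double-quoted alert record into fields."""
    return next(csv.reader(io.StringIO(line), delimiter=";", quotechar='"'))


def triage(line):
    """Summarise an alert record for an exclusion or escalation decision."""
    fields = parse_alert(line)
    # Bare executable paths (no arguments) are treated as process image paths.
    exes = [f for f in fields if f.lower().endswith(".exe") and " " not in f]
    # The command line is the field that invokes a Windows script host.
    cmdline = next(
        (f for f in fields if any(h in f.lower() for h in SCRIPT_HOSTS)), "")
    via_cmd = bool(cmdline) and any(
        e.lower().endswith("\\cmd.exe") for e in exes)
    m = GPO_SCRIPT.search(cmdline)
    return {
        "timestamp": fields[0],  # assumption: column 1 is the event time
        "user": fields[1],       # assumption: column 2 is the logged-on user
        "process_paths": exes,
        "command_line": cmdline,
        "script_host_via_cmd": via_cmd,
        "gpo_guid": m.group(1) if m else None,
        "gpo_phase": f"{m.group(2)}/{m.group(3)}" if m else None,
        "gpo_script": m.group(4) if m else None,
    }


if __name__ == "__main__":
    for key, value in triage(ALERT).items():
        print(f"{key}: {value}")
```

A record whose script path does not match the SYSVOL layout comes back with `gpo_guid` set to `None`, which separates a policy-deployed script from a script host launched out of an arbitrary directory.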
 
