
VS Code SSH (or maybe PowerShell SSH) triggering RTP detection for exploit


zazyzaya
Solved by Porthos

Every time I try to remote into my work server, I have to turn off exploit protection, otherwise the SSH process is killed. Possibly related to this thread from a year ago, but resetting to default did not solve it in my case.


When I try to use SSH on VS Code, it causes 3 detections. I will paste the output of the summaries below: 


Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/2/23
Protection Event Time: 9:37 AM
Log File: c646ee26-6128-11ee-ae80-1831bf73eee9.json

-Software Information-
Version: 4.6.2.281
Components Version: 1.0.2131
Update Package Version: 1.0.75887
License: Premium

-System Information-
OS: Windows 10 (Build 19045.3448)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadProcessBlock, C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \S \D \c type C:\Users\[MY USERNAME]\AppData\Local\Temp\vscode-linux-multi-line-command-[WORK SERVER].cloudapp.azure.com-861994863.sh, Blocked, 701, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \S \D \c type C:\Users\[MY USERNAME]\AppData\Local\Temp\vscode-linux-multi-line-command-[WORK SERVER].cloudapp.azure.com-861994863.sh
URL: 

(end)


(note: [WORK SERVER] is just the server's FQDN, and [MY USERNAME] is.. well, my username. I'm redacting both here)


Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/2/23
Protection Event Time: 9:37 AM
Log File: c3e19942-6128-11ee-b698-1831bf73eee9.json

-Software Information-
Version: 4.6.2.281
Components Version: 1.0.2131
Update Package Version: 1.0.75887
License: Premium

-System Information-
OS: Windows 10 (Build 19045.3448)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadFileBlock, C:\WINDOWS\system32\cmd.exe, Blocked, 601, 392684, 0.0.0, 8A2122E8162DBEF04694B9C3E0B6CDEE, B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload file blocked
File Name: C:\WINDOWS\system32\cmd.exe
URL: 

(end)


Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/2/23
Protection Event Time: 9:37 AM
Log File: c3ec9586-6128-11ee-9d15-1831bf73eee9.json

-Software Information-
Version: 4.6.2.281
Components Version: 1.0.2131
Update Package Version: 1.0.75887
License: Premium

-System Information-
OS: Windows 10 (Build 19045.3448)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 0
(No malicious items detected)


(end)


Any help would be appreciated. Thanks!
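The three summaries above share one layout: `-Section-` headers, `Key: Value` lines, and a comma-separated detection record under `Exploit Details`. The following script is an added example, not part of the original post and not Malwarebytes' own tooling: it parses that summary format, extracts each blocked command line, and flags records whose target is the VS Code Remote-SSH helper script in `%TEMP%` (the `vscode-linux-multi-line-command-*.sh` path seen in the first report) so an admin can triage them as candidate false positives before touching any exclusion. The sample reports are constructed from the posted summaries with the username and server FQDN replaced by placeholders.

```python
"""Triage helper for pasted Malwarebytes exploit-protection report summaries.

Added example (not from the original post or from Malwarebytes). It parses the
"-Section-" / "Key: Value" summary layout shown in the thread and flags events
whose blocked command line is the VS Code Remote-SSH temp script.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two of the posted summaries with placeholders for the
# redacted username and server FQDN.
SAMPLE_REPORTS = r"""
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/2/23
Protection Event Time: 9:37 AM
Log File: c646ee26-6128-11ee-ae80-1831bf73eee9.json

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadProcessBlock, C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \S \D \c type C:\Users\REDACTED_USER\AppData\Local\Temp\vscode-linux-multi-line-command-REDACTED_HOST.cloudapp.azure.com-861994863.sh, Blocked, 701, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \S \D \c type C:\Users\REDACTED_USER\AppData\Local\Temp\vscode-linux-multi-line-command-REDACTED_HOST.cloudapp.azure.com-861994863.sh
URL: 

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/2/23
Protection Event Time: 9:37 AM
Log File: c3e19942-6128-11ee-b698-1831bf73eee9.json

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Exploit.PayloadFileBlock, C:\WINDOWS\system32\cmd.exe, Blocked, 601, 392684, 0.0.0, 8A2122E8162DBEF04694B9C3E0B6CDEE, B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload file blocked
File Name: C:\WINDOWS\system32\cmd.exe
URL: 

(end)
"""

SECTION = re.compile(r"^-(.+)-$")
KEY_VALUE = re.compile(r"^([A-Za-z ]+):\s?(.*)$")
# The helper script VS Code Remote-SSH writes to %TEMP% and runs via cmd.exe,
# as seen in the blocked command line of the first report.
VSCODE_REMOTE_SCRIPT = re.compile(
    r"\\AppData\\Local\\Temp\\vscode-linux-multi-line-command-[^\s,\\]+\.sh",
    re.IGNORECASE,
)
HASH = re.compile(r"[0-9A-Fa-f]{32}|[0-9A-Fa-f]{64}")


@dataclass
class Detection:
    name: str          # e.g. Exploit.PayloadProcessBlock
    target: str        # blocked file or full command line
    action: str        # e.g. Blocked
    extra: List[str] = field(default_factory=list)  # ids, version, hashes


@dataclass
class Report:
    sections: Dict[str, Dict[str, str]] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Parse one summary (everything up to "(end)") into sections and detections."""
    report = Report()
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):   # blank or "(No malicious items detected)"
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            report.sections[current] = {}
            continue
        m = KEY_VALUE.match(line)
        if m and current is not None:
            report.sections[current][m.group(1)] = m.group(2).strip()
            continue
        # Remaining lines under Exploit Details are the comma-separated records.
        if current == "Exploit Details" and ", " in line:
            parts = [p.strip() for p in line.rstrip(", ").split(", ")]
            report.detections.append(Detection(parts[0], parts[1], parts[2], parts[3:]))
    return report


def parse_all(text: str) -> List[Report]:
    """Split a paste containing several summaries on their "(end)" markers."""
    return [parse_report(chunk) for chunk in text.split("(end)") if chunk.strip()]


def triage(report: Report) -> List[dict]:
    """Classify each detection; the VS Code temp-script path is only a candidate
    false positive and still needs confirming against what the user was doing."""
    data = report.sections.get("Exploit Data", {})
    results = []
    for d in report.detections:
        m = VSCODE_REMOTE_SCRIPT.search(d.target)
        results.append({
            "exploit": d.name,
            "action": d.action,
            "technique": data.get("Protection Technique", ""),
            "vscode_remote_script": bool(m),
            "script_path": m.group(0) if m else None,
            "hashes": [p for p in d.extra if HASH.fullmatch(p)],
            "verdict": ("candidate false positive: confirm Remote-SSH session, then review exclusion"
                        if m else "investigate: no known-benign pattern matched"),
        })
    return results


if __name__ == "__main__":
    for rep in parse_all(SAMPLE_REPORTS):
        for row in triage(rep):
            print(row)
```

The two detections arrive in a fixed order from a single `Remote-SSH` connection: the process block carries the full `cmd.exe ... type <temp .sh>` command line, while the file block names only `cmd.exe` plus its MD5 and SHA-256, so the script-path match is what ties the second event back to the first. Run it over a paste from the Malwarebytes report window to get a per-event verdict before deciding whether an exclusion is justified.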
