DeepGuard Detecting CMD as Exploit

cetil35
cetil35 Posts: 7 Explorer
edited April 6 in F-Secure Elements Endpoint Detection and Response

Hello all,

I have an issue with some PCs that CMD.exe process is showing as exploit, I have checked PCs but couldnt find any thing else different that other PCs. Details are below;


Details: DeepGuard blocked an exploit action. Application path: C:\Windows\SysWOW64\cmd.exe File hash: 4048488de6ba4bfef9edf103755519f1f762668f Detection: Exploit:W32/PowerShellStager.D!DeepGuard Rarity: Unknown Reputation: Unknown Process ID: 7476 


Just want to be sure that if its FP, do you have any suggestions that how can I be sure ?

Like

Accepted Answer

  • Jamesch
    Jamesch Posts: 357 Moderator
    edited April 2022 Answer ✓

    Hi,

    It is not CMD that is malicious, but something malicious running using CMD.

    I would suggest to create a case with us so our Malware team can investigate further - https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample

    Do include the below information:

    1. Download Microsoft WMI Diagnosis Utility v2.2 tool from here.

    2. Extract the executable on a specific directory and will contain the following files:


    EULA.TXT

    WMIDiag.doc

    WMIDiag.vbs

    WMIDiag.xls


    3. Run Command Prompt with elevated mode and set CSCRIPT as default script launcher.


    Cscript.exe //H:Cscript


    4. On administrator CMD execute "WMIDiag.vbs"

    5. After execution it will results log path at the end will show result directory. The log files is located in %TEMP%

    6. Submit all related logs (starts with "WMIDIAG-V2.2_") (CSV, LOG, TXT) to us

    7. To restore, set the wscript.


    Cscript.exe //H:Wscript

    Jaims
    1Like

Answers

  • Christopher_NEO
    Christopher_NEO Posts: 1 New Member

    Hi,


    Thanks I've a customer that meet exactly the same issue.

    The link for "1. Download Microsoft WMI Diagnosis Utility v2.2 tool from" seems to be broken.

    So, I've made a log analysis with the agent EPP, and send it for analysis.


    Did you received more information about this issues ?



    Thanks a lot,


    Christopher.

    F-Secure.PNG


    Like
  • cetil35
    cetil35 Posts: 7 Explorer
    https://community.f-secure.com/en/discussion/comment/129567#Comment_129567

    Dear Jamesch, thanks a lot for your answer.

    But as Christopher_NEO mentional the links seems to be broken, and I couldnt find the updated one from Microsoft.

    Like
  • Jamesch
    Jamesch Posts: 357 Moderator

    Hi Christopher and Cetil,

    I had to check this for you. If WMI tool is not available, you may send us the FSDiag log.

    Please create and send an FSDIAG file from the affected computer for us to analyze the logs. Please follow these steps to create the FSDIAG log file:


    - Click Start.

    - Select All Programs > (Your F-Secure product) > Support Tool. The Support Tool window is displayed.

    - Click OK. The tool starts gathering information. It creates the output file on your desktop. The name of the archive file is fsdiag.tar.gz.

    Jaimscetil35
    2Like
This discussion has been closed.

Categories