Recent Searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Unique 8-Character filename DLLs seen in temporary directories

            Modified on Mon, 22 Aug 2022 at 03:46 PM

            Applies to

            Airlock Server - v4.6.x and above

            Airlock Enforcement Agent Windows - v4.6.x and above

            Operating System - Microsoft Windows


            Symptoms

            With .NET Assembly Reflection enabled, and PowerShell Constrained Language Mode disabled, Airlock administrators may see large volumes of DLLs with random 8 character filenames executing from the following locations:

            • C:\Windows\Temp\[random folder]\[random filename].dll; or

            • C:\Users\[username]\AppData\Local\Temp\[random folder]\[random filename].dll

            Some examples are:

            • C:\Windows\Temp\weosfktl\weosfktl.DLL

            • C:\Users\[username]\AppData\Local\Temp\htyupodl\htyupodl.DLL

            These files will typically have unique hashes for every file and powershell.exe as their parent process. 


            Cause

            These files are created dynamically by Microsoft Windows whenever a PowerShell script making use of the Add-Type cmdlet is executed. This cmdlet defines a Microsoft .NET Core class in a PowerShell session, which can then be used to execute non-PowerShell code in memory. 


            With .NET Assembly Reflection enabled, the Airlock Agent will flag this file execution.


            Resolution

            These files cannot be trusted by publisher (as they are unsigned) and they cannot be trusted by hash (as the file content is dynamically created).


            It is recommended that if these are being seen to trust these files using the following path rules:

            C:\Windows\Temp\????????\????????.dll

            C:\Users\*\AppData\Local\Temp\????????.dll
            C:\Users\*\AppData\Local\Temp\????????\????????.dll
            C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\????????.dll

            C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\????????.dll


            These executions will only be seen by the Agent with .NET Assembly Reflection enabled on policy. Disabling this setting will stop these executions from being detected by the Agent, however reduce the overall security the solution provides.

            As an alternative administrators can enable Constrained Language Mode in either Airlock policy or Group policy, preventing the Add-Type cmdlet from being run in the first instance. However this will restrict Powershell's functionality within your environment, please consider this solution at your own risk.  





            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select atleast one of the reasons

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0