Applies to
Airlock Server - v4.6.x and above
Airlock Enforcement Agent Windows - v4.6.x and above
Operating System - Microsoft Windows
Symptoms
The Airlock Agent flags the execution of DLL files located at one of the following paths:
C:\Windows\Temp\[random folder]\[random filename].dll; or
C:\Users\[username]\AppData\Local\Temp\[random folder]\[random filename].dll
Some examples are:
C:\Windows\Temp\weosfktl\weosfktl.DLL
C:\Users\[username]\AppData\Local\Temp\htyupodl\htyupodl.DLL
Each of these files typically has a unique hash, and powershell.exe is their parent process.
Cause
These files are created dynamically by Microsoft Windows whenever a PowerShell script making use of the Add-Type cmdlet is executed. This cmdlet defines a Microsoft .NET Core class in a PowerShell session, which can then be used to execute non-PowerShell code in memory. The supplied source is compiled to an assembly that is written to a randomly named temporary folder before being loaded into the session, which is why every execution produces a file with a new name and a new hash.
With .NET Assembly Reflection enabled, the Airlock Agent will flag this file execution.
Resolution
These files cannot be trusted by publisher (they are unsigned) and cannot be trusted by hash (their content is dynamically created).
If these files are being seen, it is recommended to trust them using the following path rules:
C:\Windows\Temp\????????\????????.dll
C:\Users\*\AppData\Local\Temp\????????.dll
C:\Users\*\AppData\Local\Temp\????????\????????.dll
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\????????.dll
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\????????.dll
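To check which of the above rules a given file path would match before committing them to policy, the following added Python example (not part of the Airlock article or product) evaluates the sample paths from this article against each rule. It assumes Airlock wildcards behave as follows: '?' matches exactly one character, '*' matches any run of characters within a single path component, and matching is case-insensitive as Windows paths are.

```python
import re

# The path rules recommended in this article.
PATH_RULES = [
    r"C:\Windows\Temp\????????\????????.dll",
    r"C:\Users\*\AppData\Local\Temp\????????.dll",
    r"C:\Users\*\AppData\Local\Temp\????????\????????.dll",
    r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\????????.dll",
    r"C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\????????.dll",
]


def rule_to_regex(rule):
    """Translate one path rule into an anchored, case-insensitive regex.

    Assumed wildcard semantics: '?' is exactly one non-separator character,
    '*' is any run of non-separator characters (one path component).
    """
    parts = []
    for ch in rule:
        if ch == "?":
            parts.append(r"[^\\]")
        elif ch == "*":
            parts.append(r"[^\\]*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matching_rules(path):
    """Return every rule that would trust the given file path (possibly none)."""
    return [r for r in PATH_RULES if rule_to_regex(r).match(path)]


if __name__ == "__main__":
    # Sample paths: the two from the article plus constructed variants.
    samples = [
        r"C:\Windows\Temp\weosfktl\weosfktl.DLL",
        r"C:\Users\alice\AppData\Local\Temp\htyupodl\htyupodl.DLL",
        r"C:\Users\alice\AppData\Local\Temp\abcdefgh.dll",
        r"C:\Users\alice\AppData\Local\Temp\abcdefg\abcdefg.dll",  # 7 chars: no match
    ]
    for p in samples:
        print(p, "->", matching_rules(p) or "NOT TRUSTED")
```

Note that the '????????' rules require names of exactly eight characters, so a file in a folder of a different length is not trusted by them; confirm the wildcard semantics against your Airlock Server version before relying on this check.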
These executions will only be seen by the Agent when .NET Assembly Reflection is enabled on the policy. Disabling this setting will stop these executions from being detected by the Agent, but it reduces the overall security the solution provides.
As an alternative, administrators can enable Constrained Language Mode in either Airlock policy or Group Policy, preventing the Add-Type cmdlet from being run in the first instance. However, this will restrict PowerShell's functionality within your environment, so please consider this solution at your own risk.