Unique 8-Character filename DLLs seen in temporary directories

Modified on Thu, 22 Jun 2023 at 11:45 PM

Applies to

Airlock Server - v4.6.x and above

Airlock Enforcement Agent Windows - v4.6.x and above

Operating System - Microsoft Windows


Symptoms

With .NET Assembly Reflection enabled and PowerShell Constrained Language Mode disabled, Airlock administrators may see large volumes of DLLs with random 8-character filenames executing from the following locations:
  • C:\Windows\Temp\[random folder]\[random filename].dll; or

  • C:\Users\[username]\AppData\Local\Temp\[random folder]\[random filename].dll

Some examples are:

  • C:\Windows\Temp\weosfktl\weosfktl.DLL

  • C:\Users\[username]\AppData\Local\Temp\htyupodl\htyupodl.DLL

These files will typically have a unique hash for every file and powershell.exe as their parent process.


Cause

These files are created dynamically by Microsoft Windows whenever a PowerShell script that uses the Add-Type cmdlet is executed. This cmdlet defines a Microsoft .NET Core class in a PowerShell session, which can then be used to execute non-PowerShell code in memory.


With .NET Assembly Reflection enabled, the Airlock Agent will flag this file execution.
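The location and naming pattern above can be turned into triage logic for the file execution events an administrator has to review. The following is an added example (not Airlock's own code): it matches events against the two Temp locations, the 8-character folder-and-file name seen in the article's examples (assumed to always be identical, as in both samples) and a powershell.exe parent, and groups matches by hash. Field names, the `[a-z0-9]` character class and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# The two locations from the article. Both examples use the same 8-character
# name for folder and file stem, so the backreference requires them to match
# (assumption). Character class is an assumption; the examples are lowercase.
_ADD_TYPE_DLL = re.compile(
    r"^(?:C:\\Windows\\Temp|C:\\Users\\[^\\]+\\AppData\\Local\\Temp)"
    r"\\(?P<name>[a-z0-9]{8})\\(?P=name)\.dll$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FileExecEvent:
    """Minimal file-execution record (constructed shape, not Airlock's schema)."""
    path: str
    parent_process: str
    sha256: str


def is_add_type_artifact(event: FileExecEvent) -> bool:
    """True when the path fits the Add-Type temp DLL pattern and the parent
    process is powershell.exe, as described in the Symptoms section."""
    return (
        _ADD_TYPE_DLL.match(event.path) is not None
        and event.parent_process.lower() == "powershell.exe"
    )


def triage(events):
    """Split events into likely Add-Type artifacts, keyed by hash (each
    compilation yields a new hash, so the key is effectively per file),
    and everything else that still needs manual review."""
    artifacts, review = {}, []
    for ev in events:
        if is_add_type_artifact(ev):
            artifacts.setdefault(ev.sha256, ev)
        else:
            review.append(ev)
    return artifacts, review


# Constructed sample events; the first two paths are the article's examples.
SAMPLE_EVENTS = [
    FileExecEvent(r"C:\Windows\Temp\weosfktl\weosfktl.DLL", "powershell.exe", "hash-constructed-1"),
    FileExecEvent(r"C:\Users\jdoe\AppData\Local\Temp\htyupodl\htyupodl.DLL", "powershell.exe", "hash-constructed-2"),
    FileExecEvent(r"C:\Windows\Temp\weosfktl\weosfktl.DLL", "cmd.exe", "hash-constructed-3"),
    FileExecEvent(r"C:\Users\jdoe\AppData\Local\Temp\htyupodl\payload.dll", "powershell.exe", "hash-constructed-4"),
]

if __name__ == "__main__":
    matched, pending = triage(SAMPLE_EVENTS)
    print(f"{len(matched)} likely Add-Type artifacts, {len(pending)} events for review")
```

Events whose parent is not powershell.exe, or whose folder and file names differ, are deliberately left in the review list rather than dismissed.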


Resolution

Administrators can enable Constrained Language Mode in either Airlock policy or Group Policy, preventing the Add-Type cmdlet from running in the first instance. However, this will restrict PowerShell's functionality within your environment; please consider this solution at your own risk.

For alternate solutions, please reach out to the Airlock Support team.
