Applies to
Airlock Server - v4.6.x and above
Airlock Enforcement Agent Windows - v4.6.x and above
Operating System - Microsoft Windows
Symptoms
C:\Windows\Temp\[random folder]\[random filename].dll; or
C:\Users\[username]\AppData\Local\Temp\[random folder]\[random filename].dll
Some examples are:
C:\Windows\Temp\weosfktl\weosfktl.DLL
C:\Users\[username]\AppData\Local\Temp\htyupodl\htyupodl.DLL
Each of these files typically has a unique hash, with powershell.exe as its parent process.
Cause
These files are created dynamically by Microsoft Windows whenever a PowerShell script making use of the Add-Type cmdlet is executed. This cmdlet defines a Microsoft .NET Core class in a PowerShell session, which can then be used to execute non-PowerShell code in memory.
With .NET Assembly Reflection enabled, the Airlock Agent will flag this file execution.
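One way to triage blocked-execution records against the path pattern and parent process described above. This is an added example, not Airlock's own tooling: the function name `Test-AddTypeArtifact`, the `Path` and `ParentProcess` property names, and the sample rows are assumptions made for illustration.

```powershell
# Added example. Property names (Path, ParentProcess) and the sample rows are
# constructed for illustration; they are not Airlock's export schema.
function Test-AddTypeArtifact {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $Path,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $ParentProcess
    )
    begin {
        # <system or per-user Temp>\<one folder>\<file>.dll, per the Symptoms section.
        $pattern = '^C:\\(?:Windows\\Temp|Users\\[^\\]+\\AppData\\Local\\Temp)\\(?<dir>[^\\]+)\\(?<file>[^\\]+)\.dll$'
    }
    process {
        $pathMatches = $Path -match $pattern   # -match ignores case (.DLL vs .dll)
        $parentIsPs  = (Split-Path -Path $ParentProcess -Leaf) -eq 'powershell.exe'

        [pscustomobject]@{
            Path           = $Path
            PathMatches    = $pathMatches
            ParentIsPs     = $parentIsPs
            # Folder and file share one name in both of the article's examples;
            # reported separately because the article does not state it as a rule.
            NamesIdentical = $pathMatches -and ($Matches['dir'] -eq $Matches['file'])
            # Triage hint only: the block fits the Add-Type pattern. It says
            # nothing about whether the script that called Add-Type is trusted.
            LikelyAddType  = $pathMatches -and $parentIsPs
        }
    }
}

# Constructed sample records; the first two paths are the article's examples.
$records = @(
    [pscustomobject]@{ Path = 'C:\Windows\Temp\weosfktl\weosfktl.DLL'
                       ParentProcess = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
    [pscustomobject]@{ Path = 'C:\Users\alice\AppData\Local\Temp\htyupodl\htyupodl.DLL'
                       ParentProcess = 'powershell.exe' }
    [pscustomobject]@{ Path = 'C:\Users\alice\AppData\Local\Temp\setup\helper.dll'
                       ParentProcess = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Path = 'C:\Users\alice\Downloads\tool.dll'
                       ParentProcess = 'powershell.exe' }
)

$records | Test-AddTypeArtifact | Format-Table -AutoSize
```

Only the first two records come back with `LikelyAddType` set to `True`; the third fails the parent-process check and the fourth fails the path check.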
Resolution
Administrators can enable Constrained Language Mode in either Airlock policy or Group Policy, preventing the Add-Type cmdlet from running in the first place. However, this will restrict PowerShell's functionality within your environment; please consider this solution at your own risk.
For alternate solutions, please reach out to the Airlock Support team.