Unique 8-Character filename DLLs seen in temporary directories

Modified on Mon, 22 Aug 2022 at 03:46 PM

Applies to

Airlock Server - v4.6.x and above

Airlock Enforcement Agent Windows - v4.6.x and above

Operating System - Microsoft Windows


Symptoms

With .NET Assembly Reflection enabled, and PowerShell Constrained Language Mode disabled, Airlock administrators may see large volumes of DLLs with random 8-character filenames executing from the following locations:
  • C:\Windows\Temp\[random folder]\[random filename].dll; or

  • C:\Users\[username]\AppData\Local\Temp\[random folder]\[random filename].dll

Some examples are:

  • C:\Windows\Temp\weosfktl\weosfktl.DLL

  • C:\Users\[username]\AppData\Local\Temp\htyupodl\htyupodl.DLL

Each of these files typically has a hash that is never seen again, and the parent process is powershell.exe.


Cause

These files are created whenever a PowerShell script calls the Add-Type cmdlet. Add-Type compiles the source code it is given (C# by default) into a .NET assembly so that non-PowerShell code can be run inside the PowerShell session: the compiler writes the assembly to a randomly named folder under the temp directory of the account running PowerShell (C:\Windows\Temp for SYSTEM and service accounts, %LOCALAPPDATA%\Temp for interactive users), and powershell.exe then loads it and executes the compiled code in memory. Because the assembly is compiled afresh on every run, the resulting DLL has a different hash each time.


With .NET Assembly Reflection enabled, the Airlock Agent treats the load of each of these compiled assemblies as a file execution and flags it.


Resolution

These files cannot be trusted by publisher (they are unsigned) and they cannot be trusted by hash (the file content is generated dynamically and differs on every run).


If these executions are being seen, the recommended approach is to trust them with the following path rules (? matches a single character and * matches any run of characters, so each rule only covers an 8-character DLL name in the expected temp location):

C:\Windows\Temp\????????\????????.dll

C:\Users\*\AppData\Local\Temp\????????.dll

C:\Users\*\AppData\Local\Temp\????????\????????.dll

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\????????.dll

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\????????.dll

Note that a path rule trusts any file matching the pattern regardless of its content or origin, so these rules also allow any other DLL with an 8-character name that is written to those directories. Add only the rules for the profiles (user, SYSTEM, LocalService, NetworkService) in which Add-Type executions are actually being observed.


These executions are only seen by the Agent when .NET Assembly Reflection is enabled in policy. Disabling this setting stops the Agent from detecting them, but it also reduces the overall protection the solution provides, because other reflectively loaded assemblies are no longer seen either.

Alternatively, administrators can enable PowerShell Constrained Language Mode, either in Airlock policy or via Group Policy, which prevents the Add-Type cmdlet from running in the first place. Constrained Language Mode also restricts other PowerShell functionality (for example, arbitrary .NET method calls from scripts), so test its impact on existing scripts and tooling before deploying it.
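The following PowerShell script is an added example that is not part of this article and not Airlock's own tooling. It reproduces the symptom described in the Cause section (an Add-Type call producing an 8-character DLL under the temp directory of the running account) and then shows why Constrained Language Mode, as suggested above, stops it. It assumes Windows PowerShell 5.1 (powershell.exe) running in FullLanguage mode on a test host that is not in Airlock enforcement mode; the class name AddTypeDemo, the event source identifier AddTypeDllCreated and the regular expression used to recognise the file name are illustrative choices.

```powershell
# Added example (not from the Airlock article): reproduce the Add-Type
# behaviour described above and check the artefact against the path pattern.
# Assumes Windows PowerShell 5.1 (powershell.exe) in FullLanguage mode on a
# test host. Class name, event source identifier and regex are illustrative.

# 1. Watch %TEMP% (including subfolders) for DLLs being created. A watcher is
#    used because the compiled assembly can be removed again as soon as it
#    has been loaded, so a directory listing taken afterwards may be empty.
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $env:TEMP
$watcher.Filter                = '*.dll'
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents   = $true
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier AddTypeDllCreated | Out-Null

# 2. Compile a trivial C# class the way a script would. Every call compiles a
#    fresh assembly, which is why each DLL has a different hash.
$source = @'
public static class AddTypeDemo
{
    public static string Hello()
    {
        return "compiled at " + System.DateTime.UtcNow.ToString("o");
    }
}
'@
Add-Type -TypeDefinition $source
[AddTypeDemo]::Hello()

Start-Sleep -Milliseconds 500   # give the Created events time to be queued

# 3. Report the DLLs written by the compiler. The file name (and, on current
#    .NET Framework versions, the folder it sits in) is 8 random characters.
$pattern = '\\[a-z0-9]{8}\.dll$'
Get-Event -SourceIdentifier AddTypeDllCreated |
    ForEach-Object { $_.SourceEventArgs.FullPath } |
    Where-Object   { $_ -match $pattern } |
    ForEach-Object { "DLL created by Add-Type: $_ (loaded by powershell.exe PID $PID)" }

Unregister-Event -SourceIdentifier AddTypeDllCreated
Remove-Event     -SourceIdentifier AddTypeDllCreated -ErrorAction SilentlyContinue
$watcher.Dispose()

# 4. Why Constrained Language Mode is an alternative fix: in a child
#    powershell.exe switched to ConstrainedLanguage, the same Add-Type call is
#    refused before any compiler runs, so no temp DLL is produced at all.
powershell.exe -NoProfile -NonInteractive -Command {
    $ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
    try   { Add-Type -TypeDefinition 'public class Blocked {}'; 'Add-Type succeeded (unexpected)' }
    catch { "Add-Type refused in $($ExecutionContext.SessionState.LanguageMode) mode: $_" }
}
```

Run the script on a host with the Airlock Agent in audit mode and .NET Assembly Reflection enabled to confirm that the path it prints is the same one the Agent reports, which is the quickest way to check that a proposed path rule actually matches what the Agent sees. On a host in enforcement mode without the path rules, step 2 will itself be blocked.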
