Solved

Known Behavior of execmd.ps1?

  • 16 March 2022
  • 4 replies
  • 144 views


Looking to validate events from an EDR related to amagent activity. Are these known behaviors?

The script C:\programdata\amagent\execdir775765479\execcmd799295514.ps1 attempted to create a viewable window, by calling the function "CreateWindowExW". The operation was successful.

The script C:\programdata\amagent\execdir775765479\execcmd799295514.ps1 attempted to modify the next instruction to execute in the process "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe". The operation was blocked and the application terminated by Cb Defense.

 


Best answer by JohnG-Automox 11 December 2023, 16:30


4 replies

Hmm...actually, let me double-check with a couple of teams to get some feedback. Thanks for posting! 


 


Hi @filemod !


Just checking in and seeing if this is still an issue for you.

In the example you provided, it appears that CB Defense is blocking the invocation of the Automox Agent’s (PowerShell) scripts under the C:\programdata\amagent\execdir directory.

If you are still experiencing this behavior, I recommend taking a look at our Globally Trust-listing Automox Through EPP Application Control article to ensure your EPP is set up correctly to work with the Automox Agent. For Carbon Black, you will need to set up your App Control policies to allow our agent.

You may also need to whitelist our agent directories explicitly if you are still experiencing issues.

If you need a hand with this process, please open up a ticket with our support team so they can guide you through the process.

 

Have a great day!
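As an added triage helper (not code from this thread, Automox, or Carbon Black): the function below parses EDR event text of the shape quoted in the question, checks whether the script path matches the amagent execdir/execcmd naming seen there, and, when the script is still on disk, records its SHA256 and Authenticode status to support the hash-approval and trust-list review discussed above. The path pattern and the sample events are constructed from the two events in the question plus one deliberately out-of-place path.

```powershell
# Added example, not part of the thread. Assumes agent scripts live under
# C:\programdata\amagent\execdir<digits>\execcmd<digits>.ps1, as the events show.
$AgentScriptPattern = '^C:\\programdata\\amagent\\execdir\d+\\execcmd\d+\.ps1$'

# Constructed sample events (first two copied in shape from the question).
$SampleEvents = @(
    'The script C:\programdata\amagent\execdir775765479\execcmd799295514.ps1 attempted to create a viewable window, by calling the function "CreateWindowExW". The operation was successful.',
    'The script C:\programdata\amagent\execdir775765479\execcmd799295514.ps1 attempted to modify the next instruction to execute in the process "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe". The operation was blocked and the application terminated by Cb Defense.',
    'The script C:\Users\Public\execcmd123.ps1 attempted to modify the next instruction to execute in the process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe". The operation was blocked and the application terminated by Cb Defense.'
)

function Get-AmagentEventTriage {
    param([string[]]$EventText)
    foreach ($line in $EventText) {
        # Extract script path, described action, and the EDR's result from the event sentence.
        if ($line -notmatch '^The script (?<path>\S+\.ps1) attempted to (?<action>.+?)\. The operation was (?<result>successful|blocked)') { continue }
        $path   = $Matches['path']
        $action = $Matches['action']
        $result = $Matches['result']

        # Second -match overwrites $Matches, so the captures above were saved first.
        $inAgentDir  = $path -match $AgentScriptPattern
        $disposition = if ($inAgentDir) { 'Agent directory: review for EPP trust-list / hash approval' }
                       else             { 'Outside agent directory: investigate before approving' }

        # The script may already be gone when the alert is reviewed; only hash/sign-check if present.
        $hash = $null; $sig = $null
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }

        [pscustomobject]@{
            ScriptPath  = $path
            Action      = $action
            Result      = $result
            InAgentDir  = $inAgentDir
            Disposition = $disposition
            Sha256      = $hash
            Signature   = $sig
        }
    }
}

Get-AmagentEventTriage -EventText $SampleEvents | Format-Table -AutoSize
```

Feed it the event text exported from the EDR console; rows with InAgentDir = False deserve a look before any approval is added.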

 


Hi John,

Not so much an issue, but still getting some alerts on Automox related activity. I’ve done some Carbon Black hash approvals to reduce the alerts; I’ll check the links you shared.

 

Thanks,
