“PowerWare” Detection

Carbon Black Enterprise Protection users can block the initial cmd.exe launched by Word with a rule that blocks cmd.exe from executing when its parent is winword.exe. Covering other Office applications such as excel.exe, powerpnt.exe, and outlook.exe is a good idea as well. As always, when creating rules like this, first create them as report rules and watch the console to gauge any potential impact. Once you’re satisfied that this behaviour does not occur legitimately in your environment, change the rule action to “Block.”

Consider a similar rule for browsers, blocking them from running PowerShell as well. Rules like these should also help against other types of malware that leverage Office documents.

For detection, the following Cb Enterprise Response queries should identify this activity as well (and likely other types of malware):

process_name:cmd.exe parent_name:winword.exe childproc_name:powershell.exe

process_name:powershell.exe filemod_count:[1000 to *]

While this sample used cmd.exe as an intermediary, you should also watch for PowerShell being spawned directly by Word:

process_name:powershell.exe parent_name:winword.exe

For more general detection, watch for cmd.exe spawned from any of the Office applications:

process_name:cmd.exe AND (parent_name:winword.exe OR parent_name:excel.exe OR parent_name:powerpnt.exe OR parent_name:outlook.exe)
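The same four conditions expressed as stand-alone detection logic over process events, as an added example that is not Carbon Black’s code or part of the original post. The `ProcessEvent` fields mirror the query fields used above (`process_name`, `parent_name`, `childproc_name`, `filemod_count`); the sample events are constructed, not real telemetry.

```python
"""Detection logic mirroring the Cb Response queries above, run over constructed events."""
from dataclasses import dataclass, field
from typing import Dict, List

# Office parents named on the page; parent names are compared case-insensitively
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
FILEMOD_THRESHOLD = 1000  # from the filemod_count:[1000 to *] query


@dataclass
class ProcessEvent:
    pid: int
    name: str            # process_name
    parent_name: str     # parent_name
    filemod_count: int = 0
    children: List[str] = field(default_factory=list)  # childproc_name values


def classify(ev: ProcessEvent) -> List[str]:
    """Return the labels of the page's queries that this event would match."""
    hits = []
    name, parent = ev.name.lower(), ev.parent_name.lower()
    children = {c.lower() for c in ev.children}
    if name == "cmd.exe" and parent == "winword.exe" and "powershell.exe" in children:
        hits.append("word_cmd_powershell")        # query 1: Word -> cmd.exe -> powershell.exe
    if name == "powershell.exe" and ev.filemod_count >= FILEMOD_THRESHOLD:
        hits.append("powershell_mass_filemod")    # query 2: mass file modification (encryption)
    if name == "powershell.exe" and parent == "winword.exe":
        hits.append("word_direct_powershell")     # query 3: Word spawning PowerShell directly
    if name == "cmd.exe" and parent in OFFICE_APPS:
        hits.append("office_cmd")                 # query 4: any Office app spawning cmd.exe
    return hits


def run_detection(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map pid -> matched query labels, keeping only events that matched something."""
    hits = {ev.pid: classify(ev) for ev in events}
    return {pid: h for pid, h in hits.items() if h}


# Constructed sample events (hypothetical, not captured telemetry)
SAMPLE_EVENTS = [
    ProcessEvent(100, "WINWORD.EXE", "explorer.exe"),
    ProcessEvent(101, "cmd.exe", "WINWORD.EXE", children=["powershell.exe"]),
    ProcessEvent(102, "powershell.exe", "cmd.exe", filemod_count=2480),
    ProcessEvent(103, "powershell.exe", "explorer.exe", filemod_count=3),  # routine admin use
    ProcessEvent(104, "cmd.exe", "EXCEL.EXE"),
]

if __name__ == "__main__":
    for pid, matched in run_detection(SAMPLE_EVENTS).items():
        print(pid, matched)
```

As with the report rules, run this kind of logic in alert-only mode first: event 103 shows a benign PowerShell process that correctly produces no match, but the 1000-file threshold may need tuning for your environment.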

Indicators of Compromise

File Details


Network Details


“PowerWare” Encrypts the Following:


Source: https://www.carbonblack.com