CacheBuilder is Flagging AMSI

gerane
Posts: 7
Joined: Sat Feb 28, 2015 4:26 pm

Post by gerane » Mon Mar 28, 2016 9:26 am

Product, version and build: PowerShell Studio Version 5.2.117 PowerShell Studio 2016 9141949543174315

32 or 64 bit version of product: 64

Operating system: Windows 10

32 or 64 bit OS: 64

On Windows 10, CacheBuilder64.exe is triggering AMSI in Windows Defender. I have not seen this in the past, and this morning was the first time I have actually seen this happen. It is being triggered as if it were HackTool:Win32/Mikatz!dha, which is what would trigger for Mimikatz. Since Mimikatz is attempting to steal cached credentials, I am assuming CacheBuilder is using a very similar technique to build a cache to be used for the different PowerShell versions, which is triggering AMSI. Here is the item it is detecting:

amsi:PowerShell_C:\Program Files\SAPIEN Technologies, Inc\PowerShell Studio 2016\CacheBuilder64.exe_2.4.28.0000000000000010c

I downloaded PowerSploit from the PSGallery and let Windows Defender trigger for it to show how it is being triggered in the same way. Here is a screenshot of Windows Defender.
[Attached screenshot of the Windows Defender detection: Screenshot 2016-03-28 11.21.37.png]
I wanted to bring this to your attention since some users might not have the luxury of adding exceptions or ignoring it due to security policies, or might have a very long and drawn-out process to get that done.

davidc
Posts: 5913
Joined: Thu Aug 18, 2011 4:56 am

Re: CacheBuilder is Flagging AMSI

Post by davidc » Mon Mar 28, 2016 9:47 am

Thank you for bringing this to our attention.

If you look at the alert text, the true culprit is the PowerSploit module. The module is loaded when the cache builder iterates through all the modules and stores the command information in a cache file. You would probably get this alert every time PowerShell loads the module regardless of host (including in PowerShell.exe).

If a user doesn't have the luxury of adding exceptions, they should not download this module :).

David
SAPIEN Technologies, Inc.
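The behaviour David describes (AMSI inspecting the module text when PowerShell loads it, whatever the host) can be checked directly rather than inferred from the alert path. The script below is an added example for this thread; it is not SAPIEN's CacheBuilder code and not anything from PowerSploit. It assumes Windows PowerShell 5.1 on Windows 10 with Microsoft Defender real-time protection on, that an AMSI block surfaces as an error whose FullyQualifiedErrorId begins with 'ScriptContainedMaliciousContent' (a match on the message text is the fallback), and that the string in Test-AmsiEnabled is Microsoft's documented, harmless AMSI test sample. The function and parameter names are my own.

```powershell
# Added example for this thread; not SAPIEN's CacheBuilder code, not PowerSploit.
# Does what the cache builder is described as doing (load every installed module)
# in a throw-away runspace per module, and reports which modules Defender blocks
# through AMSI, so the responsible module is named instead of guessed.
#
# Assumptions, not stated in the thread:
#  - Windows 10, Windows PowerShell 5.1, Defender real-time protection enabled.
#  - An AMSI block is a ParseException whose FullyQualifiedErrorId starts with
#    'ScriptContainedMaliciousContent'; the message-text match is a fallback
#    for hosts that wrap the error record differently.
#  - The string in Test-AmsiEnabled is Microsoft's documented AMSI test sample.
#    It is assembled at run time so this file is not itself flagged when a host
#    scans it; only the text handed to Invoke-Expression is contiguous.

function Test-AmsiEnabled {
    <# Returns $true when AMSI blocks the test sample in the current host.
       Run this first: an all-clear from Test-ModuleAmsi means nothing if
       AMSI is disabled or no provider is registered. #>
    $sample = 'AMSI Test ' + 'Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        Invoke-Expression "'$sample'" | Out-Null
        return $false
    } catch {
        return [bool](($_ | Out-String) -match 'ScriptContainedMaliciousContent|malicious content')
    }
}

function Test-ModuleAmsi {
    [CmdletBinding()]
    param(
        # Modules to probe. Default: everything on $env:PSModulePath, which is
        # what a "load every module and cache its commands" pass would touch.
        [string[]]$Name = (Get-Module -ListAvailable |
                           Select-Object -ExpandProperty Name -Unique)
    )

    foreach ($moduleName in $Name) {
        # Fresh runspace per module: a blocked import cannot poison the next
        # one, and nothing is left loaded in the caller's session.
        $ps = [PowerShell]::Create()
        $records = @()
        try {
            [void]$ps.AddCommand('Import-Module').AddParameter('Name', $moduleName)
            [void]$ps.Invoke()
            $records = @($ps.Streams.Error)   # non-terminating import errors
        } catch {
            $records = @($_)                   # terminating errors arrive here
        } finally {
            $ps.Dispose()
        }

        # Out-String renders the full error view, including FullyQualifiedErrorId,
        # so one pattern covers both the record itself and a wrapped exception.
        $amsiHit = @($records | Where-Object {
            ($_ | Out-String) -match 'ScriptContainedMaliciousContent|malicious content'
        })

        $status = if ($amsiHit.Count -gt 0) { 'BlockedByAmsi' }
                  elseif ($records.Count -gt 0) { 'ImportFailed' }
                  else { 'Loaded' }
        $detail = if ($records.Count -gt 0) { ($records[0].Exception.Message -split "`r?`n")[0] } else { '' }

        [pscustomobject]@{ Module = $moduleName; Status = $status; Detail = $detail }
    }
}

if (-not (Test-AmsiEnabled)) {
    Write-Warning 'AMSI did not block the test sample in this host; a clean result below is not meaningful.'
}

# Only the interesting rows. A module that shows BlockedByAmsi here will be
# blocked by any host that loads it, PowerShell Studio's cache builder included.
Test-ModuleAmsi | Where-Object Status -ne 'Loaded' | Format-Table -AutoSize
```

Run it once from powershell.exe and once from the PowerShell Studio console; the BlockedByAmsi rows should be identical, which is the point of the reply above. The Detail column carries the first line of Defender's error, which in practice typically names the offending file, so a user whose policy forbids Defender exclusions can remove or relocate just that module rather than working around the tool.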

gerane
Posts: 7
Joined: Sat Feb 28, 2015 4:26 pm

Re: CacheBuilder is Flagging AMSI

Post by gerane » Mon Mar 28, 2016 10:59 am

Ahh, OK, that makes sense. This is the first AMSI trigger I have encountered, and I was thinking that each of those three were separate entries.