EDR Keeps Detecting Suspicious Fileless Attack via PowerShell – Need Help Identifying the Source

Newbie250378 Lv1 Posted Jun-23-2025 18:41

Last edited by Newbie250378 Jun-23-2025 18:44.

Hello,
We are using Sangfor Endpoint Secure in our organization and encountering a recurring issue. The EDR is continuously blocking the following PowerShell script execution as a “Suspicious fileless attack”, detected by the Fileless Attack Detection Engine.
Here are the details of one such incident:

Infected Endpoint: hp600pcX (10.0.X.X)
Process: c:\windows\system32\windowspowershell\v1.0\powershell.exe
Parameter:
powershell.exe -ExecutionPolicy Restricted -Command
$isBroken = 0
$ShellRegRoot = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell'
$bagMRURoot = $ShellRegRoot + '\BagMRU'
$bagRoot = $ShellRegRoot + '\Bags'
$HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'
$properties = Get-ItemProperty -Path $bagMRURoot
foreach ($property in $properties.PSObject.Properties) {
  if ($property.TypeNameOfValue -eq 'System.Byte[]') {
    $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''
    if ($hexString -eq $HomeFolderGuid) {
      $subkey = $property.Name
      $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\' + $subkey) -Name 'NodeSlot'
      $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\' + $nodeSlot + '\Shell\*') -Name 'GroupView') -eq 0) { 1 } else { 0 }
      break
    }
  }
}
Write-Host 'Final result:',$isBroken

We could not identify which application or process triggered this script.
It has been executed on almost all user endpoints, usually once.
Here’s what we’ve tried:

  • Checked Sysmon and PowerShell logs — no clear parent process was found.
  • Confirmed that users did not manually run the script.
  • No known GPO or login script includes this code.
  • No scheduled task matches it.
  • We are hesitant to whitelist this behavior without understanding its origin.

❓ My Questions:

  • Is there a known component (e.g., Windows update, Teams, OneDrive, EMR agent, etc.) that might trigger this PowerShell command?
  • Is there any way within the Sangfor EDR console to trace the origin or parent process of a PowerShell execution?
  • Could this be a false positive, and if so, what’s the best way to validate and report it?

Any help or insights from the community or Sangfor team would be appreciated.
Thanks in advance!
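The parent-process trace the post says it could not find can be pulled from the endpoint's own event logs. The script below is an added example, not part of the original post or of Sangfor's tooling; it assumes Sysmon is installed under its default log name and that PowerShell script block logging (Event ID 4104) is enabled, and it uses marker strings taken from the command line quoted above.

```powershell
# Added example, not part of the original post: find the parent of the flagged
# PowerShell invocation from the endpoint's own logs. Run elevated on an endpoint
# where the alert fired. Assumes Sysmon (default log name) is installed and
# PowerShell script block logging (Event ID 4104) is enabled.
param(
    # Marker strings taken from the command line in the alert above.
    [string[]]$Markers = @('BagMRU', '$isBroken', 'GroupView'),
    [int]$Days = 30
)
$since = (Get-Date).AddDays(-$Days)

# Sysmon Event ID 1 (process creation) carries Image, CommandLine, ParentImage,
# ParentCommandLine and ParentProcessGuid for every new process.
$sysmon = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $sysmon) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $cmd = [string]$d['CommandLine']
    # Require every marker so ordinary PowerShell launches are not reported.
    $matched = @($Markers | Where-Object { $cmd -like "*$_*" }).Count
    if ($d['Image'] -like '*\powershell.exe' -and $matched -eq $Markers.Count) {
        [pscustomobject]@{
            Time              = $e.TimeCreated
            User              = $d['User']
            ProcessId         = $d['ProcessId']
            ParentProcessId   = $d['ParentProcessId']
            ParentImage       = $d['ParentImage']
            ParentCommandLine = $d['ParentCommandLine']
            ParentProcessGuid = $d['ParentProcessGuid']
        }
    }
}
"Sysmon process-creation hits: $(@($hits).Count)"
$hits | Format-List

# Fallback: script block logging records the script text itself, with the
# time and the PowerShell host's process ID, even if the launcher hid its command line.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*BagMRU*' -and $_.Message -like '*GroupView*' } |
    Select-Object TimeCreated, ProcessId, @{ n = 'Script'; e = { $_.Message } } |
    Format-List
```

Pivot on ParentProcessGuid into the parent's own Event ID 1 record (its ProcessGuid) to climb the chain past the immediate launcher, since a service host or installer often sits one or two levels above powershell.exe.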


Newbie913091 Posted Oct-08-2025 00:18

If you sign the PowerShell script with your organization’s code-signing certificate, Sangfor and most EDRs treat it as more trustworthy.
ilker_pltdmr Lv1 Posted Sep-08-2025 18:31

Last edited by ilker_pltdmr Sep-08-2025 18:37.

We encountered a similar issue in our environment and here is how we resolved it:
Go to General Policies in the Sangfor Endpoint Secure console.
Select the relevant policy group that applies to your endpoints.
Navigate to Realtime Protection.
Under Fileless Attack Protection, enable “Enable suspicious PowerShell script detection” and select “Block script execution” (as shown in the screenshot above).
If you have any legitimate PowerShell script that you want to allow, you must add it to the Whitelist. This will ensure that trusted scripts continue to run while all suspicious or unknown executions are blocked.
This approach allowed us to block the recurring suspicious script executions while still keeping control over our own internal/authorized scripts.
Hope this helps!
Sangfor Jojo Lv5 Posted Sep-08-2025 15:42

Hi, I have forwarded your issue to Sangfor technical support as it is a bit complicated.
johnlj Lv1 Posted Sep-06-2025 09:06

Last edited by johnlj Sep-10-2025 11:20.

I have this experience also, need some answers too.
