Company Name: Stonehenge Advisors, Inc
Contact: Dan Sablosky (POC)
Ticket #: 3466878
Summary: [##309861##] High - SentinelOne Threat - Stonehenge Advisors, Inc - powershell.exe (CLI 29c4) - 02/2
This email is to inform you that ticket 3466878 has been marked completed and will be closed in one day.
Should you feel that this ticket has not been resolved satisfactorily, please let us know how we may assist by replying to this email or call 212-507-9420.
Thu 2/26/2026 4:42 PM UTC-05 / Jeff Surofsky (time)
SentinelOne generated a high-severity ransomware alert on a workstation at Atlantic Stonehenge Advisors. Immediate investigation determined the activity was tied to a legitimate Carbonite backup software upgrade. The detection was triggered by behavioral patterns that resemble modern attack techniques but were verified as part of normal vendor-signed update activity. No evidence of malware execution, data compromise, lateral movement, or unauthorized access was found. The endpoint remains secure, and no further action is required beyond continued standard monitoring.
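One way to reproduce the signature-based verdict above on the endpoint: the following triage helper is an added example, not part of this ticket and not Carbonite or SentinelOne tooling. It assumes the updater lives at ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe (joined with a path separator, which the captured command line does not do), and reuses the allowed signer names and the powershell.exe SHA1 value from the alert in this ticket.

```powershell
# Added triage helper (not from the ticket, Carbonite or SentinelOne).
# Assumptions: the updater path below is assumed; the allowed signer names and
# the expected SHA1 are taken from the alert text in this ticket.

function Test-UpdaterSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Signer allow list mirrors the names the captured upgrade script accepts.
        [string[]] $AllowedSigners = @('Carbonite', 'Carbonite, Inc.', 'Open Text Corporation')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Signer = $null; Trusted = $false }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) {
        # Same name form the vendor script compares against.
        $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    }
    # Trusted only when the chain validates AND the signer is one we expect.
    $trusted = ($sig.Status -eq 'Valid') -and ($AllowedSigners -contains $signer)
    [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = $signer; Trusted = $trusted }
}

function Test-FileHashMatches {
    param([string] $Path, [string] $ExpectedSha1)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    # Compare the on-disk binary with the hash the sensor reported.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    return $actual -ieq $ExpectedSha1
}

# Values from the alert; the updater path is an assumption for this example.
$psExe     = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$alertSha1 = '29c47caaf3ae73889899251485ec9a9e85cb1faf'
$updater   = Join-Path $env:ProgramData 'Carbonite\Carbonite Backup\CarboniteUpgrade.exe'

Test-UpdaterSignature -Path $psExe | Format-List
"powershell.exe SHA1 matches alert: $(Test-FileHashMatches -Path $psExe -ExpectedSha1 $alertSha1)"
Test-UpdaterSignature -Path $updater | Format-List
```

Trusted is only true when the Authenticode status is Valid and the signer is on the allow list, which is the same two-step check the captured upgrade script performs before launching the updater. A SHA1 match confirms the binary on disk is the one the sensor saw; a mismatch means the file has changed since the alert and deserves a closer look before closing the ticket.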
Thu 2/26/2026/1:52 PM UTC-05/ Dan Sablosky (POC)
Dear IH-Atlantic_Stonehenge Advisors,
A ticket has been created with the following details:
Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 309861
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - powershell.exe (CLI 29c4) - 02/26/26
Description: Alert: SentinelOne detected a ransomware-class behavior where powershell.exe executed a lengthy Carbonite upgrade script. Threat indicators: PowerShell encoded/obfuscated command, registry autorun/COM persistence techniques, ETW modification, vectored exception handler registration, and mitigation actions (kill, quarantine) reported successful. File path matches a standard Windows PowerShell binary (\Device\HarddiskVolume4\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe). Script references CarboniteUpgrade.exe and shows signature checks; presence of signature validation suggests a legitimate updater flow despite malicious-class detections.
Threat Status: Mitigated - Contained
Priority: High
Time Of Detection: 2026-02-05 02:43:54 UTC-05
Alert Link: https://usea1-008.sentinelone.net/incidents/threats/2423488868721974890/overview
Threat Details:
Threat Name: powershell.exe (CLI 29c4)
Threat Classification: Ransomware
Detection Engine: Anti Exploitation / Fileless
File Path: \Device\HarddiskVolume4\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe (CLI 29c4)
File SHA1 Hash: 29c47caaf3ae73889899251485ec9a9e85cb1faf
File Publisher Name:
File Publisher Signed & Verified: NotSigned
Command Line: -noexit -command "&{$carbProgramDataPath = $env:ProgramData + '\Carbonite\Carbonite Backup';$upgradeExe = 'CarboniteUpgrade.exe';$upgradeFullPath = $carbProgramDataPath + $upgradeExe;$logFile = 'CarboniteUpgrade.log';$logFileFullPath = $carbProgramDataPath + $logFile;$psversion = [string]$psversiontable.PSVersion.major + '.' + [string]$psversiontable.PSVersion.minor + '.' + [string]$psversiontable.PSVersion.build + '.' + [string]$psversiontable.PSVersion.revision;function LogMsg($level = ' ', $message){$tab = [char]9;$date = Get-Date -format yyyy'-'MM'-'dd'T'HH':'mm':'ss':'ffzzz;$fullMessage = $date + $tab + $level + ' ' + $message;Add-Content $logFileFullPath $fullMessage;};function LogError($message) {write-error $message; LogMsg('E', $message);};function LogWarning($message) {write-warning $message; LogMsg('W', $message);};function LogInfo($message) {write-host $message; LogMsg('#', $message);};LogInfo('CarboniteUpgrade.ps1 PS version: ' + $psversion + ' started at ' + (Get-Date -format g) + '.');LogInfo('Input args: '+ $args);if (!(test-path -path $upgradeFullPath)){$logStr = 'No upgrade necessary: ' + $upgradeFullPath + ' not found.';LogInfo($logStr);exit(0);};$expectedSubjectName = 'Carbonite';$expectedSubjectName2018 = 'Carbonite, Inc.';$expectedSubjectName2022 = 'Open Text Corporation';$codeSignStatus = $(get-authenticodesignature $upgradeFullPath).status;if ($codeSignStatus -ne 'Valid'){$errorStr = 'Invalid code signature status: ' + $codeSignStatus;LogError($errorStr);exit(1);};$actualSubjectName = $(get-authenticodesignature $upgradeFullPath).signercertificate.GetNameInfo('SimpleName', $false);if ($actualSubjectName -ne $expectedSubjectName -and $actualSubjectName -ne $expectedSubjectName2018 -and $actualSubjectName -ne $expectedSubjectName2022){$errorStr = 'Unexpected certificate subject name: ' + $actualSubjectName;LogError($errorStr);exit(1);};LogInfo('Starting ' + $upgradeFullPath + ' ' + $args + '...');$p = (start-process $upgradeFullPath -argumentlist $args -passthru -wait -verb runas);if ($p.ExitCode -ne 0){$errorStr = 'Upgrade exited with error code: ' + $p.ExitCode;LogError($errorStr);exit($p.ExitCode);};LogInfo('Upgrade completed.');exit(0);}" /silent '$(Arg0)'
Threat Status:
Threat quarantine status: success
Threat kill status: success
Endpoint Details:
Endpoint Name: DESKTOP-494JT93
Endpoint IP Address: 10.1.10.251
Site Name: Atlantic_Stonehenge Advisors
Group Name: Stonehenge Advisors Inc - HQ
SentinelOne Mitigation Policy: protect
SentinelOne Mitigation Status: mitigated
SOC Response Actions:
- Isolate Endpoint: N/A
- Initiate Full Disk Scan: N/A
Timeline for additional findings:
Alfie AI Summarization (Beta)
The threat indicators reveal a range of suspicious activities suggesting a potential security breach. Various applications are attempting to establish persistence on the system by modifying registry settings and creating unknown COM objects. Evasion techniques are evident, such as executing PowerShell commands in encoded or obfuscated forms and manipulating system tracing to avoid detection. Additionally, processes are being registered to run automatically, and there are indications of suspicious resource types being executed. These actions highlight significant risks, suggesting that the system may be compromised and requires immediate security attention.
Network Connections:
- Src: 10.1.10.251 → Dst: 204.79.197.203, SrcPort: 50837 — TCP connect to port 80 from powershell.exe (CLI); likely HTTP retrieval or callback, can exfiltrate data or fetch payloads.
- Src: 10.1.10.251 → Dst: 13.33.82.18, SrcPort: 50837 — TCP connect to port 443 from powershell.exe (CLI); encrypted outbound connection, may fetch updates or staged content.
- Src: 10.1.10.251 → Dst: 13.33.82.18, SrcPort: 50838 — TCP connect to port 443 from CarboniteUpgrade.exe; legitimate-looking update check or installer download.
- Src: 10.1.10.251 → Dst: 13.33.82.18, SrcPort: 50838 — TCP connect to port 443 from CarboniteSetup64.exe; installer network activity for setup or telemetry.
- Src: 10.1.10.251 → Dst: 13.33.82.18, SrcPort: — Additional TCP connects to 13.33.82.18 by setup/installer processes; repeated encrypted connections may indicate update/installation traffic.
Processes Involved:
Unique processes observed: powershell.exe — executed CarboniteUpgrade.ps1 command for Carbonite upgrade steps (logging, path variables); CarboniteUpgrade.exe — referenced upgrade binary run by PowerShell; multiple PowerShell PIDs executing identical upgrade command.
Potential impacts: unauthorized persistence via startup/registry or scheduled tasks; defense-evasion via encoded/obfuscated PowerShell commands; service execution for persistence.
Top 5 processes: powershell.exe; CarboniteUpgrade.exe; (other PowerShell instances listed by PID).
SOC Recommended Actions:
- Isolate the affected endpoint(s) from the network to prevent further propagation.
- Remove the persistent autorun entries identified (registry Run keys, startup folder, scheduled tasks, services, COM hijacks, or shims) that were used to maintain persistence.
- Quarantine or delete the identified malicious file located at \Device\HarddiskVolume4\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe (CLI 29c4) and any copies identified on endpoints.
- Change credentials for any accounts that may have been leveraged; treat Domain accounts and other Valid Accounts as potentially compromised and enforce password resets and multifactor authentication.
- Apply available security updates and harden PowerShell usage by enforcing script signing, disabling unrestricted PowerShell execution policies where feasible, and enabling AMSI/PowerShell logging protections.
Alfie Insights (Beta)
Case Details:
Case Created Time: 02/26/2026 13:43:52 EST
Case Assigned Time: None
Ticket Creation Time: None
Ticket Number: None
Case Closed Time: None
Case Name: POWERSHELL.EXE (CLI 29C4)
Case Source: SentinelOneV2
Org Name: Atlantic_Stonehenge Advisors
Msp Name: Atlantic
Entity Enrichment (Sentinelonev2): Client Knowledge Base Lookup:
Threat Hunting (Stellar Searches):
Ticket Correlation (Ticket Searches):
- Query: Tickets related to the same Alert Type with the same Hash
  Result: 1 matching tickets
Threshold Checks:
- Verified if it is Critical or not
- Verified if the threat name contains Ransomware or Interactive Session OR Isolation
- Validated the activity was on the blocklist
- Validated the activity was mitigated
Response Actions: None
You can view all details here: 309861
Thank you,