From: "Atlantic Security Alert" <Security@tomorrowsoffice.com>
To: user@withoutemail.com
Date: 2026-02-26T21:47:15.000Z
--REPLY above this line to respond--
This ticket has been updated by Jeff Surofsky

Jeff Surofsky, 2/26/2026 4:42 PM:
SentinelOne generated a high-severity ransomware alert on a workstation at Atlantic Stonehenge Advisors. Immediate investigation determined the activity was tied to a legitimate Carbonite backup software upgrade. The detection was triggered by behavioral patterns that resemble modern attack techniques but were verified as part of normal vendor-signed update activity. No evidence of malware execution, data compromise, lateral movement, or unauthorized access was found. The endpoint remains secure, and no further action is required beyond continued standard monitoring.
Summary: [##309861##] High - SentinelOne Threat - Stonehenge Advisors, Inc - powershell.exe (CLI 29c4) - 02/2
Status: Technician Acknowledged
Ticket #: 3466878
Company: Stonehenge Advisors, Inc
Contact: Dan Sablosky (POC)
Phone: (215) 320-3777
Address: 4328-42 Ridge Avenue, Suite 104, Philadelphia, PA 19129
Discussion
Jeff Surofsky, 2/26/2026 4:42 PM-4:46 PM:
SentinelOne generated a high-severity ransomware alert on a workstation at Atlantic Stonehenge Advisors. Immediate investigation determined the activity was tied to a legitimate Carbonite backup software upgrade. The detection was triggered by behavioral patterns that resemble modern attack techniques but were verified as part of normal vendor-signed update activity. No evidence of malware execution, data compromise, lateral movement, or unauthorized access was found. The endpoint remains secure, and no further action is required beyond continued standard monitoring.
Dan Sablosky (POC), 2/26/2026 1:52 PM:

Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID: 309861
Priority: High
Subject: High - SentinelOne Threat - Stonehenge Advisors, Inc - powershell.exe (CLI 29c4) - 02/26/26
Description: Alert: SentinelOne detected a ransomware-class behavior where powershell.exe executed a lengthy Carbonite upgrade script. Threat indicators: PowerShell encoded/obfuscated command, registry autorun/COM persistence techniques, ETW/ETW modification, vectored exception handler registration, and mitigation actions (kill, quarantine) reported successful. File path matches a standard Windows PowerShell binary (\Device\HarddiskVolume4\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe). Script references CarboniteUpgrade.exe and shows signature checks; presence of signature validation suggests a legitimate updater flow despite malicious-class detections.
Threat Status: Mitigated - Contained
Priority: High
Time Of Detection: 2026-02-05 02:43:54 UTC-05
Alert Link: https://usea1-008.sentinelone.net/incidents/threats/2423488868721974890/overview

Threat Details:
Threat Name: powershell.exe (CLI 29c4)
Threat Classification: Ransomware
Detection Engine: Anti Exploitation / Fileless
File Path: \Device\HarddiskVolume4\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe (CLI 29c4)
File SHA1 Hash: 29c47caaf3ae73889899251485ec9a9e85cb1faf
File Publisher Name:
File Publisher Signed & Verified: NotSigned
Command Line: -noexit -command "&{$carbProgramDataPath = $env:ProgramData + '\Carbonite\Carbonite Backup';$upgradeExe = 'CarboniteUpgrade.exe';$upgradeFullPath = $carbProgramDataPath + $upgradeExe;$logFile = 'CarboniteUpgrade.log';$logFileFullPath = $carbProgramDataPath + $logFile;$psversion = [string]$psversiontable.PSVersion.major + '.' + [string]$psversiontable.PSVersion.minor + '.' + [string]$psversiontable.PSVersion.build + '.' + [string]$psversiontable.PSVersion.revision;function LogMsg($level = ' ', $message){$tab = [char]9;$date = Get-Date -format yyyy'-'MM'-'dd'T'HH':'mm':'ss':'ffzzz;$fullMessage = $date + $tab + $level + ' ' + $message;Add-Content $logFileFullPath $fullMessage;};function LogError($message) {write-error $message; LogMsg('E', $message);};function LogWarning($message) {write-warning $message; LogMsg('W', $message);};function LogInfo($message) {write-host $message; LogMsg('#', $message);};LogInfo('CarboniteUpgrade.ps1 PS version: ' + $psversion + ' started at ' + (Get-Date -format g) + '.');LogInfo('Input args: '+ $args);if (!(test-path -path $upgradeFullPath)){$logStr = 'No upgrade necessary: ' + $upgradeFullPath + ' not found.';LogInfo($logStr);exit(0);};$expectedSubjectName = 'Carbonite';$expectedSubjectName2018 = 'Carbonite, Inc.';$expectedSubjectName2022 = 'Open Text Corporation';$codeSignStatus = $(get-authenticodesignature $upgradeFullPath).status;if ($codeSignStatus -ne 'Valid'){$errorStr = 'Invalid code signature status: ' + $codeSignStatus;LogError($errorStr);exit(1);};$actualSubjectName = $(get-authenticodesignature $upgradeFullPath).signercertificate.GetNameInfo('SimpleName', $false);if ($actualSubjectName -ne $expectedSubjectName -and $actualSubjectName -ne $expectedSubjectName2018 -and $actualSubjectName -ne $expectedSubjectName2022){$errorStr = 'Unexpected certificate subject name: ' + $actualSubjectName;LogError($errorStr);exit(1);};LogInfo('Starting ' + $upgradeFullPath + ' ' + $args + '...');$p = (start-process $upgradeFullPath -argumentlist $args -passthru -wait -verb runas);if ($p.ExitCode -ne 0){$errorStr = 'Upgrade exited with error code: ' + $p.ExitCode;LogError($errorStr);exit($p.ExitCode);};LogInfo('Upgrade completed.');exit(0);}" /silent '$(Arg0)'

Threat Status:
Threat quarantine status: success
Threat kill status: success

Endpoint Details:
Endpoint Name: DESKTOP-494JT93
Endpoint IP Address: 10.1.10.251
Site Name: Atlantic_Stonehenge Advisors
Group Name: Stonehenge Advisors Inc - HQ
SentinelOne Mitigation Policy: protect
SentinelOne Mitigation Status: mitigated

SOC Response Actions:
Isolate Endpoint: N/A
Initiate Full Disk Scan: N/A

Timeline for additional findings:

Alfie AI Summarization (Beta)
The threat indicators reveal a range of suspicious activities suggesting a potential security breach. Various applications are attempting to establish persistence on the system by modifying registry settings and creating unknown COM objects. Evasion techniques are evident, such as executing PowerShell commands in encoded or obfuscated forms and manipulating system tracing to avoid detection. Additionally, processes are being registered to run automatically, and there are indications of suspicious resource types being executed. These actions highlight significant risks, suggesting that the system may be compromised and requires immediate security attention.

Network Connections:
* Src: 10.1.10.251 → Dst: 204.79.197.203, SrcPort: 50837 — TCP connect to port 80 from powershell.exe (CLI); likely HTTP retrieval or callback, can exfiltrate data or fetch payloads.
* Src: 10.1.10.251 → Dst: 13.33.82.18, SrcPort: 50837 — TCP connect to port 443 from powershell.exe (CLI); encrypted outbound connection, may fetch updates or staged content.
* Src: 10.1.10.251 → Dst: 13.33.82.18, SrcPort: 50838 — TCP connect to port 443 from CarboniteUpgrade.exe; legitimate-looking update check or installer download.
* Src: 10.1.10.251 → Dst: 13.33.82.18, SrcPort: 50838 — TCP connect to port 443 from CarboniteSetup64.exe; installer network activity for setup or telemetry.
* Src: 10.1.10.251 → Dst: 13.33.82.18, SrcPort: — Additional TCP connects to 13.33.82.18 by setup/installer processes; repeated encrypted connections may indicate update/installation traffic.

Processes Involved:
Unique processes observed: powershell.exe — executed CarboniteUpgrade.ps1 command for Carbonite upgrade steps (logging, path variables); CarboniteUpgrade.exe — referenced upgrade binary run by PowerShell; multiple PowerShell PIDs executing identical upgrade command. Potential impacts: unauthorized persistence via startup/registry or scheduled tasks; defense-evasion via encoded/obfuscated PowerShell commands; service execution for persistence. Top 5 processes: powershell.exe; CarboniteUpgrade.exe; (other PowerShell instances listed by PID).

SOC Recommended Actions:
* Isolate the affected endpoint(s) from the network to prevent further propagation.
* Remove the persistent autorun entries identified (registry Run keys, startup folder, scheduled tasks, services, COM hijacks, or shims) that were used to maintain persistence.
* Quarantine or delete the identified malicious file located at \Device\HarddiskVolume4\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe (CLI 29c4) and any copies identified on endpoints.
* Change credentials for any accounts that may have been leveraged; treat Domain accounts and other Valid Accounts as potentially compromised and enforce password resets and multifactor authentication.
* Apply available security updates and harden PowerShell usage by enforcing script signing, disabling unrestricted PowerShell execution policies where feasible, and enabling AMSI/PowerShell logging protections.

Alfie Insights (Beta)
Case Details:
Case Created Time: 02/26/2026 13:43:52 EST
Case Assigned Time: None
Ticket Creation Time: None
Ticket Number: None
Case Closed Time: None
Case Name: POWERSHELL.EXE (CLI 29C4)
Case Source: SentinelOneV2
Org Name: Atlantic_Stonehenge Advisors
Msp Name: Atlantic

Entity Enrichment:
Sentinelonev2:
Client Knowledge Base Lookup:

Threat Hunting:
Stellar Searches:

Ticket Correlation:
Ticket Searches:
* Query: Tickets related to the same Alert Type with the same Hash
  Result: 1 matching tickets

Threshold Checks:
* Verified if it's Critical or not
* Verified if the threat name contains Ransomware or Interactive Session OR Isolation
* Validated the activity was on the blocklist
* Validated the activity was mitigated

Response Actions: None

You can view all details here: https://desk.cyflare.cloud/portal/ticket/309861 (ticket 309861)
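The following is an added example and is not code from the ticket, from the Carbonite/OpenText updater, or from CyFlare. It re-runs on the endpoint the decision the alerted command line makes (Authenticode status must be Valid and the signer's subject CN must be one of the three allowlisted names) and adds the two checks an analyst wants before closing a ticket like this one: whether the powershell.exe on disk has the SHA1 the alert reports, and whether that binary carries a valid signature. Catalog-signed OS binaries have no embedded Authenticode signature, which is one common reason an EDR's "Signed & Verified" field shows NotSigned for them, so the example records the signature type as well as the status. Assumptions: it runs in an elevated PowerShell 5.1 or later session on a Windows host; the updater location is rebuilt from the script's own path variables; and the Microsoft subject name 'Microsoft Windows' used for powershell.exe is an assumption, not a value from the alert.

```powershell
# Added example: re-checks on the endpoint what the alerted command line
# decided, plus the hash/signature verification an analyst wants before
# closing the ticket. Not the Carbonite updater or CyFlare code.
# Assumes an elevated PowerShell 5.1+ session on a Windows host.

$alertSha1        = '29c47caaf3ae73889899251485ec9a9e85cb1faf'   # File SHA1 Hash from the alert
$psExe            = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
# Assumed location, built from the script's own path variables.
$updaterPath      = Join-Path $env:ProgramData 'Carbonite\Carbonite Backup\CarboniteUpgrade.exe'
# The three subject names the upgrade script accepts.
$carboniteSigners = @('Carbonite', 'Carbonite, Inc.', 'Open Text Corporation')
# Assumed subject CN of the Windows catalog-signing certificate.
$windowsSigners   = @('Microsoft Windows')

function Test-ExpectedHash {
    # Compares the SHA1 reported in the alert with the file actually on disk.
    param([string]$Path, [string]$ExpectedSha1)
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash
    [pscustomobject]@{
        Path     = $Path
        Expected = $ExpectedSha1.ToLowerInvariant()
        Actual   = $actual.ToLowerInvariant()
        Match    = [bool]($actual -ieq $ExpectedSha1)
    }
}

function Get-SignerVerdict {
    # Same decision the upgrade script makes (Status -eq 'Valid' and the
    # subject CN on the allowlist), but also records the signature type,
    # issuer and thumbprint, which the script never looks at.
    param([string]$Path, [string[]]$AllowedSubjects)
    if (-not (Test-Path -LiteralPath $Path)) {
        # Mirrors the script's own "not found" branch: nothing to run, nothing accepted.
        return [pscustomobject]@{ Path = $Path; Present = $false; Accepted = $false }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = $null; $issuer = $null; $thumb = $null
    if ($null -ne $sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)   # subject CN, as the script reads it
        $issuer  = $sig.SignerCertificate.GetNameInfo('SimpleName', $true)    # issuer CN
        $thumb   = $sig.SignerCertificate.Thumbprint
    }
    [pscustomobject]@{
        Path          = $Path
        Present       = $true
        Status        = $sig.Status.ToString()
        SignatureType = $sig.SignatureType.ToString()   # Authenticode (embedded) or Catalog
        Subject       = $subject
        Issuer        = $issuer
        Thumbprint    = $thumb
        Accepted      = [bool](($sig.Status -eq 'Valid') -and ($AllowedSubjects -contains $subject))
    }
}

# 1. Is the binary SentinelOne hashed the one on disk?
Test-ExpectedHash -Path $psExe -ExpectedSha1 $alertSha1 | Format-List
# 2. Is powershell.exe validly (catalog-)signed despite the NotSigned field?
Get-SignerVerdict -Path $psExe -AllowedSubjects $windowsSigners | Format-List
# 3. Would the updater's allowlist have accepted CarboniteUpgrade.exe?
Get-SignerVerdict -Path $updaterPath -AllowedSubjects $carboniteSigners | Format-List
```

Read the output in that order: a false Match means the alert hashed a different powershell.exe than the one now on disk; a Valid status with SignatureType Catalog on powershell.exe accounts for the NotSigned field without any finding; and Accepted on the updater reproduces the gate the script applied. Two caveats worth noting when reading the captured script itself: it allowlists by subject CN only, so pinning the Thumbprint values observed on a known-good install is the stronger check, and it validates the file and then launches the same path as two separate steps, so write access to that directory between the two is the window a reviewer should think about.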