EDR: Fileless Scriptload Cmdline Does Not Return Results

Article ID: 285266


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

A Process Search built with Add search terms > Choose criteria > Fileless > Command line contents > [Insert text] does not return results.

Environment

  • EDR Server: 7.6.0

Cause

In EDR 7.6.0 the console does not add double quotes around the entered text when it builds the fileless_scriptload_cmdline search term. The double quotes are required internally for the query to be processed correctly, so the unquoted term matches nothing.

Resolution

Place double quotes around the text in the search query to obtain the expected results.
For example, modify the search query:
      fileless_scriptload_cmdline:myscript
To:
      fileless_scriptload_cmdline:"myscript"
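The helper below is an added example for this article, not Carbon Black code, for anyone building process-search queries in a script rather than in the console. It produces the quoted form shown above and also rewrites an already assembled query that contains a bare fileless_scriptload_cmdline value. It assumes the EDR process search follows Solr/Lucene phrase syntax, where embedded backslashes and double quotes inside a quoted phrase are escaped with a backslash; that escaping rule is an assumption, not something this article states.

```python
"""Quote fileless_scriptload_cmdline search terms for an EDR process search.

Added example for Article 285266; not Carbon Black code.  Assumes
Solr/Lucene-style phrase syntax: the value is wrapped in double quotes and any
embedded backslash or double quote is escaped with a backslash.
"""
import re

FIELD = "fileless_scriptload_cmdline"


def quote_phrase(text: str) -> str:
    """Wrap text in double quotes, escaping embedded backslashes and quotes.

    Script command lines routinely contain both (e.g. quoted paths under
    C:\\Program Files), so the raw text cannot simply be wrapped in quotes.
    """
    escaped = text.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def cmdline_term(text: str) -> str:
    """Return the search term the 7.6.0 console should have produced."""
    if not text:
        raise ValueError("search text must not be empty")
    return f"{FIELD}:{quote_phrase(text)}"


# A fileless_scriptload_cmdline value that is not immediately followed by a
# double quote is the broken, unquoted form described in the article.
_UNQUOTED = re.compile(rf'{FIELD}:(?!")(\S+)')


def fix_unquoted_terms(query: str) -> str:
    """Quote any bare fileless_scriptload_cmdline value in a full query.

    'fileless_scriptload_cmdline:myscript' becomes
    'fileless_scriptload_cmdline:"myscript"'; values that are already quoted
    and all other fields are left untouched.
    """
    return _UNQUOTED.sub(lambda m: f"{FIELD}:{quote_phrase(m.group(1))}", query)


if __name__ == "__main__":
    # Constructed sample queries, not captured from a live server.
    print(cmdline_term("myscript"))
    print(cmdline_term('Invoke-Expression "IEX"'))
    print(fix_unquoted_terms(
        "fileless_scriptload_cmdline:myscript AND process_name:powershell.exe"))
```

The quoting applies only to the value; the field name and any other terms joined with AND/OR are passed through unchanged, so the helper can be run over a query string before it is sent to the server.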
 
 

Additional Information

  • This is a temporary workaround until the next release.
  • AMSI event capture is disabled by default.
  • A fileless_scriptload event is generated each time the sensor detects AMSI-decoded script content being executed by any process.
  • Only fileless_scriptload content that was not stored in a file on the file system at the time the script was executed is sent to the EDR server.