Carbon Black Cloud: Command line - CLI text following redirects ">>" or ">" or pipes "|" are not being captured
Article ID: 285910
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
EEDR events show text fields after redirect or pipe symbols in a command line are not being parsed or processed.
Environment
- Carbon Black Cloud sensor: All versions
- Carbon Black Cloud Enterprise EDR: All versions
- Carbon Black Cloud Server: All versions
Cause
This is functioning as designed.
Resolution
What one calls the "command line" of a process is "the list of all arguments that are passed to it when it starts". It is not "anything that is typed at a command prompt".
What's seen is readily explained by how "cmd.exe" (the DOS prompt) parses what is typed at its prompt, how it treats piping and redirection as it parses user input, and which sub-processes get launched as a result. EEDR uses a callback in the kernel drivers to capture information about all processes that are started. Each process's command line is usually available from within that callback, either directly, or by looking for it via ZwQueryProcessInformation. What Windows gives the EEDR driver is what is seen.
What's seen is readily explained by how "cmd.exe" (the DOS prompt) parses what is typed at its prompt, how it treats piping and redirection as it parses user input, and which sub-processes get launched as a result. EEDR uses a callback in the kernel drivers to capture information about all processes that are started. Each process's command line is usually available from within that callback, either directly, or by looking for it via ZwQueryProcessInformation. What Windows gives the EEDR driver is what is seen.
Feedback
Yes
No
Powered by
