Carbon Black Cloud: Command line - CLI text following redirects ">>" or ">" or pipes "|" are not being captured

Article ID: 285910

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Enterprise EDR (EEDR) events show that text following a redirect (">" or ">>") or pipe ("|") symbol in a command line is not captured in the process's command line field.

Environment

  • Carbon Black Cloud sensor: All versions
  • Carbon Black Cloud Enterprise EDR: All versions
  • Carbon Black Cloud Server: All versions

Cause

This is functioning as designed.

Resolution

The "command line" of a process is the list of all arguments passed to it when it starts. It is not everything that was typed at a command prompt.

What is seen is readily explained by how cmd.exe (the Windows command prompt) parses the typed line, how it handles piping and redirection itself while parsing that input, and which child processes it launches as a result. Text after a ">", ">>" or "|" is consumed by cmd.exe rather than passed on: a redirection target becomes a file handle that cmd.exe opens and hands to the child as its standard input or output, and a pipe splits the line into separate child processes, each with its own command line.

EEDR uses a process-creation callback in its kernel driver to capture information about every process that starts. Each process's command line is usually available from within that callback, either directly or by querying it with ZwQueryInformationProcess. What Windows gives the EEDR driver is what is shown in the event.
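The following is an added illustration, not part of this article or of any Carbon Black code: a simplified Python model of how cmd.exe splits a typed line into the command lines its child processes actually receive. It assumes a reduced cmd.exe grammar (double quotes, the `^` escape, `|`, `<`, `>` and `>>`; handle prefixes such as `2>` and the `&` operators are not modelled), and the sample lines are constructed.

```python
"""Simplified model of how cmd.exe turns one typed line into child command lines."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Stage:
    """One child process cmd.exe launches, plus the redirections cmd.exe
    performed on its behalf. The redirections never reach the child's argv."""
    command_line: str
    redirections: List[str] = field(default_factory=list)


def split_cmd_line(line: str) -> List[Stage]:
    """Split at unquoted '|' and strip unquoted '<', '>' and '>>' redirections,
    mirroring what cmd.exe does before it creates each child process.
    Assumption: reduced grammar (quotes, '^' escape, '|', '<', '>', '>>' only)."""
    stages: List[Stage] = []
    cmd: List[str] = []      # characters that will form the child's command line
    redirs: List[str] = []   # redirections cmd.exe itself handles for this child
    in_quote = False
    i, n = 0, len(line)
    while i < n:
        c = line[i]
        if c == "^" and not in_quote and i + 1 < n:   # '^' makes the next char literal
            cmd.append(line[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote                    # operators inside quotes are literal
        if in_quote or c not in "|<>":
            cmd.append(c)
            i += 1
            continue
        if c == "|":                                   # pipe: this child's argv ends here
            stages.append(Stage("".join(cmd).strip(), redirs))
            cmd, redirs = [], []
            i += 1
            continue
        op = ">>" if line.startswith(">>", i) else c     # redirection operator
        j = i + len(op)
        while j < n and line[j] == " ":                # optional spaces before the target
            j += 1
        k = j                                          # target is a quoted or bare word
        if k < n and line[k] == '"':
            end = line.find('"', k + 1)
            k = n if end == -1 else end + 1
        else:
            while k < n and line[k] not in ' |<>':
                k += 1
        redirs.append(op + line[j:k])                  # consumed by cmd.exe, not the child
        i = k
    stages.append(Stage("".join(cmd).strip(), redirs))
    return stages
```

Running `split_cmd_line('tasklist | findstr /i svchost > procs.txt')` yields two stages whose command lines are `tasklist` and `findstr /i svchost`, with `>procs.txt` recorded only as a redirection cmd.exe performed; those two strings are all a process-creation callback can see. Internal commands such as `dir`, `echo` and `type` run inside cmd.exe and create no child process at all.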