Endpoint Standard: What rule is causing policy action blocks with the TTP: HAS_SCRIPT_DLL?

Article ID: 287524

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

What rule is causing blocks due to a Deny operation or Terminate process policy action, with the TTP 'HAS_SCRIPT_DLL'?

Environment

  • Endpoint Standard (formerly CB Defense) Web Console: All Versions
  • Endpoint Standard Sensor: All Versions
  • Policy Action blocks with TTP: HAS_SCRIPT_DLL

Resolution

The TTP 'HAS_SCRIPT_DLL' can be linked to the 'Invokes a command interpreter', 'Scrapes memory of another process' or 'Injects code or modifies memory of another process' Operation Attempt of a policy rule. To find the rule responsible for a block, check the policy applied to the device for rules with one of those three Operation Attempts whose Action is Deny operation or Terminate process and whose Application selector covers the blocked process.
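The following is an added triage example, not code from the article or from Carbon Black. It applies the mapping above to a set of blocked events: for each event tagged HAS_SCRIPT_DLL with a Deny or Terminate policy action, it lists the policy rules that could have produced the block (one of the three linked Operation Attempts, the same action, and an Application selector matching the process). The event and rule dictionaries, their field names, and the sample values are constructed for this example and are not the Carbon Black Cloud export or API schema.

```python
"""Narrow down which policy rule produced a HAS_SCRIPT_DLL block.

All record layouts below are assumptions made for this example; adapt the
field names to whatever export or API response you actually work from.
"""
from fnmatch import fnmatchcase

# Operation Attempts that Endpoint Standard links to the TTP HAS_SCRIPT_DLL
HAS_SCRIPT_DLL_OPERATIONS = {
    "Invokes a command interpreter",
    "Scrapes memory of another process",
    "Injects code or modifies memory of another process",
}

# Policy actions that produce a block on the endpoint
BLOCKING_ACTIONS = {"DENY", "TERMINATE"}


def rule_matches_process(rule: dict, process_path: str, reputation: str) -> bool:
    """Does the rule's Application selector cover this process?

    Assumed selector layout: {"type": "NAME_PATH" | "REPUTATION", "value": ...}.
    Path selectors use ** for any directory depth; fnmatch's * already spans
    path separators, so ** collapses to *. Comparison is case-insensitive.
    """
    selector = rule["application"]
    if selector["type"] == "NAME_PATH":
        pattern = selector["value"].lower().replace("**", "*")
        return fnmatchcase(process_path.lower(), pattern)
    if selector["type"] == "REPUTATION":
        return reputation == selector["value"]
    return False


def candidate_rules(policy_rules: list, event: dict) -> list:
    """Return ids of rules that could have caused this event's block.

    Assumed event layout: ttps (list), policy_action (str), process_path (str),
    reputation (str). The rule's action is assumed to equal the policy action
    recorded on the event, since that action is what the sensor enforced.
    """
    if "HAS_SCRIPT_DLL" not in event["ttps"]:
        return []
    if event["policy_action"] not in BLOCKING_ACTIONS:
        return []
    return [
        rule["id"]
        for rule in policy_rules
        if rule["operation"] in HAS_SCRIPT_DLL_OPERATIONS
        and rule["action"] == event["policy_action"]
        and rule_matches_process(rule, event["process_path"], event["reputation"])
    ]


def triage(policy_rules: list, events: list) -> dict:
    """Map each event id to the list of candidate rule ids."""
    return {e["event_id"]: candidate_rules(policy_rules, e) for e in events}


# Constructed sample policy: rule 3 is a distractor (not a HAS_SCRIPT_DLL operation)
POLICY_RULES = [
    {"id": 1, "application": {"type": "NAME_PATH", "value": "**\\powershell.exe"},
     "operation": "Invokes a command interpreter", "action": "DENY"},
    {"id": 2, "application": {"type": "REPUTATION", "value": "NOT_LISTED"},
     "operation": "Scrapes memory of another process", "action": "TERMINATE"},
    {"id": 3, "application": {"type": "NAME_PATH", "value": "**\\powershell.exe"},
     "operation": "Runs or is running", "action": "DENY"},
    {"id": 4, "application": {"type": "REPUTATION", "value": "NOT_LISTED"},
     "operation": "Injects code or modifies memory of another process", "action": "DENY"},
]

# Constructed sample events
SAMPLE_EVENTS = [
    {"event_id": "evt-1",
     "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "reputation": "TRUSTED_WHITE_LIST",
     "ttps": ["HAS_SCRIPT_DLL", "RUN_ANOTHER_APP"], "policy_action": "DENY"},
    {"event_id": "evt-2",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "reputation": "NOT_LISTED",
     "ttps": ["HAS_SCRIPT_DLL"], "policy_action": "TERMINATE"},
    {"event_id": "evt-3",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "reputation": "NOT_LISTED",
     "ttps": ["RUN_ANOTHER_APP"], "policy_action": "DENY"},
]

if __name__ == "__main__":
    for event_id, rule_ids in triage(POLICY_RULES, SAMPLE_EVENTS).items():
        print(f"{event_id}: candidate rules {rule_ids or 'none (not a HAS_SCRIPT_DLL block)'}")
```

Only rules whose Application selector actually covers the blocked process are reported, so a block on powershell.exe with a trusted reputation is attributed to the path-based rule, while the same TTP on an unlisted binary is attributed to the reputation-based rule. Events without the TTP, or with a non-blocking action, yield no candidates.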

Additional Information

  • The TTP 'HAS_SCRIPT_DLL' is defined as when a process loads an in-memory script interpreter.
  • Feature Request to rename this TTP to better match the Operation Attempt: https://community.carbonblack.com/t5/Idea-Central/Cb-Defense-Rename-TTP-HAS-SCRIPT-DLL-to-better-match-Operation/idi-p/30500
  • Feature Request to show which rule caused the block right on the event/alert: https://community.carbonblack.com/t5/Knowledge-Base/CB-Defense-What-rule-is-causing-policy-action-blocks-with-the/ta-p/68687