EDR: Fileless Scriptload Events Displays <Corrupt command line data found>
Article ID: 287621
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
On the Process Analysis page, a fileless_scriptload event displays “<Corrupt command line data found>” rather than the expected script.
Environment
EDR Server: 7.6.0
Cause
The sensor may incorrectly truncate large scripts (> 64KB) within the fileless_scriptload (AMSI) event data.
Resolution
The error is fixed in the win-7.3.0 sensor release. With this fix, the 64KB truncated portion of the script can be viewed along with the SHA256 hash and character length of the entire command.
Additional Information
Other metadata captured by fileless script events includes the script length and the unique SHA256 hash of the fileless_scriptload event data.
File-based scripts are logged locally.
The fileless_scriptload event represents each occasion when the sensor detected AMSI-decoded script content that was executed by any process.
Only fileless script content, that is, content that was not stored in a file on the file system when it was executed, is sent to the EDR server.
The fileless_scriptload data is a new event type stored and indexed in Solr.
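The hash and length metadata described above can be used to tell a complete fileless_scriptload event apart from one whose script body was truncated or replaced by the corrupt marker. The following Python is an added example, not code from this article or from Carbon Black: it recomputes the SHA256 of the displayed script and compares it with the recorded values. The field names script, script_sha256 and script_length are assumptions, and the sample events are constructed.

```python
import hashlib

CORRUPT_MARKER = "<Corrupt command line data found>"
TRUNCATION_LIMIT = 64 * 1024  # sensor limit described in this article (64KB)

def check_scriptload_event(event: dict) -> dict:
    """Classify one fileless_scriptload event as complete, truncated, or corrupt.
    Assumed (hypothetical) field names: 'script' is the displayed script body,
    'script_sha256'/'script_length' are the sensor-recorded hash and length."""
    script = event.get("script", "")
    reported_len = event.get("script_length")
    reported_hash = (event.get("script_sha256") or "").lower()
    if script.strip() == CORRUPT_MARKER:
        # The symptom this article describes: no script body survived at all.
        return {"status": "corrupt", "reported_length": reported_len}
    actual_hash = hashlib.sha256(script.encode("utf-8")).hexdigest()
    if reported_hash and actual_hash == reported_hash:
        return {"status": "complete", "length": len(script)}
    if reported_len is not None and len(script) < reported_len:
        # Hash mismatch plus a shorter body: only a prefix of the script is shown.
        return {"status": "truncated", "shown": len(script),
                "reported_length": reported_len,
                "over_limit": reported_len > TRUNCATION_LIMIT}
    return {"status": "hash_mismatch", "length": len(script)}

def summarize(events) -> dict:
    """Count events by status so truncated/corrupt ones can be triaged."""
    counts = {}
    for ev in events:
        status = check_scriptload_event(ev)["status"]
        counts[status] = counts.get(status, 0) + 1
    return counts

def _sample_event(full_script, shown=None) -> dict:
    """Build a constructed sample event; 'shown' overrides the displayed body."""
    return {"event_type": "fileless_scriptload",
            "script": full_script if shown is None else shown,
            "script_sha256": hashlib.sha256(full_script.encode("utf-8")).hexdigest(),
            "script_length": len(full_script)}

SMALL = "Write-Host 'hello'"  # constructed, well under the limit
LARGE = "$x = 1\n" * 12000    # constructed, ~84KB, above the 64KB limit
SAMPLE_EVENTS = [_sample_event(SMALL),
                 _sample_event(LARGE, shown=LARGE[:TRUNCATION_LIMIT]),
                 _sample_event(LARGE, shown=CORRUPT_MARKER)]
print(summarize(SAMPLE_EVENTS))
```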