EDR: Fileless Scriptload Events Displays <Corrupt command line data found>

Article ID: 287621

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

On the Process Analysis page, a fileless_scriptload event displays “<Corrupt command line data found>” rather than the expected script.

Environment

  • EDR Server: 7.6.0

Cause

The sensor may incorrectly truncate large scripts (> 64KB) within the fileless_scriptload (AMSI) event data, leaving the stored script content unreadable on the Process Analysis page.

Resolution

The error is fixed in the upcoming win-7.3.0 sensor release, which adds the ability to view the script truncated at 64KB along with the hash and character length of the entire command.

Additional Information

  • Other metadata that the fileless script events capture includes the script length and the unique SHA256 hash of the fileless_script event data.
  • File-based scripts are logged locally.
  • The fileless_scriptload event represents each occasion when the sensor detected AMSI-decoded script content that was executed by any process.
  • Only fileless script content that was not stored in a file on the file system at the time it was executed is sent to the EDR server.
  • The fileless_scriptload data is a new event type stored and indexed in Solr.
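The following is an added illustration, not Carbon Black code or the documented event schema, of how the metadata described under Resolution and Additional Information (a 64KB-truncated script plus the SHA256 hash and character length of the entire command) lets an analyst tell a legitimately truncated script from a corrupt one. The field names, the 64 * 1024 cap and the sample scripts are assumptions constructed for the example.

```python
import hashlib

# Assumed cap: the article states scripts above 64KB are truncated.
TRUNCATION_LIMIT = 64 * 1024


def build_event(script: str) -> dict:
    """Model a post-fix fileless_scriptload event: the hash and character
    length cover the whole command even when only 64KB of script is kept.
    Field names are assumptions, not the EDR server's schema."""
    data = script.encode("utf-8")
    return {
        "event_type": "fileless_scriptload",
        "script_sha256": hashlib.sha256(data).hexdigest(),
        "script_length": len(script),
        "script": script[:TRUNCATION_LIMIT],
        "script_truncated": len(script) > TRUNCATION_LIMIT,
    }


def classify_event(event: dict) -> str:
    """Return 'complete' when the visible script matches its SHA256,
    'truncated' when the command exceeded the cap and the visible part is
    exactly the first 64KB, and 'corrupt' when the visible text is neither
    (the pre-fix symptom shown as <Corrupt command line data found>)."""
    shown = event.get("script") or ""
    length = event.get("script_length", 0)
    if length <= TRUNCATION_LIMIT:
        digest = hashlib.sha256(shown.encode("utf-8")).hexdigest()
        if len(shown) == length and digest == event.get("script_sha256"):
            return "complete"
        return "corrupt"
    # Above the cap the full hash cannot be recomputed from the visible
    # prefix; only the prefix length and the truncation flag can be checked.
    if len(shown) == TRUNCATION_LIMIT and event.get("script_truncated"):
        return "truncated"
    return "corrupt"


# Constructed sample scripts, not real captured content.
SMALL = "Write-Host 'hello'\n"
LARGE = "$x = 1\n" * 12000  # 84000 characters, above the 64KB cap

if __name__ == "__main__":
    for name, body in (("small", SMALL), ("large", LARGE)):
        ev = build_event(body)
        print(name, ev["script_length"], ev["script_sha256"][:12],
              classify_event(ev))
```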