EDR: Powershell Commands are not Shown in Command Line
Article ID: 287968
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
When running a command in powershell the commands do not show up in the command ine.
Environment
- EDR Console: All Versions
- Microsoft Windows: 10 RS2+ and Windows 2016+
Cause
Commands run within a powershell description are not seen without fileless scriptload enabled and searching fileless_scriptload_cmdline.
Resolution
- Open the console
- Go to the sensors page and edit a sensor group
- Find the Event Collections tab and enable fileless script load.
- When searching use fileless_scriptload_cmdline:
Additional Information
- The fileless_scriptload event leverages the Anti-Malware Scanning Interface (AMSI)support that is available in Windows 10 RS2+ and Windows 2016
- Examples of powershell situations:
Here are some examples using Write-Output to display "hello world".
---------------
Example 1, we run the full command in command prompt
C:\Users\Administrator>powershell.exe Write-Output "Hello World!"
Hello
World!
Expectations, command line will be: powershell.exe Write-Output "Hello World!"
There would be no fileless scriptload here.
----------------
Example 2, we run the same thing but within a ps1 script
C:\Users\Administrator>powershell.exe C:\Users\Administrator\Documents\helloworld.ps1
Hello World!
The expectation here would be the command line is going to be: powershell.exe C:\Users\Administrator\Documents\helloworld.ps1
We would not see "Write-Output" as part of the regular command line
----------------
Example 3 We run powershell.exe, then run commands within the terminal session
C:\Users\Administrator>powershell.exe
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> Write-Output "Hello World!"
Hello World!
Expectations are similar to the ps1 script in example 2 except command line will be just powershell.exe.
---------------
Example 1, we run the full command in command prompt
C:\Users\Administrator>powershell.exe Write-Output "Hello World!"
Hello
World!
Expectations, command line will be: powershell.exe Write-Output "Hello World!"
There would be no fileless scriptload here.
----------------
Example 2, we run the same thing but within a ps1 script
C:\Users\Administrator>powershell.exe C:\Users\Administrator\Documents\helloworld.ps1
Hello World!
The expectation here would be the command line is going to be: powershell.exe C:\Users\Administrator\Documents\helloworld.ps1
We would not see "Write-Output" as part of the regular command line
----------------
Example 3 We run powershell.exe, then run commands within the terminal session
C:\Users\Administrator>powershell.exe
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> Write-Output "Hello World!"
Hello World!
Expectations are similar to the ps1 script in example 2 except command line will be just powershell.exe.
Feedback
Yes
No
Powered by
