Enterprise EDR: Wildcards are not working in the process_cmdline field

Article ID: 288243

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

On the Investigate page, Processes tab, these queries return the expected results:

process_cmdline:c\:\\windows\\system32\\msiexec.exe
process_cmdline:c\:\\windows\\system32\\.exe        (finds all *.exe processes, as it should)

But any wildcard in the process_cmdline field returns NO hits (no syntax error, just no results), for example:

process_cmdline:c\:\\windows\\system32\\*.exe
process_cmdline:c\:\\windows\\system32\\\*.exe
process_cmdline:c\:\\windows\\system32\\msi*.exe
process_cmdline:c\:\\windows\\system32\\msi\*.exe
process_cmdline:c\:/\windows/\system32/\msi*.exe

Environment

  • Enterprise EDR Console: All versions
  • Enterprise EDR Sensor: All versions

Cause

This is issue LC-1075: "Due to specifics in parsing paths of "cmdline" queries, wildcards are not always handled correctly."

Resolution

LC-1075 will be fixed in a future server-side version.
As a workaround until then, replace each path separator with an escaped space (a backslash followed by a space) and use a trailing wildcard only; wildcards in the middle of the value are not supported by this workaround.
For example, to match command lines beginning with c:\windows\system32\msiex:
process_cmdline:c\:\ windows\ system32\ msiex*
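As an added illustration (not part of this article or of the product), the Python helpers below build a process_cmdline query in the workaround form from a plain Windows path prefix, and lint an existing query for the shapes shown above that hit LC-1075. They assume the console follows standard Lucene-style backslash escaping, which is what the article's own queries use for ':' and '\'.

```python
import re

# Query operator characters that must be backslash-escaped when used literally
# (assumption: the console's parser follows Solr/Lucene escaping rules).
SPECIAL = set('+-&|!(){}[]^"~*?:\\/ ')

def escape_term(fragment: str) -> str:
    """Backslash-escape every operator character in a literal fragment."""
    return ''.join('\\' + c if c in SPECIAL else c for c in fragment)

def cmdline_prefix_query(path_prefix: str) -> str:
    """Return a process_cmdline query for command lines starting with path_prefix,
    e.g. c:/windows/system32/msiex (backslash separators are accepted as well).
    The only wildcard in the result is the trailing '*', per the workaround."""
    if '*' in path_prefix or '?' in path_prefix:
        raise ValueError('pass a plain prefix; the trailing wildcard is added here')
    parts = [p for p in re.split(r'[\\/]+', path_prefix.strip()) if p]
    if not parts:
        raise ValueError('empty path prefix')
    # '\ ' (escaped whitespace) stands in for each separator; note that a literal
    # space inside a component also becomes '\ ', so both forms match here.
    return 'process_cmdline:' + '\\ '.join(escape_term(p) for p in parts) + '*'

def lint_cmdline_query(query: str) -> list:
    """Return the reasons a process_cmdline query hits LC-1075; [] means OK."""
    prefix = 'process_cmdline:'
    if not query.startswith(prefix):
        return ['not a process_cmdline query']
    value = query[len(prefix):]
    wildcards, separators, literal_wild = [], False, False
    i = 0
    while i < len(value):
        c = value[i]
        if c == '\\' and i + 1 < len(value):      # escaped character follows
            separators |= value[i + 1] == '\\'    # escaped backslash = path separator
            literal_wild |= value[i + 1] in '*?'  # escaped '*' is a literal asterisk
            i += 2
            continue
        separators |= c == '/'
        if c in '*?':
            wildcards.append(i)                   # position of an unescaped wildcard
        i += 1
    problems = []
    if any(pos != len(value) - 1 for pos in wildcards):
        problems.append('wildcard must be the trailing character only')
    if wildcards and separators:
        problems.append('replace path separators with escaped whitespace')
    if literal_wild:
        problems.append('escaped "*" or "?" is a literal character, not a wildcard')
    return problems
```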