EDR: Live Response Execfg and Exec Command Unintended Behavior
Article ID: 288281
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Unintended binary file execution
Environment
- EDR Server: All Supported
- EDR Sensor: All Supported
Resolution
- The Live Response execfg and exec commands use the Microsoft CreateProcess API on the sensor to start the requested binary
- If an absolute path to the binary is not provided, CreateProcess applies its standard search order and a different binary with the same name may be executed
Additional Information
For example:
If the following command is executed in the Live Response session:
c:\Windows\Carbonblack> execfg powershell.exe Get-Host
- Powershell.exe does not exist by default in the c:\Windows\CarbonBlack directory
- Because no absolute path is given, the above command causes Windows to apply the CreateProcess search order
- Powershell.exe will be executed and the results returned to the Live Response console session, but it may not be the version expected
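The following is an added example, not code from Carbon Black or this article. It models the documented CreateProcess search order (application directory, current directory, System32, the 16-bit System directory, the Windows directory, then PATH) over a constructed sensor file layout, so an analyst can see which file an unqualified execfg/exec target would resolve to, and it audits a constructed Live Response transcript for exec/execfg commands that do not use an absolute path. The directory layout, PATH entries and session lines are all constructed for illustration.

```python
"""Model the Win32 CreateProcess search order to show which binary an
unqualified Live Response exec/execfg command would run, and audit a
session transcript for targets that are not absolute paths.

Added example, not Carbon Black code. The filesystem and PATH below are
constructed; the search order is the one documented for CreateProcess.
"""
import ntpath

# Constructed sensor environment: the Live Response shell runs from the
# sensor install directory, so both the "application directory" and the
# session's current directory are c:\Windows\CarbonBlack.
SENSOR_DIR = r"c:\Windows\CarbonBlack"
SYSTEM32 = r"c:\Windows\System32"
SYSTEM16 = r"c:\Windows\System"
WINDOWS = r"c:\Windows"
PATH_DIRS = [SYSTEM32, WINDOWS, r"c:\Windows\System32\WindowsPowerShell\v1.0"]

LIVE_RESPONSE_EXEC = {"exec", "execfg"}

# Constructed stand-in for the sensor's filesystem (lower-cased absolute paths).
DEFAULT_FILES = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\cmd.exe",
}
# Same layout, plus an unexpected powershell.exe in the sensor directory.
PLANTED_FILES = DEFAULT_FILES | {r"c:\windows\carbonblack\powershell.exe"}


def search_order(app_dir=SENSOR_DIR, cwd=SENSOR_DIR, path_dirs=PATH_DIRS):
    """Directories CreateProcess consults, in order, for a bare file name."""
    return [app_dir, cwd, SYSTEM32, SYSTEM16, WINDOWS, *path_dirs]


def resolve(command_name, existing_files, **env):
    """Return the path CreateProcess would pick for command_name, or None.

    An absolute name is used as-is when it exists. A bare name gets ".exe"
    appended when it has no extension and is walked through the search
    order; the first directory containing it wins, so a copy in the
    sensor directory shadows the one under System32\\WindowsPowerShell.
    """
    name = command_name if ntpath.splitext(command_name)[1] else command_name + ".exe"
    if ntpath.isabs(name):
        return name if name.lower() in existing_files else None
    for directory in search_order(**env):
        candidate = ntpath.join(directory, name)
        if candidate.lower() in existing_files:
            return candidate
    return None


def audit_session(lines):
    """Flag exec/execfg commands whose target is not an absolute path.

    Each line is a Live Response transcript line; a leading "<dir>> " prompt
    is stripped. Returns (line_index, target) pairs for unqualified targets.
    """
    findings = []
    for idx, line in enumerate(lines):
        words = line.split("> ", 1)[-1].split()
        if len(words) >= 2 and words[0].lower() in LIVE_RESPONSE_EXEC:
            target = words[1]
            if not ntpath.isabs(target):
                findings.append((idx, target))
    return findings


# Constructed session transcript, modelled on the article's example.
SESSION = [
    r"c:\Windows\CarbonBlack> execfg powershell.exe Get-Host",
    r"c:\Windows\CarbonBlack> execfg c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Get-Host",
    r"c:\Windows\CarbonBlack> dir",
]

if __name__ == "__main__":
    for idx, target in audit_session(SESSION):
        print(f"line {idx}: unqualified target {target!r}")
        print("  expected layout resolves to:", resolve(target, DEFAULT_FILES))
        print("  with a planted copy resolves to:", resolve(target, PLANTED_FILES))
```

The audit flags only the first session line: its bare `powershell.exe` resolves to the PowerShell under System32\WindowsPowerShell\v1.0 on the expected layout, but to the copy in c:\Windows\CarbonBlack as soon as one exists there, which is exactly the shadowing the article describes. The second line, which passes an absolute path, resolves to the same file regardless of what else is on disk.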