PSC Console: TAU-TIN Death Ransomware Query Incorrect Results

Article ID: 288592


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

When the December 2nd 2019 TAU-TIN Death Ransomware threat query link is selected from the main console page, too many process_name:WMIC results are returned, including processes whose command line does not match the required process_cmdline:shadowcopy OR process_cmdline:delete terms.

Environment

  • PSC Console: December 19' Release

Cause

The linked search query is missing parentheses, so the required process_cmdline terms are not grouped with their process names and are not evaluated correctly.

Resolution

While we work to fix this in the console, a workaround is available by using the search below:
(((process_cmdline:vssadmin.exe OR process_cmdline:vssadmin) AND (process_cmdline:shadows process_cmdline:delete process_cmdline:\/quiet)) OR ((process_cmdline:wmic OR process_cmdline:wmic.exe) AND (process_cmdline:shadowcopy OR process_cmdline:delete)))
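As an added illustration that is not part of this article or of the Carbon Black Cloud product, the Python below evaluates the workaround query's grouping over constructed process records and compares it with an assumed ungrouped form (one reconstruction of the missing-parentheses defect, not the console's actual query) to show how lost grouping lets every WMIC process match:

```python
# Constructed sample process records (not taken from the KB article):
# (process_name, process_cmdline) pairs of the kind Enterprise EDR indexes.
SAMPLE_PROCESSES = [
    ("vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),   # should match
    ("vssadmin.exe", "vssadmin.exe list shadows"),                 # benign listing
    ("WMIC.exe", r"C:\Windows\System32\wmic.exe shadowcopy delete"),  # should match
    ("WMIC.exe", "wmic.exe os get caption"),                       # benign inventory
    ("powershell.exe", "powershell.exe Get-Date"),                 # unrelated
]


def _tokens(cmdline):
    """Lower-cased whitespace tokens with any Windows path prefix stripped.
    Approximates how process_cmdline:<term> matches a tokenised command line."""
    return {tok.lower().rsplit("\\", 1)[-1] for tok in cmdline.split()}


def _any(toks, *terms):
    return any(t in toks for t in terms)


def _all(toks, *terms):
    return all(t in toks for t in terms)


def corrected_query(cmdline):
    """The workaround query from the article, with its parentheses preserved:
    each process-name branch is AND-ed with its own command-line requirement."""
    t = _tokens(cmdline)
    vssadmin_branch = _any(t, "vssadmin.exe", "vssadmin") and _all(t, "shadows", "delete", "/quiet")
    wmic_branch = _any(t, "wmic", "wmic.exe") and _any(t, "shadowcopy", "delete")
    return vssadmin_branch or wmic_branch


def ungrouped_query(cmdline):
    """Assumed ungrouped form (illustrative only): without the parentheses around the
    WMIC branch, the shadowcopy/delete requirement is no longer bound to the wmic
    terms, so any wmic process satisfies the query on its own."""
    t = _tokens(cmdline)
    vssadmin_branch = _any(t, "vssadmin.exe", "vssadmin") and _all(t, "shadows", "delete", "/quiet")
    return vssadmin_branch or _any(t, "wmic", "wmic.exe") or _any(t, "shadowcopy", "delete")


def run_query(query, processes):
    """Return the command lines of the records a query predicate matches."""
    return [cmd for _, cmd in processes if query(cmd)]


if __name__ == "__main__":
    print("corrected :", run_query(corrected_query, SAMPLE_PROCESSES))
    print("ungrouped :", run_query(ungrouped_query, SAMPLE_PROCESSES))
```

Running it shows the grouped query returning only the two shadow-copy deletion records, while the ungrouped form also returns the benign `wmic.exe os get caption` inventory command, which is the excess WMIC noise the article describes.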