PSC Console: TAU-TIN Death Ransomware Query Incorrect Results
Article ID: 288592
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
Issue/Introduction
When the December 2nd 2019 TAU-TIN Death Ransomware threat query link is selected from the main console page, too many process_name:WMIC results are returned, including processes whose command line does not match process_cmdline:shadowcopy OR process_cmdline:delete.
Environment
PSC Console: December '19 Release
Cause
The linked search query is missing parentheses, so the AND/OR grouping of the required process_cmdline terms is not evaluated as intended and the WMIC clause matches more broadly than it should.
Resolution
While we work to fix this in the console, a workaround is available by using the search below (with explicit parentheses around each group of terms):
(((process_cmdline:vssadmin.exe OR process_cmdline:vssadmin) AND (process_cmdline:shadows process_cmdline:delete process_cmdline:\/quiet)) OR ((process_cmdline:wmic OR process_cmdline:wmic.exe) AND (process_cmdline:shadowcopy OR process_cmdline:delete)))
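As an added illustration (not the KB's own or Carbon Black's code), the Python model below evaluates the workaround query above against a few constructed command lines and contrasts it with an ungrouped variant. The article does not print the defective console query, so the ungrouped form is an assumption about the missing parentheses, chosen to reproduce the symptom of extra WMIC hits; the token-match helper is also an approximation of process_cmdline term matching.

```python
# Added example, not code from the KB article. Models how parenthesisation of
# the workaround query decides which process events match.

def _has(cmdline, term):
    # Approximates a process_cmdline:<term> match as a case-insensitive whole-token test.
    return term.lower() in cmdline.lower().split()

def _vssadmin_clause(cmdline):
    # (vssadmin.exe OR vssadmin) AND shadows AND delete AND /quiet
    return ((_has(cmdline, "vssadmin.exe") or _has(cmdline, "vssadmin"))
            and _has(cmdline, "shadows") and _has(cmdline, "delete")
            and _has(cmdline, "/quiet"))

def grouped_query(cmdline):
    """Workaround query from the Resolution, with its explicit grouping."""
    wmic = ((_has(cmdline, "wmic") or _has(cmdline, "wmic.exe"))
            and (_has(cmdline, "shadowcopy") or _has(cmdline, "delete")))
    return _vssadmin_clause(cmdline) or wmic

def ungrouped_query(cmdline):
    """ASSUMED defective form: the parentheses around the two WMIC names are
    dropped, so with AND binding tighter than OR the clause reads
    wmic OR (wmic.exe AND (shadowcopy OR delete)) and any 'wmic' run matches."""
    wmic = _has(cmdline, "wmic") or (_has(cmdline, "wmic.exe")
            and (_has(cmdline, "shadowcopy") or _has(cmdline, "delete")))
    return _vssadmin_clause(cmdline) or wmic

# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    "vssadmin delete shadows /all /quiet",   # shadow-copy deletion
    "wmic shadowcopy delete",                 # shadow-copy deletion
    "wmic os get caption",                    # benign inventory query
    "wmic process list brief",                # benign inventory query
    "vssadmin list shadows",                  # benign, nothing deleted
]

def matches(query, cmdlines=SAMPLE_CMDLINES):
    """Return the command lines selected by a query predicate."""
    return [c for c in cmdlines if query(c)]

if __name__ == "__main__":
    print("grouped  :", matches(grouped_query))    # only the two deletion commands
    print("ungrouped:", matches(ungrouped_query))  # every wmic run is pulled in
```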