Carbon Black Cloud: Is The Non-Truncated CMD Line Data Available?

Article ID: 288603

Updated On:

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

When viewing events through the console, sometimes long or obfuscated command line parameters are truncated. Is it possible to view the entirety of the parameter being passed?

Environment

  • Carbon Black Cloud Sensor: All Supported Sensors
  • Microsoft Windows: All Supported Versions

Resolution

  • No, currently there is a field size limitation that precludes the sensor from recording the entirety of some overly long command line parameters.
  • To see this functionality added, please vote for this idea in Idea Central: https://community.carbonblack.com/t5/Idea-Central/Don-t-truncate-Command-line-information/idi-p/29483

Additional Information

  • Windows includes other logging facilities for PowerShell and Windows Remote Management (WinRM), and the parameters may be captured in the log files listed here.

For PowerShell-specific logs:
Event Viewer => Applications and Services Logs => Windows PowerShell.evtx
Event Viewer => Applications and Services Logs => Microsoft => Windows => PowerShell => Operational.evtx

They can also sometimes be found in the Windows Remote Management logs:
Event Viewer => Applications and Services Logs => Microsoft => Windows => WinRM => Operational.evtx
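
To pull the full text out of the two PowerShell logs listed above, the following added example (not vendor-supplied code) reads event 400 from the Windows PowerShell log and event 4104 from the PowerShell Operational log, rejoining script blocks that Windows split across several events. The look-back window, length threshold and output file name are assumptions, and 4104 events exist only where script block logging recorded them.

```powershell
# Added example: collect full PowerShell command lines and script blocks from local event logs.
$Since     = (Get-Date).AddDays(-1)   # assumed look-back window
$MinLength = 1024                     # assumed threshold for a "long" command line

function Get-HostApplication {
    # Event 400 lists engine details as Name=Value lines; HostApplication is the host's command line.
    param([string]$Message)
    if ($Message -match '(?m)^\s*HostApplication=(.*)$') { $Matches[1].Trim() }
}

# Classic log ("Windows PowerShell"): event 400 is written when the engine starts.
$engine = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $cmd = Get-HostApplication $_.Message
        if ($cmd -and $cmd.Length -ge $MinLength) {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Engine 400'; Length = $cmd.Length; Text = $cmd }
        }
    }

# Operational log: event 4104 holds script block text. Large blocks are split over several
# events (MessageNumber of MessageTotal), so group by ScriptBlockId and rejoin in order.
$blocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } -ErrorAction SilentlyContinue |
    Group-Object { $_.Properties[3].Value } |
    ForEach-Object {
        $parts = @($_.Group | Sort-Object { [int]$_.Properties[0].Value })
        $text  = -join ($parts | ForEach-Object { [string]$_.Properties[2].Value })
        $total = [int]$parts[0].Properties[1].Value
        [pscustomobject]@{
            Time   = $parts[0].TimeCreated
            Source = "ScriptBlock 4104 ($($parts.Count) of $total parts)"
            Length = $text.Length
            Text   = $text
        }
    } | Where-Object { $_.Length -ge $MinLength }

# Export to CSV so the Text column is not cut off the way console table output would be.
@($engine) + @($blocks) | Sort-Object Time |
    Export-Csv -Path .\powershell-cmdlines.csv -NoTypeInformation   # assumed output file
```

A Source value showing fewer parts than the total means some fragments of that script block fall outside the look-back window or have rolled out of the log.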