CB Response: Does Response sensor capture command "start-service/stop-service" running from PowerShell?
Article ID: 289689
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Does Response sensor capture command "start-service/stop-service" running from PowerShell?
Environment
- CB Response: All versions
Resolution
Please refer to "CB Response: Can I search for commands executed in cmd or powershell ?" for what sensor captures.
When about command "start-service/stop-service, it will not be captured by sensor if it was run within the shell. All that PowerShell is doing is asking service.exe to start/stop a service on its behalf. The start or stop of the service process will be recorded. But what is typed in PowerShell will not.
When about command "start-service/stop-service, it will not be captured by sensor if it was run within the shell. All that PowerShell is doing is asking service.exe to start/stop a service on its behalf. The start or stop of the service process will be recorded. But what is typed in PowerShell will not.
Additional Information
"services" have special status in Windows. The lifetime of a service is managed by the service manager.The service manager itself (services.exe) is a pretty critical piece of Windows. It starts very early in the boot process, before Response or any other security product. Response sensor doesn't get a "process start" for service.exe for this reason. Also
services.exe is very long-lived, it never stops until the machine itself stops.
Feedback
Yes
No
Powered by
