Carbon Black Cloud: The sensor blocks scripts (cmd, bat, etc.) due to being fileless

Article ID: 289834

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

  • Observe Alert "The application cmd.exe invoked another application (cmd.exe) on behalf of explorer.exe. A Deny\Terminate Policy Action was applied."
  • Event Description "The application C:\Windows\System32\cmd.exe invoked the application C:\Windows\System32\cmd.exe. The operation was blocked by Cb Defense."
  • No FILELESS TTP is attached to the event

Environment

  • Carbon Black Cloud (Formerly PSC) Console: All supported versions
  • Endpoint Standard (Formerly CB Defense) Sensor: 3.1 and above
  • Microsoft Windows: All Versions

Cause

  • The sensor blocks scripts (.cmd, .bat, etc.) because of the policy rule: Application at path: **\cmd.exe Executes a fileless script Deny\Terminate operation
  • The script is interpreted as FILELESS because it is executed with cmd.exe /c, i.e. the script path is passed as a command-line argument to a new cmd.exe rather than being opened as a file. Example:
C:\Windows\system32\cmd.exe /c "C:\path\scriptname.cmd"

Resolution

  • REMOVE the Blocking & Isolation rule: Application at path: **\cmd.exe Executes a fileless script Deny\Terminate operation
OR
  • ADD a Permission rule: Application at path: C:\Windows\System32\cmd.exe Executes a fileless script Allow & Log
  • The Permission rule is the narrower of the two: it is pinned to C:\Windows\System32\cmd.exe, so a cmd.exe copied to any other path still falls under the **\cmd.exe Deny\Terminate rule, and Allow & Log keeps the script launches visible in the console.
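As an added illustration for the Cause and Resolution sections above (this is not code from the article or from Carbon Black), the following Python script parses cmd.exe command lines of the shape shown in the Cause, separates launches of an on-disk .cmd/.bat file from inline one-liners, and checks which of the two "Application at path" values on this page would match the interpreter. The command lines in SAMPLE_CMDLINES are constructed samples, not real telemetry, and the reading of `**\` as "any directory prefix" is an assumption about the rule notation rather than something this article states.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Extensions that cmd.exe executes as batch scripts.
SCRIPT_EXTENSIONS = (".cmd", ".bat")

# The two rule paths named in this article's Cause and Resolution sections.
WIDE_RULE = r"**\cmd.exe"
NARROW_RULE = r"C:\Windows\System32\cmd.exe"


@dataclass
class CmdInvocation:
    interpreter: str            # path of the cmd.exe that was launched
    switch: Optional[str]       # "/c" or "/k" when present
    payload: list[str]          # tokens following the switch
    script_path: Optional[str]  # first payload token when it names a .cmd/.bat file


def split_windows_args(cmdline: str) -> list[str]:
    """Split a command line on whitespace, keeping double-quoted runs together
    and dropping the quotes. Enough for the cmd.exe lines in these events;
    it is not a full CommandLineToArgvW reimplementation."""
    tokens: list[str] = []
    cur: list[str] = []
    in_quote = False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_cmd_invocation(cmdline: str) -> CmdInvocation:
    """Find the /c or /k switch and report whether what follows it is an
    on-disk batch file (the article's cmd.exe /c "C:\\path\\scriptname.cmd"
    shape) or an inline command string."""
    tokens = split_windows_args(cmdline)
    interpreter = tokens[0] if tokens else ""
    switch_idx = next(
        (i for i, tok in enumerate(tokens) if i > 0 and tok.lower() in ("/c", "/k")),
        None,
    )
    if switch_idx is None:
        return CmdInvocation(interpreter, None, tokens[1:], None)
    payload = tokens[switch_idx + 1:]
    script_path = payload[0] if payload and payload[0].lower().endswith(SCRIPT_EXTENSIONS) else None
    return CmdInvocation(interpreter, tokens[switch_idx].lower(), payload, script_path)


def matches_app_path(rule_path: str, actual_path: str) -> bool:
    """Compare an interpreter path against an 'Application at path' rule value.
    ASSUMPTION: '**\\' is read as 'any directory prefix' and '*' as 'any run of
    characters within one path component'. The article does not define the
    glob semantics, so this approximates the console's matching."""
    pattern = re.escape(rule_path.lower())
    pattern = pattern.replace(re.escape("**\\"), r"(?:.*\\)?")
    pattern = pattern.replace(re.escape("*"), r"[^\\]*")
    return re.fullmatch(pattern, actual_path.lower()) is not None


def triage(cmdlines: list[str]) -> dict[str, list[str]]:
    """Bucket observed cmd.exe command lines: batch-file launches are what the
    Permission rule is meant to allow; inline one-liners are the genuinely
    fileless usage the Deny rule targets."""
    buckets: dict[str, list[str]] = {"script_file": [], "inline_or_other": []}
    for line in cmdlines:
        key = "script_file" if parse_cmd_invocation(line).script_path else "inline_or_other"
        buckets[key].append(line)
    return buckets


# Constructed sample command lines modelled on the article's example; not real telemetry.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c "C:\path\scriptname.cmd"',
    r'C:\Windows\system32\cmd.exe /d /s /c "C:\Program Files\Tool\run.bat" --verbose',
    r'C:\Windows\system32\cmd.exe /c echo hello > C:\Temp\out.txt',
    r'C:\Users\bob\tools\cmd.exe /c "C:\Users\bob\tools\build.bat"',
]

if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_CMDLINES).items():
        print(f"{bucket}:")
        for line in lines:
            exe = parse_cmd_invocation(line).interpreter
            wide = matches_app_path(WIDE_RULE, exe)
            narrow = matches_app_path(NARROW_RULE, exe)
            print(f"  {line}")
            print(f"    matched by {WIDE_RULE}: {wide}, by {NARROW_RULE}: {narrow}")
```

Run against command lines copied from the blocked events, the script shows why the fourth sample is the case the Resolution's caveat is about: a cmd.exe outside System32 is still caught by the `**\cmd.exe` Deny\Terminate rule but is not covered by the System32-pinned Permission rule.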

Additional Information

  • The cmd /c switch starts a new CMD shell, carries out the command specified by the string, and then terminates.