CB Defense: No alert in web console for blocked Metasploit executions in WSL
Article ID: 289882
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Metasploit execution in the Windows Subsystem for Linux (WSL) is blocked but does not generate an alert.
Environment
- CB Defense Web Console: All Versions
- CB Defense Sensor: All Versions
- Microsoft Windows 10 version 1607 and Higher
- Microsoft Windows Server 2019
Cause
Not all blocked events generate alerts. In the case of Metasploit run via WSL, the sensor blocks an access action, and that block does not generate an alert.
Resolution
This is behaving as designed. The following workarounds can increase visibility of blocked events:
- Enable email notifications for all block and terminate events
- Blocked events can still be found by searching for the blocked process
Additional Information
Because the number of blocking events can be high, most do not generate alerts. This avoids alert fatigue for responders.