Endpoint Standard: How to find events blocked by fileless execution without the ttp tag
Article ID: 290256
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Find the files that would be blocked by fileless execution without the ttp:FILELESS tag
Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard Sensor: All Versions
Resolution
The following processes and command-line arguments cause an event to be blocked as a fileless execution:

| Process | Command-line arguments |
|---|---|
| cmd.exe | /k, /r, or /c |
| powershell.exe | " \"iex\" ", " iex ", Invoke-Expression, FromBase64String, DeflateStream, -NonI, -e, or -c |
| python.exe | decode or base64 |
| ruby.exe | unpack( |
| perl.exe | decode_base64( |
| regsvr32.exe | sct, /u, or /i:http |
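Administrators usually want to know which of their own scheduled tasks and automation command lines would trip these criteria before enabling the policy. The following Python example is added here for that purpose; it is not Carbon Black code and does not reproduce the sensor's actual matching logic. It transcribes the table above into a lookup and applies a case-insensitive substring check, which is an assumption chosen to over-match rather than under-match. The sample process-start events are constructed for illustration.

```python
import ntpath

# Process name -> command-line fragments, transcribed from the table above.
# The two iex entries keep their surrounding spaces as the table shows them.
# Case-insensitive substring matching is an assumption for this example;
# the sensor's real tokenization is not documented in the article.
FILELESS_INDICATORS = {
    "cmd.exe": ["/k", "/r", "/c"],
    "powershell.exe": [' "iex" ', " iex ", "invoke-expression", "frombase64string",
                       "deflatestream", "-noni", "-e", "-c"],
    "python.exe": ["decode", "base64"],
    "ruby.exe": ["unpack("],
    "perl.exe": ["decode_base64("],
    "regsvr32.exe": ["sct", "/u", "/i:http"],
}


def process_basename(image_path):
    """Reduce a full image path (Windows or POSIX style) to a lowercase file name."""
    return ntpath.basename(image_path).lower()


def fileless_matches(image_path, command_line):
    """Return the indicators from the table that the command line hits.

    An empty list means the event would not be blocked by the
    fileless-execution criteria transcribed here.
    """
    patterns = FILELESS_INDICATORS.get(process_basename(image_path), [])
    haystack = command_line.lower()
    return [p for p in patterns if p in haystack]


def would_be_blocked(image_path, command_line):
    """True when at least one indicator for this process matches."""
    return bool(fileless_matches(image_path, command_line))


# Constructed sample events (hypothetical paths), not real telemetry.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\temp"},
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NonI -File C:\scripts\nightly.ps1"},
    {"process": r"C:\Python39\python.exe",
     "cmdline": r"python.exe C:\tools\report.py"},
    {"process": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\notes.txt"},
    {"process": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\vendor\lib.dll"},
]


def scan_events(events):
    """Return (command line, matched indicators) for each event that would be blocked."""
    blocked = []
    for event in events:
        hits = fileless_matches(event["process"], event["cmdline"])
        if hits:
            blocked.append((event["cmdline"], hits))
    return blocked


if __name__ == "__main__":
    for cmdline, hits in scan_events(SAMPLE_EVENTS):
        print(f"would be blocked: {cmdline!r} (matched {hits})")
```

Run the scan over an export of your own process-start command lines to get a candidate list for review. Because the check is substring-based, a short fragment such as `-e` also fires on arguments like `-ExecutionPolicy`; that is deliberate for a pre-check, since a false positive here only costs a manual look, while a missed script would be blocked in production.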
Additional Information
Future work may add more granular exclusions so that specific scripts using these commands can be allowed to execute (tracked as CBC-383).