Carbon Black Cloud: How to Help Identify a Fileless Script Execution Block When No TTP is Present
Article ID: 290267
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Explain how to identify a fileless script execution block policy action, where no TTP is shown relevant to the block (i.e: TTP: Fileless) and why there is no TTP
Environment
- Carbon Black Cloud (Formerly PSC) Console: All supported versions
Resolution
Looking at a relevant block event in the console, check for the following:
- TTP for 'Policy Deny' or 'Policy Terminate' - this confirms that a policy action has taken place
- Check your Policy Blocking & Isolation Rules for 'Executes a Fileless Script', and match it to either the Process or the Target involved in the event
- 'Target Command Line' will contain an event that shows a command interpreter, calling another file, that exists on the machine, in a fileless way ( /c ) - example below:
- Target command line: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\sample\AppData\Local\Microsoft\Windows\INetCache\IE\ABC1234\samplebatchfile.bat" "
- As the file is on disk, it does not meet the criteria outlined in the User Guide, for the TTP:Fileless to appear, as it states the following:
- A script interpreter is acting on a script that is not present on disk
Additional Information
See the TTP Reference Table in the In-Product User Guide, for a description of all TTP
Feedback
Yes
No
Powered by
