Carbon Black Cloud: How to Help Identify a Fileless Script Execution Block When No TTP is Present
Article ID: 290267
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Explain how to identify a fileless script execution block policy action where no TTP relevant to the block is shown (i.e. no 'Fileless' TTP appears on the event), and why there is no TTP.
Environment
Carbon Black Cloud (Formerly PSC) Console: All supported versions
Resolution
Looking at a relevant block event in the console, check for the following:
TTP for 'Policy Deny' or 'Policy Terminate' - this confirms that a policy action has taken place
Check your Policy Blocking & Isolation Rules for 'Executes a Fileless Script', and match it to either the Process or the Target involved in the event
'Target Command Line' will show a command interpreter calling another file that exists on the machine in a fileless way (for example via the /c switch) - example below:
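As an added example (not the article's own content and not Carbon Black product code), the three checks above can be applied mechanically when triaging a batch of block events: confirm a 'Policy Deny' / 'Policy Terminate' TTP, look for a 'Fileless' TTP, and if none is present, inspect the Target Command Line for an interpreter invoked with a /c style switch. The record layout (`ttps`, `process_cmdline`, `target_cmdline` keys), the TTP string spellings and the sample events are assumptions constructed for this example, not values taken from the console.

```python
"""
Triage helper for Carbon Black Cloud block events (added example).

Assumptions, not taken from the article: each event is a dict with the keys
'ttps' (list of TTP strings), 'process_cmdline' and 'target_cmdline'. The TTP
strings below and the sample events are constructed for illustration.
"""
import re
import shlex
from typing import Dict, List

# TTPs that confirm a policy action took place (check 1 in the article).
POLICY_ACTION_TTPS = {"POLICY_DENY", "POLICY_TERMINATE"}

# Command interpreters typically seen in the Target Command Line of an
# 'Executes a Fileless Script' block (check 3 in the article).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# A /c, -c or -command switch followed by an argument: the interpreter is being
# handed something to run rather than launching a script file directly.
INLINE_SWITCH = re.compile(r"(?:^|\s)[/-]c(?:ommand)?\s+\S", re.IGNORECASE)


def first_token(cmdline: str) -> str:
    """Return the lower-cased basename of the executable named first on a Windows command line."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep backslashes and quotes intact
    except ValueError:
        tokens = cmdline.split()
    if not tokens:
        return ""
    exe = tokens[0].strip('"')
    return exe.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_fileless_interpreter_call(target_cmdline: str) -> bool:
    """True when an interpreter is invoked with an inline switch such as /c."""
    return first_token(target_cmdline) in INTERPRETERS and bool(INLINE_SWITCH.search(target_cmdline))


def classify_block(event: Dict) -> str:
    """Apply the article's checks in order and return a short verdict string."""
    ttps = {t.upper() for t in event.get("ttps", [])}
    if not ttps & POLICY_ACTION_TTPS:
        return "not a policy block"
    if any("FILELESS" in t for t in ttps):
        return "fileless block (TTP present)"
    if is_fileless_interpreter_call(event.get("target_cmdline", "")):
        return "likely 'Executes a Fileless Script' block (no TTP)"
    return "policy block (other rule)"


def triage(events: List[Dict]) -> Dict[int, str]:
    """Map each event id to its verdict."""
    return {e["id"]: classify_block(e) for e in events}


# Constructed sample events (not real console output).
SAMPLE_EVENTS = [
    {"id": 1, "ttps": ["POLICY_DENY"],
     "process_cmdline": "C:\\Windows\\explorer.exe",
     "target_cmdline": 'cmd.exe /c "C:\\Users\\Public\\update.bat"'},
    {"id": 2, "ttps": ["POLICY_TERMINATE", "FILELESS"],
     "process_cmdline": "C:\\Windows\\System32\\cmd.exe",
     "target_cmdline": 'powershell.exe -NoP -c "Get-Content C:\\Temp\\run.ps1"'},
    {"id": 3, "ttps": ["UNKNOWN_APP"],
     "process_cmdline": "C:\\Windows\\explorer.exe",
     "target_cmdline": '"C:\\Windows\\System32\\cmd.exe" /c C:\\Temp\\tool.cmd'},
    {"id": 4, "ttps": ["POLICY_DENY"],
     "process_cmdline": "C:\\Windows\\explorer.exe",
     "target_cmdline": "C:\\Tools\\foo.exe --help"},
]

if __name__ == "__main__":
    for event_id, verdict in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {verdict}")
```

Event 1 is the case the article describes: a policy action TTP is present, no 'Fileless' TTP is shown, and the Target Command Line is cmd.exe /c calling a file on disk, so it is reported as a likely 'Executes a Fileless Script' block. Event 3 has the same command line but no policy action TTP, so it is not treated as a block at all.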