Carbon Black Cloud: How to Help Identify a Fileless Script Execution Block When No TTP is Present
Article ID: 290267

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Explain how to identify a fileless script execution block policy action where no TTP relevant to the block (i.e. TTP: Fileless) is shown, and why there is no TTP.

Environment

  • Carbon Black Cloud (Formerly PSC) Console: All supported versions

Resolution

Looking at the relevant block event in the console, check for the following:
  • TTP 'Policy Deny' or 'Policy Terminate' - this confirms that a policy action has taken place
  • Check your Policy Blocking & Isolation Rules for 'Executes a Fileless Script', and match the rule to either the Process or the Target involved in the event
  • 'Target Command Line' will show a command interpreter calling another file that exists on the machine, invoked in a fileless way (e.g. cmd.exe /c) - example below:
    • Target command line: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\sample\AppData\Local\Microsoft\Windows\INetCache\IE\ABC1234\samplebatchfile.bat" "
  • Because the called file is on disk, the event does not meet the criteria in the User Guide for TTP:Fileless to appear, which states the following:
    • A script interpreter is acting on a script that is not present on disk
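As an added example (not from this article or from the Carbon Black product), the checks above written as a small Python triage helper run over a constructed event record modelled on the example command line; the field names "ttps" and "target_command_line" and the ON_DISK lookup are assumptions for the example, not the Carbon Black Cloud API schema.

```python
import re

# Constructed sample event modelled on the article's example. The field names
# "ttps" and "target_command_line" are assumptions, not the CBC API schema.
SAMPLE_EVENT = {
    "ttps": ["Policy Deny"],
    "target_command_line": (
        r'C:\WINDOWS\system32\cmd.exe /c ""C:\Users\sample\AppData\Local'
        r'\Microsoft\Windows\INetCache\IE\ABC1234\samplebatchfile.bat" "'
    ),
}
# Constructed stand-in for "does this path exist on the endpoint?" (lower-cased).
ON_DISK = {
    r"c:\users\sample\appdata\local\microsoft\windows\inetcache\ie\abc1234\samplebatchfile.bat"
}
POLICY_ACTION_TTPS = {"policy deny", "policy terminate"}
CMD_C = re.compile(r'cmd\.exe"?\s+/c\s*(.*)$', re.IGNORECASE)


def script_from_cmd_line(cmdline):
    """Return the file that cmd.exe /c was asked to run, or None if not cmd /c."""
    m = CMD_C.search(cmdline)
    if not m:
        return None
    rest = m.group(1).strip().lstrip('"')  # cmd.exe strips the outer quotes itself
    if not rest:
        return None
    # Quoted path: everything up to the closing quote; otherwise the first token.
    return rest.split('"', 1)[0] if '"' in rest else rest.split()[0]


def triage(event, on_disk):
    """Apply the article's checks and explain why TTP:Fileless may be absent."""
    ttps = {t.lower() for t in event.get("ttps", [])}
    script = script_from_cmd_line(event.get("target_command_line", ""))
    result = {
        "policy_action": bool(ttps & POLICY_ACTION_TTPS),
        "fileless_ttp": "fileless" in ttps,
        "script": script,
        "script_on_disk": script is not None and script.lower() in on_disk,
    }
    if not result["policy_action"]:
        result["verdict"] = "no Policy Deny/Terminate TTP: not a policy block"
    elif result["fileless_ttp"]:
        result["verdict"] = "policy block with TTP:Fileless present"
    elif result["script_on_disk"]:
        result["verdict"] = ("likely 'Executes a Fileless Script' rule: cmd.exe /c ran "
                             "a script that is on disk, so TTP:Fileless is not expected")
    else:
        result["verdict"] = "policy block; review the other Blocking & Isolation rules"
    return result
```

Calling triage(SAMPLE_EVENT, ON_DISK) returns the "likely 'Executes a Fileless Script' rule" verdict for the article's example, because the batch file exists on disk.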

Additional Information

See the TTP Reference Table in the in-product User Guide for a description of all TTPs.