Carbon Black Cloud: How to Search for Specific Command Line Parameters

Article ID: 290446

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How to search for specific command line parameters in the investigate page

Environment

  • Carbon Black Cloud Console: All Versions
    • Enterprise EDR
    • Endpoint Standard

Resolution

To search for command line arguments, the search string must be escaped with a backslash (\): the space before each switch is escaped, and the hyphen/tack (-) that starts the switch is escaped as well.

For instance, to search for the Linux commands "useradd" and "usermod" invoked with the "-G" parameter, use the following search strings:
process_cmdline:useradd\ \-G*
process_cmdline:usermod\ \-G*
If the process is being invoked by another process, search the child process command line instead:
childproc_cmdline:useradd\ \-G*
childproc_cmdline:usermod\ \-G*

Or to search for Chrome running in incognito mode, use:
process_cmdline:\"C\:\\Program\ Files\ \(x86\)\\Google\\Chrome\\Application\\chrome.exe\"\ \-incognito
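As an added example (not part of the article or of Carbon Black's own tooling), the following Python helper applies the escaping rules above to build process_cmdline and childproc_cmdline search strings from a plain command line. The escaped-character set and the function names are this example's assumptions, derived from the search strings shown above.

```python
# Added example, not from the Carbon Black Cloud article: builds investigate-page
# search strings using the escaping the article describes. The character set and
# helper names are this example's own assumptions.

# Characters the article's examples escape with a backslash: space, hyphen,
# double quote, colon, backslash, and parentheses.
ESCAPED_CHARS = set(' -":\\()')


def escape_cmdline(cmdline: str) -> str:
    """Backslash-escape every character in ESCAPED_CHARS, leaving the rest intact."""
    return "".join("\\" + ch if ch in ESCAPED_CHARS else ch for ch in cmdline)


def build_query(cmdline: str, field: str = "process_cmdline", wildcard: bool = False) -> str:
    """Return a '<field>:<escaped cmdline>' term, optionally with a trailing '*' wildcard.

    Use field='childproc_cmdline' when the process is launched by another process.
    Literal double quotes inside the command line are escaped like any other
    character, which avoids the unescaped-quote pitfall the article warns about.
    """
    term = escape_cmdline(cmdline) + ("*" if wildcard else "")
    return f"{field}:{term}"


def build_queries(cmdlines, field="process_cmdline", wildcard=False):
    """Build one query per command line, e.g. several binaries sharing a switch."""
    return [build_query(c, field=field, wildcard=wildcard) for c in cmdlines]


if __name__ == "__main__":
    # Constructed inputs mirroring the article's examples.
    for q in build_queries(["useradd -G", "usermod -G"], wildcard=True):
        print(q)
    for q in build_queries(["useradd -G", "usermod -G"], field="childproc_cmdline", wildcard=True):
        print(q)
    chrome = r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -incognito'
    print(build_query(chrome))
```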


Additional Information

Surrounding the command line and parameters with unescaped double-quotes causes the search engine to ignore the escape character (\), so any double-quotes that are part of the command line must be escaped as in the Chrome example above.