CB PSC: Process listed as script name instead of actual process name
Article ID: 290532
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
The process is listed under the name of a script instead of the actual process that started the script.
Environment
- CB PSC Console
- CB Defense
- CB ThreatHunter
Cause
By design, CB Defense uses the name of the script that was run. In some situations, the Defense event is reported instead of the ThreatHunter event.
Resolution
- This is by design of the Defense sensor.
- A potential workaround when looking for PowerShell events is to search for powershell.exe using the process_cmdline field.
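An added example (not from the original article or from Carbon Black) that applies this workaround to exported event records: when the process name is a script, it recovers the interpreter from `process_cmdline`. The record layout, the `process_name` key, the interpreter and extension lists, and the sample events are assumptions constructed for illustration.

```python
import ntpath
import shlex

# Assumed values for illustration; extend for your environment.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".ps1", ".bat", ".cmd", ".vbs", ".js")

def basename(path):
    """Lower-cased file name of a Windows path, ignoring surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()

def interpreter_from_cmdline(cmdline):
    """Return the first known interpreter named in the command line, else None."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps backslashes intact
    except ValueError:                              # unbalanced quote
        tokens = cmdline.split()
    for tok in tokens:
        if basename(tok) in INTERPRETERS:
            return basename(tok)
    return None

def relabel(events):
    """For events named after a script, pair the script with its interpreter."""
    pairs = []
    for ev in events:
        name = basename(ev.get("process_name", ""))
        if name.endswith(SCRIPT_EXTS):
            pairs.append((name, interpreter_from_cmdline(ev.get("process_cmdline", ""))))
    return pairs

# Constructed sample records (hypothetical layout, not real console output).
SAMPLE_EVENTS = [
    {"process_name": r"c:\scripts\inventory.ps1",
     "process_cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\scripts\inventory.ps1'},
    {"process_name": r"c:\windows\system32\notepad.exe",
     "process_cmdline": r"notepad.exe readme.txt"},
    {"process_name": r"c:\temp\cleanup.bat",
     "process_cmdline": r"C:\Windows\system32\cmd.exe /c C:\temp\cleanup.bat"},
    {"process_name": r"c:\scripts\orphan.ps1",
     "process_cmdline": r"C:\scripts\orphan.ps1"},
]

if __name__ == "__main__":
    for script, interp in relabel(SAMPLE_EVENTS):
        print(f"{script}: started by {interp or 'unknown (not in command line)'}")
```

Events whose command line names no interpreter come back with `None` and need manual review.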