EDR: Command Line Redirection Events are Missing
Article ID: 291154
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Why in the captured events for the following command "find / -perm -u=s -type f 2>/dev/null" the 2>/dev/null is stripped from the command line
Environment
- EDR Server: All Supported Versions
- EDR Sensor: All Supported Versions
Resolution
- These redirections look like part of the command, but they are actually controlling shell behavior before the command is executed
- When
bashruns a command like this, it does this:- Fork to create a new process
- Open a file handle to /dev/null
- Remap that over the stderr file descriptor
- Exec the command line not including any redirections
- In this kind of syntax, the
findcommand never sees these redirections; it’s not part of the command, it’s something bash does to the environment before running the command
Feedback
Yes
No
Powered by
