Does CBC have a way to detect path masquerading?


Article ID: 388226


Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
  • Carbon Black Cloud Audit and Remediation (formerly Cb LiveOps)

Issue/Introduction

Does CBC have a way to detect path masquerading via query searching the console?

Environment

  • Carbon Black Cloud Console: Current Version
    • Carbon Black Cloud Enterprise EDR
    • Carbon Black Cloud Endpoint Standard

Resolution

Yes. CBC can detect path masquerading because it does not simplify paths (for example, it does not translate Unicode space characters into ordinary spaces); the only normalization it applies is converting to lowercase. Detection still depends on which detection rules are configured and on what endpoint telemetry is collected.

Additional Information

CBC can assist with both process hash and path mismatch detection because it tracks process hashes alongside their file paths. If what appears to be a legitimate system binary (e.g., C:\Windows\System32\notepad.exe) is actually executing from an unexpected location (e.g., C:\Users\Public\notepad.exe), CBC can flag it as suspicious because the hash does not match the expected version.

  • Parent-Child Process Analysis
    • Attackers using path masquerading often execute processes in ways that don't align with normal behavior. CBC’s behavioral analytics can detect these anomalies, such as:
      • A trusted process spawning from an unusual directory.
      • Regsvr32.exe making network connections, which is not “normal” behavior.
    • CBC can build watchlists to look for things running in unexpected directories.
      • Example: process_name:svchost.exe AND -process_path:C:\Windows\System32\
        • This query finds instances where svchost.exe is running outside its expected location.
  • Live Query
    • CBC Live Query can search for suspicious executables with unexpected paths, altered timestamps, or renamed binaries.
      • Example: SELECT p.path, h.sha256 FROM processes p JOIN hash h ON h.path = p.path WHERE p.path NOT LIKE 'C:\Windows\System32\%';
        • This helps detect executables running from non-standard locations. (The osquery processes table has no checksum column; the file hash comes from the hash table, joined on path.)
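As an added illustration of the three checks described above (hash mismatch, unexpected location, and the Unicode-space point from the Resolution), not code from the Carbon Black KB or product: a small Python checker run over constructed process events. The expected-directory table, the hash values and the sample events are all made-up placeholders; the checker applies CBC's lowercase-only comparison for the location check and adds a Unicode fold so that lookalike characters in a name or path are surfaced separately.

```python
import ntpath
import unicodedata
from typing import List, NamedTuple, Tuple

# Constructed allow-list: where each watched system binary is expected to run
# from and which SHA-256 values are known good. The hashes are placeholders,
# not real values; a real deployment would take them from a golden image.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "notepad.exe": r"c:\windows\system32",
}
KNOWN_GOOD_SHA256 = {
    "svchost.exe": {"11" * 32},
    "notepad.exe": {"22" * 32},
}


class ProcessEvent(NamedTuple):
    process_name: str
    process_path: str
    process_sha256: str


def normalize_path(path: str) -> str:
    """Fold the Unicode tricks that CBC does not fold. CBC only lowercases,
    so this goes further: NFKC maps compatibility characters (em space,
    fullwidth letters) to their ASCII forms, every separator character
    (category Zs) becomes a plain space, and zero-width/format characters
    (category Cf, e.g. U+200B) are dropped."""
    folded = unicodedata.normalize("NFKC", path).lower()
    out = []
    for ch in folded:
        cat = unicodedata.category(ch)
        if cat == "Cf":
            continue
        out.append(" " if cat == "Zs" else ch)
    return "".join(out)


def analyze(ev: ProcessEvent) -> List[str]:
    """Return the findings for one process event, in a fixed order."""
    findings = []
    literal_name = ev.process_name.lower()          # what a CBC query matches on
    literal_dir = ntpath.dirname(ev.process_path.lower())
    norm_name = normalize_path(ev.process_name)
    norm_path = normalize_path(ev.process_path)

    # A console query such as process_name:svchost.exe never matches a name
    # that contains a lookalike character, so flag any name or path whose
    # folded form differs from its literal lowercase form.
    if norm_name != literal_name or norm_path != ev.process_path.lower():
        findings.append("unicode_in_path")

    expected_dir = EXPECTED_DIR.get(norm_name)
    if expected_dir is None:
        return findings                              # not a watched binary

    # Same check as the watchlist query above, compared lowercase-only as CBC does:
    # process_name:svchost.exe AND -process_path:C:\Windows\System32\
    if literal_dir != expected_dir:
        findings.append("unexpected_location")

    # Hash tracked alongside the path: same name, different binary.
    if ev.process_sha256.lower() not in KNOWN_GOOD_SHA256[norm_name]:
        findings.append("hash_mismatch")
    return findings


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # genuine svchost.exe in its normal location
    ProcessEvent("svchost.exe", r"C:\Windows\System32\svchost.exe", "11" * 32),
    # renamed tool dropped in a user-writable directory
    ProcessEvent("svchost.exe", r"C:\Users\Public\svchost.exe", "ff" * 32),
    # genuine binary copied under "C:\Windows<EM SPACE>\System32": hash still matches
    ProcessEvent("svchost.exe", "C:\\Windows\u2003\\System32\\svchost.exe", "11" * 32),
    # zero-width space inside the file name, so a process_name: query never matches it
    ProcessEvent("svch\u200bost.exe", "C:\\Windows\\System32\\svch\u200bost.exe", "11" * 32),
]


def scan(events: List[ProcessEvent]) -> List[Tuple[str, List[str]]]:
    """Run analyze() over a batch and pair each result with its path."""
    return [(ev.process_path, analyze(ev)) for ev in events]


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_EVENTS):
        print(f"{path!r}: {findings or 'clean'}")
```

The third sample shows why the hash check alone is not enough: a copied genuine binary keeps its known-good hash, and only the location and Unicode checks catch it. The fourth shows the opposite gap: the path is the expected one, but the literal process name is not `svchost.exe`, so a watchlist keyed on that name would never fire; the folded name is what exposes it.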

CBC can also prevent execution of renamed system binaries using custom policies. Reputation rules can help as well: if an attacker renames a system binary, the file's reputation score may drop or change from trusted_white, which helps flag it.