Knowledge Base

Yes

Environment

Endpoint Standard (formerly CB Defense) Web Console: All Versions
Endpoint Standard Sensor: All Versions
Policy Action blocks with TTP: HAS_SCRIPT_DLL

Question

What rule is causing blocks due to a Deny operation or Terminate process policy action, with the TTP 'HAS_SCRIPT_DLL'?

Answer

The TTP 'HAS_SCRIPT_DLL' can be linked to the 'Invokes a command interpreter', 'Scrapes memory of another process' or the 'Injects code or modifies memory of another process' Operation Attempt of a policy rule

Additional Notes

The TTP 'HAS_SCRIPT_DLL' is defined as when a process loads an in-memory script interpreter.
Feature Request to rename this TTP to better match the Operation Attempt: Cb Defense: Rename TTP 'HAS_SCRIPT_DLL' to better match Operation Attempt it is associated with
Feature Request to show which rule caused the block right on the event/alert: Endpoint Standard: What rule is causing policy action blocks with the TTP: HAS_SCRIPT_DLL?

Knowledge Base

Endpoint Standard: What rule is causing policy action blocks with the TTP: HAS_SCRIPT_DLL?

Endpoint Standard: What rule is causing policy action blocks with the TTP: HAS_SCRIPT_DLL?

Environment

Question

Answer

Additional Notes

Related Content

Carbon Black Cloud

Endpoint Standard

Knowledge Base

Endpoint Standard: What rule is causing policy action blocks with the TTP: HAS_SCRIPT_DLL?

Endpoint Standard: What rule is causing policy action blocks with the TTP: HAS_SCRIPT_DLL?

Environment

Question

Answer

Additional Notes

Related Content

Carbon Black Cloud

Endpoint Standard

Thank you for your feedback.

Thank you for your feedback.