Environment
- Carbon Black Cloud (Formerly PSC) Console: All supported versions
Objective
Explain how to identify a fileless script execution block policy action where no TTP relevant to the block (i.e. TTP: Fileless) is shown, and why that TTP is absent
Resolution
Looking at a relevant block event in the console, check for the following:
- TTP for 'Policy Deny' or 'Policy Terminate' - this confirms that a policy action has taken place
- Check your Policy Blocking & Isolation Rules for 'Executes a Fileless Script', and match it to either the Process or the Target involved in the event
- 'Target Command Line' will show a command interpreter invoking, via the /c switch, another file that does exist on the machine - example below:
- Target command line: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\sample\AppData\Local\Microsoft\Windows\INetCache\IE\ABC1234\samplebatchfile.bat" "
- Because the file is on disk, the event does not meet the criteria in the User Guide for TTP: Fileless to appear, which state the following:
- A script interpreter is acting on a script that is not present on disk
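The checks above, applied to an event record by an added Python triage helper (example code, not part of this article or of the Carbon Black Cloud product; the field names, TTP strings and interpreter list are assumptions):

```python
import re
from typing import Optional

# TTP labels as the article names them; the exact console strings are an assumption.
POLICY_TTPS = {"Policy Deny", "Policy Terminate"}
# Interpreters the 'Executes a Fileless Script' rule acts on (assumed, illustrative list).
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
# First drive-letter path ending in a script extension; tolerates the doubled quotes seen after cmd /c.
SCRIPT_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:bat|cmd|ps1|vbs|js)\b)', re.IGNORECASE)

def interpreter_of(cmdline: str) -> Optional[str]:
    """Return the interpreter image name if the command line starts with one (unquoted image path assumed)."""
    image = cmdline.split()[0].lower() if cmdline.strip() else ""
    return next((n for n in INTERPRETERS if image.endswith(n)), None)

def script_path_of(cmdline: str) -> Optional[str]:
    """Extract the script path the interpreter was handed, or None when no script file is named."""
    m = SCRIPT_PATH_RE.search(cmdline)
    return m.group(1) if m else None

def explain_block(event: dict, files_on_disk: set) -> str:
    """Apply the article's checks and state whether the Fileless TTP should be present.

    'ttps' and 'target_cmdline' are assumed field names; files_on_disk stands in for the
    endpoint's file system so the example runs offline.
    """
    if not set(event.get("ttps", [])) & POLICY_TTPS:
        return "no Policy Deny/Terminate TTP: not a policy action"
    cmdline = event.get("target_cmdline", "")
    interp = interpreter_of(cmdline)
    if interp is None:
        return "policy action, but the target is not a script interpreter"
    path = script_path_of(cmdline)
    if path is None:
        return f"policy action on {interp} with no script file on the command line: review against the Fileless criteria"
    if path.lower() in {p.lower() for p in files_on_disk}:
        return f"policy action on {interp} running on-disk script {path}: Fileless TTP not expected"
    return f"policy action on {interp} running script {path} not on disk: Fileless TTP expected"

# Constructed sample data (not real telemetry); the on-disk case is the article's own command line.
ON_DISK = {r"C:\Users\sample\AppData\Local\Microsoft\Windows\INetCache\IE\ABC1234\samplebatchfile.bat"}
EVENT_ON_DISK = {"ttps": ["Policy Deny"], "target_cmdline":
    r'C:\WINDOWS\system32\cmd.exe /c ""C:\Users\sample\AppData\Local\Microsoft\Windows\INetCache\IE\ABC1234\samplebatchfile.bat" "'}
EVENT_MISSING = {"ttps": ["Policy Terminate", "Fileless"], "target_cmdline":
    r'C:\WINDOWS\system32\cmd.exe /c "C:\Users\sample\AppData\Local\Temp\gone.bat"'}

if __name__ == "__main__":
    for ev in (EVENT_ON_DISK, EVENT_MISSING):
        print(explain_block(ev, ON_DISK))
```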
Additional Notes
See the TTP Reference Table in the In-Product User Guide for a description of all TTPs