
Carbon Black Cloud: The sensor blocks scripts (cmd, bat, etc..) due to being fileless

Environment

  • Carbon Black Cloud (Formerly PSC) Console: All supported versions
  • Endpoint Standard (Formerly CB Defense) Sensor: 3.1 and above
  • Microsoft Windows: All Versions

Symptoms

  • Observe Alert "The application cmd.exe invoked another application (cmd.exe) on behalf of explorer.exe. A Deny\Terminate Policy Action was applied."
  • Event Description "The application C:\Windows\System32\cmd.exe invoked the application C:\Windows\System32\cmd.exe. The operation was blocked by Cb Defense."
  • The FILELESS TTP is not attached to the event

Cause

  • The sensor blocks scripts (cmd, bat, etc.) because of the policy rule: Application at path: **\cmd.exe Executes a fileless script Deny\Terminate operation
  • The script is interpreted as being FILELESS because it is executed via cmd.exe /c. Example:
    C:\Windows\system32\cmd.exe /c "C:\path\scriptname.cmd"

Resolution

  • REMOVE the Blocking & Isolation rule: Application at path: **\cmd.exe Executes a fileless script Deny\Terminate operation
OR
  • ADD a Permission rule: Application at path: C:\Windows\System32\cmd.exe Executes a fileless script Allow & Log

Additional Notes

  • The cmd /c switch starts a new CMD shell, carries out the command specified by the string, and then terminates
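Before widening the rule to Allow & Log, an analyst usually wants to know how many of the blocked "fileless" events were really an on-disk .cmd/.bat file passed to cmd.exe /c (the case described under Cause) rather than inline commands. The following triage helper is an added example, not code from this article or from Carbon Black; the command-line shape it parses is taken from the example above, and the event lines it runs over are constructed samples.

```python
import re

# Constructed sample command lines in the shape of the "cmd.exe invoked
# cmd.exe" events described above (not real sensor telemetry).
SAMPLE_EVENTS = [
    r'C:\Windows\system32\cmd.exe /c "C:\path\scriptname.cmd"',
    r'C:\Windows\system32\cmd.exe /C C:\Scripts\backup.bat nightly',
    r'C:\Windows\system32\cmd.exe /c dir C:\ && echo done',
    r'C:\Windows\system32\cmd.exe /k echo hello',
    r'C:\Windows\system32\cmd.exe',
]

SCRIPT_EXTENSIONS = (".cmd", ".bat")

# Matches "<path to cmd.exe> /c <rest>" or "/k <rest>", case-insensitively.
_CMD_SWITCH = re.compile(r'(?i)^(?:"?[^"]*?cmd(?:\.exe)?"?)\s+/([ck])\s*(.*)$')


def classify_cmd_invocation(cmdline: str) -> str:
    """Return 'script_file', 'inline' or 'interactive' for a cmd.exe command line.

    The sensor tags any cmd.exe /c child as a fileless script; this heuristic
    separates an on-disk .cmd/.bat passed to /c from genuinely inline commands.
    """
    m = _CMD_SWITCH.match(cmdline.strip())
    if not m:
        return "interactive"          # no /c or /k: an interactive shell
    rest = m.group(2).strip()
    # Strip one layer of outer quotes: /c "C:\path\script.cmd" -> C:\path\script.cmd
    if rest.startswith('"') and rest.count('"') >= 2:
        first = rest[1:rest.index('"', 1)]
    else:
        first = rest.split(" ", 1)[0]
    return "script_file" if first.lower().endswith(SCRIPT_EXTENSIONS) else "inline"


def triage(events):
    """Group command lines by classification so the share of on-disk script
    launches among the 'fileless' blocks is visible before a rule is changed."""
    groups = {"script_file": [], "inline": [], "interactive": []}
    for event in events:
        groups[classify_cmd_invocation(event)].append(event)
    return groups


if __name__ == "__main__":
    for kind, lines in triage(SAMPLE_EVENTS).items():
        print(f"{kind}: {len(lines)}")
        for line in lines:
            print("   ", line)
```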

Article Information
Creation Date: 09-09-2020