Environment
- Carbon Black Cloud (Formerly PSC) Console: All supported versions
- Endpoint Standard (Formerly CB Defense) Sensor: 3.1 and above
- Microsoft Windows: All Versions
Symptoms
- Observe Alert "The application cmd.exe invoked another application (cmd.exe) on behalf of explorer.exe. A Deny\Terminate Policy Action was applied."
- Event Description "The application C:\Windows\System32\cmd.exe invoked the application C:\Windows\System32\cmd.exe. The operation was blocked by Cb Defense."
- FILELESS TTP is not attached to the event
Cause
- The sensor blocks scripts (cmd, bat, etc.) because of the policy rule: Application at path: **\cmd.exe Executes a fileless script Deny\Terminate operation
- The script is interpreted as FILELESS because it is executed using cmd.exe /c. Example:
C:\Windows\system32\cmd.exe /c "C:\path\scriptname.cmd"
Resolution
- REMOVE Blocking & Isolation rule: Application at path: **\cmd.exe Executes a fileless script Deny\Terminate operation
OR
- ADD Permission rule: Application at path: C:\Windows\System32\cmd.exe Executes a fileless script Allow & Log
Additional Notes
- The cmd /c switch starts a new cmd.exe shell, carries out the command specified by the string, and then terminates
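As an added example (not part of this article or of the Carbon Black console), a small Python triage helper that checks whether an event shows the exact symptoms described above: cmd.exe invoking cmd.exe with /c and a .cmd or .bat script, a Deny/Terminate action, and no FILELESS TTP attached. The event field names and the sample TTP value are constructed assumptions, not a real console export.

```python
import re

SCRIPT_EXTENSIONS = (".cmd", ".bat")


def cmd_c_script(command_line):
    """Return the script file that cmd.exe is asked to run via /c, or None.

    Mirrors the shape from the article: cmd.exe /c "C:\\path\\scriptname.cmd".
    The interpreter path may be quoted or unquoted and in any letter case; the
    first token after /c is the program cmd.exe will start."""
    m = re.match(r'^\s*"?(?:[^"\s]*[\\/])?cmd(?:\.exe)?"?\s+/c\s+(.+?)\s*$',
                 command_line, re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1)
    if rest.startswith('"'):            # quoted path: take up to the closing quote
        end = rest.find('"', 1)
        token = rest[1:end] if end > 0 else rest[1:]
    else:                               # unquoted: first whitespace-separated token
        token = rest.split()[0]
    return token if token.lower().endswith(SCRIPT_EXTENSIONS) else None


def matches_kb_pattern(event):
    """True only when every symptom from the article is present: cmd.exe invoked
    cmd.exe, the command line is a /c script invocation, the action was
    Deny/Terminate, and no FILELESS TTP was attached to the event."""
    both_cmd = all(p.lower().endswith("\\cmd.exe")
                   for p in (event["app_path"], event["target_path"]))
    no_fileless_ttp = not any("FILELESS" in t.upper() for t in event.get("ttps", []))
    return (both_cmd
            and cmd_c_script(event["command_line"]) is not None
            and event["policy_action"].lower().startswith("deny")
            and no_fileless_ttp)


# Constructed sample event built from the alert text in the article; the TTP
# value is an assumption, only the absence of FILELESS matters for the check.
SAMPLE_EVENT = {
    "app_path": r"C:\Windows\System32\cmd.exe",
    "target_path": r"C:\Windows\System32\cmd.exe",
    "command_line": r'C:\Windows\system32\cmd.exe /c "C:\path\scriptname.cmd"',
    "policy_action": "Deny/Terminate",
    "ttps": ["POLICY_DENY"],
}

if __name__ == "__main__":
    print(cmd_c_script(SAMPLE_EVENT["command_line"]))   # C:\path\scriptname.cmd
    print(matches_kb_pattern(SAMPLE_EVENT))             # True
```

An event that does carry a FILELESS TTP, or whose /c argument is not a script file, does not match and should be triaged on its own merits rather than resolved with the permission rule above.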