
EDR: Live Response Execfg and Exec Command Unintended Behavior

Environment

  • EDR Server: All Supported
  • EDR Sensor: All Supported

Question

Unintended binary file execution

Answer

  • The Live Response execfg and exec commands use the Microsoft CreateProcess API on the sensor to launch the requested binary
  • If the binary is given without an absolute path, CreateProcess applies the Windows executable search order, so a different binary of the same name may be executed instead of the one intended

Additional Notes

For example:

If the following command is executed in the Live Response session

c:\Windows\Carbonblack> execfg powershell.exe Get-Host

  • powershell.exe does not exist by default in the c:\Windows\CarbonBlack directory
  • The above command therefore causes Windows to apply its executable search order (the sensor's own directory, the session's current directory, the system directories, then each directory on PATH) to locate a file named powershell.exe
  • A powershell.exe will be executed and its output returned to the Live Response console session, but it may not be the binary or version expected
  • To run a specific binary, supply its absolute path, for example execfg C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Get-Host for the default Windows PowerShell install location; with an absolute path no search is performed
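The following Python is an added illustration, not part of this article or of the Carbon Black sensor code. It models the search order that Microsoft documents for CreateProcess when the module name is given without a path (application directory, current directory, System32, System, the Windows directory, then PATH, with .exe appended when no extension is given) and shows how a bare name such as powershell.exe can resolve to a binary other than the default Windows PowerShell, while an absolute path does not. The sensor directory, PATH contents and the planted powershell.exe copies are constructed for the example; the resolver takes an injected exists() predicate so it runs offline.

```python
"""Model of the Windows CreateProcess executable search order.

Added example; it is not Carbon Black code. The order below follows
Microsoft's CreateProcess documentation for a module name with no path.
The filesystem is a constructed set of paths so the example runs offline.
"""
import ntpath
from typing import Callable, List, Optional

WINDIR = "C:\\Windows"   # assumption: default Windows directory


def search_order(app_dir: str, cwd: str, path_env: str, windir: str = WINDIR) -> List[str]:
    """Directories CreateProcess tries, in order, for a bare file name."""
    fixed = [
        app_dir,                           # 1. directory the calling app (the sensor) loaded from
        cwd,                               # 2. current directory of the parent (the Live Response cwd)
        ntpath.join(windir, "System32"),   # 3. 32-bit system directory
        ntpath.join(windir, "System"),     # 4. 16-bit system directory
        windir,                            # 5. Windows directory
    ]
    return fixed + [p for p in path_env.split(";") if p]   # 6. PATH entries, in order


def candidates(name: str, cwd: str, order: List[str]) -> List[str]:
    """Full paths CreateProcess would test for `name`; the first that exists wins."""
    if not ntpath.splitext(name)[1]:
        name += ".exe"                     # no extension: .exe is appended
    if ntpath.isabs(name):
        return [name]                      # absolute path: no search at all
    if ntpath.dirname(name):
        return [ntpath.join(cwd, name)]    # relative path: resolved against cwd only
    return [ntpath.join(d, name) for d in order]


def resolve(name: str, cwd: str, order: List[str],
            exists: Callable[[str], bool]) -> Optional[str]:
    """Path CreateProcess would launch for `name`, or None if nothing is found."""
    for cand in candidates(name, cwd, order):
        if exists(cand):
            return cand
    return None


def shadowing(name: str, cwd: str, order: List[str],
              exists: Callable[[str], bool], expected: str) -> List[str]:
    """Existing candidates that CreateProcess would pick before `expected`.

    A non-empty result means a bare `name` will not run the binary you meant.
    """
    hits = []
    for cand in candidates(name, cwd, order):
        if ntpath.normcase(cand) == ntpath.normcase(expected):
            break
        if exists(cand):
            hits.append(cand)
    return hits


# ---- constructed scenario (not observed data) -------------------------------
SENSOR_DIR = "C:\\Windows\\CarbonBlack"
REAL_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PATH_ENV = ";".join([
    "C:\\Windows\\System32", "C:\\Windows", "C:\\Tools",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\",
])
# Hypothetical filesystem: the real PowerShell plus two same-named copies
# sitting in directories that are searched earlier.
FAKE_FS = {ntpath.normcase(p) for p in [
    REAL_PS,
    "C:\\Tools\\powershell.exe",
    "C:\\Users\\analyst\\Downloads\\powershell.exe",
]}


def fake_exists(path: str) -> bool:
    return ntpath.normcase(path) in FAKE_FS


def demo(cwd: str = SENSOR_DIR):
    """Return (bare-name result, absolute-path result, shadowing binaries)."""
    order = search_order(SENSOR_DIR, cwd, PATH_ENV)
    bare = resolve("powershell.exe", cwd, order, fake_exists)
    absolute = resolve(REAL_PS, cwd, order, fake_exists)
    shadows = shadowing("powershell.exe", cwd, order, fake_exists, REAL_PS)
    return bare, absolute, shadows


if __name__ == "__main__":
    for cwd in (SENSOR_DIR, "C:\\Users\\analyst\\Downloads"):
        bare, absolute, shadows = demo(cwd)
        print(f"cwd={cwd}\n  bare name  -> {bare}\n  absolute   -> {absolute}\n  shadowed by {shadows}")
```

In the constructed scenario the bare name resolves to C:\Tools\powershell.exe because that PATH entry precedes the PowerShell directory, and changing the session's current directory to one that holds a planted copy moves that copy ahead of even System32. The absolute path resolves to the intended binary regardless of cwd or PATH, which is the practical check: run shadowing() with the path you expect, and if it returns anything, use the absolute path in the execfg or exec command.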

Article Information
Creation Date: 12-14-2022