
Enterprise EDR: Wildcards are not working in the process_cmdline field

Environment

  • Enterprise EDR Console: All versions
  • Enterprise EDR Sensor: All versions

Symptoms

On the Investigate page, Processes tab, the following queries return the expected results:

process_cmdline:c\:\\windows\\system32\\msiexec.exe
process_cmdline:c\:\\windows\\system32\\.exe        (finds all *.exe processes, as it should)

However, the same search with a wildcard in process_cmdline returns NO hits (no syntax error, but no results), in any of these forms:

process_cmdline:c\:\\windows\\system32\\*.exe
process_cmdline:c\:\\windows\\system32\\\*.exe
process_cmdline:c\:\\windows\\system32\\msi*.exe
process_cmdline:c\:\\windows\\system32\\msi\*.exe
process_cmdline:c\:/\windows/\system32/\msi*.exe

Cause

This is issue LC-1075: "Due to specifics in parsing paths of "cmdline" queries, wildcards are not always handled correctly."

Resolution

LC-1075 will be fixed in a future server-side version.
As a workaround until then, use escaped spaces (backslash followed by a space) in place of the path separators, and use only a single trailing wildcard.
For example:
process_cmdline:c\:\ windows\ system32\ msiex*
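The following helper is an added example, not part of this article or of Carbon Black's tooling: it turns a directory path and a file-name prefix into the escaped-space query form shown above, and refuses caller-supplied wildcards so that only the single trailing one is emitted. The rules it applies (split on either slash, escape the drive colon as "c\:", join components with backslash-space) are inferred from the one example on this page and are an assumption, not documented query syntax.

```python
import re

# Added helper (not Carbon Black's own tooling): build a process_cmdline
# query in the escaped-space form the article gives as the LC-1075
# workaround. The rules below are inferred from the article's one example
# and are an assumption, not documented query syntax.

def cmdline_workaround_query(directory: str, filename_prefix: str) -> str:
    """Return a process_cmdline query for files under `directory` whose
    name starts with `filename_prefix`, using escaped spaces instead of
    path separators and exactly one trailing wildcard.

    Example: ("c:\\windows\\system32", "msiex")
         ->  process_cmdline:c\\:\\ windows\\ system32\\ msiex*
    """
    # The workaround only tolerates a single trailing '*', which this
    # function appends itself, so reject any wildcard supplied by the caller.
    if any(ch in directory or ch in filename_prefix for ch in "*?"):
        raise ValueError("wildcards are appended automatically; do not pass them in")
    if not filename_prefix:
        raise ValueError("filename_prefix must not be empty")

    # Accept either separator style and drop empty components
    # (leading, trailing or doubled separators).
    parts = [p for p in re.split(r"[\\/]+", directory) if p]
    if not parts:
        raise ValueError("directory must contain at least one path component")

    # Escape the drive-letter colon as the article does ("c\:").
    escaped = [p.replace(":", r"\:") for p in parts]

    # Join components with backslash-space instead of a path separator,
    # then add the file-name prefix and the single trailing wildcard.
    body = r"\ ".join(escaped + [filename_prefix])
    return "process_cmdline:" + body + "*"


if __name__ == "__main__":
    print(cmdline_workaround_query(r"c:\windows\system32", "msiex"))
```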

Creation Date: 06-18-2021