Purpose: To look for suspicious behavior based on unusual command lines.

Description: Reports or prevents behavior by common applications that is suspicious based on command line.

Enabled by Default: No
Platform: Windows
Minimum Agent Version Required: 8.0.0

The Edit Rapid Config page for the Suspicious Command Line Protection N-Z Rapid Config

Rapid Config Settings

As with most rapid configs, you can:

  • Enable or disable the rapid config.

  • Specify what policies the rapid config applies to.

In addition, you can choose to Do Nothing, Report, or Block the specific items or behaviors.

Note: We recommend setting each section to Report before setting it to Block. Use the resulting events to confirm that legitimate behavior will not be impacted.

For each of the following sections, specify what action you require.

Netsh.exe

Use this group to specify how to handle suspicious Netsh command lines. Netsh is the Network shell command line utility.

The Netsh.exe settings for the Suspicious Command Line Protection N-Z Rapid Config

*Report Or Block Execution Of Netsh With Suspicious Command Lines:
Should execution of Netsh with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Netsh Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following are listed:
  • <cmdline:*add*>Netsh.exe
  • <cmdline:*delete*>Netsh.exe
  • <cmdline:*export*>Netsh.exe
  • <cmdline:*import*>Netsh.exe
  • <cmdline:*off*>Netsh.exe
  • <cmdline:*portproxy*>Netsh.exe
  • <cmdline:*show*>Netsh.exe
  • <cmdline:*trace*>Netsh.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.

Odbcconf.exe

Use this group to specify how to handle suspicious Odbcconf command lines. Odbcconf is a utility for configuring ODBC drivers.

The Odbcconf.exe settings for the Suspicious Command Line Protection N-Z Rapid Config

*Report Or Block Execution Of Odbcconf With Suspicious Command Lines:
Should execution of Odbcconf with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Odbcconf Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following is listed:
  • <cmdline:*-f*.rsp*>Odbcconf.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.

Register-cimprovider.exe

Use this group to specify how to handle suspicious Register-cimprovider command lines. Register-cimprovider is a utility for registering Windows Management Infrastructure providers.

The Register-cimprovider.exe settings for the Suspicious Command Line Protection N-Z Rapid Config

*Report Or Block Execution Of Register-cimprovider With Suspicious Command Lines:
Should execution of Register-cimprovider with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Register-cimprovider Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following is listed:
  • <cmdline:*-path*>Register-cimprovider.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked. You can add or remove items from this list. By default, the following is listed:
  • <cmdline:*protectionmanagement.dll*>Register-cimprovider.exe

Runonce.exe

Use this group to specify how to handle suspicious Runonce command lines. Runonce is an application typically used to install drivers and services at startup.

The Runonce.exe settings for the Suspicious Command Line Protection N-Z Rapid Config

*Report Or Block Execution Of Runonce With Suspicious Command Lines:
Should execution of Runonce with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Runonce Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following is listed:
  • <cmdline:*/AlternateShellStartup*>Runonce.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.

sc.exe

Use this group to specify how to handle suspicious sc command lines. sc is the Service Control Manager.

The sc.exe settings for the Suspicious Command Line Protection N-Z Rapid Config

*Report Or Block Execution Of Sc With Suspicious Command Lines:
Should execution of Sc with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Sc Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following is listed:
  • <cmdline:*create*>sc.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.

Winword.exe

Use this group to specify how to handle suspicious Winword command lines. Winword is the Microsoft Office Word application.

The Winword.exe settings for the Suspicious Command Line Protection N-Z Rapid Config

*Report Or Block Execution Of Winword With Suspicious Command Lines:
Should execution of Winword with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Winword Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following is listed:
  • <cmdline:*/l*>Winword.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.
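As a worked model of how the report lists, the exclusion lists and the per-section action interact, the following script loads the default entries from this page and evaluates a set of constructed sample process starts. This is an added example, not Carbon Black App Control code; the matching semantics are assumptions (`*` is a wildcard, the pattern is matched case-insensitively against the full command line, and an entry in "Command Lines That Should Not Be Reported" takes precedence over the report list), and the sample command lines are constructed, not real telemetry.

```python
"""Model of how a 'Suspicious Command Line' rapid config section decides an outcome.

Added example, not Carbon Black App Control code. Assumptions:
  - a list entry has the form '<cmdline:PATTERN>PROCESS' with '*' as a wildcard
  - PATTERN is matched case-insensitively against the full command line
  - a match in 'Command Lines That Should Not Be Reported' overrides the
    report list; the section's action (Report/Block) applies only otherwise
"""
import fnmatch
import re
from dataclasses import dataclass

DO_NOTHING, REPORT, BLOCK = "Do Nothing", "Report", "Block"
RULE_RE = re.compile(r"<cmdline:(?P<pattern>[^>]+)>(?P<process>.+)")


class CmdlineRule:
    """One '<cmdline:...>process.exe' entry compiled to an anchored regex."""

    def __init__(self, spec: str) -> None:
        m = RULE_RE.fullmatch(spec.strip())
        if m is None:
            raise ValueError(f"unrecognised rule: {spec!r}")
        self.process = m.group("process").lower()
        self.pattern = m.group("pattern")
        # fnmatch.translate turns the glob into an anchored regex; IGNORECASE
        # because Windows command lines are not case sensitive (assumption).
        self._regex = re.compile(fnmatch.translate(self.pattern), re.IGNORECASE)

    def matches(self, process: str, cmdline: str) -> bool:
        return process.lower() == self.process and bool(self._regex.match(cmdline))


@dataclass
class Section:
    action: str    # DO_NOTHING, REPORT or BLOCK
    report: list   # 'Command Lines To Report'
    exclude: list  # 'Command Lines That Should Not Be Reported'


# Default entries exactly as listed on this page (Netsh ... Winword).
DEFAULT_LISTS = {
    "netsh.exe": ([f"<cmdline:*{w}*>Netsh.exe" for w in
                   ("add", "delete", "export", "import", "off",
                    "portproxy", "show", "trace")], []),
    "odbcconf.exe": (["<cmdline:*-f*.rsp*>Odbcconf.exe"], []),
    "register-cimprovider.exe": (["<cmdline:*-path*>Register-cimprovider.exe"],
                                 ["<cmdline:*protectionmanagement.dll*>Register-cimprovider.exe"]),
    "runonce.exe": (["<cmdline:*/AlternateShellStartup*>Runonce.exe"], []),
    "sc.exe": (["<cmdline:*create*>sc.exe"], []),
    "winword.exe": (["<cmdline:*/l*>Winword.exe"], []),
}


def build_config(actions: dict) -> dict:
    """Build per-process sections; processes not named in `actions` default to Report."""
    config = {}
    for process, (report, exclude) in DEFAULT_LISTS.items():
        config[process] = Section(
            action=actions.get(process, REPORT),
            report=[CmdlineRule(s) for s in report],
            exclude=[CmdlineRule(s) for s in exclude],
        )
    return config


def evaluate(config: dict, process: str, cmdline: str) -> str:
    """Outcome for one process start: DO_NOTHING, REPORT or BLOCK."""
    section = config.get(process.lower())
    if section is None or section.action == DO_NOTHING:
        return DO_NOTHING
    if any(r.matches(process, cmdline) for r in section.exclude):
        return DO_NOTHING  # exclusions win over the report list (assumption)
    if any(r.matches(process, cmdline) for r in section.report):
        return section.action
    return DO_NOTHING


# Constructed sample process starts (not real telemetry).
SAMPLE_EVENTS = [
    ("netsh.exe", "netsh advfirewall firewall show rule name=all"),
    ("netsh.exe", "netsh winhttp reset proxy"),
    ("Register-cimprovider.exe",
     r"Register-cimprovider.exe -namespace root\Microsoft\ProtectionManagement "
     r"-providerName ProtectionManagement -path C:\Windows\System32\wbem\ProtectionManagement.dll"),
    ("Register-cimprovider.exe",
     r"Register-cimprovider.exe -namespace root\Example -providerName ExampleProv -path C:\Temp\example.dll"),
    ("sc.exe", "sc query wuauserv"),
    ("sc.exe", r"sc create ExampleSvc binPath= C:\Example\svc.exe"),
    ("winword.exe", r'WINWORD.EXE /n "C:\Users\lee\Documents\report.docx"'),
    ("winword.exe", 'WINWORD.EXE "https://intranet.example/letters/draft.docx"'),
]


def triage(config: dict, events=SAMPLE_EVENTS) -> list:
    """Return [(process, cmdline, outcome)] for each event, for review."""
    return [(p, c, evaluate(config, p, c)) for p, c in events]


if __name__ == "__main__":
    # Per the page's recommendation: everything on Report first; sc.exe shown as Block.
    cfg = build_config({"sc.exe": BLOCK})
    for process, cmdline, outcome in triage(cfg):
        print(f"{outcome:10} {process:26} {cmdline}")
```

The two Register-cimprovider events show the exclusion list doing its job: both contain `-path`, but only the one that does not load protectionmanagement.dll is reported. The last Winword event shows why the page recommends Report before Block: `*/l*` matches any command line containing "/l", including a URL path, so the events collected in Report mode are what let you add exclusions before switching a section to Block.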