Purpose: To look for suspicious behavior based on unusual command lines.
Description: Reports or prevents behavior by common applications that is suspicious based on command line.
Enabled by Default: | No |
Platform: | Windows |
Minimum Agent Version Required: | 8.0.0 |
Rapid Config Settings
As with most rapid configs, you can:
-
Enable or disable the rapid config.
-
Specify what policies the rapid config applies to.
In addition, you can choose to Do Nothing, Report, or Block the specific items or behaviors.
For each of the following sections, specify what action you require.
Netsh.exe
Use this group to specify how to handle suspicious Netsh command lines. Netsh is the Network shell command line utility.
- *Report Or Block Execution Of Netsh With Suspicious Command Lines:
- Should execution of Netsh with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
- Netsh Command Lines To Report:
- Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following are listed:
- Command Lines That Should Not Be Reported:
- Execution of command lines specified here will not be reported or blocked.
Odbcconf.exe
Use this group to specify how to handle suspicious Odbcconf command lines. Odbcconf is a utility for configuring ODBC drivers.
- *Report Or Block Execution Of Odbcconf With Suspicious Command Lines:
- Should execution of Odbcconf with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
- Odbcconf Command Lines To Report:
- Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following is listed:
- Command Lines That Should Not Be Reported:
- Execution of command lines specified here will not be reported or blocked.
Register-cimprovider.exe
Use this group to specify how to handle suspicious Register-cimprovider command lines. Register-cimprovider is a utility for registering Windows Management Infrastructure providers.
- *Report Or Block Execution Of Register-cimprovider With Suspicious Command Lines:
- Should execution of Register-cimprovider with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
- Register-cimprovider Command Lines To Report:
- Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following is listed:
- Command Lines That Should Not Be Reported:
- Execution of command lines specified here will not be reported or blocked. You can add or remove items from this list. By default, the following is listed:
Runonce.exe
Use this group to specify how to handle suspicious Runonce command lines. Runonce is an application typically used to install drivers and services at startup.
- *Report Or Block Execution Of Runonce With Suspicious Command Lines:
- Should execution of Runonce with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
- Runonce Command Lines To Report:
- Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following is listed:
- Command Lines That Should Not Be Reported:
- Execution of command lines specified here will not be reported or blocked.
sc.exe
Use this group to specify how to handle suspicious sc command lines. sc is the Service Control Manager.
- *Report Or Block Execution Of Sc With Suspicious Command Lines:
- Should execution of Sc with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
- Sc Command Lines To Report:
- Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following is listed:
- Command Lines That Should Not Be Reported:
- Execution of command lines specified here will not be reported or blocked.
Winword.exe
Use this group to specify how to handle suspicious Winword command lines. Winword is the Micorosoft Office Word application.
- *Report Or Block Execution Of Winword With Suspicious Command Lines:
- Should execution of Winword with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
- Winword Command Lines To Report:
- Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following is listed:
- Command Lines That Should Not Be Reported:
- Execution of command lines specified here will not be reported or blocked.