In Carbon Black Cloud, depending on the offering you enable, a script host replacement can occur.
In different pages of the Carbon Black Cloud console UI, you can view a different name for the same process. The name of the process calling a script is replaced with the name of the script (file) being called by that process.
For example, an event in the Carbon Black Cloud console shows PowerShell.exe as the process name and another event shows the myscript.ps1 script name as the process.
The change of the name of the calling process with the name of the script being called is referred as script host replacement.
When you enable the Enterprise EDR offering and navigate to the Process Analysis page, you can view the name for the calling process as PowerShell.exe. The sensor does not perform name replacement and the process name displays the same everywhere.
When you enable the Endpoint Standard offering and navigate to the Alert Triage page, you can view the name for the calling process as myscript.ps1 due to the script host replacement. Here the sensor presents the script name as the process name when PowerShell runs a .ps1 file to ease the security analyst in seeing the behavior without investigating the event. This is also true for the V6 Alerts API.
When both, Enterprise EDR and Endpoint Standard features are enabled, the script host replacement occurs.
- enhanced:true - returns only the events that list the script (file) name as the process name.
- enhanced:false - returns only the events that list the process name as is.