The Carbon Black Threat Analysis Unit (TAU) crafts and publishes high-fidelity prevention rules to Windows sensors running version 3.6 or later. These rules protect you from a variety of late-breaking, high-impact attacks without requiring you to change your policy configurations.

Core Preventions are enabled out-of-the-box and do not require user configuration to begin protecting your environment. These rule groups require no sensor updates; new preventions are automatically delivered as they become available.

Despite the high fidelity and low false-positive rate of these preventions, business-critical assets sometimes perform behaviors that trigger false positives. For that reason, policy configuration options let you set any TAU-published prevention category to Alert Only if necessary.

The six core prevention configuration categories to which the TAU team publishes are:

  • Advanced Scripting Prevention: Addresses malicious fileless and file-backed scripts that leverage native programs and common scripting languages.
  • Carbon Black Threat Intel: Addresses common and pervasive TTPs used for malicious activity as well as living off the land TTPs/behaviors that TAU detects.
  • Credential Theft: Addresses threat actors obtaining credentials and relies on detecting the malicious use of TTPs/behaviors that indicate such activity.
  • Defense Evasion: Addresses common TTPs/behaviors that threat actors use to avoid detection, such as uninstalling or disabling security software, obfuscating or encrypting data and scripts, and abusing trusted processes to hide and masquerade their malicious activity.
  • Persistence: Addresses common TTPs/behaviors that threat actors use to retain access to systems across restarts, changed credentials, and other interruptions that can cut off their access.
  • Privilege Escalation: Addresses behaviors indicating that a threat actor has gained elevated access through a bug or misconfiguration in the operating system, and relies on detecting the associated TTPs/behaviors to prevent such activity.