2014 User Xchange - Boston, MA

  • 1.  Carbon Black Tactics - Patterns of Compromise

    Posted Dec 09, 2014 02:56 PM

    jdarby takes us on a stroll through common malware tells along with accessing the powerful Carbon Black API!



  • 2.  RE: Carbon Black Tactics - Patterns of Compromise

    Posted Jun 13, 2015 04:21 AM

    When talking about identifying often-targeted applications spawning cmd.exe, I don't believe the query displayed is correct.

    childproc_name:cmd.exe AND (parent_name:iexplore.exe OR parent_name:firefox.exe OR parent_name:chrome.exe OR parent_name:acrord32.exe OR parent_name:java.exe OR parent_name:javaw.exe OR parent_name:*flash*)

    With that query, it would identify a.exe in this example.

    javaw.exe --spawns--> a.exe --spawns--> cmd.exe

    In this scenario javaw.exe is the parent process of a.exe and cmd.exe is the child process of a.exe, so a.exe would match. I believe this is the desired query:

    childproc_name:cmd.exe AND (process_name:iexplore.exe OR process_name:firefox.exe OR process_name:chrome.exe OR process_name:acrord32.exe OR process_name:java.exe OR process_name:javaw.exe OR process_name:*flash*)

    Which would match:

    javaw.exe --spawns--> cmd.exe



  • 3.  RE: Carbon Black Tactics - Patterns of Compromise

    Posted Jun 18, 2015 04:43 AM

    Hello, do you mind uploading the file again, please?

    Thanks



  • 4.  RE: Carbon Black Tactics - Patterns of Compromise

    Posted Jun 18, 2015 03:48 PM

    You are absolutely correct in your query syntax. Sorry for the late reply, just wanted to ensure our query in the Bit9 Threat Intel Cloud was correct and it is:

    cb.urlver=1&q=(process_name%3Aiexplore.exe%20OR%20process_name%3Afirefox.exe%20OR%20process_name%3Achrome.exe%20OR%20process_name%3Aacrord32.exe%20OR%20process_name%3Ajava.exe%20OR%20process_name%3Ajavaw.exe)%20AND%20childproc_name%3Acmd.exe&cb.q.os_type=(os_type%3A%22windows%22)

    This is from our Suspicious Indicators feed and as you can see it matches the query that you suggested with the addition of limiting it to the windows platform.

    The actual query from the tactics presentation would find java.exe->random.exe->cmd.exe or browser->random.exe->cmd.exe which is still a pretty good query to use while hunting.

    Thanks so much for contributing!
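The two points raised in this thread, that `parent_name` and `process_name` anchor the same `childproc_name:cmd.exe` clause on different processes in the tree (post 2), and that the URL-encoded feed query in post 4 decodes to the `process_name` form, can be checked with a small simulation. The following is an added example, not code from Carbon Black or from anyone in the thread: it models a process tree as constructed records, evaluates a simplified subset of the query syntax (`field:value`, `AND`, `OR`, parentheses, `*` wildcards) against each record, and decodes the feed's `q=` parameter with the standard library. The evaluator is a toy approximation of how the real search engine scopes these fields, and `PROCESSES` is invented data.

```python
"""Toy evaluator for the process-search clauses discussed in the thread (added example)."""
import re
from fnmatch import fnmatch
from urllib.parse import parse_qs

# Constructed process records (pid, name, ppid), not real telemetry. Two scenarios:
#   pid 1 javaw.exe -> pid 2 a.exe -> pid 3 cmd.exe   (indirect, via an intermediate binary)
#   pid 4 javaw.exe -> pid 5 cmd.exe                  (direct spawn)
PROCESSES = [
    (1, "javaw.exe", 0),
    (2, "a.exe", 1),
    (3, "cmd.exe", 2),
    (4, "javaw.exe", 0),
    (5, "cmd.exe", 4),
]

PARENT_QUERY = ("childproc_name:cmd.exe AND (parent_name:iexplore.exe OR parent_name:firefox.exe "
                "OR parent_name:chrome.exe OR parent_name:acrord32.exe OR parent_name:java.exe "
                "OR parent_name:javaw.exe OR parent_name:*flash*)")
PROCESS_QUERY = PARENT_QUERY.replace("parent_name:", "process_name:")

# The feed query string quoted in post 4, verbatim.
FEED_URL = ("cb.urlver=1&q=(process_name%3Aiexplore.exe%20OR%20process_name%3Afirefox.exe%20OR%20"
            "process_name%3Achrome.exe%20OR%20process_name%3Aacrord32.exe%20OR%20process_name%3Ajava.exe"
            "%20OR%20process_name%3Ajavaw.exe)%20AND%20childproc_name%3Acmd.exe"
            "&cb.q.os_type=(os_type%3A%22windows%22)")


def build_records(processes):
    """Give every process its own name, its parent's name and the names of its children."""
    by_pid = {pid: name for pid, name, _ in processes}
    return [{
        "pid": pid,
        "process_name": name,
        "parent_name": by_pid.get(ppid, ""),
        "childproc_name": [n for p, n, pp in processes if pp == pid],
    } for pid, name, ppid in processes]


_TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|[\w.]+:[^\s()]+")


def parse(query):
    """Recursive-descent parse of the query subset into nested tuples; OR binds looser than AND."""
    tokens = _TOKEN.findall(query)
    pos = 0

    def expr():
        nonlocal pos
        node = term()
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            node = ("or", node, term())
        return node

    def term():
        nonlocal pos
        node = factor()
        while pos < len(tokens) and tokens[pos] == "AND":
            pos += 1
            node = ("and", node, factor())
        return node

    def factor():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            node = expr()
            assert tokens[pos] == ")", "unbalanced parentheses"
            pos += 1
            return node
        field, value = tok.split(":", 1)
        return ("clause", field, value.strip('"'))

    tree = expr()
    assert pos == len(tokens), "trailing tokens in query"
    return tree


def evaluate(node, rec):
    """Every clause is judged relative to the same record: process_name is the record
    itself, parent_name its parent, childproc_name any of its direct children."""
    if node[0] == "and":
        return evaluate(node[1], rec) and evaluate(node[2], rec)
    if node[0] == "or":
        return evaluate(node[1], rec) or evaluate(node[2], rec)
    _, field, pattern = node
    if field == "childproc_name":
        return any(fnmatch(c.lower(), pattern.lower()) for c in rec["childproc_name"])
    return field in rec and fnmatch(rec[field].lower(), pattern.lower())


def search(query, processes=PROCESSES):
    """Return the pids of the processes whose record satisfies the query."""
    tree = parse(query)
    return [r["pid"] for r in build_records(processes) if evaluate(tree, r)]


def decode_feed_query(encoded):
    """Pull the q= search and the cb.q.os_type scope out of the feed's URL-encoded string."""
    params = parse_qs(encoded)
    return params["q"][0], params.get("cb.q.os_type", [""])[0]


if __name__ == "__main__":
    print("parent_name form matches pids:", search(PARENT_QUERY))    # a.exe, the middle process
    print("process_name form matches pids:", search(PROCESS_QUERY))  # javaw.exe spawning cmd.exe directly
    q, scope = decode_feed_query(FEED_URL)
    print("feed query:", q, "| scope:", scope)
    print("feed query matches pids:", search(q))
```

Run stand-alone, the `parent_name` form flags pid 2 (`a.exe`, whose parent is `javaw.exe` and whose child is `cmd.exe`), while the `process_name` form and the decoded feed query both flag pid 4 (the `javaw.exe` that spawns `cmd.exe` itself); neither form flags both trees, which is why post 4 suggests keeping both while hunting. The decoded feed query also shows the `*flash*` term is absent from the feed version and that the Windows restriction lives in a separate `cb.q.os_type` parameter rather than in `q` itself.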