Today, I release CB Bot! CB Bot is a threat hunting and incident response web application framework to use with Carbon Black (CB) Defense. Not only will you be able to run commands and execute files, but you will also be able to upload and download any files you want within your environment! I've created this a while back with the amazing help of an awesome buddy of mine (who wanted to remain anonymous) because we felt that CB should be able to help users hunt and find evil quicker.

Before We Get Started

For folks who haven't met me, I am an automation freak. I try to automate almost anything I can. I truly believe that automation should not replace a person, but instead, make a person perform better and work faster. Especially in incident response investigations, where time is critical, I believe that automation is key.

So with that said, before you continue, make sure you follow along if you can! If you have a Carbon Black account and want to test this out, clone the CB Bot repository: https://www.github.com/allthingsdfir/cb-bot. Make sure you install it and configure it, as mentioned in the Github repository, before you read on. If you do not have Carbon Black, don't worry, hopefully this blog post will give you an idea for your  environment's own EDR platform and how to automate to do better threat hunting activities.

The Basics

In order to start sweeping (hunting) for evil across your CB environment, first log into CB Bot and head over to the Endpoints page on the navigation pane to your left. Once you're there, just click the Refresh List button on the top right corner of the page and this will create a task for you. Results should be fairly quick, but you can check out the job you've created on the Tasks page.

In CB Bot, there are two (2) kinds of tasks: a job or a sweep. The task that we just ran to refresh the endpoint list in your CB environment is a job. There is only one job at the moment, but as CB Bot gets smarter, there will be more jobs to do. Sweeps, on the other hand, are the different hunts that you can run in your environment. When you go to your Tasks page, you'll get to see both of them. In Figure 1 below, you'll see just one (1) task created, which is the "Refresh Endpoint List" job.

Figure 1: Screenshot of the Tasks page

You'll notice that on the top right of the page there is a message box. These are alerts created whenever a task completes or errors out. So whenever you run something and log back in a couple of hours later, if a task finishes, CB Bot will let you know via an alert. Now, if you want to check out the Endpoints page, you'll see all of the endpoints reporting in your CB environment. You can also check the total number of endpoints in the Home page as shown in Figure 2 below. You'll also notice that the Last Updated Endpoint List section indicates when was the last time a CB Bot user has refreshed the list.

Figure 2: Home page with the total endpoints checking in CB

Let's Sweep!

Now that we have all the endpoints in our environment, we can start sweeping (hunting). You'll notice that when you click the Sweep tab on the navigation pane, two (2) options pop up: build and run. Installing CB Bot out of the box comes with default sweeps and I've created these to facilitate the threat hunting processes for any CB environment. However, that does not mean that these are the only sweeps available. You can most certainly build one by going to the build section of the Sweep tab. This will allow you to see all the sweeps that have been created and allow you create sweeps of your own.

Pro Tip: You can create custom sweeps per operating system. Just make sure to indicate what operating system you want to run this sweep on and CB Bot will take care of that for you.

Assuming you've created your own sweep type or are using one of the ones I've created, you can go to the run section of the Sweep tab to start sweeping! It's quite simple. All you need to do is select the Sweep Type and fill out all of the necessary details below such as Sweep Name. For example, let's sweep for "AppCompatCache". Figure 3 will show how I've configured this sweep.

Figure 3: AppCompat build sweep details

And that's it! All you do now is click the Run Sweep! button below and CB Bot will take care of the rest. Once you have that going, you can check the status of the sweep by clicking on the Tasks page as you can see below in Figure 4.

Figure 4: Task page with sweep task created

In fact, in this page you can pause a sweep or restart it as you see fit. I've had to occasionally restart sweeps since I wanted to make sure to give CB Bot a break sometimes. If for some reason sweeps don't get completed, at least you can take a closer look at the sweep details to understand why the unfinished endpoints keep failing. In most cases it could be due to the minimum check in time (i.e. review the settings for CB Bot) or because of certain script fails. In my experience with many EDR tools in the past, getting to around 90 percent sweep completion is more than enough to find some evil. Figure 5 shows a screenshot of the sweep details for our recently created "AppCompat Hunt" sweep.

Figure 5: "AppCompat Hunt" Sweep details

When CB Bot collects results from a sweep, it will place it in a directory for CB Bot users to download. In order to access the data, just SFTP to your CB Bot instance, and you should see a folder called sweep_output, and within it will be all of your sweeps following the naming convention <task_number>_<sweep_name>. I use FileZilla to connect to my demo server, and it will look something like Figure 6 below.

Figure 6: SFTP session showing sweep data

Conclusion

CB Bot should make it a lot easier for CB users to hunt across their network. Granted, this type of hunt will collect historical data and does not implement any of the real-time data that CB collects. However, having historical data is good to have from time to time. I enjoy performing routine check-ups on things like Run keys, AppCompatCache data, or even Terminal Services event logs to see what has been happening.

Due to my lack in proper coding training (i.e. I never took a Python course ever in my life), I'm sure that CB Bot could be far more efficient. Right now, my goal is to create more sweeps so that those who do use this tool, can benefit tremendously from it as I have in the past. If you're interested in contributing to CB Bot and providing some sweeps of your own, I would be more than glad to have your sweep on this repo. If you see a bug, or something that could be done to make CB Bot far more efficient, please do let me know! I'm always willing to learn how to make things better. Hope you all enjoy! Happy hunting.