Today I'm releasing CB Bot! CB Bot is a threat hunting and incident response web application framework for use with Carbon Black (CB) Defense. Not only can you run commands and execute files, you can also upload and download any files you want within your environment! I built this a while back with the amazing help of an awesome buddy of mine (who wanted to remain anonymous) because we felt that CB should help users hunt and find evil quicker.
Before We Get Started
For folks who haven't met me, I am an automation freak. I try to automate almost anything I can. I truly believe that automation should not replace a person but instead make a person perform better and work faster. Especially in incident response investigations, where time is critical, I believe automation is key.
So with that said, before you continue, follow along if you can! If you have a Carbon Black account and want to test this out, clone the CB Bot repository: https://www.github.com/allthingsdfir/cb-bot. Install and configure it as described in the GitHub repository before you read on. If you do not have Carbon Black, don't worry; hopefully this blog post will give you ideas for automating better threat hunting on your own environment's EDR platform.
To start sweeping (hunting) for evil across your CB environment, first log into CB Bot and head over to the Endpoints page on the navigation pane to your left. Once you're there, click the Refresh List button in the top right corner of the page; this creates a task for you. Results should come back fairly quickly, but you can check on the job you've created on the Tasks page.
In CB Bot there are two (2) kinds of tasks: jobs and sweeps. The task we just ran to refresh the endpoint list in your CB environment is a job. There is only one job at the moment, but as CB Bot gets smarter there will be more. Sweeps, on the other hand, are the different hunts you can run across your environment. When you go to your Tasks page, you'll see both kinds. In Figure 1 below you'll see just one (1) task created, the "Refresh Endpoint List" job.
You'll notice a message box at the top right of the page. These are alerts created whenever a task completes or errors out, so if you run something and log back in a couple of hours later, CB Bot will let you know via an alert whether the task finished. Now, if you check out the Endpoints page, you'll see all of the endpoints reporting in your CB environment. You can also check the total number of endpoints on the Home page, as shown in Figure 2 below. You'll also notice that the Last Updated Endpoint List section indicates the last time a CB Bot user refreshed the list.
Now that we have all the endpoints in our environment, we can start sweeping (hunting). When you click the Sweep tab on the navigation pane, two (2) options pop up: build and run. CB Bot ships with default sweeps that I created to facilitate threat hunting in any CB environment, but those are not the only sweeps available. You can most certainly build your own by going to the build section of the Sweep tab, which shows all the sweeps that have been created and lets you create sweeps of your own.
Pro Tip: You can create custom sweeps per operating system. Just indicate which operating system the sweep should run on and CB Bot will take care of the rest.
Whether you've created your own sweep type or are using one of the ones I've created, go to the run section of the Sweep tab to start sweeping! It's quite simple: select the Sweep Type and fill out the necessary details below it, such as the Sweep Name. For example, let's sweep for "AppCompatCache". Figure 3 shows how I've configured this sweep.
And that's it! Click the Run Sweep! button below and CB Bot will take care of the rest. Once the sweep is running, you can check its status on the Tasks page, as shown below in Figure 4.
In fact, on this page you can pause a sweep or restart it as you see fit. I've occasionally had to restart sweeps, since I wanted to give CB Bot a break sometimes. If for some reason a sweep doesn't complete, you can at least take a closer look at the sweep details to understand why the unfinished endpoints keep failing. In most cases this is due to the minimum check-in time (review the CB Bot settings) or because a collection script fails. In my experience with many EDR tools, getting to around 90 percent sweep completion is more than enough to find some evil. Figure 5 shows a screenshot of the sweep details for our recently created "AppCompat Hunt" sweep.
When CB Bot collects results from a sweep, it places them in a directory for CB Bot users to download. To access the data, SFTP to your CB Bot instance and you should see a folder called sweep_output; within it are all of your sweeps, following the naming convention <task_number>_<sweep_name>. I use FileZilla to connect to my demo server, and it looks something like Figure 6 below.
CB Bot should make it a lot easier for CB users to hunt across their network. Granted, this type of hunt collects historical data and does not use any of the real-time data that CB collects. However, historical data is good to have from time to time. I enjoy performing routine check-ups on things like Run keys, AppCompatCache data, or even Terminal Services event logs to see what has been happening.
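As an added example (not CB Bot's own code, and not anything from its repository), here is the kind of post-processing I run on the historical data a sweep brings back: stack the AppCompatCache entries from every endpoint and surface the paths that show up on only one or two hosts, and compute how much of the targeted endpoint list actually came back, which is the completion figure discussed above. The post does not document the per-endpoint file format inside sweep_output/<task_number>_<sweep_name>, so the script assumes one plain-text file per endpoint (<endpoint>.txt) holding one executable path per line; the endpoint names and paths below are constructed sample data.

```python
"""Stack AppCompatCache sweep output across endpoints (added example, not CB Bot code).

Assumed layout (the post does not specify the per-endpoint format):
    sweep_output/<task_number>_<sweep_name>/<endpoint>.txt
where each .txt holds one executable path per line as recovered from that
host's AppCompatCache. All endpoint names and paths below are constructed.
"""
import os
import re
import tempfile
from collections import defaultdict

# Matches the folder convention the post describes: <task_number>_<sweep_name>
SWEEP_DIR_RE = re.compile(r"^(?P<task>\d+)_(?P<name>.+)$")

# Constructed sample: five endpoints were targeted, four returned data, ws-05 never checked in.
EXPECTED_ENDPOINTS = ["ws-01", "ws-02", "ws-03", "ws-04", "ws-05"]
SAMPLE_RESULTS = {
    "ws-01": [r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Vendor\agent.exe"],
    "ws-02": [r"c:\windows\system32\svchost.exe", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Vendor\agent.exe",
              r"C:\Users\Public\Libraries\update.exe"],
    "ws-03": [r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Vendor\agent.exe"],
    "ws-04": [r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Vendor\agent.exe",
              r"C:\Users\jdoe\AppData\Local\Temp\7z.exe"],
}


def parse_sweep_dir(dirname):
    """Return (task_number, sweep_name) for a sweep folder name, or None if it does not match."""
    m = SWEEP_DIR_RE.match(dirname)
    return (int(m.group("task")), m.group("name")) if m else None


def normalize_path(path):
    """Case-fold and trim so differently cased copies of the same binary stack together."""
    return path.strip().lower()


def stack_entries(results):
    """Map each normalized path to the sorted list of endpoints it was seen on."""
    hosts = defaultdict(set)
    for endpoint, paths in results.items():
        for path in paths:
            norm = normalize_path(path)
            if norm:
                hosts[norm].add(endpoint)
    return {path: sorted(eps) for path, eps in hosts.items()}


def rare_entries(results, max_hosts=1):
    """Paths seen on at most max_hosts endpoints, rarest first: the least-frequency hunt."""
    rare = [(p, eps) for p, eps in stack_entries(results).items() if len(eps) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


def completion(expected, results):
    """Percent of expected endpoints that returned data, plus the ones still missing."""
    missing = sorted(set(expected) - set(results))
    pct = 100.0 * (len(expected) - len(missing)) / len(expected) if expected else 0.0
    return pct, missing


def load_sweep(sweep_path):
    """Read every <endpoint>.txt in a sweep folder into {endpoint: [path, ...]}."""
    results = {}
    for fname in sorted(os.listdir(sweep_path)):
        endpoint = os.path.splitext(fname)[0]
        with open(os.path.join(sweep_path, fname), encoding="utf-8", errors="replace") as fh:
            results[endpoint] = [ln for ln in fh.read().splitlines() if ln.strip()]
    return results


def write_sample_sweep(root, task_number=3, sweep_name="AppCompat Hunt"):
    """Lay the constructed sample out on disk using the post's folder convention."""
    sweep_path = os.path.join(root, "sweep_output", f"{task_number}_{sweep_name}")
    os.makedirs(sweep_path, exist_ok=True)
    for endpoint, lines in SAMPLE_RESULTS.items():
        with open(os.path.join(sweep_path, endpoint + ".txt"), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return sweep_path


def round_trip_demo():
    """Write the sample to a temp dir, read it back with load_sweep, and return what was read."""
    with tempfile.TemporaryDirectory() as tmp:
        return load_sweep(write_sample_sweep(tmp))


if __name__ == "__main__":
    results = round_trip_demo()
    pct, missing = completion(EXPECTED_ENDPOINTS, results)
    print(f"Sweep completion: {pct:.0f}% (missing: {', '.join(missing) or 'none'})")
    for path, eps in rare_entries(results):
        print(f"  {path}  <- only on {', '.join(eps)}")
```

On real output, point load_sweep at the downloaded sweep folder and pass the endpoint list from the Endpoints page as the expected set; the two user-writable paths in the sample are exactly the kind of entries that stand out once the common system binaries have stacked across every host, and the completion figure tells you whether the remaining gap is a few endpoints that never checked in or a script failure worth investigating in the sweep details.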
Due to my lack of proper coding training (I never took a Python course in my life), I'm sure CB Bot could be far more efficient. Right now my goal is to create more sweeps so that those who use this tool can benefit from it as much as I have. If you're interested in contributing to CB Bot and providing some sweeps of your own, I would be more than glad to have your sweep in this repo. If you see a bug, or something that could make CB Bot far more efficient, please let me know! I'm always willing to learn how to make things better. Hope you all enjoy! Happy hunting.