In the following article we want to assist organizations in searching Carbon Black Response in identifying any endpoints that may have accessed malicious or suspicious domains. 

Use cases:

  • You receive a phishing email and want to determine whether any beaconing has occurred
  • You run up against a credential harvesting campaign and would like to determine how many credentials were collected 
  • You need to find a domain that is the subject of an investigation 

Domain Search

Once you have a suspect domain, open Process Search
https://<subdomain>-cb.my.redcanary.co/#/search

In Process Search, type:

Domain:baddomain.com 

Results of this search will determine if any data exists in Carbon Black Response for the suspect domain. The absence of results means that there are NO instances of this domain recorded within Carbon Black Response (be sure to double-check spelling). 

Newly Observed Binaries

Next, you will want to identify any new binaries (Portable Executables) or DLLs that were downloaded and executed, relative to this domain (around the time the domain was visited).

From within Binary Search
(https://<subdomain>.my.redcanary.co/#/binaries/cb.urlver=1&sort=server_added_timestamp%20desc&rows=10&start=0)

Search for newly unsigned executables:

is_executable_image:"true"  digsig_result:"Unsigned" 

Adding context, you may want to include specific hosts to your search.
To search for a specific hostname, use:

sensor_id:<sensorid_of_computer>  is_executable_image:"true"  digsig_result:"Unsigned" 

This will show us if any new unsigned binaries have executed on this single endpoint within the time frame given in our search.

In order to check which DLLs were loaded, alter your search as follows: 

sensor_id:<sensorid_of_computer> digsig_result:”Unsigned”  is_executable_image:”false” 

This results in a broad view that is intentionally noisy. At this point, we want to identify anything suspicious that is relevant to our current investigation.  

Reviewing every domain a user visits from a browser is not practical. If this was an example of a phishing/credential harvesting domain, we may get lucky by narrowing it down to the computer and the Outlook.exe process.


Process Search and Outlook

In Process Search:

hostname:<computername> parent_name:outlook.exe 

Example of Outlook spawning iexplore.exe and we see the malicious domain in the Command Line field:

Additionally,  the following query will find any browser being spawned from Outlook:

parent_name:outlook.exe (process_name:iexplore.exe OR process_name:chrome.exe OR process_name:microsoftedge.exe OR process_name:firefox.exe) hostname:<computername> 

We will need to review the Command Line data in Process Analysis to see the domain. Most of the results will be filled with legitimate domains and day to day activity. Attempt to narrow the time of the original click and you will then be able to potentially identify the malicious domain. Downloading the CSV from Process Search will provide a full list of Command Lines for each event found.

Happy Hunting!

Did this answer your question?