ProcessQuerying - ace-ecosystem/cbinterface2 GitHub Wiki
Process Querying
Search for processes using Lucene query syntax and/or field:value searches.
Note: If a query returns a lot of results, a warning is printed (and confirmation asked) before the console is flooded. You can disable this, for example when sending results to a file or to less, with the --no-warnings (-nw) flag.
$ cbinterface query -h
usage: cbinterface query [-h] [-s START_TIME] [-e LAST_TIME] [-nw]
[-ad] [--facets]
query
positional arguments:
query the process search query you'd like to execute
optional arguments:
-h, --help show this help message and exit
-s START_TIME, --start-time START_TIME
Start time of the process. Format:'Y-m-d H:M:S' UTC
-e LAST_TIME, --last-time LAST_TIME
Narrow to processes with start times BEFORE this
end/last time. Format:'Y-m-d H:M:S' UTC
-nw, --no-warnings Don't warn before printing large query results
-ad, --all-details Print all available process info (all fields).
--facets Retrieve statistical facets for this query.
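The -s and -e flags take 'Y-m-d H:M:S' in UTC, while result records print Start Time with the sensor's local offset (see the -0500 in the PSC example below), so a window copied off a result has to be converted before it is passed back in. The following is an added example for this page, not code from cbinterface2: it converts an observed Start Time into UTC bounds that bracket it, assembles the argv with the flags documented above, and shell-quotes the Lucene query. Field and flag names are the ones shown on this page; the helper names are this example's own.

```python
"""Build a `cbinterface query` command line around an observed process.

Added example for this wiki page, not code from cbinterface2. It assumes
only what the help text states: -s/-e take 'Y-m-d H:M:S' in UTC. Result
records print Start Time with a UTC offset (e.g. 2021-03-12 09:32:25.290000-0500),
so that value must be shifted to UTC before it goes into -s/-e."""
from __future__ import annotations

import shlex
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

FLAG_FMT = "%Y-%m-%d %H:%M:%S"         # what -s/-e expect, in UTC
RESULT_FMT = "%Y-%m-%d %H:%M:%S.%f%z"   # Start Time as printed in a result


def to_flag_time(when: datetime) -> str:
    """Render an offset-aware datetime as the UTC string -s/-e expect."""
    if when.tzinfo is None:
        raise ValueError("naive datetime: keep the offset the result printed")
    return when.astimezone(timezone.utc).strftime(FLAG_FMT)


def window_around(result_start_time: str, minutes: int) -> Tuple[str, str]:
    """-s/-e bounds that bracket a Start Time copied from a result record.

    Typical pivot: what else ran on that host within N minutes of the hit."""
    observed = datetime.strptime(result_start_time, RESULT_FMT)  # keeps -0500
    delta = timedelta(minutes=minutes)
    return to_flag_time(observed - delta), to_flag_time(observed + delta)


def build_query_argv(query: str, start_utc: str, end_utc: str, *,
                     no_warnings: bool = True, all_details: bool = False,
                     facets: bool = False) -> List[str]:
    """Assemble argv for `cbinterface query` using the flags in the help text."""
    if datetime.strptime(end_utc, FLAG_FMT) <= datetime.strptime(start_utc, FLAG_FMT):
        raise ValueError("-e must be later than -s")
    argv = ["cbinterface", "query", "-s", start_utc, "-e", end_utc]
    if no_warnings:        # the right default when output goes to a file or pager
        argv.append("-nw")
    if all_details:
        argv.append("-ad")
    if facets:
        argv.append("--facets")
    argv.append(query)     # positional query goes last
    return argv


def as_shell(argv: List[str]) -> str:
    """Quote for pasting into a POSIX shell; the query itself contains spaces."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Bracket the rundll32 hit from the PSC example on this page by five minutes
    # and look at everything that device ran in that window.
    s, e = window_around("2021-03-12 09:32:25.290000-0500", 5)
    print(as_shell(build_query_argv("device_name:yhp2bg", s, e, facets=True)))
```

Run the block to print a ready-to-paste command; the -nw flag is on by default because a wrapped invocation is rarely interactive.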
PSC EDR Example
The guide built into the product is great for field explanations. The search fields are also documented publicly by Carbon Black.
$ cbinterface query 'parent_name:svchost.exe process_name:rundll32.exe'
2021-03-12 14:46:33 analysis cbinterface.psc.cli[5724] INFO searching psc:default environment..
2021-03-12 14:46:39 analysis cbinterface.psc.query[5724] INFO got 108 process results.
Print all results? (y/n) [y]
------------------------- QUERY RESULTS -------------------------
-------------------------
Process GUID: 7W2FQEEY-02361dc7-00000804-00000000-1d7174c85597069
Process Name: rundll32.exe
Process PID: 2052
Process MD5: ef3179d498793bf4234f708d3be28633
Process SHA256: b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa
Process Path: c:\windows\system32\rundll32.exe
Process Terminated: True
Start Time: 2021-03-12 09:32:25.290000-0500
Command Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
Process Reputation: ADAPTIVE_WHITE_LIST
Parent Name: c:\windows\system32\svchost.exe
Parent GUID: 7W2FQEEY-02361dc7-00000388-00000000-1d709ea65c739de
Parent SHA256: 643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7
Username: ['YHP2BG\\NeoLite6']
Device ID: 37100999
Device Name: yhp2bg
Device OS: WINDOWS
External IP: 174.87.68.13
Internal IP: 10.0.2.15
<omitted more results>
Response Example
The same parent/child pair, narrowed with a cmdline term. The hits below are the Windows WebDAV client (davclnt.dll,DavSetCookie) being invoked through rundll32 for an AutoRun.inf reachable over HTTP.
$ cbinterface query 'parent_name:svchost.exe process_name:rundll32.exe cmdline:AutoRun.inf'
2021-02-10 04:00:10 analysis cbinterface.cli[7211] INFO searching acmecomp environment..
2021-02-10 04:00:10 analysis cbinterface.query[7211] INFO got 27 process results grouped by id.
Print all results? (y/n) [y] y
------------------------- QUERY RESULTS -------------------------
-------------------------
Process GUID: 000059af-0000-2e74-01d6-ff16835f6f89
Process Name: rundll32.exe
Process PID: 11892
Process MD5: 80f8e0c26028e83f1ef371d7b44de3df
Process Path: c:\windows\system32\rundll32.exe
Process Status: Terminated
Command Line: rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie removedName http://serverName/folder/process/AutoRun.inf
Parent Name: svchost.exe
Parent GUID: 000059af-0000-4428-01d6-f96379775e63
Hostname: computer00601
Username: DOMAIN\Pete
Start Time: 2021-02-09 19:05:21.244000
Last Update Time: 2021-02-09 19:05:21.715000
Sensor ID: 32958
Comms IP: 192.168.252.192
Interface IP: 192.168.252.192
GUI Link: https://carbonblack.acmecomp/#analyze/000059af-0000-2e74-01d6-ff16835f6f89/1612897752481
-------------------------
Process GUID: 00006a99-0000-59ac-01d6-feff3879acfd
Process Name: rundll32.exe
Process PID: 22956
Process MD5: 80f8e0c26028e83f1ef371d7b44de3df
Process Path: c:\windows\system32\rundll32.exe
Process Status: Terminated
Command Line: rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie serverName http://example.com/folder/AutoRun.inf
Parent Name: svchost.exe
Parent GUID: 00006a99-0000-5448-01d6-fed7b2708931
Hostname: computer01035
Username: DOMAIN\Sara
Start Time: 2021-02-09 16:18:37.162000
Last Update Time: 2021-02-09 16:18:37.887000
Sensor ID: 47299
Comms IP: 185.220.101.14
Interface IP: 192.168.1.89
GUI Link: https://carbonblack.acmecomp/#analyze/00006a99-0000-59ac-01d6-feff3879acfd/1612887600302
<omitted more results>
Facets
Use the --facets option to get facet data on the command line:
cbinterface query 'parent_name:svchost.exe process_name:rundll32.exe' --facets
Example
$ cbinterface query 'parent_name:svchost.exe process_name:rundll32.exe' --facets
2021-03-12 14:58:27 analysis cbinterface.psc.cli[7867] INFO searching psc:default environment..
2021-03-12 14:58:34 analysis cbinterface.psc.query[7867] INFO got 108 process results.
2021-03-12 14:58:34 analysis cbinterface.psc.cli[7867] INFO getting facet data...
2021-03-12 14:58:53 analysis cbinterface.psc.query[7867] WARNING problem enumerating child process names: maximum recursion depth exceeded
------------------------- FACET HISTOGRAMS -------------------------
parent_name results: 1
--------------------------------
svchost.exe: 108 - 100.% ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
process_name results: 1
--------------------------------
rundll32.exe: 108 - 100.% ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
process_reputation results: 2
--------------------------------
ADAPTIVE_WHITE_LIST: 52 - 48.1% ■■■■■■■■■■■■■■■■■■■■■■■■
TRUSTED_WHITE_LIST: 56 - 51.8% ■■■■■■■■■■■■■■■■■■■■■■■■■
process_username results: 4
--------------------------------
CURN982JH\sean: 13 - 12.0% ■■■■■■
YHP2BG\NeoLite6: 22 - 20.3% ■■■■■■■■■■
NT AUTHORITY\SYSTEM: 36 - 33.3% ■■■■■■■■■■■■■■■■
RIPDOM\A343932: 37 - 34.2% ■■■■■■■■■■■■■■■■■
process_sha256 results: 3
--------------------------------
9f1e56a3bf293ac536cf4b8dad57040797d62dbb0ca19c4ed9683b5565549481: 23 - 21.2% ■■■■■■■■■■
01b407af0200b66a34d9b1fa6d9eaab758efa36a36bb99b554384f59f8690b1a: 33 - 30.5% ■■■■■■■■■■■■■■■
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa: 52 - 48.1% ■■■■■■■■■■■■■■■■■■■■■■■■
device_name results: 4
--------------------------------
vcr0121823: 14 - 12.9% ■■■■■■
curn982jh: 15 - 13.8% ■■■■■■
ripdom\vcr0121823: 27 - 25.0% ■■■■■■■■■■■■
yhp2bg: 52 - 48.1% ■■■■■■■■■■■■■■■■■■■■■■■■
device_os results: 1
--------------------------------
WINDOWS: 108 - 100.% ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
childproc_name results: 0
--------------------------------
Print all results? (y/n) [y] n
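Facets are most useful for spotting the rare value among a pile of expected hits (one unusual SHA256 or username in 108 results), and the same histograms can be rebuilt offline from saved query output. The following is an added example for this page, not code from cbinterface2: it parses the QUERY RESULTS record layout shown in the PSC EDR and Response examples above (one "Key: Value" per line, records separated by dashed lines), then computes facet histograms and lists low-share outliers. SAMPLE_OUTPUT is constructed for the example; its GUIDs, hashes and users are fictional.

```python
"""Parse `cbinterface query` console output and compute facets offline.

Added example for this wiki page, not code from cbinterface2. Assumes only
the record layout shown on the page. SAMPLE_OUTPUT is constructed (fictional
GUIDs, hashes, users); real output is captured with
    cbinterface query -nw '<query>' > results.txt
"""
from __future__ import annotations

import ast
import re
from collections import Counter
from typing import Callable, Dict, List, Optional

SEPARATOR = re.compile(r"^-{5,}( QUERY RESULTS -{5,})?\s*$")
KEY = re.compile(r"^[A-Z][A-Za-z0-9 ]*$")   # "Process GUID", "Command Line", ...

SAMPLE_OUTPUT = r"""
2021-03-12 14:46:39 analysis cbinterface.psc.query[5724] INFO got 3 process results.
------------------------- QUERY RESULTS -------------------------
-------------------------
Process GUID: EXAMPLE0-00000001-00000804-00000000-000000000000001
Process Name: rundll32.exe
Process SHA256: 1111111111111111111111111111111111111111111111111111111111111111
Command Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
Process Reputation: TRUSTED_WHITE_LIST
Username: ['EXAMPLE\\alice']
-------------------------
Process GUID: EXAMPLE0-00000002-00000810-00000000-000000000000002
Process Name: rundll32.exe
Process SHA256: 1111111111111111111111111111111111111111111111111111111111111111
Command Line: rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie srv http://example.invalid/share/AutoRun.inf
Process Reputation: TRUSTED_WHITE_LIST
Username: ['EXAMPLE\\bob']
-------------------------
Process GUID: EXAMPLE0-00000003-00000990-00000000-000000000000003
Process Name: rundll32.exe
Process SHA256: 2222222222222222222222222222222222222222222222222222222222222222
Command Line: rundll32.exe C:\Users\Public\x.dll,Run
Process Reputation: NOT_LISTED
Username: ['NT AUTHORITY\\SYSTEM']
"""

Record = Dict[str, str]


def parse_results(text: str) -> List[Record]:
    """One dict per process record; log lines before the banner are ignored."""
    records: List[Record] = []
    current: Record = {}
    in_results = False
    for line in text.splitlines():
        if SEPARATOR.match(line):
            in_results = True
            if current:
                records.append(current)
                current = {}
            continue
        if not in_results or ": " not in line:
            continue
        key, value = line.split(": ", 1)     # split once: cmdlines and URLs hold ':'
        if KEY.match(key):
            current[key] = value.strip()
    if current:
        records.append(current)
    return records


def username(record: Record) -> str:
    """PSC prints Username as a Python list repr; Response prints a bare string."""
    raw = record.get("Username", "")
    if raw.startswith("[") and raw.endswith("]"):
        parsed = ast.literal_eval(raw)      # safe for a list literal of strings
        return parsed[0] if parsed else ""
    return raw


def facet(records: List[Record], field: str,
          value_of: Optional[Callable[[Record], str]] = None) -> Counter:
    """Count distinct values of a field, like the --facets histograms."""
    get = value_of or (lambda r: r.get(field, "<missing>"))
    return Counter(get(r) for r in records)


def histogram(records: List[Record], field: str, width: int = 50) -> List[str]:
    """Lines in the same shape as the FACET HISTOGRAMS output, ascending."""
    counts = facet(records, field)
    total = sum(counts.values())
    out = []
    for value, n in sorted(counts.items(), key=lambda kv: (kv[1], kv[0])):
        bar = "■" * round(width * n / total)
        out.append(f"{value}: {n} - {100.0 * n / total:.1f}% {bar}")
    return out


def outliers(records: List[Record], field: str, max_share: float = 0.15) -> Dict[str, int]:
    """Values carried by at most max_share of results: the rare hash, user or
    reputation among otherwise expected hits is where a hunt usually starts."""
    counts = facet(records, field)
    total = sum(counts.values())
    return {v: n for v, n in counts.items() if n / total <= max_share}


if __name__ == "__main__":
    recs = parse_results(SAMPLE_OUTPUT)
    for field in ("Process SHA256", "Process Reputation"):
        print(f"{field} results: {len(facet(recs, field))}")
        print("\n".join(histogram(recs, field)))
    print("outliers:", outliers(recs, "Process Reputation", 0.34))
```

The username helper matters because the two backends print that field differently (a list repr in the PSC output, a bare string in the Response output); normalising it first keeps the facet from splitting one user into two buckets.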