UBS - ace-ecosystem/cbinterface2 GitHub Wiki

Universal Binary Store

From the Carbon Black documentation:

The unified binary store (UBS) is a centralized service that is part of the Carbon Black Cloud. The UBS is responsible for storing all binaries and corresponding metadata for those binaries. The UBS comes packaged in with Enterprise EDR. To obtain the maximum benefit of the UBS, users must opt in to binary uploads.

Enterprise EDR customers are able to utilize the UBS APIs to download binaries as well as retrieve the corresponding metadata. At this time, the UBS’ data retention is infinite, so as long as a user has access to a binary, that user will be able to retrieve the file and any associated metadata.

The UBS obtains data on first execution of a PE for a given device that Enterprise EDR has visibility into. This means that even if some of the metadata around the file changes (such as file path or signature results), the UBS will still only know the original state.

You can use the UBS to pull binaries and get binary information. Here is the command line entry point:

$ cbinterface ubs -h
usage: cbinterface ubs [-h] [--sha256 SHA256HASHES] [--from-stdin] [-g] [-ds]
                       [-ss] [-fps] [-i] [-ci]

optional arguments:
  -h, --help            show this help message and exit
  --sha256 SHA256HASHES
                        The SHA-256 hash of a file you're interested in. Use
                        multiple times to build list.
  --from-stdin          Read SHA-256 hashes piped from stdin to work with.
  -g, --get-file        Attempt to download file content for the SHA-256
                        hashes supplied by `--sha256`
  -ds, --get-device-summary
                        Get an overview of the devices that executed the file.
  -ss, --get-signature-summary
                        Summary of the observed digital signature results for
                        a given SHA-256 hashes.
  -fps, --get-file-path-summary
                        Summary of the observed file paths for a given SHA-256
                        hashes.
  -i, --get-metadata    Get file metadata for give SHA-256 hashes.
  -ci, --combined-info  Combine metadata and summaries per SHA-256

Example: Download Binaries from the CBC

In this example, I have the SHA256 of three files I am interested in obtaining. I pass those three hashes to cbinterface to see if the UBS has those files, and to download them if so.

$ cbinterface ubs --sha256 881b4e49d388f5c99dace3709f38b3c9552fdb81fca22ae8f36430a5d299b17b --sha256  87976f3430cc99bc939e0694247c0759961a49832b87218f4313d6fc0bc3a776  --sha256 1dbd339cd0914683e5bc163392b4276b03c1746f39c6980481deda37f2a65b25 -g

2021-04-05 22:45:17 analysis cbinterface.psc.ubs[21166] WARNING UBS did not find result for sha256: 87976f3430cc99bc939e0694247c0759961a49832b87218f4313d6fc0bc3a776
2021-04-05 22:45:17 analysis cbinterface.psc.ubs[21166] INFO  + Wrote: 1dbd339cd0914683e5bc163392b4276b03c1746f39c6980481deda37f2a65b25.zip
2021-04-05 22:45:18 analysis cbinterface.psc.ubs[21166] INFO  + Wrote: 881b4e49d388f5c99dace3709f38b3c9552fdb81fca22ae8f36430a5d299b17b.zip

You can see from the results that two of the three files matching the SHA256 hashes were found and downloaded. I can get the metadata for these files like so:

$ cbinterface ubs --sha256 881b4e49d388f5c99dace3709f38b3c9552fdb81fca22ae8f36430a5d299b17b --sha256  87976f3430cc99bc939e0694247c0759961a49832b87218f4313d6fc0bc3a776  --sha256 1dbd339cd0914683e5bc163392b4276b03c1746f39c6980481deda37f2a65b25 -i
2021-04-05 22:48:11 analysis cbinterface.psc.ubs[21475] WARNING UBS: NOT_FOUND: 87976f3430cc99bc939e0694247c0759961a49832b87218f4313d6fc0bc3a776 not found
[
  {
    "sha256": "881b4e49d388f5c99dace3709f38b3c9552fdb81fca22ae8f36430a5d299b17b",
    "architecture": [
      "x86"
    ],
    "available_file_size": 3836800,
    "charset_id": 1200,
    "comments": null,
    "company_name": "Netskope, Inc.",
    "copyright": "Copyright (c) 2020 Netskope, Inc. All Rights Reserved.",
    "file_available": true,
    "file_description": "Netskope Client Service",
    "file_size": 3836800,
    "file_version": "83.0.0.538",
    "internal_name": "stAgentSvc.exe",
    "lang_id": 1033,
    "md5": "e49be87d1438be50754defc0e59ce13e",
    "original_filename": "stAgentSvc.exe",
    "os_type": "WINDOWS",
    "private_build": null,
    "product_description": null,
    "product_name": "Netskope Client",
    "product_version": "83.0.0.538",
    "special_build": null,
    "trademark": null
  },
  {
    "sha256": "1dbd339cd0914683e5bc163392b4276b03c1746f39c6980481deda37f2a65b25",
    "architecture": [
      "amd64"
    ],
    "available_file_size": 3137920,
    "charset_id": 1200,
    "comments": null,
    "company_name": "Microsoft Corporation",
    "copyright": "Copyright Microsoft Corporation. All rights reserved.",
    "file_available": true,
    "file_description": "Microsoft Edge",
    "file_size": 3137920,
    "file_version": "89.0.774.57",
    "internal_name": "msedge_exe",
    "lang_id": 1033,
    "md5": "19e3f55abc49ebf1e799aad257731654",
    "original_filename": "msedge.exe",
    "os_type": "WINDOWS",
    "private_build": null,
    "product_description": null,
    "product_name": "Microsoft Edge",
    "product_version": "89.0.774.57",
    "special_build": null,
    "trademark": null
  }
]
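The two runs above show the practical wrinkle in working with UBS output: the NOT_FOUND warning for the third hash goes to the log, while the JSON printed by -i simply omits that hash, so a script consuming the JSON has to reconcile it against the list of hashes that were requested. The following is an added example written for this page, not code from the cbinterface2 project. It turns pasted analyst text into the clean hash list that `--from-stdin` expects, reconciles the metadata JSON from the page against that list, and checks a downloaded file against its expected SHA-256. The request text is constructed; the metadata is trimmed from the page's own output; it assumes the binary has already been extracted from the `<sha256>.zip` that cbinterface writes.

```python
"""Triage helper for `cbinterface ubs` output (added example, not project code)."""
import hashlib
import json
import re
import sys

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Constructed sample: hashes as an analyst might paste them (mixed case,
# a duplicate, and an MD5 that must be ignored).
REQUESTED_TEXT = """
881B4E49D388F5C99DACE3709F38B3C9552FDB81FCA22AE8F36430A5D299B17B  stAgentSvc.exe
87976f3430cc99bc939e0694247c0759961a49832b87218f4313d6fc0bc3a776
1dbd339cd0914683e5bc163392b4276b03c1746f39c6980481deda37f2a65b25
1dbd339cd0914683e5bc163392b4276b03c1746f39c6980481deda37f2a65b25
md5 only: 19e3f55abc49ebf1e799aad257731654
"""

# Metadata from the wiki's `-i` output, trimmed to the fields the triage uses.
UBS_METADATA_JSON = json.dumps([
    {"sha256": "881b4e49d388f5c99dace3709f38b3c9552fdb81fca22ae8f36430a5d299b17b",
     "file_available": True, "file_size": 3836800, "available_file_size": 3836800,
     "original_filename": "stAgentSvc.exe", "company_name": "Netskope, Inc."},
    {"sha256": "1dbd339cd0914683e5bc163392b4276b03c1746f39c6980481deda37f2a65b25",
     "file_available": True, "file_size": 3137920, "available_file_size": 3137920,
     "original_filename": "msedge.exe", "company_name": "Microsoft Corporation"},
])


def extract_sha256_hashes(text: str) -> list:
    """Distinct SHA-256 hashes in `text`, lowercased, in first-seen order.

    Shorter hex strings (MD5, SHA-1) never match the 64-character pattern.
    """
    seen = []
    for match in SHA256_RE.findall(text):
        h = match.lower()
        if h not in seen:
            seen.append(h)
    return seen


def triage(requested: list, metadata_json: str) -> dict:
    """Reconcile requested hashes against the JSON that `cbinterface ubs -i` prints."""
    by_hash = {entry["sha256"].lower(): entry for entry in json.loads(metadata_json)}
    report = {"not_found": [], "complete": [], "partial": []}
    for h in requested:
        entry = by_hash.get(h)
        if entry is None:
            # UBS never saw this hash; the warning only appeared in the log.
            report["not_found"].append(h)
        elif entry.get("file_available") and entry.get("available_file_size") == entry.get("file_size"):
            report["complete"].append(h)
        else:
            # Metadata exists but content is missing or truncated, so -g would
            # not yield a byte-for-byte copy of the original binary.
            report["partial"].append(h)
    return report


def verify_download(source, expected_sha256: str) -> bool:
    """Hash a downloaded (already unzipped) file, or raw bytes, and compare.

    `source` is a path to the extracted file, or bytes for in-memory checks.
    Chunked reading keeps memory flat for large binaries.
    """
    digest = hashlib.sha256()
    if isinstance(source, (bytes, bytearray)):
        digest.update(source)
    else:
        with open(source, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
    return digest.hexdigest() == expected_sha256.strip().lower()


if __name__ == "__main__":
    # With piped input, read it; otherwise fall back to the constructed sample.
    text = REQUESTED_TEXT if sys.stdin.isatty() else sys.stdin.read()
    hashes = extract_sha256_hashes(text)
    # stdout is the clean list you would pipe into: cbinterface ubs --from-stdin -i
    print("\n".join(hashes))
    print(json.dumps(triage(hashes, UBS_METADATA_JSON), indent=2), file=sys.stderr)
```

Run as `python3 ubs_triage.py < pasted_hashes.txt | cbinterface ubs --from-stdin -i` (assumed filename) to feed only well-formed, deduplicated SHA-256 values to the tool; the triage report on stderr shows which hashes to chase elsewhere and which downloads can be trusted as complete before you verify them with `verify_download`.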