User Guide - ace-ecosystem/cbinterface2 GitHub Wiki

CbInterface User Guide

This section is a work in progress. Everything here has been thrown together in an attempt to scratch many surfaces. If you have a question about anything, contact me and I'll answer it. If there is interest, I'll create more documentation around any subject.

Also, if you find any issue at all, let me know and I'll fix it. Additionally, feel free to contact me with general questions or anything else and I will try to help. Open an issue on GitHub or email me.

Remediating a NanoCore Infection

Say you get an alert or discover the following process during a hunting operation. Given that the process GUID is SC8EF33S-029256ac-00001160-00000000-1d732b8d5d1aad0, print information on the process:

Investigation

$ cbinterface investigate SC8EF33S-029256ac-00001160-00000000-1d732b8d5d1aad0 -i
------ INFO ------
  Process GUID: SC8EF33S-029256ac-00001160-00000000-1d732b8d5d1aad0
  Process Name: schtasks.exe
  Process PID: 4448
  Process MD5: 2003e9b15e1c502b146dad2e383ac1e3
  Process SHA256: 15018d0093befabba8b927743191030d1f8c17bb97fdb48c2fc3eab20e2d4b3d
  Process Path: c:\windows\syswow64\schtasks.exe
  Process Terminated: True
  Start Time: 2021-04-16 12:05:47.337000+0000
  Command Line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\USLvXvrpWAhCg" /XML "C:\Users\ASDF\AppData\Local\Temp\tmpCC73.tmp"
  Process Reputation: TRUSTED_WHITE_LIST
  Parent Name: c:\users\ASDF\downloads\purchasew111pdf.exe
  Parent GUID: SC8EF33S-029256ac-00001348-00000000-1d732b88c85a110
  Parent SHA256: c200145342cf8f892f422ab46b5c4575272169969d5ada3b0df75de298882ca8
  Username: ['asdf\\asdf']
  Device ID: 49144876
  Device Name: asdfBox
  Device OS: WINDOWS
  External IP: 6.7.3.18
  Internal IP: 10.21.21.110

NOTE: i is shorthand for investigate, so the above command can also be written as: cbinterface i SC8EF33S-029256ac-00001160-00000000-1d732b8d5d1aad0 -i

To get an idea of where this process came from, print the process ancestry:

$ cbinterface i SC8EF33S-029256ac-00001160-00000000-1d732b8d5d1aad0 -a

------ Process Ancestry ------

  2021-04-16 12:05:47.337000+0000: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\USLvXvrpWAhCg" /XML "C:\Users\ASDF\AppData\Local\Temp\tmpCC73.tmp" | SC8EF33S-029256ac-00001160-00000000-1d732b8d5d1aad0
    2021-04-16 12:03:44.365000+0000: "C:\Users\ASDF\Downloads\PURCHASEW111PDF.exe"  | SC8EF33S-029256ac-00001348-00000000-1d732b88c85a110
      2021-04-16 11:22:20.083000+0000: C:\Windows\Explorer.EXE | SC8EF33S-029256ac-000004f8-00000000-1d732b2c3c62830

From the above, PURCHASEW111PDF.exe looks quite suspect. Let's grab that process's GUID and look at its behavior, first by printing the process tree:

$ cbinterface i SC8EF33S-029256ac-00001348-00000000-1d732b88c85a110 -t

------ Process Execution Tree ------

    "C:\Users\ASDF\Downloads\PURCHASEW111PDF.exe"   | SC8EF33S-029256ac-00001348-00000000-1d732b88c85a110
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\USLvXvrpWAhCg" /XML "C:\Users\ASDF\AppData\Local\Temp\tmpCC73.tmp"  | SC8EF33S-029256ac-00001160-00000000-1d732b8d5d1aad0
      "C:\Users\ASDF\Downloads\PURCHASEW111PDF.exe"  | SC8EF33S-029256ac-000010a8-00000000-1d732b8d5f3b1c0
        "schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\ASDF\AppData\Local\Temp\tmpD01B.tmp"  | SC8EF33S-029256ac-000013d4-00000000-1d732b8d6058c10

This does not look legitimate. Grab the SHA256 of PURCHASEW111PDF.exe with the following command:

$ cbinterface i SC8EF33S-029256ac-00001348-00000000-1d732b88c85a110 -i | grep 'Process SHA256'
  Process SHA256: c200145342cf8f892f422ab46b5c4575272169969d5ada3b0df75de298882ca8

You can then look this SHA256 up in VirusTotal (VT) to see that it is a NanoCore RAT.

Get all the Events

It is helpful to review all of the process events around the execution we know about. I like to write everything to a file I call an "lr_lite" file. The -w flag means to walk the process tree and inspect every process; by default, this means that all process events are printed for every process in the process tree.

$ cbinterface i SC8EF33S-029256ac-00001348-00000000-1d732b88c85a110 -w > lr_lite.SC8EF33S-029256ac-00001348-00000000-1d732b88c85a110.txt

Now you can less or grep the above file as needed. If you just want to see network connections and file modifications for every process in the process tree, you could execute the following:

$ cbinterface i SC8EF33S-029256ac-00001348-00000000-1d732b88c85a110 -w -nc -fm

For this sample, you can study the event data in the above "lr_lite" file to find all artifacts needing remediation.

Contain the host

Next, if this was a real incident, we would contain the host. The following command accomplishes this:

$ cbinterface live-response asdfBox -q
2021-04-20 11:39:48 analysis cbinterface.psc.cli[17209] INFO searching for device...
2021-04-20 11:39:49 analysis cbinterface.psc.device[17209] INFO got 1 device results.
2021-04-20 11:39:49 analysis cbinterface.psc.cli[17209] INFO setting quarantine on 1 devices... 👀
2021-04-20 11:39:49 analysis cbinterface.psc.cli[17209] INFO device 43144876:asdfBox hasn't checked in for: 15:18:09.319961
2021-04-20 11:39:49 analysis cbinterface.psc.cli[17209] WARNING device 43144876:asdfBox appears offline 💤
2021-04-20 11:39:49 analysis cbinterface.psc.cli[17209] INFO device 43144876:asdfBox will change quarantine state when it comes online 👌
2021-04-20 11:39:49 analysis cbinterface.psc.cli[17209] INFO Device 43144876:asdfBox is set to quarantine.

Question: Where did this come from?

$ cbinterface query 'filemod_name:PURCHASEW111PDF.exe'
2021-04-20 12:20:41 analysis cbinterface.psc.cli[25232] INFO searching psc:default environment..
2021-04-20 12:20:43 analysis cbinterface.psc.query[25232] INFO got 1 process results.

------------------------- QUERY RESULTS -------------------------
  -------------------------
  Process GUID: SC8EF33S-029256ac-00000f50-00000000-1d732b87f03aeb0
  Process Name: unace.exe
  Process PID: 3920
  Process MD5: c09afd4d99c9b697064b87ab258a0c60
  Process SHA256: 8abb49b815a2f57e22f21967b9059dd3d4a22d75c8460ae893ff7fc5d30cfec5
  Process Path: c:\program files\peazip\res\unace\unace.exe
  Process Terminated: True
  Start Time: 2021-04-16 12:03:21.703000+0000
  Command Line: "C:\Program Files\PeaZip\res\unace\unace.exe" x "C:\Users\ASDF\Downloads\PURCHASEW111PDF.ace"
  Process Reputation: ADAPTIVE_WHITE_LIST
  Parent Name: c:\program files\peazip\peazip.exe
  Parent GUID: SC8EF33S-029256ac-000010d0-00000000-1d732b87d30ea80
  Parent SHA256: 2018fc221b19af341f68db733f454aa48b62ab3712aa0b4fab950094828a79e5
  Username: ['asdfBox\\ASDF']
  Device ID: 43144876
  Device Name: asdfBox
  Device OS: WINDOWS
  External IP: 47.67.54.3
  Internal IP: 10.21.21.110

From the above, it looks like the exe was extracted from an archive named PURCHASEW111PDF.ace. Where did that come from?

$ cbinterface query filemod_name:PURCHASEW111PDF.ace
2021-04-20 12:23:29 analysis cbinterface.psc.cli[25791] INFO searching psc:default environment..
2021-04-20 12:23:32 analysis cbinterface.psc.query[25791] INFO got 1 process results.

------------------------- QUERY RESULTS -------------------------
  -------------------------
  Process GUID: SC8EF33S-029256ac-00000d40-00000000-1d732b7d479a990
  Process Name: firefox.exe
  Process PID: 3392
  Process MD5: a64451c6ab4ec7664c16f9aa082911b9
  Process SHA256: ee77516268d63ac2cb4d76535f3b3ba04f085de2f98fa32b45743fbb407b2a7e
  Process Path: c:\program files\mozilla firefox\firefox.exe
  Process Terminated: True
  Start Time: 2021-04-16 11:58:35.586000+0000
  Command Line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  Process Reputation: TRUSTED_WHITE_LIST
  Parent Name: c:\program files\mozilla firefox\firefox.exe
  Parent GUID: SC8EF33S-029256ac-00000cb8-00000000-1d732b7d474e6d0
  Parent SHA256: ee77516268d63ac2cb4d76535f3b3ba04f085de2f98fa32b45743fbb407b2a7e
  Username: ['asdfBox\\ASDF']
  Device ID: 43144876
  Device Name: asdfBox
  Device OS: WINDOWS
  External IP: 47.67.54.3
  Internal IP: 10.21.21.110

It looks like it was downloaded by the above Firefox process. Here are the filemod events:

$ cbinterface proc SC8EF33S-029256ac-00000d40-00000000-1d732b7d479a990 -fm | grep 'purchasew111pdf'
 @2021-04-16 12:02:50.266000+0000: |MOD_OPEN,OPEN_WRITE| c:\users\ASDF\downloads\purchasew111pdf.ace
 @2021-04-16 12:00:27.938000+0000: |CREATE,OPEN_READ| c:\users\ASDF\downloads\purchasew111pdf.ace
 @2021-04-16 12:00:28.020000+0000: |MOD_OPEN,OPEN_WRITE| c:\users\ASDF\downloads\purchasew111pdf.ace
 @2021-04-16 12:00:28.020000+0000: |MOD_OPEN,OPEN_WRITE| c:\users\ASDF\downloads\purchasew111pdf.ace
 @2021-04-16 12:00:28.071000+0000: |CREATE,MOD_OPEN,OPEN_WRITE| c:\users\ASDF\downloads\purchasew111pdf.ace:zone.identifier

I'm not going to show the next steps, but if you collected browsing history on the host you would see that the user visited a personal webmail account, and the above purchasew111pdf.ace file was downloaded from a Dropbox link.

Collect File

We can collect interesting files through a live response session on the host, or, if you have the Universal Binary Store (UBS) configured and the interesting file is a binary, you can pull the file from the UBS.

From UBS

You can pull the binary from the Universal Binary Store (UBS) and get the information the UBS has on the RAT with the following command:

$ cbinterface ubs --sha256 c200145342cf8f892f422ab46b5c4575272169969d5ada3b0df75de298882ca8 -i -g
2021-04-20 10:45:31 analysis cbinterface.psc.ubs[6693] INFO  + Wrote: c200145342cf8f892f422ab46b5c4575272169969d5ada3b0df75de298882ca8.zip
[
  {
    "sha256": "c200145342cf8f892f422ab46b5c4575272169969d5ada3b0df75de298882ca8",
    "architecture": [
      "x86"
    ],
    "available_file_size": 878184,
    "charset_id": 1200,
    "comments": null,
    "company_name": "Questionnaire Mobile",
    "copyright": "Copyright \u00a9 2008",
    "file_available": true,
    "file_description": "BO",
    "file_size": 878184,
    "file_version": "2.8.3.0",
    "internal_name": "UmAlQuraCalendar.exe",
    "lang_id": null,
    "md5": "b1b14a0212210466ad311acbc4938302",
    "original_filename": "UmAlQuraCalendar.exe",
    "os_type": "WINDOWS",
    "private_build": null,
    "product_description": null,
    "product_name": "BO",
    "product_version": "2.8.3.0",
    "special_build": null,
    "trademark": null
  }
]

You will have to unzip the c200145342cf8f892f422ab46b5c4575272169969d5ada3b0df75de298882ca8.zip written above to get the file data.

From the Host

If you do not have UBS enabled for your tenant, or the file you wish to collect is not in the UBS (perhaps it's not a binary), the following command demonstrates collecting the file through a live response session:

$ cbinterface lr asdfBox collect -f "C:\Users\ASDF\Downloads\PURCHASEW111PDF.ace"

Remediation

For this NanoCore installation, there are two scheduled tasks used for persistence. To remediate this infection, we need to delete those scheduled tasks, kill all running malicious processes, and delete the malicious files.

First, write a remediation template:

$ cbinterface lr asdfBox remediate --write-template 
2021-04-20 12:31:12 analysis cbinterface.cli[27389] INFO  + wrote remediate.ini

Next, edit the remediate.ini file to include all processes, files, registry keys/values, scheduled tasks, services, and directories that need to be destroyed.

For this example, and for the sake of brevity, here are the critical ones:

$ cat remediate.ini
[files]
file1=c:\users\ASDF\downloads\purchasew111pdf.ace
file2=c:\users\ASDF\downloads\purchasew111pdf.exe
file3=c:\users\ASDF\appdata\roaming\uslvxvrpwahcg.exe
file4=C:\Users\ASDF\AppData\Local\Temp\tmpD01B.tmp
file5=C:\Users\ASDF\AppData\Local\Temp\tmpCC73.tmp

[process_names]
proc1=uslvxvrpwahcg.exe
proc2=purchasew111pdf.exe

[scheduled_tasks]
task1=DHCP Monitor
task2=Updates\USLvXvrpWAhCg

Finally, the following command will execute the above remediation with a single live response session:

$ cbinterface lr asdfBox remediate -rs remediate.ini
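Before running the remediation it is worth checking the remediate.ini against the event data in the lr_lite file, so that nothing the process tree created is missed. The following Python is an added example, not part of cbinterface: it assumes the filemod line format shown in the grep output earlier on this page, embeds a constructed set of filemod lines (the paths from this page plus one made-up file, CONSTRUCTED_extra.dat, with constructed timestamps) together with the remediate.ini above, and reports every created file that the [files] section does not list.

```python
import configparser
import re

# Constructed filemod lines in the format cbinterface prints for -fm output
# (format assumed from the grep'd output earlier on this page). The paths come
# from the page; the added timestamps and CONSTRUCTED_extra.dat are made up.
FILEMOD_LINES = r"""
 @2021-04-16 12:00:27.938000+0000: |CREATE,OPEN_READ| c:\users\ASDF\downloads\purchasew111pdf.ace
 @2021-04-16 12:00:28.071000+0000: |CREATE,MOD_OPEN,OPEN_WRITE| c:\users\ASDF\downloads\purchasew111pdf.ace:zone.identifier
 @2021-04-16 12:02:50.266000+0000: |MOD_OPEN,OPEN_WRITE| c:\users\ASDF\downloads\purchasew111pdf.ace
 @2021-04-16 12:03:21.900000+0000: |CREATE,OPEN_WRITE| c:\users\ASDF\downloads\purchasew111pdf.exe
 @2021-04-16 12:05:47.100000+0000: |CREATE,OPEN_WRITE| C:\Users\ASDF\AppData\Local\Temp\tmpCC73.tmp
 @2021-04-16 12:05:48.200000+0000: |CREATE,OPEN_WRITE| c:\users\ASDF\appdata\roaming\uslvxvrpwahcg.exe
 @2021-04-16 12:05:49.300000+0000: |CREATE,OPEN_WRITE| c:\users\ASDF\appdata\roaming\CONSTRUCTED_extra.dat
"""

# The remediate.ini from this section of the page.
REMEDIATE_INI = r"""
[files]
file1=c:\users\ASDF\downloads\purchasew111pdf.ace
file2=c:\users\ASDF\downloads\purchasew111pdf.exe
file3=c:\users\ASDF\appdata\roaming\uslvxvrpwahcg.exe
file4=C:\Users\ASDF\AppData\Local\Temp\tmpD01B.tmp
file5=C:\Users\ASDF\AppData\Local\Temp\tmpCC73.tmp

[process_names]
proc1=uslvxvrpwahcg.exe
proc2=purchasew111pdf.exe

[scheduled_tasks]
task1=DHCP Monitor
task2=Updates\USLvXvrpWAhCg
"""

# " @<timestamp>: |ACTION,ACTION| <path>" -- the timestamp contains one space
FILEMOD_RE = re.compile(r"^\s*@(?P<ts>\S+ \S+): \|(?P<actions>[A-Z_,]+)\| (?P<path>.+?)\s*$")


def parse_filemods(text):
    """Return (timestamp, [actions], path) for each filemod line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FILEMOD_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("actions").split(","), m.group("path")))
    return events


def normalize_path(path):
    """Lower-case (NTFS paths are case-insensitive) and drop an alternate data
    stream suffix such as ':zone.identifier'; the drive-letter colon is kept."""
    path = path.lower()
    if path.count(":") > 1:
        path = path[: path.rfind(":")]
    return path


def created_files(text):
    """Files the process tree created, i.e. filemod events carrying a CREATE action."""
    return {normalize_path(p) for _, actions, p in parse_filemods(text) if "CREATE" in actions}


def remediation_files(ini_text):
    """Files listed in the [files] section of a remediate.ini, normalized."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("files"):
        return set()
    return {normalize_path(v) for v in cp["files"].values()}


def uncovered_artifacts(filemod_text, ini_text):
    """Created files that the remediate.ini does not list, sorted for review."""
    return sorted(created_files(filemod_text) - remediation_files(ini_text))


if __name__ == "__main__":
    for path in uncovered_artifacts(FILEMOD_LINES, REMEDIATE_INI):
        print("not in remediate.ini:", path)
```

Run against a real lr_lite file, the same check is just a matter of reading the file contents into the first argument; CREATE events from the malicious tree that land in the output are candidates for the [files] section, and MOD_OPEN-only events (like the third constructed line) are filtered out because they touch files that already existed.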

Creating a Playbook

In this example, I will create a playbook that downloads a file, executes a couple of commands, and uploads a file.

First, write the playbook.ini template file so you have something to start with:

$ cbinterface live-response hostname playbook --write-template 
2021-04-08 18:08:33 analysis cbinterface.cli[14333] INFO  + wrote playbook.ini

Make sure to read the comments in that playbook.ini template.

Next, I edited the contents of the playbook.ini to be the following:

[overview]
name=Full Collection
description=Execute a full live response collection on this host.

[command_download_lr]
operation=download
file_path=/opt/skelator/collection/lr.exe
client_file_path={WORK_DIR}\lr.exe

[command_extract_lr]
operation=run
command={WORK_DIR}\lr.exe -y
wait_for_output=no
wait_for_completion=yes

[command_execute_collection]
operation=run
command={WORK_DIR}\lr\win32\tools\collect.bat
wait_for_output=no
wait_for_completion=yes
; 30 minute timeout ( should take less than 10 )
wait_timeout=1800

[upload_result]
operation=upload
path={WORK_DIR}\lr\win32\output\{HOSTNAME}.{WILDMATCH}.7z
post_completion_command=streamline.py *.7z

Everything in curly brackets is a placeholder for a predefined value that cbinterface will fill in (details in playbook.ini), except for "{WILDMATCH}". "{WILDMATCH}" is a special directive for the upload operation that can be used in the path variable to match files that look like the file in the path variable.

Finally, I saved that file to full_collection.ini and added it to the global config playbook section, seen below:

$ cat /etc/carbonblack/cbinterface.ini 
[playbooks]
full_collect=/etc/carbonblack/playbook_configs/full_collection.ini

Hopefully that's pretty self-explanatory after reading the comments in the playbook.ini template file.
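To show how the placeholder and {WILDMATCH} mechanics above fit together, here is an added Python example that is not cbinterface's own playbook code. It parses the playbook.ini from this section, fills {WORK_DIR} and {HOSTNAME} from a context dictionary (the WORK_DIR value and the client file listing are constructed placeholders; the real working directory is defined by cbinterface and documented in the template), leaves {WILDMATCH} for the upload step, and expands it into a glob that is matched against the listing case-insensitively.

```python
import configparser
import fnmatch
import re

# The playbook.ini from this section (copied from the page).
PLAYBOOK_INI = r"""
[overview]
name=Full Collection
description=Execute a full live response collection on this host.

[command_download_lr]
operation=download
file_path=/opt/skelator/collection/lr.exe
client_file_path={WORK_DIR}\lr.exe

[command_extract_lr]
operation=run
command={WORK_DIR}\lr.exe -y
wait_for_output=no
wait_for_completion=yes

[command_execute_collection]
operation=run
command={WORK_DIR}\lr\win32\tools\collect.bat
wait_for_output=no
wait_for_completion=yes
; 30 minute timeout ( should take less than 10 )
wait_timeout=1800

[upload_result]
operation=upload
path={WORK_DIR}\lr\win32\output\{HOSTNAME}.{WILDMATCH}.7z
post_completion_command=streamline.py *.7z
"""

PLACEHOLDER_RE = re.compile(r"\{([A-Z_]+)\}")
WILDMATCH = "WILDMATCH"


def load_steps(ini_text):
    """Every section except [overview] is one step; each must name an operation."""
    cp = configparser.ConfigParser(interpolation=None)  # values use {} not %()s
    cp.read_string(ini_text)
    steps = []
    for section in cp.sections():
        if section == "overview":
            continue
        step = {"name": section, **cp[section]}
        if "operation" not in step:
            raise ValueError(f"[{section}] has no operation")
        steps.append(step)
    return steps


def render(value, context):
    """Fill {NAME} placeholders from context. {WILDMATCH} is left in place for
    the upload matcher; any other placeholder without a value is an error."""
    def substitute(match):
        name = match.group(1)
        if name == WILDMATCH:
            return match.group(0)
        if name not in context:
            raise KeyError(f"no value for placeholder {{{name}}}")
        return context[name]
    return PLACEHOLDER_RE.sub(substitute, value)


def match_wildmatch(path_pattern, client_files):
    """Turn {WILDMATCH} into a glob '*' and return the client files it matches,
    case-insensitively because the client is a Windows host."""
    pattern = path_pattern.replace("{" + WILDMATCH + "}", "*").lower()
    return [f for f in client_files if fnmatch.fnmatchcase(f.lower(), pattern)]


def build_plan(ini_text, context, client_files):
    """Render every step; upload steps get the concrete files their path matched."""
    plan = []
    for step in load_steps(ini_text):
        rendered = {key: render(value, context) for key, value in step.items()}
        if rendered["operation"] == "upload":
            rendered["matched"] = match_wildmatch(rendered["path"], client_files)
        plan.append(rendered)
    return plan


# Constructed demo values; the real WORK_DIR is defined by cbinterface.
CONTEXT = {"WORK_DIR": r"C:\LR_WORK_DIR_PLACEHOLDER", "HOSTNAME": "asdfBox"}
CLIENT_FILES = [  # constructed listing of the client's output directory
    r"C:\LR_WORK_DIR_PLACEHOLDER\lr\win32\output\asdfBox.20210420.7z",
    r"C:\LR_WORK_DIR_PLACEHOLDER\lr\win32\output\asdfBox.20210420.log",
    r"C:\LR_WORK_DIR_PLACEHOLDER\lr\win32\output\otherhost.20210420.7z",
]

if __name__ == "__main__":
    for step in build_plan(PLAYBOOK_INI, CONTEXT, CLIENT_FILES):
        target = step.get("command") or step.get("path") or step.get("file_path")
        print(step["name"], step["operation"], target, step.get("matched", ""))
```

The point of raising on an unknown placeholder rather than leaving it in the string is that a typo like {WORKDIR} would otherwise be sent to the host verbatim as part of a command; failing early in the parser keeps that from reaching the live response session.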

Migrate Response Watchlists to PSC EDR Intel

There are three different ways to migrate Response Watchlists to PSC EDR Watchlists:

  1. One-to-One
  2. Many-to-One
  3. Many-to-Two (Not connected to CLI)

All of the above use the yield_reports_created_from_response_watchlists function to convert Response Watchlists into PSC EDR Reports. That function converts the Response queries to valid PSC EDR queries. If a query doesn't validate/convert, a log message is generated and the query is skipped; if it does validate, a Report is generated. If the Watchlist in Response was very slow or had errors, the resulting PSC EDR Report is automatically set to "ignore". Additionally, I passed all the available context about the Response Watchlist into the description of the resulting Report.

NOTE: I've found that the order of operations has changed and parentheses must be put around OR'd items if they were not previously. This means you need to review every watchlist where you use OR and make sure parentheses are placed around the OR'd items.

This example response query: process_name:schtasks.exe cmdline:""DHCP Monitor"" OR cmdline:""WAN Host""

Would become: process_name:schtasks.exe process_cmdline:"\"DHCP\ Monitor\"" OR process_cmdline:"\"WAN\ Host\""

And needs to be like: process_name:schtasks.exe (process_cmdline:"\"DHCP\ Monitor\"" OR process_cmdline:"\"WAN\ Host\"")
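The conversion and the parenthesization caveat can be checked mechanically across a set of watchlist queries. The following Python is an added example and not cbinterface's own yield_reports_created_from_response_watchlists code. It assumes, from the single example above, that Response's ""text"" form means the literal string "text" including its quotes and is spelled in PSC EDR as a quoted value with the inner quotes and spaces backslash-escaped, that cmdline is renamed to process_cmdline (the only rename the page confirms), and that adjacent terms are ANDed. It wraps every OR chain that sits beside other terms in parentheses, and separately flags queries that need that review.

```python
import re

# Field renames applied during migration; only cmdline -> process_cmdline is
# confirmed by the page. Other renames would be added here.
FIELD_MAP = {"cmdline": "process_cmdline"}

# One term: optional field name, then a value that is either the Response
# ""literal"" form, a normal quoted string, a parenthesis, or bare text.
TERM_RE = re.compile(r'(?:(\w+):)?(""(?:.*?)""|"(?:[^"\\]|\\.)*"|\(|\)|[^\s()]+)')


def tokenize(query):
    """Split a Response query into (field, value) pairs; operators and
    parentheses come back with field None."""
    return [(m.group(1), m.group(2)) for m in TERM_RE.finditer(query)]


def convert_value(value):
    """Re-escape a Response value for PSC EDR (assumed from the page's example).
    The ""DHCP Monitor"" form, meaning the literal text with its quotes, becomes
    a quoted value whose inner quotes and spaces are backslash-escaped."""
    if len(value) >= 4 and value.startswith('""') and value.endswith('""'):
        inner = value[2:-2].replace(" ", "\\ ")
        return '"\\"' + inner + '\\""'
    return value


def convert_terms(query):
    """Rename fields and re-escape values; operators pass through unchanged."""
    out = []
    for field, value in tokenize(query):
        if field is None:
            out.append(value)
        else:
            out.append(f"{FIELD_MAP.get(field, field)}:{convert_value(value)}")
    return out


def group_or_chains(terms):
    """Group terms into OR chains: 'a OR b' joins the current chain, while an
    adjacent term (implicit AND) or an explicit AND starts a new one."""
    chains, join_next = [], False
    for term in terms:
        upper = term.upper()
        if upper == "OR":
            join_next = True
        elif upper == "AND":
            join_next = False
        elif join_next and chains:
            chains[-1].append(term)
            join_next = False
        else:
            chains.append([term])
            join_next = False
    return chains


def join_terms(terms):
    """Join terms with spaces but keep parentheses tight against their contents."""
    return " ".join(terms).replace("( ", "(").replace(" )", ")")


def needs_or_grouping(query):
    """True when an OR chain sits next to other terms without parentheses,
    which is exactly the case the migration note says to review."""
    terms = convert_terms(query)
    if "(" in terms or ")" in terms:
        return False  # the author already grouped it; left as written
    chains = group_or_chains(terms)
    return len(chains) > 1 and any(len(chain) > 1 for chain in chains)


def convert_response_query(query):
    """Convert a Response query to PSC EDR syntax, parenthesizing OR chains."""
    terms = convert_terms(query)
    if "(" in terms or ")" in terms:
        return join_terms(terms)
    chains = group_or_chains(terms)
    if len(chains) == 1:
        return " OR ".join(chains[0])
    return " ".join("(" + " OR ".join(c) + ")" if len(c) > 1 else c[0] for c in chains)


if __name__ == "__main__":
    example = 'process_name:schtasks.exe cmdline:""DHCP Monitor"" OR cmdline:""WAN Host""'
    print(needs_or_grouping(example))
    print(convert_response_query(example))
```

Fed the example query above, convert_response_query returns the "needs to be like" form, and needs_or_grouping returns True for it, so running the latter over the exported Response Watchlist JSON is a quick way to list the watchlists the NOTE says to review.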

The Migration Strategy

With over 300 custom Response Watchlists, here is the strategy I used to migrate them to PSC EDR Watchlists:

  1. First, I separated out the watchlists with true-positive detections and low false-positive (FP) rates using our ACE Alert metrics. I put the names of these Watchlists into a text file and then exported them from Response using the following command:

    cat ~smcfeely/working/cbmigration/uniq.high_fidelity.watchlists.txt | cbinterface response_watchlist --watchlist-names-from-stdin -json > high_fid.response_watchlists.json

  2. Next, I used the command below to import these Response Watchlists into a single PSC EDR Watchlist I called "ACE Higher Fidelity Response Watchlists":

    cbinterface intel migrate ~smcfeely/working/cbmigration/high_fid.response_watchlists.json --many-to-one

  3. After that, I exported the remaining custom Response Watchlists into another JSON file and called the convert_response_watchlists_to_grouped_psc_edr_watchlists function from a Python terminal to organize them into two PSC EDR Watchlists: one for Response Watchlists that have never had a hit, and a "Low Fidelity" PSC EDR Watchlist for the remaining, lower-fidelity ones.