GitHub: https://github.com/tstillz/cbr-chrome
In this blog post, I’m releasing a Chrome extension I wrote to help responders and analysts perform quick lookups on key information in Carbon Black Response, such as a hostname, IP address, MAC address, binary name, MD5 hash and a binary’s internal name. The results are returned in a nice scrollable results pane. I’ve used this tool during many engagements to quickly research what the hostname or IP address was of a given asset accessed by an attacker. This extension is far from perfect, but it’s very simple and extensible. Feel free to modify it as you see fit.
To install the Chrome extension, go to chrome://extensions in your Chrome browser address bar and ensure Developer mode is enabled:
After you update the config.json file with your Carbon Black Response URL and API token (found under your Profile > API Token page), you can load the CBR-Chrome extension by clicking the Load Unpacked button. This will bring up a dialog box. Locate the extension’s directory on your system and click Select. If successful, you should see the following extension show up in your extensions list.
Once loaded, you should also see an icon in the top right corner of your browser.

Inside the input box, you can type in any hostname, IP address or MAC address, or even part of an IP/MAC address or hostname, to see all matching items. The image below shows a partial hostname search.
Next, we show a partial IP address search below.
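The partial hostname, IP and MAC matching described above, shown as an added example (this is not code from the CBR-Chrome extension). It assumes sensor records that carry `computer_name` and `network_adapters` fields, the latter in the `ip,mac|ip,mac|` form; the function names and sample records are constructed for illustration.

```javascript
// Added example: client-side partial matching over sensor records.
// Assumption: each record has `computer_name` and `network_adapters`
// ("ip,mac|ip,mac|"), as in a Carbon Black Response sensor listing.
// SAMPLE_SENSORS is constructed data, not output from a real server.
const SAMPLE_SENSORS = [
  { id: 1, computer_name: "FIN-WS-014", network_adapters: "10.20.30.14,000c29a1b2c3|" },
  { id: 2, computer_name: "FIN-SRV-02", network_adapters: "10.20.31.2,000c29ddeeff|192.168.56.1,0a0027000001|" },
  { id: 3, computer_name: "hr-lt-007", network_adapters: "10.20.40.7,f01898aabbcc|" },
];

// Lower-case and strip separators so "00:0C:29", "00-0c-29" and "000c29" compare equal.
function normalizeMac(value) {
  return String(value).toLowerCase().replace(/[^0-9a-f]/g, "");
}

// Split "ip,mac|ip,mac|" into [{ip, mac}], skipping empty or malformed entries.
function parseAdapters(raw) {
  return String(raw || "")
    .split("|")
    .map((entry) => entry.split(","))
    .filter((parts) => parts.length === 2 && parts[0] && parts[1])
    .map(([ip, mac]) => ({ ip: ip.trim(), mac: normalizeMac(mac) }));
}

// Return every sensor whose hostname, IP or MAC contains the typed term,
// along with the field(s) that matched so an analyst can see why it was listed.
function searchSensors(sensors, term) {
  const needle = String(term || "").trim().toLowerCase();
  if (!needle) return [];
  // Treat the term as a MAC fragment only if it is hex with ":" or "-" separators.
  const macNeedle = /^[0-9a-f:\-]+$/.test(needle) ? normalizeMac(needle) : "";
  const results = [];
  for (const s of sensors) {
    const adapters = parseAdapters(s.network_adapters);
    const matchedOn = [];
    if (String(s.computer_name || "").toLowerCase().includes(needle)) matchedOn.push("hostname");
    if (adapters.some((a) => a.ip.includes(needle))) matchedOn.push("ip");
    // Require at least 4 hex digits so very short fragments do not match every MAC.
    if (macNeedle.length >= 4 && adapters.some((a) => a.mac.includes(macNeedle))) matchedOn.push("mac");
    if (matchedOn.length) results.push({ id: s.id, hostname: s.computer_name, adapters, matchedOn });
  }
  return results;
}
```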
I also added the ability to search key binary terms, currently limited to md5, name and internal (the binary’s internal name). The images below show an example for each search prefix.
I hope this extension is helpful for those using Carbon Black Response. Happy Hunting!
This is awesome, thanks Tim!