Skip to main content

Carbon Black Response: CBR Chrome

Github: https://github.com/tstillz/cbr-chrome 

In this blog post, I’m releasing a Chrome extension I wrote to help responders and analysts perform quick lookups on key information in Carbon Black Response such as a hostname, ip address, mac address, binary name, md5 hash and a binaries internal name. The results are returned in a nice scrollable results pane. I’ve used this tool during many engagements to quickly research what the hostname or IP address was of a given asset accessed by an attacker. This extension is far from perfect but it’s very simple and extensible. Feel free to modify as you see fit. 

To install the Chrome extension, go to chrome://extensions in your chrome browser address bar and ensure Developer mode is enabled:
After you update the config.json file with your Carbon Black Response URL and API token (found under your Profile > API Token page), you can load CBR-Chrome extension clicking the Load Unpacked button. This will bring up a dialog box. Locate the extensions directory on your system and click Select. If successful, you should see the following extension show up in your extensions list.

Once loaded, you should also see an icon in the top right corner of your browser.


Inside the input box, you can type in any hostname, ip address, mac address or even parts of an ip/mac address or hostname to see all matching items. The image below shows a partial hostname search.  
 

Next, we show a partial ip address search below.

I also added in the ability to search key binary terms, currently limited to md5, name and internal (binaries internal name). The images below show an example for each search prefix.




I hope this extension is helpful for those using Carbon Black Response. Happy Hunting!

Acknowledgements

Special thanks to Mike Scutt (@OMGAPT), Jason Garman and the CB team for all the help.

Comments

Post a Comment

Popular posts from this blog

Revealing malware relationships with GraphDB: Part 1

In this post, we will learn how using a Graph Database like Neo4j can help visualize malware relationships and extend these relationships to identify patterns between samples. Before we dig into Neo4j, let’s start with some fundamental graph terminologies:   
Nodes represent entities such as a human, car, laptop or phone. Properties are attributes nodes can contain. A steering wheel or tires would be a property of the “car” node. Labels are a way to group together nodes of a similar type. For example, a label of “FastFood” may include nodes such as “Taco Bell, McDonald’s, and Chipotle”. Edges (or vertices) represent the relationship connection between two nodes. Relationships can also have their own properties. Getting started with Neo4jLink: https://neo4j.com/
Neo4j is a Graph Database commonly known for its pure simplicity and easy to use interface. I find the structure of a graph database quite fascinating, on top of learning how to normalize malware analysis data for each sample into a …

Analyzing and detecting web shells

Of the various pieces of malware i’ve analyzed, I still find web shells to be the most fascinating. While this not a new topic, i've been asked by others to do a write up on web shells, so here it is ;). 
For those new to web shells, think of this type of malware as code designed to be executed by the web server - instead of writing a backdoor in C, for example, an attacker can write malicious PHP and upload the code directly to a vulnerable web server. Web shells span across many different languages and server types. Let's take a looks at some common servers and some web extensions:
Operating System Service Binary Name Extensions Windows IIS (Internet Information Services) w3wp.exe .asp/.aspx Windows/Linux apache/apache2/nginx httpd/httpd.exe/nginx .php Windows/Linux Apache Tom

Introduction to Malware Analysis

Why malware analysisMalware analysis (“MA”) is a fun and excited journey for anyone new or seasoned in the career field. Taking a specimen (malware sample) and reverse engineering it to better understand its inner workings can be a long, tedious adventure. With the sheer number of malware samples circulating the internet, in addition to the various formats specimens are found in, makes malware analysis a good challenge. Outside of learning MA as a hobby, here are some other reasons why we perform malware analysis:To better understand how a specimen works. This may yield certain unique attributes about how the malware was written, methods it performs or its dependencies.To collect intelligence and build Indicators of Compromise (“IOCs”), usually comprised of Host Based Indicators (“HBIs”) and/or Network Based Indicators (“NBIs”).For general knowledge or research purposes.How do I get started?!If you’re new to malware analysis, you want to ensure you’ve taken the right precautions befor…