Github: https://github.com/tstillz/cbr-stack

In this blog post, we will cover how we perform stacking using Carbon Black Response and how we can use this methodology to find anomalies in your environment. In reality, an awesome threat hunter would like to have the following data at their disposal:

| Type | Code | Details |
|---|---|---|
| Real Time | RT | Real time process executions and their context |
| Forensic | FZ | Live forensic data such as prefetch, appcompat, registry keys, etc. |
| Network | NT | PCAP and extracted metadata |
| Logs | LG | Endpoint, firewall, proxy, AV, web logs, etc. |
| Binaries | BIN | Executables collected in real time or on demand |
| Memory | MEM | Real time inspection or dumping of process/system memory |

For this blog post, we will focus on Real Time (RT) process executions within Carbon Black Response. The concept of stacking is simple: we start with collecting data of the same type and choose specific fields in which we want to perform frequency analy
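As an added illustration of the stacking idea described above (example code written for this post, not the cbr-stack tool's own code), the following Python groups process-execution records by a chosen set of fields, counts executions and distinct hosts per group, and surfaces the groups seen on the fewest endpoints. The sample events are constructed, and the field names (hostname, process_name, path, parent_name) are assumptions for the example rather than a statement of the Carbon Black Response schema.

```python
from collections import defaultdict

# Constructed sample events shaped like process search results. The field
# names used here are assumptions for this example, not the product's schema.
SAMPLE_EVENTS = [
    {"hostname": "ws01", "process_name": "svchost.exe",
     "path": r"c:\windows\system32\svchost.exe", "parent_name": "services.exe"},
    {"hostname": "ws02", "process_name": "svchost.exe",
     "path": r"c:\windows\system32\svchost.exe", "parent_name": "services.exe"},
    {"hostname": "ws03", "process_name": "svchost.exe",
     "path": r"c:\windows\system32\svchost.exe", "parent_name": "services.exe"},
    {"hostname": "ws01", "process_name": "explorer.exe",
     "path": r"c:\windows\explorer.exe", "parent_name": "userinit.exe"},
    {"hostname": "ws02", "process_name": "explorer.exe",
     "path": r"c:\windows\explorer.exe", "parent_name": "userinit.exe"},
    {"hostname": "ws03", "process_name": "explorer.exe",
     "path": r"c:\windows\explorer.exe", "parent_name": "userinit.exe"},
    {"hostname": "ws01", "process_name": "chrome.exe",
     "path": r"c:\program files\google\chrome\application\chrome.exe",
     "parent_name": "explorer.exe"},
    {"hostname": "ws01", "process_name": "chrome.exe",
     "path": r"c:\program files\google\chrome\application\chrome.exe",
     "parent_name": "explorer.exe"},
    {"hostname": "ws02", "process_name": "chrome.exe",
     "path": r"c:\program files\google\chrome\application\chrome.exe",
     "parent_name": "explorer.exe"},
    {"hostname": "ws02", "process_name": "Chrome.exe",
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_name": "explorer.exe"},
    # Constructed outliers: a system process name launched from a user-writable
    # path with an unexpected parent, and a shell spawned by a mail client.
    {"hostname": "ws02", "process_name": "svchost.exe",
     "path": r"c:\users\public\svchost.exe", "parent_name": "explorer.exe"},
    {"hostname": "ws03", "process_name": "powershell.exe",
     "path": r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
     "parent_name": "outlook.exe"},
]

# The fields we stack on: the same process name seen from a different path or
# parent lands in its own group, which is exactly what we want to notice.
STACK_FIELDS = ("process_name", "path", "parent_name")


def stack(events, fields):
    """Group events by the tuple of the chosen fields.

    Returns {key: {"executions": n, "hosts": set_of_hostnames}}. Values are
    lower-cased so case differences do not split one stack into two.
    """
    stacks = defaultdict(lambda: {"executions": 0, "hosts": set()})
    for ev in events:
        key = tuple(str(ev.get(f, "")).lower() for f in fields)
        stacks[key]["executions"] += 1
        stacks[key]["hosts"].add(ev["hostname"])
    return dict(stacks)


def rank(stacks):
    """Order stacks rarest first: fewest distinct hosts, then fewest executions."""
    rows = [{"key": k, "executions": v["executions"], "hosts": sorted(v["hosts"])}
            for k, v in stacks.items()]
    return sorted(rows, key=lambda r: (len(r["hosts"]), r["executions"], r["key"]))


def rare(stacks, max_hosts=1):
    """Return only the stacks seen on at most max_hosts distinct hosts."""
    return [r for r in rank(stacks) if len(r["hosts"]) <= max_hosts]


if __name__ == "__main__":
    # Review the rare end of the stack first; that is where anomalies sit.
    for row in rank(stack(SAMPLE_EVENTS, STACK_FIELDS)):
        print(f'{len(row["hosts"]):>2} hosts {row["executions"]:>3} execs  '
              f'{row["key"][0]}  {row["key"][1]}  parent={row["key"][2]}')
```

Host prevalence is ranked ahead of raw execution count on purpose: a process that runs a thousand times on one machine is more interesting than one that runs twice on every machine. Lower-casing the key is the check that keeps `Chrome.exe` and `chrome.exe` in the same stack so that a harmless case difference does not masquerade as a rarity.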