Threat hunting is a very important activity in securing modern networks. While we want it to be as automated as possible, it requires a degree of human analysis by cybersecurity professionals. Fortunately, VMware Carbon Black Cloud simplifies and enriches the data it shows and alerts on so that even individuals with little to no formal training in threat hunting can understand what is occurring on a system when they see it in their VMware Carbon Black Enterprise EDR dashboard.

Before continuing, it’s important to define what exactly threat hunting is:

Threat hunting is the proactive technique that’s focused on the pursuit of attacks and the evidence that attackers leave behind when they’re conducting reconnaissance, attacking with malware, or exfiltrating sensitive data. Instead of just hoping that technology flags and alerts you to the suspected activity, you apply human analytical capacity and understanding about environment context to more quickly determine when unauthorized activity occurs. This process allows attacks to be discovered earlier with the goal of stopping them before intruders are able to carry out their attack objectives (Gregory, 2017, pg. 1).

The key difference between threat hunting and incident response is that threat hunting is proactive, whereas incident response is reactive. Often times great incident responders make legendary threat hunters because their experience helps them to accurately determine how an attacker will behave and what they might do next.

The VMware Carbon Black Cloud is a security solution suite comprised of the many products that may be used together or alone with a single lightweight sensor and cloud-based console. For the current user experience, we will focus on the following CB product.

​Enterprise EDR (previously named CB ThreatHunter) enables advanced threat-hunting with out-of-the-box watchlists curated by Carbon Black and third parties like MITRE as well as the capabilities for creating and tracking customized indicators of compromise (IOCs). Enterprise EDR continuously collects comprehensive data giving you all the information you need to proactively hunt threats, uncover suspicious behavior, disrupt attacks in progress, repair damage quickly, manage vulnerability, and address gaps in defenses. It allows you to search through raw unfiltered endpoint data by using a powerful query language, even if the endpoint is offline.

For more security best practices for Carbon Black Cloud please visit VMware Carbon Black TechZone here.

Before You Begin

Carbon Black Cloud Background

Threat Hunting

In order to complete this walkthrough please make sure you have the following:

Section 1: Accessing the Environment

First, open a web browser of your choice and navigate to portal.vmtestdrive.com. Select LOG IN. If you do not already have an account please reference the instructions found here.

Enter your TestDrive Username and Password and select ENTER.

Next, locate the Carbon Black EDR product under the Intrinsic Security tab.

Click LAUNCH and LAUNCH VIA WORKSPACE ONE.

A new tab will open with Workspace ONE. Enter your TestDrive username, then hit Next.

On the next screen, enter your TestDrive Password then hit Sign in.

Next, search for the CB Ransomware - Threat Hunting desktop. Click to open into the desktop either via HTML access or Horizon Client access.

Now you'll be on the Carbon Black Ransomware desktop. At this point, you can begin the walkthrough steps listed below.

The following section details the basics of accessing and using the Carbon Black Cloud. If you are familiar with the Carbon Black Cloud you may skip the informational section. For a more in-depth walkthrough of the CBC please see the “Endpoint Standard Hands-On Lab” located here: https://labs.hol.vmware.com/HOL/catalogs/lab/10096

2.1 Accessing the Carbon Black Cloud

The Carbon Black Cloud console is web-based with one lightweight sensor deployed to endpoints. The single sensor allows for consolidation across NGAV, EDR, vulnerability, and security auditing solutions. No configuration or maintenance of on-premises servers is required – offloading work from infrastructure and security teams.

The console is accessed through a supported web browser:

Login to Carbon Black Cloud:

For purposes of this lab use Google Chrome to access the console. On login, you will land on the CBC Dashboard. The main navigation menu is located on the left-hand side of the web console.

CBC Dashboard | The dashboard gives a high-level overview of your environment with interactive widgets.

2.2 Alert Walkthrough

The Alerts page displays events of known threats or potential risks to your environment. To navigate to the Alerts page, select Alerts from the left-hand menu.

Regularly review alerts to determine whether action needs to be taken or policies need to be modified. Alert notifications can be set up to email designated administrators when an alert occurs. Alerts can also be forwarded to a SIEM with the Carbon Black open API (https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/).

Alert severity indicates the relative importance of an alert and acts as a prioritization assistant (one being lowest severity and ten being highest, mission-critical). The following describes the ranges of severity:

Filters are available on the left-hand. This can be used to filter into alerts of interest by device, severity, etc.

To view additional information about an alert, click the chevron to expand. The Alert Details show additional information about the processes, behaviors (or TTP’s – Tactics, Techniques, and Procedures), recommended steps for remediation, and notes/tags.

CBC Alerts – Alert Details | Alert Details show additional information for further investigation into malicious/suspicious events.

The Techniques section in Alert Details shows what behaviors, or TTPs (tactics, techniques, and procedures), were exhibited by the specified process. TTP’s are color coded, with red being a higher severity. TTP’s can be clicked into to view further information about the TTP and what it means. Carbon Black also correlates MITRE techniques to TTPs which are also displayed. Clicking a MITRE technique will take you directly to the MITRE page correlating to that technique.

An alert visualization is generated for all alerts that occur. The visualization provides an easy-to-understand and digest view of what occurred during the attack sequence. To view an alert visualization, called Process Analysis, click the tree icon) in the upper right of alert details.

CBC Alerts | You can quickly pivot to the Process Analysis (tree icon), Investigate, or additional actions with the linked buttons.

The Process Analysis displays a tree containing events associated with the alert. A node represents an individual process or event. You can click a node to view additional process details on the right including reputation, TIDs (behaviors), command-line used, and other information. The Alert Triage provides actionable information about the events that occurred during an alert: including where prevention was applied, the source, and what the attacker may have been attempting.

CBC Alerts – Process Analysis| Shows an alert in a visual format; each node can be clicked into for more details about the selected process on the right.

A difference between CB next-gen AV (NGAV) and endpoint detection and response (EDR) are alert types. EDR alerts are generated from watchlists.

Using the Filters tab, you can filter the alert type Watchlists to focus on alerts related to active threat hunting.

CBC Alerts – Type filter for Watchlists

EDR alerts also provide more granular information. An administrator can see all log information for any selected node/process: every registry mod, module load, file modification, cross-process, script load, netconn, child process, etc which provides context-enriched information for threat hunting.

CBC Alerts – Additional information

2.3 Policies Walkthrough

The CBC Endpoint Standard solution offers flexible Policies. Policies determine preventative rules as well as sensor functionality. Carbon Black gives administrators to control and visibility into how prevention works in your environment.

Each endpoint with a sensor installed will belong to a single policy. A policy defines how the sensor should behave on the endpoint, blocking/preventative rules, exclusions and allowances, and other configurations.

In this lab, we have put the Horizon TestDrive endpoints into the ‘CB-Ransomware-ThreatHunting’ policy group that copies settings from 'Monitored'.

The Standard policy group comes Out Of The Box (OOTB) alongside the Monitored and Advanced policies and is meant to act as a day-one, production viable policy that gives additional preventative layers beyond a traditional AV.

To view information about Policies and the Standard Policy Rules, navigate using the main left-hand menu to Enforce -> Policies. On the ‘Prevention’ tab you can see rules associated with the selected policy group.

CBC Policies – Prevention Rules| Carbon Black offers OOTB production viable policies for day-one use while giving admins visibility and customizability into what is prevented and allowed.

3.1 User background [hypothetical] story

An attacker has been doing reconnaissance of a user over social media and publically available information using Open Source Intelligence (OSINT) tools. The attacker has realized the user has been posting free coupons. The attacker has set up a command and control (C2) website with a deceiving name "freecoupons.foryou" to manipulate this user.

Note: The website freecoupons.foryou is set up internally in TestDrive network for demonstration purposes and can not be accessed over the internet.

The user has received a macro-enabled excel and saved it on the desktop. Once opened the document, there are numerous coupon codes with the button "Free coupons". User would like to get more coupons so they can share them with friends. Once clicked on the button, google chrome is opened with a website freecoupons.foryou. Once the user explores that website and clicks on my coupon webpage. It will prompt the user to download an executable with the name of free_coupon.exe. The user is determined to get free coupons and consequently install the executable free_coupon.exe which leads to a ransomware attack.

3.2 Security Operations Center (SOC) analyst [hypothetical] story

As part of creating custom alerts for organizations' crown jewels the SOC has created a custom watchlist with a custom Indicator of Compromise (IOC) to alert when an SSH connection is made directly to the coreDB server where some of the protected data (e.g. health records, patient history) lives.

A direct SSH connection to the server is not allowed. However, the SSH service must remain open for automation workflows. The SOC has realized that adversaries have used Nmap to scan their network(s) to find vulnerabilities and move laterally for widespread compromise. Thus the SOC has created the previously described custom watchlist in the Carbon Black Cloud to alert when an SSH to coreDB is initiated.

As part of company policy macros are not supposed to be utilized. The SOC has set up out-of-the-box IOCs to alert if macros or Nmap are used in the organization. The name of the watchlist the SOC team has created is "Crown Jewels Alert":

For more information about watchlists review the following guide here.

Spearphishing is a common technique to infiltrate and gain initial access to an environment. Much of the data attackers use to make an email seem legitimate is available online – and even posted by companies themselves. Public information such as employees, current projects, organizational charts, and so forth can be used to make a message appear legitimate to even discerning employees.

4.1 Excel Macro-Enabled

According to VMware Threat Research blog post - VMware Threat Landscape Report Blog, "Although the malicious payloads found in email-based attacks frequently change, the vast majority of cybercriminals were observed using three basic strategies: malicious attachments, links to malicious web pages, and enticements to perform transactions."

In this TestDrive user experience, a user has received a macro-enabled excel file and saved it on the desktop. For years, Excel-based macros delivered via phishing campaigns have been a popular choice in delivering malicious payloads. This was made abundantly clear after research done by the VMware Lastline Research Group shed new light on the frightening evolution of macro code weaponization, with a new wave of samples appearing on nearly a weekly basis.

This Excel spreadsheet has a hidden code that triggers upon a user click on a button in Excel named FreeCoupons.

On button click (the code):

Here is a screenshot of hidden code in the Excel file and the button that triggers it.

4.2 Website - FreeCoupons.foryou

Once the user clicks on the macro-enabled button and all the hidden code has run. User will see google chrome with a website opened freecoupons.foryou.

The adversary is hoping the user to fall for this website and go through different pages and make the user believe that this is a legitimate website. Once the user clicks on my coupon webpage, there will be a prompt to download an executable file name free_coupon.exe. Once the user installs this executable, a ransomware attack will be completed and a ransom screen will show up.

Here is a step-by-step user web click-flow for this lab.

For demonstration purposes, we have set the Carbon Black Policy to monitor only. Keep in mind same attack would be prevented with an appropriate policy configuration.

During this lab, we want to give you a complete experience of ransomware attacks so the policies are set not to prevent this attack.

Short version:

Step by step elaborated version:

3. Open an excel name FreeCoupons located on the Desktop.

4. Click on the "Free Coupons 100% off" button. This will open a google chrome with a website freecoupons.foryou.

Notice that prevention is NOT applied based upon the configured policies for demonstration purposes. When we visit the Carbon Black console, we can dig further into how we saw ransomware-like behaviors to detect and prevent similar attacks.

5. You can minimize the putty window.

6. Once the website freecoupons.foryou has opened automatically in google chrome. You can either explore the web pages such as Coupons, Coupon Code, Brands, Blog, etc., or navigate directly to the last menu My coupons.

7. Once clicked on the My coupons web page, you will be promoted to download free_coupon.exe. Download and save it.

8. Once downloaded, you can install it by double-clicking on it from the google chrome download bar towards the bottom of google chrome.

Click on Run once prompted.

9. As soon as you run the executable you will see additional files related to ransomware (in Downloads/Desktop folders).

Note: This is a safe/isolated TestDrive environment to detonate ransomware attacks for demonstration purposes only. Don't detonate ransomware in production environments.

10. Finally, you will see a ransomware note on your desktop. Please ignore this message and do not click on any of the buttons on the ransomware message to avoid steps beyond this demonstration.

We will now pivot to the Carbon Black Console to review information about the attack we just ran. Open Cabon Black Console.

Brief version:

You can use the file ReadMe on the desktop to find the URL, username, and password to log into the CB console.

Using CB filters, you can narrow down your search for your endpoint (or the endpoint in question during threat hunting).

Note: if you don't know what is your device name, in the next step we have guidance to retrieve that information.

Option 1: Open a command prompt and type the following command:

Option 2: In windows settings, click on About and you can view the Device name.

Option 3: (Only applicable to this TestDrive user experience): On desktop, BGinfo is enabled where you can view the hostname. This is only visible prior to the Ransomware attack.

You can filter all the alerts for your device only, set the time range to 3 hours.

Also, ensure the toggle is off for Group alerts to keep all the alerts ungrouped for this exercise.

We will start threat hunting with an alert triggered using a custom IOC with severity 10 (highest).

Once you click on the chevron of this alert, an analyst can get cursory information such as an exact indicator of compromise (IOC) trigger, process name, Device information, etc.

For further process investigation, click on the 3-prong icon of the selected event.

This gives you a visual representation of the process involved in this alert.

As you view on the right side of this alert tirage view, you will get information about the process and techniques. During active threat hunting, the information about techniques used is very important to know the skill level and motives of an adversary.

As a SOC analyst, you have started investigating this threat but you need additional information to determine the impact and widespread of this potential threat.

Within the same screen, you can click on parent processes to get a visualization of the involved processes.

Click on powershell.exe process.

Click on parent (left side) of powershell.exe process.

Within minutes, an analyst can see the excel process triggered chrome.exe process along with powershell.exe which consequently leads to the putty.exe (where the original alert was triggered).

Now, that you have seen an excel process triggered chrome.exe. Let's expand that process.

Note: make sure to turn on Group by hash which helps to organize process tree visualization.

We see 3 child processes grouped by hashes. You can analyze other child processes, for this lab the interesting one is free_coupon.exe.

Once you expand free_coupon.exe, you will see child processes indicating to wannacry ransomware.

From a watchlist-triggered alert to a ransomware attack incident, all threat hunting was performed using VMware Carbon Black Cloud.

Within the same process tree, while you have free_coupon.exe selected. Click on the SHA-256 to determine the widespread across all organizations at all times.

Your view is switched from Alerts to Investigate automatically.

Click on Enriched Events.

Be sure to select the time range All available to check the widespread of this executable.

Verify that all filters are Clear. Click on Devices to check all the endpoints hit by the same ransomware across all assets which are equipped with Carbon Black sensor.

This lab is for demonstration purposes so widespread is contained to very few endpoints. However, in production environments results may vary.

The following section is not part of the threat hunting lab.

Clear all search queries from Investigate search bar. Select Enriched Events.

Click on the drop-down from the search bar, and select Suggested.

You can select any of the pre-built queries and review the results.

VMware Carbon Black Cloud Enterprise EDR enables you to modernize and mature your Security Operation Centers (SOC) to defend your organizations from unknown or modern attacks. VMware Security is enabling SOC teams to reduce mean time to detect and respond to threats to reduce the dwell time of adversaries being in the environment.

As demonstrated, using custom and threat watchlists threat hunting is simplified using Carbon Black enriched data. Leveraging Carbon Black automated queries, you were also able