Carbon Black Cloud and Audit/Remediation

Updated on

The Carbon Black Cloud Workload Protection (CWP) solution can be accessed through both the Carbon Black Cloud Console and the Carbon Black vCenter plugin.

1. Accessing Carbon Black Cloud

The Carbon Black Cloud console is web-based with one lightweight agent deployed to endpoints.

The console is accessed through a supported web browser: 

  • Windows: Chrome, Edge, Firefox 
  • macOS: Chrome, Firefox, Safari 

Login to Carbon Black Cloud: 

  • URL: https://defense-prod05.conferdeploy.net/
  • User: (listed in text file on the Carbon Black Cloud desktop)  
  • Password: (listed in text file on the Carbon Black Cloud desktop)
  • Click the "Carbon Black Cloud" Chrome Link
  • Login with credentials listed in text file on the desktop

If you are an existing Carbon Black Cloud customer using the next-generation AV, EDR, container security, or other solution the Cloud Workload Protection solution lives in the same cloud-based console. CWP vulnerability information lives in the Vulnerabilities tab.

  • On the left side navigation menu, click "Harden" to expose menu options
  • Click "Vulnerabilities" to view vulnerability information

2. CWP

CWP gives teams a shared truth of risk, minimizing friction between teams such as infrastructure and security. Teams have the same visibility and understanding of vulnerabilities whether they are viewing information in the Carbon Black Cloud or within the vCenter plug-in.

Vulnerabilities can be explored within the Carbon Black Cloud in the same method used in Section 4.

For a more guided experience on using the Carbon Black Cloud for vulnerabilities see Module 4 of the CWP Hands-on Lab simulation: https://labs.hol.vmware.com/HOL/catalogs/lab/10212

3. Audit and Remediation

To gather stateful information which is correlated to vulnerabilities another part of the Carbon Black Solution suite is leveraged called Audit and Remediation. Audit and Remediation allows administrators to ask questions on the environment across hardware, software, and network variables at scale. Cloud Workload Protection customers have access to the full Audit and Remediation solution beyond its use in vulnerability assessment. This portion of the experience will walk through using Audit and Remediation.

If you are not currently logged in to the Carbon Black Cloud console see section 5.1 for how to log in.

  • On the left-hand navigation menu click Live Query to expand the menu
  • Click New Query menu option

Numerous queries are pre-built and come OOTB with Audit and Remediation - called recommended queries. Pre-built queries full under IT Hygiene, Vulnerability Management, Threat Hunting, and Compliance use cases. Recommended queries can be filtered by selecting a use case, filtering by applicable OS, or searching for keyword(s).

Queries can be run on a one-off basis or scheduled to run automatically (daily, weekly, monthly, etc.). Query results can be viewed in the console or exported.

  • Click Vulnerability Management to review queries falling under this use case

CWP and Audit/Remediation give administrators a greater understanding of what they are securing. We will review a recommended query to better understand the information Audit and Remediation can provide.

  • Scroll down to the Installed Windows Applications query
  • Click the 'plus' to expand and view SQL

6. Installed Windows Applications

The Installed Windows Applications query returns information about applications installed by msiexec.exe. By expanding a query you can view the SQL code used in the query. Audit and Remediation leverages osquery and standard SQL syntax. 

osquery schema can be viewed on the following page: https://osquery.io/schema/4.5.0

Beyond recommended queries, administrators can create their own, custom queries to suit any number of use cases. Queries are built using standard SQL syntax and the previously linked osquery schema.

7. Create Custom Query

We will create a custom query that looks at the value for the 'LimitBlankPasswordUse' registry key. The value for this registry key can be 1 or 0; 1 being recommend as this prevents netconns from accessing endpoint with a blank password. An attacker could change the registry key to gain access to an environment.

This query comes from the Carbon Black Query Exchange. The query exchange is an open forum for Carbon Black customers to share queries they've created - or leverage queries others have created. The Query Exchange is linked on the top right of the page. Note that only Carbon Black customers can access the Query Exchange.

Queries can be run environment-wide or on a specific endpoint(s) or policy group. Let's run this query on a specific workload.

  • Click 'Endpoints' hyperlink to expose endpoint selection
  • Type in 'cb-win-10' and select the workload

8. Run Custom Query

  • In the 'SQL' textbox copy and paste the following query
WHEN 1 THEN "Blank Password Auth via Network Not Possible"
WHEN 0 THEN "Blank Password Auth via Network Possible"
END "LimitBlankPasswordUse"
FROM registry WHERE PATH="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa";
Click to copy

9. Run Custom Query

  • In the 'Query Name' text box enter 'YOUR NAME - TD'
  • Click 'Run' to run your newly created query

Query results can be viewed in the console or exported.

10. Query Results

  • Click 'Query Results' on the left-hand menu under the parent 'Live Query'
  • Select your query to view results
Previous Article Identifying Risks
Next Article Resources