This section shows how to investigate each process, command, and binary using Carbon Black.
Initial Attack Vector determination
1. The process tree goes from Outlook to Word, which indicates that the initial vector was an attachment.
Leverage Carbon Black (CB): the watchlist hit indicates that this activity is part of Initial Access and involves Visual Basic. This information helps you determine the initial vector, that is, how the attack started.
Alert Triage using Watchlist hits
2. From winword, multiple child processes are created.
Watchlist hits clearly identify the stage of the attack, along with details such as Spearphishing Attachment. Again, this is valuable during alert triage, where the additional context increases your confidence when formulating next steps.
Process Analysis - chrome.exe
3. Select the chrome.exe process and check the website accessed from the device.
You can either use this information for further investigation or check the blast radius and see who else in your organization is going to that website.
Process Analysis - powershell.exe
4. Select the 1st powershell.exe and use the Carbon Black reveal feature to see the command used.
Note: If this command was encoded, Carbon Black would have decoded it automatically.
5. You can see information such as which GitHub location was used to download the scripts.
Expand 1st powershell.exe process
6. [Optional] Expand the 1st powershell.exe down to the last child process.
Expand 2nd powershell.exe process
7. Expand the 2nd powershell.exe and see the child processes such as
We use all of these commands in our daily routine. However, they are not normally used all at once in such a short time, and especially not as child processes of Outlook, Word, etc.
Expand 3rd powershell.exe process
8. Expand the 3rd powershell.exe and review the child process. You see a node name
Tip: Right-click to open Binary Details so that you preserve the screen you are currently on.
9. You can click on Binary Details to get additional information about this executable.
Tip: If you clicked on Binary Details instead of right-clicking to open it in a new tab, you can use the browser "click to go back" button to return to the same screen. You may have to reopen some processes the way you had them previously.
10. Furthermore, while highlighting freecoupon_forlife.exe, you can click on Take Action (orange button) and select Find in VirusTotal.
This will open a new tab auto-filled with the hash of this executable,
Review Ransomware Binary
11. You can see that this binary, freecoupon_forlife.exe, is associated with DarkSide ransomware.
Expand 4th powershell.exe process
12. Expand the 4th and last powershell.exe and review the child processes.
Review free_coupon.exe events
13. Select and highlight free_coupon.exe and scroll down to review events related to this node.
Filter events by netconn
14. Filter the events by netconn.
"This was part of the reverse shell stage of the attack"
Note: The connections were outbound on port 443, which almost all firewalls allow so that users can reach popular websites. As a threat hunter, you should record this as an anomaly, since this executable is not approved and is attempting outbound connections.
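The two anomalies this walkthrough relies on (a burst of child processes under an Office-descended powershell.exe, and an outbound connection from an unapproved binary) can also be checked over exported process events. The following is an added example, not part of the original lab and not Carbon Black's API; the event tuple layout, the allowlist, the thresholds, the IP addresses and the tool_* process names are constructed assumptions.

```python
from collections import defaultdict

OFFICE = {"outlook.exe", "winword.exe"}
APPROVED_NET = {"outlook.exe", "chrome.exe"}  # assumed allowlist of network-capable binaries
BURST_COUNT, BURST_SECONDS = 3, 60            # assumed thresholds for "all at once"
# Constructed events: (pid, ppid, name, start_second, [(remote_ip, port), ...])
EVENTS = [
    (100, 1, "outlook.exe", 0, [("203.0.113.5", 443)]),
    (200, 100, "winword.exe", 10, []),
    (300, 200, "powershell.exe", 15, []),
    (301, 300, "tool_a.exe", 16, []),   # placeholder names, not the lab's commands
    (302, 300, "tool_b.exe", 17, []),
    (303, 300, "tool_c.exe", 18, []),
    (400, 200, "powershell.exe", 40, []),
    (401, 400, "free_coupon.exe", 45, [("198.51.100.7", 443)]),
    (501, 1, "chrome.exe", 20, [("203.0.113.9", 443)]),  # normal browsing, no Office parent
]

def has_office_ancestor(pid, by_pid):
    """Walk parent links upward; True if an Office application is an ancestor."""
    seen, ppid = set(), by_pid[pid][1]
    while ppid in by_pid and ppid not in seen:
        if by_pid[ppid][2] in OFFICE:
            return True
        seen.add(ppid)
        ppid = by_pid[ppid][1]
    return False

def hunt(events):
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e[1]].append(e[3])  # child start times per parent pid
    findings = []
    for pid, _ppid, name, _start, conns in events:
        if not has_office_ancestor(pid, by_pid):
            continue
        starts = sorted(children[pid])
        # Burst: BURST_COUNT children started within BURST_SECONDS of each other
        if any(starts[i + BURST_COUNT - 1] - starts[i] <= BURST_SECONDS
               for i in range(len(starts) - BURST_COUNT + 1)):
            findings.append(("child_burst", name, pid))
        # Outbound connection from a binary that is not on the allowlist
        if name not in APPROVED_NET:
            findings.extend(("unapproved_netconn", name, pid, ip, port) for ip, port in conns)
    return findings

if __name__ == "__main__":
    print(*hunt(EVENTS), sep="\n")
```

Port 443 alone does not distinguish the two connections in the sample; the ancestry and the allowlist do, which is why chrome.exe is not reported.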