Threat Hunting with Carbon Black XDR (Phishing turned into ransomware)

What is Threat Hunting?

Threat hunting is the practice of proactively searching for security threats and vulnerabilities in an environment before they can be exploited by attackers. It involves analyzing data from various sources, such as process events, network traffic, and user behavior, to identify signs of malicious activity that may have evaded traditional security measures such as firewalls and antivirus software.

Carbon Black XDR extends endpoint detection and response by enabling security operations teams to visualize and analyze network, endpoint, workload, and user data in context. Carbon Black XDR surfaces new results by preserving and extending the endpoint, network, workload, and user contexts during analysis and display, giving you the information you need to proactively hunt threats, uncover suspicious behavior and lateral movement, disrupt attacks in progress, repair damage quickly, manage vulnerabilities and address gaps in defenses.

The key difference between threat hunting and incident response is that threat hunting is proactive: the goal is to detect and mitigate threats before they can cause damage. Incident response is reactive: the goal is to minimize the damage caused by the incident and prevent it from happening again. Often, great incident responders make legendary threat hunters because their experience helps them accurately determine how an attacker will behave and what they might do next.

1. Accessing the TestDrive Experience

1.1. Access TestDrive LIVE environment

In order to complete this walkthrough please make sure you have the following:

  • A valid account in the VMware TestDrive environment (if you do not have one, sign up here)
  • Outbound TCP and UDP ports 80, 443 and 8443 allowed from the computer you are accessing TestDrive from; if using PCoIP, TCP and UDP 4172 as well
  • The Horizon Client installed on your machine

Access the TestDrive portal at portal.vmtestdrive.com; sign in with your TestDrive account email and password.

When logged in to the TestDrive Portal, click on the Networking and Security tab.

Next, locate the VMware Carbon Black XDR product and click LAUNCH.

Log in with your TestDrive username and password. On the next screen, if it is not displayed, search apps for 'Carbon Black XDR' in the search box.

Click to open the VDI desktop via either the Horizon App or the web-based console.


1.2. Access Carbon Black Cloud within TestDrive environment
  1. Gain access to the TestDrive environment.
  2. Make sure you are logged into a TestDrive VDI Windows environment.
    • Your username should be VMWDP\xxxx
  3. On the desktop, you will find a text file named ReadMe.
  4. This ReadMe text file contains all the information about how to log into Carbon Black Cloud.

2. Attack Stages

2.1. A phishing email to the victim

An attacker has been doing reconnaissance on a user over social media and publicly available information using Open Source Intelligence (OSINT) tools. The attacker has noticed that the user has been posting free coupons. The attacker has set up a command and control (C2) website with the deceptive name "freecup0ns.tk" to manipulate this user.

Note: The website freecup0ns.tk is set up for demonstration purposes.

The user has received a macro-enabled Word document in an email. Once the document is opened and content is enabled, Google Chrome opens the website freecup0ns.tk and Notepad opens automatically. The attacker could print anything in this Notepad window.

2.2. What's visible to the victim

The victim only sees Google Chrome and Notepad open on their screen, which can appear benign and not linked to any malicious activity.

Furthermore, from the endpoint, only legitimate protocols are used during this attack, which again is not suspicious and would not normally be blocked.

What is actually happening on the endpoint

The attacker has crafted this attack to make it look benign and evade all traditional network and endpoint security products.

So this is what is visible to the victim:

  • Email with an attachment (Word document)
  • Email came from a legitimate domain and the Word document doesn't look suspicious
  • After opening the Word document (and enabling content):
    • Google Chrome opens with a coupon website
    • A text file is opened in Notepad
    • All network connections were made over legitimate protocols

None of these actions would have triggered a user to be suspicious.

What else happened at the victim's endpoint:

  • Download of an implant from the attacker's staging server
  • Execution of the implant on the victim's endpoint, establishing a connection over port 443 to the attacker's command and control (C2) server
  • Once the C2 server sees the implant, an autorun is used to move the implant laterally to another machine (victim 2). This is done using WinRM
    • From this moment, the attacker can run any PowerShell command on the victim 1 and victim 2 machines.
  • The attacker ran a PowerShell script, password spraying the AD server and targeting known users
  • Execution of local endpoint reconnaissance commands (systeminfo, arp, hostname, etc.), with the output saved locally on the endpoint
  • File transfer of the locally saved reconnaissance file to the attacker's server to gain insight into this endpoint; this could just as well have been other files, such as all Word or Excel files from the endpoint
  • Download of DarkSide ransomware from the attacker's staging server
  • Execution of the ransomware
  • Clearing of all the logs

All of this telemetry data is captured by Carbon Black XDR and you will review it in the next section.


3. Lab Time

3.1. Wear a hat as a Victim

In this section, you will experience the attack as a victim.

This attack is a phishing email turned into ransomware.

3.1.1. Brief Instructions
  1. Set up Outlook without an email account. For more detailed instructions, CLICK HERE.
  2. Open & Export, Import from another program or file
  3. Import the Outlook Data File (.pst) located at C:\Users\Public\Desktop\Carter.Hale
    • Note: Please be sure to import the .pst file from the given location.
  4. Open the Word document attachment in the email from Jeremy Jones ([email protected])

For an elaborated step-by-step walkthrough and detailed instructions, CLICK HERE.

3.1.2. Elaborated Instructions
1. On the desktop, double click the shortcut named "Outlook No Account" to launch Outlook.

2. After Outlook is launched, click on the File tab in the Outlook window.

3. Select Open & Export, then select Import/Export

4. Select Import from another program or file, then click on Next

5. Select Outlook Data File (.pst)

Note: Don't click anywhere other than Browse

6. Click on Browse...

7. In the Windows Explorer dialog that opens, type the following location:

  • C:\Users\Public\Desktop\

Note: It is important that you type the exact location.

Tip: If you are using the Horizon client (not the browser), you can copy and paste this location from this guide into the TestDrive environment.

8. Select Carter.Hale (this is the Outlook .pst file)

9. Click on Open

Note: Verify that you are importing the right .pst file, Carter.Hale.pst

10. Click on Next

11. Click on Finish.

12. Click on Inbox

[Optional] Read the email from Jeremy Jones ([email protected])

13. Click the attachment (the Word document) to open it

14. Click on Enable Editing

15. Click on Enable Content

You will see Google Chrome and Notepad open automatically, and a file called README.27xxxxx is created on the desktop (there is a delay in the download, so you may need to wait a few minutes). The user's files have been encrypted.


3.2. Wear a hat as a security operations center (SOC) analyst

In this section, you will go through the experience of a SOC analyst working from the Carbon Black Cloud console. We will be investigating what happened.

3.2.1. Let the threat hunting games begin

A few things you want to keep handy for the next steps:

  1. Log into Carbon Black Cloud. Here are the steps.
  2. Make a note of the hostname and IP of the TestDrive Windows VDI you are logged into. Here are the steps.

Once you know the hostname and you are logged into the CB console, proceed with the next steps.

3.3. Threat Hunting using Carbon Black XDR

We are going to use the new Observations tab to threat hunt across our estate. An Observation is interesting or suspicious activity in an environment that does not always reach the importance of generating an alert.

  1. Select the Investigate section and, in the Observations tab, search for the device (hostname) you wrote down in the previous step

Note: Carbon Black is set to a detection-only policy for demonstration purposes. The initial stages of this attack could have been prevented by leveraging Carbon Black prevention policies.

We will start the threat hunt by looking into Indicators of Attack.

2. Filter the observations using the Indicator of Attack type. For more details on the observation types, please refer to the user guide in the console.

You can see that there is an executable, freecoupon_forlife.exe, which is attempting to modify user data files and is also encrypting files. The i icon next to the tactic used gives details as to what is going on. The histogram at the top of the page shows activity around 5:00pm (your histogram will show activity at whatever time you launched the attack). We need to look into this.

3. To investigate further, select the triage icon on the far right of the observation.

5. You can go through each node (process) and review the process map.

"A picture is worth a thousand words"

The process map shows that freecoupon_forlife.exe was spawned by powershell.exe. What is freecoupon_forlife.exe? Let's look into this.

6. Use the Take Action button and find the binary in VirusTotal.

VirusTotal shows us that this binary, freecoupon_forlife.exe, has been flagged as malicious and is more commonly known as DarkSide ransomware. How did this get on my machine?

7. Let's look into powershell.exe, the parent process of freecoupon_forlife.exe. Click on powershell.exe to broaden the investigation.

There are 4 instances of powershell.exe running, all spawned by winword.exe (most likely a Word document).

8. Select the number 4.

We have multiple hits on watchlists (as we do with all stages of this attack). Watchlists provide custom detection and continuous monitoring of the environment. They consist of reports, which are collections of IOCs. With Carbon Black XDR, you have the ability to use custom watchlists or the watchlists provided by Carbon Black.

As well as the watchlist hits, we also have netconns being made from powershell.exe. Let's look specifically at the netconns. This will give us more detail on how freecoupon_forlife got onto our network.

9. Filter on netconns to investigate the network connections


Carbon Black XDR has network connection visibility. Network connection visibility enables customers to visualize and analyze network data in context, using the Carbon Black Cloud. The XDR network telemetry includes continuous capture and analysis of network fingerprints, flow and TLS data, and application-protocol data.

You can see that an HTTPS connection was made to freecup0ns.com using TLS 1.2, and the flow events show that we have a large number of bytes received (this would be the download of freecoupon_forlife.exe). I also see information on the certificate and JA3 used; both can be useful for future detection and prevention.

We have visibility of the process and the visibility of the network connection.

There are other instances of powershell.exe running at the same time, from the same winword.exe process. Let's look into them.

10. In process tree, select and expand the second powershell.exe instance.

Here we see network discovery tasks, such as ipconfig.exe and netstat, being run. If we look at the cmdline (at the top of the page), we can see that the outputs are being written to a file called fc_info.txt and then uploaded to a dropbox.tk website.

11. In process tree, select and expand the third powershell.exe instance.

This process tree shows us how the text file was opened on the desktop as soon as we enabled the macro on the Word document. A PowerShell script was used to open notepad.exe.

12. In process tree, select and expand the fourth powershell.exe instance

Here we see that PowerShell is used to run an executable, freecoupon.exe, which in turn runs other cmd.exe and powershell.exe instances. I can see in the cmdline that a curl is run to c3.freecup0ns.com, a file freecoupons.exe is written to \programdata and then executed.

Note: if this command was encoded, Carbon Black would have decoded it automatically.

By filtering for netconn events only, I can see established and outbound connections to c3.freecup0ns.com.

What happened once freecoupons.exe is run?

13. Click on cmd.exe to find out more.


We see that cmd.exe is used to load a payload.bat file. That does not look too great, and we need to know what this payload.bat file does.

14. Select the child process of cmd.exe, powershell.exe

cmd.exe runs payload.bat, which uses PowerShell to make network connections. Again, by filtering for netconn events, I see an alert on a connection to (this is our C2 Server).

15. Let's expand this event by clicking the arrow.

The connection is over 443, and I see many TTPs (bypass policy, code_drop, fileless, leverages_system_utility). I also see that XDR recognizes that the adversary is trying to run malicious code. This is the implant to the C2; the C2 is issuing PowerShell commands (auto runs) to this machine using a reverse shell over 443.

Scrolling further through the netconn events, I also notice a strange connection between two machines in my network over 5985.


16. Expand the establishing netconn event

The connection is between two machines on my network. I can see that WinRM is being used, as this is the user-agent, and I can see bytes being sent. This is indicative of lateral movement. The adversary compromised one machine and, from that, is moving through my network using WinRM.

We now have a complete picture of what happened, all visible in a single console, with XDR TTP tags, MITRE ATT&CK Framework mapping and clear descriptions helping make understanding the attack simple.
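The three behaviours walked through above (winword.exe spawning powershell.exe, powershell.exe pulling a large download over 443 from outside the network, and an internal-to-internal WinRM connection over 5985) can be written down as hunting rules and run over telemetry. This is an added example over constructed sample events, not Carbon Black code; the event field names, hostname, addresses and the download-size threshold are assumptions, not the Carbon Black Cloud schema.

```python
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not real events); field names are assumptions,
# not the Carbon Black Cloud schema.
EVENTS = [
    {"type": "childproc", "device": "WIN10-CARTER",
     "parent": "winword.exe", "process": "powershell.exe"},
    {"type": "netconn", "device": "WIN10-CARTER", "process": "powershell.exe",
     "remote_ip": "203.0.113.10", "remote_port": 443,
     "bytes_received": 5_400_000, "user_agent": ""},
    {"type": "netconn", "device": "WIN10-CARTER", "process": "powershell.exe",
     "remote_ip": "10.0.0.25", "remote_port": 5985,
     "bytes_received": 2_000, "user_agent": "Microsoft WinRM Client"},
    {"type": "netconn", "device": "WIN10-CARTER", "process": "chrome.exe",
     "remote_ip": "198.51.100.7", "remote_port": 443,
     "bytes_received": 250_000, "user_agent": ""},
]

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LARGE_DOWNLOAD = 1_000_000  # bytes received; the threshold is an assumption


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def hunt(events):
    """Return (tactic, device, detail) tuples for events worth triaging."""
    hits = []
    for e in events:
        if e["type"] == "childproc":
            # Office application spawning a script host: the macro firing.
            if e["parent"] in OFFICE_APPS and e["process"] in SCRIPT_HOSTS:
                hits.append(("macro_spawn", e["device"], f"{e['parent']} -> {e['process']}"))
            continue
        internal = is_internal(e["remote_ip"])
        # Script host pulling a large payload from outside: the implant download.
        if e["process"] in SCRIPT_HOSTS and not internal and e["bytes_received"] >= LARGE_DOWNLOAD:
            hits.append(("code_drop", e["device"],
                         f"{e['process']} received {e['bytes_received']} B from {e['remote_ip']}:{e['remote_port']}"))
        # Internal-to-internal WinRM (5985/5986 or WinRM user-agent): lateral movement.
        if internal and (e["remote_port"] in (5985, 5986) or "WinRM" in e["user_agent"]):
            hits.append(("lateral_movement", e["device"], f"WinRM to {e['remote_ip']}:{e['remote_port']}"))
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(*hit, sep=" | ")
```

The chrome.exe event is a deliberate decoy: ordinary browsing over 443 produces no hit, which is the same distinction the console draws between a benign netconn and the powershell.exe download.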

This behavior of lateral movement using WinRM was also picked up by our Intrusion Detection System (IDS) engine. The purpose of an IDS is to detect and respond to malicious activity. Carbon Black XDR's IDS instantly identifies malicious network behaviors.

We monitor the activity on a host for signs of suspicious behaviour, such as changes to system files, unauthorized access attempts, or unusual network traffic. We use a mix of signature-based detection and behavioural analysis to identify potential security threats.

We surface the most important observations fast.

17. Go back to the Observations tab (Investigate > Observations), deselect Indicator of Attack and select the Intrusion Detection System type.


Expanding the IDS alert gives information on what XDR has seen. You can see that we have identified this as lateral movement using Windows Remote Management; for information on any of the fields, select the i icon.

With Carbon Black XDR, you get complete process, identity and network visibility. Carbon Black XDR gives you the power to detect, respond and remediate in real time, stopping active attacks and repairing damage quickly. It reduces complexity, accelerates investigations and greatly reduces dwell time, average time to detection and time to resolution.

By providing this unmatched visibility into process and network data, Carbon Black XDR helps to reduce risk and provides you with the tools required to protect against modern threats.

