Begin Threat Hunting

Updated on

We are going to use the new Observations Tab to Threat Hunt on our estate. An Observation is interesting or suspicious activity in an environment that does not always reach the importance of generating an alert.

The Investigate Tab

Select the Investigate section and in the Observations tab, search for the device (hostname) you wrote down in the previous step

Indicators of Attack

Note: Carbon Black is set to Detection only policy for demonstration purposes. Initial stages of this attack could have been prevented leveraging Carbon Black prevention policies.

We will be starting the Threat Hunting by looking into Indicators of Attack.

Filter the observations using the Indicators of Attack type. For more details on the attack types, please refer to the user guide in console.

You can see that there is an executable, freecoupon_forlife.exe, which is attempting to modify user data files and is also encrypting files. The "i" icon next to the tactic used gives details as to what is going on. The histogram at the top of page shows activity around 5.00pm (your histogram will show activity whenever you launched the attack). We need to look into this.

Observation Analysis

To investigate further, select the process analysis icon on the far right of the observation.

Process Map

You can go through each node (process) and review the process map.

"A picture is worth a thousand words"


The process map shows that freecoupon_forlife.exe was spawned by powershell.exe.

What is freecoupon_forlife.exe? Lets look into this.

Use the Take Action button, and click on Find in VirusTotal" (Note: This will open VirusTotal in a new tab)

VirusTotal shows us that this binary, freecoupon_forlife.exe has been flagged as malicious and is more commonly known as darkside ransomware. How did this get on the machine?

Click on the browser tab that has the Carbon Black Cloud console

Let's look into powershell.exe, the parent process of freecoupon_forlife.exe. Click on powershell.exe to broaden the investigation.


There are 4 instances of powershell.exe running, all being spawned of winword.exe (most likely a word doc).

Select the number 4.


Note: Carbon Black is set to Detection only policy for demonstration purposes. Initial stages of this attack could have been prevented leveraging Carbon Black prevention policies.

We have multiple hits on watchlists (as we do with all stages of this attack). Watchlists provide custom detection and continuous monitoring of the environment. They comprise of reports, which are collections of Indicator of Compromise (IOCs). With Carbon Black XDR, you have the ability to use custom watchlists or use the watchlists that are provided by Carbon Black.

As well as the watchlist hits, we also have netconns being made from powershell.exe.  Let's looks specifically at the netconns. This will provide us more detail into how freecoupon_forlife got onto our network.

Filter on netconns to investigate the network connections

Netconn Visibility

Carbon Black XDR has network connection visibility. Network connection visibility enables customers to visualize and analyze network data in context, using the Carbon Black Cloud. The XDR network telemetry includes continuous capture and analysis of network fingerprints, flow and TLS data, and application-protocol data.

You can see that a https connection was made to freecup0ns.com using TLS 1.2, and the flow events show that we have a large number of bytes received (this would be the download of freecoupon_forlife.exe). We also see information on the certificate and JA3 used - both can be useful for future detection and prevention.

We have visibility of the process and the visibility of the network connection.

There are other instances of powershell.exe running at the same time from the same winword.exe process. Lets look into them.

Powershell.exe Further Insight

In the process tree, select and expand the second powershell.exe instance.

Here we see network discovery tasks such as ipconfig.exe and netstat being run. If we look at the the cmdline (at top of alert tirage screen), we can see that the outputs are being written to a file called fc_info.txt and then are uploaded to a dropbox.tk website.

Uncover Malicious Vector

In the process tree, select and expand the third powershell.exe instance.

This process tree shows us how the text file was opened on the desktop as soon as we enabled the macro on the the word doc. A powershell script was used to open notepad.exe.

Malicious Use of Powershell.exe

In the process tree, select and expand the fourth powershell.exe instance

Here we see that powershell is used to run an executable, freecoupon.exe which in turn runs other cmd.exe and powershell.exe instances. We can see in the cmdline, that a curl is run to c3.freecup0ns.com. A file - freecoupons.exe - is written to \programdata and then executed.

Note: If this command was encoded, Carbon Black would have decoded it automatically.

Looking at the netconns, we can see established and outbound connections to c3.freecup0ns.com.

What happend once freecoupons.exe was ran?

Click on cmd.exe to find out more.


We see that cmd.exe is used to load a payload.bat file. That does not look too great, and we need to know what this payload.bat file does.

Identify C2 Server

Select child process of cmd.exe, powershell.exe. Cmd.exe, runs payload.bat which uses powershell to make network connections.

Filter by "netconn" on the filters on the lift side of the screen.

We see an alert on a connection to (this is our C2 Server).

Lets expand this event.

XDR ThreatHunting

The connection is over 443, We see many XDR TTPs (bypass policy, code_drop, fileless, leverages_system_utility). We also see that XDR sees that the adversary is trying to run malicious code. This is the implant to the C2, the C2 is issuing powershell commands (auto runs) to this machine using a reverse shell over port 443.

We also noticed a strange connection between two machines in my network over port 5985.

Netconn Event

Expand the netconn event

Greater Visibility

The connection is between two machines on my network. We can see that WinRM is being used as this is the user-agent, and we can see bytes being sent. This is indicative of lateral movement. The adversary compromised one machine, and from that, is moving through my network, using WinRM.

We now have a complete picture of what happened, all visible in a single console, with XDR TTP tags, MITRE ATT&CK Framework mapping, and clear descriptions helping make understanding the attack simple.

This behavior of lateral movement using WinRM was also picked up by our Intrusion detection system (IDS) engine. The purpose of IDS is to detect and respond to malicious activity. Carbon Black XDRs IDS instantly identify malicious network behaviors.

We are monitoring the activity on a host for signs of suspicious behavior, such as changes to system files, unauthorized access attempts, or unusual network traffic. We use a mix of signature-based detection and behavioral analysis to identify potential security threats.

Carbon Black XDR provides you the most important observations fast .

Intrusion Detection System (IDS)

Go back to Observations tab (Investigate>Observations), deselect Indicator of attack, and select Intrusion Detection System type.

Expanding the IDS alert gives information on what XDR has seen. You can see we have identified this as lateral movement using windows remote management - for info on any of the fields, select "i" icon.

With Carbon Black XDR, you get complete process, identity, and network visibility. Carbon Black XDR gives you the power to detect, respond, and remediate in real time, stopping active attacks and repairing damage quickly. Reducing complexity and accelerating investigation can greatly reduced dwell time and average time to resolution.

By providing this unmatched visibility into the process and network data, Carbon Black XDR helps to reduce risk and provides you with the tools required to protects against modern threats.

Previous Article Wear A Hat As A Security Operations Center (SOC) Analyst: Lab Instruction
Next Article TechZone | Contact Us | Additional TestDrive Experiences