System Forensics

All your artifacts are belong to me.

A Look at Carbon Black

I’ve heard (read) Harlan Carvey talk [1] about Carbon Black, and how it’s such a great tool so I finally went out to the web and was pleased to see that you can download a 30 day full version trial of Carbon Black (CB) [2]. That’s exactly what I did so I could test it out.

Full Disclosure: I don’t work for Carbon Black, I don’t get money from them, and I don’t get free software from them. Even if I did, however, it wouldn’t change my opinions in writing this post.

For the most part I accepted the default configurations. From what I see it looks like it’s pretty “run with it” out of the box assuming you’re not going to be integrating it with various logging products/plugins like Splunk, Arcsight, etc.

As far as my lab goes I configured the Carbon Black Server on a Windows 7 machine and used Windows XP as the client.

Here are some of the steps I took to get this up and running. I won’t get into the install details as much because that’s not the point of the post. It’s very simple to get it up and running so I don’t believe it warrants much time.

The install window while I was installing the server portion on Windows 7.

Here is the standard configuration I used. It was pretty much all filled out except the Name and Reachable IP address, which I changed to fit my lab environment. Note: I did make one modification after I took this image. I changed the Check-In Interval time to 10 seconds so I didn’t have to wait so long between infections before I started to receive data. The default is 900 seconds.

The client install is a bit different. You have to generate it from within the server software. It’s similar to McAfee ePO/HBSS for those of you that use/manage it. You have to click the “Hosts” tab on the top, and then select “Client Install”. Once you do that you can proceed to generate the client install package. I’m assuming you could then deploy this to all your clients via SCCM, or some other tool you use in your organization. I simply moved it over to my desktop and installed it.

OK, so now I have the installer. Now it was time to do the installation. After the installation I waited a few seconds and then went back to the server. As you can see here, my client has checked into the server and it’s now showing that I have one host that’s running Windows XP Pro SP3.

I might add that Carbon Black has a Splunk App, but I wasn’t able to get it working for some reason.

In either case, the integration with Splunk makes this even better IMHO (as a Splunk user myself). Keep that in the back of your mind when you’re looking at these two examples.

Test One:

First up is going to be the MBR malware I blogged about here [3].

So here you can see the piece of malware executed, and it also provides the execution path. You also see an MD5 hash of the file, the PID of the process, whether the file is signed or not, and a time stamp.

So let’s assume you’re running Splunk, and you have a list of known good MD5s on your baseline.

Your Splunk query could search for any instances of new processes that aren’t signed, between a certain date range, and have it only reply back with ones that don’t match any of your known good MD5 hashes. You could then configure an alert for this, and have it notify you in the future automatically. Your Splunk-fu is limitless at that point.

This is a quick screen shot of the modules list of this particular exe file.

This is the file modification tab within CB, and as you can see here you’re getting a lot of .tmp files in the temp dir. This can be another good location to look for possible malware execution, or even rogue installs from applications that aren’t approved to be on the network.

Again, Splunk will be your friend.

So let’s assume that we now know this box is compromised, but the user has since deleted the .exe file, or the malware itself deleted it.

Well, you can simply save the binary out of CB like we do here and analyze the file offline within your malware lab. This is one reason I like analyzing malware with CaptureBAT. It will save the deleted .exe files that malware likes to get rid of once it executes.

A simple check online and you see very quickly that this is a malicious file. Now your incident response procedures can be activated (if they haven’t been already) and hopefully you can contain it in a timely manner.

Test Two:

Let’s take a quick look at a Zeus variant this time.

At first I execute the malware, and then wait a few seconds before I navigate to the CB dashboard.

Here you see that PID 948 – 1w66.exe was executed, and then it spawned PID 1584, which is xouse.exe. This file activity matches typical Zeus behavior. It will create a randomly named file in Application Data on XP, or AppData on Windows 7.

Let’s drill down a bit more on 1w66.exe. There is a file modifications tab you can click on next to each process. In this case I selected the file modification tab for 1w66.exe, and you can see here what file modifications were made by this particular executable.

Next you will see the registry modifications that were made.

And then lastly you can see the modules loaded again:

And then here is another example of what CB showed you in their video when looking at the Autorun key via Sysinternals. [4] Now you will know it’s not just advertisement hype. It works great.

Here is the Autoruns output. You can see here that we have our piece of malware. Let’s copy the path of execution here and plug it into CB.

There is our hit when we plug it into the All Modules Loads tab.

Next we can plug it into the All File Mods tab and see how it got there. Now this is only one machine, but imagine if you had 20 infections. You could easily identify those systems using CB or Splunk to pull that data.

So I’ll bring this to a close. As you can see Carbon Black has a lot of things going for it. I don’t know how resource intensive this would be on a network of 20,000 clients, but I’ll let you figure that one out.

The big selling point I see with this is its integration with Splunk. I’m a big Splunk fan and the fact that the CB team has already developed a Splunk App (for free) speaks volumes.

I also think that this can be used for more than just security. Let’s say you’re going to be purchasing some new Adobe Acrobat licenses and one group of people says, “We need 300 copies. One for everyone in the company.”

Well, you should be able to do a quick search for that particular .exe file and use Splunk to figure out how many people actually executed Adobe over X number of days. Let’s say you find that only 10% of the users use it over the course of 60 days. Do you really need 300 copies? Maybe not, and you might have just paid for your annual support for Carbon Black by saving some extra money on licenses. Think outside of security when trying to sell these tools to leadership.
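Both searches the post sketches, the unsigned-and-unknown-MD5 hunt from Test One and the “who actually ran Adobe in the last 60 days” license count, as an added example that is not from the post, from Carbon Black or from the Splunk App. The record layout, field names, hosts, users and hashes are constructed assumptions standing in for a CB process-start export indexed in Splunk.

```python
from datetime import datetime, timedelta

# Constructed process-start records; field names are assumed, not CB's schema.
EVENTS = [
    {"host": "XP-LAB1", "user": "alice", "ts": "2011-03-01T10:02:00", "signed": True,
     "path": r"C:\WINDOWS\system32\svchost.exe", "md5": "aaaa1111"},
    {"host": "XP-LAB1", "user": "alice", "ts": "2011-03-02T11:15:00", "signed": False,
     "path": r"C:\Documents and Settings\alice\Local Settings\Temp\1w66.exe", "md5": "DEADBEEF"},
    {"host": "XP-LAB2", "user": "bob", "ts": "2011-03-03T09:00:00", "signed": False,
     "path": r"C:\Documents and Settings\bob\Application Data\xouse.exe", "md5": "deadbeef"},
    {"host": "XP-LAB2", "user": "bob", "ts": "2011-03-03T09:30:00", "signed": True,
     "path": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe", "md5": "bbbb2222"},
    {"host": "XP-LAB3", "user": "carol", "ts": "2011-02-01T08:00:00", "signed": False,
     "path": r"C:\Documents and Settings\carol\Local Settings\Temp\setup.exe", "md5": "cafe0000"},
    {"host": "XP-LAB3", "user": "carol", "ts": "2011-03-05T08:00:00", "signed": False,
     "path": r"C:\Tools\putty.exe", "md5": "cccc3333"},
    {"host": "XP-LAB1", "user": "alice", "ts": "2010-12-15T14:00:00", "signed": True,
     "path": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe", "md5": "bbbb2222"},
]
# Constructed known-good baseline; hashes are compared case-insensitively.
KNOWN_GOOD = {"aaaa1111", "bbbb2222", "cccc3333"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def suspect_processes(events, known_good, start, end):
    """Unsigned process starts inside [start, end] whose MD5 is not on the baseline."""
    good = {h.lower() for h in known_good}
    lo, hi = parse_ts(start), parse_ts(end)
    return [e for e in events
            if lo <= parse_ts(e["ts"]) <= hi
            and not e["signed"] and e["md5"].lower() not in good]

def hosts_by_md5(hits):
    """Map each suspect hash to every host that ran it: one hit pivots to all infections."""
    out = {}
    for e in hits:
        out.setdefault(e["md5"].lower(), set()).add(e["host"])
    return out

def users_who_ran(events, exe_name, days, now):
    """Distinct users who launched exe_name in the `days` days before `now`."""
    cutoff = parse_ts(now) - timedelta(days=days)
    return {e["user"] for e in events
            if e["path"].lower().endswith("\\" + exe_name.lower())
            and parse_ts(e["ts"]) >= cutoff}
```

With the sample data, the March window yields one unknown hash seen on two hosts, and only one of three users launched Acrobat in the 60 days before the end of March.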

I didn’t see this feature listed, but it would be nice to have a “wake up” feature that would wake up the client agents and have them report immediately upon wake up. I like the wake up feature in McAfee ePO, but that’s just my opinion.

Go ahead and download the product and see what you think yourself. [2]


2 thoughts on “A Look at Carbon Black”

  • Keydet89 says:

    Very interesting write-up.

    I also think that this can be used for more than just security.

    Yes…yes, it can. I’ve listed some “case studies” that the Cb guys shared with me, both on my blog and in my book. Cb provides the resources you need to make a number of valuable business decisions, many outside the scope of security.

    One example that does have to do with security is a vulnerability assessment. Dan Guido wrote about intel-driven defense; it would be relatively trivial, once you have a populated Cb database, to comb your infrastructure for systems vulnerable to the 13 to 15 vulns actually used.

  • […] something like Carbon Black in addition to windows event logs. I did a blog post about CarbonBlack here. It’s cheap […]