CB-Boost is a tool that uses the Carbon Black API to run incident response actions and detection use cases that require automation.
CB-Boost's detection use cases are not meant to be complete detection use cases; they contain only what requires programmatic analysis of the output of certain queries. To create a simple use case, just use watchlists.
CB-Boost's IR capabilities are coming soon!
- TimeLine Activity
- Osquery (bypasses the 200-device limitation)
- Detect DLL Hijacking [SideLoading/OrderHijacking]
  - Integration with HijackLibs
  - Detection based on the DLL path
  - Detection based on the process path (not recommended)
- Detect Hidden Accounts
- Execute PowerShell/Command Prompt commands
- Upload & run executables and retrieve the output
- git clone --recurse-submodules https://github.com/karemfaisal/CB-Boost
- pip install -r requirements
- cbapi-response configure
  - Will prompt you to enter your CB-EDR data [URI, Token, Profile Name]
  - cbapi-response can be found in the venv path or in pip's scripts path
- For DLL hijacking detection, point to the folder that contains the HijackLibs rules, or the minimal rules that you want to search for.

python3 main.py --rules rule.yml --profile "default"
python3 main.py -h

Output:
usage: main.py [-h] [-r RULES] [-p PROFILES]
optional arguments:
  -h, --help            show this help message and exit
  -r RULES, --rules RULES
                        path to the CB-Boost yaml file path
  -p PROFILES, --profiles PROFILES
                        profiles name for running the API separated by ',' ex:
                        Karem,Ali
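As an added example (not CB-Boost's own code), this shows the DLL-path detection mode from the feature list applied to HijackLibs-style rules: a module-load event is flagged when a DLL named in a rule is loaded from a directory the rule does not list as expected. The rule field names, event field names and placeholder tokens are assumptions modelled on HijackLibs, and the rules and events are constructed.

```python
import ntpath

# Expansion of the location placeholders used in the (assumed) rule format.
PLACEHOLDERS = {
    "%SYSTEM32%": r"C:\Windows\System32",
    "%SYSWOW64%": r"C:\Windows\SysWOW64",
    "%PROGRAMFILES%": r"C:\Program Files",
}

# Constructed rules in a HijackLibs-like shape; the field names are assumptions.
RULES = [
    {"Name": "version.dll", "ExpectedLocations": ["%SYSTEM32%", "%SYSWOW64%"]},
    {"Name": "dbghelp.dll", "ExpectedLocations": ["%SYSTEM32%", r"%PROGRAMFILES%\Windows Kits\10\Debuggers\x64"]},
]

# Constructed module-load events (field names assumed) as CB-Boost might pull them from the API.
EVENTS = [
    {"process_path": r"C:\Windows\explorer.exe", "dll_path": r"C:\Windows\System32\version.dll"},
    {"process_path": r"C:\Users\bob\AppData\Local\Temp\update.exe", "dll_path": r"C:\Users\bob\AppData\Local\Temp\VERSION.DLL"},
    {"process_path": r"C:\Program Files\Windows Kits\10\Debuggers\x64\windbg.exe", "dll_path": r"C:\Program Files\Windows Kits\10\Debuggers\x64\dbghelp.dll"},
    {"process_path": r"C:\Program Files\App\app.exe", "dll_path": r"C:\Program Files\App\other.dll"},
]

def normalize(path):
    """Lower-case and strip a trailing separator so path comparisons are case-insensitive."""
    return path.lower().rstrip("\\")

def expected_dirs(rule):
    """Expand placeholders in a rule's ExpectedLocations into concrete, normalized directories."""
    dirs = set()
    for loc in rule["ExpectedLocations"]:
        expanded = loc
        for token, value in PLACEHOLDERS.items():
            expanded = expanded.replace(token, value)
        dirs.add(normalize(expanded))
    return dirs

def detect_by_dll_path(rules, events):
    """DLL-path mode: flag a load of a rule's DLL name from any directory the rule does not expect."""
    by_name = {r["Name"].lower(): r for r in rules}
    hits = []
    for ev in events:
        directory, name = ntpath.split(normalize(ev["dll_path"]))
        rule = by_name.get(name)
        if rule is not None and directory not in expected_dirs(rule):
            hits.append({"rule": rule["Name"], "process_path": ev["process_path"], "dll_path": ev["dll_path"]})
    return hits
```

Calling detect_by_dll_path(RULES, EVENTS) on the constructed data returns one hit: version.dll loaded from a user's Temp directory, while the dbghelp.dll load from the debugger's own directory is accepted because that directory is an expected location.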