At Bit9 + Carbon Black, we realize that customers want to easily access their own data and allow integrations with various tools. Consequently, one of the core strengths of the Carbon Black platform is its REST API, which allows you to do whatever you want with your Carbon Black data.
We also like to leverage open-source tools and give back when we can. “CRITs” is an open-source tool that allows you to collect, organize and, ultimately, use threat intelligence. We recently released a Carbon Black service for CRITs in our GitHub repo. The service is also available through the CRITs GitHub repo.
We’ll talk about how to set the service up, then demonstrate what you can do with it. The service works for files (known as “samples” in CRITs), IP addresses, and domain names. It depends on the Python Carbon Black client API available here.
After placing the carbonblack_service into your crits_services directory, it will show up under “Services” in the CRITs control panel.
From there, just click on the Carbon Black name and we can configure it. The first thing to do is to enable it. If you want the service to run automatically when you add new data, enable “triage.”
After that, set up the connection information to the Carbon Black server. You’ll need to give CRITs the address of the server and an API token to use to authenticate to the server.
You can then set how long the service should poll the Carbon Black server for data and, optionally, an initial delay before it starts polling.
After setting these up, you’re ready to use the Carbon Black service. In a previous blog post, we talked about a PlugX variant with the MD5 of 076ae76dcd0946ff913a9ce033e0ca55. We’ll use this piece of malware as our example and show what the Carbon Black service will do when you add it to CRITs.
Assuming you have triage enabled, when you upload the sample to CRITs, the Carbon Black service will query your Carbon Black server for all information it has on processes with that MD5. You’ll click on the “Analysis” tab and then click on “Carbon Black” to view your data.
The first thing you’ll see when the service is done is an overview of all the processes found with the MD5 of the sample you submitted. You can quickly see the name of the file run, the name of the host it was run on, and the user who ran it. You also get a count of the events recorded by Carbon Black.
It will show you the module loads for that process.
You’ll also see the file modification events. Here, you can see the malware writing the DLL file and the DAT file in the user’s temp directory, as discussed in our blog post about this malware.
The service also tells you about the child processes started by this malware.
It will then give you the information about the child process as well.
In this example, the child process has a lot of registry modifications, which are also displayed by the Carbon Black service.
The net positive of all of this is that, as soon as you add the sample into CRITs, the Carbon Black service will query your infrastructure and quickly show you if and where in your environment you have seen this process.
The CRITs Carbon Black service is not limited to files though. If you add an IP or domain to CRITs, the Carbon Black service will query for those in your infrastructure as well.
Using that PlugX variant as our example again, we listed 18.104.22.168 as an IOC in our blog post. When you add that IP to CRITs and the Carbon Black service runs, you’ll get all the processes that connect to that IP. You’ll also get the hostname of the system, the username the process was running as, and a list of all the times that IP was connected to, including the domain name if one was resolved.
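To make the lookup step concrete for both the sample (MD5) case and the IP case above, here is a small added example that is not code from the CRITs service or from Bit9 + Carbon Black: it maps a CRITs indicator onto a Carbon Black process-search query and reduces a search response to the overview rows the service displays (file run, host, user, event count). The `/api/v1/process` endpoint, the `X-Auth-Token` header, the result field names and the placeholder server/token are assumptions; the sample response is constructed, using only the MD5 and IP quoted in this post.

```python
"""Added example (not code from the CRITs service or Bit9 + Carbon Black).
Assumptions: process search lives at /api/v1/process with an X-Auth-Token
header, and results carry the field names used in summarize()."""
import json
import urllib.parse
import urllib.request

CB_SERVER = "https://cb.example.invalid"   # placeholder, not a real host
CB_TOKEN = "REPLACE_WITH_API_TOKEN"        # placeholder token


def build_query(indicator_type, value):
    """Map a CRITs indicator type (sample MD5, IP, domain) onto a query."""
    fields = {"md5": "md5", "ip": "ipaddr", "domain": "domain"}
    if indicator_type not in fields:
        raise ValueError("unsupported indicator type: %s" % indicator_type)
    return "%s:%s" % (fields[indicator_type], value.strip().lower())


def fetch_processes(query, rows=50):
    """Live lookup against the Carbon Black server (assumed endpoint/header)."""
    url = "%s/api/v1/process?q=%s&rows=%d" % (
        CB_SERVER, urllib.parse.quote(query), rows)
    req = urllib.request.Request(url, headers={"X-Auth-Token": CB_TOKEN})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize(search_result):
    """Reduce a search response to the overview the service shows per process:
    the file run, the host, the user, and the number of recorded events."""
    rows = []
    for p in search_result.get("results", []):
        events = sum(p.get(k, 0) for k in ("modload_count", "filemod_count",
                                           "regmod_count", "netconn_count",
                                           "childproc_count"))
        rows.append({"process": p.get("process_name"), "host": p.get("hostname"),
                     "user": p.get("username"), "events": events})
    return rows


# Constructed sample response (shape assumed); only the MD5 is from the post.
SAMPLE = {"results": [
    {"process_name": "constructed.exe", "hostname": "WS-01", "username": "corp\\alice",
     "process_md5": "076ae76dcd0946ff913a9ce033e0ca55",
     "modload_count": 40, "filemod_count": 2, "regmod_count": 0,
     "netconn_count": 3, "childproc_count": 1},
]}

if __name__ == "__main__":
    print(build_query("md5", "076AE76DCD0946FF913A9CE033E0CA55"))
    print(build_query("ip", "18.104.22.168"))
    for row in summarize(SAMPLE):
        print(row)
```

Swapping `SAMPLE` for `fetch_processes(build_query(...))` turns this into a live query; the offline path runs as-is.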
If you use CRITs to track malware, using the Carbon Black service is a great way to enrich the data you already have.