
2017-12-14

[Carbon Black FAQ] Understanding Cb Response threat intelligence feeds


The next-generation endpoint protection product Carbon Black ships with 21 built-in threat intelligence feeds; a sample screen is shown below:


The feeds carrying the Cb logo are threat intelligence provided by Carbon Black itself. Each serves a different purpose and use case; Cb Advanced Threat (top right), for example, is designed to collect intelligence on the tactics, techniques and procedures (TTPs) used in various APT attacks.

Q: What does the Cb Advanced Threat feed contain?

A: The URL below presents a summary of that feed's contents; the feed is updated daily.

https://www.carbonblack.com/cbfeeds/advancedthreat_feed.xhtml

The feed currently contains 58 rules covering attack techniques and campaigns, each a possible indicator of APT activity.

Take the first one, Possible ransomware file artifact (file artifacts associated with ransomware), as an example; the screen is explained below.

The screen also states the score assigned to this feed rule and whether it may produce false positives.

The 58 items currently in the Cb Advanced Threat feed are listed below (as of 2017-12-14):

  • Possible ransomware file artifact
  • Possible credential theft or misuse
  • Execution from trash bin
  • Possible WMI command invocation
  • Possible Flashback infection
  • Modification of /etc/rc.common
  • Possible iWorm infection
  • Suspicious OSX persistence mechanism
  • Execution from APT staging area
  • Possible wirenet and/or netweird activity
  • Suspicious process name
  • Possible WireLurker infection
  • Processes with obfuscated extensions
  • Possible malicious powershell activity
  • Possible ZeroAccess activity
  • Possible BlackPOS malware registry artifact
  • WinRM command activity
  • Attempted OSX password hash collection
  • Execution from System Volume Information folder
  • Known malware file name
  • Possible Olyx/Lasyr activity
  • Modification of powershell execution policy
  • Possible Point-of-sale malware file artifact
  • Powershell executed with encoded instructions
  • Operation Blockbuster query
  • Possible WMI Persistence
  • Suspicious local password change
  • Possible APT backdoor installation
  • Possible Tibet.c backdoor installation
  • Suspicious process execution
  • Modification of launchd.conf
  • Suspicious shell activity
  • Execution from Recycle Bin
  • ntvdm.exe spawned by office application
  • Proxy Modifications By Shell/Script Process
  • Retefe Child Processes
  • WinVerifyTrust Abuse
  • Powershell Running MimiKatz
  • Attempted Whitelisting Bypass
  • NotPetya Filemods
  • Unusual RunDll Child AcceptEula
  • Unusual RunDll Child Scheduled Tasks
  • Disguised Psexec - Internal Name
  • Notepad and MSDCSC Launched
  • WMI Launching MSHTA Launching Script Interpreters
  • File Deletion With Ping
  • Changes to Known DLLs registry
  • Run Key Added With Suspicious Value Path
  • RegSvr32 Making Network Connections
  • Word Spawning Command Process
  • Process Spawning Both Notepad and Vssadmin
  • Process Running From Tasks Directory
  • Process Running From Debug Directory
  • Lsass Writing Binaries to Disk
  • Services null Instance registry key
  • Known Bad Child Processes of Lsass
  • Bad Rabbit - Tricks are for Kids
  • MS Office Vuln - CVE-2017-11882 – query


Q: How often are Cb threat intelligence feeds updated?

A: It depends on each feed's nature and data source: some are updated every few minutes, others once a day. The update mode defaults to an incremental (differential) update. As soon as new intelligence is pushed to the Cb Response Server, it is immediately compared against the historical data the server has collected from all endpoints in the organisation. A match can raise an Alert, and can also be configured to send an email notification or forward a Syslog event.
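The two answers above describe what a feed report looks like (a title, a score, a note on false positives, and the indicators it carries) and what the server does with a newly arrived feed (replay it over the historical endpoint data it already holds). The following Python script is an added example, not code from this page or from Carbon Black: it parses a constructed feed document in the public cbfeeds JSON layout (a `feedinfo` header plus a list of `reports`, each with `score` and `iocs`; the field names are the author's understanding of that format), summarises the reports by score, and replays the query and MD5 indicators over a handful of constructed process events to show which hosts would raise an alert. The report titles mirror the feed list on this page; the queries, hashes and events are made up for illustration, and the query evaluator handles only a simple `field:value` conjunction, not the full Solr syntax Cb Response uses.

```python
import json
from collections import namedtuple

# Constructed feed in the cbfeeds JSON layout (assumed field names:
# "feedinfo" header, "reports" list, per-report "score" and "iocs").
# Titles mirror the feed list on the page; queries and hashes are made up.
SAMPLE_FEED = json.dumps({
    "feedinfo": {
        "name": "advancedthreat_example",
        "display_name": "Cb Advanced Threat (constructed sample)",
        "summary": "TTP-style queries for possible APT activity",
    },
    "reports": [
        {"id": "rpt-powershell-encoded",
         "title": "Powershell executed with encoded instructions",
         "score": 75, "timestamp": 1513209600,
         "iocs": {"query": [{"index_type": "events",
                             "search_query": "q=process_name:powershell.exe cmdline:-enc"}]}},
        {"id": "rpt-recycle-bin",
         "title": "Execution from Recycle Bin",
         "score": 60, "timestamp": 1513209600,
         "iocs": {"query": [{"index_type": "events",
                             "search_query": "q=path:$recycle.bin"}]}},
        {"id": "rpt-known-malware-hash",
         "title": "Known malware file name",
         "score": 100, "timestamp": 1513209600,
         "iocs": {"md5": ["0123456789abcdef0123456789abcdef"]}},  # constructed hash
    ],
})

# Constructed historical process events, standing in for the data the
# Cb Response Server has already collected from the organisation's endpoints.
HISTORICAL_EVENTS = [
    {"hostname": "ws-0042", "process_name": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc SQBFAFgA",
     "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
     "md5": "ffffffffffffffffffffffffffffffff"},
    {"hostname": "ws-0042", "process_name": "powershell.exe",
     "cmdline": "powershell.exe -File Get-Inventory.ps1",
     "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
     "md5": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"},
    {"hostname": "srv-db-01", "process_name": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs",
     "path": "c:\\$recycle.bin\\s-1-5-21-1\\svchost.exe",
     "md5": "0123456789abcdef0123456789abcdef"},
]

Hit = namedtuple("Hit", "report_id title score hostname")


def load_feed(text):
    """Parse the feed JSON and return its list of reports."""
    return json.loads(text)["reports"]


def summarize_reports(reports):
    """Return (title, score, ioc types) per report, highest score first."""
    rows = [(r["title"], r["score"], sorted(r["iocs"])) for r in reports]
    return sorted(rows, key=lambda row: -row[1])


def _query_terms(search_query):
    """Split 'q=field:value field:value' into (field, value) pairs.

    Simplification: only a whitespace-separated conjunction of field:value
    terms is supported, matched case-insensitively as substrings.
    """
    query = search_query[2:] if search_query.startswith("q=") else search_query
    return [tuple(term.split(":", 1)) for term in query.split() if ":" in term]


def _event_matches(event, terms):
    return all(value.lower() in str(event.get(field, "")).lower()
               for field, value in terms)


def match_reports(reports, events):
    """Replay each report's indicators over stored events, as the server does
    when an incremental feed update lands; one Hit per (report, host)."""
    hits = set()
    for report in reports:
        iocs = report["iocs"]
        for q in iocs.get("query", []):
            terms = _query_terms(q["search_query"])
            for ev in events:
                if _event_matches(ev, terms):
                    hits.add(Hit(report["id"], report["title"], report["score"], ev["hostname"]))
        md5s = {h.lower() for h in iocs.get("md5", [])}
        for ev in events:
            if ev.get("md5", "").lower() in md5s:
                hits.add(Hit(report["id"], report["title"], report["score"], ev["hostname"]))
    return sorted(hits, key=lambda h: (-h.score, h.report_id, h.hostname))


if __name__ == "__main__":
    reports = load_feed(SAMPLE_FEED)
    for title, score, kinds in summarize_reports(reports):
        print(f"{score:>3}  {title}  ({', '.join(kinds)})")
    for hit in match_reports(reports, HISTORICAL_EVENTS):
        print(f"ALERT score={hit.score} host={hit.hostname} report={hit.title!r}")
```

Running the script lists the three reports by score and then prints one alert per matching host: the encoded PowerShell rule fires on ws-0042 (the inventory script run does not match), and both the Recycle Bin query and the MD5 indicator fire on srv-db-01. The report score is what a defender would use to prioritise alerts, and the false-positive note on the feed page is the cue to tune a rule before wiring it to email or Syslog.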

Copyright ©2015 Docutek Solutions, Inc. (達友科技股份有限公司). All rights reserved.