CBR-Queries
A collection of useful, up-to-date Carbon Black Response queries for threat hunting and detection.
git clone https://github.com/MHaggis/CBR-Queries.git
⚠ The Problem
Carbon Black Response is a powerful EDR tool, but writing effective queries requires deep knowledge of the query syntax and attack techniques. Defenders often struggle to translate threat intelligence into actionable queries.
✓ The Solution
CBR-Queries provides a curated collection of ready-to-use Carbon Black Response queries organized by technique and use case. Each query includes documentation explaining what it detects and potential false positives to watch for.
⚡ Impact
Enables defenders to quickly operationalize threat intelligence in their Carbon Black environment. The query collection covers common attack techniques and is regularly updated based on new threats.
Overview
A collection of Carbon Black Response queries designed for threat hunting and detection. Queries are organized by MITRE ATT&CK technique and include documentation for each.
Categories
- Initial Access: Queries for detecting initial compromise
- Execution: Suspicious process execution patterns
- Persistence: Registry modifications, scheduled tasks, services
- Defense Evasion: Process injection, masquerading
- Credential Access: LSASS access, credential dumping
- Discovery: Reconnaissance activities
- Lateral Movement: Remote execution, pass-the-hash
- Collection: Data staging and compression
- Exfiltration: Suspicious network activity
Example Queries
Suspicious PowerShell Execution
process_name:powershell.exe AND (cmdline:"-enc" OR cmdline:"-e " OR cmdline:"bypass")
LSASS Access
crossproc_type:open_process AND crossproc_target:lsass.exe
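To show what the two example queries above actually match, and the kind of false positive the documentation warns about, here is an added Python example that re-implements their logic over a handful of constructed process events. It is not code from the CBR-Queries project or from Carbon Black; the field names mirror the query fields on the page, but the matching is a deliberately simplified case-insensitive substring check rather than Carbon Black's real Solr tokenisation, so treat it as an illustration of the hunt logic, not of the server's exact behaviour.

```python
"""Offline approximation of the two example CBR queries.

Added example, not part of the CBR-Queries project. The event records
and their contents are constructed for illustration; the match helpers
use plain substring checks, which is an assumption and not how Carbon
Black Response tokenises the cmdline field.
"""
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    """Minimal stand-in for a Carbon Black Response process document."""
    process_name: str
    cmdline: str
    # (crossproc_type, crossproc_target) pairs recorded for this process
    crossproc: list = field(default_factory=list)


def suspicious_powershell(ev: ProcessEvent) -> bool:
    """process_name:powershell.exe AND (cmdline:"-enc" OR cmdline:"-e " OR cmdline:"bypass")"""
    if ev.process_name.lower() != "powershell.exe":
        return False
    cmdline = ev.cmdline.lower()
    return any(term in cmdline for term in ("-enc", "-e ", "bypass"))


def lsass_access(ev: ProcessEvent) -> bool:
    """crossproc_type:open_process AND crossproc_target:lsass.exe"""
    return any(
        kind == "open_process" and target.lower() == "lsass.exe"
        for kind, target in ev.crossproc
    )


# Constructed sample telemetry: two true positives, two benign lookalikes
# that illustrate the false-positive notes each query ships with.
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA..."),
    # Legitimate admin script run with -ExecutionPolicy Bypass: matches "bypass"
    ProcessEvent("powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
    ProcessEvent("powershell.exe", "powershell.exe -Command Get-Service"),
    # Not PowerShell, so the process_name clause excludes it even though "bypass" appears
    ProcessEvent("cmd.exe", "cmd.exe /c echo bypass"),
    ProcessEvent("procdump.exe", "procdump.exe -ma lsass.exe out.dmp",
                 crossproc=[("open_process", "lsass.exe")]),
    # Antivirus engines routinely open LSASS; a common benign hit for the LSASS query
    ProcessEvent("MsMpEng.exe", "MsMpEng.exe", crossproc=[("open_process", "lsass.exe")]),
    ProcessEvent("notepad.exe", "notepad.exe", crossproc=[("open_process", "explorer.exe")]),
]


def run_hunt(events=SAMPLE_EVENTS) -> dict:
    """Apply both queries and return the matching records per query."""
    return {
        "suspicious_powershell": [e.cmdline for e in events if suspicious_powershell(e)],
        "lsass_access": [e.process_name for e in events if lsass_access(e)],
    }


if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("  ", hit)
```

Running it reports two PowerShell hits (the encoded command and the backup script) and two LSASS hits (procdump and the Defender engine); the second hit in each pair is the benign case a hunter should expect to triage and, where appropriate, exclude by signer or path before turning the query into an alert.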
Contributing
Have a query that’s worked well for you? Contributions are welcome!