Skip to content
/ CBR-Queries Public

Collection of useful, up to date, Carbon Black Response Queries

83 stars 21 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

MHaggis/CBR-Queries

BranchesTags

Repository files navigation

Carbon Black Response - Queries

Most recently added queries below.

Domain Fronts

domain:azurewebsites.net OR domain:appspot.com OR domain:amazonaws.com OR domain:windows.net OR domain:cloudfront.net OR domain:akamai.net OR domain:akamaiedge.net OR domain:kunlungr.com

From Here

Interesting behaviors

process_name:whoami.exe crossproc_name:wmiprvse.exe

parent_name:explorer.exe process_name:whoami.exe

parent_name:explorer.exe process_name:whoami.exe crossproc_name:wmiprvse.exe

Things

process_name:rundll32.exe modload:amsi.dll

process_name:rundll32.exe (modload:scrobj.dll OR modload:clr.dll)

process_name:rundll32.exe (modload:scrobj.dll OR modload:clr.dll) -username:SYSTEM cmdline:advpack.dll

process_name:rundll32.exe (modload:scrobj.dll OR modload:clr.dll) cmdline:ieadvpack.dll

process_name:rundll32.exe (modload:scrobj.dll OR modload:clr.dll) cmdline:syssetup.dll

process_name:cscript.exe (modload:scrobj.dll AND modload:clr.dll)

parent_name:cmd.exe process_name:installutil.exe modload:clr.dll -username:SYSTEM

process_name:installutil.exe modload:clr.dll -username:SYSTEM -cmdline:realtek

parent_name:cmd.exe process_name:installutil.exe modload:clr.dll

process_name:installutil.exe modload:clr.dll -username:SYSTEM cmdline:.dll

process_name:installutil.exe cmdline:.dll -username:SYSTEM

stuff

process_name:excel.exe|winword.exe|powerpnt.exe (cmdline:.dll OR cmdline:.exe)

process_name:control.exe

process_name:winword.exe cmdline:http:\

parent_name:winword.exe process_name:rundll32.exe netconn_count:[1 TO *]

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL c:\users\public\test2.dll

modload:mscor* AND modload:clr.dll AND -process_name:mscorsvw.exe AND path:c:\users* AND modload:samlib.dll

wscript stuff

internal_name:wscript.exe -process_name:wscript.exe

parent_name:taskeng.exe internal_name:wscript.exe -process_name:wscript.exe

path:AppData\Roaming\*

internal_name:schtasks.exe -process_name:schtasks.exe

Check Yo RDP

-file_version:6.1.7601.24441 observed_filename:termdd.sys

Conhost

childproc_name:conhost.exe

Eternalblue-Doublepulsar-Metasploit

filemod:

etebcore-2.x86.dll  
eternalblue-2.2.0.fb  
eternalchampion-2.0.0.fb

modload:

trch-1.dll
libxml2.dll
tucl-1.dll
coli-0.dll
exma-1.dll
tibe-2.dll
cnli-1.dll
xdvl-0.dll
crli-0.dll
ssleay32.dll
libeay32.dll
trfo-2.dll
posh-0.dll
ucl.dll
zlib1.dll

(regmod:"\registry\machine\software\microsoft\windows defender security center\notifications\disablenotifications")

(regmod:"\registry\machine\software\policies\microsoft\windows defender\disableantispyware")

is_executable_image_filewrite:true AND process_name:powershell.exe

cmdline:--* AND netconn_count:[2 TO *] AND modload:"c:\windows\syswow64\bcrypt.dll" AND digsig_result:"Untrusted Root"

process_name:winword.exe regmod:software\microsoft\windows\currentversion\run\* modload:vbe*.dll

parent_name:winword.exe regmod:software\microsoft\windows\currentversion\run\* childproc_name:winword.exe childproc_name:cmd.exe

process_name:regsvr32.exe AND cmdline:f1 AND childproc_name:rundll32.exe AND childproc_count:[2 TO *]

About

Collection of useful, up to date, Carbon Black Response Queries

Resources

Readme
Activity

Stars

83 stars

Watchers

12 watching

Forks

21 forks
Report repository

Releases

No releases published

Packages

No packages published