ProcessQuerying
Sean McFeely edited this page Apr 6, 2021 · 2 revisions
Search for processes with Lucene query syntax and/or field:value terms (for example `parent_name:svchost.exe`).
Note: if a query returns a lot of results, a warning is printed before the console is flooded. Disable this prompt (for example when sending results to a file or to less) with the --no-warnings (-nw) flag.
$ cbinterface query -h
usage: cbinterface query [-h] [-s START_TIME] [-e LAST_TIME] [-nw]
[-ad] [--facets]
query
positional arguments:
query the process search query you'd like to execute
optional arguments:
-h, --help show this help message and exit
-s START_TIME, --start-time START_TIME
Start time of the process. Format:'Y-m-d H:M:S' UTC
-e LAST_TIME, --last-time LAST_TIME
Narrow to processes with start times BEFORE this
end/last time. Format:'Y-m-d H:M:S' UTC
-nw, --no-warnings Don't warn before printing large query results
-ad, --all-details Print all available process info (all fields).
--facets Retrieve statistical facets for this query.
The search guide built into the product is the best reference for what each field means; the process search fields are also documented publicly.
$ cbinterface query 'parent_name:svchost.exe process_name:rundll32.exe'
2021-03-12 14:46:33 analysis cbinterface.psc.cli[5724] INFO searching psc:default environment..
2021-03-12 14:46:39 analysis cbinterface.psc.query[5724] INFO got 108 process results.
Print all results? (y/n) [y]
------------------------- QUERY RESULTS -------------------------
-------------------------
Process GUID: 7W2FQEEY-02361dc7-00000804-00000000-1d7174c85597069
Process Name: rundll32.exe
Process PID: 2052
Process MD5: ef3179d498793bf4234f708d3be28633
Process SHA256: b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa
Process Path: c:\windows\system32\rundll32.exe
Process Terminated: True
Start Time: 2021-03-12 09:32:25.290000-0500
Command Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
Process Reputation: ADAPTIVE_WHITE_LIST
Parent Name: c:\windows\system32\svchost.exe
Parent GUID: 7W2FQEEY-02361dc7-00000388-00000000-1d709ea65c739de
Parent SHA256: 643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7
Username: ['YHP2BG\\NeoLite6']
Device ID: 37100999
Device Name: yhp2bg
Device OS: WINDOWS
External IP: 174.87.68.13
Internal IP: 10.0.2.15
<omitted more results>
$ cbinterface query 'parent_name:svchost.exe process_name:rundll32.exe cmdline:AutoRun.inf'
2021-02-10 04:00:10 analysis cbinterface.cli[7211] INFO searching acmecomp environment..
2021-02-10 04:00:10 analysis cbinterface.query[7211] INFO got 27 process results grouped by id.
Print all results? (y/n) [y] y
------------------------- QUERY RESULTS -------------------------
-------------------------
Process GUID: 000059af-0000-2e74-01d6-ff16835f6f89
Process Name: rundll32.exe
Process PID: 11892
Process MD5: 80f8e0c26028e83f1ef371d7b44de3df
Process Path: c:\windows\system32\rundll32.exe
Process Status: Terminated
Command Line: rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie removedName http://serverName/folder/process/AutoRun.inf
Parent Name: svchost.exe
Parent GUID: 000059af-0000-4428-01d6-f96379775e63
Hostname: computer00601
Username: DOMAIN\Pete
Start Time: 2021-02-09 19:05:21.244000
Last Update Time: 2021-02-09 19:05:21.715000
Sensor ID: 32958
Comms IP: 192.168.252.192
Interface IP: 192.168.252.192
GUI Link: https://carbonblack.acmecomp/#analyze/000059af-0000-2e74-01d6-ff16835f6f89/1612897752481
-------------------------
Process GUID: 00006a99-0000-59ac-01d6-feff3879acfd
Process Name: rundll32.exe
Process PID: 22956
Process MD5: 80f8e0c26028e83f1ef371d7b44de3df
Process Path: c:\windows\system32\rundll32.exe
Process Status: Terminated
Command Line: rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie serverName http://example.com/folder/AutoRun.inf
Parent Name: svchost.exe
Parent GUID: 00006a99-0000-5448-01d6-fed7b2708931
Hostname: computer01035
Username: DOMAIN\Sara
Start Time: 2021-02-09 16:18:37.162000
Last Update Time: 2021-02-09 16:18:37.887000
Sensor ID: 47299
Comms IP: 185.220.101.14
Interface IP: 192.168.1.89
GUI Link: https://carbonblack.acmecomp/#analyze/00006a99-0000-59ac-01d6-feff3879acfd/1612887600302
<omitted more results>
Use the --facets option to get facet data on the command line.
$ cbinterface query 'parent_name:svchost.exe process_name:rundll32.exe' --facets
2021-03-12 14:58:27 analysis cbinterface.psc.cli[7867] INFO searching psc:default environment..
2021-03-12 14:58:34 analysis cbinterface.psc.query[7867] INFO got 108 process results.
2021-03-12 14:58:34 analysis cbinterface.psc.cli[7867] INFO getting facet data...
2021-03-12 14:58:53 analysis cbinterface.psc.query[7867] WARNING problem enumerating child process names: maximum recursion depth exceeded
------------------------- FACET HISTOGRAMS -------------------------
parent_name results: 1
--------------------------------
svchost.exe: 108 - 100.% ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
process_name results: 1
--------------------------------
rundll32.exe: 108 - 100.% ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
process_reputation results: 2
--------------------------------
ADAPTIVE_WHITE_LIST: 52 - 48.1% ■■■■■■■■■■■■■■■■■■■■■■■■
TRUSTED_WHITE_LIST: 56 - 51.8% ■■■■■■■■■■■■■■■■■■■■■■■■■
process_username results: 4
--------------------------------
CURN982JH\sean: 13 - 12.0% ■■■■■■
YHP2BG\NeoLite6: 22 - 20.3% ■■■■■■■■■■
NT AUTHORITY\SYSTEM: 36 - 33.3% ■■■■■■■■■■■■■■■■
RIPDOM\A343932: 37 - 34.2% ■■■■■■■■■■■■■■■■■
process_sha256 results: 3
--------------------------------
9f1e56a3bf293ac536cf4b8dad57040797d62dbb0ca19c4ed9683b5565549481: 23 - 21.2% ■■■■■■■■■■
01b407af0200b66a34d9b1fa6d9eaab758efa36a36bb99b554384f59f8690b1a: 33 - 30.5% ■■■■■■■■■■■■■■■
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa: 52 - 48.1% ■■■■■■■■■■■■■■■■■■■■■■■■
device_name results: 4
--------------------------------
vcr0121823: 14 - 12.9% ■■■■■■
curn982jh: 15 - 13.8% ■■■■■■
ripdom\vcr0121823: 27 - 25.0% ■■■■■■■■■■■■
yhp2bg: 52 - 48.1% ■■■■■■■■■■■■■■■■■■■■■■■■
device_os results: 1
--------------------------------
WINDOWS: 108 - 100.% ■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
childproc_name results: 0
--------------------------------
Print all results? (y/n) [y] n
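Scripting the query and triaging its text output, as an added example (my code, not cbinterface's): it builds the argv with -nw so the "Print all results?" prompt cannot block a run without a tty, validates -s/-e against the documented 'Y-m-d H:M:S' UTC format (note that the Start Time printed above carries a local offset, -0500, so convert it to UTC before passing it back as a bound), parses the QUERY RESULTS block into dicts, counts one field the way --facets does, and flags records with two heuristics of my own. The record layout and field names, run_query's reliance on cbinterface being on PATH with working credentials, the heuristics, and the sample (trimmed from the two outputs on this page) are all assumptions.

```python
"""Script `cbinterface query` and triage its output (added example, not part of
cbinterface).  Assumes the "Key: Value" layout shown on this page."""
import re
import subprocess
from collections import Counter
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"   # the documented 'Y-m-d H:M:S' (UTC) format
BANNER = "QUERY RESULTS"
KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?):\s+(.*)$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
WHITELISTED = {"TRUSTED_WHITE_LIST", "ADAPTIVE_WHITE_LIST"}  # values from the facets above

# Constructed sample: records trimmed from the two outputs shown on this page
# (one CBC/PSC record, two CB Response records) so both layouts are exercised.
SAMPLE = r"""------------------------- QUERY RESULTS -------------------------
-------------------------
Process GUID: 7W2FQEEY-02361dc7-00000804-00000000-1d7174c85597069
Process Name: rundll32.exe
Command Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
Process Reputation: ADAPTIVE_WHITE_LIST
Username: ['YHP2BG\\NeoLite6']
Device Name: yhp2bg
-------------------------
Process GUID: 000059af-0000-2e74-01d6-ff16835f6f89
Process Name: rundll32.exe
Command Line: rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie removedName http://serverName/folder/process/AutoRun.inf
Hostname: computer00601
Username: DOMAIN\Pete
-------------------------
Process GUID: 00006a99-0000-59ac-01d6-feff3879acfd
Process Name: rundll32.exe
Command Line: rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie serverName http://example.com/folder/AutoRun.inf
Hostname: computer01035
Username: DOMAIN\Sara
<omitted more results>
"""

def build_query_argv(query, start=None, end=None, facets=False):
    """argv for a non-interactive run.  -nw is always passed: without it the
    "Print all results? (y/n)" prompt blocks a script that has no tty."""
    argv = ["cbinterface", "query", "-nw"]
    for flag, value in (("-s", start), ("-e", end)):
        if value is not None:
            datetime.strptime(value, TIME_FMT)  # ValueError unless 'Y-m-d H:M:S'
            argv += [flag, value]
    if facets:
        argv.append("--facets")
    argv.append(query)
    return argv

def run_query(query, **kwargs):
    """Run the CLI and return its stdout (needs cbinterface on PATH + credentials)."""
    proc = subprocess.run(build_query_argv(query, **kwargs),
                          capture_output=True, text=True, check=True)
    return proc.stdout

def parse_results(text):
    """Turn the QUERY RESULTS block into a list of {field: value} dicts."""
    records, current, in_results = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if BANNER in line:
            in_results = True
            continue
        if not in_results:          # skip log lines (and any facet output)
            continue
        if line.startswith(("---", "<", "Print all")):  # record boundary
            if current:
                records.append(current)
                current = {}
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records

def triage(records):
    """[(record, reasons)] for results worth a look.  Heuristics are mine: a URL
    on the rundll32 command line (the davclnt.dll,DavSetCookie WebDAV case above)
    and any reputation outside the white-list values seen in the facets."""
    hits = []
    for rec in records:
        reasons = []
        if URL_RE.search(rec.get("Command Line", "")):
            reasons.append("remote URL in command line")
        rep = rec.get("Process Reputation")
        if rep is not None and rep not in WHITELISTED:
            reasons.append("reputation " + rep)
        if reasons:
            hits.append((rec, reasons))
    return hits

def summarize(records, field):
    """Client-side counterpart of a --facets histogram for one field."""
    return Counter(rec.get(field, "<missing>") for rec in records)
```

In practice replace `parse_results(SAMPLE)` with `parse_results(run_query('parent_name:svchost.exe process_name:rundll32.exe', start='2021-03-12 00:00:00'))`; the parser only reads what follows the QUERY RESULTS banner, so the INFO/WARNING log lines and any facet histograms are ignored wherever the CLI prints them.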