Kirk's Endpoint Standard Kung Fu Blog 

There are times when a tool like Endpoint Standard can make your job easier and give you visibility into your environment that you never had before. Besides the standard searches in VMware CB Endpoint Standard, for example checking a file's reputation or testing a policy rule, you can also search for the common admin tool commands that attackers and sysadmins alike run, and use them in ways that may be unique to your environment and bring additional value to you and your organization.

I have collected a number of "Kung Fu" tips and tricks that can make your time in Endpoint Standard more productive and help you get more value out of the tool. I will be releasing a tip or trick each week, so feel free to visit the posts and pick and choose the ones that are helpful for you.

To get notified whenever I add a new tip, simply subscribe to this post via the ellipsis option menu and select "Subscribe".

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #1 -- Using Windows Error Reporting (werfault.exe) to find memory dumps

If you want to find machines in your network that may be generating memory dumps because of OS errors or applications not playing nicely in the environment, you can search for werfault.exe, the Windows Error Reporting process that runs when an application crashes.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #2 -- Doing an investigation in potentially suspicious directories and looking for files that have an unknown or not listed reputation

Let's say I have reason to believe that a host on my network is generating alerts and looks suspicious. I want to see whether any garbage has run from the AppData or Temp directories that Carbon Black does not consider a "trusted file", in other words anything whose reputation is NOT_LISTED or UNKNOWN. I could run a query like the one below.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #3 -- AV being blamed for things like blocking files or applications not running properly

It can be helpful for admins, and sometimes a necessity, to look into a complaint and check whether the problem really is the AV or something else on the OS or in another application.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #4 -- MSHTA abuse

Today let's have a brief discussion of why and how mshta.exe is abused in the wild. HTA is short for HTML Application: a file made up of HTML plus one or more scripting languages supported by Internet Explorer (typically VBScript or JScript), which mshta.exe runs outside the browser's security zones with the full privileges of the logged-on user.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #5 -- Adding the network component can make a search more useful

Today let's have a brief discussion of how adding external network connections to a search can make a normal search much more interesting. Let's look at a few queries that could be useful and give you some ideas for your own environment.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #6 -- Looking for netsh firewall commands that may have been run

Let's have a brief discussion on why it may be interesting to see whether anyone ran commands to, say, turn off the Windows firewall. I am on vacation so this post is short, but it could be very useful. Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #7 -- Looking for file sharing connections to other systems

Windows carries file and printer sharing traffic over the Server Message Block (SMB) protocol, hosted directly on TCP port 445. SMB also provides inter-process communication (named pipes over the IPC$ share), which services and applications use to talk to each other across the network. So we would expect internal systems like desktops and laptops to connect over TCP 445 to our file server(s), but it may be interesting to exclude those and see what else your systems are connecting to on that port. Workstation-to-workstation SMB, or SMB leaving the network, is the pattern lateral movement tends to produce.  Read more...
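As an added example, not code from the original post or from Carbon Black, here is the same exclusion logic in Python over a constructed set of connection records. The field names, addresses, internal ranges and file-server list are assumptions for the example; in Endpoint Standard you would express the same filter in the Investigate search bar, but the logic of "SMB, minus the file servers, split by internal versus external destination" is the same.

```python
"""Triage SMB connections by excluding known file servers (added example).

The records and addresses below are constructed; the field names are this
script's own, not Endpoint Standard's.
"""
import ipaddress
from collections import Counter

# Constructed sample of outbound connection events (one dict per event).
SAMPLE_EVENTS = [
    {"device": "WKS-101", "process": "explorer.exe",   "remote_ip": "10.0.5.10",     "remote_port": 445},
    {"device": "WKS-101", "process": "System",         "remote_ip": "10.0.5.11",     "remote_port": 445},
    {"device": "WKS-102", "process": "powershell.exe", "remote_ip": "10.0.7.23",     "remote_port": 445},
    {"device": "WKS-103", "process": "chrome.exe",     "remote_ip": "93.184.216.34", "remote_port": 443},
    {"device": "WKS-104", "process": "cmd.exe",        "remote_ip": "203.0.113.9",   "remote_port": 445},
    {"device": "WKS-105", "process": "System",         "remote_ip": "10.0.5.10",     "remote_port": 139},
]

# Assumed sanctioned file servers and internal ranges; in practice pull these from your CMDB.
KNOWN_FILE_SERVERS = {"10.0.5.10", "10.0.5.11"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}   # 445 = SMB direct over TCP, 139 = SMB over NetBIOS


def unexpected_smb(events, file_servers=KNOWN_FILE_SERVERS):
    """Return SMB connections whose destination is not a known file server.

    Each finding is the original event plus a 'reason':
      smb_to_public_ip      - SMB leaving your internal ranges (should never happen)
      smb_to_non_fileserver - internal SMB to something other than a file server
                              (workstation-to-workstation is a classic lateral-movement pattern)
    """
    findings = []
    for event in events:
        if event["remote_port"] not in SMB_PORTS:
            continue
        if event["remote_ip"] in file_servers:
            continue
        dest = ipaddress.ip_address(event["remote_ip"])
        internal = any(dest in net for net in INTERNAL_NETS)
        reason = "smb_to_non_fileserver" if internal else "smb_to_public_ip"
        findings.append({**event, "reason": reason})
    return findings


def summarize(findings):
    """Count findings by (process, reason) so the noisiest source is obvious."""
    return Counter((f["process"], f["reason"]) for f in findings)


if __name__ == "__main__":
    hits = unexpected_smb(SAMPLE_EVENTS)
    for hit in hits:
        print(f'{hit["device"]:8} {hit["process"]:16} -> {hit["remote_ip"]}:{hit["remote_port"]}  {hit["reason"]}')
    print(summarize(hits))
```

Passing an empty file-server set shows every SMB connection, which is the "see what normal looks like" baseline you want before you start excluding things.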

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #8 -- Searching for "interesting" things via the threat score

Today let's say you are on the Investigate page and want to search for some "interesting" things in your environment but are not sure where to start. You could start by searching on threat score. Threat scores run from 1 to 10 in order of severity, so if you wanted, for example, to find everything scored 4 or higher, you can do a search like this.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #9 -- Searching for "interesting" things via the threat score and/or kill chain status

Let's continue where we left off last week, where we built a query for threats with a score of 4 and above. Now, what if we also want to use the kill chain stage to see how far a possible attack may have gotten in our network?  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #10 -- Using the syslogLevel search string to find or hunt for interesting things

Today let's discuss how to search on the field known as syslogLevel in the product. The first thing to know is that CB Defense classifies detections into two categories you will all recognize, "Observed" and "Threat", and syslogLevel is how you tell them apart in a search.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #11 -- Looking for a specific OS or all OSes

Sometimes it is helpful to see all Windows machines or all Mac machines and which versions they are running. Being able to break this down by policy as well can be helpful information.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #12 -- Looking for a specific hash

This week let's say we want to do an investigation of a hash. The question is should I search for the target hash or the parent hash or the selected hash?  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #13 -- PowerShell spawning a browser

I saw PowerShell invoking a browser in an environment this week and thought it would make a good simple query to share. That should NOT normally be happening. If you get any hits on the queries below, it may be worth investigating.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #14 -- Filtering on events with a given event type

This week let's cover the event types below we can search for.  Read more... 

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #15 -- Port searching

Let's have a quick discussion on how to search for applications using ports in your environment to add to your kung fu skills.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #16 -- What is Powershell doing in your network?

Today let's take a look for a few PowerShell commands.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #17 -- Are your domain controllers making connections to international sites, or are your domain admins surfing on a DC?

When I hunt with customers I often ask them, "Are your domain admins surfing the web on the DCs?" They should not be; any internet browsing should happen from their desktop or laptop, not from a domain controller. If you want to check whether your domain admins are doing this, you can run a query like this.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #18 -- Adversaries may attempt to get a listing of local system or domain accounts using tools that are already on the OS

What tools can be used to grab domain or local accounts? Today let's focus on two in particular, ldifde.exe and csvde.exe, both of which ship with Active Directory Domain Services and export directory objects, including user accounts, to a file.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #19 -- Using a wildcard in your searches

I have been asked the question enough by customers that I figured a quick blog post on it may help some folks. The question is, "Can you search and use wildcards?"  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #20 -- Rundll32 executing scripts or proxying execution in your environment

I saw this on a call last week; the alert on your Alerts page would look like this: the application rundll32.exe injected code into a system process (lsass.exe), threat score 5.   Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #21 -- Good applications that invoke untrusted processes when malware installed itself as a service

I have seen on customer calls where malware, or suspected malware, has installed itself as a Windows service. This typically happens when the customer is in a monitored policy or a policy that is not strong enough, and they then want to search for this kind of activity. Let's try a few queries that may be helpful for an investigation like this.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #22 -- Browsers spawning a command interpreter

Something I have seen in environments is a browser calling PowerShell or wscript, for example. Should this be happening in your environment? The answer is, it depends, and you should verify it whenever it happens. You can run a few simple queries to look for this kind of activity in your environment.  Read more.
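As an added example (not from the original post or from Carbon Black), the following Python script runs both parent/child checks from tip #13 (PowerShell spawning a browser) and this tip (a browser spawning a command interpreter) over a constructed set of process-start events. The event format, the process name lists and the "known good" mechanism are assumptions for the example; the point is the rule table, which you can expand to any parent/child pair you care about.

```python
"""Parent/child process pairs that deserve a look (added example).

Covers the two patterns from tips #13 and #22: a browser spawning a command
interpreter, and PowerShell spawning a browser. The events are constructed and
the field names are this script's own.
"""

# Constructed process-start events: which parent launched which child.
SAMPLE_PROCESS_EVENTS = [
    {"device": "WKS-201", "parent": "chrome.exe",     "child": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc aQBlAHgA"},
    {"device": "WKS-202", "parent": "firefox.exe",    "child": "wscript.exe",    "cmdline": r"wscript.exe C:\Users\bob\AppData\Local\Temp\invoice.js"},
    {"device": "WKS-203", "parent": "powershell.exe", "child": "chrome.exe",     "cmdline": "chrome.exe http://intranet.example/report"},
    {"device": "WKS-204", "parent": "explorer.exe",   "child": "chrome.exe",     "cmdline": "chrome.exe"},
    {"device": "WKS-205", "parent": "msedge.exe",     "child": "msedge.exe",     "cmdline": "msedge.exe --type=renderer"},
    {"device": "WKS-206", "parent": "powershell.exe", "child": "cmd.exe",        "cmdline": "cmd.exe /c whoami"},
]

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# (rule name, parents that trigger it, children that trigger it); first match wins.
RULES = [
    ("browser_spawned_interpreter", BROWSERS, INTERPRETERS),
    ("powershell_spawned_browser", POWERSHELL, BROWSERS),
]


def classify(event):
    """Return the name of the rule an event matches, or None."""
    parent = event["parent"].lower()
    child = event["child"].lower()
    for name, parents, children in RULES:
        if parent in parents and child in children:
            return name
    return None


def hunt(events, known_good=()):
    """Return matching events annotated with the rule name.

    known_good holds command-line substrings you have already verified as
    legitimate ("it depends, and you should verify"), so a sanctioned tool
    does not show up on every run. Anything else that matches is returned.
    """
    findings = []
    for event in events:
        rule = classify(event)
        if rule is None:
            continue
        if any(marker in event["cmdline"] for marker in known_good):
            continue
        findings.append({**event, "rule": rule})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_PROCESS_EVENTS):
        print(f'{f["device"]}: {f["parent"]} -> {f["child"]}  [{f["rule"]}]  {f["cmdline"]}')
```

Note that a browser spawning itself (renderer processes) and PowerShell spawning cmd.exe are deliberately not in the rule table; the first is normal, and the second is noisy enough that it belongs in its own search with its own exclusions.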

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #23 -- Looking for files in the downloads folder that may have a questionable reputation

I have a short post today. A customer asked me whether we could see what his users were downloading; he was also concerned about files that may not have a "good reputation". You can use a query like this to find things in a Downloads folder.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #24 -- Querying for scheduled tasks that may be creating files that you may have deleted but keep coming back (Part 1)

I had a customer call this week where the Defense admin told me, "Kirk, I keep deleting this file and it keeps coming back." I said, well, if you have verified that the hash is the same each time, most likely a scheduled task is recreating it. He then, of course, asked me how he would find out if that is the case. Well, glad you asked :) So first let's discuss how we would look for scheduled tasks in general.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #25 -- Querying for scheduled tasks that may be creating files that you may have deleted but keep coming back (Part 2)

This week we will use Live Response queries to hunt for a scheduled task on the same box. So instead of querying in Defense, let's try to do the same scenario with Live Response.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #26 -- Searching for unsigned executables

There was a customer question posted here asking how you can search for an unsigned executable in CB Defense. Good question. There are multiple ways, depending on what you are looking to do.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #27 -- Cmd interpreters that were blocked by Endpoint Standard

I had a customer ask me the other day how he could find out how many things had been blocked since he put in a command interpreter rule.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #28 -- Hunting for files being uploaded or data being accessed using Endpoint Standard

I was working with a customer a few weeks ago and asked whether they looked for files being uploaded, and whether, while hunting, they checked for data being accessed by systems or people they would not expect. The answer was no, so I told them we should search first to "see" what normal looks like.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #29 -- Hunting for possible persistence in your environment

I was helping customers as I normally do and have been hearing several questions around how can I see if an attacker or software is "persistent" in my environment. Persistence techniques give the attacker or adversary the ability to maintain access to compromised systems.  Read more

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #30 -- Questionable paths that have files that may be creating new files, accessing your data, modifying the registry or making network connections

We all know there are some paths in Windows where "junk" tends to run, and that make a security person cringe. We can block them in CB Defense, but that becomes hard because some valid apps also run from those directories. So what exactly is running in your temp directories, and what is it doing in your environment? Let's build out a few queries to help you do some digging.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #31 -- Using "normal" TTPs that are more of a system-type function to learn about your environment and detect unwanted applications/programs

Some TTPs show up often, and many customers ignore them or do not use them because they are noisy, but they can tell you a lot about your network and help you find forgotten scripts or tools, perhaps left behind by someone who has since left the company. We can hunt across the environment for machines or applications that send email, modify a service, or try to run as a system utility. You will get results you do not care about, so you can "NOT" those out of the query; I provide an example below. Let's get started.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #32 -- Reviewing certain TTPs across your environment: are they causing observed or threat type events in your network?

I was working with a customer who wanted to review a few TTPs and hunt across the environment to see whether they had any hits or anything interesting. I have three TTPs below as examples, but you can do this with any TTP that interests you. I show below how to look for TTPs that generate observed or threat type activity.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #33 -- Reviewing TRUSTED_WHITE applications that may be being abused

Some applications are trusted but are leveraged as living-off-the-land binaries, and therefore they do not "stand out" as quickly to a security analyst. I had a customer run the queries below, and we reviewed the results together.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #34 -- Searching for Javascript in your environment

I have a short post today. A customer asked me which attacks I was seeing in customers' environments that they were not normally blocking. My mind went straight to JavaScript. Many customers fail to put in rules to block it because they may have legitimate JavaScript running in their environment. I suggest you search to see what is happening in your environment before ever putting in a blocking rule.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #35 -- RDP making connections internationally?

I was on a call where a customer told me they did not do business with any countries internationally. I knew, though, that between web browsers, Office and many other applications, they would still have some connections that would be deemed "interesting". So we ran a quick query to see what in their environment was connecting internationally.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #36 -- Shadow copies being leveraged by wmic in your environment?

Multiple families of ransomware try to delete or manipulate Volume Shadow Copies so that victims cannot restore their files, and WMIC is one of the tools used to do it (for example, wmic shadowcopy delete). WMIC has a TRUSTED_WHITE reputation because it is a Microsoft process, so it may be an interesting search in your environment to see if you find this happening.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #37 -- Windows event log management tool use

WevtUtil.exe is the Windows event log tool that lets you manage event logs, and you can do a lot with it. It would be interesting to see where this tool is running in our environment and make sure it is being used for good and not for clearing logs or other nefarious purposes.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #38 -- Microsoft binaries that can proxy execution of code

The .NET Framework tools make it easier to create, deploy, and manage applications and components that target the .NET Framework. Regasm.exe and Regsvcs.exe are two such binaries, used to register .NET assemblies so that COM clients can use them (Regsvcs registers them with COM+). Because they are signed Microsoft utilities that live in the .NET Framework directory, they can be used as another way to bypass AppLocker restrictions and execute arbitrary code. Adversaries use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #39 -- Reviewing the use of reg, which lets you view or configure registry entries on local or remote computers

With CB Defense you can search for "interesting" registry key information that could be helpful in your environment. The reg command performs operations on registry subkeys and values; you can string its subcommands (add, delete, query, and so on) together with key paths and search for them within the command line.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #40 -- Looking for signed or unsigned files

Sometimes it is helpful to see which files on a particular endpoint are signed, or to find files that are not signed by a vendor. You can search for those with searches like the ones below.

Searching across the entire database will bring back many results, so scoping the search by endpoint or by policy may be more helpful. I will show you how to do both.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #41 -- Uninstalls via the command line

Sometimes it may be useful to see what is being uninstalled via the command line. You can search for the word uninstall, but we can add some other combinations that make the searches more interesting.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #42 -- PowerShell making network connections and leveraging potentially suspicious reputations

I had a customer recently ask me how to search for PowerShell launching an application that then makes network connections. We also discussed looking for things that make network connections with a NOT_LISTED or UNKNOWN reputation. We built the query together on our call.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #43 -- Mac sensor collects and displays "bytes sent" and "bytes received", which can help correlate malicious downloads and identify open sessions to C2

Today I wanted to show something currently you can only do on the Mac sensor, and wouldn't it be nice to be able to do this on the Windows and Linux sensor as well?  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #44 -- WMIC doing "interesting" things in your environment

The WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI). WMIC is compatible with existing shells and utility commands. It can be used for things like enhancing administrative capabilities for local and remote systems and can be used to query system settings, stop processes, and locally or remotely execute scripts.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #45 -- Event log clearing or management in your environment

I wanted to show today how you could find someone running a command to wipe event logs, for example wevtutil.exe cl followed by the log name, by searching for that command line. But it may make more sense to first review whether event logs are being accessed at all by the Windows event log tools, and then narrow down to the clearing commands.  Read more.
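As an added example (not from the original post or from Carbon Black), the Python script below does the two-step review this tip and tip #37 describe: classify every wevtutil.exe command line by what it does to a log (read, reconfigure, clear), and then filter down to the clearing commands, including PowerShell's Clear-EventLog, which does the same job without wevtutil. The command lines and device names are constructed samples; the wevtutil verbs are the real ones from the tool's help output.

```python
"""Classify wevtutil.exe (and Clear-EventLog) command lines (added example).

Serves tips #37 and #45: first see where the event log tools run at all, then
single out log clearing. Command lines are constructed samples.
"""
import re
import shlex

# Constructed (device, command line) pairs.
SAMPLE_CMDLINES = [
    ("SRV-1", r'"C:\Windows\System32\wevtutil.exe" cl Security'),
    ("SRV-1", r"wevtutil.exe clear-log System"),
    ("SRV-2", r"wevtutil qe Security /c:20 /rd:true /f:text"),
    ("WKS-9", r"WEVTUTIL.EXE el"),
    ("WKS-9", r"wevtutil.exe sl Security /ms:1073741824"),
    ("SRV-3", r'powershell.exe -c "Clear-EventLog -LogName Security"'),
    ("WKS-7", r"notepad.exe C:\Users\a\notes.txt"),
]

# wevtutil verbs and their long forms, grouped by what they do to a log.
CLEAR_VERBS = {"cl", "clear-log"}
CONFIG_VERBS = {"sl", "set-log"}          # can shrink, disable or retarget a log
READ_VERBS = {"el", "enum-logs", "gl", "get-log", "gli", "get-log-info",
              "qe", "query-events", "epl", "export-log", "al", "archive-log"}

# PowerShell's own way to wipe a log; the log name is optional in the match.
CLEAR_EVENTLOG_RE = re.compile(r"clear-eventlog(?:\s+-logname\s+([^\s\"']+))?", re.IGNORECASE)


def _basename(token):
    """Strip quotes and directories so 'C:\\...\\WEVTUTIL.EXE' becomes 'wevtutil.exe'."""
    return re.split(r"[\\/]", token.strip('"')).pop().lower()


def classify_cmdline(cmdline):
    """Return (category, log name or None), or None if the command is not log management."""
    # Non-POSIX mode keeps Windows backslashes and quoted paths intact.
    argv = shlex.split(cmdline, posix=False)
    if not argv:
        return None
    exe = _basename(argv[0])
    if exe in {"wevtutil.exe", "wevtutil"} and len(argv) > 1:
        verb = argv[1].lower()
        log = argv[2] if len(argv) > 2 and not argv[2].startswith("/") else None
        if verb in CLEAR_VERBS:
            return ("log_cleared", log)
        if verb in CONFIG_VERBS:
            return ("log_config_changed", log)
        if verb in READ_VERBS:
            return ("log_read", log)
        return ("log_other", log)
    match = CLEAR_EVENTLOG_RE.search(cmdline)
    if match:
        return ("log_cleared", match.group(1))
    return None


def hunt(records, only=None):
    """Classify every record; pass only={"log_cleared"} to keep just the scary ones."""
    out = []
    for device, cmdline in records:
        result = classify_cmdline(cmdline)
        if result and (only is None or result[0] in only):
            out.append((device, result[0], result[1]))
    return out


if __name__ == "__main__":
    for device, category, log in hunt(SAMPLE_CMDLINES):
        print(f"{device:6} {category:20} {log or '-'}")
```

Running it without a filter gives you the "who uses the event log tools at all" baseline; the only={"log_cleared"} filter is what you would turn into a saved search or notification.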

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #46 -- Looking for things at the attack stage

If you use the Target Value setting in the UI to weight threat levels by what is important in your environment, you can also query on it in a search. So, for instance, if you had a policy named Servers containing your essential servers with its target value set to High, you can query for machines that are in High and also at a specific stage of the kill chain.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #47 -- Finding files that have a LOCAL_WHITE Reputation

I was working with a customer who was new to his company. He said he was trying to figure out what software had been in their environment for a long time. I told him, "While I can't tell you that, I can show you how to find software that was installed before our sensor, which indicates software that was on the endpoint before we installed." That is what the LOCAL_WHITE reputation tells you: the sensor assigns it to files that were already present when it was installed. He asked me how, and I showed him a few queries like the ones below.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #48 -- Searching for FQDN

I have sometimes wanted to look for an FQDN when doing a network search. It is easy: simply do something like this.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #49 -- Searching for a PID of a process

This will be a short post today, but I hope it helps someone out in the future. Sometimes, when you see a PID in an alert, it is helpful to know what other applications and processes that PID is interacting with, and you can run searches across the environment to find out. You can query several fields this way. Keep in mind that a PID is only unique on one host at one time and gets reused, so combine it with the device name and a time window.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #50 -- Searching Reputations

Sometimes you will want to search for files by reputation, and this could include parent reputation or target or child reputations. I wanted to give an example of each to help anyone out who may want to save or try some new searches out.  Read more.

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #51 -- Searching or alerting on TTPs that may be deemed "interesting"

I had a customer ask me which TTPs I thought were interesting from what I see on customer calls. I thought about it a minute and suggested a few to set up notifications for, so they act like a watchlist.  Read more...

--------------------------------------------------------------------------

Endpoint Standard Kung Fu tip #52 -- Querying via the API for returning two days of events or two weeks of events from a particular host

I usually give ideas for threat hunting queries or queries to find certain things, and while this post is along those lines, it uses the API instead of the regular Investigate page.

Using the API I wanted to return two days of events across my machines and write that data to a CSV file. You can simply install curl and run the command like this; the -o option writes the response to a file.

Read more.
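As an added example, not from the original post or from Carbon Black, here is the same workflow in Python: pull a window of events for a host and flatten them into CSV. The endpoint path (/integrationServices/v3/event), the searchWindow and hostName query parameters, the "apikey/connectorid" form of the X-Auth-Token header and the field names in FIELDS are assumptions based on the legacy CB Defense API; check them against your console's API documentation before relying on them. The sample response used for the offline run is constructed.

```python
"""Pull a window of events from the CB Defense API and write them to CSV (added example).

The endpoint, query parameters, auth header format and field names are
assumptions based on the legacy CB Defense API; the sample events are constructed.
"""
import csv
import io
import json
import urllib.parse
import urllib.request

# Dotted paths into each event; adjust to the fields your console actually returns (assumed names).
FIELDS = ["eventId", "createTime", "deviceDetails.deviceName", "processDetails.name",
          "eventType", "threatIndicators"]

# Constructed events in the general shape of the API's "results" list.
SAMPLE_RESPONSE = {
    "results": [
        {"eventId": "ev-1", "createTime": 1700000000000, "eventType": "NETWORK",
         "deviceDetails": {"deviceName": "WKS-101"}, "processDetails": {"name": "powershell.exe"},
         "threatIndicators": ["NETWORK_ACCESS", "POLICY_DENY"]},
        {"eventId": "ev-2", "createTime": 1700000060000, "eventType": "CREATE_PROCESS",
         "deviceDetails": {"deviceName": "WKS-101"}, "processDetails": {"name": "cmd.exe"}},
    ]
}


def fetch_events(base_url, api_key, connector_id, search_window="2d", host_name=None):
    """GET events for a window such as "2d" or "2w", optionally for one host.

    Network call against the assumed endpoint; not exercised by the offline demo.
    """
    params = {"searchWindow": search_window}
    if host_name:
        params["hostName"] = host_name
    url = f"{base_url}/integrationServices/v3/event?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={"X-Auth-Token": f"{api_key}/{connector_id}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp).get("results", [])


def lookup(event, dotted):
    """Walk a dotted path; a missing key yields '' and a list is joined so the CSV cell stays flat."""
    value = event
    for key in dotted.split("."):
        if not isinstance(value, dict) or key not in value:
            return ""
        value = value[key]
    return ";".join(map(str, value)) if isinstance(value, list) else value


def events_to_csv(events, fields=FIELDS):
    """Return CSV text with a header row and one row per event."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for event in events:
        writer.writerow({f: lookup(event, f) for f in fields})
    return buf.getvalue()


if __name__ == "__main__":
    # Offline demo on the constructed response; swap in fetch_events(...) for a live pull.
    text = events_to_csv(SAMPLE_RESPONSE["results"])
    with open("events.csv", "w", newline="") as fh:
        fh.write(text)
    print(text)
```

Flattening the nested fields yourself, rather than dumping raw JSON, is what makes the CSV usable in a spreadsheet or a SIEM import; the dotted FIELDS list is the only thing you should need to change when the API's schema differs from the assumed one.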
