
Products: VMware - Carbon Black Cloud

Rules

| Rule ID | Rule Name |
|---|---|
| MATCH-S00139 | Abnormal Parent-Child Process Combination |
| MATCH-S00686 | Base64 Decode in Command Line |
| MATCH-S00269 | Clipboard Copied |
| MATCH-S00525 | Credential Dumping Via Copy Command From Shadow Copy |
| MATCH-S00526 | Credential Dumping Via Symlink To Shadow Copy |
| MATCH-S00543 | Detect Psexec With Accepteula Flag |
| MATCH-S00568 | Dnscat Execution |
| FIRST-S00028 | First Seen Common Windows Recon Commands From User |
| FIRST-S00076 | First Seen Net Command Use on Host |
| FIRST-S00038 | First Seen Wget Usage from User |
| FIRST-S00040 | First Seen cURL execution from User |
| MATCH-S00429 | LSASS Memory Dumping |
| MATCH-S00352 | MSHTA Suspicious Execution |
| MATCH-S00161 | Malicious PowerShell Get Commands |
| MATCH-S00190 | Malicious PowerShell Invoke Commands |
| MATCH-S00198 | Malicious PowerShell Keywords |
| MATCH-S00331 | MavInject Process Injection |
| MATCH-S00355 | Meterpreter or Cobalt Strike Getsystem Service Start |
| MATCH-S00419 | Multiple File Extensions |
| MATCH-S00156 | New Suspicious cmd.exe / regedit.exe / powershell.exe Service Launch |
| MATCH-S00402 | Normalized Security Signal |
| MATCH-S00136 | PowerShell Encoded Command |
| MATCH-S00149 | PowerShell File Download |
| MATCH-S00449 | Powershell Execution Policy Bypass |
| MATCH-S00167 | Recon Using Common Windows Commands |
| MATCH-S00328 | Rubeus Hack Tool |
| MATCH-S00153 | Scheduled Task Created via PowerShell |
| MATCH-S00529 | Schtasks Scheduling Job On Remote System |
| MATCH-S00547 | Script Execution Via WMI |
| MATCH-S00296 | Shadow Copies Deletion Using OS Utilities |
| MATCH-S00406 | Shadow Copy Creation |
| OUTLIER-S00009 | Spike in PowerShell Command Line Length From Host |
| MATCH-S00359 | Suspicious Certutil Command |
| MATCH-S00191 | Suspicious PowerShell Keywords |
| MATCH-S00164 | Suspicious Shells Spawned by Web Servers |
| LEGACY-S00108 | Threat Intel - Matched File Hash |
| MATCH-S00588 | Trickbot Malware Recon Activity |
| MATCH-S00150 | WMI Launching Shell |
| MATCH-S00570 | WMIPRVSE Spawning Process |
| MATCH-S00400 | Web Download via Office Binaries |
| MATCH-S00181 | Windows - Domain Trust Discovery |
| MATCH-S00162 | Windows - Network trace capture using netsh.exe |
| MATCH-S00159 | Windows - Permissions Group Discovery |
| MATCH-S00276 | Windows - Possible Squiblydoo Technique Observed |
| MATCH-S00281 | Windows - PowerShell Process Discovery |
| MATCH-S00185 | Windows - Remote System Discovery |
| MATCH-S00272 | Windows - Rogue Domain Controller - dcshadow |
| MATCH-S00170 | Windows - Scheduled Task Creation |
| MATCH-S00178 | Windows Query Registry |
| LEGACY-S00171 | Windows Service Executed from Nonstandard Execution Path |
| MATCH-S00435 | XSL Script Processing |
| MATCH-S00919 | chage command use on host |

Log Mappers

| Log Mapper ID | Log Mapper Name |
|---|---|
| c79ca29b-5742-4668-982f-7ef30300299d | Carbon Black Cloud - CONTAINER_RUNTIME |
| 81112448-48b5-4799-bc6e-a712a87ca34c | Carbon Black Cloud - FACET |
| 1780bb82-3701-457c-a922-33e7a397199e | Carbon Black Cloud - Observation event |
| 50ee5df8-20ae-4183-a282-b96369005935 | Carbon Black Cloud API Call |
| 4acf430c-7582-4e40-a3ce-050f7f78bd29 | Carbon Black Cloud Alert - CB_ANALYTICS |
| 020bc223-86b6-4b9b-9c39-4864eed1510b | Carbon Black Cloud Alert - Tuned Activity |
| dd54ac26-28af-431e-b488-8c51ad764016 | Carbon Black Cloud Alert - WATCHLIST |
| 821e00a8-8bd7-42ce-8414-4e04db6a5e37 | Carbon Black Cloud Cross Process Event |
| ea82e9f2-d2a1-4150-b47b-1af1f38d14e4 | Carbon Black Cloud File Modification |
| ce848916-0ff5-4c9c-9817-8e6d1af3b9b1 | Carbon Black Cloud Module Load |
| 3fe47187-8a81-4e1a-b80b-c0f2c4237ff6 | Carbon Black Cloud Network Connection |
| 9564da72-7e2e-4a97-bc3b-0367314f15c8 | Carbon Black Cloud Process Auditing |
| 82792c8e-dbec-4e10-ae42-b6a0944dec23 | Carbon Black Cloud Registry Modification |
| c56b1897-8e99-42f8-a5bc-9b56a4b7ab43 | Carbon Black Cloud Script Load |
| d6296fb1-a1b1-4431-a93d-566cfef15a45 | Carbon Black Cloud Watchlist Hit |