Full Report
How It Works

1. IOC Extraction

Uncoder AI scans the threat report (left panel) and identifies malicious network infrastructure associated with:

- HATVIBE and CHERRYSYSPY loaders
- Suspicious communication and command-and-control domains like: trust-certificate.net, namecheap.com, enrollmenttdm.com, n247.com, mtw.ru

These domains are associated with:

- Fake certificate lures
- Python-based loaders
- Malicious HTA stagers
- Credential theft via […]

The post Domain-Based IOC Detection for Carbon Black in Uncoder AI appeared first on SOC Prime.
Analysis Summary
# Tool/Technique: Domain-Based IOC Detection for Carbon Black in Uncoder AI
## Overview
This article details a capability within the Uncoder AI platform: the generation of domain-based Indicator of Compromise (IOC) detection queries tailored for VMware Carbon Black endpoint detection and response (EDR) deployments. Because the queries use the network telemetry fields Carbon Black actually records, security teams can proactively hunt for infections and detect suspicious beaconing associated with specific malware families without hand-writing query syntax.
## Technical Details
- Type: Tool/Technique (Detection Engineering Workflow)
- Platform: VMware Carbon Black (Endpoint Security Platform)
- Capabilities: Automatic conversion of domain IOCs into executable Carbon Black queries using the correct telemetry fields (`netconn_domain`). Scalable inclusion of multiple domains.
- First Seen: June 04, 2025 (Date of publication)
## MITRE ATT&CK Mapping
The primary focus of this capability is on detecting Command and Control (C2) aspects of network communication post-compromise.
- **TA0011 - Command and Control**
  - **T1071 - Application Layer Protocol**
    - T1071.001 - Web Protocols (implied, as domain lookups and connections are often HTTP/S based)
## Functionality
### Core Capabilities
- **IOC Extraction**: Pulling domain-based threat intelligence.
- **Carbon Black Query Generation**: Automatically constructs valid detection queries for Carbon Black consoles.
- **Telemetry Field Utilization**: Specifically uses the `netconn_domain` field within Carbon Black network telemetry for accurate matching.
- **Scalability**: Supports batch hunting by allowing multiple domain entries in a single query line.
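As an added illustration (not code from the SOC Prime post or from Uncoder AI itself), the following Python builds the kind of multi-domain `netconn_domain` query described above from the domains quoted in the report excerpt, after normalising and validating them and setting aside entries an analyst should review first. It assumes Carbon Black's `field:value` search terms joined with `OR`; the review set and the sample events in the checks are constructed for this example.

```python
import re

# Constructed sample input: the domains quoted in the report excerpt above,
# plus the kind of duplicate and junk that automated IOC extraction produces.
REPORT_DOMAINS = [
    "trust-certificate.net", "namecheap.com", "enrollmenttdm.com",
    "n247.com", "mtw.ru",
    "Trust-Certificate.NET.",  # same IOC, different case, trailing dot
    "not a domain",            # extraction noise that must not reach the query
]

# Assumption for this example: widely used legitimate services that an analyst
# should review before hunting on, since an exact match is mostly benign noise.
REVIEW_BEFORE_USE = {"namecheap.com"}

# RFC 1123-style hostname: dotted labels of 1-63 chars, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)

def normalize_domains(raw):
    """Lowercase, strip whitespace/trailing dot, drop invalid entries, dedupe in order."""
    seen, out = set(), []
    for d in raw:
        d = d.strip().lower().rstrip(".")
        if HOSTNAME_RE.match(d) and d not in seen:
            seen.add(d)
            out.append(d)
    return out

def split_for_review(domains):
    """Separate domains safe to hunt on now from those needing analyst review."""
    hunt = [d for d in domains if d not in REVIEW_BEFORE_USE]
    review = [d for d in domains if d in REVIEW_BEFORE_USE]
    return hunt, review

def build_cb_query(domains):
    """One Carbon Black query line matching a network connection to any listed domain."""
    return " OR ".join(f"netconn_domain:{d}" for d in domains)

def matches_query(query, event):
    """Evaluate the generated query against a netconn event dict; assumes the field
    is compared as an exact, case-insensitive hostname (no subdomain wildcarding)."""
    wanted = {term.split(":", 1)[1] for term in query.split(" OR ")}
    return event.get("netconn_domain", "").lower().rstrip(".") in wanted
```

`matches_query` only mirrors the query's exact-match semantics for local testing; it is not a substitute for running the query in the Carbon Black console.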
### Advanced Features
- Output is "plug-and-play" for Carbon Black, requiring no manual syntax editing by the analyst.
- Facilitates proactive hunting and accelerates incident response by pivoting directly from threat intelligence to high-fidelity detection logic.
## Indicators of Compromise
- File Hashes: N/A (Focus is on network IOCs/domains)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: The method is designed to detect connections to domains associated with:
  - **HATVIBE** malware family
  - **CHERRYSYSPY** malware family
- Behavioral Indicators: Detecting suspicious domain beacons tied to post-compromise activity.
## Associated Threat Actors
The detection logic specifically targets IOCs related to malware families known to be used by various threat actors, including:
- Actors deploying **HATVIBE**
- Actors deploying **CHERRYSYSPY**
(Note: The article does not explicitly name the Threat Actors, only the malware families.)
## Detection Methods
The technique described is a generation method for creating detection content:
- **Signature-based detection**: The generated output creates a signature (query) designed to match specific network connections in Carbon Black logs.
- **Behavioral detection**: Focuses on detecting "suspicious domain beacons."
- **YARA rules**: Not applicable here; the output is a platform-specific Carbon Black query over network telemetry, not a file-content signature.
## Mitigation Strategies
- **Prevention measures**: Ensuring EDR/Security solutions (like Carbon Black) are deployed and collecting necessary network connection events.
- **Hardening recommendations**: Monitoring and blocking connections to identified malicious domains proactively via network perimeter controls.
## Related Tools/Techniques
- **Uncoder AI**: The platform used to generate the tailored queries.
- **VMware Carbon Black**: The target endpoint security platform.
- **HATVIBE**
- **CHERRYSYSPY**