
VMware Carbon Black Configuration

Product Versions

VMware Carbon Black Cloud Endpoint Enterprise with Threatsight

The above SKU includes the following VMware Carbon Black Cloud products:

  • Next-gen AV
  • Behavioral EDR
  • Audit & Remediation
  • Enterprise EDR
  • Managed Detection

VMware Carbon Black Cloud Sensor version:


VMware Carbon Black Cloud is a cloud-native endpoint protection platform that provides Next-gen AV, EDR, and Audit and Remediation capabilities from a single console. Its universal, lightweight sensor serves as both a continuous event recorder and a preventive action agent. For detection and response purposes, the Carbon Black Cloud captures all process executions and their associated metadata, file modifications, registry modifications, network connections, module loads, fileless script executions, and cross-process behaviors (i.e. process injection). All of this behavioral activity is captured and streamed live to your cloud instance for visualization, searching, alerting, and blocking, which allows for both real-time and historical threat hunting across your environment. The Carbon Black Cloud also keeps track of every process executed in your environment and its metadata, including a copy of the binary for forensic purposes. These features enable customers, MSSPs, and IR partners to:

  • Receive threat prevention updates, deployed by Carbon Black within seconds, that prevent the latest attack techniques based on their behavioral attributes
  • Rapidly deploy custom detections in the form of threat intelligence indicators that focus on the same behavioral attributes
  • Map alerts and detection techniques directly to MITRE ATT&CK
  • Search for binary prevalence, process masquerading, and binary signing issuers, and capture binaries forensically for later analysis
  • Integrate through a robust and highly extensible API. Some examples of third-party API integrations are:
    • YARA
    • Pre-packaged SIEM and SOAR integrations
    • Binary detonation and sandboxing uploads
    • Network security/service appliances (DNS, IDS, IPS, DHCP)
  • Monitor file integrity: Carbon Black Cloud can alert any time files, file paths, registry keys, or registry hives are modified
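The workflow described above (behavioral events recorded by the sensor, custom detections expressed as behavioral indicators, and each alert mapped to an ATT&CK technique) can be illustrated with a small matcher. The code below is an added example and is not Carbon Black Cloud code: the `Event` field names, the `kind` values, the rule predicates, and the sample events are all constructed assumptions for this illustration and do not reflect the product's real event schema or its threat intelligence feeds.

```python
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass
class Event:
    """One behavioral sensor event.

    The schema here is an assumption for this example, not the
    Carbon Black Cloud event schema.
    """
    kind: str            # process | filemod | regmod | netconn | modload | crossproc
    process: str         # image name of the acting process
    parent: str = ""     # image name of the parent process (process events only)
    target: str = ""     # file path, registry key, remote host, module, or target process


@dataclass
class Rule:
    """A custom detection: a behavioral predicate mapped to an ATT&CK technique id."""
    name: str
    technique: str
    match: Callable[[Event], bool]


# Constructed rules in the spirit of "custom detections focused on behavioral
# attributes". The ATT&CK ids are real technique ids; the rule logic is illustrative.
RULES = [
    Rule("office-app-spawns-powershell", "T1059.001",
         lambda e: e.kind == "process"
         and e.parent.lower() in {"winword.exe", "excel.exe", "outlook.exe"}
         and e.process.lower() == "powershell.exe"),
    Rule("run-key-persistence", "T1547.001",
         lambda e: e.kind == "regmod"
         and "\\currentversion\\run" in e.target.lower()),
    Rule("startup-folder-write", "T1547.001",
         lambda e: e.kind == "filemod"
         and "\\start menu\\programs\\startup\\" in e.target.lower()),
    Rule("cross-process-injection", "T1055",
         lambda e: e.kind == "crossproc"),
]


def evaluate(events: Iterable[Event], rules=RULES) -> list[dict]:
    """Run every rule over every event; return one alert dict per (event, rule) hit."""
    alerts = []
    for e in events:
        for r in rules:
            if r.match(e):
                alerts.append({"rule": r.name, "technique": r.technique,
                               "process": e.process, "target": e.target})
    return alerts


def techniques_seen(alerts: list[dict]) -> list[str]:
    """Distinct ATT&CK technique ids that fired, for coverage reporting."""
    return sorted({a["technique"] for a in alerts})


# Constructed sample event stream; the host, user and paths are invented.
SAMPLE_EVENTS = [
    Event("process", "powershell.exe", parent="winword.exe"),
    Event("process", "powershell.exe", parent="explorer.exe"),   # benign parent, no alert
    Event("regmod", "powershell.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("filemod", "notepad.exe", target=r"C:\Users\alice\Documents\notes.txt"),
    Event("crossproc", "powershell.exe", target="explorer.exe"),
    Event("netconn", "powershell.exe", target="198.51.100.7:443"),  # no rule covers netconn
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
    print("techniques:", techniques_seen(evaluate(SAMPLE_EVENTS)))
```

Three of the six sample events produce alerts (the Office-spawned PowerShell, the Run key write, and the cross-process event); the explorer-spawned PowerShell, the ordinary document write and the network connection do not. In a real deployment the equivalent of `RULES` is the tuned set of feed and custom indicators the Product Configuration section describes, and the technique id on each alert is what lets the blue team pivot from an alert straight to the ATT&CK matrix.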

Product Configuration

All VMware Carbon Black Cloud threat intelligence feeds were enabled and configured to alert during testing. CBTH email notifications were integrated with Slack for immediate coordination of incoming alerts across the blue team. (Note: Although we enabled alerting for all threat intelligence feeds, most customers do not do this. Instead, customers will take the detections from these feeds, tune them to their environments, and configure custom detections.)

The following threat intelligence feeds provided all of the alerting and detections during the evaluation:

  • Advanced Threats
  • Cb Community
  • Endpoint Visibility
  • AMSI Threat Intelligence
  • Cb Suspicious Indicators

Cb LiveOps was used to perform various host interrogation tasks when needed, through the built-in recommended queries that ship with the product.

Note: CB Defense prevention capabilities were disabled as part of the MITRE testing. Although prevention was turned off, the Carbon Black sensor's machine learning and heuristics engines were still enabled and set to alert only.