The 2022 ATT&CK Evaluations for Managed Services Call for Participation is now open. Click here to learn how to participate.
Home  >  Enterprise  >  Participants  >  VMware Carbon Black  > Carbanak+FIN7 Configuration


VMware Carbon Black Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE Engenuity comments are included in italics.


Product Versions

VMware Carbon Black Cloud with NSX Advanced Threat Prevention
The following Carbon Black Cloud modules were leveraged for the test:

  • Next-gen AV
  • Behavioral EDR
  • Audit & Remediation
  • Enterprise EDR
VMware Carbon Black Cloud Windows Sensor version: 3.6.0.1857
VMware Carbon Black Cloud Linux Sensor version: 2.9.0.312585

Product Description

VMware Carbon Black Cloud™ is a cloud native endpoint, workload, and container protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay. VMware’s offering provides deep network data visibility and detection with NSX Advanced Threat Protection. The cloud native protection platform enables customers to utilise different modular capabilities to identify risk, prevent, detect and respond to known and unknown threats using a single lightweight agent and an easy-to-use console. Its universal, lightweight sensor serves as both a continuous event recorder and preventive action agent. For detection and response purposes, the VMware Carbon Black Cloud captures all process executions and associated metadata, file modifications, registry modifications, network connections, module loads, fileless script executions, and cross-process behaviors (i.e. Process injection). All this behavioral activity is captured and streamed live to your cloud instance for visualization, searching, alerting, and blocking. This allows for both real-time and historical threat hunting across your environment. The VMware Carbon Black Cloud also keeps track of every application executed in your environment and its metadata, including a copy of that binary for forensics purposes.

These features enable customers, MSSP, and IR partners to:

  • Receive threat prevention updates deployed by Carbon Black to prevent the latest attack techniques focused on behavioral attributes in seconds
  • Rapidly deploy custom detections in the form of threat intelligence indicators focusing on the same behavioral attributes
  • Map alerts and detection techniques directly to MITRE ATT&CK
  • Search for binary prevalence, process masquerading, binary signing issuers, and forensic capture for post analysis
  • Robust and highly extensible API. Some examples of 3rd party API integrations are:
  • YARA
  • Out of the box SIEM and SOAR API integrations
  • Binary Detonation and Sandboxing Uploads
  • Network security/service appliances (DNS, IDS, IPS, DHCP)
  • File integrity monitoring – VMware Carbon Black Cloud can alert any time files, file paths, registry keys, and registry hives are modified

Product Configuration

Next-gen AV, Behavioral EDR, and NSX Advanced Threat Prevention detection capabilities are all configured as “out of the box”

The following Watchlist Feeds were enabled for Enterprise EDR:

  • MITRE ATT&CK
  • Advanced Threats
  • Carbon Black Community
  • Endpoint Visibility
  • AMSI Threat Intelligence
  • Carbon Black Suspicious Indicators

Carbon Black Cloud Audit & Remediation was used to perform various host interrogation tasks when needed, through the built-in recommended queries that ship with the product.

Note: Carbon Black Next-gen AV prevention capabilities were disabled as part of the MITRE testing. Although prevention was turned off, the Carbon Black sensor machine learning and heuristics engines was still enabled and set to alert only.