The purpose of this post is to provide Cb customers with product status updates involving the Process Doppelganger technique across Cb Defense, Cb Protection and Cb Response.
The SRC (Security Response Center) team at Carbon Black has been working closely with the Product Management, Engineering and Cb Threat Analysis Unit (TAU) teams to understand the scope, impact and remediation steps across the Cb product suite. Please see the relevant product sections below for more information.
For information on Process Doppelganging, see TAU-TIN.
The Cb Defense Product Management and Engineering teams have identified the necessary product code changes that, once implemented, will allow Cb Defense to identify the doppelganger technique. The resources to make these code changes are being identified and scheduled into different planning increments based on ongoing development needs. Once the updates have been implemented and tested, they will be released.
We are working on an agent-level change to identify NTFS transactions, and a server-level change to include a Rapid Config to report or block transacted MMap Reads, Executions or Script Executions.
These fixes will be included in Cb Protection 8.0 P7. Customers will have to upgrade both their Cb Protection servers and agents to detect and/or prevent this technique. The Cb Protection 8.0 P7 GA date is currently TBD.
The Cb Response Product Management and Engineering teams have identified the necessary product code changes that, once implemented, will allow Cb Response to identify the doppelganger technique. We are prioritizing this work against ongoing development needs and will be scheduling these code changes into upcoming planning increments. Once the updates have been implemented and tested, they will be released.
We will update this post as new information becomes available and encourage you to follow it. To receive the most recent information via email notification, please check ‘Inbox’ for this post as indicated in the following example screenshot: