Carbon Black Cloud: What does it mean when an application has a hash of 010101...01?

Environment

  • Carbon Black Cloud Console: All Versions
    • Audit and Remediation (was CB LiveOps)
    • Endpoint Standard (was CB Defense)
    • Enterprise EDR (was CB ThreatHunter)
    • Managed Detection (was CB ThreatSight)
  • Apple macOS: All Supported Versions

Question

What does it mean when the hash for an application shows as a long chain of zeroes and ones (010101...01), or when this message is seen for a process shown as UNKNOWN?
Origin: The file with hash 0101010101010101010101010101010101010101010101010101010101010101 was detected by Carbon Black.

Answer

The 0101010101010101010101010101010101010101010101010101010101010101 'synthetic' hash is expected in the following cases:
  • The process is spawned by a process that is part of a 'Performs any operation > Bypass' Permissions rule.
    Example:
    A invokes B, B exhibits behavior.
    When A is "bypass any operation", the behavior of B is reported with the 010101...01 hash.
  • Such child processes exhibit network or API behavior; the event actor process is then reported with the 'synthetic' hash.
    Example:
    A belongs to a 'Performs any operation > Bypass' rule.
    A invokes B, B makes a network connection or API call.
    A will be reported with the 010101...01 hash.
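The following triage helper is an added example and is not part of the KB article or of any Carbon Black Cloud code. It shows how an analyst might separate events carrying the synthetic 0101...01 hash from events with a real file hash, and attribute the synthetic ones to a known bypass-rule parent so they are not mistaken for an unidentified binary. The event dictionary layout, the field names and the set of bypass-rule process names are assumptions made for this example; the sample events are constructed.

```python
"""Triage of Carbon Black Cloud events with the 'synthetic' 0101...01 hash.

Added example, not part of the KB article. Assumptions (not from the article):
- events are dicts with keys 'process_name', 'process_hash', 'parent_name',
  'parent_hash' and 'event_type';
- the caller supplies the names of processes covered by a
  'Performs any operation > Bypass' Permissions rule.
"""

# The synthetic hash is 64 hex characters (the length of a SHA-256 digest),
# alternating 0 and 1, exactly as quoted in the article.
SYNTHETIC_HASH = "01" * 32

# Categories returned by classify_event()
REAL_HASH = "real_hash"                       # a normal file hash, safe to look up
SYNTHETIC_BYPASS_PARENT = "synthetic_bypass_parent"   # expected per the KB
SYNTHETIC_BYPASS_ACTOR = "synthetic_bypass_actor"     # expected per the KB
SYNTHETIC_UNEXPLAINED = "synthetic_unexplained"       # no bypass rule known: review


def is_synthetic_hash(value):
    """True when the hash is the 0101...01 placeholder rather than a file digest."""
    return isinstance(value, str) and value.lower() == SYNTHETIC_HASH


def classify_event(event, bypass_processes):
    """Return (category, note) for one event.

    bypass_processes: set of process names assumed to be covered by a
    'Performs any operation > Bypass' rule (assumption for this example).
    """
    hash_ = event.get("process_hash", "")
    name = event.get("process_name", "")
    parent = event.get("parent_name", "")

    if not is_synthetic_hash(hash_):
        return REAL_HASH, f"{name}: real hash {hash_[:12]}..., normal triage"

    # Case 1 from the article: child of a bypass-rule process, behavior of
    # the child is reported under the synthetic hash.
    if parent in bypass_processes:
        return (SYNTHETIC_BYPASS_PARENT,
                f"{name}: spawned by bypass-rule process {parent}; "
                "synthetic hash is expected, do not look it up as a file")

    # Case 2 from the article: the bypass-rule process itself is the actor of
    # a network or API event and is reported under the synthetic hash.
    if name in bypass_processes and event.get("event_type") in ("network", "api"):
        return (SYNTHETIC_BYPASS_ACTOR,
                f"{name}: bypass-rule actor with {event['event_type']} event; "
                "synthetic hash is expected")

    return (SYNTHETIC_UNEXPLAINED,
            f"{name}: synthetic hash but no matching bypass rule known; "
            "check the Permissions rules before treating it as UNKNOWN")


def triage(events, bypass_processes):
    """Classify a batch of events; returns a list of (category, note)."""
    return [classify_event(e, bypass_processes) for e in events]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"process_name": "helper", "process_hash": SYNTHETIC_HASH,
     "parent_name": "backup_agent", "parent_hash": "ab" * 32, "event_type": "filemod"},
    {"process_name": "backup_agent", "process_hash": SYNTHETIC_HASH,
     "parent_name": "launchd", "parent_hash": "cd" * 32, "event_type": "network"},
    {"process_name": "editor", "process_hash": "ef" * 32,
     "parent_name": "Finder", "parent_hash": "12" * 32, "event_type": "filemod"},
    {"process_name": "mystery", "process_hash": SYNTHETIC_HASH,
     "parent_name": "Finder", "parent_hash": "12" * 32, "event_type": "filemod"},
]
SAMPLE_BYPASS = {"backup_agent"}  # assumed bypass-rule process for the example

if __name__ == "__main__":
    for category, note in triage(SAMPLE_EVENTS, SAMPLE_BYPASS):
        print(f"{category:26} {note}")
```

The useful outcome of this split is the last category: a synthetic hash with no bypass-rule parent in the known set is the case worth reviewing against the console's Permissions rules, while the first two are the documented, expected behavior. In all synthetic cases the hash identifies no file, so it should not be submitted to reputation or threat-intelligence lookups.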

Article Information
Creation Date: 07-16-2020