How to recreate default watchlists provided with Cb Response if they have been deleted

Version

All versions of Cb Response.


Topic
How to recreate default watchlists provided with Cb Response if they have been deleted.

Steps

Default watchlists can be added back into Cb Response after deletion through the GUI by using the following steps for each watchlist below:

1) Navigate to Respond > Processes (or Binaries).

2) Add the URL query (noted below) to the URL bar.

3) Create a new watchlist by clicking the wrench (to the right of the search field) and selecting Add Watchlist.

The default watchlists are stored in /usr/share/cb/setup/watchlists/. You can use the name found in the .conf file or something original.

Default Process Watchlists:

Autoruns (autoruns.conf) -

#search/cb.urlver=1&q=(regmod%3Aregistry\machine\software\microsoft\windows\ nt\currentversion\winlogon\userinit or regmod%3Aregistry\machine\software\microsoft\windows\ nt\currentversion\winlogon\shell or regmod%3Asoftware\microsoft\windows\currentversion\explorer\browser\ helper\ objects\* or regmod%3Asoftware\microsoft\windows\currentversion\run\*)&sort=start desc&rows=10

USB drive usage (thumb_drive.conf ) -

#search/cb.urlver=1&q=(regmod%3Aregistry\machine\system\currentcontrolset\control\deviceclasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\* or regmod%3Aregistry\machine\currentcontrolset\control\deviceclasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*)&sort=&rows=10

Newly Installed Applications (new_apps.conf) -

#search/cb.urlver=1&q=-path%3Ac%3A\windows\*&cb.q.regmod=registry\machine\software\microsoft\windows\currentversion\uninstall&sort=&rows=10

Netconns to .cn or .ru (ru_or_cn_netconn.conf) -

#search/cb.urlver=1&q=(domain%3A.cn or domain%3A.ru)&sort=&rows=10

Filemods to Webroot (webroot.conf) -

#search/cb.urlver=1&q=filemod%3Ainetpub\wwwroot\*&sort=&rows=10

Non-System Filemods to system32 (system32.conf) -

#search/cb.urlver=1&q=-path%3Ac%3A\windows\*&cb.q.filemod=c%3A\windows\system32\*&sort=&rows=10

Default Binary Watchlists:

Newly Loaded Modules (newly_loaded_modules.conf) -

#binaries/cb.urlver=1&q=is_executable_image%3Afalse&sort=server_added_timestamp desc&rows=10

Newly Executed Applications (newly_executed_applications.conf) -

#binaries/cb.urlver=1&q=is_executable_image%3Atrue&sort=server_added_timestamp desc&rows=10
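
As an added example, not part of this article or of the Cb Response product, the Python below decodes fragments in the form listed above into their parts: which index the watchlist runs against (#search/ for processes, #binaries/ for binaries), the percent-decoded q= query, any extra cb.q.<field> filter, and the sort and row settings. Reading the decoded query is a quick way to confirm what a recreated watchlist will match. The sample fragments are copied from the list above; the to_watchlist_payload helper and its field names (name, index_type, search_query) are an assumption about the watchlist REST API that you should confirm against your server's API documentation.

```python
from urllib.parse import parse_qs

# Constructed sample input: three of the URL fragments listed in this article,
# verbatim, keyed by watchlist name. Raw strings keep the backslashes literal.
WATCHLIST_FRAGMENTS = {
    "Autoruns": r"#search/cb.urlver=1&q=(regmod%3Aregistry\machine\software\microsoft\windows\ nt\currentversion\winlogon\userinit or regmod%3Aregistry\machine\software\microsoft\windows\ nt\currentversion\winlogon\shell or regmod%3Asoftware\microsoft\windows\currentversion\explorer\browser\ helper\ objects\* or regmod%3Asoftware\microsoft\windows\currentversion\run\*)&sort=start desc&rows=10",
    "Newly Installed Applications": r"#search/cb.urlver=1&q=-path%3Ac%3A\windows\*&cb.q.regmod=registry\machine\software\microsoft\windows\currentversion\uninstall&sort=&rows=10",
    "Newly Loaded Modules": r"#binaries/cb.urlver=1&q=is_executable_image%3Afalse&sort=server_added_timestamp desc&rows=10",
}

# Page prefix in the fragment -> the index the watchlist runs against.
INDEX_FOR_PREFIX = {"search": "events", "binaries": "modules"}


def parse_watchlist_fragment(fragment: str) -> dict:
    """Decode one '#search/...' or '#binaries/...' fragment into its parts.

    Returns the index type, the main query (q=), any extra cb.q.<field>
    filters, the sort order, the row count and the raw query string.
    """
    if not fragment.startswith("#"):
        raise ValueError("expected a URL fragment beginning with '#'")
    prefix, _, query_string = fragment[1:].partition("/")
    try:
        index_type = INDEX_FOR_PREFIX[prefix]
    except KeyError:
        raise ValueError(f"unknown page prefix {prefix!r}") from None

    # parse_qs percent-decodes values (%3A -> ':') and leaves the backslash
    # escapes that the console uses for spaces and path separators untouched.
    params = parse_qs(query_string, keep_blank_values=True)
    filters = {key[len("cb.q."):]: values[0]
               for key, values in params.items() if key.startswith("cb.q.")}
    return {
        "index_type": index_type,
        "query": params.get("q", [""])[0],
        "filters": filters,
        "sort": params.get("sort", [""])[0],
        "rows": int(params.get("rows", ["10"])[0]),
        "query_string": query_string,
    }


def describe(name: str, fragment: str) -> str:
    """One-line, human-readable summary of what a watchlist searches for."""
    parsed = parse_watchlist_fragment(fragment)
    extra = "; ".join(f"{field}:{value}" for field, value in parsed["filters"].items())
    order = parsed["sort"] or "(default)"
    return (f"{name} [{parsed['index_type']}] q={parsed['query']}"
            + (f" filtered by {extra}" if extra else "") + f"; sort={order}")


def to_watchlist_payload(name: str, fragment: str) -> dict:
    """Build a JSON body for creating the watchlist through the REST API.

    ASSUMPTION: the field names (name, index_type, search_query) and the use
    of the raw query string as search_query are my reading of the Cb Response
    watchlist API; confirm against your server's API documentation first.
    """
    parsed = parse_watchlist_fragment(fragment)
    return {"name": name,
            "index_type": parsed["index_type"],
            "search_query": parsed["query_string"]}


if __name__ == "__main__":
    for wl_name, wl_fragment in WATCHLIST_FRAGMENTS.items():
        print(describe(wl_name, wl_fragment))
```

Running the script prints one summary line per watchlist. Note that rows= and sort= only shape how the console displays results; the matching criteria are the q= query and any cb.q.* filter, so those are the parts to check against the .conf file when you recreate a watchlist.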

Article Information
Creation Date: 06-03-2016