Version
All versions of Cb Response.
Topic
How to recreate default watchlists provided with Cb Response if they have been deleted.
Steps
Default watchlists can be added back into Cb Response after deletion through the GUI by using the following steps for each watchlist listed below:
1) Navigate to Respond > Processes (or Respond > Binaries): use Processes for queries that begin with #search/ and Binaries for queries that begin with #binaries/.
2) Append the URL query for that watchlist (noted below) to the Cb Response URL in the browser address bar and load it, so the search runs with that watchlist's query.
3) Create a new watchlist by clicking the wrench icon (to the right of the search field) and selecting Add Watchlist.
The default watchlist definitions are stored on the Cb Response server in /usr/share/cb/setup/watchlists/. When naming the recreated watchlist, you can use the name found in the corresponding .conf file or choose your own.
Autoruns (autoruns.conf) -
#search/cb.urlver=1&q=(regmod%3Aregistry\machine\software\microsoft\windows\ nt\currentversion\winlogon\userinit or regmod%3Aregistry\machine\software\microsoft\windows\ nt\currentversion\winlogon\shell or regmod%3Asoftware\microsoft\windows\currentversion\explorer\browser\ helper\ objects\* or regmod%3Asoftware\microsoft\windows\currentversion\run\*)&sort=start desc&rows=10
USB drive usage (thumb_drive.conf) -
#search/cb.urlver=1&q=(regmod%3Aregistry\machine\system\currentcontrolset\control\deviceclasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\* or regmod%3Aregistry\machine\currentcontrolset\control\deviceclasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*)&sort=&rows=10
Newly Installed Applications (new_apps.conf) -
#search/cb.urlver=1&q=-path%3Ac%3A\windows\*&cb.q.regmod=registry\machine\software\microsoft\windows\currentversion\uninstall&sort=&rows=10
Netconns to .cn or .ru (ru_or_cn_netconn.conf) -
#search/cb.urlver=1&q=(domain%3A.cn or domain%3A.ru)&sort=&rows=10
Filemods to Webroot (webroot.conf) -
#search/cb.urlver=1&q=filemod%3Ainetpub\wwwroot\*&sort=&rows=10
Non-System Filemods to system32 (system32.conf) -
#search/cb.urlver=1&q=-path%3Ac%3A\windows\*&cb.q.filemod=c%3A\windows\system32\*&sort=&rows=10
Newly Loaded Modules (newly_loaded_modules.conf) -
#binaries/cb.urlver=1&q=is_executable_image%3Afalse&sort=server_added_timestamp desc&rows=10
Newly Executed Applications (newly_executed_applications.conf) -
#binaries/cb.urlver=1&q=is_executable_image%3Atrue&sort=server_added_timestamp desc&rows=10
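The following Python script is an added example, not code from this article or from Carbon Black. It takes a subset of the URL queries listed above, decodes each one into its search index (process search for #search/, binary search for #binaries/), query term, sort order, row limit and any cb.q.* facet filters, and builds either the address-bar URL for step 2 or a JSON body for creating the watchlist through the REST API instead of the GUI. The API field names (name, index_type, search_query on /api/v1/watchlist), the treatment of a query pasted without its #search/ prefix as a process search, and the server name are assumptions of the example.

```python
"""Decode and rebuild Cb Response watchlist URL queries (added example)."""
from urllib.parse import parse_qs

# Queries copied from the watchlist listing above (a subset of the eight defaults).
DEFAULT_WATCHLISTS = {
    "Autoruns": r"#search/cb.urlver=1&q=(regmod%3Aregistry\machine\software\microsoft\windows\ nt\currentversion\winlogon\userinit or regmod%3Aregistry\machine\software\microsoft\windows\ nt\currentversion\winlogon\shell or regmod%3Asoftware\microsoft\windows\currentversion\explorer\browser\ helper\ objects\* or regmod%3Asoftware\microsoft\windows\currentversion\run\*)&sort=start desc&rows=10",
    "Newly Installed Applications": r"#search/cb.urlver=1&q=-path%3Ac%3A\windows\*&cb.q.regmod=registry\machine\software\microsoft\windows\currentversion\uninstall&sort=&rows=10",
    "Filemods to Webroot": r"#search/cb.urlver=1&q=filemod%3Ainetpub\wwwroot\*&sort=&rows=10",
    "Newly Loaded Modules": r"#binaries/cb.urlver=1&q=is_executable_image%3Afalse&sort=server_added_timestamp desc&rows=10",
}

# The fragment prefix selects the search index: process search vs binary search.
PREFIX_TO_INDEX = {"#search/": "events", "#binaries/": "modules"}


def split_fragment(fragment):
    """Return (index_type, query_string) for a watchlist URL fragment.

    A bare query string with no '#search/' or '#binaries/' prefix (as happens
    when the prefix is dropped while copying) is assumed to be a process search.
    """
    for prefix, index_type in PREFIX_TO_INDEX.items():
        if fragment.startswith(prefix):
            return index_type, fragment[len(prefix):]
    if fragment.startswith("#"):
        raise ValueError("unknown fragment prefix: " + fragment.split("/", 1)[0])
    return "events", fragment


def parse_fragment(fragment):
    """Decode the fragment into its index type, query, sort, row limit and facets."""
    index_type, query_string = split_fragment(fragment)
    params = parse_qs(query_string, keep_blank_values=True)
    if params.get("cb.urlver") != ["1"]:
        raise ValueError("expected cb.urlver=1 in: " + query_string)
    if "q" not in params:
        raise ValueError("fragment has no q= search term")
    # Facet filters (cb.q.<field>=<value>) are the extra filters the UI adds
    # when a facet value is clicked; they narrow the q= search.
    facets = {k[len("cb.q."):]: v[0] for k, v in params.items() if k.startswith("cb.q.")}
    return {
        "index_type": index_type,
        "q": params["q"][0],                   # %3A decoded back to ':'
        "sort": params.get("sort", [""])[0],  # '' means the server default order
        "rows": int(params.get("rows", ["10"])[0]),
        "facets": facets,
    }


def build_watchlist_payload(name, fragment):
    """JSON body for creating the watchlist through the REST API instead of the GUI.

    Assumes the /api/v1/watchlist endpoint's fields name, index_type and
    search_query, with search_query holding the fragment minus its prefix.
    """
    parse_fragment(fragment)  # reject malformed fragments before building
    index_type, query_string = split_fragment(fragment)
    return {"name": name, "index_type": index_type, "search_query": query_string}


def gui_url(server_base, fragment):
    """URL to paste into the browser for step 2 (bare fragments get '#search/')."""
    index_type, query_string = split_fragment(fragment)
    prefix = "#search/" if index_type == "events" else "#binaries/"
    return server_base.rstrip("/") + "/" + prefix + query_string


if __name__ == "__main__":
    # Server name is a placeholder, not a real host.
    for name, fragment in DEFAULT_WATCHLISTS.items():
        info = parse_fragment(fragment)
        print(f"{name}: index={info['index_type']} q={info['q']!r} facets={info['facets']}")
        print("  ", gui_url("https://cbserver.example", fragment))
```

Running the script decodes each stored query so you can confirm the watchlist you recreate matches the shipped definition (index, q term, facet filter and sort) before saving it; the payload builder is useful when many watchlists have to be restored on several servers and clicking through the GUI for each is impractical.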
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.