What caught my attention was a string ‘IsRunningCarbon’ that I came across when i was eyeballing some of the logs generated by my batch analysis script.<\/p>\n
It was placed among many other interesting strings f.ex.:<\/p>\n
- \n
- IsTestingBox<\/li>\n
- IsVirtualMachine<\/li>\n
- HasVirtualDrive<\/li>\n
- IsRunningOnVMWare<\/li>\n
- IsRunningOnHyperV<\/li>\n
- IsRunningOnVBox<\/li>\n
- IsRunningOnXEN<\/li>\n
- IsRunningVPN<\/li>\n
- IsRunningIPSECLP2<\/li>\n
- IsRunningOpenVPN<\/li>\n
- IsRunningPPTP<\/li>\n
- IsRunningTools<\/li>\n
- IsRunningFiddler<\/li>\n
- IsRunningFiddlerCert<\/li>\n
- IsRunningDeepFreeze<\/li>\n
- IsRunningPacketCapture<\/li>\n
- IsRunningAVs<\/li>\n
- IsRunningESET<\/li>\n
- IsRunningVipre<\/li>\n
- IsRunningCarbon<\/li>\n
- IsFlashInstalled<\/li>\n<\/ul>\n
so it looked like a part of a generic ‘sandbox\/monitor\/security product detection’ pack of routines.<\/p>\n
When loaded into ILSPY, the code of the function referenced by the name turned out to be a simple ‘directory present’ check (if the ‘CarbonBlack’ directory exists in a predetermined location), but the message the existence of this routine in the code sends to the EDR vendors is that they start to be recognized.<\/p>\n
![\"carbon\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2015\/11\/carbon.png\")
<\/a>Perhaps it’s not a big deal, but certainly notable. Maybe it is time to introduce randomization in the way EDR-specific directories are named? Or hide them completely (rootkit)?<\/p>\nOf course, the detection of EDR was always possible, but since now it is being actively done I bet it’s just a matter of time when we will see first evasions…<\/p>\n","protected":false},"excerpt":{"rendered":"
I have recently came across an non-intriguing intriguing sample belonging to a family of applications commonly known as a PUA\/PUP (Potentially Unwanted Application\/Program). The ‘intriguing’ part is that it is the first one I have ever came across that actively … Continue reading