Domain-Based IOC Detection for Carbon Black in Uncoder AI

June 04, 2025 · 2 min read

How It Works

1. IOC Extraction

Uncoder AI scans the threat report (left panel) and identifies malicious network infrastructure associated with:

  • HATVIBE and CHERRYSYSPY loaders

  • Suspicious communication and command-and-control domains like:
    • trust-certificate.net
    • namecheap.com
    • enrollmenttdm.com
    • n247.com
    • mtw.ru


These domains are associated with:

  • Fake certificate lures
  • Python-based loaders
  • Malicious HTA stagers
  • Credential theft via phishing or post-exploitation scripts

2. Carbon Black Query Generation

On the right, Uncoder AI generates a Carbon Black threat hunting query using the netconn_domain field:

(netconn_domain:trust-certificate.net OR
 netconn_domain:namecheap.com OR
 netconn_domain:enrollmenttdm.com OR
 netconn_domain:n247.com OR
 netconn_domain:mtw.ru)

This logic searches for outbound connections from any process to the listed domains — allowing defenders to trace C2 activity or staged malware delivery.
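The two steps above (pull the domains out of a report, then emit a netconn_domain query) can be reproduced in a few lines; the following is an added example, not Uncoder AI's or SOC Prime's code. It assumes a constructed report excerpt whose domains are defanged with "[.]", as many published reports do, and an optional exclude set so an analyst can drop domains that are shared legitimate infrastructure and would only add noise to the hunt.

```python
import re

# Constructed threat-report excerpt (not the report shown in the Uncoder AI
# screenshot); domains are defanged with "[.]" and one is mentioned twice.
REPORT = """HATVIBE stager fetched from trust-certificate[.]net (registered
via namecheap[.]com). CHERRYSYSPY beacons to enrollmenttdm[.]com and
n247[.]com; fallback C2 at mtw[.]ru. Note the IP 203.0.113.5 and the
trust-certificate[.]net lure served again later in the chain."""

# Matches plain or "[.]"-defanged hostnames ending in an alphabetic TLD, so
# bare IPv4 addresses like 203.0.113.5 are not picked up as domains.
_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+(?:\.|\[\.\]))+[a-z]{2,})\b", re.I)


def extract_domains(text: str) -> list[str]:
    """Return unique, lower-cased, refanged domains in order of first appearance."""
    seen: list[str] = []
    for m in _DOMAIN_RE.finditer(text):
        domain = m.group(1).replace("[.]", ".").lower()
        if domain not in seen:
            seen.append(domain)
    return seen


def build_cb_query(domains, exclude=frozenset()) -> str:
    """Build a Carbon Black hunting query OR-ing netconn_domain terms.

    `exclude` (assumed helper, not an Uncoder AI feature) lets the analyst
    drop domains that are legitimate shared infrastructure before hunting.
    """
    terms = [f"netconn_domain:{d}" for d in domains if d not in exclude]
    if not terms:
        raise ValueError("no domains left to hunt for")
    return "(" + " OR ".join(terms) + ")"


if __name__ == "__main__":
    # Reproduces the query shape shown above from the constructed excerpt.
    print(build_cb_query(extract_domains(REPORT)))
```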

Why It’s Effective

  • Field-specific formatting: Automatically uses netconn_domain — the correct field for Carbon Black network telemetry.
  • Scalable IOC inclusion: Easily supports multiple domain entries in a single line for batch-hunting.
  • Immediate usability: Output is plug-and-play for Carbon Black consoles, with no syntax editing needed.

Operational Value

Security teams using VMware Carbon Black can leverage this feature to:

  • Proactively hunt for infections tied to the HATVIBE and CHERRYSYSPY malware families
  • Detect suspicious domain beacons linked to post-compromise activity
  • Accelerate incident response by pivoting directly from threat intel to platform-native detection queries
