Domain-Based IOC Detection for Carbon Black in Uncoder AI

How It Works

1. IOC Extraction

Uncoder AI scans the threat report (left panel) and identifies malicious network infrastructure associated with:

• HATVIBE and CHERRYSYSPY loaders
  
  
• Suspicious communication and command-and-control domains like:
  
  • trust-certificate.net
    
  • namecheap.com
    
  • enrollmenttdm.com
    
  • n247.com
    
  • mtw.ru

Explore Uncoder AI

These domains are associated with:

• Fake certificate lures
  
• Python-based loaders
  
• Malicious HTA stagers
  
• Credential theft via phishing or post-exploitation scripts
  
  

2. Carbon Black Query Generation

On the right, Uncoder AI generates a Carbon Black threat hunting query using the netconn_domain field:

(netconn_domain:trust-certificate.net OR 

 netconn_domain:namecheap.com OR 

 netconn_domain:enrollmenttdm.com OR 

 netconn_domain:n247.com OR 

 netconn_domain:mtw.ru)

This logic searches for outbound connections from any process to the listed domains — allowing defenders to trace C2 activity or staged malware delivery.

Why It’s Effective

• Field-specific formatting: Automatically uses netconn_domain — the correct field for Carbon Black network telemetry.
  
• Scalable IOC inclusion: Easily supports multiple domain entries in a single line for batch-hunting.
  
• Immediate usability: Output is plug-and-play for Carbon Black consoles, with no syntax editing needed.

Operational Value

Security teams using VMware Carbon Black can leverage this feature to:

• Proactively hunt for infections tied to the HATVIBE and CHERRYSYSPY malware families
  
• Detect suspicious domain beacons linked to post-compromise activity
  
• Accelerate incident response by pivoting directly from threat intel to platform-native detection queries

Explore Uncoder AI