5V0-93.22 exam question shared by ExamDiscuss.com
A script-based attack has been identified that inflicted damage to the corporate systems. The security administrator found out that the malware was coded into Excel VBA and would like to perform a search to further inspect the incident. Where in the VMware Carbon Black Cloud Endpoint Standard console can this action be completed?
Correct Answer: C
Explanation

The Investigate page in the VMware Carbon Black Cloud Endpoint Standard console is where the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA. The Investigate page allows the administrator to use advanced search techniques to query the endpoint data collected by the VMware Carbon Black Cloud sensors. The administrator can use various fields and operators to filter and refine the search results, such as process_name, file_name, file_path, file_type, file_description, and more. The administrator can also use the process tree view to visualize the process execution and the event details to examine the process activity.

For example, the administrator can use the following search query to find all the processes that have a file type of Excel VBA:

    file_type:EXCEL_VBA

EXCEL_VBA is a file type that indicates the file contains Excel VBA code. The file_type field is a string that indicates the type of the file based on its content and format.

The possible values for this field are:

EXE: Executable file
DLL: Dynamic-link library file
SYS: System file
BAT: Batch file
CMD: Command file
VBS: Visual Basic Script file
JS: JavaScript file
PS1: PowerShell Script file
HTA: HTML Application file
MSI: Windows Installer file
DOC: Microsoft Word document file
XLS: Microsoft Excel spreadsheet file
PPT: Microsoft PowerPoint presentation file
PDF: Portable Document Format file
SWF: Shockwave Flash file
JAR: Java Archive file
CLASS: Java class file
PY: Python script file
SH: Shell script file
PL: Perl script file
RB: Ruby script file
PHP: PHP script file
ASP: Active Server Pages file
ASPX: Active Server Pages Extended file
HTML: HyperText Markup Language file
XML: Extensible Markup Language file
DOCM: Microsoft Word document with macros file
XLAM: Microsoft Excel add-in with macros file
XLSM: Microsoft Excel spreadsheet with macros file
XLTM: Microsoft Excel template with macros file
PPTM: Microsoft PowerPoint presentation with macros file
POTM: Microsoft PowerPoint template with macros file
PPAM: Microsoft PowerPoint add-in with macros file
EXCEL_VBA: Excel Visual Basic for Applications file
WORD_VBA: Word Visual Basic for Applications file
POWERPOINT_VBA: PowerPoint Visual Basic for Applications file
OUTLOOK_VBA: Outlook Visual Basic for Applications file
ACCESS_VBA: Access Visual Basic for Applications file
PROJECT_VBA: Project Visual Basic for Applications file
VISIO_VBA: Visio Visual Basic for Applications file
PUBLISHER_VBA: Publisher Visual Basic for Applications file
INFOPATH_VBA: InfoPath Visual Basic for Applications file
ONENOTE_VBA: OneNote Visual Basic for Applications file
UNKNOWN: Unknown file type

Therefore, by using the Investigate page in the VMware Carbon Black Cloud Endpoint Standard console, the security administrator can perform a search to further inspect the script-based attack that was coded into Excel VBA.

References:
Investigate Endpoint Data - VMware Docs, Overview section.
Advanced Search Techniques - VMware Docs, Using Fields section, file_type subsection.