def SAMLoadWidgets():
global _widgets
if 0 == len( _widgets ):
_widgets.update( Actor.importLib( 'GenericWidgets', '*' ) )
_widgets.update( Actor.importLib( 'ProcessWidgets', '*' ) )
_widgets.update( Actor.importLib( 'TimeWidgets', '*' ) )
return _widgets
def reload( self ):
class _unnamedSymbolGroup( object ):
pass
tmpTags = json.loads( Actor.readRelativeFile( 'rp_hcp_tags.json' ) )
for group in tmpTags[ 'groups' ]:
gName = group[ 'groupName' ]
for definition in group[ 'definitions' ]:
tName = str( definition[ 'name' ] )
tValue = str( definition[ 'value' ] )
fullName = '%s.%s' % ( gName, tName )
self.lookups[ tValue ] = fullName
self.lookups[ fullName ] = tValue
if not hasattr( self, gName ):
setattr( self, gName, _unnamedSymbolGroup() )
setattr( getattr( self, gName ), tName, tValue )
def reload(self):
class _unnamedSymbolGroup(object):
pass
tmpTags = json.loads(Actor.readRelativeFile('rp_hcp_tags.json'))
for group in tmpTags['groups']:
gName = group['groupName']
for definition in group['definitions']:
tName = str(definition['name'])
tValue = str(definition['value'])
fullName = '%s.%s' % (gName, tName)
self.lookups[tValue] = fullName
self.lookups[fullName] = tValue
if not hasattr(self, gName):
setattr(self, gName, _unnamedSymbolGroup())
setattr(getattr(self, gName), tName, tValue)
def reload(self):
class _unnamedSymbolGroup(object):
pass
try:
tmpTags = Actor.readRelativeFile('rp_hcp_tags.json')
except:
tmpTags = open(
os.path.join(os.path.abspath(os.path.dirname(__file__)),
'rp_hcp_tags.json'), 'r').read()
tmpTags = json.loads(tmpTags)
for group in tmpTags['groups']:
gName = group['groupName']
for definition in group['definitions']:
tName = str(definition['name'])
tValue = str(definition['value'])
fullName = '%s.%s' % (gName, tName)
self.lookups[tValue] = fullName
self.lookups[fullName] = tValue
if not hasattr(self, gName):
setattr(self, gName, _unnamedSymbolGroup())
setattr(getattr(self, gName), tName, tValue)
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import traceback
import hashlib
import time
import uuid
import base64
import random
import string
import struct
import hmac
CassDb = Actor.importLib('utils/hcp_databases', 'CassDb')
CassPool = Actor.importLib('utils/hcp_databases', 'CassPool')
class IdentManager(Actor):
def init(self, parameters, resources):
self._db = CassDb(parameters['db'],
'hcp_analytics',
consistencyOne=True)
self.db = CassPool(self._db,
rate_limit_per_sec=parameters['rate_limit_per_sec'],
maxConcurrent=parameters['max_concurrent'],
blockOnQueueSize=parameters['block_on_queue_size'])
self.db.start()
# Copyright 2015 refractionPOINT
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
ProcessBurst = Actor.importLib( 'analytics/StateAnalysis/descriptors', 'ProcessBurst' )
class NixReconTools ( object ):
def __init__( self, fromActor ):
pass
def getDescriptor( self ):
reconBurst = ProcessBurst( procRegExp = r'.*/((ifconfig)|(arp)|(route)|(ping)|(traceroute)|(nslookup)|(netstat)|(wget)|(curl))',
nPerBurst = 3,
withinMilliSeconds = 5 * 1000,
isForWindows = False )
return reconBurst
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import msgpack
import base64
import random
import json
import time_uuid
CassDb = Actor.importLib( '../utils/hcp_databases', 'CassDb' )
CassPool = Actor.importLib( '../utils/hcp_databases', 'CassPool' )
CreateOnAccess = Actor.importLib( '../utils/hcp_helpers', 'CreateOnAccess' )
class AnalyticsReporting( Actor ):
def init( self, parameters, resources ):
self.ttl = parameters.get( 'ttl', ( 60 * 60 * 24 * 365 ) )
self._db = CassDb( parameters[ 'db' ], 'hcp_analytics', consistencyOne = True )
self.db = CassPool( self._db,
rate_limit_per_sec = parameters[ 'rate_limit_per_sec' ],
maxConcurrent = parameters[ 'max_concurrent' ],
blockOnQueueSize = parameters[ 'block_on_queue_size' ] )
self.report_stmt_rep = self.db.prepare( 'INSERT INTO detects ( did, gen, source, dtype, events, detect, why ) VALUES ( ?, dateOf( now() ), ?, ?, ?, ?, ? ) USING TTL %d' % self.ttl )
self.report_stmt_rep.consistency_level = CassDb.CL_Ingest
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import time
from sets import Set
import uuid
import json
import tld
import tld.utils
BEAdmin = Actor.importLib('../admin_lib', 'BEAdmin')
EventInterpreter = Actor.importLib('../utils/EventInterpreter',
'EventInterpreter')
Host = Actor.importLib('../utils/ObjectsDb', 'Host')
HostObjects = Actor.importLib('../utils/ObjectsDb', 'HostObjects')
FluxEvent = Actor.importLib('../utils/ObjectsDb', 'FluxEvent')
ObjectTypes = Actor.importLib('../utils/ObjectsDb', 'ObjectTypes')
Atoms = Actor.importLib('../utils/ObjectsDb', 'Atoms')
ObjectKey = Actor.importLib('../utils/ObjectsDb', 'ObjectKey')
RelationNameFromId = Actor.importLib('../utils/ObjectsDb',
'RelationNameFromId')
ObjectNormalForm = Actor.importLib('../utils/ObjectsDb', 'ObjectNormalForm')
KeyValueStore = Actor.importLib('../utils/ObjectsDb', 'KeyValueStore')
AgentId = Actor.importLib('../utils/hcp_helpers', 'AgentId')
_xm_ = Actor.importLib('../utils/hcp_helpers', '_xm_')
_x_ = Actor.importLib('../utils/hcp_helpers', '_x_')
"requirements" : "",
"feeds" : [ "notification.EXEC_OOB" ],
"platform" : "windows",
"author" : "*****@*****.**",
"version" : "1.0",
"scaling_factor" : 1000,
"n_concurrent" : 5,
"usage" : {}
}
LC_DETECTION_MTD_END
'''
###############################################################################
from beach.actor import Actor
import re
ObjectTypes = Actor.importLib( 'utils/ObjectsDb', 'ObjectTypes' )
StatelessActor = Actor.importLib( 'Detects', 'StatelessActor' )
_x_ = Actor.importLib( 'utils/hcp_helpers', '_x_' )
class OobExec ( StatelessActor ):
def init( self, parameters, resources ):
super( OobExec, self ).init( parameters, resources )
self.dotNet = re.compile( r'.*\\Microsoft.NET\\.*' )
def process( self, detects, msg ):
routing, event, mtd = msg.data
# We can get false positives on executables running .net because of JIT
if not self.dotNet.match( _x_( event, 'notification.EXEC_OOB/base.FILE_PATH' ) ):
detects.add( 90, 'execution outside of known modules detected in memory', event )
"requirements" : "",
"feeds" : [],
"platform" : "windows",
"author" : "*****@*****.**",
"version" : "1.0",
"scaling_factor" : 500,
"n_concurrent" : 5,
"usage" : {}
}
LC_DETECTION_MTD_END
'''
###############################################################################
from beach.actor import Actor
import re
ProcessDescendant = Actor.importLib( 'analytics/StateAnalysis/descriptors', 'ProcessDescendant' )
StatefulActor = Actor.importLib( 'Detects', 'StatefulActor' )
class WinScriptedPayload ( StatefulActor ):
def initMachines( self, parameters ):
self.shardingKey = 'agentid'
scriptEngines = re.compile( r'.*(/|\\)(((w|c)script))\.exe', re.IGNORECASE )
sensitiveApps = re.compile( r'.*(/|\\)((((rundll32)|(explorer)|(iexplore)|(svchost)|(icacls)|(bcdedit)|(wbadmin)|(attrib)|(calc)|(notepad))\.exe)|((?<!\.exe)$))', re.IGNORECASE )
suspiciousDocs = re.compile( r'.*\.(exe|bat|vbs|js|hta|scr)', re.IGNORECASE )
scriptedPayload = ProcessDescendant( name = 'windows_scripted_payload',
priority = 90,
summary = 'A script engine has executed what looks like a suspicious payload',
parentRegExp = scriptEngines,
isDirectOnly = False,
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
from sets import Set
import hashlib
import base64
import uuid
import msgpack
import sys
import time
import re
import time_uuid
AgentId = Actor.importLib( './hcp_helpers', 'AgentId' )
_ = Actor.importLib( 'Symbols', 'Symbols' )()
HbsCollectorId = Actor.importLib( './hcp_helpers', 'HbsCollectorId' )
rSequence = Actor.importLib( './rpcm', 'rSequence' )
rList = Actor.importLib( './rpcm', 'rList' )
rpcm = Actor.importLib( './rpcm', 'rpcm' )
class _collector( object ):
def __init__( self ):
self._isEnabled = True
if hasattr( self, 'init' ):
self.init()
def enable( self ):
self._isEnabled = True
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import traceback
import hashlib
import time
import ipaddress
rpcm = Actor.importLib( 'utils/rpcm', 'rpcm' )
rList = Actor.importLib( 'utils/rpcm', 'rList' )
rSequence = Actor.importLib( 'utils/rpcm', 'rSequence' )
AgentId = Actor.importLib( 'utils/hcp_helpers', 'AgentId' )
RingCache = Actor.importLib( 'utils/hcp_helpers', 'RingCache' )
HcpModuleId = Actor.importLib( 'utils/hcp_helpers', 'HcpModuleId' )
Symbols = Actor.importLib( 'Symbols', 'Symbols' )()
class TaskingProxy( Actor ):
def init( self, parameters, resources ):
self.cachedEndpoints = RingCache( maxEntries = 1000 )
self.sensorDir = self.getActorHandle( resources[ 'sensor_dir' ] )
self.handle( 'task', self.task )
def deinit( self ):
pass
# Copyright 2015 refractionPOINT
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
StateMachineDescriptor = Actor.importLib( './', 'StateMachineDescriptor' )
State = Actor.importLib( './', 'State' )
StateTransition = Actor.importLib( './', 'StateTransition' )
NewProcessNamed = Actor.importLib( './transitions', 'NewProcessNamed' )
HistoryOlderThan = Actor.importLib( './transitions', 'HistoryOlderThan' )
RunningPidReset = Actor.importLib( './transitions', 'RunningPidReset' )
AlwaysReturn = Actor.importLib( './transitions', 'AlwaysReturn' )
EventOfType = Actor.importLib( './transitions', 'EventOfType' )
ParentProcessInHistory = Actor.importLib( './transitions', 'ParentProcessInHistory' )
NotParentProcessInHistory = Actor.importLib( './transitions', 'NotParentProcessInHistory' )
def ProcessBurst( name, procRegExp, nPerBurst, withinSeconds ):
states = []
for i in xrange( 0, nPerBurst ):
states.append( State( StateTransition( isRecordOnMatch = True,
isReportOnMatch = False if i < nPerBurst - 1 else True,
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
from sets import Set
import hashlib
import base64
import uuid
import msgpack
import sys
import time
import re
import time_uuid
AgentId = Actor.importLib( './hcp_helpers', 'AgentId' )
chunks = Actor.importLib( './hcp_helpers', 'chunks' )
tsToTime = Actor.importLib( './hcp_helpers', 'tsToTime' )
timeToTs = Actor.importLib( './hcp_helpers', 'timeToTs' )
normalAtom = Actor.importLib( './hcp_helpers', 'normalAtom' )
CassDb = Actor.importLib( './hcp_databases', 'CassDb' )
CassPool = Actor.importLib( './hcp_databases', 'CassPool' )
def ObjectNormalForm( objName, objType, isCaseSensitive = False ):
caseSensitiveTypes = ( ObjectTypes.AUTORUNS,
ObjectTypes.CMD_LINE,
ObjectTypes.FILE_NAME,
ObjectTypes.FILE_PATH,
ObjectTypes.HANDLE_NAME,
ObjectTypes.MODULE_NAME,
ObjectTypes.PACKAGE,
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import hashlib
from sets import Set
import time
StateMachine = Actor.importLib( 'analytics/StateAnalysis', 'StateMachine' )
StateEvent = Actor.importLib( 'analytics/StateAnalysis', 'StateEvent' )
CreateOnAccess = Actor.importLib( 'hcp_helpers', 'CreateOnAccess' )
def GenerateDetectReport( agentid, msgIds, cat, detect ):
if type( msgIds ) is not tuple and type( msgIds ) is not list:
msgIds = ( msgIds, )
if type( agentid ) is tuple or type( agentid ) is list:
agentid = ' / '.join( agentid )
reportId = hashlib.sha256( str( msgIds ) ).hexdigest()
return { 'source' : agentid, 'msg_ids' : msgIds, 'cat' : cat, 'detect' : detect, 'report_id' : reportId }
class StatelessActor ( Actor ):
def init( self, parameters ):
if not hasattr( self, 'process' ):
raise Exception( 'Stateless Actor has no "process" function' )
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from sets import Set
from beach.actor import Actor
_xm_ = Actor.importLib( '../utils/hcp_helpers', '_xm_' )
_x_ = Actor.importLib( '../utils/hcp_helpers', '_x_' )
exeFromPath = Actor.importLib( '../utils/hcp_helpers', 'exeFromPath' )
ObjectTypes = Actor.importLib( '../utils/ObjectsDb', 'ObjectTypes' )
ObjectNormalForm = Actor.importLib( '../utils/ObjectsDb', 'ObjectNormalForm' )
AgentId = Actor.importLib( '../utils/hcp_helpers', 'AgentId' )
class AnalyticsIntake( Actor ):
def init( self, parameters, resources ):
self.handle( 'analyze', self.analyze )
self.analytics_stateless = self.getActorHandle( resources[ 'stateless' ], timeout = 30, nRetries = 3 )
self.analytics_stateful = self.getActorHandle( resources[ 'stateful' ], timeout = 30, nRetries = 3 )
self.analytics_modeling = self.getActorHandle( resources[ 'modeling' ], timeout = 120, nRetries = 3 )
self.async_builder = self.getActorHandle( resources[ 'relation_builder' ], timeout = 120, nRetries = 3 )
self.analytics_investigation = self.getActorHandle( resources[ 'investigation' ], timeout = 120, nRetries = 3 )
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import re
_x_ = Actor.importLib( '../../utils/hcp_helpers', '_x_' )
_xm_ = Actor.importLib( '../../utils/hcp_helpers', '_xm_' )
def NewProcessNamed( regexp ):
try:
regexp.match( '' )
except:
regexp = re.compile( regexp )
def _processNamed( history, event ):
newProcName = _x_( event.event, 'notification.NEW_PROCESS/base.FILE_PATH' )
if newProcName is not None and regexp.match( newProcName ):
return True
else:
return False
return _processNamed
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import os
import json
import uuid
import base64
import urllib
import urllib2
from sets import Set
AgentId = Actor.importLib('utils/hcp_helpers', 'AgentId')
class WebHookOutput(Actor):
def init(self, parameters, resources):
self.deploymentManager = self.getActorHandle(resources['deployment'],
nRetries=3,
timeout=30)
self.identManager = self.getActorHandle(resources['identmanager'],
nRetries=3,
timeout=30)
self.hooks = {}
self.refreshHooks()
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import base64
import M2Crypto
import zlib
import time
import struct
import binascii
import traceback
import hashlib
rpcm = Actor.importLib( '../rpcm', 'rpcm' )
rList = Actor.importLib( '../rpcm', 'rList' )
rSequence = Actor.importLib( '../rpcm', 'rSequence' )
AgentId = Actor.importLib( '../hcp_helpers', 'AgentId' )
_xm_ = Actor.importLib( '../hcp_helpers', '_xm_' )
_x_ = Actor.importLib( '../hcp_helpers', '_x_' )
HcpDb = Actor.importLib( '../hcp_databases', 'HcpDb' )
ip_to_tuple = Actor.importLib( '../hcp_helpers', 'ip_to_tuple' )
HcpOperations = Actor.importLib( '../hcp_helpers', 'HcpOperations' )
HcpModuleId = Actor.importLib( '../hcp_helpers', 'HcpModuleId' )
PooledResource = Actor.importLib( '../hcp_helpers', 'PooledResource' )
class BeaconProcessor( Actor ):
def init( self, parameters ):
self.private_key = M2Crypto.RSA.load_key_string( parameters[ '_priv_key' ] )
self.handle( 'beacon', self.processBeacon )
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import time
import time_uuid
import uuid
import base64
import msgpack
import datetime
import random
import traceback
from sets import Set
CassDb = Actor.importLib('../utils/hcp_databases', 'CassDb')
AgentId = Actor.importLib('../utils/hcp_helpers', 'AgentId')
_x_ = Actor.importLib('../utils/hcp_helpers', '_x_')
_xm_ = Actor.importLib('../utils/hcp_helpers', '_xm_')
ObjectTypes = Actor.importLib('../utils/ObjectsDb', 'ObjectTypes')
RelationName = Actor.importLib('../utils/ObjectsDb', 'RelationName')
ObjectKey = Actor.importLib('../utils/ObjectsDb', 'ObjectKey')
class AnalyticsModeling(Actor):
def init(self, parameters, resources):
self.modelingLevel = 10
self.deploymentmanager = self.getActorHandle(resources['deployment'],
timeout=30,
nRetries=3)
self.refreshConfigs()
# Copyright 2015 refractionPOINT
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
ObjectTypes = Actor.importLib( '../../ObjectsDb', 'ObjectTypes' )
StatelessActor = Actor.importLib( '../../Detects', 'StatelessActor' )
_x_ = Actor.importLib( '../../hcp_helpers', '_x_' )
class ExecNotOnDisk ( StatelessActor ):
def init( self, parameters ):
super( ExecNotOnDisk, self ).init( parameters )
def process( self, msg ):
routing, event, mtd = msg.data
detects = []
if _x_( event, '?/base.HASH' ) is None:
detects.append( ( event, None ) )
return detects
from beach.beach_api import Beach
import json
import hashlib
try:
# When used by the random python script
# import normally
from rpcm import rpcm
from rpcm import rSequence
from rpcm import rList
from Symbols import Symbols
from signing import Signing
from hcp_helpers import AgentId
except:
# When in an actor, use the relative import
from beach.actor import Actor
rpcm = Actor.importLib('utils/rpcm', 'rpcm')
rSequence = Actor.importLib('utils/rpcm', 'rSequence')
rList = Actor.importLib('utils/rpcm', 'rList')
Symbols = Actor.importLib('Symbols', 'Symbols')
Signing = Actor.importLib('signing', 'Signing')
AgentId = Actor.importLib('utils/hcp_helpers', 'AgentId')
#===============================================================================
# Library section to be used by Python code for automation
#===============================================================================
class BEAdmin(object):
token = None
def __init__(self, beach_config, token, timeout=1000 * 10):
self.token = token
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
_x_ = Actor.importLib("./hcp_helpers", "_x_")
_xm_ = Actor.importLib("./hcp_helpers", "_xm_")
exeFromPath = Actor.importLib("./hcp_helpers", "exeFromPath")
# The event tuples are: ( eventTypeDescription, funcForKey, funcForShortKey, funcForNarrative )
_eventTypes = {
"notification.NEW_PROCESS": (
"new process starting",
lambda x: _x_(x, "?/base.FILE_PATH"),
lambda x: exeFromPath(_x_(x, "?/base.FILE_PATH")),
lambda x: "The process %s with pid %s is starting." % (_x_(x, "?/base.FILE_PATH"), _x_(x, "?/base.PROCESS_ID")),
),
"notification.TERMINATE_PROCESS": (
"a process is terminating",
lambda x: _x_(x, "?/base.PROCESS_ID"),
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import hashlib
Hunt = Actor.importLib( '../../Hunts', 'Hunt' )
_xm_ = Actor.importLib( '../../hcp_helpers', '_xm_' )
_x_ = Actor.importLib( '../../hcp_helpers', '_x_' )
exeFromPath = Actor.importLib( '../../hcp_helpers', 'exeFromPath' )
class SuspectedDropperHunt ( Hunt ):
detects = ( 'WinSuspExecName', )
def init( self, parameters ):
super( SuspectedDropperHunt, self ).init( parameters )
def updateHunt( self, context, newMsg ):
if newMsg is None:
source = context[ 'source' ].split( ' / ' )[ 0 ]
inv_id = context[ 'report_id' ]
detect = context[ 'detect' ]
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import msgpack
import base64
import random
CassDb = Actor.importLib( '../hcp_databases', 'CassDb' )
CassPool = Actor.importLib( '../hcp_databases', 'CassPool' )
class AnalyticsReporting( Actor ):
def init( self, parameters ):
self._db = CassDb( parameters[ 'db' ], 'hcp_analytics', consistencyOne = True )
self.db = CassPool( self._db,
rate_limit_per_sec = parameters[ 'rate_limit_per_sec' ],
maxConcurrent = parameters[ 'max_concurrent' ],
blockOnQueueSize = parameters[ 'block_on_queue_size' ] )
self.report_stmt_rep = self.db.prepare( 'INSERT INTO reports ( repid, gen, source, dtype, events, detect ) VALUES ( ?, dateOf( now() ), ?, ?, ?, ? ) USING TTL %d' % ( 60 * 60 * 24 * 7 * 4 ) )
self.report_stmt_rep.consistency_level = CassDb.CL_Ingest
self.report_stmt_tl = self.db.prepare( 'INSERT INTO report_timeline ( d, ts, repid ) VALUES ( ?, now(), ? ) USING TTL %d' % ( 60 * 60 * 24 * 7 * 4 ) )
self.report_stmt_tl.consistency_level = CassDb.CL_Ingest
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import time
from sets import Set
BEAdmin = Actor.importLib( '../admin_lib', 'BEAdmin' )
Host = Actor.importLib( '../ObjectsDb', 'Host' )
HostObjects = Actor.importLib( '../ObjectsDb', 'HostObjects' )
FluxEvent = Actor.importLib( '../ObjectsDb', 'FluxEvent' )
ObjectTypes = Actor.importLib( '../ObjectsDb', 'ObjectTypes' )
ObjectKey = Actor.importLib( '../ObjectsDb', 'ObjectKey' )
RelationNameFromId = Actor.importLib( '../ObjectsDb', 'RelationNameFromId' )
Reporting = Actor.importLib( '../ObjectsDb', 'Reporting' )
KeyValueStore = Actor.importLib( '../ObjectsDb', 'KeyValueStore' )
AgentId = Actor.importLib( '../hcp_helpers', 'AgentId' )
_xm_ = Actor.importLib( '../hcp_helpers', '_xm_' )
_x_ = Actor.importLib( '../hcp_helpers', '_x_' )
class ModelView( Actor ):
def init( self, parameters ):
self.admin = BEAdmin( parameters[ 'beach_config' ], None )
"description" : "Hunter that investigates VT hits.",
"requirements" : "",
"feeds" : [],
"platform" : "all",
"author" : "*****@*****.**",
"version" : "1.0",
"scaling_factor" : 10000,
"n_concurrent" : 5,
"usage" : {}
}
LC_DETECTION_MTD_END
'''
###############################################################################
from beach.actor import Actor
Hunter = Actor.importLib('Hunters', 'Hunter')
_xm_ = Actor.importLib('utils/hcp_helpers', '_xm_')
_x_ = Actor.importLib('utils/hcp_helpers', '_x_')
InvestigationNature = Actor.importLib('utils/hcp_helpers',
'InvestigationNature')
InvestigationConclusion = Actor.importLib('utils/hcp_helpers',
'InvestigationConclusion')
MemoryAccess = Actor.importLib('utils/hcp_helpers', 'MemoryAccess')
MemoryType = Actor.importLib('utils/hcp_helpers', 'MemoryType')
normalAtom = Actor.importLib('utils/hcp_helpers', 'normalAtom')
AgentId = Actor.importLib('utils/hcp_helpers', 'AgentId')
class VirusTotalHunter(Hunter):
detects = ('VirusTotalKnownBad', )
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
from sets import Set
HcpCli = Actor.importLib( '../admin_cli', 'HcpCli' )
class AutoTasking( Actor ):
def init( self, parameters, resources ):
self.hbs_key = parameters.get( '_hbs_key', None )
if self.hbs_key is None: raise Exception( 'missing HBS key' )
self.cli = HcpCli( self._beach_config_path,
parameters.get( 'auth_token', '' ),
self.hbs_key,
parameters.get( 'log_file', None ) )
self.sensor_qph = parameters.get( 'sensor_qph', 50 )
self.global_qph = parameters.get( 'global_qph', 200 )
self.allowed_commands = Set( parameters.get( 'allowed', [] ) )
self.handle( 'task', self.handleTasking )
self.sensor_stats = {}
self.global_stats = 0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
from sets import Set
ObjectTypes = Actor.importLib( '../utils/ObjectsDb', 'ObjectTypes' )
HostObjects = Actor.importLib( '../utils/ObjectsDb', 'HostObjects' )
BEAdmin = Actor.importLib( '../admin_lib', 'BEAdmin' )
AgentId = Actor.importLib( '../utils/hcp_helpers', 'AgentId' )
chunks = Actor.importLib( '../utils/hcp_helpers', 'chunks' )
class StatsComputer( Actor ):
def init( self, parameters, resources ):
HostObjects.setDatabase( parameters[ 'scale_db' ] )
self.be = BEAdmin( self._beach_config_path, None )
self.lastStats = {}
self.schedule( 3600, self.computeRelation,
parentType = ObjectTypes.PROCESS_NAME,
childType = ObjectTypes.FILE_PATH,
# Copyright 2015 refractionPOINT
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
ObjectTypes = Actor.importLib( 'utils/ObjectsDb', 'ObjectTypes' )
StatelessActor = Actor.importLib( 'Detects', 'StatelessActor' )
AgentId = Actor.importLib( 'utils/hcp_helpers', 'AgentId' )
import os
import traceback
import StringIO
import base64
import urllib2
import yara
class YaraUpdater ( StatelessActor ):
def init( self, parameters, resources ):
super( YaraUpdater, self ).init( parameters, resources )
self.rulesDir = parameters.get( 'rules_dir', None )
if self.rulesDir is not None:
# Copyright 2015 refractionPOINT # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. from beach.actor import Actor StateMachineDescriptor = Actor.importLib( './', 'StateMachineDescriptor' ) State = Actor.importLib( './', 'State' ) StateTransition = Actor.importLib( './', 'StateTransition' ) NewProcessNamed = Actor.importLib( './transitions', 'NewProcessNamed' ) HistoryOlderThan = Actor.importLib( './transitions', 'HistoryOlderThan' ) RunningPidReset = Actor.importLib( './transitions', 'RunningPidReset' ) AlwaysReturn = Actor.importLib( './transitions', 'AlwaysReturn' ) EventOfType = Actor.importLib( './transitions', 'EventOfType' ) ParentProcessInHistory = Actor.importLib( './transitions', 'ParentProcessInHistory' ) InverseTransition = Actor.importLib( './transitions', 'InverseTransition' ) SensorRestart = Actor.importLib( './transitions', 'SensorRestart' ) AndTransitions = Actor.importLib( './transitions', 'AndTransitions' ) OrTransitions = Actor.importLib( './transitions', 'OrTransitions' ) NewDocumentNamed = Actor.importLib( './transitions', 'NewDocumentNamed' ) def ProcessBurst( name, priority, summary, procRegExp, nPerBurst, withinMilliSeconds ):
# Copyright 2015 refractionPOINT
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
AgentId = Actor.importLib('../hcp_helpers', 'AgentId')
class AnalyticsStateless(Actor):
def init(self, parameters):
self.handleCache = {}
self.modules = {
'notification.NEW_PROCESS': [
'analytics/stateless/suspexecloc/',
'analytics/stateless/batchselfdelete/',
'analytics/stateless/firewallclimods/',
'analytics/stateless/known_objects/'
],
'notification.TERMINATE_PROCESS': [
'analytics/stateless/suspexecloc/',
'analytics/stateless/batchselfdelete/'
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import traceback
import hashlib
import time
import ipaddress
CassDb = Actor.importLib( 'utils/hcp_databases', 'CassDb' )
CassPool = Actor.importLib( 'utils/hcp_databases', 'CassPool' )
rpcm = Actor.importLib( 'utils/rpcm', 'rpcm' )
rList = Actor.importLib( 'utils/rpcm', 'rList' )
rSequence = Actor.importLib( 'utils/rpcm', 'rSequence' )
AgentId = Actor.importLib( 'utils/hcp_helpers', 'AgentId' )
class PersistentTasking( Actor ):
def init( self, parameters, resources ):
self._db = CassDb( parameters[ 'db' ], 'hcp_analytics', consistencyOne = True )
self.db = CassPool( self._db,
rate_limit_per_sec = parameters[ 'rate_limit_per_sec' ],
maxConcurrent = parameters[ 'max_concurrent' ],
blockOnQueueSize = parameters[ 'block_on_queue_size' ] )
self.recordLive = self.db.prepare( 'UPDATE sensor_states SET alive = dateOf(now()), ext_ip = ?, int_ip = ?, hostname = ? WHERE org = ? AND subnet = ? AND unique = ? AND platform = ?' )
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
from sets import Set
import hashlib
import base64
import uuid
import msgpack
import sys
import time
import re
import time_uuid
AgentId = Actor.importLib('hcp_helpers', 'AgentId')
chunks = Actor.importLib('hcp_helpers', 'chunks')
tsToTime = Actor.importLib('hcp_helpers', 'tsToTime')
timeToTs = Actor.importLib('hcp_helpers', 'timeToTs')
CassDb = Actor.importLib('hcp_databases', 'CassDb')
CassPool = Actor.importLib('hcp_databases', 'CassPool')
def ObjectNormalForm(objName, objType, isCaseSensitive=False):
caseSensitiveTypes = (ObjectTypes.AUTORUNS, ObjectTypes.CMD_LINE,
ObjectTypes.FILE_NAME, ObjectTypes.FILE_PATH,
ObjectTypes.HANDLE_NAME, ObjectTypes.MODULE_NAME,
ObjectTypes.PACKAGE, ObjectTypes.PROCESS_NAME,
ObjectTypes.SERVICE_NAME)
if ObjectTypes.FILE_HASH == objType:
try:
# See the License for the specific language governing permissions and
# limitations under the License.
import sys
import os
import re
import datetime
from collections import OrderedDict
import collections
import functools
from functools import wraps
import inspect
from contextlib import contextmanager
from beach.actor import Actor
rSequence = Actor.importLib( 'rpcm', 'rSequence' )
import hmac, base64, struct, hashlib, time, string, random
def _xm_( o, path, isWildcardDepth = False ):
def _isDynamicType( e ):
eType = type( e )
return issubclass( eType, dict ) or issubclass( eType, list ) or issubclass( eType, tuple )
def _isListType( e ):
eType = type( e )
return issubclass( eType, list ) or issubclass( eType, tuple )
def _isSeqType( e ):
import time
import time_uuid
import uuid
import base64
import msgpack
import datetime
import os
import json
import logging
import logging.handlers
import random
import traceback
from sets import Set
import boto3
import tempfile
AgentId = Actor.importLib( '../utils/hcp_helpers', 'AgentId' )
_x_ = Actor.importLib( '../utils/hcp_helpers', '_x_' )
_xm_ = Actor.importLib( '../utils/hcp_helpers', '_xm_' )
Mutex = Actor.importLib( '../utils/hcp_helpers', 'Mutex' )
ObjectTypes = Actor.importLib( '../utils/ObjectsDb', 'ObjectTypes' )
RelationName = Actor.importLib( '../utils/ObjectsDb', 'RelationName' )
ObjectKey = Actor.importLib( '../utils/ObjectsDb', 'ObjectKey' )
class StorageCoProcessor( object ):
def init( self, parameters, resources, fromActor ):
self._actor = fromActor
self.modelingLevel = 10
self._use_b64 = False
self._is_flat = False
self.loggingDir = ''
self.file_logger = None
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import msgpack
import base64
import random
import json
import time_uuid
AgentId = Actor.importLib('utils/hcp_helpers', 'AgentId')
CassDb = Actor.importLib('../utils/hcp_databases', 'CassDb')
CassPool = Actor.importLib('../utils/hcp_databases', 'CassPool')
CreateOnAccess = Actor.importLib('../utils/hcp_helpers', 'CreateOnAccess')
class AnalyticsReporting(Actor):
def init(self, parameters, resources):
self._db = CassDb(parameters['db'],
'hcp_analytics',
consistencyOne=True)
self.db = CassPool(self._db,
rate_limit_per_sec=parameters['rate_limit_per_sec'],
maxConcurrent=parameters['max_concurrent'],
blockOnQueueSize=parameters['block_on_queue_size'])
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from sets import Set
from beach.actor import Actor
_xm_ = Actor.importLib('../hcp_helpers', '_xm_')
_x_ = Actor.importLib('../hcp_helpers', '_x_')
exeFromPath = Actor.importLib('../hcp_helpers', 'exeFromPath')
ObjectTypes = Actor.importLib('../ObjectsDb', 'ObjectTypes')
ObjectNormalForm = Actor.importLib('../ObjectsDb', 'ObjectNormalForm')
AgentId = Actor.importLib('../hcp_helpers', 'AgentId')
class AnalyticsIntake(Actor):
def init(self, parameters):
self.handle('analyze', self.analyze)
self.analytics_stateless = self.getActorHandle(
'analytics/stateless/intake', timeout=30, nRetries=3)
self.analytics_stateful = self.getActorHandle(
'analytics/stateful/intake', timeout=30, nRetries=3)
self.analytics_modeling = self.getActorHandle(
"n_concurrent" : 5,
"isIsolated" : True,
"usage" : {
"types" : "list of object types",
"db" : "hostname of the scale database",
"rate_limit_per_sec" : "max number of queries per second",
"max_concurrent" : "max number of concurrent queries",
"block_on_queue_size" : "the number of elements in backlog before blocking"
}
}
LC_DETECTION_MTD_END
'''
###############################################################################
from beach.actor import Actor
ObjectTypes = Actor.importLib('utils/ObjectsDb', 'ObjectTypes')
HostObjects = Actor.importLib('utils/ObjectsDb', 'HostObjects')
StatelessActor = Actor.importLib('Detects', 'StatelessActor')
CassDb = Actor.importLib('utils/hcp_databases', 'CassDb')
CassPool = Actor.importLib('utils/hcp_databases', 'CassPool')
from sets import Set
class NewObjects(StatelessActor):
def init(self, parameters, resources):
super(NewObjects, self).init(parameters, resources)
self.db = parameters['db']
self.typesOfInterest = Set(parameters.get('types', []))
self.typesOfInterest = map(lambda x: ObjectTypes.forward[x],
self.typesOfInterest)
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import re
_x_ = Actor.importLib('utils/hcp_helpers', '_x_')
class NixPrivilegeElevation(object):
def __init__(self, fromActor):
pass
def analyze(self, event, sensor, *args):
if sensor.aid.isWindows():
return False
procUid = _x_(event.data, '?/base.USER_ID')
procPath = _x_(event.data, '?/base.FILE_PATH')
if procUid is not None and 0 == procUid and procPath is not None and not procPath.lower(
).endswith('sudo'):
parentUid = _x_(event.data, '?/base.PARENT/base.USER_ID')
from beach.beach_api import Beach
import json
import hashlib
try:
# When used by the random python script
# import normally
from rpcm import rpcm
from rpcm import rSequence
from rpcm import rList
from Symbols import Symbols
from signing import Signing
from hcp_helpers import AgentId
except:
# When in an actor, use the relative import
from beach.actor import Actor
rpcm = Actor.importLib( 'rpcm', 'rpcm' )
rSequence = Actor.importLib( 'rpcm', 'rSequence' )
rList = Actor.importLib( 'rpcm', 'rList' )
Symbols = Actor.importLib( 'Symbols', 'Symbols' )
Signing = Actor.importLib( 'signing', 'Signing' )
AgentId = Actor.importLib( 'hcp_helpers', 'AgentId' )
#===============================================================================
# Library section to be used by Python code for automation
#===============================================================================
class BEAdmin( object ):
token = None
def __init__( self, beach_config, token, timeout = 1000 * 10 ):
self.token = token
self.beach = Beach( beach_config, realm = 'hcp' )
# Copyright 2015 refractionPOINT
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
StatelessActor = Actor.importLib( '../../Detects', 'StatelessActor' )
ObjectTypes = Actor.importLib( '../../ObjectsDb', 'ObjectTypes' )
class TestDetection ( StatelessActor ):
def init( self, parameters ):
super( TestDetection, self ).init( parameters )
def process( self, msg ):
routing, event, mtd = msg.data
detects = []
for o in mtd[ 'obj' ].get( ObjectTypes.FILE_PATH, [] ):
if 'hcp_evil_detection_test' in o:
detects.append( ( event, ( ( 'file_hash',
event.get( 'notification.NEW_PROCESS', {} )
.get( 'base.FILE_PATH' ) ),
( 'remain_live', 60 ),
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import time
import time_uuid
import uuid
import base64
import msgpack
import datetime
import random
from sets import Set
CassDb = Actor.importLib( '../hcp_databases', 'CassDb' )
CassPool = Actor.importLib( '../hcp_databases', 'CassPool' )
AgentId = Actor.importLib( '../hcp_helpers', 'AgentId' )
_x_ = Actor.importLib( '../hcp_helpers', '_x_' )
_xm_ = Actor.importLib( '../hcp_helpers', '_xm_' )
ObjectTypes = Actor.importLib( '../ObjectsDb', 'ObjectTypes' )
RelationName = Actor.importLib( '../ObjectsDb', 'RelationName' )
ObjectKey = Actor.importLib( '../ObjectsDb', 'ObjectKey' )
class AnalyticsModeling( Actor ):
def init( self, parameters ):
self._db = CassDb( parameters[ 'db' ], 'hcp_analytics', consistencyOne = True )
self.db = CassPool( self._db,
rate_limit_per_sec = parameters[ 'rate_limit_per_sec' ],
maxConcurrent = parameters[ 'max_concurrent' ],
blockOnQueueSize = parameters[ 'block_on_queue_size' ] )
# Copyright 2015 refractionPOINT
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
AgentId = Actor.importLib( '../hcp_helpers', 'AgentId' )
class AnalyticsStateful( Actor ):
def init( self, parameters ):
self.handleCache = {}
self.statefulCommon = self.getActorHandleGroup( 'analytics/stateful/modules/common/',
mode = 'affinity',
timeout = 30,
nRetries = 3 )
self.statefulWindows = self.getActorHandleGroup( 'analytics/stateful/modules/windows/',
mode = 'affinity',
timeout = 30,
nRetries = 3 )
self.statefulOsx = self.getActorHandleGroup( 'analytics/stateful/modules/osx/',
mode = 'affinity',
timeout = 30,
# Copyright 2015 refractionPOINT
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
ObjectTypes = Actor.importLib('../../ObjectsDb', 'ObjectTypes')
ObjectKey = Actor.importLib('../../ObjectsDb', 'ObjectKey')
StatelessActor = Actor.importLib('../../Detects', 'StatelessActor')
RingCache = Actor.importLib('../../hcp_helpers', 'RingCache')
class KnownObjects(StatelessActor):
def init(self, parameters):
super(KnownObjects, self).init(parameters)
self.known = {}
self.infoCache = RingCache(maxEntries=100, isAutoAdd=False)
self.source_refresh_sec = parameters.get('source_refresh_sec', 3600)
self.source_cat = parameters.get('source', 'sources/known_objects/')
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
from beach.patrol import Patrol
Mutex = Actor.importLib('../utils/hcp_helpers', 'Mutex')
import urllib2
import json
import tempfile
class CapabilityManager(Actor):
def init(self, parameters, resources):
self.scale = parameters['scale']
self.patrol = Patrol(self._beach_config_path,
realm='hcp',
identifier=self.__class__.__name__,
scale=self.scale,
sync_frequency=60.0)
self.patrol.start()
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import hashlib
from sets import Set
import time
SAMLoadWidgets = Actor.importLib( 'analytics/StateAnalysis', 'SAMLoadWidgets' )
def GenerateDetectReport( agentid, msgIds, cat, detect ):
if type( msgIds ) is not tuple and type( msgIds ) is not list:
msgIds = ( msgIds, )
if type( agentid ) is tuple or type( agentid ) is list:
agentid = ' / '.join( agentid )
reportId = hashlib.sha256( str( msgIds ) ).hexdigest()
return { 'source' : agentid, 'msg_ids' : msgIds, 'cat' : cat, 'detect' : detect, 'report_id' : reportId }
class StatelessActor ( Actor ):
def init( self, parameters ):
if not hasattr( self, 'process' ):
raise Exception( 'Stateless Actor has no "process" function' )
self._reporting = self.getActorHandle( 'analytics/report' )
self._tasking = None
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
from beach.utils import loadModuleFrom
import traceback
import json
import uuid
import time
import msgpack
import base64
from contextlib import contextmanager
EventDSL = Actor.importLib( '../utils/EventInterpreter', 'EventDSL' )
AgentId = Actor.importLib( '../utils/hcp_helpers', 'AgentId' )
StateMachine = Actor.importLib( '../analytics/StateAnalysis', 'StateMachine' )
_StateMachineContext = Actor.importLib( '../analytics/StateAnalysis', '_StateMachineContext' )
StateEvent = Actor.importLib( '../analytics/StateAnalysis', 'StateEvent' )
HostObjects = Actor.importLib( '../utils/ObjectsDb', 'HostObjects' )
KeyValueStore = Actor.importLib( '../utils/ObjectsDb', 'KeyValueStore' )
Atoms = Actor.importLib( '../utils/ObjectsDb', 'Atoms' )
class _TaskResp ( object ):
def __init__( self ):
self._inv = inv
self.wasReceived = False
self.responses = []
self._event = Event()
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import traceback
import hashlib
import time
import ipaddress
import uuid
from sets import Set
CassDb = Actor.importLib('utils/hcp_databases', 'CassDb')
CassPool = Actor.importLib('utils/hcp_databases', 'CassPool')
rpcm = Actor.importLib('utils/rpcm', 'rpcm')
rList = Actor.importLib('utils/rpcm', 'rList')
rSequence = Actor.importLib('utils/rpcm', 'rSequence')
AgentId = Actor.importLib('utils/hcp_helpers', 'AgentId')
class AuditManager(Actor):
def init(self, parameters, resources):
self._db = CassDb(parameters['db'],
'hcp_analytics',
consistencyOne=True)
self.db = CassPool(self._db,
rate_limit_per_sec=parameters['rate_limit_per_sec'],
maxConcurrent=parameters['max_concurrent'],
# Copyright 2015 refractionPOINT
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
_x_ = Actor.importLib('../utils/hcp_helpers', '_x_')
_xm_ = Actor.importLib('../utils/hcp_helpers', '_xm_')
Host = Actor.importLib('../utils/ObjectsDb', 'Host')
BEAdmin = Actor.importLib('../admin_lib', 'BEAdmin')
import logging
import logging.handlers
class CEFDetectsOutput(Actor):
def init(self, parameters, resources):
self.admin = BEAdmin(self._beach_config_path, None)
Host.setDatabase(self.admin, parameters['scale_db'])
self._cef_logger = logging.getLogger('limacharlie_detects_cef')
handler = logging.handlers.SysLogHandler(
address=parameters.get('siem_server', '/dev/log'))
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
from beach.patrol import Patrol
synchronized = Actor.importLib( '../utils/hcp_helpers', 'synchronized' )
import urllib2
import json
class CapabilityManager( Actor ):
def init( self, parameters, resources ):
self.scale = parameters[ 'scale' ]
self.patrol = Patrol( self._beach_config_path,
realm = 'hcp',
identifier = self.__class__.__name__,
scale = self.scale )
self.patrol.start()
self.detectSecretIdent = parameters[ 'detect_secret_ident' ]
self.detectTrustedIdent = parameters[ 'detect_trusted_ident' ]
self.hunterSecretIdent = parameters[ 'hunter_secret_ident' ]
# Copyright 2015 refractionPOINT
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
ObjectTypes = Actor.importLib( '../../ObjectsDb', 'ObjectTypes' )
StatefulActor = Actor.importLib( '../../Detects', 'StatefulActor' )
class WinReconTools ( StatefulActor ):
def initMachines( self, parameters ):
self.shardingKey = 'agentid'
self.machines = {
'sensor_restarting' :
'''
SAMTimeBurst( parameters = { 'within' : 10, 'min_burst' : 3 } )
.feed_from( SAMSelector( parameters = {
'event/notification.NEW_PROCESS/base.FILE_PATH' : r'.*(/|\\\)((ipconfig)|(arp)|(route)|(ping)|(traceroute)|(nslookup)|(netstat)|(wmic)|(net\d?)|(whoami)|(systeminfo))\.exe' } ) )
'''
}
def processDetects( self, detects ):
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import virustotal
RingCache = Actor.importLib('../hcp_helpers', 'RingCache')
class VirusTotalActor(Actor):
def init(self, parameters):
self.key = parameters.get('_key', None)
if self.key is None: self.logCritical('missing API key')
# Maximum number of queries per minute
self.qpm = parameters.get('qpm', 4)
if self.key is not None:
self.vt = virustotal.VirusTotal(self.key, limit_per_min=self.qpm)
# Cache size
self.cache_size = parameters.get('cache_size', 1000)
# Copyright 2015 refractionPOINT
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
ProcessDescendant = Actor.importLib( '../../analytics/StateAnalysis/descriptors', 'ProcessDescendant' )
EventBurst = Actor.importLib( '../../analytics/StateAnalysis/descriptors', 'EventBurst' )
StatefulActor = Actor.importLib( '../../Detects', 'StatefulActor' )
class SensorIssues ( StatefulActor ):
def initMachines( self, parameters ):
self.shardingKey = 'agentid'
#TODO: vary the logic for other platforms and ensure it's the right executable name.
hcpProcesses = r'.*(/|\\)((rphcp)|(hcp_.+))\.exe'
anyApps = r'.*'
hcpSpawningProcesses = ProcessDescendant( name = 'hcp_spawns_anything',
parentRegExp = hcpProcesses,
childRegExp = anyApps,
isDirectOnly = True )
# See the License for the specific language governing permissions and
# limitations under the License.
import sys
import os
import re
import datetime
from collections import OrderedDict
import collections
import functools
from functools import wraps
import inspect
from contextlib import contextmanager
from beach.actor import Actor
rSequence = Actor.importLib('rpcm', 'rSequence')
import hmac, base64, struct, hashlib, time, string, random
def _xm_(o, path, isWildcardDepth=False):
def _isDynamicType(e):
eType = type(e)
return issubclass(eType, dict) or issubclass(
eType, list) or issubclass(eType, tuple)
def _isListType(e):
eType = type(e)
return issubclass(eType, list) or issubclass(eType, tuple)
def _isSeqType(e):
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import virustotal
ObjectTypes = Actor.importLib( '../../ObjectsDb', 'ObjectTypes' )
StatelessActor = Actor.importLib( '../../Detects', 'StatelessActor' )
RingCache = Actor.importLib( '../../hcp_helpers', 'RingCache' )
class VirusTotal ( StatelessActor ):
def init( self, parameters ):
super( VirusTotal, self ).init( parameters )
self.key = parameters.get( 'key', None )
if self.key is None: raise Exception( 'missing API key' )
# Maximum number of queries per minute
self.qpm = parameters.get( 'qpm', 4 )
self.vt = virustotal.VirusTotal( self.key, limit_per_min = self.qpm )
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from beach.actor import Actor
import traceback
import hashlib
import time
rpcm = Actor.importLib( 'utils/rpcm', 'rpcm' )
rList = Actor.importLib( 'utils/rpcm', 'rList' )
rSequence = Actor.importLib( 'utils/rpcm', 'rSequence' )
AgentId = Actor.importLib( 'utils/hcp_helpers', 'AgentId' )
HbsCollectorId = Actor.importLib( 'utils/hcp_helpers', 'HbsCollectorId' )
CassDb = Actor.importLib( 'utils/hcp_databases', 'CassDb' )
CassPool = Actor.importLib( 'utils/hcp_databases', 'CassPool' )
HcpOperations = Actor.importLib( 'utils/hcp_helpers', 'HcpOperations' )
HcpModuleId = Actor.importLib( 'utils/hcp_helpers', 'HcpModuleId' )
def audited( f ):
def wrapped( self, *args, **kwargs ):
self.auditor.shoot( 'audit', { 'data' : args[ 0 ].data, 'cmd' : args[ 0 ].req } )
r = f( self, *args, **kwargs )
return r
return wrapped