Esempi in Python per ProcessView.get_asset

Esempio n. 1

File: main.py Progetto: grapl-security/grapl-analyzers

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        rare_read_file = False

        for read_file in response.get_read_files():
            count = self.counter.get_count_for(
                ProcessQuery().with_process_name(eq="osascript")
                .with_read_files(
                    FileQuery().with_file_path(read_file.get_file_path())
                )
            )
            if count < 4:
                rare_read_file = True
                break

        if rare_read_file:
            output.send(
                ExecutionHit(
                    analyzer_name="Osascript Process Execution - Rare File Read",
                    node_view=response,
                    risk_score=5,
                    lenses=asset_id,
                )
            )

Esempio n. 2

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        output.send(
            ExecutionHit(
                analyzer_name="Suspicious svchost",
                node_view=response,
                risk_score=75,
                lenses=[
                    ("hostname", asset_id),
                ],
                risky_node_keys=[
                    # the asset and the process
                    response.get_asset().node_key,
                    response.node_key,
                ],
            ))

Esempio n. 3

File: main.py Progetto: grapl-security/grapl-analyzers

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        output.send(
            ExecutionHit(analyzer_name="Cmd Child Network",
                         node_view=response,
                         risk_score=5,
                         lenses=asset_id))

Esempio n. 4

 def on_response(self, response: ProcessView, output: Any):
     hostname = response.get_asset().get_hostname()
     output.send(
         ExecutionHit(
             analyzer_name='CmdChildOfDns',
             node_view=response,
             risk_score=100,
             lenses=[('hostname', hostname)],
         ))

Esempio n. 5

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        output.send(
            ExecutionHit(
                analyzer_name="Python Process With Many Shells",
                node_view=response,
                risk_score=5,
                lenses=asset_id,
            ))

Esempio n. 6

File: main.py Progetto: grapl-security/grapl-analyzers

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        output.send(
            ExecutionHit(
                analyzer_name="Process Deletes Binary File",
                node_view=response,
                risk_score=20,
                lenses=asset_id,
            ))

Esempio n. 7

File: main.py Progetto: grapl-security/grapl-analyzers

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        output.send(
            ExecutionHit(
                analyzer_name="Powershell With Child Process",
                node_view=response,
                risk_score=25,
                lenses=asset_id,
            ))

Esempio n. 8

File: main.py Progetto: grapl-security/grapl-analyzers

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        output.send(
            ExecutionHit(
                analyzer_name="Exploiting SetupComplete.cmd CVE-2019-1378",
                node_view=response,
                risk_score=50,
                lenses=asset_id,
            ))

Esempio n. 9

File: main.py Progetto: grapl-security/grapl-analyzers

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        output.send(
            ExecutionHit(
                analyzer_name="Common Target Application With Child Process",
                node_view=response,
                risk_score=75,
                lenses=asset_id,
            ))

Esempio n. 10

File: main.py Progetto: patrickod/grapl

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        output.send(
            ExecutionHit(
                analyzer_name="Suspicious svchost",
                node_view=response,
                risk_score=75,
                lenses=asset_id
            )
        )

Esempio n. 11

    def on_response(self, response: ProcessView, output: Any):
        print(f'Unpacked process: {response.get_process_name()}')
        asset_id = response.get_asset().get_hostname()

        output.send(
            ExecutionHit(
                analyzer_name="Process Executing From Unpacked File",
                node_view=response,
                risk_score=15,
                lenses=asset_id,
            ))

Esempio n. 12

File: main.py Progetto: grapl-security/grapl-analyzers

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        output.send(
            ExecutionHit(
                analyzer_name="Browser Created File",
                node_view=response,
                risk_score=5,
                lenses=asset_id,
            )
        )

Esempio n. 13

    def on_response(self, response: ProcessView, output: Any) -> None:
        count = self.counter.get_count_for(
            parent_process_name=response.get_process_name(),
            child_process_name="cmd.exe",
        )

        asset_id = response.get_asset().get_hostname()

        if count <= 3:
            output.send(
                ExecutionHit(
                    analyzer_name="Rare Parent of cmd.exe",
                    node_view=response,
                    risk_score=10,
                    lenses=[("hostname", asset_id)],
                ))

Esempio n. 14

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        count = self.counter.get_count_for(
            parent_process_name=output.get_parent().get_process_name(),
            child_process_name=output.get_process_name(),
        )

        if count <= 2:
            output.send(
                ExecutionHit(
                    analyzer_name="Unique Windows Builtin Execution",
                    node_view=response,
                    risk_score=15,
                    lenses=asset_id,
                ))

Esempio n. 15

File: main.py Progetto: grapl-security/grapl-analyzers

        def on_response(self, child: ProcessView, output: Any):
            asset_id = child.get_asset().get_hostname()

            parent = child.get_parent()

            child_user_id = get_user_id(child)
            parent_user_id = get_user_id(parent)

            if child_user_id != parent_user_id:

                output.send(
                    ExecutionHit(
                        analyzer_name="Parent Child User Mismatch",
                        node_view=child,
                        risk_score=25,
                        lenses=asset_id,
                    ))

Esempio n. 16

File: main.py Progetto: grapl-security/grapl-analyzers

    def on_response(self, response: ProcessView, output: Any):
        asset_id = response.get_asset().get_hostname()

        count = self.counter.get_count_for(
            grand_parent_process_name=response.get_parent().get_parent().
            get_process_name(),
            grand_child_process_name=response.get_process_name(),
        )

        print(f'Counted {count} for parent -> ssh')

        if count <= 3:
            output.send(
                ExecutionHit(
                    analyzer_name="Rare GrandParent of SSH",
                    node_view=response,
                    risk_score=5,
                    lenses=asset_id,
                ))