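def Run(md5):
    """Report whether a Bit9-supplied MD5 appears in Carbon Black, as a process and as a parent process.

    Prints the findings (plus ready-made CB console search links) to stdout; returns nothing.

    Args:
        md5: MD5 hex digest taken from the Bit9 file catalog. May be blank/None when Bit9
            did not capture a hash; such values are reported and not queried.
    """
    launch = Launch()
    args = launch.get_args()
    cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)

    # The original only detected a trailing space ("md5:" + md5 ending in " "). Any value that is
    # not a 32-char hex digest is equally unusable as a CB query, and rejecting it up front also
    # keeps query operators out of the 'md5:' / 'parent_md5:' search strings built below.
    md5 = md5 or ""
    if len(md5) != 32 or not set(md5) <= set("0123456789abcdefABCDEF"):
        print(colored.red("[-] Bit9 did not capture the MD5 :(\n"))
        return

    # "\#" is not an escape sequence in Python, so the original links carried a literal backslash
    # in front of the fragment; the console search URL starts with "#search/".
    parentmd5url = cbserverurl + "#search/cb.urlver=1&cb.q.parent_md5=%20"
    md5url = cbserverurl + "#search/cb.urlver=1&cb.q.md5=%20"

    # NOTE(security): TLS verification is disabled for the CB API client, so the API token can be
    # captured by anyone able to intercept the connection. Prefer pointing ssl_verify at the CB
    # server's CA bundle (check what this cbapi version accepts) instead of False.
    cb_verify_tls = False
    cb = cbapi.CbApi(cbserverurl, token=cbapitoken, ssl_verify=cb_verify_tls)

    # print(...) with a single argument behaves the same under Python 2 and 3.
    print(colored.yellow("[*] Checking if Parent MD5 process in Carbon Black..."))
    parentresult = cb.process_search('parent_md5:' + md5, sort='start desc')
    if parentresult['total_results'] == 0:
        print(colored.cyan("[+] Not a Parent MD5 process"))
    else:
        print(colored.green("[+] Parent MD5 event found in Carbon Black."))
        print(colored.cyan(parentmd5url + md5 + "&sort=&rows=10&start=0"))

    print(colored.yellow("[*] Checking if MD5 seen in Carbon Black..."))
    md5result = cb.process_search('md5:' + md5, sort='start desc')
    if md5result['total_results'] == 0:
        print(colored.cyan("[+] Not seen in Carbon Black."))
    else:
        print(colored.green("[+] MD5 Found in CB."))
        print(colored.cyan(md5url + md5 + "&sort=&rows=10&start=0"))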
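def Run(hashtype, value):
    """Look up a file in the Bit9 file catalog by hash.

    Args:
        hashtype: one of "md5", "sha1" or "sha256" (the fileCatalog field to search).
        value: hex digest to search for.

    Returns:
        The decoded JSON response from /api/bit9platform/v1/fileCatalog.

    Raises:
        ValueError: unsupported hashtype, or value is not a hex digest of the expected length
            (the original raised NameError for "sha1" and UnboundLocalError for any other type).
        requests.HTTPError: non-2xx response.
    """
    launch = Launch()
    args = launch.get_args()
    b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
    authJson = {'X-Auth-Token': b9apitoken, 'content-type': 'application/json'}
    serverurl = b9serverurl + "/api/bit9platform/v1/"
    b9StrongCert = True  # Bit9 calls verify the server certificate

    # Expected digest length per supported catalog field. "sha1" follows the md5/sha256 pattern;
    # the original referenced an undefined sha1url, so confirm the field name against the Bit9 API.
    digest_len = {"md5": 32, "sha1": 40, "sha256": 64}
    if hashtype not in digest_len:
        raise ValueError("unsupported hash type: %r" % (hashtype,))
    value = value or ""
    if len(value) != digest_len[hashtype] or not set(value) <= set("0123456789abcdefABCDEF"):
        raise ValueError("%s value is not a %d-char hex digest: %r" % (hashtype, digest_len[hashtype], value))

    # params= lets requests encode the query instead of splicing the value into the URL; together
    # with the hex check above nothing but a digest can reach the q= filter.
    r = requests.get(serverurl + "fileCatalog", params={"q": hashtype + ":" + value},
                     headers=authJson, verify=b9StrongCert)
    r.raise_for_status()
    return r.json()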
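def Run(computername):
    """Look up Carbon Black sensors by hostname via /api/v1/sensor.

    Args:
        computername: hostname to search for; sent as an encoded query parameter.

    Returns:
        The decoded JSON response for that hostname.

    Raises:
        requests.HTTPError: non-2xx response (the original handed the error body to .json()
            instead; raising matches the Bit9 helpers in this project).
    """
    launch = Launch()
    args = launch.get_args()
    cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)
    headers = {"X-Auth-Token": cbapitoken}

    # NOTE(security): TLS verification is disabled, so the API token in X-Auth-Token can be
    # captured by anyone able to intercept the connection. Prefer verify=<path to the CB CA bundle>.
    cb_verify_tls = False

    # params= has requests percent-encode the hostname instead of splicing it into the URL, so a
    # value containing '&', '#' or '?' cannot alter the request.
    resp = requests.get(cbserverurl + "/api/v1/sensor", params={"hostname": str(computername)},
                        headers=headers, verify=cb_verify_tls)
    resp.raise_for_status()
    return resp.json()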
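def Run(computername):
    """Look up Carbon Black sensors by hostname via /api/v1/sensor.

    Args:
        computername: hostname to search for; sent as an encoded query parameter.

    Returns:
        The decoded JSON response for that hostname.

    Raises:
        requests.HTTPError: non-2xx response (the original handed the error body to .json()
            instead; raising matches the Bit9 helpers in this project).
    """
    launch = Launch()
    args = launch.get_args()
    cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)
    headers = {"X-Auth-Token": cbapitoken}

    # NOTE(security): TLS verification is disabled, so the API token in X-Auth-Token can be
    # captured by anyone able to intercept the connection. Prefer verify=<path to the CB CA bundle>.
    cb_verify_tls = False

    # params= has requests percent-encode the hostname instead of splicing it into the URL, so a
    # value containing '&', '#' or '?' cannot alter the request.
    resp = requests.get(cbserverurl + "/api/v1/sensor", params={"hostname": str(computername)},
                        headers=headers, verify=cb_verify_tls)
    resp.raise_for_status()
    return resp.json()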
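def Run(computername):
    """Look up Bit9 computers whose name matches computername.

    Args:
        computername: value for the Bit9 "name:" query filter.

    Returns:
        The decoded JSON response from /api/bit9platform/v1/computer.

    Raises:
        requests.HTTPError: non-2xx response.
    """
    launch = Launch()
    args = launch.get_args()
    b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
    authJson = {'X-Auth-Token': b9apitoken, 'content-type': 'application/json'}
    serverurl = b9serverurl + "/api/bit9platform/v1/"
    b9StrongCert = True  # Bit9 calls verify the server certificate

    # params= has requests encode the name; with the original string concatenation a name
    # containing '&', '#' or '?' could alter the query string. (The unused "Computer/" URL is gone.)
    r = requests.get(serverurl + "computer", params={"q": "name:" + computername},
                     headers=authJson, verify=b9StrongCert)
    r.raise_for_status()
    return r.json()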
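def Run(term, value, limit):
    """Query Bit9 events matching <term>:<value>, newest first.

    Args:
        term: Bit9 event field used in the q= filter.
        value: value to match for that field.
        limit: maximum number of events to return (str as before, or int).

    Returns:
        The decoded JSON response from /api/bit9platform/v1/event.

    Raises:
        requests.HTTPError: non-2xx response.
    """
    launch = Launch()
    args = launch.get_args()
    b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
    authJson = {"X-Auth-Token": b9apitoken, "content-type": "application/json"}
    serverurl = b9serverurl + "/api/bit9platform/v1/"
    b9StrongCert = True  # Bit9 calls verify the server certificate

    # requests encodes each parameter, so '&', '#' or '?' inside term/value cannot split the
    # query string the way they could with the original concatenation. Same sort as before.
    query = {"q": term + ":" + value, "limit": limit, "sort": "receivedTimestamp DESC"}
    r = requests.get(serverurl + "event", params=query, headers=authJson, verify=b9StrongCert)
    r.raise_for_status()
    return r.json()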
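def Run(hashvalue):
    """Look up a file in the Bit9 file catalog by MD5.

    Args:
        hashvalue: 32-char MD5 hex digest.

    Returns:
        The decoded JSON response from /api/bit9platform/v1/fileCatalog.

    Raises:
        ValueError: hashvalue is not a 32-char hex digest.
        requests.HTTPError: non-2xx response.
    """
    launch = Launch()
    args = launch.get_args()
    b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
    authJson = {'X-Auth-Token': b9apitoken, 'content-type': 'application/json'}
    serverurl = b9serverurl + "/api/bit9platform/v1/"

    # NOTE(security): the original set this to False, sending the API token over an unverified TLS
    # connection to the same Bit9 server every other helper in this project verifies. Made consistent.
    b9StrongCert = True

    hashvalue = hashvalue or ""
    if len(hashvalue) != 32 or not set(hashvalue) <= set("0123456789abcdefABCDEF"):
        raise ValueError("md5 value is not a 32-char hex digest: %r" % (hashvalue,))

    # params= lets requests encode the query; the hex check keeps query operators out of q=.
    r = requests.get(serverurl + "fileCatalog", params={"q": "md5:" + hashvalue},
                     headers=authJson, verify=b9StrongCert)
    r.raise_for_status()
    return r.json()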
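def Run(hashstate):
    """Ban the publisher (signing certificate) of a Bit9 file catalog entry.

    Args:
        hashstate: list of Bit9 fileCatalog entries; only hashstate[0] is used, and its
            'publisherId' and 'publisher' fields are read.

    Raises:
        ValueError: hashstate is empty (the original raised IndexError).
        requests.HTTPError: non-2xx response from the publisher endpoint.
    """
    launch = Launch()
    args = launch.get_args()
    b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
    authJson = {'X-Auth-Token': b9apitoken, 'content-type': 'application/json'}
    serverurl = b9serverurl + "/api/bit9platform/v1/"
    certificateurl = serverurl + "publisher/"
    b9StrongCert = True  # Bit9 calls verify the server certificate

    if not hashstate:
        raise ValueError("no file catalog entry to ban the publisher of")
    entry = hashstate[0]

    # 3 is the value this tool treats as "Banned" (BanHash sends the same value as fileState);
    # confirm against the Bit9 publisherState enumeration.
    BANNED = 3

    # Best-effort banner: the original printed the raw publisher name before the PUT with no guard,
    # so a name the terminal could not encode aborted the function before the ban was sent.
    try:
        print(colored.yellow("[*] Banning certificate for " + str(entry['publisher']) + "..."))
    except UnicodeError:
        print(colored.yellow("[*] Banning certificate (publisher name has characters the terminal can't print)..."))

    r = requests.put(certificateurl + str(entry['publisherId']), json.dumps({'publisherState': BANNED}),
                     headers=authJson, verify=b9StrongCert)
    r.raise_for_status()

    try:
        print(colored.green("[+] " + str(entry['publisher']) + " certificate has been Banned!"))
    except UnicodeError:
        print(colored.green("[+] certificate has been Banned!"))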
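def Run(hashvalue, rulename):
    """Create a Bit9 file rule that bans a hash.

    Args:
        hashvalue: hex digest to ban (md5, sha1 or sha256 length).
        rulename: name for the new file rule.

    Raises:
        ValueError: hashvalue is not a hex digest of 32, 40 or 64 chars.
        requests.HTTPError: non-2xx response from the fileRule endpoint.
    """
    launch = Launch()
    args = launch.get_args()
    b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
    authJson = {"X-Auth-Token": b9apitoken, "content-type": "application/json"}
    serverurl = b9serverurl + "/api/bit9platform/v1/"
    fileruleurl = serverurl + "fileRule"
    b9StrongCert = True  # Bit9 calls verify the server certificate

    # Refuse to create a rule for something that cannot be a hash (the original posted any string).
    hashvalue = hashvalue or ""
    if len(hashvalue) not in (32, 40, 64) or not set(hashvalue) <= set("0123456789abcdefABCDEF"):
        raise ValueError("hash value is not a hex digest: %r" % (hashvalue,))

    print(colored.yellow("[*] Banning " + hashvalue + "..."))
    # fileState 3 is what this tool treats as "Banned"; "policyIds": "0" is what the original sent,
    # presumably meaning every policy -- confirm both against the Bit9 fileRule documentation.
    data = {"hash": hashvalue, "fileState": 3, "policyIds": "0", "name": rulename}
    r = requests.post(fileruleurl, json.dumps(data), headers=authJson, verify=b9StrongCert)
    r.raise_for_status()

    # Best-effort confirmation; only an encoding failure is expected here. The original bare
    # except also swallowed KeyboardInterrupt/SystemExit.
    try:
        print(colored.green("[+] " + str(rulename) + " " + str(hashvalue) + " Banned!"))
    except UnicodeError:
        print(colored.yellow("[*] Can't print strange characters, need to learn 2 codec"))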
from Helpers.AddFileMods import AddFileMods
from Helpers.AddRegistryMods import AddRegistryMods
from Helpers.AddNetConns import AddNetConns
from Helpers.AddFileModThreatIntel import AddFileModThreatIntel
from Helpers.AddModulesLoaded import AddModulesLoaded
from Helpers.AddModulesLoadedThreatIntel import AddModulesLoadedThreatIntel

# NOTE(review): sn, sys, Launch, GetProcessReport, CreateTimeTable and CreateTimeNodes are used
# below but not imported in this excerpt, and AddRegistryMods / the *ThreatIntel helpers are
# imported but never called here -- the rest of the file (and probably of this main block) is
# outside this view.
if __name__ == '__main__':
    # Graph onto which the process timeline is plotted; nodes are cached by their "label".
    graph = sn.Graph()
    graph.cache_nodes_by("label")
    launch = Launch()
    # No arguments at all: print usage and stop.
    if len(sys.argv) == 1:
        launch.show_options()
        sys.exit()
    launch.show_logo()
    args = launch.get_args()
    #load CB API
    cb = launch.load_config_file(args.configfile)
    #Get process report for CB link
    report = GetProcessReport.Run(cb, args.link)
    #Create a timetable
    timetable, timelist = CreateTimeTable.Run(report)
    #Create time nodes to plot process activity on
    CreateTimeNodes.Run(graph, timelist)
    #Add modules loaded to time nodes
    #AddModulesLoaded.Run(graph, timetable, report)
    #Add file modifications
    AddFileMods.Run(graph, timetable, report)
    #Add Netcons
    AddNetConns.Run(graph, timetable, report)
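#!/usr/bin/env python
from Carbonblack.FindCBComputer import FindCBComputer
from Carbonblack.FindCBComputerGroup import FindCBComputerGroup
from Carbonblack.RemoveCBComputer import RemoveCBComputer
from Launch.Launch import Launch
from datetime import datetime, timedelta


def main():
    """Remove Carbon Black sensors in one sensor group that have not checked in for N days.

    Arguments come from Launch.get_args(): --configfile, groupid (the sensor group to sweep) and
    daysoffline (the threshold). Every matching sensor is removed immediately -- there is no
    dry-run or confirmation -- so treat daysoffline conservatively.
    """
    launch = Launch()
    args = launch.get_args()
    cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)
    now = datetime.now()
    offline_after = timedelta(days=int(args.daysoffline))

    # Sensors of the group given on the command line (the old comment hard-coding group 6 was stale).
    cblookup = FindCBComputerGroup.Run(str(args.groupid), cbserverurl, cbapitoken)
    for computer in cblookup:
        # Only an explicit JSON false qualifies (same as the original == False); anything else is
        # left alone because the path below is destructive.
        if computer['uninstall'] is not False:
            continue
        # NOTE(review): the timestamp is truncated to seconds and parsed as a naive datetime, while
        # datetime.now() is local time -- this assumes CB reports last_checkin_time in the same
        # timezone as this host. Confirm, or the threshold is off by the UTC offset.
        lastcheckintime = datetime.strptime(str(computer['last_checkin_time'][:19]), "%Y-%m-%d %H:%M:%S")
        if now - lastcheckintime > offline_after:
            print(computer['computer_name'] + " has not checked in in over " + str(args.daysoffline) + " days, removing.")
            RemoveCBComputer.Run(computer['computer_name'], cbserverurl, cbapitoken)


if __name__ == '__main__':
    main()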
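def _vt_link(entry):
    """VirusTotal report URL for a Bit9 file catalog entry (keyed by its sha256)."""
    return "https://www.virustotal.com/latest-report.html?resource=" + str(entry['sha256'])


def _print_reputation(entry):
    """Print the VirusTotal link and Bit9 prevalence count for a catalog entry."""
    print(colored.cyan(_vt_link(entry)))
    print(colored.cyan("[i] Prevalence: " + str(entry['prevalence'])))


def _offer_ban(hashstate):
    """Offer to ban the file hash and, when the file has a publisher, its certificate.

    Each prompt is answered through GetUserInput.Run(): True bans, False prints a notice,
    anything else does nothing (mirrors the original's two separate == True / == False checks).
    """
    entry = hashstate[0]
    # Best-effort prompt: a file name the terminal cannot encode must not abort the flow.
    try:
        print(colored.magenta("[?] " + str(entry['fileName']) + " is not Banned, shall we?"))
    except UnicodeError:
        print(colored.yellow("[*] Can't print filename, strange characters."))
    answer = GetUserInput.Run()
    if answer == True:  # noqa: E712 -- GetUserInput.Run()'s return type is not visible here; keep the original test
        BanHash.Run(entry['sha256'], entry['fileName'])
    elif answer == False:  # noqa: E712
        print(colored.yellow("[*] Okay then, not banning the hash."))
    if entry['publisherState'] > 0:
        # str() on both fields: the original concatenated them raw and crashed on a None file name.
        print(colored.magenta("[?] " + str(entry['fileName']) + " also has a publisher, " + str(entry['publisher']) + " shall we Ban it?"))
        answer = GetUserInput.Run()
        if answer == True:  # noqa: E712
            BanCertificate.Run(hashstate)
        elif answer == False:  # noqa: E712
            print(colored.yellow("[*] Okay then, not banning the Certificate."))


def Run(hashstate, event):
    """Interactively triage a Bit9 file catalog entry, optionally in the context of a Bit9 event.

    Args:
        hashstate: list of fileCatalog entries; only hashstate[0] is used.
        event: Bit9 event dict ('pathName', 'computerName') for the execution being triaged,
            or None when triaging the hash on its own.

    For a hash that is not Banned: shows where it ran (CheckExecution), its VirusTotal link and
    prevalence, the file details, then offers to ban the hash and its publisher certificate.
    For a hash that is already Banned: offers a Carbon Black check (no event) or just reports
    the state (event given).

    Raises:
        ValueError: hashstate is empty (the original raised IndexError).
    """
    launch = Launch()
    args = launch.get_args()
    # The Bit9 connection details are not used in this function; the call is kept because
    # get_args()/load_b9_config() are where argument and config errors surface.
    launch.load_b9_config(args.configfile)

    if not hashstate:
        raise ValueError("no file catalog entry to triage")
    entry = hashstate[0]
    banned = entry['effectiveState'] == 'Banned'

    if event is None:
        if not banned:
            print(colored.yellow("[*] Hash is not Banned"))
            CheckExecution.Run(entry['md5'])
            _print_reputation(entry)
            print(colored.cyan("[?] File Name: " + str(entry['fileName'])))
            print(colored.cyan("[?] Path: " + str(entry['pathName'])))
            _offer_ban(hashstate)
        else:
            print(colored.yellow("[*] Hash is banned."))
            print(colored.magenta("[?] Check Carbon Black?"))
            if GetUserInput.Run() == True:  # noqa: E712
                CheckExecution.Run(entry['md5'])
        return

    if not banned:
        print(colored.yellow("[*] Hash is not Banned"))
        CheckExecution.Run(entry['md5'])
        _print_reputation(entry)
        try:
            print(colored.cyan("[i] Path: " + str(event['pathName'])))
        except (KeyError, TypeError, UnicodeError):
            # Narrowed from a bare except (which also swallowed KeyboardInterrupt); the raw event
            # is still dumped so the failure can be diagnosed.
            print(colored.yellow("[*] Can't print out path, probably some character encoding issues..."))
            print(event)
        print(colored.cyan("[i] Hostname: " + str(event['computerName'])))
        if entry['publisher'] != '':
            try:
                print(colored.cyan("[i] Publisher: " + str(entry['publisher'])))
            except UnicodeError:
                print(colored.yellow("[*] Can't print out publisher, strange characters, need to encode."))
        _offer_ban(hashstate)
    elif entry['fileName'] is None:
        print(colored.yellow("[*] Hash " + str(entry['sha256']) + " is Banned but has no File Name, " + _vt_link(entry)))
    else:
        try:
            print(colored.yellow("[*] " + str(entry['fileName']) + " is " + entry['effectiveState'] + ", " + _vt_link(entry)))
        except UnicodeError:
            print(colored.yellow("[*] Strange characters, can't print."))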