コード例 #1
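    def Run(md5):
        """Look up an MD5 in Carbon Black, as a parent-process hash and as a process hash.

        For each of the two searches, prints whether Carbon Black holds matching
        process events and, when it does, the console search URL for them.
        Nothing is returned; all output goes to stdout via ``colored``.

        Args:
            md5: MD5 hex digest taken from a Bit9 event.  An empty, whitespace-only
                or trailing-space value is reported as "Bit9 did not capture the
                MD5" and no query is sent (the original only caught the trailing
                space and would have searched for a bare ``md5:`` otherwise).
        """
        # A missing MD5 arrives either empty or padded with whitespace; either way
        # there is nothing to search for.
        if not md5.strip() or md5.endswith(" "):
            print(colored.red("[-] Bit9 did not capture the MD5 :(\n"))
            return

        launch = Launch()
        args = launch.get_args()
        cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)
        # Console deep-link prefixes.  Written as "#search" rather than "\#search":
        # "\#" is not a recognised escape, so the backslash ended up in the URL.
        parentmd5url = cbserverurl + "#search/cb.urlver=1&cb.q.parent_md5=%20"
        md5url = cbserverurl + "#search/cb.urlver=1&cb.q.md5=%20"
        urlsuffix = "&sort=&rows=10&start=0"
        # NOTE(review): ssl_verify=False disables TLS certificate validation on the
        # session that carries the API token; prefer pointing it at a CA bundle.
        cb = cbapi.CbApi(cbserverurl,
                         token=cbapitoken,
                         ssl_verify=False)

        parentquery = 'parent_md5:' + md5
        md5query = 'md5:' + md5

        print(colored.yellow("[*] Checking if Parent MD5 process in Carbon Black..."))
        parentresult = cb.process_search(parentquery, sort='start desc')
        if parentresult['total_results'] == 0:
            print(colored.cyan("[+] Not a Parent MD5 process"))
        else:
            print(colored.green("[+] Parent MD5 event found in Carbon Black."))
            print(colored.cyan(parentmd5url + md5 + urlsuffix))

        print(colored.yellow("[*] Checking if MD5 seen in Carbon Black..."))
        md5result = cb.process_search(md5query, sort='start desc')
        if md5result['total_results'] == 0:
            print(colored.cyan("[+] Not seen in Carbon Black."))
        else:
            print(colored.green("[+] MD5 Found in CB."))
            print(colored.cyan(md5url + md5 + urlsuffix))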
コード例 #2
ファイル: CheckHash.py プロジェクト: bigblueswope/Gladius
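    def Run(hashtype,value):
        """Query the Bit9 fileCatalog for a file hash and return the decoded JSON.

        Args:
            hashtype: "md5", "sha1" or "sha256" (matched case-insensitively).
            value: hex digest to look up; it is appended verbatim to the
                ``q=<type>:`` filter.

        Returns:
            The decoded JSON body of the fileCatalog response.

        Raises:
            ValueError: for any other hashtype.  The original per-type ``if``s
                left ``hashurl`` unbound for unknown types and referenced a
                ``sha1url`` that was never defined, so "sha1" raised NameError.
            requests.HTTPError: on a non-2xx response (``raise_for_status``).
        """
        launch = Launch()
        args = launch.get_args()
        b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
        authJson = {
            'X-Auth-Token': b9apitoken,
            'content-type': 'application/json'
        }
        serverurl = b9serverurl + "/api/bit9platform/v1/"
        # One query prefix per supported hash type.
        # NOTE(review): assumes fileCatalog accepts a "sha1" filter like md5/sha256
        # -- confirm against the Bit9 API reference before relying on it.
        hashurls = {
            "md5": serverurl + "fileCatalog?q=md5:",
            "sha1": serverurl + "fileCatalog?q=sha1:",
            "sha256": serverurl + "fileCatalog?q=sha256:",
        }
        b9StrongCert = True  # TLS validation stays on: the API token rides on this request

        try:
            hashurl = hashurls[hashtype.lower()]
        except KeyError:
            raise ValueError("unsupported hash type: %r" % (hashtype,))

        r = requests.get(hashurl + value, headers=authJson, verify=b9StrongCert)
        r.raise_for_status()
        return r.json()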
コード例 #3
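    def Run(computername):
        """Look up Carbon Black sensors by hostname and return the decoded JSON.

        Args:
            computername: hostname to match; passed as the ``hostname`` query
                parameter of ``/api/v1/sensor``.

        Returns:
            The decoded JSON body of the sensor lookup.

        Raises:
            requests.HTTPError: on a non-2xx response.  Previously an error
                response went straight to ``resp.json()``, so a failed lookup
                surfaced as a decode error or as an error body returned to
                the caller.
        """
        launch = Launch()
        args = launch.get_args()
        cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)

        headers = {"X-Auth-Token": cbapitoken}
        # NOTE(review): verify=False disables TLS certificate validation on the
        # request that carries the API token; point verify at a CA bundle instead.
        resp = requests.get(cbserverurl + "/api/v1/sensor?hostname=" + str(computername),
                            headers=headers, verify=False)
        resp.raise_for_status()
        return resp.json()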
コード例 #4
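    def Run(computername):
        """Look up Carbon Black sensors by hostname and return the decoded JSON.

        Args:
            computername: hostname to match; passed as the ``hostname`` query
                parameter of ``/api/v1/sensor``.

        Returns:
            The decoded JSON body of the sensor lookup.

        Raises:
            requests.HTTPError: on a non-2xx response.  Previously an error
                response went straight to ``resp.json()``, so a failed lookup
                surfaced as a decode error or as an error body returned to
                the caller.
        """
        launch = Launch()
        args = launch.get_args()
        cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)

        headers = {"X-Auth-Token": cbapitoken}
        # NOTE(review): verify=False disables TLS certificate validation on the
        # request that carries the API token; point verify at a CA bundle instead.
        resp = requests.get(
            cbserverurl + "/api/v1/sensor?hostname=" + str(computername),
            headers=headers,
            verify=False)
        resp.raise_for_status()
        return resp.json()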
コード例 #5
ファイル: FindComputer.py プロジェクト: bigblueswope/Gladius
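	def Run(computername):
		"""Look up Bit9 computers by name and return the decoded JSON.

		Args:
			computername: name to match; appended verbatim to the
				``computer?q=name:`` filter.

		Returns:
			The decoded JSON body of the computer lookup.

		Raises:
			requests.HTTPError: on a non-2xx response.
		"""
		launch = Launch()
		args = launch.get_args()
		b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
		authJson = {
			'X-Auth-Token': b9apitoken,
			'content-type': 'application/json'
		}
		serverurl = b9serverurl + "/api/bit9platform/v1/"
		computernameurl = serverurl + "computer?q=name:"
		# (The unused "Computer/" URL the original also built has been dropped.)
		b9StrongCert = True  # TLS validation stays on: the API token rides on this request
		# NOTE(review): computername is spliced into the query string unencoded; a
		# value containing '&' would alter the request -- validate or encode upstream.
		r = requests.get(computernameurl + computername, headers=authJson, verify=b9StrongCert)
		r.raise_for_status()
		return r.json()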
コード例 #6
ファイル: Events.py プロジェクト: bigblueswope/Gladius
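 def Run(term, value, limit):
     """Query Bit9 events matching ``term:value`` and return the decoded JSON.

     Args:
         term: event field to filter on; used verbatim in the ``q=`` parameter.
         value: value the field must match.
         limit: maximum number of events to return.  Accepted as int or str;
             the original concatenated it directly and raised TypeError on an int.

     Returns:
         The decoded JSON body of ``event?q=term:value&limit=N``, newest first
         (``sort=receivedTimestamp DESC``).

     Raises:
         requests.HTTPError: on a non-2xx response.
     """
     launch = Launch()
     args = launch.get_args()
     b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
     authJson = {"X-Auth-Token": b9apitoken, "content-type": "application/json"}
     serverurl = b9serverurl + "/api/bit9platform/v1/"
     eventurl = serverurl + "event"
     b9StrongCert = True  # TLS validation stays on: the API token rides on this request
     # NOTE(review): term and value are spliced into the query string unencoded;
     # a value containing '&' or ':' would alter the filter -- validate or encode upstream.
     r = requests.get(
         eventurl + "?q=" + str(term) + ":" + str(value) + "&limit=" + str(limit) + "&sort=receivedTimestamp%20DESC",
         headers=authJson,
         verify=b9StrongCert,
     )
     r.raise_for_status()
     return r.json()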
コード例 #7
ファイル: CheckHash.py プロジェクト: hpurple/CarbonGraphiti
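    def Run(hashvalue):
        """Query the Bit9 fileCatalog by MD5 and return the decoded JSON.

        Args:
            hashvalue: MD5 hex digest, appended verbatim to the ``q=md5:``
                filter.  Only the md5 field is queried; the sha256 URL the
                original also built was never used and has been dropped.

        Returns:
            The decoded JSON body of the fileCatalog response.

        Raises:
            requests.HTTPError: on a non-2xx response.
        """
        launch = Launch()
        args = launch.get_args()
        b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
        authJson = {
            'X-Auth-Token': b9apitoken,
            'content-type': 'application/json'
        }
        serverurl = b9serverurl + "/api/bit9platform/v1/"
        md5url = serverurl + "fileCatalog?q=md5:"
        # NOTE(review): False disables TLS certificate validation on a request
        # that carries the API token; the sibling Gladius modules keep it True.
        b9StrongCert = False

        r = requests.get(md5url + hashvalue, headers=authJson, verify=b9StrongCert)
        r.raise_for_status()
        return r.json()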
コード例 #8
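	def Run(hashstate):
		"""Ban the publisher (certificate) of the first catalog entry in hashstate.

		Sends ``PUT publisher/<publisherId>`` with ``publisherState`` 3 -- the
		value this project uses for "Banned" -- and reports progress on stdout.

		Args:
			hashstate: Bit9 fileCatalog result list; only ``hashstate[0]`` is
				used and it must carry 'publisher' and 'publisherId'.  An empty
				list is reported and skipped (indexing it raised IndexError).

		Raises:
			requests.HTTPError: on a non-2xx response from the Bit9 API.
		"""
		if not hashstate:
			print(colored.red("[-] No fileCatalog entry, no certificate to ban."))
			return
		entry = hashstate[0]
		launch = Launch()
		args = launch.get_args()
		b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
		authJson = {
			'X-Auth-Token': b9apitoken,
			'content-type': 'application/json'
		}
		serverurl = b9serverurl + "/api/bit9platform/v1/"
		certificateurl = serverurl + "publisher/"
		b9StrongCert = True  # TLS validation stays on: the API token rides on this request
		print(colored.yellow("[*] Banning certificate for " + entry['publisher'] + "..."))
		data = {'publisherState': 3}
		r = requests.put(certificateurl + str(entry['publisherId']), json.dumps(data), headers=authJson, verify=b9StrongCert)
		r.raise_for_status()
		print(colored.green("[+] " + entry['publisher'] + " certificate has been Banned!"))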
コード例 #9
ファイル: BanHash.py プロジェクト: bigblueswope/Gladius
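 def Run(hashvalue, rulename):
     """Create a Bit9 fileRule that bans hashvalue and report the result.

     Args:
         hashvalue: file hash to ban (the calling code passes the sha256).
         rulename: display name for the new file rule.

     Raises:
         ValueError: if hashvalue is empty -- the original would have posted
             a rule with an empty hash.
         requests.HTTPError: on a non-2xx response.
     """
     if not hashvalue:
         raise ValueError("hashvalue must not be empty")
     launch = Launch()
     args = launch.get_args()
     b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
     authJson = {"X-Auth-Token": b9apitoken, "content-type": "application/json"}
     serverurl = b9serverurl + "/api/bit9platform/v1/"
     fileruleurl = serverurl + "fileRule"
     b9StrongCert = True  # TLS validation stays on: the API token rides on this request
     print(colored.yellow("[*] Banning " + hashvalue + "..."))
     # fileState 3 is the value this project uses for "Banned"; policyIds "0"
     # presumably means every policy -- confirm against the Bit9 API reference.
     data = {"hash": hashvalue, "fileState": 3, "policyIds": "0", "name": rulename}
     r = requests.post(fileruleurl, json.dumps(data), headers=authJson, verify=b9StrongCert)
     r.raise_for_status()
     try:
         print(colored.green("[+] " + str(rulename) + " " + str(hashvalue) + " Banned!"))
     except UnicodeError:
         # The console encoding cannot represent some rule names; the ban
         # itself already succeeded, so only the confirmation line is lost.
         print(colored.yellow("[*] Can't print strange characters, need to learn 2 codec"))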
コード例 #10
from Helpers.AddFileMods import AddFileMods
from Helpers.AddRegistryMods import AddRegistryMods
from Helpers.AddNetConns import AddNetConns
from Helpers.AddFileModThreatIntel import AddFileModThreatIntel
from Helpers.AddModulesLoaded import AddModulesLoaded
from Helpers.AddModulesLoadedThreatIntel import AddModulesLoadedThreatIntel

if __name__ == '__main__':
    # Entry point: build a time-node graph of a Carbon Black process's activity
    # (file modifications, network connections) for the process link given on
    # the command line.
    graph = sn.Graph()
    graph.cache_nodes_by("label")
    launch = Launch()
    if len(sys.argv) == 1:
        # No arguments at all: show usage and stop before any API access.
        launch.show_options()
        sys.exit()
    launch.show_logo()
    args = launch.get_args()
    #load CB API
    cb = launch.load_config_file(args.configfile)
    #Get process report for CB link

    report = GetProcessReport.Run(cb, args.link)
    #Create a timetable
    timetable, timelist = CreateTimeTable.Run(report)
    #Create time nodes to plot process activity on
    CreateTimeNodes.Run(graph, timelist)
    #Add modules loaded to time nodes (disabled: AddModulesLoaded is imported but not called)
    #AddModulesLoaded.Run(graph, timetable, report)
    #Add file modifications
    AddFileMods.Run(graph, timetable, report)
    #Add Netcons
    AddNetConns.Run(graph, timetable, report)
コード例 #11
#!/usr/bin/env python
from Carbonblack.FindCBComputer import FindCBComputer
from Carbonblack.FindCBComputerGroup import FindCBComputerGroup
from Carbonblack.RemoveCBComputer import RemoveCBComputer
from Launch.Launch import Launch
from datetime import datetime, timedelta


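if __name__ == '__main__':
    # Remove Carbon Black sensors in the --groupid sensor group that have not
    # checked in for more than --daysoffline days.  Indentation normalised to
    # spaces: the original mixed tabs and spaces, which Python 3 rejects (TabError).
    launch = Launch()
    args = launch.get_args()
    cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)
    # NOTE(review): naive local time is compared against last_checkin_time as
    # parsed; this assumes the sensor timestamps are in the same zone -- confirm.
    now = datetime.now()
    offline_after = timedelta(days=int(args.daysoffline))

    # Sensors in the group named on the command line (the earlier comment about
    # a hard-coded group '6' / 'cloud-ops' no longer applied).
    cblookup = FindCBComputerGroup.Run(str(args.groupid), cbserverurl, cbapitoken)
    for computer in cblookup:
        # Explicit == False so a missing/None 'uninstall' value is never treated
        # as an active sensor and removed; matches the original check.
        if computer['uninstall'] == False:
            # Timestamp is truncated to "YYYY-MM-DD HH:MM:SS" before parsing.
            lastcheckintime = datetime.strptime(str(computer['last_checkin_time'][:19]), "%Y-%m-%d %H:%M:%S")
            if (now - lastcheckintime) > offline_after:
                print(computer['computer_name'] + " has not checked in in over " + str(args.daysoffline) + " days, removing.")
                RemoveCBComputer.Run(computer['computer_name'], cbserverurl, cbapitoken)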
コード例 #12
ファイル: EvalHashState.py プロジェクト: droptables/Gladius
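    def Run(hashstate,event):
        """Report a file hash's Bit9 state and offer to ban it (and its publisher).

        The two branches of the original (with and without an event) differed
        only in which details were printed; the shared ban prompt is now one
        nested helper.  The Launch/config lookups the original performed were
        never used here and have been dropped.

        Args:
            hashstate: Bit9 fileCatalog result list; only ``hashstate[0]`` is
                used.  An empty list is reported and skipped (indexing it
                raised IndexError).
            event: the Bit9 event the hash came from, or None when the hash was
                given directly.  When present its 'pathName' and 'computerName'
                are shown alongside the catalog details.

        Returns:
            None.  Everything is reported on stdout; bans are performed through
            BanHash.Run / BanCertificate.Run after GetUserInput.Run confirms.
        """
        if not hashstate:
            print(colored.yellow("[*] No fileCatalog entry for this hash."))
            return
        entry = hashstate[0]
        vturl = "https://www.virustotal.com/latest-report.html?resource=" + str(entry['sha256'])

        def safe_print(line, fallback):
            # Some catalog strings cannot be encoded for the console (Python 2
            # str/unicode mix); print a plain fallback instead of aborting.
            try:
                print(line)
            except UnicodeError:
                print(colored.yellow(fallback))

        def offer_ban():
            # Prompt to ban the hash, then the publisher if the entry has one.
            safe_print(colored.magenta("[?] " + str(entry['fileName']) + " is not Banned, shall we?"),
                       "[*] Can't print filename, strange characters.")
            userinput = GetUserInput.Run()
            if userinput == True:
                BanHash.Run(entry['sha256'], entry['fileName'])
            elif userinput == False:
                print(colored.yellow("[*] Okay then, not banning the hash."))

            if entry['publisherState'] > 0:
                safe_print(colored.magenta("[?] " + entry['fileName'] + " also has a publisher, " + entry['publisher'] + " shall we Ban it?"),
                           "[*] Can't print publisher prompt, strange characters.")
                userinput = GetUserInput.Run()
                if userinput == True:
                    BanCertificate.Run(hashstate)
                elif userinput == False:
                    print(colored.yellow("[*] Okay then, not banning the Certificate."))

        if entry['effectiveState'] != 'Banned':
            print(colored.yellow("[*] Hash is not Banned"))
            CheckExecution.Run(entry['md5'])
            print(colored.cyan(vturl))
            print(colored.cyan("[i] Prevalence: " + str(entry['prevalence'])))
            if event is None:
                print(colored.cyan("[?] File Name: " + str(entry['fileName'])))
                print(colored.cyan("[?] Path: " + str(entry['pathName'])))
            else:
                # KeyError kept alongside UnicodeError: the original bare except
                # also covered an event without 'pathName'.
                try:
                    print(colored.cyan("[i] Path: " + str(event['pathName'])))
                except (KeyError, UnicodeError):
                    print(colored.yellow("[*] Can't print out path, probably some character encoding issues..."))
                    print(event)
                print(colored.cyan("[i] Hostname: " + str(event['computerName'])))
                if entry['publisher'] != '':
                    safe_print(colored.cyan("[i] Publisher: " + str(entry['publisher'])),
                               "[*] Can't print out publisher, strange characters, need to encode.")
            offer_ban()
        elif event is None:
            print(colored.yellow("[*] Hash is banned."))
            print(colored.magenta("[?] Check Carbon Black?"))
            if GetUserInput.Run() == True:
                CheckExecution.Run(entry['md5'])
        elif entry['fileName'] is None:
            print(colored.yellow("[*] Hash " + str(entry['sha256']) + " is Banned but has no File Name, " + vturl))
        else:
            safe_print(colored.yellow("[*] " + str(entry['fileName']) + " is " + entry['effectiveState'] + ", " + vturl),
                       "[*] Strange characters, can't print.")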