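# <Long Description>
#
# last updated 2015-06-28 by Ben Johnson [email protected]
#
from cbapi.util.cli_helpers import main_helper
from cbapi.legacy.util.live_response_helpers import LiveResponseHelper

# Image name this script terminates; compared case-insensitively against the
# tail of each process path reported by the sensor.
TARGET_PROCESS_NAME = 'iexplore.exe'


def main(cb, args):
    """Kill every running process on one sensor whose path ends with TARGET_PROCESS_NAME.

    Args:
        cb: API client handed in by main_helper.
        args: dict of parsed CLI arguments; reads 'sensorid'.

    Prints one "Killed: path|command_line|username" line per terminated process.
    The live-response session is always stopped, even if a kill fails.
    """
    sensor_id = int(args.get('sensorid'))

    lrh = LiveResponseHelper(cb, sensor_id)
    lrh.start()
    try:
        # Single pass over the current process list.  This could be turned
        # into a polling loop so the process is killed again whenever it
        # reappears.
        for process in lrh.process_list():
            path = process.get('path')
            pid = process.get('pid')
            # An entry without a path cannot be matched and one without a pid
            # cannot be killed, so skip both instead of failing on .lower().
            if not path or pid is None:
                continue
            if path.lower().endswith(TARGET_PROCESS_NAME):
                lrh.kill(pid)
                print("Killed: %s|%s|%s" % (path,
                                            process.get('command_line', ''),
                                            process.get('username', '')))
    finally:
        # Never leave a live-response session open on the sensor.
        lrh.stop()


if __name__ == "__main__":
    required_arg = ("-s", "--sensorid", "store", None, "sensorid", "Sensor id")
    main_helper("Kill all iexplore.exe processes on particular sensor", main,
                custom_required=[required_arg])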
"Description": "Please fill in if you intend to share this." } self.watch_lists.append(wl) def export_watchlists(self): export = { "Author": "Fill in author", "ExportDate": time.strftime("%D %H:%M:%S"), "ExportDescription": "Fill in description", "Watchlists": self.watch_lists, } output = json.dumps(export, indent=4) output_file = open(self.args.get('output_file'), 'w') output_file.write(output) print("-> Done exporting! <-") def main(cb, args): export = Export(cb, args) export.get_watchlists() export.export_watchlists() if __name__ == "__main__": selective_export = ("-m", "--selective", "store_true", False, "selective_export", "Select what watchlsits to export") output_file = ("-f", "--file", "store", False, "output_file", "Select what file output is written to") watchlists = ("-w", "--watchlists", "store", False, "watchlists", "Specific watchlist(s) to export. Can be comma separated.") main_helper( "Export watchlists into a sharable format", main, custom_required=[output_file], custom_optional=[selective_export,watchlists])
# -----------------------------------------------------------------------------
# <Short Description>
#
# <Long Description>
#
# last updated 2015-06-28 by Ben Johnson [email protected]
#
import pprint
from cbapi.util.cli_helpers import main_helper


def main(cb, args):
    """Run a single process search for args['query'] and dump every result.

    Prints a three-line summary (rows displayed, total hits, query time
    shown as milliseconds) followed by each result document pretty-printed
    and separated by blank lines.
    """
    response = cb.process_search(args.get('query'))
    hits = response['results']

    summary = [
        ('Displayed Results', '%s' % len(hits)),
        ('Total Results', '%s' % response['total_results']),
        # 'elapsed' is scaled by 1000 so the value reads as whole milliseconds
        ('QTime', '%sms' % int(1000 * response['elapsed'])),
    ]
    for label, value in summary:
        print("%-20s : %s" % (label, value))
    print('\n')

    for hit in hits:
        pprint.pprint(hit)
        print('\n')


if __name__ == "__main__":
    required_arg = ("-q", "--query", "store", None, "query", "Process search query")
    main_helper("Generic process search", main, custom_required=[required_arg])
continue self.watch_lists.append(watch_list) def add_watchlists(self): for watch_list in self.watch_lists: wl_name = watch_list.get('Name') wl_type = watch_list.get('Type') wl_url = watch_list.get('SearchString').encode('utf-8') print("-> Adding watchlist %s" % wl_name) watchlist = self.cb.watchlist_add( wl_type, wl_name, wl_url) print("-> Watchlist added [id=%s]" % (watchlist['id'])) def main(cb, args): import_wl = ImportWatchlists(cb, args) import_wl.get_watchlists() import_wl.add_watchlists() if __name__ == "__main__": selective_import = ("-m", "--selective", "store_true", False, "selective_import", "Select what watchlsits to import") input_file = ("-f", "--file", "store", False, "input_file", "Select what file holds watchlists") watchlists = ("-w", "--watchlists", "store", False, "watchlists", "Specific watchlist(s) to import. Can be comma separated.") main_helper( "Imports watchlists from a sharable format", main, custom_required=[input_file], custom_optional=[selective_import,watchlists])
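from cbapi.util.cli_helpers import main_helper
from cbapi.util.live_response_helpers import LiveResponseHelper


def main(cb, args):
    """Upload a local file to a sensor through a live-response session.

    Args:
        cb: API client handed in by main_helper.
        args: parsed CLI arguments; reads 'lfile' (local source path),
            'rfile' (destination path on the sensor) and 'sensorid'.

    Prints every key/value pair of the mapping returned by put_file.  The
    session is stopped even when the upload raises.
    """
    lfile = args.get('lfile')
    rfile = args.get('rfile')
    sensor_id = int(args.get('sensorid'))

    lrh = LiveResponseHelper(cb, sensor_id)
    lrh.start()
    try:
        print("[*] Attempting to upload file: %s" % lfile)
        results = lrh.put_file(rfile, lfile)
        print("\n[+] Results:\n============")
        for key in results:
            print("%s = %s" % (key, results[key]))
    finally:
        # Close the live-response session even on failure so the sensor is
        # not left with a dangling session.
        lrh.stop()


if __name__ == "__main__":
    sensor_arg = ("-s", "--sensorid", "store", None, "sensorid", "Sensor id")
    lfile_arg = ("-l", "--localfile", "store", None, "lfile", "Local File Path")
    rfile_arg = ("-r", "--remotefile", "store", None, "rfile", "Remote File Path")
    main_helper("Place a file on remote sensor", main,
                custom_required=[sensor_arg, lfile_arg, rfile_arg])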
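# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# -----------------------------------------------------------------------------
# <Short Description>
#
# <Long Description>
#
# last updated 2015-06-28 by Ben Johnson [email protected]
#
import csv
import sys

from cbapi.util.cli_helpers import main_helper

# Column order of the CSV emitted on stdout.
CSV_HEADER = ("hostname", "username", "start", "parent_path", "path", "cmdline")


def main(cb, args):
    """Write a CSV of processes matching args['query'], one row per process.

    Each row holds the process hostname, username and start time, the parent
    process path, the process path and the process command line, in the order
    given by CSV_HEADER.  Rows go through csv.writer so a command line that
    contains commas or quotes is quoted instead of corrupting the row; fields
    missing from the API response are written as empty cells.
    """
    query = args.get('query')
    writer = csv.writer(sys.stdout, lineterminator='\n')
    writer.writerow(CSV_HEADER)
    for proc, proc_details, parent_details in cb.process_search_and_detail_iter(query):
        writer.writerow([
            proc.get('hostname'),
            proc.get('username'),
            proc.get('start'),
            parent_details.get('path'),
            proc.get('path'),
            proc_details.get('cmdline'),
        ])


if __name__ == "__main__":
    required_arg = ("-q", "--query", "store", None, "query", "Process search query")
    main_helper("Generic process search", main, custom_required=[required_arg])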
export = { "Author": "Fill in author", "ExportDate": datetime.datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"), "ExportDescription": "Fill in description", "Watchlists": self.watch_lists, } output = json.dumps(export, indent=4) output_file = open(self.args.get('output_file'), 'w') output_file.write(output) print("-> Done exporting! <-") def main(cb, args): export = Export(cb, args) export.get_watchlists() export.export_watchlists() if __name__ == "__main__": selective_export = ("-m", "--selective", "store_true", False, "selective_export", "Select what watchlsits to export") output_file = ("-f", "--file", "store", False, "output_file", "Select what file output is written to") watchlists = ("-w", "--watchlists", "store", False, "watchlists", "Specific watchlist(s) to export. Can be comma separated.") main_helper("Export watchlists into a sharable format", main, custom_required=[output_file], custom_optional=[selective_export, watchlists])
from cbapi import CbApi import base64 import re def main (cb, args): powershells=cb.process_search_iter('process_name:powershell.exe') for s in powershells: if s['cmdline']: encoded = re.search('\-[eE][nN][cC][oOdDeEcCmMaAnN]*\s([A-Za-z0-9\+/=]+)', s['cmdline']) if encoded != None: i = encoded.group(1) if not re.search('[a-zA-Z0-9\+/]+={1,2}$', i): trailingBytes = len(i) % 4 if trailingBytes == 3: i = i + '=' elif trailingBytes == 2: i = i + '==' decodedCommand = base64.standard_b64decode(i) try: a = decodedCommand.encode('ascii','replace') print "Powershell Decoded Command\n%s/#analyze/%s/1\n%s\n\n" % (args['server_url'],s['id'], a.replace('\0',"")) except UnicodeError: print "Powershell Decoded Command\n%s/#analyze/%s/1\nNon-ASCII decoding, encoded form printed to assist more research\n%s\n" % (args['server_url'],s['id'], s['cmdline']) pass if __name__ == "__main__": main_helper("Decode Powershell Encoded Commands", main, custom_required=None)
for proc in procs['results']: events = cb.process_events(proc['id'],proc['segment_id']) try: start = datetime.datetime.strptime(proc['start'],"%Y-%m-%dT%H:%M:%S.%fZ") end = datetime.datetime.strptime(proc['last_update'], "%Y-%m-%dT%H:%M:%S.%fZ") runtime = int((end-start).total_seconds()) except: # there were some unknown processes with no known start time or # no known last update if not args['skip_unknown']: runtime=1 else: continue rate = proc['netconn_count']/float(runtime) if rate > int(args['conn_rate']): url = '%s/#analyze/%s/%s'%(args['server_url'],proc['id'],proc['segment_id']) print "%s|%s|%.4f"%(url, proc['process_name'],rate) if __name__ == "__main__": optional_arg = [("-g","--gt-count","store",100,"gt_count","Filter processes with greater than [--gt-count] network events"),("-r","--rate","store",100.0,"conn_rate","Alert on processes with more than [--rate] network connections per second"), ("-s","--skip_unknown","store_true",False,"skip_unknown","Skip processes with unknown start or last update")] main_helper("High avg. netconn/second alert",main,custom_optional=optional_arg)
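# <Long Description>
#
# last updated 2015-06-28 by Ben Johnson [email protected]
#
import csv
import sys

from cbapi.util.cli_helpers import main_helper

# Column order of the CSV emitted on stdout.
CSV_HEADER = ("hostname", "username", "start", "parent_path", "path", "cmdline")

# net.exe invocations that are excluded from the report (routine admin use).
NET_QUERY = ('start:%s process_name:net.exe -cmdline:"net stop" '
             '-cmdline:"net files" -cmdline:"net sessions"')


def main(cb, args):
    """Write a CSV of net.exe processes started since args['start'].

    Each row holds hostname, username, start time, parent path, process path
    and command line, in CSV_HEADER order.  Rows go through csv.writer so a
    command line containing commas or quotes is quoted rather than splitting
    the row; fields missing from the response are written as empty cells.
    """
    start = args.get('start')
    writer = csv.writer(sys.stdout, lineterminator='\n')
    writer.writerow(CSV_HEADER)
    for proc, proc_details, parent_details in cb.process_search_and_detail_iter(NET_QUERY % start):
        writer.writerow([
            proc.get('hostname'),
            proc.get('username'),
            proc.get('start'),
            parent_details.get('path'),
            proc.get('path'),
            proc_details.get('cmdline'),
        ])


if __name__ == "__main__":
    required_arg = (
        "-s", "--start", "store", None, "start",
        "Process start time to query for, example, -2h for any net.exe processes started in past 2 hours"
    )
    main_helper("Search for net.exe processes", main, custom_required=[required_arg])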
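# <Short Description>
#
# <Long Description>
#
# last updated 2015-06-28 by Ben Johnson [email protected]
#
import csv
import sys

from cbapi.util.cli_helpers import main_helper

# Column order of the CSV emitted on stdout; matches the fields written per binary.
CSV_HEADER = ("md5", "server_added_timestamp", "digsig_result", "company_name", "file_version")


def main(cb, args):
    """Write a CSV of binaries matching args['query'], one row per binary.

    Each row holds the binary md5, the time the server first saw it, the
    digital-signature result, the company name and the file version, in
    CSV_HEADER order.  Rows go through csv.writer so values containing commas
    or quotes are quoted; missing fields are written as empty cells.
    """
    query = args.get('query')
    writer = csv.writer(sys.stdout, lineterminator='\n')
    writer.writerow(CSV_HEADER)
    for binary in cb.binary_search_iter(query, rows=100):
        writer.writerow([
            binary.get('md5'),
            binary.get('server_added_timestamp'),
            binary.get('digsig_result'),
            binary.get('company_name'),
            binary.get('file_version'),
        ])


if __name__ == "__main__":
    required_arg = ("-q", "--query", "store", None, "query", "Binary search query")
    main_helper("Generic binary search", main, custom_required=[required_arg])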
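# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# -----------------------------------------------------------------------------
# <Short Description>
#
# <Long Description>
#
# last updated 2015-06-28 by Ben Johnson [email protected]
#
from cbapi.util.cli_helpers import main_helper


def _print_sessions(cb, query):
    """Print "start,hostname,username" for processes matching query, then a blank line.

    rows=200 is passed straight to process_search_iter; whether that caps the
    total or only sets the page size depends on that helper.
    """
    for proc in cb.process_search_iter(query, start=0, rows=200):
        print("%s,%s,%s" % (proc.get('start'), proc.get('hostname'), proc.get('username')))
    print("")


def main(cb, args):
    """List OS X logins: GUI sessions (CoreServicesUIAgent) and SSH sessions (sshd -> bash).

    Args:
        cb: API client handed in by main_helper.
        args: parsed CLI arguments (unused).
    """
    print("UI Logins (CoreServicesUIAgent)")
    _print_sessions(cb, 'process_name:CoreServicesUIAgent')

    print("SSH Sessions (sshd -> bash)")
    _print_sessions(cb, 'parent_name:sshd process_name:bash')


if __name__ == "__main__":
    main_helper("Search for OSX logins via particular processes.", main)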
listener = ExtensionFileWatcherAndGrabber(args.get('server_url'), cb, username, password, extensions, output) try: print "Extension File Watcher and Grabber -- started. Watching for:", extensions listener.process() except KeyboardInterrupt: print >> sys.stderr, "Caught Ctrl-C" listener.stop() print "Extension File Watcher and Grabber -- stopped." if __name__ == "__main__": required_args = [ ("-i", "--username", "store", None, "username", "CB messaging username"), ("-p", "--password", "store", None, "password", "CB messaging password"), ("-e", "--extensions", "store", None, "extensions", "Extensions to watch for (e.g .dmp, .vbs), comma-delimited"), ("-o", "--output", "store", None, "output", "Output directory for captured files") ] main_helper( "Subscribe to message bus events and for each file with specified extension, go retrieve it.", main, custom_required=required_args)
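#
# last updated 2015-06-28 by Ben Johnson [email protected]
#
# in the github repo, cbapi is not in the example directory
from cbapi.util.cli_helpers import main_helper


def main(cb, args):
    """For each file path listed in args['inputfile'], print the processes that modified it.

    The input file holds one path per line; blank lines are skipped and CR,
    LF and CRLF line endings are all accepted.  For every matching process
    the raw filemod_complete events are printed, followed by a
    "hostname, process path, searched path" summary line.
    """
    with open(args.get('inputfile')) as handle:
        filepaths = [line.strip() for line in handle.read().splitlines()]

    for filepath in filepaths:
        if not filepath:
            continue
        # The path is interpolated into the search query verbatim, so query
        # syntax characters in it (quotes, colons, wildcards) reach the
        # search backend unescaped.
        query = "filemod:%s" % filepath
        for proc, events in cb.process_search_and_events_iter(query):
            hostname = proc.get('hostname')
            for filemod in events.get('filemod_complete', []):
                print(filemod)
            print("%s, %s, %s" % (hostname, proc.get('path'), filepath))


if __name__ == "__main__":
    required_arg = ("-i", "--inputfile", "store", None, "inputfile",
                    "List of filemod paths to search for")
    main_helper("Search for processes modifying particular filepaths", main,
                custom_required=[required_arg])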
traceback.print_exc() def main(cb, args): username = args.get("username") password = args.get("password") output = args.get("output") extensions = args.get("extensions").split(",") listener = ExtensionFileWatcherAndGrabber(args.get('server_url'), cb, username, password, extensions, output) try: print "Extension File Watcher and Grabber -- started. Watching for:", extensions listener.process() except KeyboardInterrupt: print >> sys.stderr, "Caught Ctrl-C" listener.stop() print "Extension File Watcher and Grabber -- stopped." if __name__ == "__main__": required_args =[("-i", "--username", "store", None, "username", "CB messaging username"), ("-p", "--password", "store", None, "password", "CB messaging password"), ("-e", "--extensions", "store", None, "extensions", "Extensions to watch for (e.g .dmp, .vbs), comma-delimited"), ("-o", "--output", "store", None, "output", "Output directory for captured files")] main_helper("Subscribe to message bus events and for each file with specified extension, go retrieve it.", main, custom_required=required_args)
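from cbapi.util.cli_helpers import main_helper


def main(cb, args):
    """For each file path listed in args['inputfile'], print the processes that modified it.

    The input file holds one path per line; blank lines are skipped and CR,
    LF and CRLF line endings are all accepted.  For every matching process
    the raw filemod_complete events are printed, followed by a
    "hostname, process path, searched path" summary line.
    """
    with open(args.get('inputfile')) as handle:
        filepaths = [line.strip() for line in handle.read().splitlines()]

    for filepath in filepaths:
        if not filepath:
            continue
        # The path is interpolated into the search query verbatim, so query
        # syntax characters in it (quotes, colons, wildcards) reach the
        # search backend unescaped.
        query = "filemod:%s" % filepath
        for proc, events in cb.process_search_and_events_iter(query):
            hostname = proc.get('hostname')
            for filemod in events.get('filemod_complete', []):
                print(filemod)
            print("%s, %s, %s" % (hostname, proc.get('path'), filepath))


if __name__ == "__main__":
    required_arg = ("-i", "--inputfile", "store", None, "inputfile",
                    "List of filemod paths to search for")
    main_helper("Search for processes modifying particular filepaths", main,
                custom_required=[required_arg])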
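# <Short Description>
#
# <Long Description>
#
# last updated 2015-06-28 by Ben Johnson [email protected>
#
from cbapi.util.cli_helpers import main_helper

# Disk device-interface class GUID (GUID_DEVINTERFACE_DISK); the registry
# DeviceClasses key under it gains an entry for each attached disk device.
DISK_CLASS_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
# Marker preceding the vendor/product/serial part of a USB disk's entry.
USBSTOR_MARKER = "usbstor#disk&"


def main(cb, args):
    """Print the USB disk identifiers recorded in DeviceClasses registry writes since args['start'].

    Searches for processes that modified the DeviceClasses key for disks,
    then, for each regmod_complete event whose registry path contains
    DISK_CLASS_GUID, prints the portion of the path after USBSTOR_MARKER.
    Paths without that marker are reported with a WARN:::: prefix.
    """
    start = args.get('start')
    query = ('start:%s regmod:registry\\machine\\system\\currentcontrolset\\control'
             '\\deviceclasses\\%s\\*' % (start, DISK_CLASS_GUID))

    for proc, events in cb.process_search_and_events_iter(query):
        for event in events.get('regmod_complete', []):
            fields = event.split('|')
            # The registry path is read from the third pipe-delimited field;
            # skip shorter events instead of raising IndexError.
            if len(fields) < 3:
                print("WARN:::: malformed regmod event: %s" % event)
                continue
            regpath = fields[2]
            if DISK_CLASS_GUID not in regpath:
                continue

            pieces = regpath.split(USBSTOR_MARKER)
            if len(pieces) < 2:
                print("WARN:::: %s" % (pieces,))
            else:
                print(pieces[1])


if __name__ == "__main__":
    required_arg = ("-s", "--start", "store", None, "start",
                    "Process start time to query for, example, -2h for any processes started in past 2 hours")
    main_helper("Search for usb device usages", main, custom_required=[required_arg])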
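from cbapi.util.cli_helpers import main_helper
from cbapi.util.live_response_helpers import LiveResponseHelper


def main(cb, args):
    """Delete a file on a sensor through a live-response session.

    Args:
        cb: API client handed in by main_helper.
        args: parsed CLI arguments; reads 'filepath' (path on the sensor)
            and 'sensorid'.

    Prints every key/value pair of the mapping returned by del_file.  The
    session is stopped even when the deletion raises.
    """
    filepath = args.get('filepath')
    sensor_id = int(args.get('sensorid'))

    lrh = LiveResponseHelper(cb, sensor_id)
    lrh.start()
    try:
        print("[*] Attempting to delete file: %s" % filepath)
        results = lrh.del_file(filepath)
        print("\n[+] Results:\n============")
        for key in results:
            print("%s = %s" % (key, results[key]))
    finally:
        # Close the live-response session even on failure so the sensor is
        # not left with a dangling session.
        lrh.stop()


if __name__ == "__main__":
    sensor_arg = ("-s", "--sensorid", "store", None, "sensorid", "Sensor id")
    file_arg = ("-f", "--filepath", "store", None, "filepath", "File Path")
    main_helper("Remove file from remote sensor", main,
                custom_required=[sensor_arg, file_arg])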
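from cbapi.util.cli_helpers import main_helper

# Meaning of the action code carried in the first field of a filemod_complete event.
FILEMOD_ACTIONS = {
    "1": "CREATE",
    "2": "MODIFY",
    "4": "DELETE",
    "8": "EXECUTABLE_WRITE",
}

# Only modifications to files with these extensions are reported.
WATCHED_EXTENSIONS = (".exe", ".dll")


def main(cb, args):
    """Report cmd.exe processes that created, modified or deleted .exe/.dll files.

    Args:
        cb: API client handed in by main_helper.
        args: parsed CLI arguments (unused).

    Prints each raw filemod_complete event, then a
    "timestamp,hostname,username,process path,file path,action" line with
    the action code translated through FILEMOD_ACTIONS (unknown codes are
    printed as-is).
    """
    query = r"process_name:cmd.exe (filemod:*.exe or filemod:*.dll)"
    for proc, events in cb.process_search_and_events_iter(query):
        filemods = events.get("process", {}).get("filemod_complete", [])
        for filemod in filemods:
            print(filemod)
            # TODO -- figure out fields
            fields = filemod.split("|")
            # Expected layout: action|timestamp|filepath|md5|...; skip events
            # that are too short rather than failing on unpacking.
            if len(fields) < 3:
                continue
            action, timestamp, filepath = fields[0], fields[1], fields[2].lower()
            # endswith() accepts a tuple; testing the two suffixes separately
            # with "or" would reject every path, since none ends in both.
            if not filepath.endswith(WATCHED_EXTENSIONS):
                continue
            action = FILEMOD_ACTIONS.get(action, action)
            print("%s,%s,%s,%s,%s,%s" % (timestamp, proc["hostname"], proc["username"],
                                         proc["path"], filepath, action))


if __name__ == "__main__":
    main_helper("Search for cmd.exe writing to exe and dll filepaths", main)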
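from cbapi.util.cli_helpers import main_helper
from cbapi.legacy.util.live_response_helpers import LiveResponseHelper


def main(cb, args):
    """Upload a local file to a sensor through a live-response session.

    Args:
        cb: API client handed in by main_helper.
        args: parsed CLI arguments; reads 'lfile' (local source path),
            'rfile' (destination path on the sensor) and 'sensorid'.

    Prints every key/value pair of the mapping returned by put_file.  The
    session is stopped even when the upload raises.
    """
    lfile = args.get('lfile')
    rfile = args.get('rfile')
    sensor_id = int(args.get('sensorid'))

    lrh = LiveResponseHelper(cb, sensor_id)
    lrh.start()
    try:
        print("[*] Attempting to upload file: %s" % lfile)
        results = lrh.put_file(rfile, lfile)
        print("\n[+] Results:\n============")
        for key in results:
            print("%s = %s" % (key, results[key]))
    finally:
        # Close the live-response session even on failure so the sensor is
        # not left with a dangling session.
        lrh.stop()


if __name__ == "__main__":
    sensor_arg = ("-s", "--sensorid", "store", None, "sensorid", "Sensor id")
    lfile_arg = ("-l", "--localfile", "store", None, "lfile", "Local File Path")
    rfile_arg = ("-r", "--remotefile", "store", None, "rfile", "Remote File Path")
    main_helper("Place a file on remote sensor", main,
                custom_required=[sensor_arg, lfile_arg, rfile_arg])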
continue regmod_regexes.append(re.compile(line)) listener = RegistryModWatcherAndValueGrabber(args.get('server_url'), cb, username, password, regmod_regexes, verbose) try: if verbose: print "Registry Mod Watcher and Grabber -- started. Watching for:", regpaths_data else: print "Registry Mod Watcher and Grabber -- started. Watching for %d regexes" % len(regmod_regexes) listener.process() except KeyboardInterrupt: print >> sys.stderr, "Caught Ctrl-C" listener.stop() print "Registry Mod Watcher and Grabber -- stopped." if __name__ == "__main__": ## YOU CAN USE data/autoruns_regexes.txt to test ## required_args =[("-i", "--username", "store", None, "username", "CB messaging username"), ("-p", "--password", "store", None, "password", "CB messaging password"), ("-r", "--regpaths_file", "store", None, "regpaths_file", "File of newline delimited regexes for regpaths")] optional_args = [("-v", "--verbose", "store_true", False, "verbose", "Enable verbose output")] main_helper("Subscribe to message bus events and for each registry modification that matches one of our supplied regexes, go retrieve value.", main, custom_required=required_args, custom_optional=optional_args)
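import csv
import sys

from cbapi.util.cli_helpers import main_helper

# Column order of the CSV emitted on stdout.
CSV_HEADER = ("hostname", "username", "start", "parent_path", "path", "cmdline")

# net.exe invocations that are excluded from the report (routine admin use).
NET_QUERY = (
    'start:%s process_name:net.exe -cmdline:"net stop" '
    '-cmdline:"net files" -cmdline:"net sessions"'
)


def main(cb, args):
    """Write a CSV of net.exe processes started since args['start'].

    Each row holds hostname, username, start time, parent path, process path
    and command line, in CSV_HEADER order.  Rows go through csv.writer so a
    command line containing commas or quotes is quoted rather than splitting
    the row; fields missing from the response are written as empty cells.
    """
    start = args.get("start")
    writer = csv.writer(sys.stdout, lineterminator="\n")
    writer.writerow(CSV_HEADER)
    for proc, proc_details, parent_details in cb.process_search_and_detail_iter(NET_QUERY % start):
        writer.writerow(
            [
                proc.get("hostname"),
                proc.get("username"),
                proc.get("start"),
                parent_details.get("path"),
                proc.get("path"),
                proc_details.get("cmdline"),
            ]
        )


if __name__ == "__main__":
    required_arg = (
        "-s",
        "--start",
        "store",
        None,
        "start",
        "Process start time to query for, example, -2h for any net.exe processes started in past 2 hours",
    )
    main_helper("Search for net.exe processes", main, custom_required=[required_arg])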
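# Meaning of the action code carried in the first field of a filemod_complete event.
FILEMOD_ACTIONS = {
    "1": "CREATE",
    "2": "MODIFY",
    "4": "DELETE",
    "8": "EXECUTABLE_WRITE",
}

# Only modifications to files with these extensions are reported.
WATCHED_EXTENSIONS = (".exe", ".dll")


def main(cb, args):
    """Report cmd.exe processes that created, modified or deleted .exe/.dll files.

    Args:
        cb: API client handed in by main_helper.
        args: parsed CLI arguments (unused).

    Prints each raw filemod_complete event, then a
    "timestamp,hostname,username,process path,file path,action" line with
    the action code translated through FILEMOD_ACTIONS (unknown codes are
    printed as-is).
    """
    query = r"process_name:cmd.exe (filemod:*.exe or filemod:*.dll)"
    for proc, events in cb.process_search_and_events_iter(query):
        filemods = events.get('process', {}).get('filemod_complete', [])
        for filemod in filemods:
            print(filemod)
            # TODO -- figure out fields
            fields = filemod.split('|')
            # Expected layout: action|timestamp|filepath|md5|...; skip events
            # that are too short rather than failing on unpacking.
            if len(fields) < 3:
                continue
            action, timestamp, filepath = fields[0], fields[1], fields[2].lower()
            # endswith() accepts a tuple; testing the two suffixes separately
            # with "or" would reject every path, since none ends in both.
            if not filepath.endswith(WATCHED_EXTENSIONS):
                continue
            action = FILEMOD_ACTIONS.get(action, action)
            print("%s,%s,%s,%s,%s,%s" % (timestamp, proc['hostname'], proc['username'],
                                         proc['path'], filepath, action))


if __name__ == "__main__":
    main_helper("Search for cmd.exe writing to exe and dll filepaths", main)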