コード例 #1
0
def get_process_file_cb(action, success, incident, results, handle):

    if not success:
        return

    phantom.debug(results)

    parameters = []

    result_items = phantom.parse_success(results)

    phantom.debug(result_items)

    phantom.debug(results)

    for item in result_items:
        parameters.append({
            "vault_id": item['vault_id'],
            'file_name': item['name']
        })
        #vault_id = results[0]['action_results'][0]['data'][0]['vault_id']

    phantom.act('detonate file',
                parameters=parameters,
                assets=["threatgrid"],
                callback=detonate_file_cb)

    return
コード例 #2
0
def whois_cb(action, success, incident, results, handle):
    phantom.debug('Action: {0} {1}'.format(action['action_name'], (' SUCCEEDED' if success else ' FAILED')))
    if not success:
        return

    success_results = phantom.parse_success(results)
    for result in success_results:
        phantom.debug('IP: '+str(result['query'])+' is in Country: '+str(result['asn_country_code']))
    
    return
コード例 #3
0
ファイル: zeus_playbook.py プロジェクト: Gwindfan/playbooks
def list_vms_cb(action, success, incident, results, handle):
    phantom.debug('VSphere list vms'+(' SUCCEEDED' if success else ' FAILED'))
    if not success:
        return
    attacked_ips = phantom.victim_ips(incident)
    success_results = phantom.parse_success(results)
    for vm_info in success_results:
        if 'ip' in vm_info:# if the VM is running, it will have an IP
            if vm_info['ip'] in attacked_ips: #if the IP address of the VM is the attacked IP
                phantom.act('snapshot vm', parameters=[{'vmx_path':vm_info['vmx_path'],'download': False}], callback=generic_cb)
    phantom.act('get process file', parameters=[{'name':'*infostealer*','ip_hostname':attacked_ips[0]}], assets=['domainctrl1'], callback=get_process_file_cb)
コード例 #4
0
def whois_cb(action, success, incident, results, handle):
    phantom.debug('Action ' + action +
                  (' SUCCEEDED' if success else ' FAILED'))
    if not success:
        return

    success_results = phantom.parse_success(results)
    for result in success_results:
        phantom.debug('IP: ' + str(result['query']) + ' is in Country: ' +
                      str(result['asn_country_code']))

    return
コード例 #5
0
def get_process_file_cb(action, success, offense, results, handle):

    if not success:
        return
    
    parameters = []
    result_items = phantom.parse_success(results)
    for item in result_items:
        parameters.append({ "vault_id": item['vault_id'], 'file_name': item['name']})
    
    phantom.act('detonate file', parameters=parameters, assets=['Cuckoo'], callback=detonate_file_cb)

    return
コード例 #6
0
def get_system_attrib_cb(action_name, status, incident, results, handle):
    """Callback for the get system attribute action"""

    phantom.debug('Action: {0} {1}'.format(
        action_name, (' SUCCEEDED' if status else ' FAILED')))

    if (status == False):
        return

    # get the handle which is the machine info
    machine = eval(handle)

    phantom.debug("Working on '{0}' with ip '{1}'".format(
        machine['name'], machine['ip']))
    success_list = phantom.parse_success(results)

    phantom.debug('success_list: ' + str(success_list))
    phantom.debug('results: ' + str(results))

    params = []

    # We are carrying out the action for a single machine at a time, so there will be only one machine_info
    machine_info = success_list[0]
    phantom.debug('Machine: {0} is {1}'.format(
        machine_info['name'], machine_info['operatingSystem']))

    # Add the netbootmirrordatafile variable value
    params.append({
        'hostname':
        machine_info['name'],
        'attribute_name':
        'netbootmirrordatafile',
        'attribute_value':
        'BootImagePath=Boot\\x64\\Images\\boot.wim;WdsUnattendFilePath=WDSClientUnattend\\WDSClientUnattend.xml;JoinDomain=1;'
    })

    # Add the extensionattribute1 variable value
    params.append({
        'hostname': machine_info['name'],
        'attribute_name': 'extensionattribute1',
        'attribute_value': 'admin,Office,NYC,Y'
    })

    phantom.act("set system attribute",
                parameters=params,
                assets=['domainctrl2'],
                callback=set_system_attrib_cb,
                handle=handle)

    return
コード例 #7
0
def get_process_file_cb(action, success, offense, results, handle):

    if not success:
        return

    parameters = []
    result_items = phantom.parse_success(results)
    for item in result_items:
        parameters.append({
            "vault_id": item['vault_id'],
            'file_name': item['name']
        })

    phantom.act('detonate file',
                parameters=parameters,
                assets=['Cuckoo'],
                callback=detonate_file_cb)

    return
コード例 #8
0
def check_domain_connectivity_cb(action, success, incident, results, handle):

    if not success:
        return
    
    success_list = phantom.parse_success(results)
    
    # Dump the results of the ping command, the ip address of the domain pinged will change if it is blocked or not.
    phantom.debug("Results:\n{0}".format(json.dumps(success_list, indent=4 * ' ')))
    
    if (handle is None):
        return
    
    handle_dict = json.loads(handle)
    
    add_block = handle_dict['add_block']
    
    if (add_block):
        add_domains_to_block_list()
    
    return
コード例 #9
0
ファイル: anubis_app.py プロジェクト: Gwindfan/playbooks
def get_process_file_cb(action, success, incident, results, handle):

    if not success:
        return

    phantom.debug(results)

    parameters = []

    result_items = phantom.parse_success(results)

    phantom.debug(result_items)

    phantom.debug(results)

    for item in result_items:
        parameters.append({ "vault_id": item['vault_id'], 'file_name': item['name'], 'force_analysis': False })
        #vault_id = results[0]['action_results'][0]['data'][0]['vault_id']

    phantom.act('detonate file', parameters=parameters, assets=["anubis"], callback=detonate_file_cb)

    return
コード例 #10
0
def list_devices_cb(action, success, incident, results, handle):

    if not success:
        return
    
    result_items = phantom.parse_success(results)
                
    phantom.debug(result_items)
              
    parameters = []
    
    for item in result_items:
        
        if ('uuid' not in item):
            continue
            
        param = {"uuid": item["uuid"]}
        parameters.append(param)

    phantom.act('get system info', parameters=parameters, assets=["mobileiron"], callback=get_system_info_cb)

    return
コード例 #11
0
def list_sessions_cb(action, success, container, results, handle):

    if not success:
        return
    
    result_items = phantom.parse_success(results)
                
    phantom.debug(json.dumps(result_items, indent=4))
              
    parameters = []
    
    for item in result_items:
        
        if ('calling_station_id' not in item):
            continue
            
        param = {"ip_macaddress": item["calling_station_id"]}
        parameters.append(param)

    phantom.act('quarantine device', parameters=parameters, assets=["ciscoise"], callback=quarantine_device_cb)

    return
コード例 #12
0
def list_blocked_domains_cb(action, success, incident, results, handle):

    if not success:
        return
    
    success_list = phantom.parse_success(results)
    
    phantom.debug("Domain Block List:\n{0}".format(json.dumps(success_list, indent=4 * ' ')))
    
    
    # unblock all of them, start with a clean slate.
    parameters = []
    for domain_entry in success_list:
        domain = domain_entry['name']
        parameters.append({'domain': domain})
    
    if (parameters):
        phantom.act('unblock domain', parameters=parameters, assets=['opendns_umbrella'], callback=unblock_domains_cleanup_cb)
    else:
        check_domain_connectivity()

    return
コード例 #13
0
def get_system_attrib_cb(action, status, incident, results, handle):
    """Callback for the get system attribute action"""

    phantom.debug('Action: {0} {1}'.format(action['action_name'], (' SUCCEEDED' if status else ' FAILED')))

    if (status == False):
        return

    # get the handle which is the machine info
    machine = eval(handle)
    
    phantom.debug("Working on '{0}' with ip '{1}'".format(machine['name'], machine['ip']))
    success_list = phantom.parse_success(results)
		
    phantom.debug('success_list: ' + str(success_list))
    phantom.debug('results: ' + str(results))
    
    params = []

    # We are carrying out the action for a single machine at a time, so there will be only one machine_info
    machine_info = success_list[0]
    phantom.debug('Machine: {0} is {1}'.format(machine_info['name'], machine_info['operatingSystem']))

    # Add the netbootmirrordatafile variable value
    params.append({'hostname':machine_info['name'], 
        'attribute_name':'netbootmirrordatafile',
        'attribute_value':'BootImagePath=Boot\\x64\\Images\\boot.wim;WdsUnattendFilePath=WDSClientUnattend\\WDSClientUnattend.xml;JoinDomain=1;'})

    # Add the extensionattribute1 variable value
    params.append({'hostname':machine_info['name'], 
        'attribute_name':'extensionattribute1',
        'attribute_value':'admin,Office,NYC,Y'})

    phantom.act("set system attribute", parameters=params, assets=['domainctrl2'], 
            callback=set_system_attrib_cb, handle=handle)
    
    return
コード例 #14
0
def list_vms_cb(action, success, incident, results, handle):
    phantom.debug('VSphere list vms' +
                  (' SUCCEEDED' if success else ' FAILED'))
    if not success:
        return
    attacked_ips = phantom.victim_ips(incident)
    success_results = phantom.parse_success(results)
    for vm_info in success_results:
        if 'ip' in vm_info:  # if the VM is running, it will have an IP
            if vm_info[
                    'ip'] in attacked_ips:  #if the IP address of the VM is the attacked IP
                phantom.act('snapshot vm',
                            parameters=[{
                                'vmx_path': vm_info['vmx_path'],
                                'download': False
                            }],
                            callback=generic_cb)
    phantom.act('get process file',
                parameters=[{
                    'name': '*infostealer*',
                    'ip_hostname': attacked_ips[0]
                }],
                assets=['domainctrl1'],
                callback=get_process_file_cb)