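def Run(md5, ssl_verify=True):
    """Report whether an MD5 is known to Carbon Black, as a parent process and/or as a process.

    Results are printed (with a CB console deep link on a hit); nothing is
    returned.

    Args:
        md5: hex MD5 digest, normally the value Bit9 captured.  Surrounding
            whitespace is ignored; a blank or non-hex value is reported as
            "Bit9 did not capture the MD5" and no query is made (the original
            only caught a value that ended in a single space).
        ssl_verify: forwarded to ``cbapi.CbApi`` as ``ssl_verify``.  The
            original hard-coded ``False``, which lets any on-path host
            impersonate the CB server and read the API token; pass ``False``
            explicitly only for a lab server whose certificate cannot be
            validated.
    """
    launch = Launch()
    args = launch.get_args()
    cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)

    md5 = (md5 or "").strip()
    # The digest is spliced unescaped into both a CB query and a URL, so accept
    # only a 32-digit hex string (no operators, wildcards or whitespace).
    hexdigits = "0123456789abcdefABCDEF"
    if len(md5) != 32 or not all(ch in hexdigits for ch in md5):
        print(colored.red("[-] Bit9 did not capture the MD5 :(\n"))
        return

    # Console deep links.  The original literals began with "\#search/";
    # "\#" is not a Python escape, so the backslash was emitted into the URL.
    parentmd5url = cbserverurl + "#search/cb.urlver=1&cb.q.parent_md5=%20"
    md5url = cbserverurl + "#search/cb.urlver=1&cb.q.md5=%20"
    link_suffix = "&sort=&rows=10&start=0"

    cb = cbapi.CbApi(cbserverurl, token=cbapitoken, ssl_verify=ssl_verify)

    print(colored.yellow("[*] Checking if Parent MD5 process in Carbon Black..."))
    parentresult = cb.process_search("parent_md5:" + md5, sort="start desc")
    if parentresult["total_results"] == 0:
        print(colored.cyan("[+] Not a Parent MD5 process"))
    else:
        print(colored.green("[+] Parent MD5 event found in Carbon Black."))
        print(colored.cyan(parentmd5url + md5 + link_suffix))

    print(colored.yellow("[*] Checking if MD5 seen in Carbon Black..."))
    md5result = cb.process_search("md5:" + md5, sort="start desc")
    if md5result["total_results"] == 0:
        print(colored.cyan("[+] Not seen in Carbon Black."))
    else:
        print(colored.green("[+] MD5 Found in CB."))
        print(colored.cyan(md5url + md5 + link_suffix))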
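def Run(hashtype, value):
    """Look up a file in the Bit9 file catalog by hash.

    Args:
        hashtype: ``"md5"``, ``"sha1"`` or ``"sha256"`` (exact, lower-case,
            as before).
        value: hex digest of the length ``hashtype`` implies (32 / 40 / 64
            digits).  It is spliced into the fileCatalog ``q=`` filter
            unescaped, so anything else is rejected before a request is sent.

    Returns:
        The decoded JSON body of the fileCatalog response.

    Raises:
        ValueError: unsupported ``hashtype`` or malformed digest.  The original
            failed later and less clearly: ``"sha1"`` hit a NameError because
            ``sha1url`` was never assigned, and any other value hit an
            UnboundLocalError on ``hashurl``.
        requests.HTTPError: non-2xx response (``raise_for_status``).
    """
    # Expected digest length per supported hash type.  The catalog field name
    # is the hash type itself ("md5:" / "sha256:" as in the original); the
    # "sha1:" field is assumed to follow the same pattern -- TODO confirm.
    digest_lengths = {"md5": 32, "sha1": 40, "sha256": 64}
    if hashtype not in digest_lengths:
        raise ValueError("unsupported hash type: %r" % (hashtype,))
    value = value.strip()
    hexdigits = "0123456789abcdefABCDEF"
    if len(value) != digest_lengths[hashtype] or not all(ch in hexdigits for ch in value):
        raise ValueError("malformed %s digest: %r" % (hashtype, value))

    launch = Launch()
    args = launch.get_args()
    b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
    headers = {"X-Auth-Token": b9apitoken, "content-type": "application/json"}
    hashurl = b9serverurl + "/api/bit9platform/v1/fileCatalog?q=" + hashtype + ":" + value
    # TLS verification stays on (as in the original): the request carries the
    # Bit9 API token.
    r = requests.get(hashurl, headers=headers, verify=True)
    r.raise_for_status()
    return r.json()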
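def Run(computername, verify=True):
    """Fetch the Carbon Black sensor record(s) registered under a hostname.

    Args:
        computername: hostname to match.  Sent as the ``hostname`` query
            parameter of ``GET /api/v1/sensor``; requests URL-encodes it,
            where the original spliced it raw into the query string (a ``&``
            or ``#`` in the value would have changed the request).
        verify: requests' ``verify`` flag.  The original hard-coded ``False``,
            which exposes the API token to anyone who can intercept the
            connection; pass ``False`` (or a CA bundle path) explicitly only
            when the server certificate cannot be validated.

    Returns:
        The decoded JSON body of the response.

    Raises:
        requests.HTTPError: non-2xx response.  The original handed any body
            back to the caller as if it were sensor data.
    """
    launch = Launch()
    args = launch.get_args()
    cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)
    headers = {"X-Auth-Token": cbapitoken}
    resp = requests.get(
        cbserverurl + "/api/v1/sensor",
        params={"hostname": str(computername)},
        headers=headers,
        verify=verify,
    )
    resp.raise_for_status()
    return resp.json()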
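def do_6(self, args):
    """Menu option 6: check which computers in a user-supplied list have Bit9 and/or CB installed.

    Prompts for the path of a text file, refuses a path that is not an
    existing regular file, and otherwise hands the path to ``ComputerLookup``.
    ``args`` (the remainder of the menu command line) is unused, as before.
    """
    # Prompt text corrected: the original read "Enter palth of text file".
    print(colored.magenta("[+] Enter path of text file: "))
    # Trailing whitespace from a pasted path would otherwise make isfile() fail.
    usercomputerfile = raw_input().strip()
    # isfile() follows the same relative/absolute resolution abspath() did, so
    # the extra abspath() call in the original was redundant.
    if not os.path.isfile(usercomputerfile):
        print(colored.red("[-] " + usercomputerfile + " does not exist"))
    else:
        ComputerLookup(usercomputerfile)
    Launch.show_logo2()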
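def do_3(self, args):
    """Menu option 3: review recent FireEye "identified as malicious" alerts.

    Per the original (commented-out) description, the handler this delegates
    to -- ``FireEyeEvents`` -- checks whether each alert's hash is banned,
    whether it was seen in Carbon Black, and prompts the user to ban the hash
    and/or certificate.  ``args`` is unused, as before.

    The alert count is read from the user and passed on as the string typed
    (the type the original passed); only a positive whole number is accepted.
    """
    print(colored.magenta("[?] How many most recent alerts would you like to view?"))
    limit = raw_input("10/20/30/40/etc. ").strip()
    # Reject anything that is not a positive integer before it reaches the
    # FireEye query; the original forwarded whatever was typed.
    if not limit.isdigit() or int(limit) == 0:
        print(colored.red("[-] Expected a positive whole number, got: " + limit))
    else:
        FireEyeEvents(limit)
    Launch.show_logo2()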
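def Run(computername, verify=True):
    """Fetch the Carbon Black sensor record(s) registered under a hostname.

    Args:
        computername: hostname to match.  Sent as the ``hostname`` query
            parameter of ``GET /api/v1/sensor``; requests URL-encodes it,
            where the original spliced it raw into the query string (a ``&``
            or ``#`` in the value would have changed the request).
        verify: requests' ``verify`` flag.  The original hard-coded ``False``,
            which exposes the API token to anyone who can intercept the
            connection; pass ``False`` (or a CA bundle path) explicitly only
            when the server certificate cannot be validated.

    Returns:
        The decoded JSON body of the response.

    Raises:
        requests.HTTPError: non-2xx response.  The original handed any body
            back to the caller as if it were sensor data.
    """
    launch = Launch()
    args = launch.get_args()
    cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)
    headers = {"X-Auth-Token": cbapitoken}
    resp = requests.get(
        cbserverurl + "/api/v1/sensor",
        params={"hostname": str(computername)},
        headers=headers,
        verify=verify,
    )
    resp.raise_for_status()
    return resp.json()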
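def Run(hashvalue, verify=True):
    """Look up a file in the Bit9 file catalog by MD5.

    Args:
        hashvalue: 32-digit hex MD5 digest.  It is spliced into the
            fileCatalog ``q=`` filter unescaped, so anything else is rejected
            before a request is sent.
        verify: requests' ``verify`` flag.  The original hard-coded ``False``
            (its sibling lookup by hash type used ``True``), sending the Bit9
            API token over an unverified TLS session; pass ``False`` (or a CA
            bundle path) explicitly only when the certificate cannot be
            validated.

    Returns:
        The decoded JSON body of the fileCatalog response.

    Raises:
        ValueError: malformed digest.
        requests.HTTPError: non-2xx response (``raise_for_status``).
    """
    hashvalue = hashvalue.strip()
    hexdigits = "0123456789abcdefABCDEF"
    if len(hashvalue) != 32 or not all(ch in hexdigits for ch in hashvalue):
        raise ValueError("malformed md5 digest: %r" % (hashvalue,))

    launch = Launch()
    args = launch.get_args()
    b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
    headers = {"X-Auth-Token": b9apitoken, "content-type": "application/json"}
    md5url = b9serverurl + "/api/bit9platform/v1/fileCatalog?q=md5:" + hashvalue
    r = requests.get(md5url, headers=headers, verify=verify)
    r.raise_for_status()
    return r.json()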
import semanticnet as sn from Launch.Launch import Launch from Carbonblack.GetProcessReport import GetProcessReport from Helpers.CreateTimeTable import CreateTimeTable from Helpers.CreateTimeNodes import CreateTimeNodes from Helpers.AddFileMods import AddFileMods from Helpers.AddRegistryMods import AddRegistryMods from Helpers.AddNetConns import AddNetConns from Helpers.AddFileModThreatIntel import AddFileModThreatIntel from Helpers.AddModulesLoaded import AddModulesLoaded from Helpers.AddModulesLoadedThreatIntel import AddModulesLoadedThreatIntel if __name__ == '__main__': graph = sn.Graph() graph.cache_nodes_by("label") launch = Launch() if len(sys.argv) == 1: launch.show_options() sys.exit() launch.show_logo() args = launch.get_args() #load CB API cb = launch.load_config_file(args.configfile) #Get process report for CB link report = GetProcessReport.Run(cb, args.link) #Create a timetable timetable, timelist = CreateTimeTable.Run(report) #Create time nodes to plot process activity on CreateTimeNodes.Run(graph, timelist) #Add modules loaded to time nodes
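#!/usr/bin/env python
"""Remove Carbon Black sensors in one sensor group that have not checked in for N days.

Destructive: ``RemoveCBComputer.Run`` is called for every matching sensor
with no confirmation and no dry-run, so choose ``--daysoffline`` deliberately
and review the printed list afterwards.
"""
from Carbonblack.FindCBComputer import FindCBComputer
from Carbonblack.FindCBComputerGroup import FindCBComputerGroup
from Carbonblack.RemoveCBComputer import RemoveCBComputer
from Launch.Launch import Launch
from datetime import datetime, timedelta

if __name__ == '__main__':
    # Pull in the Launch module and get cmdline args via argparse.
    launch = Launch()
    args = launch.get_args()
    cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)

    # The cutoff is the same for every sensor, so compute it once.  A value
    # below 1 would match every sensor (any positive age beats a zero or
    # negative window) and remove the whole group, so refuse it outright.
    days_offline = int(args.daysoffline)
    if days_offline < 1:
        raise SystemExit("--daysoffline must be a positive number of days, got %d" % days_offline)
    cutoff = timedelta(days=days_offline)

    # NOTE(review): last_checkin_time is parsed as a naive timestamp and
    # compared against local datetime.now(); if CB reports UTC the window is
    # off by the local UTC offset -- confirm before relying on short windows.
    now = datetime.now()

    # Sensors in the group selected on the command line (--groupid); the
    # original comment's hard-coded group '6' / 'cloud-ops' was stale.
    cblookup = FindCBComputerGroup.Run(str(args.groupid), cbserverurl, cbapitoken)
    for computer in cblookup:
        # Skip sensors already flagged for uninstall.
        if computer['uninstall']:
            continue
        # Only the leading "YYYY-MM-DD HH:MM:SS" is parsed; the slice drops
        # whatever follows (presumably fractional seconds or a zone suffix).
        lastcheckintime = datetime.strptime(str(computer['last_checkin_time'][:19]), "%Y-%m-%d %H:%M:%S")
        if (now - lastcheckintime) > cutoff:
            print(computer['computer_name'] + " has not checked in in over " + str(days_offline) + " days, removing.")
            RemoveCBComputer.Run(computer['computer_name'], cbserverurl, cbapitoken)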