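def get_process_file_cb(action, success, incident, results, handle):
    """Callback for 'get process file': detonate every retrieved file in ThreatGrid.

    Args:
        action: the completed action record (unused here).
        success: platform status flag; nothing is queued when the action failed.
        incident: the incident the playbook runs on (unused here).
        results: raw action results; phantom.parse_success() yields the
            successful items, each expected to carry 'vault_id' and 'name'.
        handle: opaque pass-through value (unused here).

    Side effects: queues one 'detonate file' action on the "threatgrid" asset
    with a parameter set per retrieved file, continuing in detonate_file_cb.
    """
    if not success:
        return
    # The raw results were previously dumped twice; log them once, plus the
    # parsed items, which is all the next step consumes.
    phantom.debug(results)
    result_items = phantom.parse_success(results)
    phantom.debug(result_items)
    parameters = []
    for item in result_items:
        # A result without a vault_id has no file to detonate; skip it rather
        # than raise KeyError and abort the whole callback (same guard style
        # as the list_devices / list_sessions callbacks).
        if 'vault_id' not in item:
            phantom.debug('skipping result without vault_id: {0}'.format(item))
            continue
        parameters.append({"vault_id": item['vault_id'], 'file_name': item['name']})
    if not parameters:
        phantom.debug('no files retrieved; nothing to detonate')
        return
    phantom.act('detonate file', parameters=parameters, assets=["threatgrid"], callback=detonate_file_cb)
    return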
def whois_cb(action, success, incident, results, handle):
    """Callback for a whois lookup: log the country of each queried IP.

    Only logs; no further action is queued. ``action`` is indexed with
    ['action_name'] for the status line, so a dict-like action record is
    expected here.
    """
    outcome = ' SUCCEEDED' if success else ' FAILED'
    phantom.debug('Action: {0} {1}'.format(action['action_name'], outcome))
    if not success:
        return
    for entry in phantom.parse_success(results):
        query_ip = str(entry['query'])
        country = str(entry['asn_country_code'])
        phantom.debug('IP: ' + query_ip + ' is in Country: ' + country)
    return
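def list_vms_cb(action, success, incident, results, handle):
    """Callback for vSphere 'list vms': snapshot and pull files from attacked VMs.

    For every running VM (one whose result carries an 'ip') whose address is
    among the incident's victim IPs, queue a 'snapshot vm' (no download) and a
    'get process file' on the "domainctrl1" asset for processes matching
    '*infostealer*' on that VM, continuing in generic_cb / get_process_file_cb.
    """
    phantom.debug('VSphere list vms' + (' SUCCEEDED' if success else ' FAILED'))
    if not success:
        return
    attacked_ips = phantom.victim_ips(incident)
    for vm_info in phantom.parse_success(results):
        vm_ip = vm_info.get('ip')  # only a running VM reports an IP
        if vm_ip is None or vm_ip not in attacked_ips:
            continue
        phantom.act('snapshot vm',
                    parameters=[{'vmx_path': vm_info['vmx_path'], 'download': False}],
                    callback=generic_cb)
        # Target the VM that actually matched. The previous code always used
        # attacked_ips[0], so with several victims every matching VM pulled
        # the file from the first one.
        phantom.act('get process file',
                    parameters=[{'name': '*infostealer*', 'ip_hostname': vm_ip}],
                    assets=['domainctrl1'],
                    callback=get_process_file_cb)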
def whois_cb(action, success, incident, results, handle):
    """Callback for a whois lookup: log each queried IP's country.

    NOTE(review): the status line concatenates ``action`` directly, so this
    version only works when the platform passes ``action`` as a str; the
    sibling callbacks index it with ['action_name'], and a dict here would
    raise TypeError — confirm which shape is delivered.
    """
    phantom.debug('Action ' + action + (' SUCCEEDED' if success else ' FAILED'))
    if not success:
        return
    lookups = phantom.parse_success(results)
    for lookup in lookups:
        line = 'IP: ' + str(lookup['query']) + ' is in Country: ' + str(lookup['asn_country_code'])
        phantom.debug(line)
    return
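def get_process_file_cb(action, success, offense, results, handle):
    """Callback for 'get process file': detonate every retrieved file in Cuckoo.

    Args:
        action: the completed action record (unused here).
        success: platform status flag; nothing is queued when the action failed.
        offense: the offense/container the playbook runs on (unused here).
        results: raw action results; phantom.parse_success() yields the
            successful items, each expected to carry 'vault_id' and 'name'.
        handle: opaque pass-through value (unused here).

    Side effects: queues one 'detonate file' action on the 'Cuckoo' asset with
    a parameter set per retrieved file, continuing in detonate_file_cb.
    """
    if not success:
        return
    parameters = []
    for item in phantom.parse_success(results):
        # No vault_id means no file to detonate; skip rather than KeyError out
        # of the whole callback (same guard as the list_* callbacks).
        if 'vault_id' not in item:
            phantom.debug('skipping result without vault_id: {0}'.format(item))
            continue
        parameters.append({"vault_id": item['vault_id'], 'file_name': item['name']})
    if not parameters:
        phantom.debug('no files retrieved; nothing to detonate')
        return
    phantom.act('detonate file', parameters=parameters, assets=['Cuckoo'], callback=detonate_file_cb)
    return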
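def get_system_attrib_cb(action_name, status, incident, results, handle):
    """Callback for the get system attribute action.

    Parses the machine description carried in ``handle`` (a string holding a
    dict literal with at least 'name' and 'ip'), logs the machine the action
    returned, and queues 'set system attribute' on the "domainctrl2" asset to
    write two attributes on that host, continuing in set_system_attrib_cb with
    the same handle.
    """
    import ast  # function-scope: the file's import block is not visible here

    phantom.debug('Action: {0} {1}'.format(action_name, (' SUCCEEDED' if status else ' FAILED')))
    if not status:
        return
    # The handle round-trips through the platform as a string. Parse it as a
    # literal instead of eval()'ing it: literal_eval accepts the same dict /
    # str / number literals but never executes code, so a malformed or
    # tampered handle cannot run arbitrary Python inside the playbook.
    # (If the handle is ever emitted as JSON containing true/false/null,
    # switch to json.loads as check_domain_connectivity_cb does.)
    machine = ast.literal_eval(handle)
    phantom.debug("Working on '{0}' with ip '{1}'".format(machine['name'], machine['ip']))
    success_list = phantom.parse_success(results)
    phantom.debug('success_list: ' + str(success_list))
    phantom.debug('results: ' + str(results))
    # The action was issued for a single machine, so one result is expected;
    # bail out explicitly rather than raise IndexError when none came back.
    if not success_list:
        phantom.debug("No system attribute result for '{0}'".format(machine['name']))
        return
    machine_info = success_list[0]
    phantom.debug('Machine: {0} is {1}'.format(machine_info['name'], machine_info['operatingSystem']))
    params = [
        # netbootmirrordatafile: WDS boot image / unattend settings for the host
        {
            'hostname': machine_info['name'],
            'attribute_name': 'netbootmirrordatafile',
            'attribute_value': 'BootImagePath=Boot\\x64\\Images\\boot.wim;WdsUnattendFilePath=WDSClientUnattend\\WDSClientUnattend.xml;JoinDomain=1;',
        },
        # extensionattribute1: free-form tag value written to the same host
        {
            'hostname': machine_info['name'],
            'attribute_name': 'extensionattribute1',
            'attribute_value': 'admin,Office,NYC,Y',
        },
    ]
    phantom.act("set system attribute", parameters=params, assets=['domainctrl2'], callback=set_system_attrib_cb, handle=handle)
    return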
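def get_process_file_cb(action, success, offense, results, handle):
    """Callback for 'get process file': detonate every retrieved file in Cuckoo.

    Args:
        action: the completed action record (unused here).
        success: platform status flag; nothing is queued when the action failed.
        offense: the offense/container the playbook runs on (unused here).
        results: raw action results; phantom.parse_success() yields the
            successful items, each expected to carry 'vault_id' and 'name'.
        handle: opaque pass-through value (unused here).

    Side effects: queues one 'detonate file' action on the 'Cuckoo' asset with
    a parameter set per retrieved file, continuing in detonate_file_cb.
    """
    if not success:
        return
    parameters = []
    for item in phantom.parse_success(results):
        # No vault_id means no file to detonate; skip rather than KeyError out
        # of the whole callback (same guard as the list_* callbacks).
        if 'vault_id' not in item:
            phantom.debug('skipping result without vault_id: {0}'.format(item))
            continue
        parameters.append({"vault_id": item['vault_id'], 'file_name': item['name']})
    if not parameters:
        phantom.debug('no files retrieved; nothing to detonate')
        return
    phantom.act('detonate file', parameters=parameters, assets=['Cuckoo'], callback=detonate_file_cb)
    return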
def check_domain_connectivity_cb(action, success, incident, results, handle):
    """Callback for the domain ping check.

    Dumps the successful ping results (the address the domain resolves to
    differs depending on whether it is blocked). When a JSON ``handle`` is
    present and its 'add_block' flag is truthy, continues to
    add_domains_to_block_list(); otherwise the playbook stops here.
    """
    if not success:
        return
    pinged = phantom.parse_success(results)
    phantom.debug("Results:\n{0}".format(json.dumps(pinged, indent=4 * ' ')))
    if handle is None:
        return
    # The handle is JSON produced by our own caller; json.loads never
    # executes code, unlike eval().
    wants_block = json.loads(handle)['add_block']
    if wants_block:
        add_domains_to_block_list()
    return
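def get_process_file_cb(action, success, incident, results, handle):
    """Callback for 'get process file': detonate every retrieved file in Anubis.

    Args:
        action: the completed action record (unused here).
        success: platform status flag; nothing is queued when the action failed.
        incident: the incident the playbook runs on (unused here).
        results: raw action results; phantom.parse_success() yields the
            successful items, each expected to carry 'vault_id' and 'name'.
        handle: opaque pass-through value (unused here).

    Side effects: queues one 'detonate file' action on the "anubis" asset with
    a parameter set per retrieved file (force_analysis off, so a previously
    analysed sample is not re-run), continuing in detonate_file_cb.
    """
    if not success:
        return
    # The raw results were previously dumped twice; log them once, plus the
    # parsed items, which is all the next step consumes.
    phantom.debug(results)
    result_items = phantom.parse_success(results)
    phantom.debug(result_items)
    parameters = []
    for item in result_items:
        # No vault_id means no file to detonate; skip rather than KeyError out
        # of the whole callback (same guard as the list_* callbacks).
        if 'vault_id' not in item:
            phantom.debug('skipping result without vault_id: {0}'.format(item))
            continue
        parameters.append({
            "vault_id": item['vault_id'],
            'file_name': item['name'],
            'force_analysis': False,
        })
    if not parameters:
        phantom.debug('no files retrieved; nothing to detonate')
        return
    phantom.act('detonate file', parameters=parameters, assets=["anubis"], callback=detonate_file_cb)
    return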
def list_devices_cb(action, success, incident, results, handle):
    """Callback for MobileIron 'list devices': request system info per device.

    Every successful result that carries a 'uuid' becomes one parameter set
    for a 'get system info' action on the "mobileiron" asset, continuing in
    get_system_info_cb. Results without a uuid are dropped.
    """
    if not success:
        return
    devices = phantom.parse_success(results)
    phantom.debug(devices)
    parameters = [{"uuid": device["uuid"]} for device in devices if 'uuid' in device]
    phantom.act('get system info', parameters=parameters, assets=["mobileiron"], callback=get_system_info_cb)
    return
def list_sessions_cb(action, success, container, results, handle):
    """Callback for Cisco ISE 'list sessions': quarantine every listed endpoint.

    Each successful result with a 'calling_station_id' (the session's
    IP/MAC identifier) becomes one parameter set for a 'quarantine device'
    action on the "ciscoise" asset, continuing in quarantine_device_cb.
    NOTE(review): nothing here narrows the set — every session the query
    returned is quarantined, so the scoping must happen in the caller's
    'list sessions' parameters.
    """
    if not success:
        return
    sessions = phantom.parse_success(results)
    phantom.debug(json.dumps(sessions, indent=4))
    parameters = [
        {"ip_macaddress": session["calling_station_id"]}
        for session in sessions
        if 'calling_station_id' in session
    ]
    phantom.act('quarantine device', parameters=parameters, assets=["ciscoise"], callback=quarantine_device_cb)
    return
def list_blocked_domains_cb(action, success, incident, results, handle):
    """Callback for 'list blocked domains': clear the Umbrella block list.

    Logs the current list, then queues 'unblock domain' on the
    'opendns_umbrella' asset for every entry (continuing in
    unblock_domains_cleanup_cb); with nothing to unblock it goes straight to
    check_domain_connectivity().
    NOTE(review): this removes every entry on the asset's block list, not
    only ones this playbook added — acceptable for a demo "clean slate",
    but not something to point at a production asset.
    """
    if not success:
        return
    blocked = phantom.parse_success(results)
    phantom.debug("Domain Block List:\n{0}".format(json.dumps(blocked, indent=4 * ' ')))
    parameters = [{'domain': entry['name']} for entry in blocked]
    if not parameters:
        check_domain_connectivity()
        return
    phantom.act('unblock domain', parameters=parameters, assets=['opendns_umbrella'], callback=unblock_domains_cleanup_cb)
    return
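def get_system_attrib_cb(action, status, incident, results, handle):
    """Callback for the get system attribute action.

    Parses the machine description carried in ``handle`` (a string holding a
    dict literal with at least 'name' and 'ip'), logs the machine the action
    returned, and queues 'set system attribute' on the "domainctrl2" asset to
    write two attributes on that host, continuing in set_system_attrib_cb with
    the same handle.
    """
    import ast  # function-scope: the file's import block is not visible here

    phantom.debug('Action: {0} {1}'.format(action['action_name'], (' SUCCEEDED' if status else ' FAILED')))
    if not status:
        return
    # The handle round-trips through the platform as a string. Parse it as a
    # literal instead of eval()'ing it: literal_eval accepts the same dict /
    # str / number literals but never executes code, so a malformed or
    # tampered handle cannot run arbitrary Python inside the playbook.
    # (If the handle is ever emitted as JSON containing true/false/null,
    # switch to json.loads as check_domain_connectivity_cb does.)
    machine = ast.literal_eval(handle)
    phantom.debug("Working on '{0}' with ip '{1}'".format(machine['name'], machine['ip']))
    success_list = phantom.parse_success(results)
    phantom.debug('success_list: ' + str(success_list))
    phantom.debug('results: ' + str(results))
    # The action was issued for a single machine, so one result is expected;
    # bail out explicitly rather than raise IndexError when none came back.
    if not success_list:
        phantom.debug("No system attribute result for '{0}'".format(machine['name']))
        return
    machine_info = success_list[0]
    phantom.debug('Machine: {0} is {1}'.format(machine_info['name'], machine_info['operatingSystem']))
    params = [
        # netbootmirrordatafile: WDS boot image / unattend settings for the host
        {
            'hostname': machine_info['name'],
            'attribute_name': 'netbootmirrordatafile',
            'attribute_value': 'BootImagePath=Boot\\x64\\Images\\boot.wim;WdsUnattendFilePath=WDSClientUnattend\\WDSClientUnattend.xml;JoinDomain=1;',
        },
        # extensionattribute1: free-form tag value written to the same host
        {
            'hostname': machine_info['name'],
            'attribute_name': 'extensionattribute1',
            'attribute_value': 'admin,Office,NYC,Y',
        },
    ]
    phantom.act("set system attribute", parameters=params, assets=['domainctrl2'], callback=set_system_attrib_cb, handle=handle)
    return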
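def list_vms_cb(action, success, incident, results, handle):
    """Callback for vSphere 'list vms': snapshot and pull files from attacked VMs.

    For every running VM (one whose result carries an 'ip') whose address is
    among the incident's victim IPs, queue a 'snapshot vm' (no download) and a
    'get process file' on the "domainctrl1" asset for processes matching
    '*infostealer*' on that VM, continuing in generic_cb / get_process_file_cb.
    """
    phantom.debug('VSphere list vms' + (' SUCCEEDED' if success else ' FAILED'))
    if not success:
        return
    attacked_ips = phantom.victim_ips(incident)
    for vm_info in phantom.parse_success(results):
        vm_ip = vm_info.get('ip')  # only a running VM reports an IP
        if vm_ip is None or vm_ip not in attacked_ips:
            continue
        phantom.act('snapshot vm',
                    parameters=[{'vmx_path': vm_info['vmx_path'], 'download': False}],
                    callback=generic_cb)
        # Target the VM that actually matched. The previous code always used
        # attacked_ips[0], so with several victims every matching VM pulled
        # the file from the first one.
        phantom.act('get process file',
                    parameters=[{'name': '*infostealer*', 'ip_hostname': vm_ip}],
                    assets=['domainctrl1'],
                    callback=get_process_file_cb)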