#  <Long Description>
#
#  last updated 2015-06-28 by Ben Johnson [email protected]
#

from cbapi.util.cli_helpers import main_helper

from cbapi.legacy.util.live_response_helpers import LiveResponseHelper


def main(cb, args):
    sensor_id = int(args.get('sensorid'))
    lrh = LiveResponseHelper(cb, sensor_id)
    lrh.start()

    # THIS COULD EASILY BE TURNED INTO A LOOP SO THAT YOU CONTINUOUSLY POLL FOR A SPECIFIC PROCESS AND KILL IT
    processes = lrh.process_list()
    for process in processes:
        path = process.get('path')
        if path.lower().endswith('iexplore.exe'):
            lrh.kill(process.get('pid'))
            print "Killed: %s|%s|%s" % (process.get('path'),
                                        process.get('command_line', ''),
                                        process.get('username', ''))

    lrh.stop()

if __name__ == "__main__":
    required_arg = ("-s", "--sensorid", "store", None, "sensorid", "Sensor id")
    main_helper("Kill all iexplore.exe processes on particular sensor", main, custom_required=[required_arg])
Exemplo n.º 2
0
                "Description": "Please fill in if you intend to share this."
            }
            self.watch_lists.append(wl)

    def export_watchlists(self):
        export = {
            "Author": "Fill in author",
            "ExportDate": time.strftime("%D %H:%M:%S"),
            "ExportDescription": "Fill in description",
            "Watchlists": self.watch_lists,
        }
        output = json.dumps(export, indent=4)
        output_file = open(self.args.get('output_file'), 'w')
        output_file.write(output)
        print("-> Done exporting! <-")

def main(cb, args):
    export = Export(cb, args)
    export.get_watchlists()
    export.export_watchlists()

if __name__ == "__main__":
    selective_export = ("-m", "--selective", "store_true", False, "selective_export", "Select what watchlsits to export")
    output_file = ("-f", "--file", "store", False, "output_file", "Select what file output is written to")
    watchlists = ("-w", "--watchlists", "store", False, "watchlists", "Specific watchlist(s) to export. Can be comma separated.")
    main_helper(
        "Export watchlists into a sharable format",
        main,
        custom_required=[output_file],
        custom_optional=[selective_export,watchlists])
Exemplo n.º 3
0
# -----------------------------------------------------------------------------
#  <Short Description>
#
#  <Long Description>
#
#  last updated 2015-06-28 by Ben Johnson [email protected]
#

import pprint
from cbapi.util.cli_helpers import main_helper

def main(cb, args):

    # perform a single process search
    #
    processes = cb.process_search(args.get('query'))
    
    print "%-20s : %s" % ('Displayed Results', len(processes['results']))
    print "%-20s : %s" % ('Total Results', processes['total_results'])
    print "%-20s : %sms" % ('QTime', int(1000*processes['elapsed']))
    print '\n'

    # for each result 
    for process in processes['results']:
        pprint.pprint(process)
        print '\n'

if __name__ == "__main__":
    required_arg = ("-q", "--query", "store", None, "query", "Process search query")
    main_helper("Generic process search", main, custom_required=[required_arg])
Exemplo n.º 4
0
                    continue
            self.watch_lists.append(watch_list)

    def add_watchlists(self):
        for watch_list in self.watch_lists:
            wl_name = watch_list.get('Name')
            wl_type = watch_list.get('Type')
            wl_url = watch_list.get('SearchString').encode('utf-8')
            print("-> Adding watchlist %s" % wl_name)
            watchlist = self.cb.watchlist_add(
                wl_type,
                wl_name,
                wl_url)
            print("-> Watchlist added [id=%s]" % (watchlist['id']))

def main(cb, args):
    import_wl = ImportWatchlists(cb, args)
    import_wl.get_watchlists()
    import_wl.add_watchlists()

if __name__ == "__main__":
    selective_import = ("-m", "--selective", "store_true", False, "selective_import", "Select what watchlsits to import")
    input_file = ("-f", "--file", "store", False, "input_file", "Select what file holds watchlists")
    watchlists = ("-w", "--watchlists", "store", False, "watchlists", "Specific watchlist(s) to import. Can be comma separated.")
    main_helper(
        "Imports watchlists from a sharable format",
        main,
        custom_required=[input_file],
        custom_optional=[selective_import,watchlists])

Exemplo n.º 5
0
from cbapi.util.cli_helpers import main_helper
from cbapi.util.live_response_helpers import LiveResponseHelper

def main(cb, args):
    lfile = args.get('lfile')
    rfile = args.get('rfile')
    sensor_id = int(args.get('sensorid'))
    lrh = LiveResponseHelper(cb, sensor_id)
    lrh.start()
    
    print "[*] Attempting to upload file: %s" % lfile
    results = lrh.put_file(rfile, lfile)
    print "\n[+] Results:\n============"
    for i in results:
        print i + ' = ' + str(results[i])
    lrh.stop()

if __name__ == "__main__":
    sensor_arg = ("-s", "--sensorid", "store", None, "sensorid", "Sensor id")
    lfile_arg = ("-l", "--localfile", "store", None, "lfile", "Local File Path")
    rfile_arg = ("-r", "--remotefile", "store", None, "rfile", "Remote File Path")
    main_helper("Place a file on remote sensor", main, custom_required=[sensor_arg, lfile_arg, rfile_arg])
Exemplo n.º 6
0
                    continue
            self.watch_lists.append(watch_list)

    def add_watchlists(self):
        for watch_list in self.watch_lists:
            wl_name = watch_list.get('Name')
            wl_type = watch_list.get('Type')
            wl_url = watch_list.get('SearchString').encode('utf-8')
            print("-> Adding watchlist %s" % wl_name)
            watchlist = self.cb.watchlist_add(
                wl_type,
                wl_name,
                wl_url)
            print("-> Watchlist added [id=%s]" % (watchlist['id']))

def main(cb, args):
    import_wl = ImportWatchlists(cb, args)
    import_wl.get_watchlists()
    import_wl.add_watchlists()

if __name__ == "__main__":
    selective_import = ("-m", "--selective", "store_true", False, "selective_import", "Select what watchlsits to import")
    input_file = ("-f", "--file", "store", False, "input_file", "Select what file holds watchlists")
    watchlists = ("-w", "--watchlists", "store", False, "watchlists", "Specific watchlist(s) to import. Can be comma separated.")
    main_helper(
        "Imports watchlists from a sharable format",
        main,
        custom_required=[input_file],
        custom_optional=[selective_import,watchlists])

Exemplo n.º 7
0
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# -----------------------------------------------------------------------------
#  <Short Description>
#
#  <Long Description>
#
#  last updated 2015-06-28 by Ben Johnson [email protected]
#

from cbapi.util.cli_helpers import main_helper

def main(cb, args):
    query = args.get('query')
    print "%s,%s,%s,%s,%s,%s" % ("hostname", "username", "start", "parent_path", "path", "cmdline")
    for (proc, proc_details, parent_details) in \
            cb.process_search_and_detail_iter(query):

            print "%s,%s,%s,%s,%s,%s" % (proc.get('hostname'),
                                         proc.get('username'),
                                         proc.get('start'),
                                         parent_details.get('path'),
                                         proc.get('path'),
                                         proc_details.get('cmdline'))

if __name__ == "__main__":
    required_arg = ("-q", "--query", "store", None, "query", "Process search query")
    main_helper("Generic process search", main, custom_required=[required_arg])
Exemplo n.º 8
0
        export = {
            "Author": "Fill in author",
            "ExportDate":
            datetime.datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"),
            "ExportDescription": "Fill in description",
            "Watchlists": self.watch_lists,
        }
        output = json.dumps(export, indent=4)
        output_file = open(self.args.get('output_file'), 'w')
        output_file.write(output)
        print("-> Done exporting! <-")


def main(cb, args):
    export = Export(cb, args)
    export.get_watchlists()
    export.export_watchlists()


if __name__ == "__main__":
    selective_export = ("-m", "--selective", "store_true", False,
                        "selective_export", "Select what watchlsits to export")
    output_file = ("-f", "--file", "store", False, "output_file",
                   "Select what file output is written to")
    watchlists = ("-w", "--watchlists", "store", False, "watchlists",
                  "Specific watchlist(s) to export. Can be comma separated.")
    main_helper("Export watchlists into a sharable format",
                main,
                custom_required=[output_file],
                custom_optional=[selective_export, watchlists])
Exemplo n.º 9
0
from cbapi import CbApi
import base64
import re

def main (cb, args):
  
  powershells=cb.process_search_iter('process_name:powershell.exe')
  for s in powershells:
    if s['cmdline']:
      encoded = re.search('\-[eE][nN][cC][oOdDeEcCmMaAnN]*\s([A-Za-z0-9\+/=]+)', s['cmdline'])
      if encoded != None:
        i = encoded.group(1)
        if not re.search('[a-zA-Z0-9\+/]+={1,2}$', i):
          trailingBytes = len(i) % 4
          if trailingBytes == 3:
            i = i + '='
          elif trailingBytes == 2:
            i = i + '=='
        decodedCommand = base64.standard_b64decode(i)
        try:
          a = decodedCommand.encode('ascii','replace')
          print "Powershell Decoded Command\n%s/#analyze/%s/1\n%s\n\n" % (args['server_url'],s['id'], a.replace('\0',""))
        except UnicodeError:
          print "Powershell Decoded Command\n%s/#analyze/%s/1\nNon-ASCII decoding, encoded form printed to assist more research\n%s\n" % (args['server_url'],s['id'], s['cmdline'])
          pass
            


if __name__ == "__main__":
    main_helper("Decode Powershell Encoded Commands", main, custom_required=None)
Exemplo n.º 10
0

    for proc in procs['results']:
        events = cb.process_events(proc['id'],proc['segment_id'])
        try:
            start = datetime.datetime.strptime(proc['start'],"%Y-%m-%dT%H:%M:%S.%fZ")
            end = datetime.datetime.strptime(proc['last_update'], "%Y-%m-%dT%H:%M:%S.%fZ")
            runtime = int((end-start).total_seconds())
        except:
            # there were some unknown processes with no known start time or 
            # no known last update
            if not args['skip_unknown']:
                runtime=1
            else:
                continue
        
        rate = proc['netconn_count']/float(runtime)
        if rate > int(args['conn_rate']):
            url = '%s/#analyze/%s/%s'%(args['server_url'],proc['id'],proc['segment_id'])
            print "%s|%s|%.4f"%(url,
                                    proc['process_name'],rate)


if __name__ == "__main__":
    optional_arg = [("-g","--gt-count","store",100,"gt_count","Filter processes with greater than [--gt-count] network events"),("-r","--rate","store",100.0,"conn_rate","Alert on processes with more than [--rate] network connections per second"),
                    ("-s","--skip_unknown","store_true",False,"skip_unknown","Skip processes with unknown start or last update")]

    main_helper("High avg. netconn/second alert",main,custom_optional=optional_arg)


Exemplo n.º 11
0
#  <Long Description>
#
#  last updated 2015-06-28 by Ben Johnson [email protected]
#

from cbapi.util.cli_helpers import main_helper


def main(cb, args):
    start = args.get('start')
    print "%s,%s,%s,%s,%s,%s" % ("hostname", "username", "start",
                                 "parent_path", "path", "cmdline")
    for (proc, proc_details, parent_details) in \
            cb.process_search_and_detail_iter(
                   'start:%s process_name:net.exe -cmdline:"net stop" -cmdline:"net files" -cmdline:"net sessions"' % start):

        print "%s,%s,%s,%s,%s,%s" % (
            proc.get('hostname'), proc.get('username'), proc.get('start'),
            parent_details.get('path'), proc.get('path'),
            proc_details.get('cmdline'))


if __name__ == "__main__":
    required_arg = (
        "-s", "--start", "store", None, "start",
        "Process start time to query for, example, -2h for any net.exe processes started in past 2 hours"
    )
    main_helper("Search for net.exe processes",
                main,
                custom_required=[required_arg])
Exemplo n.º 12
0
#  <Short Description>
#
#  <Long Description>
#
#  last updated 2015-06-28 by Ben Johnson [email protected]
#

from cbapi.util.cli_helpers import main_helper

def main(cb, args):
    query = args.get('query')
    print "%s,%s,%s,%s,%s,%s" % ("hostname", "username", "start", "parent_path", "path", "cmdline")
    for binary in cb.binary_search_iter(query, rows=100):
        print "%s,%s,%s,%s,%s" % (binary.get('md5'),
                                  binary.get('server_added_timestamp'),
                                  binary.get('digsig_result'),
                                  binary.get('company_name'),
                                  binary.get('file_version')
        )

            # print "%s,%s,%s,%s,%s,%s" % (proc.get('hostname'),
            #                              proc.get('username'),
            #                              proc.get('start'),
            #                              parent_details.get('path'),
            #                              proc.get('path'),
            #                              proc_details.get('cmdline'))

if __name__ == "__main__":
    required_arg = ("-q", "--query", "store", None, "query", "Binary search query")
    main_helper("Generic binary search", main, custom_required=[required_arg])
Exemplo n.º 13
0
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# -----------------------------------------------------------------------------
#  <Short Description>
#
#  <Long Description>
#
#  last updated 2015-06-28 by Ben Johnson [email protected]
#

from cbapi.util.cli_helpers import main_helper

def main(cb, args):

    print "UI Logins (CoreServicesUIAgent)"

    for proc in cb.process_search_iter('process_name:CoreServicesUIAgent', start=0, rows=200):
        print "%s,%s,%s" % (proc.get('start'), proc.get('hostname'), proc.get('username'))
    print

    print "SSH Sessions (sshd -> bash)"

    for proc in cb.process_search_iter('parent_name:sshd process_name:bash', start=0, rows=200):
        print "%s,%s,%s" % (proc.get('start'), proc.get('hostname'), proc.get('username'))
    print

if __name__ == "__main__":
    main_helper("Search for OSX logins via particular processes.", main)
Exemplo n.º 14
0
    listener = ExtensionFileWatcherAndGrabber(args.get('server_url'), cb,
                                              username, password, extensions,
                                              output)

    try:
        print "Extension File Watcher and Grabber -- started.  Watching for:", extensions
        listener.process()
    except KeyboardInterrupt:
        print >> sys.stderr, "Caught Ctrl-C"
        listener.stop()
    print "Extension File Watcher and Grabber -- stopped."


if __name__ == "__main__":
    required_args = [
        ("-i", "--username", "store", None, "username",
         "CB messaging username"),
        ("-p", "--password", "store", None, "password",
         "CB messaging password"),
        ("-e", "--extensions", "store", None, "extensions",
         "Extensions to watch for (e.g .dmp, .vbs), comma-delimited"),
        ("-o", "--output", "store", None, "output",
         "Output directory for captured files")
    ]

    main_helper(
        "Subscribe to message bus events and for each file with specified extension, go retrieve it.",
        main,
        custom_required=required_args)
Exemplo n.º 15
0
#
#  last updated 2015-06-28 by Ben Johnson [email protected]
#

# in the github repo, cbapi is not in the example directory

from cbapi.util.cli_helpers import main_helper

def main(cb, args):

    input_file = args.get('inputfile')

    f = file(input_file, "rb")
    lines = f.read().split("\r")

    for line in lines:
        filepath = line.strip()
        if len(filepath) == 0:
            continue

        for (proc, events) in cb.process_search_and_events_iter("filemod:%s" % filepath):
            hostname = proc.get('hostname')
            for filemod in events.get('filemod_complete', []):
                print filemod

            print "%s, %s, %s" % (hostname, proc.get('path'), filepath)

if __name__ == "__main__":
    required_arg = ("-i", "--inputfile", "store", None, "inputfile", "List of filemod paths to search for")
    main_helper("Search for processes modifying particular filepaths", main, custom_required=[required_arg])
            traceback.print_exc()


def main(cb, args):

    username = args.get("username")
    password = args.get("password")
    output = args.get("output")
    extensions = args.get("extensions").split(",")


    listener = ExtensionFileWatcherAndGrabber(args.get('server_url'), cb, username, password, extensions, output)

    try:
        print "Extension File Watcher and Grabber -- started.  Watching for:", extensions
        listener.process()
    except KeyboardInterrupt:
        print >> sys.stderr, "Caught Ctrl-C"
        listener.stop()
    print "Extension File Watcher and Grabber -- stopped."

if __name__ == "__main__":
    required_args =[("-i", "--username", "store", None, "username", "CB messaging username"),
                    ("-p", "--password", "store", None, "password", "CB messaging password"),
                    ("-e", "--extensions", "store", None, "extensions", "Extensions to watch for (e.g .dmp, .vbs), comma-delimited"),
                    ("-o", "--output", "store", None, "output", "Output directory for captured files")]

    main_helper("Subscribe to message bus events and for each file with specified extension, go retrieve it.",
                main,
                custom_required=required_args)
Exemplo n.º 17
0
from cbapi.util.cli_helpers import main_helper


def main(cb, args):

    input_file = args.get('inputfile')

    f = file(input_file, "rb")
    lines = f.read().split("\r")

    for line in lines:
        filepath = line.strip()
        if len(filepath) == 0:
            continue

        for (proc, events) in cb.process_search_and_events_iter("filemod:%s" %
                                                                filepath):
            hostname = proc.get('hostname')
            for filemod in events.get('filemod_complete', []):
                print filemod

            print "%s, %s, %s" % (hostname, proc.get('path'), filepath)


if __name__ == "__main__":
    required_arg = ("-i", "--inputfile", "store", None, "inputfile",
                    "List of filemod paths to search for")
    main_helper("Search for processes modifying particular filepaths",
                main,
                custom_required=[required_arg])
Exemplo n.º 18
0
#  <Short Description>
#
#  <Long Description>
#
#  last updated 2015-06-28 by Ben Johnson [email protected]
#

from cbapi.util.cli_helpers import main_helper

def main(cb, args):
    start = args.get('start')

    for (proc, events) in \
        cb.process_search_and_events_iter(
               'start:%s regmod:registry\\machine\\system\\currentcontrolset\\control\\deviceclasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\*' % start):

        for event in events.get('regmod_complete', []):
                fields = event.split('|')
                regpath = fields[2]
                if "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}" in regpath:
                    pieces = regpath.split("usbstor#disk&")
                    if len(pieces) < 2:
                        print "WARN::::", pieces
                    else:
                        device_info = pieces[1] #.split('{53f56307-b6bf-11d0-94f2-00a0c91efb8b}')[0]
                        print device_info

if __name__ == "__main__":
    required_arg = ("-s", "--start", "store", None, "start", "Process start time to query for, example, -2h for any processes started in past 2 hours")
    main_helper("Search for usb device usages", main, custom_required=[required_arg])
Exemplo n.º 19
0
from cbapi.util.cli_helpers import main_helper
from cbapi.util.live_response_helpers import LiveResponseHelper


def main(cb, args):
    filepath = args.get('filepath')
    sensor_id = int(args.get('sensorid'))
    lrh = LiveResponseHelper(cb, sensor_id)
    lrh.start()
    print "[*] Attempting to delete file: %s" % filepath
    results = lrh.del_file(filepath)
    print "\n[+] Results:\n============"
    for i in results:
        print i + ' = ' + str(results[i])
    lrh.stop()


if __name__ == "__main__":
    sensor_arg = ("-s", "--sensorid", "store", None, "sensorid", "Sensor id")
    file_arg = ("-f", "--filepath", "store", None, "filepath", "File Path")
    main_helper("Remove file from remote sensor",
                main,
                custom_required=[sensor_arg, file_arg])
Exemplo n.º 20
0
from cbapi.util.cli_helpers import main_helper


def main(cb, args):
    for (proc, events) in cb.process_search_and_events_iter(r"process_name:cmd.exe (filemod:*.exe or filemod:*.dll)"):
        filemods = events.get("process", {}).get("filemod_complete", [])
        for filemod in filemods:

            print filemod
            # TODO -- figure out fields
            action, timestamp, filepath, md5, junk1, junk2 = filemod.split("|")

            filepath = filepath.lower()
            if not filepath.endswith(".exe") or not filepath.endswith(".dll"):
                continue

            if action == "1":
                action = "CREATE"
            elif action == "2":
                action = "MODIFY"
            elif action == "4":
                action = "DELETE"
            elif action == "8":
                action = "EXECUTABLE_WRITE"

            print "%s,%s,%s,%s,%s,%s" % (timestamp, proc["hostname"], proc["username"], proc["path"], filepath, action)


if __name__ == "__main__":
    main_helper("Search for cmd.exe writing to exe and dll filepaths", main)
Exemplo n.º 21
0
from cbapi.util.cli_helpers import main_helper

from cbapi.legacy.util.live_response_helpers import LiveResponseHelper


def main(cb, args):
    lfile = args.get('lfile')
    rfile = args.get('rfile')
    sensor_id = int(args.get('sensorid'))
    lrh = LiveResponseHelper(cb, sensor_id)
    lrh.start()

    print "[*] Attempting to upload file: %s" % lfile
    results = lrh.put_file(rfile, lfile)
    print "\n[+] Results:\n============"
    for i in results:
        print i + ' = ' + str(results[i])
    lrh.stop()


if __name__ == "__main__":
    sensor_arg = ("-s", "--sensorid", "store", None, "sensorid", "Sensor id")
    lfile_arg = ("-l", "--localfile", "store", None, "lfile",
                 "Local File Path")
    rfile_arg = ("-r", "--remotefile", "store", None, "rfile",
                 "Remote File Path")
    main_helper("Place a file on remote sensor",
                main,
                custom_required=[sensor_arg, lfile_arg, rfile_arg])
Exemplo n.º 22
0
from cbapi.util.cli_helpers import main_helper
from cbapi.util.live_response_helpers import LiveResponseHelper

def main(cb, args):
    filepath = args.get('filepath')
    sensor_id = int(args.get('sensorid'))
    lrh = LiveResponseHelper(cb, sensor_id)
    lrh.start()
    print "[*] Attempting to delete file: %s" % filepath
    results = lrh.del_file(filepath)
    print "\n[+] Results:\n============"
    for i in results:
        print i + ' = ' + str(results[i])
    lrh.stop()

if __name__ == "__main__":
    sensor_arg = ("-s", "--sensorid", "store", None, "sensorid", "Sensor id")
    file_arg = ("-f", "--filepath", "store", None, "filepath", "File Path")
    main_helper("Remove file from remote sensor", main, custom_required=[sensor_arg, file_arg])
Exemplo n.º 23
0
            continue
        regmod_regexes.append(re.compile(line))


    listener = RegistryModWatcherAndValueGrabber(args.get('server_url'), cb, username, password, regmod_regexes, verbose)

    try:
        if verbose:
            print "Registry Mod Watcher and Grabber -- started.  Watching for:", regpaths_data
        else:
            print "Registry Mod Watcher and Grabber -- started. Watching for %d regexes" % len(regmod_regexes)

        listener.process()
    except KeyboardInterrupt:
        print >> sys.stderr, "Caught Ctrl-C"
        listener.stop()
    print "Registry Mod Watcher and Grabber -- stopped."

if __name__ == "__main__":

    ## YOU CAN USE data/autoruns_regexes.txt to test ##
    
    required_args =[("-i", "--username", "store", None, "username", "CB messaging username"),
                    ("-p", "--password", "store", None, "password", "CB messaging password"),
                    ("-r", "--regpaths_file", "store", None, "regpaths_file", "File of newline delimited regexes for regpaths")]
    optional_args = [("-v", "--verbose", "store_true", False, "verbose", "Enable verbose output")]
    main_helper("Subscribe to message bus events and for each registry modification that matches one of our supplied regexes, go retrieve value.",
                main,
                custom_required=required_args,
                custom_optional=optional_args)
Exemplo n.º 24
0
from cbapi.util.cli_helpers import main_helper


def main(cb, args):
    start = args.get("start")
    print "%s,%s,%s,%s,%s,%s" % ("hostname", "username", "start", "parent_path", "path", "cmdline")
    for (proc, proc_details, parent_details) in cb.process_search_and_detail_iter(
        'start:%s process_name:net.exe -cmdline:"net stop" -cmdline:"net files" -cmdline:"net sessions"' % start
    ):

        print "%s,%s,%s,%s,%s,%s" % (
            proc.get("hostname"),
            proc.get("username"),
            proc.get("start"),
            parent_details.get("path"),
            proc.get("path"),
            proc_details.get("cmdline"),
        )


if __name__ == "__main__":
    required_arg = (
        "-s",
        "--start",
        "store",
        None,
        "start",
        "Process start time to query for, example, -2h for any net.exe processes started in past 2 hours",
    )
    main_helper("Search for net.exe processes", main, custom_required=[required_arg])
Exemplo n.º 25
0
            continue
        regmod_regexes.append(re.compile(line))


    listener = RegistryModWatcherAndValueGrabber(args.get('server_url'), cb, username, password, regmod_regexes, verbose)

    try:
        if verbose:
            print "Registry Mod Watcher and Grabber -- started.  Watching for:", regpaths_data
        else:
            print "Registry Mod Watcher and Grabber -- started. Watching for %d regexes" % len(regmod_regexes)

        listener.process()
    except KeyboardInterrupt:
        print >> sys.stderr, "Caught Ctrl-C"
        listener.stop()
    print "Registry Mod Watcher and Grabber -- stopped."

if __name__ == "__main__":

    ## YOU CAN USE data/autoruns_regexes.txt to test ##
    
    required_args =[("-i", "--username", "store", None, "username", "CB messaging username"),
                    ("-p", "--password", "store", None, "password", "CB messaging password"),
                    ("-r", "--regpaths_file", "store", None, "regpaths_file", "File of newline delimited regexes for regpaths")]
    optional_args = [("-v", "--verbose", "store_true", False, "verbose", "Enable verbose output")]
    main_helper("Subscribe to message bus events and for each registry modification that matches one of our supplied regexes, go retrieve value.",
                main,
                custom_required=required_args,
                custom_optional=optional_args)
Exemplo n.º 26
0
def main(cb, args):
    for (proc, events) in cb.process_search_and_events_iter(
            r"process_name:cmd.exe (filemod:*.exe or filemod:*.dll)"):
        filemods = events.get('process', {}).get('filemod_complete', [])
        for filemod in filemods:

            print filemod
            # TODO -- figure out fields
            action, timestamp, filepath, md5, junk1, junk2 = filemod.split('|')

            filepath = filepath.lower()
            if not filepath.endswith(".exe") or not filepath.endswith(".dll"):
                continue

            if action == "1":
                action = "CREATE"
            elif action == "2":
                action = "MODIFY"
            elif action == "4":
                action = "DELETE"
            elif action == "8":
                action = "EXECUTABLE_WRITE"

            print "%s,%s,%s,%s,%s,%s" % (timestamp, proc['hostname'],
                                         proc['username'], proc['path'],
                                         filepath, action)


if __name__ == "__main__":
    main_helper("Search for cmd.exe writing to exe and dll filepaths", main)