示例#1
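    def Run(md5, ssl_verify=False):
        """Look up *md5* in Carbon Black as a parent process and as a process.

        Runs two ``process_search`` queries (``parent_md5:<md5>`` and
        ``md5:<md5>``) against the Carbon Black server named in the config
        file and prints, for each hit, a deep link into the server's search UI.

        Args:
            md5: MD5 string handed over from Bit9. An empty or whitespace-only
                value is reported as "not captured" and no query is sent.
            ssl_verify: passed through to ``cbapi.CbApi``. Defaults to ``False``
                to keep the original behaviour (self-signed server certs), which
                sends the API token without validating the server; pass ``True``
                wherever the server certificate can be validated.

        Returns:
            None; results are printed.
        """
        launch = Launch()
        args = launch.get_args()
        cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)

        # Search-UI deep links. The original wrote "\#", an invalid escape that
        # left a literal backslash in the printed URL; the fragment marker is "#".
        parentmd5url = cbserverurl + "#search/cb.urlver=1&cb.q.parent_md5=%20"
        md5url = cbserverurl + "#search/cb.urlver=1&cb.q.md5=%20"
        cb = cbapi.CbApi(cbserverurl, token=cbapitoken, ssl_verify=ssl_verify)

        # The original only detected a trailing space; treat any blank value as
        # "Bit9 did not capture the MD5" so no empty query is sent.
        md5 = (md5 or "").strip()
        if not md5:
            print colored.red("[-] Bit9 did not capture the MD5 :(\n")
            return

        # NOTE(review): md5 is interpolated verbatim into the query and the
        # printed link; it is assumed to be a hex digest from Bit9 - confirm.
        parentquery = 'parent_md5:' + md5
        md5query = 'md5:' + md5

        print colored.yellow("[*] Checking if Parent MD5 process in Carbon Black...")
        parentresult = cb.process_search(parentquery, sort='start desc')
        if parentresult['total_results'] == 0:
            print colored.cyan("[+] Not a Parent MD5 process")
        else:
            cbparentmd5url = parentmd5url + md5 + "&sort=&rows=10&start=0"
            print colored.green("[+] Parent MD5 event found in Carbon Black.")
            print colored.cyan(cbparentmd5url)

        print colored.yellow("[*] Checking if MD5 seen in Carbon Black...")
        md5result = cb.process_search(md5query, sort='start desc')
        if md5result['total_results'] == 0:
            print colored.cyan("[+] Not seen in Carbon Black.")
        else:
            cbmd5url = md5url + md5 + "&sort=&rows=10&start=0"
            print colored.green("[+] MD5 Found in CB.")
            print colored.cyan(cbmd5url)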
示例#2
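    def Run(hashtype, value):
        """Look up a file hash in the Bit9 platform ``fileCatalog``.

        Args:
            hashtype: the catalog field to query: ``"md5"``, ``"sha1"`` or
                ``"sha256"``.
            value: the hash as a hex string of the length matching *hashtype*.

        Returns:
            The decoded JSON body of ``fileCatalog?q=<hashtype>:<value>``.

        Raises:
            ValueError: unsupported *hashtype*, or *value* is not hex of the
                expected length. (The original raised NameError for ``sha1``
                because ``sha1url`` was never defined, and UnboundLocalError
                for any other unknown type.)
            requests.HTTPError: from ``raise_for_status`` on a non-2xx reply.
        """
        # Expected hex length per catalog field; also defines the supported set.
        hex_lengths = {"md5": 32, "sha1": 40, "sha256": 64}
        if hashtype not in hex_lengths:
            raise ValueError("unsupported hash type: %r" % (hashtype,))

        # The value is interpolated into the query string; restricting it to a
        # hex digest of the right length keeps anything else out of the query.
        expected = hex_lengths[hashtype]
        value = str(value)
        if len(value) != expected or any(c not in "0123456789abcdefABCDEF" for c in value):
            raise ValueError("%s value must be %d hex characters" % (hashtype, expected))

        launch = Launch()
        args = launch.get_args()
        b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
        headers = {
            'X-Auth-Token': b9apitoken,
            'content-type': 'application/json',
        }
        url = b9serverurl + "/api/bit9platform/v1/fileCatalog?q=" + hashtype + ":" + value

        # Certificate verification stays on: the request carries the API token.
        r = requests.get(url, headers=headers, verify=True)
        r.raise_for_status()
        return r.json()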
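    def Run(computername, verify=False):
        """Query Carbon Black's ``/api/v1/sensor`` endpoint for a hostname.

        Args:
            computername: hostname to look up; sent as the ``hostname`` query
                parameter, URL-encoded by ``requests`` (the original
                concatenated it into the URL unencoded).
            verify: TLS certificate verification for the CB server. Defaults to
                ``False`` to match the original, which sends the API token
                without validating the server; use ``True`` where the server
                certificate is trusted.

        Returns:
            The decoded JSON body of the response.

        Raises:
            requests.HTTPError: on a non-2xx reply (the original would instead
                fail while decoding an error page as JSON).
        """
        launch = Launch()
        args = launch.get_args()
        cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)

        headers = {"X-Auth-Token": cbapitoken}
        resp = requests.get(cbserverurl + "/api/v1/sensor",
                            params={"hostname": str(computername)},
                            headers=headers,
                            verify=verify)
        resp.raise_for_status()
        return resp.json()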
示例#4
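 def do_6(self, args):
     """Menu option 6: check which hosts in a text file have Bit9 and/or CB.

     Prompts for the path of a text file of computer names and hands it to
     ``ComputerLookup``; a path that is not an existing file is reported and
     no lookup is run. *args* is the menu command's argument string and is
     unused here. (Fixes the "palth" typo in the prompt.)
     """
     print colored.magenta("[+] Enter path of text file: ")
     usercomputerfile = raw_input()
     # Resolved against the CWD, as the original did, before the check.
     if not os.path.isfile(os.path.abspath(usercomputerfile)):
         print colored.red("[-] " + usercomputerfile + " does not exist")
     else:
         ComputerLookup(usercomputerfile)
     Launch.show_logo2()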
示例#5
    def do_3(self, args):
        """Go through your environment's FireEye
        '[-] File INFO was identified by FireEye as malicious.' alerts.

        Per the author's (previously commented-out) description: check whether
        the hash is banned, check whether it was seen in Carbon Black, and
        prompt the user to ban the hash and/or certificate. *args* is the menu
        command's argument string and is unused here.
        """
        prompt = "10/20/30/40/etc. "
        print colored.magenta("[?] How many most recent alerts would you like to view?")
        # The raw string typed by the user is passed through unchanged;
        # FireEyeEvents is responsible for interpreting it.
        FireEyeEvents(raw_input(prompt))
        Launch.show_logo2()
示例#6
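    def Run(computername, verify=False):
        """Query Carbon Black's ``/api/v1/sensor`` endpoint for a hostname.

        Args:
            computername: hostname to look up; sent as the ``hostname`` query
                parameter, URL-encoded by ``requests`` (the original
                concatenated it into the URL unencoded).
            verify: TLS certificate verification for the CB server. Defaults to
                ``False`` to match the original, which sends the API token
                without validating the server; use ``True`` where the server
                certificate is trusted.

        Returns:
            The decoded JSON body of the response.

        Raises:
            requests.HTTPError: on a non-2xx reply (the original would instead
                fail while decoding an error page as JSON).
        """
        launch = Launch()
        args = launch.get_args()
        cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)

        headers = {"X-Auth-Token": cbapitoken}
        resp = requests.get(
            cbserverurl + "/api/v1/sensor",
            params={"hostname": str(computername)},
            headers=headers,
            verify=verify)
        resp.raise_for_status()
        return resp.json()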
示例#7
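    def Run(hashvalue, verify=False):
        """Look up an MD5 in the Bit9 platform ``fileCatalog``.

        Args:
            hashvalue: the MD5 as a 32-character hex string.
            verify: TLS certificate verification for the Bit9 server. Defaults
                to ``False`` to match the original (``b9StrongCert=False``),
                which sends the API token without validating the server; use
                ``True`` where the server certificate is trusted.

        Returns:
            The decoded JSON body of ``fileCatalog?q=md5:<hashvalue>``.

        Raises:
            ValueError: *hashvalue* is not 32 hex characters.
            requests.HTTPError: from ``raise_for_status`` on a non-2xx reply.
        """
        # The value is interpolated into the query string; restricting it to a
        # hex MD5 keeps anything else out of the query.
        hashvalue = str(hashvalue)
        if len(hashvalue) != 32 or any(c not in "0123456789abcdefABCDEF" for c in hashvalue):
            raise ValueError("md5 value must be 32 hex characters")

        launch = Launch()
        args = launch.get_args()
        b9serverurl, b9apitoken = launch.load_b9_config(args.configfile)
        headers = {
            'X-Auth-Token': b9apitoken,
            'content-type': 'application/json',
        }
        # The unused sha256 URL from the original was dropped; only md5 is queried.
        md5url = b9serverurl + "/api/bit9platform/v1/fileCatalog?q=md5:"

        r = requests.get(md5url + hashvalue, headers=headers, verify=verify)
        r.raise_for_status()
        return r.json()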
示例#8
import semanticnet as sn
from Launch.Launch import Launch
from Carbonblack.GetProcessReport import GetProcessReport
from Helpers.CreateTimeTable import CreateTimeTable
from Helpers.CreateTimeNodes import CreateTimeNodes
from Helpers.AddFileMods import AddFileMods
from Helpers.AddRegistryMods import AddRegistryMods
from Helpers.AddNetConns import AddNetConns
from Helpers.AddFileModThreatIntel import AddFileModThreatIntel
from Helpers.AddModulesLoaded import AddModulesLoaded
from Helpers.AddModulesLoadedThreatIntel import AddModulesLoadedThreatIntel

if __name__ == '__main__':
    graph = sn.Graph()
    graph.cache_nodes_by("label")
    launch = Launch()
    if len(sys.argv) == 1:
        launch.show_options()
        sys.exit()
    launch.show_logo()
    args = launch.get_args()
    #load CB API
    cb = launch.load_config_file(args.configfile)
    #Get process report for CB link

    report = GetProcessReport.Run(cb, args.link)
    #Create a timetable
    timetable, timelist = CreateTimeTable.Run(report)
    #Create time nodes to plot process activity on
    CreateTimeNodes.Run(graph, timelist)
    #Add modules loaded to time nodes
#!/usr/bin/env python
from Carbonblack.FindCBComputer import FindCBComputer
from Carbonblack.FindCBComputerGroup import FindCBComputerGroup
from Carbonblack.RemoveCBComputer import RemoveCBComputer
from Launch.Launch import Launch
from datetime import datetime, timedelta


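if __name__ == '__main__':
    # Entry point: remove Carbon Black sensors in one sensor group that have not
    # checked in for --daysoffline days. Indentation was a mix of tabs and
    # spaces in the original (rejected by Python 3); normalised to 4 spaces.
    # Pull in the Launch module and get cmdline args via argparse.
    launch = Launch()
    args = launch.get_args()
    cbserverurl, cbapitoken = launch.load_cb_config(args.configfile)
    now = datetime.now()

    # Computers in the sensor group selected by --groupid (the original comment
    # named group '6', "cloud-ops", but the id actually comes from the args).
    cblookup = FindCBComputerGroup.Run(str(args.groupid), cbserverurl, cbapitoken)
    # Loop-invariant threshold; int() fails early on a non-numeric argument.
    offline_after = timedelta(days=int(args.daysoffline))

    for computer in cblookup:
        # Skip sensors already flagged for uninstall.
        if computer['uninstall']:
            continue
        # last_checkin_time is truncated to seconds before parsing. Both sides
        # are naive datetimes, so this assumes the server reports times in this
        # host's local zone - TODO confirm; if the server uses UTC the offline
        # threshold is skewed by the UTC offset.
        lastcheckintime = datetime.strptime(str(computer['last_checkin_time'][:19]), "%Y-%m-%d %H:%M:%S")
        if now - lastcheckintime > offline_after:
            # NOTE(review): this is a destructive action with no dry-run; the
            # message below is the only record of what was removed.
            print computer['computer_name'] + " has not checked in in over " + str(args.daysoffline) + " days, removing."
            RemoveCBComputer.Run(computer['computer_name'], cbserverurl, cbapitoken)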