#!/usr/bin/env python
import os.path
import sys
import json
from datetime import datetime
import requests
TIMEFILE="/opt/splunk/etc/apps/redcanary_app_analysis/bin/redcanary.lastrun"
#TIMEFILE2="/opt/splunk/etc/apps/redcanary_app_analysis/redcanary2.lastrun"
:: Chain Reaction - Reactor
::
::
:: Tactic: Discovery
:: Technique: System Owner/User Discovery: https://attack.mitre.org/wiki/Technique/T1033
:: Single Endpoint
:: for /F "tokens=1,2" %%i in ('qwinsta /server:<COMPUTERNAME> ^| findstr "Active Disc"') do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
{
"da12b58c5b20b52bb3f7fe3fa545e236": {
"md5": ["da12b58c5b20b52bb3f7fe3fa545e236"]
},
"c5c68606e1e3baabb45644a34ceb36c6": {
"md5": ["c5c68606e1e3baabb45644a34ceb36c6"]
},
"3871d542cfac9dd8af62b8c05ea7304a": {
"md5": ["3871d542cfac9dd8af62b8c05ea7304a"]
},
{
"wmic": {
"process_name": ["wmic.exe"],
"cmdline": ["wmic shadowcopy delete"]
},
"Vssadmin": {
"process_name": ["vssadmin.exe"],
"cmdline": ["vssadmin delete shadows /all /quiet"]
},
"bcdedit": {
[POWERSHELL-DOWNLOAD-HUNT]
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
search = FileName=powershell.exe (CommandLine=*DownloadFile* OR CommandLine=*invoke-webrequest*) | stats values(CommandLine) as "commands" by ComputerName
@MHaggis
MHaggis / lolscripts.json
Last active July 9, 2018 13:51
lolscripts
{
"Cl_invocation.ps1": {
"cmdline": ["Cl_invocation.ps1"]
},
"manage-bde": {
"cmdline": ["manage-bde.vbs"]
},
"pubprn": {
"process_name": ["pubprn.vbs"]
},
@MHaggis
MHaggis / lolbins.json
Last active June 26, 2019 01:32
lolbins
{
"Powershell": {
"process_name": ["powershell.exe"]
},
"Utilman": {
"process_name": ["utilman.exe"]
},
"msiexec": {
"process_name": ["msiexec.exe"]
},
Source: https://www.splunk.com/blog/2017/11/03/you-can-t-hyde-from-dr-levenshtein-when-you-use-url-toolbox.html
Data type required: Carbon Black Response, CrowdStrike Falcon
`cb` process_path=*\\users\\*
| `ut_shannon(process_path)`
| where ut_shannon > 4.5
| stats values(ut_shannon) as "Shannon Entropy Score" by process_path, computer_name
| rename process_path as Process, computer_name as Endpoint
sourcetype="crowdstrike:falconhost:json" ImageFileName=*\\users\\*
@MHaggis
MHaggis / sensor-util.py
Created November 13, 2018 13:41
sensor-util.py collect system uptime
#!/usr/bin/env python
"""
OVERVIEW
Extract selected sensor information from Cb Response.
"""
import argparse
import csv
### Stats
| metadata type=sourcetypes index=carbonblack
`cb` | stats values(computer_name)
`cb` type=alert | stats values(docs{}.endpoint) by watchlist_name
`cb` notification_type="watchlist.hit.*" | stats values(watchlist_name)
`cb` | stats values(feed_name)