Instantly share code, notes, and snippets.

Embed
What would you like to do?
grab cert sha256 identifiers from logs on-disk
#!/usr/bin/python
import glob
import gzip
certs = [
"2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",# apples
"33b9aee3b089c922952c9240a40a0daa271bebf192cf3f7d964722e8f2170e48",# santas - everything after this isn't included...
"15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153",# GoogleSoftwareUpdateAgent (~)
"1808a95f11169c7212a45b44c1c547c1f3e810915014bd892435253a3f8761ca",# Citrix ServiceRecords/ReceiverHelper
"259aba4c7924f2ae7b1770c00f0eafc0dc1b433c03ebb3ffa5c56ea9a7689d3b",# osqueryi
"2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2",# Dropbox/garcon
"380e6394a2cb49ec1b1aeb588bdddb6a4d031145e6754aa70e935aa64082def5",# Github Desktop/Atom
"4d60a649f7c6db9aa23690be8db2cc28211fa415feec62ccb91352050d800295",# QuickRadar
"61977d6006459c4cefe9b988a453589946224957bfc07b262cd7ca1b7a61e04e",# Apple MAS - Numbers, Keynote, OmniGraffle
"77198a84d6080082fb8d17468d5698b68b0b0dffc84f40d40fa067111e7aedf3",# AppSupport/CitrixOnline/GoToMeeting/G2MUpdate
"8fa5635d4d6d9f93a9a1631a8f90388f19771b7082c8d7b8de19cc694f1db1ec",# Skype For Business
"9c5e8b23cbdd0e7316fda612d120836041476ac91a28245f41611e74fe916ec1",# SuspiciousPackage
"adced5ef3635ab1debda86f02dc55e96cefedf7bd7fe7519f0a806092bf75873",# new MAU helpertool
"bf2b2fb5bbbffb3e73a35072ef78b5bd3da98c68d8ec1a6506c48a07b495f6f1",# Rest of office 2016
"c1b6c50a32bb4b266e6335b4f79b6a7265f2594bf356e0cf5f847492cecf854b",# Slack
"0caf42ad5cf856f4125a1e174692fce7d49a8f6acb70568f3bb53b69acdc979c"# JAMFyness
# "cbc7fc26dd84cf5c62f49ca21ef308d6e90ccc617169709d5db46471cd3ca291",# DaisyDisk
# "2d78ade98f19b5cee99c2eaa47745018b671c41a63da6941eb679db339753057",# Textmate
# "34e1933590ebd8b05a8c425327ed794bfff9f018008c19d247ccf94ea622b60b",# Cisco anyconnect/bin/vpnagentd -execv_instance
# "45fd79a19e12bbafeeaeaadd5a34ad7b2ea587f0edddfa75eca6329fa6575be8",# Mactracker
# "4f1c352e8f62316e649c42bb7dfae0917d6f73fa72cb86850883e8e2ed519c69",# Charles
# "537abaf0432a214b0495f712317b146eb18c0beb3b0e2255473abf2f8dbb2e3a",# VLC
# "9f9dd26b6ad69cd86438ee416d527b8a9ed871a2bd75cdf8f9cf2345a9cbeb38",# Wireshark
# "a7f86800e3a3a101ef20e2c4d20b01f2ec806b91038998f60d5db009ad26fc7c",# Logitech Control Center daemon
# "e38f2b2ad07738bb94ec7d59ffb6043193cf91624a49b346b95ea502a074dd0e",# Docker's Kitematic
# "ad9dba778a3a1204a02298193be3c8d184a6bdc0d10ae109dfaf356722b3cf92",# Kaleidoscope
# "c77028bbb406c9335ebb9361275f5b240e621e715a446f3cc217a7efdb766b55",# Box Sync appex
# "cb8a3c9b533f03e8fc56e0da1e9a170c4230511856f10f15b0f30f489949abc8",# TextExpander
# "f78a1cb259aec911960624aa7257547eb0e82d61121280b52d3f39a2af296173",# 1Password helper, SafariExtensionCompanion.appex, etc.
# "2f9a8a84c740c2ac6738b11c7036728a73beac00465a312d37ee703357aef168",# Spotify
# "b106238716b124b107a761f3adceed90af5d53b738948f400545dcc00232f90a",# firefox
# "81e1e4993c65c5b45f51254ebff0c994af015eeae8114eddc54dafe3ec363d57",# Fluidapp Apps
# "7d1f025af294fe33bdc37068a0729624fdeebec7fd4d9a8124ef7e970143a12f",# RazorSQL
# "44bad637bd9c257da0ff3a522b1c118f87e7aed8e9145373ae5d56f3069b1386",# Crashplan
# "0cf15940ebd239cc47a5d3d1d7ebcf4dba963299fc30511ae8146ffa3051db10",# CERTS: Cinch.app
# "ee8a210b8516be499b98367e13f40f2a378c601bafd975f4fc02682ae818d2e1",# AAMEE
# "c1816569a24d1c1bc8ed0ba25ed64a695ae324ee874e23e203af6a18d48e55e9",# VMWare Fusion
# "8ca982d17dea5180f225134ea207c521dccd753f70da86491c7f77cb3a091ba1",# PyCharm (CE)
# "7243f797cbb148f18ac081971bdd4afbae37821ca56a2e247cfd6c65a7aac3fd",# HP Print Dookie
# "30bf0b1e58616204fcb5aae19706653c991941a41f5c3f2ed2ff1b4a8578e700",# FV2 AuthPlugin
# "c6d6c77c3ef25999e2fcb2c93b87e9ea084565dcf4fd0ff0df19239dcc74751c",# MacID...
# "27838a249bb08f311ad81875242861b9de0d7a9cb632bd48f2251ec38269ec36",# TaskPaper
# "58a971b48a5ca3c9924c558bdc1f54bc014f2ee9a09fa6dff4aa0b819ab1e045",# iBarcoder app
# "259187ec002d9015f88abc6e6421027a202ea95c1960db91a0c54ac8dc0500f1",# bomgar-rep
]
all_loglines = []
santagzs = glob.glob('/var/log/santa.log.*')
for log in santagzs:
with gzip.open(log) as santalog:
all_loglines.extend(santalog.read().split())
output = []
with open('/var/log/santa.log') as santalog:
all_loglines.extend(santalog.readlines())
for line in all_loglines:
sha = line.partition('cert_sha256')[2]
path = line.partition('|path=')[2].partition('|')[0]
try:
if sha[0] == '=':
if not sha.startswith('=(null'):
if sha[1:65] not in certs:
certs.append(sha[1:65])
output.append(sha[1:65] + ',' + path)
except:
pass
print len(output)
print "\n".join(*[sorted(output)])
#!/usr/bin/python
import glob
import gzip
sip_dirs = ('/usr/bin', '/bin', '/usr/libexec', '/System', '/usr/sbin', '/sbin')
all_loglines = []
santagzs = glob.glob('/var/log/santa.log.*')
for log in santagzs:
with gzip.open(log) as santalog:
all_loglines.extend(santalog.read().splitlines())
all_shas = []
output = []
with open('/var/log/santa.log') as santalog:
all_loglines.extend(santalog.read().splitlines())
for line in all_loglines:
if not 'cert_sha256' in line:
# print line
sha = line.partition('|sha256')[2]
path = line.partition('|path=')[2].partition('|')[0]
try:
if sha[0] == '=':
if not sha.startswith('=(null'):
if sha[1:65] not in all_shas:
all_shas.append(sha[1:65])
if not path.startswith(sip_dirs):
output.append(sha[1:65] + ',' + path)
except:
pass
print len(all_shas)
print "\n".join(*[sorted(output)])
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment