@arubdesu
Last active April 8, 2021 20:34
grab cert sha256 identifiers from logs on-disk
#!/usr/bin/python
import glob
import gzip
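# SHA-256 fingerprints of signing certificates that are already accounted for.
# The log scan further down reports only cert_sha256 values missing from this
# list, and appends each newly seen value to it.
#
# Every active entry ends with a comma on purpose. Python concatenates adjacent
# string literals, so if the last active entry had no comma, un-commenting the
# entry below it would silently fuse two hashes into one 128-character string
# that matches nothing, and both certificates would be reported as unknown.
certs = [
    "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",  # apples
    "33b9aee3b089c922952c9240a40a0daa271bebf192cf3f7d964722e8f2170e48",  # santas - everything after this isn't included...
    "15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153",  # GoogleSoftwareUpdateAgent (~)
    "1808a95f11169c7212a45b44c1c547c1f3e810915014bd892435253a3f8761ca",  # Citrix ServiceRecords/ReceiverHelper
    "259aba4c7924f2ae7b1770c00f0eafc0dc1b433c03ebb3ffa5c56ea9a7689d3b",  # osqueryi
    "2a0417257348a20f96c9de0486b44fcc7eaeaeb7625b207591b8109698c02dd2",  # Dropbox/garcon
    "380e6394a2cb49ec1b1aeb588bdddb6a4d031145e6754aa70e935aa64082def5",  # Github Desktop/Atom
    "4d60a649f7c6db9aa23690be8db2cc28211fa415feec62ccb91352050d800295",  # QuickRadar
    "61977d6006459c4cefe9b988a453589946224957bfc07b262cd7ca1b7a61e04e",  # Apple MAS - Numbers, Keynote, OmniGraffle
    "77198a84d6080082fb8d17468d5698b68b0b0dffc84f40d40fa067111e7aedf3",  # AppSupport/CitrixOnline/GoToMeeting/G2MUpdate
    "8fa5635d4d6d9f93a9a1631a8f90388f19771b7082c8d7b8de19cc694f1db1ec",  # Skype For Business
    "9c5e8b23cbdd0e7316fda612d120836041476ac91a28245f41611e74fe916ec1",  # SuspiciousPackage
    "adced5ef3635ab1debda86f02dc55e96cefedf7bd7fe7519f0a806092bf75873",  # new MAU helpertool
    "bf2b2fb5bbbffb3e73a35072ef78b5bd3da98c68d8ec1a6506c48a07b495f6f1",  # Rest of office 2016
    "c1b6c50a32bb4b266e6335b4f79b6a7265f2594bf356e0cf5f847492cecf854b",  # Slack
    "0caf42ad5cf856f4125a1e174692fce7d49a8f6acb70568f3bb53b69acdc979c",  # JAMFyness
    # Entries below are commented out, so these certificates are NOT treated as
    # known and will show up in the report if they appear in the logs.
    # "cbc7fc26dd84cf5c62f49ca21ef308d6e90ccc617169709d5db46471cd3ca291",# DaisyDisk
    # "2d78ade98f19b5cee99c2eaa47745018b671c41a63da6941eb679db339753057",# Textmate
    # "34e1933590ebd8b05a8c425327ed794bfff9f018008c19d247ccf94ea622b60b",# Cisco anyconnect/bin/vpnagentd -execv_instance
    # "45fd79a19e12bbafeeaeaadd5a34ad7b2ea587f0edddfa75eca6329fa6575be8",# Mactracker
    # "4f1c352e8f62316e649c42bb7dfae0917d6f73fa72cb86850883e8e2ed519c69",# Charles
    # "537abaf0432a214b0495f712317b146eb18c0beb3b0e2255473abf2f8dbb2e3a",# VLC
    # "9f9dd26b6ad69cd86438ee416d527b8a9ed871a2bd75cdf8f9cf2345a9cbeb38",# Wireshark
    # "a7f86800e3a3a101ef20e2c4d20b01f2ec806b91038998f60d5db009ad26fc7c",# Logitech Control Center daemon
    # "e38f2b2ad07738bb94ec7d59ffb6043193cf91624a49b346b95ea502a074dd0e",# Docker's Kitematic
    # "ad9dba778a3a1204a02298193be3c8d184a6bdc0d10ae109dfaf356722b3cf92",# Kaleidoscope
    # "c77028bbb406c9335ebb9361275f5b240e621e715a446f3cc217a7efdb766b55",# Box Sync appex
    # "cb8a3c9b533f03e8fc56e0da1e9a170c4230511856f10f15b0f30f489949abc8",# TextExpander
    # "f78a1cb259aec911960624aa7257547eb0e82d61121280b52d3f39a2af296173",# 1Password helper, SafariExtensionCompanion.appex, etc.
    # "2f9a8a84c740c2ac6738b11c7036728a73beac00465a312d37ee703357aef168",# Spotify
    # "b106238716b124b107a761f3adceed90af5d53b738948f400545dcc00232f90a",# firefox
    # "81e1e4993c65c5b45f51254ebff0c994af015eeae8114eddc54dafe3ec363d57",# Fluidapp Apps
    # "7d1f025af294fe33bdc37068a0729624fdeebec7fd4d9a8124ef7e970143a12f",# RazorSQL
    # "44bad637bd9c257da0ff3a522b1c118f87e7aed8e9145373ae5d56f3069b1386",# Crashplan
    # "0cf15940ebd239cc47a5d3d1d7ebcf4dba963299fc30511ae8146ffa3051db10",# CERTS: Cinch.app
    # "ee8a210b8516be499b98367e13f40f2a378c601bafd975f4fc02682ae818d2e1",# AAMEE
    # "c1816569a24d1c1bc8ed0ba25ed64a695ae324ee874e23e203af6a18d48e55e9",# VMWare Fusion
    # "8ca982d17dea5180f225134ea207c521dccd753f70da86491c7f77cb3a091ba1",# PyCharm (CE)
    # "7243f797cbb148f18ac081971bdd4afbae37821ca56a2e247cfd6c65a7aac3fd",# HP Print Dookie
    # "30bf0b1e58616204fcb5aae19706653c991941a41f5c3f2ed2ff1b4a8578e700",# FV2 AuthPlugin
    # "c6d6c77c3ef25999e2fcb2c93b87e9ea084565dcf4fd0ff0df19239dcc74751c",# MacID...
    # "27838a249bb08f311ad81875242861b9de0d7a9cb632bd48f2251ec38269ec36",# TaskPaper
    # "58a971b48a5ca3c9924c558bdc1f54bc014f2ee9a09fa6dff4aa0b819ab1e045",# iBarcoder app
    # "259187ec002d9015f88abc6e6421027a202ea95c1960db91a0c54ac8dc0500f1",# bomgar-rep
]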
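# Report signing-certificate fingerprints seen in the Santa logs that are not
# yet in `certs`, one "cert_sha256,path" line per certificate.
#
# NOTE(review): the published listing lost its indentation; the nesting below
# is reconstructed from the statement order -- confirm against the original.

# Gather every log line: rotated archives first, then the live log.
# NOTE(review): like the original, this assumes every file matching
# santa.log.* is gzip-compressed -- confirm against the host's log rotation.
all_loglines = []
for log in glob.glob('/var/log/santa.log.*'):
    with gzip.open(log) as santalog:
        # splitlines(), not split(): split() breaks on every space, which
        # separates a record's cert_sha256 field from its path= field whenever
        # any field value contains a space, so the reported path came out
        # empty or truncated for rotated logs.
        all_loglines.extend(santalog.read().splitlines())
with open('/var/log/santa.log') as santalog:
    # splitlines() also drops the trailing newline that readlines() kept.
    all_loglines.extend(santalog.read().splitlines())

hex_digits = '0123456789abcdefABCDEF'
output = []
for line in all_loglines:
    sha = line.partition('cert_sha256')[2]
    path = line.partition('|path=')[2].partition('|')[0]
    # Explicit guards replace the original bare `except: pass`, which existed
    # only to absorb the IndexError from sha[0] on lines without the field but
    # would also have hidden any other error.
    if not sha.startswith('=') or sha.startswith('=(null'):
        continue
    cert_sha = sha[1:65]
    # A truncated or corrupt record must not put a partial value into the
    # report: accept only a full 64-character hex digest.
    if len(cert_sha) != 64 or not all(ch in hex_digits for ch in cert_sha):
        continue
    if cert_sha not in certs:
        # Only the first path seen for each certificate is recorded; the same
        # certificate may have signed other binaries that are not listed.
        certs.append(cert_sha)
        output.append(cert_sha + ',' + path)

# Parenthesised single-argument print behaves the same under Python 2.
print(len(output))
print("\n".join(sorted(output)))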
#!/usr/bin/python
import glob
import gzip
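# Report binary SHA-256 values from Santa log lines that carry no cert_sha256
# field, one "sha256,path" line per hash, skipping paths under `sip_dirs`.
#
# NOTE(review): the published listing lost its indentation; the nesting below
# is reconstructed from the statement order -- confirm against the original.

# Directory trees left out of the report (presumably SIP-protected locations,
# going by the name -- confirm).
sip_dirs = ('/usr/bin', '/bin', '/usr/libexec', '/System', '/usr/sbin', '/sbin')
# Match on "dir/" rather than the bare prefix: a bare startswith('/bin') also
# matches sibling directories whose names merely begin with the same
# characters, which would hide their binaries from the report.
sip_prefixes = tuple(d + '/' for d in sip_dirs)

# Gather every log line: rotated archives first, then the live log.
# NOTE(review): assumes every file matching santa.log.* is gzip-compressed,
# as the original did -- confirm against the host's log rotation.
all_loglines = []
for log in glob.glob('/var/log/santa.log.*'):
    with gzip.open(log) as santalog:
        all_loglines.extend(santalog.read().splitlines())
with open('/var/log/santa.log') as santalog:
    all_loglines.extend(santalog.read().splitlines())

hex_digits = '0123456789abcdefABCDEF'
all_shas = set()  # set membership is O(1); len() is the same as for the list
output = []
for line in all_loglines:
    if 'cert_sha256' in line:
        continue
    sha = line.partition('|sha256')[2]
    path = line.partition('|path=')[2].partition('|')[0]
    # Explicit guards replace the original bare `except: pass`, which existed
    # only to absorb the IndexError from sha[0] on lines without the field but
    # would also have hidden any other error.
    if not sha.startswith('=') or sha.startswith('=(null'):
        continue
    binary_sha = sha[1:65]
    # A truncated or corrupt record must not put a partial value into the
    # report: accept only a full 64-character hex digest.
    if len(binary_sha) != 64 or not all(ch in hex_digits for ch in binary_sha):
        continue
    if binary_sha in all_shas:
        continue
    all_shas.add(binary_sha)
    # Only the first path seen for a hash is considered; if that first sighting
    # is under an excluded directory the hash is counted but never listed.
    if not path.startswith(sip_prefixes):
        output.append(binary_sha + ',' + path)

# The count covers every distinct hash, including those under excluded
# directories, so it can exceed the number of lines printed below.
# Parenthesised single-argument print behaves the same under Python 2.
print(len(all_shas))
print("\n".join(sorted(output)))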