# Carbon Black Evil PowerShell LSASS Query
#
# Prints out malicious Powershell events that have a crossproc event for c:\windows\system32\lsass.exe
#
# Author: Jason Lang (@curi0usJack)
#
# Prereqs (Windows 10)
# Install bash on Win10
# sudo apt-get install python-pip
# sudo pip install --upgrade requests
# sudo pip install cbapi
# sudo pip install urllib3[secure] --upgrade
# create ~/.carbonblack/credentials.response (this file holds your Carbon Black API token: keep it readable only by you, e.g. chmod 600, and leave TLS verification on unless you have a specific reason not to)
#
# Helpful Links
# https://developer.carbonblack.com/guide/enterprise-response/cbrestapiquickstart/
# https://github.com/carbonblack/cbapi
# https://cbapi.readthedocs.io/en/latest/
#
###
from cbapi.response import *
import time
import urllib3
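# Path compared against each crossproc event (lower-cased before comparison).
# Raw string on purpose: "\w", "\s" and "\l" happen not to be escape
# sequences, so the non-raw form produced the same bytes, but newer Pythons
# warn on it and a later edit could silently change the path.
LSASS_PATH = r"c:\windows\system32\lsass.exe"

# Seconds to wait between Carbon Black queries.
POLL_INTERVAL_SECONDS = 60

# The magic. Update with your own hi-fi query that catches mimikatz events
# with lsass.exe crossprocs.
# Boolean operators in Carbon Black's Lucene-style query syntax are
# case-sensitive: a lowercase "or" (as the original had before "-nop") is read
# as a search term rather than an operator and silently narrows the match,
# so every operator here is uppercase.
cbquery = (
    'process_name:powershell.exe AND (cmdline:*UseShellExecute* '
    'OR cmdline:*[string]::join* OR cmdline:"-exec bypass" OR cmdline:"-nop" OR cmdline:"-w 1")'
)
# Possible Mimikatz ORs
# (cmdline:"\"LogonUI.exe\" /flags:0x0") <-- Bad idea. Too noisy.


def _lsass_crossproc(crossprocs):
    """Return True if any crossproc event lists LSASS as its ``source_path``.

    ``crossprocs`` is an iterable of cbapi crossproc events; only the
    ``source_path`` attribute is read (a missing/None value never matches),
    compared case-insensitively against ``LSASS_PATH``.

    NOTE(review): this mirrors the original check on ``source_path``. If the
    intent is "PowerShell opened a handle to lsass", the process acted upon is
    presumably the event's ``target_path`` -- confirm against cbapi's crossproc
    event fields before relying on this for detection.
    """
    return any((event.source_path or "").lower() == LSASS_PATH for event in crossprocs)


def _report_line(proc):
    """Format the one-line alert printed for a newly reported process."""
    return "LSASS EVENT DETECTED: TIME:{0} HOST:{1} PROCESS:{2} USER:{3}".format(
        proc.start, proc.hostname, proc.process_name, proc.username)


def _poll_once(cb, query, seen):
    """Run one query round; print and record each new matching process.

    ``seen`` is a set of ``str(proc.unique_id)`` values already reported and
    is mutated in place so later polls do not re-alert on the same process.
    (The original appended ``str(unique_id)`` but tested the raw ``unique_id``,
    so dedup only worked if the id was already a str; both sides are
    normalised here.) Returns the number of new alerts printed.
    """
    new_alerts = 0
    for proc in cb.select(Process).where(query):
        key = str(proc.unique_id)
        if key in seen:
            continue  # already reported; skip the crossproc fetch entirely
        # Re-wrapping by unique_id is kept from the original; presumably it
        # forces the full process document (with crossprocs) to be fetched.
        crossprocs = Process(cb, proc.unique_id).crossprocs
        if _lsass_crossproc(crossprocs):
            seen.add(key)
            print(_report_line(proc))
            new_alerts += 1
    return new_alerts


def main():
    """Poll Carbon Black forever, alerting once per process matching the query."""
    # Silences urllib3's HTTPWarning family, including InsecureRequestWarning.
    # That warning only fires when certificate verification is off (typically
    # ssl_verify=False in the cbapi credentials file). Hiding it does not make
    # the connection safe: the API token travels over it and anyone able to
    # intercept traffic to the server could read it. Prefer trusting the
    # server's CA so verification can stay on.
    urllib3.disable_warnings()
    cb = CbResponseAPI()
    seen = set()
    print("\nCarbon Black PowerShell Mimikatz Query: {0}\n\n".format(cbquery))
    while True:
        try:
            _poll_once(cb, cbquery, seen)
        except Exception as exc:
            # Top-level boundary of a long-running monitor: a transient API or
            # network error should be reported, not end the detection loop.
            # Ctrl-C (KeyboardInterrupt) is not an Exception and still exits.
            print("Poll failed ({0}); retrying in {1}s".format(exc, POLL_INTERVAL_SECONDS))
        time.sleep(POLL_INTERVAL_SECONDS)


if __name__ == "__main__":
    main()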