# Carbon Black Evil PowerShell LSASS Query
#
# Polls a Carbon Black Response server and prints PowerShell processes that match
# a suspicious-command-line query AND have a crossproc event involving
# c:\windows\system32\lsass.exe (a common signature of credential dumping).
#
# Author: Jason Lang (@curi0usJack)
#
# Prereqs (Windows 10)
# Install bash on Win10
# sudo apt-get install python-pip
# sudo pip install --upgrade requests
# sudo pip install cbapi
# sudo pip install urllib3[secure] --upgrade
# create ~/.carbonblack/credentials.response (this holds the CB server URL and
# your API token, so restrict its permissions to your own user)
#
# Helpful Links
# https://developer.carbonblack.com/guide/enterprise-response/cbrestapiquickstart/
# https://github.com/carbonblack/cbapi
# https://cbapi.readthedocs.io/en/latest/
#
###
import sys
import time

import urllib3
from cbapi.response import *
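# NOTE(review): this silences urllib3's whole HTTPWarning family globally. It is
# usually added to hide InsecureRequestWarning when the cbapi credential profile
# sets ssl_verify=False; if that is the case here, the API token is sent to a
# server whose certificate is never validated, so an on-path attacker can
# capture it. Prefer trusting the CB server's CA (point ssl_verify at the CA
# bundle) and leaving warnings enabled. Kept as-is to preserve behaviour.
urllib3.disable_warnings()

# Connects using the profile in ~/.carbonblack/credentials.response.
cb = CbResponseAPI()

# unique_ids already alerted on. A set keeps the membership test O(1) for a
# monitor that is meant to run indefinitely.
foundevents = set()

# The magic. Update with your own hi-fi query that catches mimikatz-style
# PowerShell invocations with lsass.exe crossprocs.
# Boolean operators in the CB Response (Solr) query syntax are case-sensitive;
# the lowercase `or` that previously sat before cmdline:"-nop" would have been
# parsed as a search term rather than a disjunction, so it is `OR` here.
cbquery = 'process_name:powershell.exe AND (cmdline:*UseShellExecute* ' \
          'OR cmdline:*[string]::join* OR cmdline:"-exec bypass" OR cmdline:"-nop" OR cmdline:"-w 1")'
# Possible Mimikatz ORs
# (cmdline:"\"LogonUI.exe\" /flags:0x0") <-- Bad idea. Too many -+'s

# Raw string so the backslashes are literal under every Python version
# (non-raw "\w", "\s", "\l" are invalid escapes and warn on 3.12+); the value is
# identical to the original literal.
LSASS_PATH = r"c:\windows\system32\lsass.exe"

# Seconds between polls of the CB server.
POLL_INTERVAL = 60

print("\nCarbon Black PowerShell Mimikatz Query: {0}\n\n".format(cbquery))

while True:
    try:
        procs = cb.select(Process).where(cbquery)
        for proc in procs:
            # Already reported on an earlier poll; skip the extra API round trip
            # that fetching its crossprocs would cost.
            if proc.unique_id in foundevents:
                continue
            # Crossproc properties: [event.source_path, timestamp, event.type, event.target_path, event.privileges]
            crossprocs = Process(cb, proc.unique_id).crossprocs
            # Loop through the crossprocs looking for lsass.exe
            for event in crossprocs:
                # NOTE(review): this matches lsass.exe as the crossproc *source*.
                # If the intent is "PowerShell opened a handle to lsass.exe", the
                # relevant side may be event.target_path -- confirm against the
                # cbapi CbCrossProcEvent docs before relying on this as a detection.
                if event.source_path.lower() == LSASS_PATH:
                    found = "LSASS EVENT DETECTED: TIME:{0} HOST:{1} PROCESS:{2} USER:{3}".format(
                        proc.start, proc.hostname, proc.process_name, proc.username)
                    foundevents.add(proc.unique_id)
                    print(found)
                    # One alert per process is enough; stop scanning its crossprocs.
                    break
    except Exception as exc:  # top-level boundary: a transient API/network error must not kill the monitor
        sys.stderr.write("Poll failed ({0!r}); retrying in {1}s\n".format(exc, POLL_INTERVAL))
    # Sleep 60s
    time.sleep(POLL_INTERVAL)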