I hereby claim:
- I am jgarman on github.
- I am jgarman (https://keybase.io/jgarman) on keybase.
- I have a public key ASAbrLDfDrbMik5YXbyihYvR3-X36ctxXK_ynBrru8Kxewo
To claim this, I am signing this object:
from cbapi.protection import CbEnterpriseProtectionAPI, FileCatalog, Computer, FileInstance | |
from cbapi.errors import ObjectNotFoundError | |
import sys | |
import time | |
# set up DEBUG logging | |
import logging | |
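# Route every log record to stderr at DEBUG level.
# The original attached the StreamHandler but never called setLevel, so the
# root logger stayed at its WARNING default and the "DEBUG logging" promised
# by the comment above was never actually emitted.
# NOTE(review): DEBUG output from HTTP client libraries can include request
# headers, i.e. the API token -- keep this out of shared or persisted logs.
root = logging.getLogger()
root.setLevel(logging.DEBUG)
root.addHandler(logging.StreamHandler())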
#!/usr/bin/env python | |
""" | |
Given a sensor ID and a file path, delete the file. This performs no logging | |
and returns no status. It is generally unhelpful and not a template upon which | |
you want to build. But if the file is present and not locked it will be | |
destroyed :) | |
""" | |
import argparse |
__author__ = 'jgarman' | |
import cbapi | |
import sys | |
import csv | |
# get these keys from http://www.nthelp.com/40/autorun.htm
# NOTE(review): the triple-quoted string below is not a raw string; it works only because
# sequences like \S, \W, \M are invalid escapes that Python keeps literally (newer Python
# versions warn about this). A raw string r'''...''' would make the registry paths unambiguous.
autoruns = '''HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | |
HKLM\Software\Microsoft\Windows\CurrentVersion\Run | |
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce |
cmdline:"xpcproxy /System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc/Contents/MacOS/writeconfig" os_type:osx |
from cbapi2 import CbApi2 | |
# Build the API client.
# NOTE(review): ssl_verify=False disables certificate validation and the URL is
# plain http, so the API token crosses the wire unencrypted and unauthenticated;
# against a real server use https and ssl_verify=True. debug=True makes the
# client chatty, which may echo the token into logs.
cb = CbApi2("http://cb.example.com", "API_TOKEN", ssl_verify=False, debug=True)

# Every svchost.exe execution whose image is not one of the two legitimate
# Windows system copies (System32 / SysWOW64).
svchost_query = 'process_name:svchost.exe -path:c:\\windows\\system32\\svchost.exe -path:c:\\windows\\syswow64\\svchost.exe'

for hit in cb.process_search(svchost_query):
    print hit.start, hit.hostname, hit.path
import cbapi | |
# Connect to the Cb server on cbserver.local.
# NOTE(review): ssl_verify=False turns off certificate validation even though
# the URL is https, so an on-path attacker can present any certificate and
# capture the API token; prefer ssl_verify=True (or a pinned CA bundle) for
# anything beyond a throwaway lab. The trailing dot makes the name fully
# qualified (no search-domain expansion).
server_url = "https://cbserver.local."
api_token = "API_TOKEN"
cb = cbapi.CbApi(server_url, token=api_token, ssl_verify=False)
while True: | |
# find all executions of a process named "svchost.exe" not in a Windows System directory | |
procs = cb.process_search('process_name:svchost.exe -path:c:\\windows\\system32\\svchost.exe -path:c:\\windows\\syswow64\\svchost.exe', start=start) | |
if len(procs["results"]) == 0: |
I hereby claim:
To claim this, I am signing this object: