I hereby claim:
- I am jgarman on github.
- I am jgarman (https://keybase.io/jgarman) on keybase.
- I have a public key ASAbrLDfDrbMik5YXbyihYvR3-X36ctxXK_ynBrru8Kxewo
To claim this, I am signing this object:
from cbapi.protection import CbEnterpriseProtectionAPI, FileCatalog, Computer, FileInstance
from cbapi.errors import ObjectNotFoundError
import sys
import time
# set up DEBUG logging
# NOTE(review): this excerpt only attaches a StreamHandler to the root logger;
# no setLevel call is visible here, so whether DEBUG records actually appear
# depends on the level being raised somewhere else in the file — confirm.
import logging
root = logging.getLogger()
root.addHandler(logging.StreamHandler())
#!/usr/bin/env python
"""
Given a sensor ID and a file path, delete the file. This performs no logging
and returns no status. It is generally unhelpful and not a template upon which
you want to build. But if the file is present and not locked it will be
destroyed :)
"""
# Imports grouped PEP 8 style: standard library first, then the Cb API client,
# then module metadata.
import argparse
import csv
import sys

import cbapi

__author__ = 'jgarman'
| # get these keys from http://www.nthelp.com/40/autorun.htm | |
| autoruns = '''HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce |
| cmdline:"xpcproxy /System/Library/PrivateFrameworks/SystemAdministration.framework/XPCServices/writeconfig.xpc/Contents/MacOS/writeconfig" os_type:osx |
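from __future__ import print_function

import os

from cbapi2 import CbApi2

# The API token is read from the environment (variable name chosen for this
# script) so a real credential is never committed alongside the code; the
# literal placeholder is only a fallback for local experimentation.
# NOTE(review): the server URL is plain http:// and ssl_verify=False disables
# certificate validation, so the token and results travel unprotected — keep
# this pointed at a lab host only, or switch to https:// with verification on.
cb = CbApi2(
    "http://cb.example.com",
    os.environ.get("CB_API_TOKEN", "API_TOKEN"),
    ssl_verify=False,
    debug=True,
)

# find all executions of a process named "svchost.exe" not in a Windows System directory
procs = cb.process_search('process_name:svchost.exe -path:c:\\windows\\system32\\svchost.exe -path:c:\\windows\\syswow64\\svchost.exe')
for proc in procs:
    # print_function keeps the space-separated line identical on Python 2 and 3;
    # the bare Python 2 print statement is a SyntaxError on Python 3.
    print(proc.start, proc.hostname, proc.path)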
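import os

import cbapi

# Connect to the Cb server on cbserver.local.
# The API token is read from the environment (variable name chosen for this
# script) so a real credential is never committed alongside the code; the
# literal placeholder is only a fallback for local experimentation.
# NOTE(review): ssl_verify=False skips certificate validation on this HTTPS
# connection, so the token can be captured by anyone able to intercept the
# traffic — enable verification once the server has a trusted certificate.
cb = cbapi.CbApi(
    "https://cbserver.local.",
    token=os.environ.get("CB_API_TOKEN", "API_TOKEN"),
    ssl_verify=False,
)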
| while True: | |
| # find all executions of a process named "svchost.exe" not in a Windows System directory | |
| procs = cb.process_search('process_name:svchost.exe -path:c:\\windows\\system32\\svchost.exe -path:c:\\windows\\syswow64\\svchost.exe', start=start) | |
| if len(procs["results"]) == 0: |
I hereby claim:
To claim this, I am signing this object: