Python CbAPI autoruns report
# Gist author metadata; nothing else in this script reads it.
__author__ = 'jgarman'
import csv
import os
import sys

import cbapi
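# Registry autorun locations to query, one per line. Get these keys from
# http://www.nthelp.com/40/autorun.htm
#
# Raw string on purpose: in a plain literal the backslash pairs below
# ("\S", "\M", "\W", "\C", "\P", "\E", "\R") are invalid escape sequences.
# They happen to be kept verbatim today, but newer Python versions warn
# about them and may eventually reject them; the raw prefix makes the
# value unambiguous without changing it.
autoruns = r'''HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
'''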
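# Connection settings for our Cb server.
# TODO - fill these in with your server and API key, or export CB_SERVER and
# CB_TOKEN in the environment so the API token does not have to be written
# into this file (it is a credential: keep it out of version control).
# The hard-coded values are only fallbacks and match the original defaults.
cb_server = os.environ.get("CB_SERVER", "https://mycbserver")
cb_token = os.environ.get("CB_TOKEN", "xxx")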
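def convert_autoruns(a):
    r"""Turn the newline-separated autoruns list into regmod search patterns.

    Each whitespace-separated entry has its first five characters dropped --
    the ``HKLM\`` / ``HKCU\`` hive prefix in the list above -- and ``\*`` is
    appended as a wildcard so the query covers anything beneath that key.

    Args:
        a: Multi-line string with one registry key per line.

    Returns:
        list[str]: Unique patterns in first-seen order. Entries that collapse
        to the same pattern (the same path under HKLM and HKCU) appear once,
        so the same search is not run twice.
    """
    seen = set()
    ordered = []
    for key in a.split():
        # Fixed 5-character strip assumes the 4-letter hive abbreviation plus
        # the backslash; longer hive names (HKEY_LOCAL_MACHINE\...) would not
        # be handled, which matches the original behaviour.
        pattern = key[5:] + r'\*'
        if pattern not in seen:
            # Explicit seen-set instead of list(set(...)): the set's iteration
            # order is not stable across runs (str hashing is randomised per
            # process on Python 3), which made the report's row order vary.
            seen.add(pattern)
            ordered.append(pattern)
    return ordered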
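def search_for_autorun(key, ssl_verify=False):
    """Return one row per process that modified registry pattern *key*.

    Args:
        key: A regmod search pattern as produced by convert_autoruns(). It is
            interpolated unquoted into the Cb query string, so pass only
            patterns from that list, not arbitrary user input.
        ssl_verify: Passed through to cbapi.CbApi. The default (False) keeps
            the original behaviour but disables TLS certificate validation on
            the connection that carries the API token; pass True once the
            server presents a certificate the client trusts.

    Returns:
        list[dict]: Rows with the keys ``timestamp``, ``command_line``,
        ``registry_key``, ``username`` and ``link`` -- the columns main()
        writes to the CSV.
    """
    c = cbapi.CbApi(cb_server, token=cb_token, ssl_verify=ssl_verify)
    rows = []
    for proc in c.process_search_iter('regmod:%s' % key):
        # proc['start'] looks like an ISO-8601 "YYYY-MM-DDTHH:MM:SSZ" stamp;
        # the T and Z are stripped so it reads as a plain date/time column.
        started = proc['start'].replace('T', ' ').replace('Z', '')
        rows.append({
            "timestamp": started,
            "command_line": proc['cmdline'],
            "registry_key": key,
            "username": proc["username"],
            # Link to the process in the Cb web console (the "#analyze" view).
            "link": "%s/#analyze/%s/1" % (cb_server, proc['id']),
        })
    return rows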
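def main(output_path="output.csv"):
    """Query Cb for every autorun key and write all matches to one CSV file.

    Args:
        output_path: Destination CSV. Defaults to ``output.csv`` in the
            current directory, as the original did.

    Returns:
        None, so ``sys.exit(main())`` exits with status 0 on success. Errors
        raised by cbapi or by opening the output file propagate unchanged.
    """
    # print(...) with a single argument behaves the same on Python 2 and 3,
    # so the script stays runnable on the Python 2 it was written for.
    print("Loading autoruns keys...")
    autorun_keys = convert_autoruns(autoruns)

    all_autoruns = []
    for key in autorun_keys:
        print("Searching Carbon Black for key %s..." % key)
        all_autoruns.extend(search_for_autorun(key))

    print("Writing CSV output to %s..." % output_path)
    # "wb" is the Python 2 csv idiom (the writer emits byte strings there);
    # on Python 3 this would need mode "w" with newline="".
    with open(output_path, "wb") as output_file:
        field_names = ("timestamp", "registry_key", "username",
                       "command_line", "link")
        writer = csv.DictWriter(output_file, fieldnames=field_names)
        writer.writeheader()
        writer.writerows(all_autoruns)
    print("Done writing...")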
if __name__ == "__main__":
    # Script entry point; main() returns None, which sys.exit() reports as 0.
    sys.exit(main())