Maxime Lamothe-Brassard maximelb
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import limacharlie | |
| import json | |
| import tempfile | |
| import os | |
| import shutil | |
| import shlex | |
| import subprocess | |
| ######################################################## | |
| # Setting This Up |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import limacharlie | |
| # The is_interactive allows us to do sensor.simpleRequest() calls | |
| # and get the response inline in this script. | |
| lc = limacharlie.Manager( is_interactive = True, inv_id = "init-artifact-col" ) | |
| for sensor in lc.sensors(): | |
| # If a sensor is offline, we'll just skip it. | |
| if not sensor.isOnline(): | |
| print( "skipping %s since it's not online" % ( sensor.sid, ) ) |
maximelb
/ sync_commands.py
Created
November 6, 2020 22:23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import limacharlie | |
| OID = "" | |
| KEY = "" | |
| lc = limacharlie.Manager( oid = OID, secret_api_key = KEY, is_interactive = True, inv_id = "simple_commands" ) | |
| for sensor in lc.sensors(): | |
| if not sensor.isOnline(): |
maximelb
/ detect.yaml
Created
July 30, 2020 23:27
Excel spawning a process that does an outbound connection.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| op: ends with | |
| event: NEW_PROCESS | |
| path: event/FILE_PATH | |
| value: excel.exe | |
| case sensitive: false | |
| with descendant: | |
| op: is | |
| event: NETWORK_CONNECTIONS | |
| path: event/NETWORK_ACTIVITY/IS_OUTGOING | |
| value: 1 |
maximelb
/ detect.yaml
Created
July 30, 2020 23:02
Detect a process with a descendant opening a specific dest port.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| op: ends with | |
| event: NEW_PROCESS | |
| path: event/FILE_PATH | |
| value: excel.exe | |
| case sensitive: false | |
| with descendant: | |
| op: is | |
| event: NETWORK_CONNECTIONS | |
| path: event/NETWORK_ACTIVITY/DESTINATION/PORT | |
| value: 22 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import limacharlie | |
| OID = "" | |
| KEY = "" | |
| DEVICE_TAG_PREFIX = "dev_" | |
| TAG_FOR_SECONDS = 60 * 60 * 24 * 365 * 10 # Just tag for 10y for now. | |
| lc = limacharlie.Manager( oid = OID, secret_api_key = KEY, is_interactive = True, inv_id = "dev_tagging" ) |