# Forensics - Run Process Investigator on Linux

__Notebook Version:__ 1.0<br>
__Python Version:__ Python 3.6 (including Python 3.6 - AzureML)<br>
__Required Packages:__ Azure 4.0.0<br>
__OS Supported:__<br>
    -  Linux
__Platforms Supported:__<br>
    -  Azure Notebooks Free Compute
    -  Azure Notebooks DSVM
__Data Source Required:__<br>
    -  no
    
### Description
The notebook provides sample code to use custom script extension to run Processor Investigator on Linux.

<font color=red>When you switch between Azure Notebooks Free Compute and Data Science Virtual Machine (DSVM), you may need to select Python version: please select Python 3.6 for Free Compute, and Python 3.6 - AzureML for DSVM.</font>

## Prerequisite check

In [None]:
# only run once, current version 0.1.2
!pip install --upgrade Sentinel-Utilities

In [None]:
import SentinelUtils
# checking Python version
check = SentinelUtils.version_management.ModuleVersionCheck()
py_check = check.validate_python('3.6.0')
if py_check.requirement_met == False:
    print('Please select Python 3.6 or Python 3.6 - AzureML at the upper right corner')
else:
    print('Please continue')

In [None]:
# checking required packages
mods_check = check.validate_installed_modules(['Azure>=4.0.0'])
for mod_info in mods_check:
    if mod_info.requirement_met == False:
        print('Please install {} {} at the following cell.'.format(mod_info.name, mod_info.required_version))

In [None]:
# Please install required packages based on the check at last cell
!pip install azure

## Table of Contents

1. Retrieve Azure Resource Information
2. Authentication to Azure Resource Management 
3. Create Blob Storage
4. Create VM Extension
5. Read Memory Dump Data
6. Delete VM Extension

## 1. Retrieve Azure Resource Information

In [None]:
path = %env PATH
dsvm = False
if '/dsvm/' in path:
    dsvm = True

# information from config.json
if dsvm == False:
    # Run this if you are using Free Compute
    tenant_id = SentinelUtils.config_reader.ConfigReader.read_config_values("config.json")[0]
    subscription_id = SentinelUtils.config_reader.ConfigReader.read_config_values("config.json")[1]
    resource_group = SentinelUtils.config_reader.ConfigReader.read_config_values("config.json")[2]
else:
    # Run this if you are using DSVM.  You need to copy the values from config.json, if the file has no value, then you need to go to Log Analytics Portal to get the information.
    tenant_id = input('tenant_id:')
    subscription_id = input('subscription_id:')
    resource_group = input('resource_group:')

## 2. Authentication to Azure Resource Management

In [None]:
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.compute import ComputeManagementClient
from azure.mgmt.network import NetworkManagementClient
from azure.mgmt.compute.models import DiskCreateOption
from azure.mgmt.storage import StorageManagementClient

1. Select Authentication Methods<br>
If multi-factors authentication is enabled for your tenant, you must use Service Principal to authentication to Azure resource management.  Otherwise, you may choose either Service Principal or User ID/Password.

In [None]:
import ipywidgets as widgets
from IPython.display import display
auth_method = ['User ID/Password', 'Service Principal']
selected_auth = widgets.Dropdown(options=auth_method, value=auth_method[0],description='Auth Method:')
display(selected_auth)

2. Authentication

In [None]:
if selected_auth.value == 'Service Principal':
    credentials = ServicePrincipalCredentials(
        client_id=input('client_id:'), 
        secret=input('secret:'), 
        tenant=tenant_id)
else:
    from azure.common.credentials import UserPassCredentials
    import getpass
    uid = input('User ID:')
    pwd = getpass.getpass()
    credentials = UserPassCredentials(uid, pwd)
    
client = ResourceManagementClient(credentials, subscription_id)

## 3. Create Blob Storage

In [None]:
resource_group_client = ResourceManagementClient(credentials, subscription_id)
storage_client = StorageManagementClient(credentials, subscription_id)

1. Storage Account

In [None]:
import ipywidgets as widgets
from IPython.display import display
storage_account_creation = ['Creating new account', 'Using exist account']
selected_method = widgets.Dropdown(options=storage_account_creation, value=storage_account_creation[0],description='storage_account_creation:')
display(selected_method)

In [None]:
storage_account = None
if selected_method.value == 'Creating new account':
    # usert input storage account name
    storage_account_name = input('storage_account_name:')
    account_availability = storage_client.storage_accounts.check_name_availability(storage_account_name)
    if account_availability.name_available == False:
        print('Account already exist, please re-run this cell')
    else:
        storage_params = azure.mgmt.storage.models.StorageAccountCreateParameters(
            sku=Sku(name='standard_lrs'),
            kind=Kind.storage,
            location='eastus'
        )
        async_storage_creation = storage_client.storage_accounts.create(
            resource_group,
            storage_account_name,
            storage_params
        )
        storage_account = async_storage_creation.result()    
        print(storage_account)
else:
    storage_account_list = storage_client.storage_accounts.list_by_resource_group(resource_group)
    existing_storage_account_names = [item.name for item in storage_account_list]
    import ipywidgets as widgets
    from IPython.display import display
    selected_storage_account_name = widgets.Dropdown(options=existing_storage_account_names, value=existing_storage_account_names[0],description='existing_storage_accounts:')
    display(selected_storage_account_name)

2. Get Storage Account Key

In [None]:
if storage_account is None:
    storage_account = storage_client.storage_accounts.get_properties(resource_group, selected_storage_account_name.value)

storage_keys = storage_client.storage_accounts.list_keys(resource_group, storage_account.name)
primary_storage_key = {v.key_name: v.value for v in storage_keys.keys}['key1']

3. Blob Storage Container

In [None]:
import ipywidgets as widgets
from IPython.display import display
blob_container_creation = ['Creating new container', 'Using exist container']
selected_blob_method = widgets.Dropdown(options=blob_container_creation, value=blob_container_creation[0],description='blob_container_creation:')
display(selected_blob_method)

In [None]:
from azure.storage.blob import BlockBlobService, PageBlobService, AppendBlobService
from azure.storage.blob.models import BlobBlock, ContainerPermissions, ContentSettings

container = None
block_blob_service = BlockBlobService(account_name=storage_account.name, account_key=primary_storage_key) 
blob_container_name = input('blob_container_name:')
    
blob_container = None
if selected_blob_method.value == 'Creating new container':
    container = block_blob_service.create_container(blob_container_name) 
else:
    containers = block_blob_service.list_containers(blob_container_name)
    container = next(c for c in containers if c.name == blob_container_name)

In [None]:
from datetime import datetime, timedelta
container_permission = ContainerPermissions(read=True, write=True, list=True)
sas_url = block_blob_service.generate_container_shared_access_signature(container_name = blob_container_name, permission=container_permission, protocol='https', start=datetime.now(), expiry=datetime.now() + timedelta(days=1))
print(sas_url)

In [None]:
upload_container_path = 'https://' + storage_account.name + '.blob.core.windows.net/' + blob_container_name + '/windows/piresults.json?' + sas_url
print(upload_container_path)

## 4. Create VM Extension

1. Initialization

In [None]:
resource_group_client = ResourceManagementClient(credentials, subscription_id)
compute_client = ComputeManagementClient(credentials, subscription_id)
network_client = NetworkManagementClient(credentials, subscription_id)

In [None]:
# User input
vm_extension_name = 'sentinelmemoryinvestigator'
vm_name = input('vm_name:')

2. Get Vm extension Information

In [None]:
vm = compute_client.virtual_machines.get(resource_group, vm_name, expand='instanceView')
ext = vm.instance_view.extensions

In [None]:
# DEBUG
print(vm.os_profile.windows_configuration)

In [None]:
def has_vm_agent(vm):
    try:
        return vm.instance_view.vm_agent is not None
    except:
        return False

In [None]:
def has_vm_extensions(vm):
    try:
        return vm.instance_view.extensions is not None
    except:
        return False
    
def get_customscript_extensions(vm):
    try:
        exts = vm.instance_view.extensions
        if exts is not None:
            return list(ext for ext in exts if ext.type == 'Microsoft.Azure.Extensions.CustomScript')
        else:
            return None
    except:
        return None
    
def delete_vm_extension():
    async_vm_extension_delete = compute_client.virtual_machine_extensions.delete(resource_group, vm_name, vm_extension_name)
    vm_ext_delete = async_vm_extension_delete.result()

In [None]:
if has_vm_agent(vm) == False:
    print('No guest agent on the VM, VM Extension does not support')
else:
    exts = get_customscript_extensions(vm)
    if get_customscript_extensions(vm) is not None:
        print('VM has custom script extension installed already, need to delete the VM extension first to continue')
    else:
        print('Continue')

In [None]:
# Delete VM Extension
async_vm_extension_delete = delete_vm_extension()

3. Create VM Extension on Linux VM

In [None]:
# Set CIS endpoint VMExtensionProperties
api_version = '2018-06-01'
command_key = 'commandToExecute'
command_to_execute = 'powershell -File installNotebookExtension.ps1 "' + upload_container_path + '" >> out.txt'
type_handler_version = '1.9'
type_publisher = 'Microsoft.Compute'
resource_type = 'virtualMachines'
extension_type = 'CustomScriptExtension'
file_uris = ['https://pinotebookresults.blob.core.windows.net/results/installNotebookExtension.ps1?sp=r&st=2019-03-28T21:34:09Z&se=2019-06-01T05:34:09Z&spr=https&sv=2018-03-28&sig=83jlp%2Fr%2BVcuGRLRij6jssqMerCgkk2pp0s007sLUPpM%3D&sr=b', 'https://pinotebookresults.blob.core.windows.net/results/piextension.zip?sp=r&st=2019-03-28T21:44:08Z&se=2019-06-01T05:44:08Z&spr=https&sv=2018-03-28&sig=UoBRXLRK9C4xurBjYu%2FkqqlkjCSi%2B3FlmFiWcsqlu6E%3D&sr=b']

In [None]:
# Add settings
import json
protected_settings = {}
protected_settings[command_key] = command_to_execute

settings = {}
settings['fileUris'] = file_uris

In [None]:
# Initialize VM Extension object
import azure
vm_extensions = azure.mgmt.compute.models.VirtualMachineExtension(
    location = vm.location,
    publisher = type_publisher,
    virtual_machine_extension_type = extension_type,
    type_handler_version = type_handler_version,
    auto_upgrade_minor_version = True,
    settings = settings,
    protected_settings = protected_settings
)

In [None]:
# Create VM extension
async_vm_extension_creation = compute_client.virtual_machine_extensions.create_or_update(
        resource_group,
        vm.name,
        vm_extension_name,
        vm_extensions
    )

vm_ext = async_vm_extension_creation.result()

In [None]:
# Check VM extension creation status
print(vm_ext.provisioning_state)

## 5. Read Memory Dump Data

In [None]:
import requests
import json
import pandas as pd
from pandas.io.json import json_normalize

try:
    response = requests.get(upload_container_path)
    response.encoding = response.apparent_encoding
    start_of_json = response.text.index('{')
    raw_json = response.text[start_of_json::]
    resJson = json.loads(raw_json)
except Exception as e:
    print(e)

In [None]:
# DEBUGGING
#start_of_json = response.text.index('{')
#print(response.text[start_of_json::])

1. Machine Information

In [None]:
df_machine = json_normalize(resJson['machine'])
display(df_machine)

2. Procrss List

In [None]:
df_process_list = json_normalize(resJson['processList'])
display(df_process_list)

3. Conclusion

In [None]:
df_stats = json_normalize(resJson['scanSummary'])
display(df_stats)

## 6. Delete VM Extension as a final step

In [None]:
async_vm_extension_delete = delete_vm_extension()