Skip to content

CiscoSecurity/amp-04-sha256-to-network-connections

master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

Gitter chat

SHA256 to Network Connections:

This script searches an AMP for Endpoints environment for computers that have seen a SHA256, it then fetches their trajectory and parses out the observed network connections associated with that SHA256. You must provide a SHA256 as a command line argument.

NOTE: For use in large environments with over 3000 endpoints it is possible to hit the hourly API rate limit and not get a complete list.

Before using you must update the following:

The authentication parameters are set in the api.cfg

  • client_id
  • api_key

Usage:

python sha256_to_network_connections.py 438b6ccd84f4dd32d9684ed7d58fd7d1e5a75fe3f3d12ab6c788e6bb0ffad5e7

Example script output:

Computers found: 2
Querying: Demo_AMP_Intel - 14dcfce3-9663-434d-9beb-c8836de035ce
Querying: Demo_Command_Line_Arguments_Kovter - 9fc87138-e65a-48cf-85c2-f5b8834e2109
  UDP 192.168.23.113:63678 -> 55.223.148.141:1900
  TCP 192.168.23.113:50308 -> 72.15.55.186:443
  TCP 192.168.23.113:50306 -> 6.196.65.123:443
  TCP 192.168.23.113:50186 -> 208.156.236.132:443
  TCP 40.80.145.38:80 <- 204.65.35.152:50238
  UDP 192.168.23.113:51082 -> 63.196.22.179:53
  TCP 192.168.23.113:50263 -> 55.217.246.42:443
  UDP 192.168.23.113:58041 -> 32.207.154.156:53

About

Searches an environment for a SHA256 and collects observed network connections

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages