You can use Live Response with the Carbon Black Cloud Python SDK to:
- Upload, download, or remove files
- Create, retrieve and remove registry entries
- Dump contents of physical memory
- Execute, terminate and list processes
Before any commands are sent to the Live Response session, the proper permissions need to be configured for the Custom Key that is used. The table below explains which permissions are needed for each of the SDK commands.

Command | Required Permissions | Explanation |
---|---|---|
Create LR session for device device.lr_session() | CREATE, READ org.liveresponse.session | CREATE is needed to start the LR session and READ is needed to check the status of the command |
Close session lr_session.close() | READ, DELETE org.liveresponse.session | DELETE is needed to terminate the LR session and READ is needed to check the status of the command |
Get Raw File lr_session.get_raw_file(...) | READ org.liveresponse.file | |
Get File lr_session.get_file(...) | READ org.liveresponse.file | |
Upload File lr_session.put_file(...) | CREATE, READ org.liveresponse.file | CREATE is needed to upload the file and READ is needed to check the status of the command |
Delete File lr_session.delete_file(...) | READ, DELETE org.liveresponse.file | DELETE is needed to delete the file and READ is needed to check the status of the command |
List Directory lr_session.list_directory(...) | READ org.liveresponse.file | |
Create Directory lr_session.create_directory(...) | CREATE, READ org.liveresponse.file | CREATE is needed to create the directory and READ is needed to check the status of the command |
Walk Directory lr_session.walk(...) | READ org.liveresponse.file | |
Kill Process lr_session.kill_process(...) | READ, DELETE org.liveresponse.process | DELETE is needed to kill the process and READ is needed to check the status of the command |
Create Process lr_session.create_process(...) | EXECUTE org.liveresponse.process OR EXECUTE org.liveresponse.process, READ, DELETE org.liveresponse.file | If wait_for_completion = False and wait_for_output = False, only EXECUTE is needed. Otherwise the file permissions are needed as well. |
List Processes lr_session.list_processes(...) | READ org.liveresponse.process | |
List Registry Keys and Values lr_session.list_registry_keys_and_values(...) | READ org.liveresponse.registry | |
List Registry Values lr_session.list_registry_values(...) | READ org.liveresponse.registry | |
Get Registry Value lr_session.get_registry_value(...) | READ org.liveresponse.registry | |
Set Registry Value lr_session.set_registry_value(...) | READ, UPDATE org.liveresponse.registry | UPDATE is needed to set/create the registry value and READ to check the status of the command |
Create Registry Key lr_session.create_registry_key(...) | CREATE, READ org.liveresponse.registry | CREATE is needed to create the key and READ to check the status of the command |
Delete Registry Key lr_session.delete_registry_key(...) | READ, DELETE org.liveresponse.registry | DELETE is needed to delete the key and READ to check the status of the command |
Delete Registry Value lr_session.delete_registry_value(...) | READ, DELETE org.liveresponse.registry | DELETE is needed to delete the value and READ to check the status of the command |
Memdump lr_session.memdump(...) | READ org.liveresponse.memdump, READ, DELETE org.liveresponse.file | The memdump command is made up of three commands: dumping the memory to a file on the remote machine, downloading the file to the local machine and deleting the remote file |
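A least-privilege pre-flight check built from the table above, added here as an example (not part of the SDK or its documentation): it computes which permissions a Custom API key is missing for a planned sequence of SDK calls, including the create_process wait-flag rule and the composite memdump command. The function names and the "ACTION resource" string form are this example's own; the create_process wait flags are assumed to default to True when not passed.

```python
"""Least-privilege pre-flight check for a Live Response workflow. Added example,
not part of the SDK or its docs: it encodes the permission table above, including
the create_process wait-flag rule and the composite memdump command, so a Custom
API key can be scoped to exactly the commands a script will issue."""
from typing import Dict, Iterable, Set, Tuple

_SESSION, _FILE = "org.liveresponse.session", "org.liveresponse.file"
_PROC, _REG = "org.liveresponse.process", "org.liveresponse.registry"

# SDK method name -> "ACTION resource" permissions it always needs (per the table).
STATIC_REQUIREMENTS: Dict[str, Set[str]] = {
    "lr_session": {f"CREATE {_SESSION}", f"READ {_SESSION}"},
    "close": {f"READ {_SESSION}", f"DELETE {_SESSION}"},
    "get_raw_file": {f"READ {_FILE}"},
    "get_file": {f"READ {_FILE}"},
    "put_file": {f"CREATE {_FILE}", f"READ {_FILE}"},
    "delete_file": {f"READ {_FILE}", f"DELETE {_FILE}"},
    "list_directory": {f"READ {_FILE}"},
    "create_directory": {f"CREATE {_FILE}", f"READ {_FILE}"},
    "walk": {f"READ {_FILE}"},
    "kill_process": {f"READ {_PROC}", f"DELETE {_PROC}"},
    "list_processes": {f"READ {_PROC}"},
    "list_registry_keys_and_values": {f"READ {_REG}"},
    "list_registry_values": {f"READ {_REG}"},
    "get_registry_value": {f"READ {_REG}"},
    "set_registry_value": {f"READ {_REG}", f"UPDATE {_REG}"},
    "create_registry_key": {f"CREATE {_REG}", f"READ {_REG}"},
    "delete_registry_key": {f"READ {_REG}", f"DELETE {_REG}"},
    "delete_registry_value": {f"READ {_REG}", f"DELETE {_REG}"},
    # memdump writes a file on the endpoint, downloads it, then deletes it.
    "memdump": {"READ org.liveresponse.memdump", f"READ {_FILE}", f"DELETE {_FILE}"},
}


def required_permissions(command: str, **kwargs) -> Set[str]:
    """Permissions one SDK call needs; create_process depends on its wait flags."""
    if command == "create_process":
        needed = {f"EXECUTE {_PROC}"}
        # Table: only EXECUTE if both waits are False; otherwise file READ/DELETE too
        # (assumption: both flags default to True when omitted).
        if kwargs.get("wait_for_completion", True) or kwargs.get("wait_for_output", True):
            needed |= {f"READ {_FILE}", f"DELETE {_FILE}"}
        return needed
    return set(STATIC_REQUIREMENTS[command])


def missing_permissions(granted: Iterable[str], plan: Iterable[Tuple[str, dict]]) -> Set[str]:
    """Permissions the key lacks for a plan of (command, kwargs) steps."""
    needed: Set[str] = set()
    for command, kwargs in plan:
        needed |= required_permissions(command, **kwargs)
    return needed - set(granted)
```

Run the planned steps through missing_permissions before the script is deployed; an empty result means the key is sufficient, and a key granting more than the union of required_permissions over the plan is over-scoped.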
To send commands to an endpoint, first establish a "session" with a device. Connect to a device by querying the Device object.
>>> from cbc_sdk import CBCloudAPI
>>> api = CBCloudAPI(profile='sample')
>>> from cbc_sdk.platform import Device
>>> device = api.select(Device).first()
>>> lr_session = device.lr_session()
Once a session is established, create a directory and upload a file to that directory. The list directory command returns the content of the directory, including the uploaded file.
>>> lr_session.create_directory('C:\\\\demo\\\\')
>>> lr_session.put_file(open("demo.txt", "rb"), 'C:\\\\demo\\\\demo.txt')
>>> directories = lr_session.list_directory('C:\\\\demo\\\\')
>>> for directory in directories:
...     print(f"{directory['attributes'][0]} {directory['filename']}")
...
DIRECTORY .
DIRECTORY ..
ARCHIVE demo.txt
Note that the creation of the directory will fail if the directory already exists.
Next, get the contents of the file and then delete the file and the directory.
>>> contents = lr_session.get_file('C:\\\\demo\\\\demo.txt')
>>> lr_session.delete_file('C:\\\\demo\\\\demo.txt')
>>> lr_session.delete_file('C:\\\\demo\\\\')
Note: you can also delete a directory with the delete file command.
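The create/upload/list/get/delete sequence above, wrapped as an added example (not code from the SDK or its documentation) so that the directory is created only when it does not already exist, the upload is verified in the listing, and everything the run created is removed even when a later step fails. The helper names stage_and_read, remote_directory_exists and _with_sep are this example's own; lr_session is assumed to be the object returned by device.lr_session(), whose list_directory entries carry the attributes and filename keys shown above, and the caller still closes the session afterwards with lr_session.close().

```python
"""Stage a file on an endpoint over Live Response, read it back and clean up.
Added example, not from the SDK or its docs: it wraps the create_directory,
put_file, list_directory, get_file and delete_file sequence above so that the
directory is created only when missing (create_directory fails if it exists)
and everything this run created is removed even when a later step fails."""
import io
import ntpath


def _with_sep(path: str) -> str:
    """Normalise a Windows path to exactly one trailing backslash."""
    return path.rstrip("\\") + "\\"


def remote_directory_exists(lr_session, remote_dir: str) -> bool:
    """True if remote_dir appears as a DIRECTORY entry in its parent's listing."""
    parent, name = ntpath.split(remote_dir.rstrip("\\"))
    return any(
        entry["filename"].lower() == name.lower() and "DIRECTORY" in entry["attributes"]
        for entry in lr_session.list_directory(_with_sep(parent))
    )


def stage_and_read(lr_session, data: io.IOBase, remote_dir: str, filename: str) -> bytes:
    """Upload data as remote_dir\\filename, confirm it is listed, return its contents."""
    remote_dir = _with_sep(remote_dir)
    remote_file = remote_dir + filename
    created_dir = uploaded = False
    if not remote_directory_exists(lr_session, remote_dir):
        lr_session.create_directory(remote_dir)
        created_dir = True
    try:
        lr_session.put_file(data, remote_file)
        uploaded = True
        listed = {e["filename"].lower() for e in lr_session.list_directory(remote_dir)}
        if filename.lower() not in listed:
            raise RuntimeError(f"{remote_file} is not visible after upload")
        return lr_session.get_file(remote_file)
    finally:
        # Remove only what this run created; a pre-existing directory is left alone.
        if uploaded:
            lr_session.delete_file(remote_file)
        if created_dir:
            lr_session.delete_file(remote_dir)  # delete_file also removes directories
```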
You can also execute commands to manage processes. Once you have established a session, you can check running processes.
>>> processes = lr_session.list_processes()
>>> for process in processes:
...     print(f"{process['process_pid']} {process['process_path']}")
...
42 c:\windows\explorer.exe
43 c:\windows\system32\svchost.exe
You can also create or kill a process.
>>> lr_session.create_process(r'cmd.exe /c "ping.exe -t 127.0.0.1"',
...                           wait_for_completion=False, wait_for_output=False)
>>> processes = lr_session.list_processes()
>>> for process in processes:
...     if 'ping.exe' in process['process_path']:
...         lr_session.kill_process(process['process_pid'])
...
Note: you must pass the PID of the process to kill it.
Find a full list of supported commands in the Live Response API documentation.
For tips on migrating from Live Response v3 to v6, check the migration guide.