add live response example to watchlist_automation.py

carbonblack · Oct 13, 2016 · 50b6e32 · 50b6e32
1 parent 14d5b16
commit 50b6e32
Show file tree

Hide file tree

Showing 3 changed files with 90 additions and 89 deletions.
diff --git a/examples/response/event/event_responder.py b/examples/response/event/event_responder.py
diff --git a/examples/response/event/simple_event_listener.py b/examples/response/event/simple_event_listener.py
diff --git a/examples/response/event/watchlist_automation.py b/examples/response/event/watchlist_automation.py
@@ -28,36 +28,116 @@
 #  2015-10-23 by Jason McFarland jmcfarland@bit9.com
 #
 
-from cbapi.response import event, BannedHash
+from cbapi.response import event, BannedHash, Sensor
 from cbapi.event import on_event, registry
 from cbapi.example_helpers import get_cb_response_object, build_cli_parser
 import sys
 import time
-import os
 import json
+import shutil
+from tempfile import NamedTemporaryFile
+import sqlite3
 
 
-@on_event("watchlist.hit.binary")
-@on_event("watchlist.hit.process")
-def watchlist_callback(cb, event_type, event_data):
-    print("Received event type: {0} with data length {1} (from cb server {2})".format(event_type, len(event_data),
-          cb.url))
-    event_data = json.loads(event_data)
+def isolate_sensor(cb, sensor_id):
+    sensor = cb.select(Sensor, sensor_id)
+    sensor.network_isolation_enabled = True
+    sensor.save()
+    print("Successfully isolated sensor {} based on watchlist hit".format(sensor.hostname))
+
 
+def blacklist_binary(cb, md5hash):
     bh = cb.create(BannedHash)
-    bh.md5hash = event_data["docs"][0]["process_md5"]
-    bh.text = "banned via automated process!"
+    bh.md5hash = md5hash
+    bh.text = "Auto-Blacklist From Watchlist"
     bh.save()
+    print("Successfully banned binary MD5sum {} based on watchlist hit".format(md5hash))
+
+
+def perform_liveresponse(cb, sensor_id):
+    sensor = cb.select(Sensor, sensor_id)
+    with sensor.lr_session() as lr_session:
+        running_processes = lr_session.list_processes()
+
+        # get list of logged in users
+        users = set([proc['username'].split('\\')[-1]
+                     for proc in running_processes if proc['path'].find('explorer.exe') != -1])
+
+        for user in users:
+            print("10 Most Recent URLs visited in Chrome for user {0} on {1}:".format(user, sensor.hostname))
+
+            with NamedTemporaryFile(delete=False) as tf:
+                history_fp = lr_session.get_raw_file(
+                    "c:\\users\\%s\\appdata\\local\\google\\chrome\\user data\\default\\history" % user)
+                shutil.copyfileobj(history_fp, tf.file)
+                tf.close()
+                db = sqlite3.connect(tf.name)
+                db.row_factory = sqlite3.Row
+                cur = db.cursor()
+                cur.execute(
+                    "SELECT url, title, datetime(last_visit_time / 1000000 + (strftime('%s', '1601-01-01')), 'unixepoch') as last_visit_time FROM urls ORDER BY last_visit_time DESC")
+                urls = [dict(u) for u in cur.fetchall()]
+
+                for url in urls[:10]:
+                    print(url["url"])
+
+        print("")
+        print("Services running on {0}:".format(sensor.hostname))
+
+        running_services = lr_session.create_process("c:\\windows\\system32\\net.exe start")
+
+        print(running_services)
+        print("")
+
+
+@on_event("watchlist.hit.binary")
+def binary_callback(cb, event_type, event_data):
+    parsed_json = json.loads(event_data)
+    watchlist_name = parsed_json.get("watchlist_name", "")
+    docs = parsed_json.get("docs", [])
+    if type(docs) != list or len(docs) == 0:
+        return
+
+    if watchlist_name.startswith("ISOLATE:") or watchlist_name.startswith("LOCK:"):
+        for item in docs:
+            isolate_sensor(cb, item["sensor_id"])
+    if watchlist_name.startswith("BAN:") or watchlist_name.startswith("LOCK:"):
+        for item in docs:
+            blacklist_binary(cb, item["md5"])
+
+
+@on_event("watchlist.hit.process")
+def process_callback(cb, event_type, event_data):
+    parsed_json = json.loads(event_data)
+    watchlist_name = parsed_json.get("watchlist_name", "")
+    docs = parsed_json.get("docs", [])
+    if type(docs) != list or len(docs) == 0:
+        return
+
+    if watchlist_name.startswith("ISOLATE:") or watchlist_name.startswith("LOCK:"):
+        for item in docs:
+            isolate_sensor(cb, item["sensor_id"])
+    if watchlist_name.startswith("BAN:") or watchlist_name.startswith("LOCK:"):
+        for item in docs:
+            blacklist_binary(cb, item["process_md5"])
+    if watchlist_name.startswith("LIVERESPONSE:"):
+        # TODO: this is currently executed synchronously, blocking the receipt of further events until the
+        # Live Response session is done... a proper solution would spawn a background thread to do the LR session.
+        for item in docs:
+            perform_liveresponse(cb, item["sensor_id"])
 
 
 def main():
     parser = build_cli_parser("Event-driven example to BAN hashes, ISOLATE sensors, or LOCK (both ban & isolate) based on watchlist hits")
     args = parser.parse_args()
     cb = get_cb_response_object(args)
 
+    # event_source = event.RabbitMQEventSource(cb)
     event_source = event.FileEventSource(cb, "/tmp/output.json")
     event_source.start()
 
+    print("Listening on the event bus for watchlist hits")
+
     try:
         while True:
             time.sleep(10)