In [3]:
from splunk_connect import SplunkConnection
from splunk_search import SplunkSearch

In [5]:
import splunklib.client as splunkclient

class SplunkConnection:
    DEBUG = False

    def __init__(self):
        'create a Splunk service instance and log in'
        self.service = ""
        self.kwargs = self.get_credentials_from_rc()
        if self.DEBUG:
            print (self.kwargs)
        # connect requires keywords not positional args
        self.service = splunkclient.connect(**self.kwargs)
        if self.DEBUG:
            print ('service: ' , self.service)

    def get_credentials_from_rc(self):
        'read connection parameters from an rc file'
        '''to use: create a splunkrc file that has username, host, etc:
           username = somename
           host = myhost
           password = somepass
           ...
        '''
        kwargs = {}
        with open("c:\\projects\\python\splunk_py\\.splunkrc") as myfile:
            for line in myfile:
                name, var = line.partition("=")[::2]
                # by convention python comm likes to use kwargs as the
                # name of key word sweeper dictionary
                kwargs[name] = var.rstrip()
        return kwargs

    def get_app_names(self):
        'print installed apps to the console to verify login'
        app_list = []
        for app in self.service.apps:
            app_list.append(app.name)
        return app_list


In [4]:
import splunklib.results as results

class SplunkSearch:
    DEBUG = True

    def __init__(self,service):
        'create a Splunk service instance and log in'
        self.job = ''
        self.jobs = service.jobs

    def set_blocking_search(self,query, num_results):
        'place a blocking search on jobs collection'
        # num results can be 0 for no limit, or limited by num_results

        if num_results == 0:
            search = query
        else:
            search = query + ' | head ' + str(num_results)

        if self.DEBUG:
            print ('Query: ', search)

        kwargs = {"exec_mode": "blocking"}
        self.job = self.jobs.create(search, **kwargs)

    def set_search(self,num_results):
        pass


    def get_search_results(self):
        rr = results.ResultsReader(self.job.results())
        return rr




In [8]:
import pandas as pd
def driver():
    # create a connection to Splunk
    sc = SplunkConnection()
    # run a search
    ss = SplunkSearch(sc.service)
    # define the search in SPL
    query = 'search index=sysmon source="WinEventLog:Microsoft-Windows-Sysmon/Operational" | fields Hashes | fields - _*'
    # limit to 10 results (just for demo speed) and set the search
    ss.set_blocking_search(query,10)
    # set to a dataframe
    d = []
    for result in ss.get_search_results():
        d.append(result)
    df = pd.DataFrame(d)
    return df
  

In [12]:
df['SHA256']= df.Hashes.str.split(',').str[1].str.split('=').str[1]
df.SHA256

0    B70E8B7DDC7DC9AD850547776DCEC48E829959C10449FD...
1    670E3064127C622A748220249C427404B96BF29A930320...
2    29F00C4D8D36CC701B8D903C2341119A9BC2D614BDD8A6...
3    29F00C4D8D36CC701B8D903C2341119A9BC2D614BDD8A6...
4    34E5393E7ED503F97AC8E0E327E79590F46AA87BFF4FB1...
5    994811D828541A10D8B0265D325CE111959F3D9D234F90...
6    B282C60A794135C34E8CCA5BE765035BE365C331B91A18...
7    B70E8B7DDC7DC9AD850547776DCEC48E829959C10449FD...
8    670E3064127C622A748220249C427404B96BF29A930320...
9    29F00C4D8D36CC701B8D903C2341119A9BC2D614BDD8A6...
Name: SHA256, dtype: object

In [15]:
df['MD5']= df.Hashes.str.split(',').str[0].str.split('=').str[1]
df.MD5

0    465E59D0BE10B7FD0582C69D9F8F755F
1    201EF3ED68CBFFE77D099EC45B8B6ECA
2    726130E34D51AC726352EA31DD26D8EC
3    726130E34D51AC726352EA31DD26D8EC
4    AC9AF23748D45A2AB30D4E3F176F9EC3
5    E47C50BADC1A0BDCF711A618F605146B
6    164DBC480641B21FA928A4022FAD5FD8
7    465E59D0BE10B7FD0582C69D9F8F755F
8    201EF3ED68CBFFE77D099EC45B8B6ECA
9    726130E34D51AC726352EA31DD26D8EC
Name: MD5, dtype: object

In [127]:
import requests
import pandas as pd

class HashChecker():
    '''
    The HashChecker object is used  to process, arrange and store VirusTotal API calls
    against a file hash - the results are neatly arranged in a Pandas DataFrame
    
    
    hash : str
    This argument is used to pass the single hash in question 
    
    Todo:
    create the ability to pass multiple hashes
    '''

    
    def __init__(self, hash):
    
        self.hash = hash
        self.myparams= {}
        
        # HTTP Request results
        self.request_results = []
        
        # VirusTotal settings
        self.filename = 'c:\\projects\\python\splunk_py\\.virustotalrc'
        self.url = 'https://www.virustotal.com/vtapi/v2/file/report'
        
        # process the hash
        self.get_params()
        # Get the results of hash check from Request call
        self.request_results = self.get_results()
        
        # use a dataframe for flexibility and scalability
        self.df = pd.DataFrame()
        self.set_results_dataframe()
        
    def get_results(self):
        '''
        Method to call the REST API and check a single hash
        '''
        data = requests.get(self.url, params=self.myparams)
        return data

    def get_params(self):
        '''
        Method to get your hidden key from an ini file
        read the values from a file with format
        apikey=<yourapikey>
        '''
        with open(self.filename) as myfile:
            for line in myfile:
                key, value = line.partition("=")[::2]
                self.myparams[key.strip()] = value.strip()
                
    def set_results_dataframe(self):
        '''
        Method to create a dataframe with results using format
                    columns
            rows
            service1 detected   result  update  version
            service2 detected   result  update  version
        '''
        # use a dataframe that gets the normalized json from Request result
        # notice we only want the 'scans' level of the json
        self.df = json_normalize(self.request_results.json().get('scans'))
        
        # to aid in re-arranging more logically, tranpose rows and columns
        self.df = self.df.transpose()
    
        # create a holding dataframe in order to re-arrange the 
        # columns more logically
        ndf = pd.DataFrame(columns=['detected', 'result', 'update', 'version', ])    
        for i in range(0,len(self.df),4):
            ndf=ndf.append({ 'detected' : self.df.index[i].split('.')[0],
                             'result': self.df.iloc[i+1,0], 'update': self.df.iloc[i+2,0],
                             'version' : self.df.iloc[i+3,0]}, ignore_index=True)
        
        # reset the object dataframe to this new arrangment
        self.df = ndf
        

In [128]:

# hash of mimikatz
resource = 'BCD703932C9BEDE27659407E458AE103D0B4CC88'
hash_results = HashChecker(resource)
print(hash_results.request_results)
print(hash_results.df.head(4))




<Response [200]>
  detected                result    update      version
0    ALYac                  None  20190825      1.1.1.5
1     APEX             Malicious  20190825         5.55
2      AVG  FileRepMalware [PUP]  20190825  18.4.3895.0
3  Acronis                  None  20190822     1.0.1.51


In [145]:
print(hash_results.request_results.status_code)

200


In [144]:
print(hash_results.request_results.json())

{'scans': {'Zoner': {'version': '1.0.0.1', 'detected': False, 'update': '20190825', 'result': None}, 'CAT-QuickHeal': {'version': '14.00', 'detected': True, 'update': '20190825', 'result': 'Trojanpws.Win64'}, 'Symantec': {'version': '1.10.0.0', 'detected': True, 'update': '20190824', 'result': 'Hacktool.Mimikatz'}, 'VBA32': {'version': '4.0.0', 'detected': True, 'update': '20190823', 'result': 'TrojanPSW.Win64.Mimikatz'}, 'MicroWorld-eScan': {'version': '14.0.297.0', 'detected': True, 'update': '20190826', 'result': 'Gen:Application.Mimikatz.2'}, 'Yandex': {'version': '5.5.2.24', 'detected': True, 'update': '20190822', 'result': 'Riskware.Mimikatz!'}, 'FireEye': {'version': '29.7.0.0', 'detected': True, 'update': '20190826', 'result': 'Generic.mg.afa4101c99270950'}, 'TrendMicro': {'version': '11.0.0.1006', 'detected': True, 'update': '20190825', 'result': 'HKTL_MIMIKATZ64'}, 'K7GW': {'version': '11.63.31825', 'detected': True, 'update': '20190825', 'result': 'Hacktool ( 0043c1591 )'}, 

In [137]:
import json
jdata = json.dumps(hash_results.get_results().json(), indent = 4)
print (jdata)

{
    "scans": {
        "Zoner": {
            "version": "1.0.0.1",
            "detected": false,
            "update": "20190825",
            "result": null
        },
        "CAT-QuickHeal": {
            "version": "14.00",
            "detected": true,
            "update": "20190825",
            "result": "Trojanpws.Win64"
        },
        "Symantec": {
            "version": "1.10.0.0",
            "detected": true,
            "update": "20190824",
            "result": "Hacktool.Mimikatz"
        },
        "VBA32": {
            "version": "4.0.0",
            "detected": true,
            "update": "20190823",
            "result": "TrojanPSW.Win64.Mimikatz"
        },
        "MicroWorld-eScan": {
            "version": "14.0.297.0",
            "detected": true,
            "update": "20190826",
            "result": "Gen:Application.Mimikatz.2"
        },
        "Yandex": {
            "version": "5.5.2.24",
            "detected": true,
            "update": "201

In [157]:
print(hash_results.get_results().json()['scans']['AVG']['detected'])

True


In [151]:
print(type(jdata))
print(type(hash_results.get_results().json()))

<class 'str'>
<class 'dict'>


In [174]:
jdf = pd.DataFrame.from_dict(hash_results.get_results().json()['scans'], orient='index').reset_index()
jdf.rename(columns={'index':'service'},inplace=True)
jdf

In [176]:
jdf

Unnamed: 0,service,version,detected,update,result
0,ALYac,1.1.1.5,False,20190825,
1,APEX,5.55,True,20190825,Malicious
2,AVG,18.4.3895.0,True,20190825,FileRepMalware [PUP]
3,Acronis,1.0.1.51,False,20190822,
4,Ad-Aware,3.0.5.370,True,20190825,Gen:Application.Mimikatz.2
5,AegisLab,4.2,True,20190825,Trojan.Win64.Mimikatz.i!c
6,AhnLab-V3,3.16.0.24856,True,20190825,Trojan/Win32.Mimikatz.R262842
7,Alibaba,0.3.0.5,True,20190527,HackTool:Win32/Mimikatz.856f8946
8,Antiy-AVL,3.0.0.1,True,20190825,HackTool/Win64.Mimikatz.a
9,Arcabit,1.0.0.856,True,20190825,Application.Mimikatz.2
