# Incident Response

Incident response in computer security is about speed. Being able to work out what is happening within your infrastructure, so that you can shut down any attack vectors being used against your organisation, is key!

In this guide we are going to look at an interesting Python module, `margaritashotgun`! It is especially useful in the cloud, where many instances scale out and are destroyed when no longer needed, which makes it difficult to find out what is happening on them.

`margaritashotgun` allows us to access an instance over SSH and take a snapshot of its memory for later perusal, or perhaps to feed into some big-data crunching across MANY instances... the limits are our imagination at this point.

AWS offers a developer account that allows users to play with some of the tooling for free (please remember to shut down your account, and even delete it, before the free trial period ends!)

[AWS Developer Account Sign Up](https://portal.aws.amazon.com/billing/signup?refid=em_127222&redirect_url=https%3A%2F%2Faws.amazon.com%2Fregistration-confirmation#/start)

We will need to:
 - Create an SSH key pair
 - Create an S3 bucket with a bucket policy that allows our instance to connect
 - Create a public instance with a security group (SG) that allows access only from our own IP address, using the default VPC
 - Advanced students may want to write something that uses the `boto3` module to set this up. boto3's [EC2](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/ec2-examples.html) and [S3](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-examples.html) code examples should give you an idea of what is possible.
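The setup steps above, written out with `boto3` as an added example (this is not code from the page or from the margaritashotgun project). The bucket name matches the page's config; the case prefix, key name, security group name, region and the AMI id are placeholders, and the principal ARN that is allowed to upload is an assumption you must replace with the role or user that will run the capture. The two helper functions build the bucket policy and the SSH ingress rule without touching AWS, so they can be checked offline; `provision()` is the only part that needs credentials.

```python
"""Added example: provision the key pair, S3 bucket (with a least-privilege
policy) and SSH-only security group that the capture needs. Not from the
page or margaritashotgun; names and ids below are placeholders."""
import ipaddress
import json
import os

BUCKET = "case-bucket"        # same bucket name the page's config uses
CASE_PREFIX = "case-0001/"    # constructed example: one prefix per case


def bucket_policy(bucket, principal_arn, prefix=CASE_PREFIX):
    """Only the named principal may write, only under the case prefix,
    and every request must use TLS (plain HTTP is denied for everyone)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCaseUploads",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def ssh_ingress_rule(my_ip):
    """SSH (tcp/22) from exactly one IPv4 host; a bare address becomes a /32
    and anything wider than a single host is rejected."""
    net = ipaddress.IPv4Network(my_ip, strict=False)
    if net.num_addresses != 1:
        raise ValueError("security group rule must be a single host (/32)")
    return {
        "IpProtocol": "tcp",
        "FromPort": 22,
        "ToPort": 22,
        "IpRanges": [{"CidrIp": str(net), "Description": "analyst workstation"}],
    }


def provision(my_ip, principal_arn, key_name="ir-key", region="eu-west-1",
              ami="ami-PLACEHOLDER", vpc_id=None):
    """Create everything in order and return the new instance id.
    boto3 is imported here so the helpers above work without it installed."""
    import boto3  # needs AWS credentials in the environment
    ec2 = boto3.client("ec2", region_name=region)
    s3 = boto3.client("s3", region_name=region)

    # 1. SSH key pair; the private half is written with owner-only permissions.
    key = ec2.create_key_pair(KeyName=key_name)
    pem_path = f"{key_name}.pem"
    with open(pem_path, "w") as fh:
        fh.write(key["KeyMaterial"])
    os.chmod(pem_path, 0o600)

    # 2. Bucket plus the restrictive policy built above.
    s3.create_bucket(Bucket=BUCKET,
                     CreateBucketConfiguration={"LocationConstraint": region})
    s3.put_bucket_policy(Bucket=BUCKET,
                         Policy=json.dumps(bucket_policy(BUCKET, principal_arn)))

    # 3. Security group in the default VPC unless one is given, SSH from us only.
    sg_kwargs = {"GroupName": "ir-ssh-only", "Description": "SSH from analyst only"}
    if vpc_id:
        sg_kwargs["VpcId"] = vpc_id
    sg = ec2.create_security_group(**sg_kwargs)
    ec2.authorize_security_group_ingress(GroupId=sg["GroupId"],
                                         IpPermissions=[ssh_ingress_rule(my_ip)])

    # 4. One small instance using that key and group.
    inst = ec2.run_instances(ImageId=ami, InstanceType="t2.micro", KeyName=key_name,
                             SecurityGroupIds=[sg["GroupId"]], MinCount=1, MaxCount=1)
    return inst["Instances"][0]["InstanceId"]
```

Call `provision("203.0.113.7", "arn:aws:iam::123456789012:role/ir-role")` with your own address and principal; the `/24` style range is deliberately refused so a typo cannot open SSH to a whole network.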

Once we have all that running we can update the following code to make a snapshot:


```python
# In a notebook cell: !pip install margaritashotgun
import margaritashotgun

# Configuration layout from the margaritashotgun user guide: the S3 bucket that
# receives the memory image, the hosts to capture over SSH, worker count,
# logging, and the repository the kernel module is fetched from.
config = {
    'aws': {'bucket': 'case-bucket'},
    'hosts': [
        {
            'addr': '10.10.12.10',
            'port': 22,
            'username': 'ec2-user',
            'key': '/path/to/private-key',
        }
    ],
    'workers': 'auto',
    'logging': {
        'log_dir': 'logs/',
        'prefix': 'casenumber-10.10.12.10',
    },
    'repository': {
        'enabled': True,
        'url': 'your-custom-kernel-module-repo.io',
    },
}

capture_client = margaritashotgun.client(
    name='mem-capture', config=config,
    library=True, verbose=False
)

response = capture_client.run()
print(response)
```

We can find out more about this tool and its usage by checking the user guides. Even small tools with niche usage have some documentation; the rest, sadly, comes down to reading the code behind the module and your own imagination when using it.

For our module here we can check out:
- https://margaritashotgun.readthedocs.io/en/latest/user_guide.html - to peruse their documentation further.
- https://github.com/ThreatResponse/margaritashotgun - to look into their code.

This is another module we could think about plugging into all sorts of scenarios: 
- Command Line scripts
- Monitoring tools
- Lambda functions

The possibilities are endless for both Blue and Red team.

```python
# In a notebook cell: !pip install margaritashotgun pyCLI
import margaritashotgun
from cli.log import LoggingApp  # LoggingApp comes from the pyCLI package

# Same configuration layout as above.
aws_config = {
    'aws': {'bucket': 'case-bucket'},
    'hosts': [
        {
            'addr': '10.10.12.10',
            'port': 22,
            'username': 'ec2-user',
            'key': '/path/to/private-key',
        }
    ],
    'workers': 'auto',
    'logging': {
        'log_dir': 'logs/',
        'prefix': 'casenumber-10.10.12.10',
    },
    'repository': {
        'enabled': True,
        'url': 'your-custom-kernel-module-repo.io',
    },
}


class TestCommandLineShotgun(LoggingApp):
    """Small command-line wrapper: -n/--name sets the capture job name."""

    def create_client(self, name, config, verbose=False):
        return margaritashotgun.client(
            name=name, config=config,
            library=True, verbose=verbose
        )

    def run_client(self, client):
        return client.run()

    def main(self):
        # pyCLI collects parsed command-line values on self.params
        print(self.run_client(self.create_client(
            self.params.name,
            aws_config,
        )))


if __name__ == "__main__":
    prog = TestCommandLineShotgun()
    prog.add_param("-n", "--name", default="aws_test")
    prog.run()
```


## But does it have to be JSON??

No, I get you! JSON sucks and is not always that friendly, so we could try YAML? It looks like:
```
---
KeyA:
 - List1
 - List2
KeyB: "String1"
KeyC:
  DictionaryA: "Foo"
  DictionaryB: "Bar"
  DictionaryC: "Baz"
```

Let's add our values from the JSON above to a configuration file, and then add the following to our code to import it:

```python
# In a notebook cell: !pip install pyyaml
import yaml

# safe_load only builds plain Python types (dicts, lists, strings, numbers,
# booleans); never use yaml.load on a config file you did not write yourself.
with open("config.yaml", 'r') as stream:
    try:
        config = yaml.safe_load(stream)
        print(config)
    except yaml.YAMLError as exc:
        print(exc)
```

Wow! It all renders down to the same thing we can pass to `margaritashotgun` to snap those instances' memory! No more yucky JSON!

We could even turn this into a function that takes the file path as a parameter!

Of course, if you do like JSON, there is nothing stopping you from replacing the above with the following to load a JSON configuration file in the script:


```python
import json

# json is part of the standard library, so nothing to install here
with open('config.json') as json_file:
    data = json.load(json_file)
```

JSON support is built into the language's standard library, which is why we do not have to install it. YAML can be tricky sometimes as it is a community project. If you do have any difficulties, just check the recent posts on Stack Overflow, where all the professional developers will be moaning about it as well.

Maybe you could adapt your script to use both and change it from the command line as needed?
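One way to do exactly that, as an added example that is not part of the original page or the margaritashotgun project: a loader that accepts either YAML or JSON, picks the format from the file extension or a `--format` flag, and checks that the result has the keys the page's own configuration uses (`aws.bucket` and, for each host, `addr`, `username` and `key`) before anything is handed to the capture client. The sample JSON and YAML strings are constructed here to show both parsing to the same dictionary; the required-key list is this example's choice, not something margaritashotgun documents.

```python
"""Added example: one config loader for YAML or JSON with a structural check.
Not from the page or margaritashotgun; the required keys are an assumption
based on the configuration shown on the page."""
import argparse
import json
import os

REQUIRED_TOP = ("aws", "hosts")
REQUIRED_HOST = ("addr", "username", "key")


def parse_config(text, fmt):
    """Parse config text as 'json' or 'yaml'; both yield plain dicts."""
    if fmt == "json":
        return json.loads(text)
    if fmt == "yaml":
        import yaml  # PyYAML, imported only when a YAML file is actually used
        return yaml.safe_load(text)  # safe_load: no arbitrary object construction
    raise ValueError(f"unsupported config format: {fmt}")


def validate(config):
    """Fail early, with a clear message, rather than halfway through a capture."""
    missing = [k for k in REQUIRED_TOP if k not in config]
    if missing:
        raise ValueError(f"config is missing top-level keys: {missing}")
    if "bucket" not in config["aws"]:
        raise ValueError("config['aws'] needs a 'bucket'")
    hosts = config["hosts"]
    if not isinstance(hosts, list) or not hosts:
        raise ValueError("config['hosts'] must be a non-empty list")
    for i, host in enumerate(hosts):
        for key in REQUIRED_HOST:
            if key not in host:
                raise ValueError(f"hosts[{i}] is missing '{key}'")
        host.setdefault("port", 22)  # default SSH port, as in the page's config
    return config


def load_config(path, fmt=None):
    """Format comes from the flag if given, otherwise from the file extension."""
    if fmt is None:
        ext = os.path.splitext(path)[1].lower().lstrip(".")
        fmt = {"json": "json", "yaml": "yaml", "yml": "yaml"}.get(ext)
    with open(path) as fh:
        return validate(parse_config(fh.read(), fmt))


# Constructed sample inputs: the same configuration once as JSON, once as YAML.
SAMPLE_JSON = """{
  "aws": {"bucket": "case-bucket"},
  "hosts": [{"addr": "10.10.12.10", "username": "ec2-user",
             "key": "/path/to/private-key"}],
  "workers": "auto",
  "repository": {"enabled": true, "url": "your-custom-kernel-module-repo.io"}
}"""

SAMPLE_YAML = """---
aws:
  bucket: case-bucket
hosts:
  - addr: 10.10.12.10
    username: ec2-user
    key: /path/to/private-key
workers: auto
repository:
  enabled: true
  url: your-custom-kernel-module-repo.io
"""

if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="load a margaritashotgun config")
    ap.add_argument("path")
    ap.add_argument("--format", choices=["json", "yaml"],
                    help="override detection by file extension")
    args = ap.parse_args()
    print(load_config(args.path, args.format))
```

Run it as `python loader.py config.yaml` or `python loader.py --format json config.txt`; the dictionary it prints is what you pass as `config=` to `margaritashotgun.client`.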

## Wrap Up!

This class has been an insight into how Python can be used with community projects to build tooling that helps defend your systems and organisation from attacks, and to create automation that helps diagnose what has happened in the event of an incident.

Now we have an incident response tool, why don't we personalise it? Make it your own! You can add colours to the output, or even emojis to wind your team up.

The possibilities with this tool are limitless, especially if you combine it with the power of `boto3`; you can build some really interesting features into this shell... what will you add?

### Tasks:
- Make the script's output more personal to you
- Make the script handle more to your liking
- Create a free developer cloud account and test the script on instances with different AMIs to see how they differ.