#!/bin/env python
# Author: bj@carbonblack.com
import optparse
import datetime
import sys
import pprint
import requests
import cbapi
# Silences every urllib3 warning for the whole process — presumably to hide
# the insecure-request warning that is emitted when certificate verification
# is off (the -n option). Side effect: an unverified HTTPS session is then
# completely silent, so nothing tells the operator the connection was not
# authenticated.
requests.packages.urllib3.disable_warnings()
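def build_cli_parser():
    """Build the command-line parser for this script.

    Options:
        -c/--cburl          Carbon Black server URL (main() requires it).
        -a/--apitoken       API token for the server (main() requires it).
        -n/--no-ssl-verify  Flag: disable TLS certificate verification.

    Returns:
        An ``optparse.OptionParser``. After parsing, ``opts.ssl_verify`` is
        True unless ``-n`` was given, so verification is on by default.
    """
    # NOTE(review): the description reads like it was copied from another
    # script; this one reports long-running powershell.exe processes.
    parser = optparse.OptionParser(usage="%prog [options]", description="Dump sensor list")
    parser.add_option("-c", "--cburl", action="store", default=None, dest="url",
                      help="CB server's URL. e.g., http://127.0.0.1 ")
    # The token is sent as a header on every request; with a plain http://
    # URL it crosses the wire unencrypted.
    parser.add_option("-a", "--apitoken", action="store", default=None, dest="token",
                      help="API Token for Carbon Black server")
    # Previously action="store" with default=False: verification was OFF by
    # default, -n demanded an argument, and any argument (a non-empty string)
    # turned verification back ON. A store_false flag with default=True gives
    # the behaviour the option name and help text describe.
    parser.add_option("-n", "--no-ssl-verify", action="store_false", default=True, dest="ssl_verify",
                      help="Do not verify server SSL certificate.")
    return parser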
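def parent_search(opts, pdoc, cb=None):
    """Find the parent of *pdoc* and return the child's recorded end time.

    The parent process document is searched by hostname, parent name and
    parent pid; the first hit's ``childproc_complete`` events are then
    scanned for the entry whose pid equals ``pdoc['process_pid']``.

    Args:
        opts: parsed options; ``url``, ``token`` and ``ssl_verify`` are read
            only when *cb* is not supplied. ``opts`` is not modified.
        pdoc: process document with ``hostname``, ``parent_name``,
            ``parent_pid`` and ``process_pid`` keys.
        cb: optional existing ``cbapi.CbApi`` client to reuse instead of
            opening a fresh session for every call.

    Returns:
        A naive ``datetime`` parsed from the matching child event, or
        ``False`` when the parent search fails or returns nothing, the events
        cannot be fetched or parsed, or no terminated child with that pid is
        recorded.
    """
    query = "hostname: %s process_name: %s process_pid: %d" % (
        pdoc['hostname'], pdoc['parent_name'], pdoc['parent_pid'])
    # NOTE(review): the values are interpolated unquoted, so a name containing
    # whitespace or query syntax would alter the search. They come from CB's
    # own results rather than user input, so this is a robustness concern.
    if cb is None:
        cb = cbapi.CbApi(opts.url, token=opts.token, ssl_verify=opts.ssl_verify)
    try:
        # Only the first hit is used; with pid reuse on a busy host this may
        # not be the right parent instance — TODO confirm ordering of results.
        first = cb.process_search(query)['results'][0]
        identifier = first['id']
        seg_id = first['segment_id']
    except Exception:
        # Search error or no result: the caller falls back to last_update.
        # (Was a bare except, which also swallowed KeyboardInterrupt.)
        return False
    try:
        events = cb.process_events(identifier, seg_id)
        for cpe in events['process']['childproc_complete']:
            fields = cpe.split('|')
            # Field 4 is the child pid; field 5 == 'false' is treated as the
            # termination event, as in the original parser — verify against
            # the CB event format if this is ever wrong.
            if int(fields[4]) == pdoc['process_pid'] and fields[5] == 'false':
                return datetime.datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S.%f")
    except Exception:
        return False
    return False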
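def main(argv):
    """Report powershell.exe processes that ran longer than a threshold.

    Args:
        argv: command-line arguments without the program name.

    Exits with status -1 when ``--cburl`` or ``--apitoken`` is missing, and
    with 0 (without scanning) when the initial search has more than 500
    results. Otherwise prints one record per long-running process followed
    by the totals and returns None.
    """
    parser = build_cli_parser()
    opts, _args = parser.parse_args(argv)
    if not opts.url or not opts.token:
        print("Missing required param.")
        sys.exit(-1)
    # NOTE(review): the API token arrives on the command line, so it lands in
    # shell history and is visible in process listings on the host.
    opts.query = 'process_name:powershell.exe'
    # The original used a comma here and printed a literal "%s".
    print("Initial Query: %s" % opts.query)
    cb = cbapi.CbApi(opts.url, token=opts.token, ssl_verify=opts.ssl_verify)
    source_set = cb.process_search(opts.query)
    if source_set['total_results'] > 500:
        print("Total Results: %d" % source_set['total_results'])
        print("More than 500 results to parse, exiting script to spare your CB server.")
        sys.exit(0)
    # Runs longer than this many seconds are reported; adjust to taste.
    long_run_seconds = 60
    answer = cb.process_search_iter(opts.query)
    count = 0
    lrcount = 0
    for pdoc in answer:
        count += 1
        # Ask the parent for the child's termination event; when none is
        # recorded fall back to last_update (the process may still be running,
        # so the runtime is then a lower bound).
        process_end_time = parent_search(opts, pdoc)
        if process_end_time:
            end = process_end_time
        else:
            end = datetime.datetime.strptime(pdoc['last_update'], "%Y-%m-%dT%H:%M:%S.%fZ")
        start = datetime.datetime.strptime(pdoc['start'], "%Y-%m-%dT%H:%M:%S.%fZ")
        # total_seconds() includes whole days; timedelta.seconds alone drops
        # them, so a process alive for more than a day could look short.
        runtime = int((end - start).total_seconds())
        if runtime > long_run_seconds:
            lrcount += 1
            print("#########################")
            print("Proc Doc: %s/#/analyze/%s/%d" % (opts.url, pdoc['id'], pdoc['segment_id']))
            print("Hostname: %s" % pdoc['hostname'])
            print("Username: %s" % pdoc['username'])
            print("Process Name: %s" % pdoc['process_name'])
            print("Command Line: %s" % pdoc['cmdline'])
            print("Runtime: %d seconds" % runtime)
            print("Process start : %s" % start)
            print("Process endtime: %s" % end)
            print("$$$$$$$$$$$$$$$$$$$$$$$$$")
    print("Matching Process Count: %d" % count)
    print("Matching Long Running Process Count: %d" % lrcount)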
if __name__ == "__main__":
sys.exit(main(sys.argv[1:]))