Merge branch 'master' into dependabot/pip/tqdm-approx-eq-4.66.1

definitions/remote-admin.json

@@ -1,13 +1,15 @@
 {
     "AweRay (AweSun)": {
-        "process_name": ["aweray_remote*.exe"],
+        "process_name": ["aweray_remote*.exe",
+                         "AweSun.exe"],
         "domain": ["asapi.aweray.net", 
                    "asapi-us.aweray.net"],
         "digsig_publisher": ["AWERAY PTE. LTD."]
     },
     "Ammyy Admin": { 
         "process_name": ["aa_v*.exe"],
-        "domain": ["ammyy.com"]
+        "domain": ["ammyy.com"],
+        "digsig_publisher": ["Ammyy LLC"]
     },
     "AeroAdmin" : {
         "process_name": ["AeroAdmin.exe"],
@@ -27,7 +29,8 @@
         "digsig_publisher": ["AOMEI International Network Limited"]
     },
     "Atera": {
-        "process_name": ["atera_agent.exe"]
+        "process_name": ["atera_agent.exe"],
+        "digsig_publisher": ["Atera Networks Ltd"]
     },
     "BeyondTrust (Bomgar)": {
         "process_name": ["bomgar-scc.exe",
@@ -60,15 +63,17 @@
                          "g2printh.exe",
                          "g2svc.exe",
                          "g2tray.exe",
-                         "gopcsrv.exe"]
+                         "gopcsrv.exe"],
+        "digsig_publisher": ["LogMeIn, Inc."]
     },
     "LiteManager": {
         "process_name": ["ROMServer.exe", 
                         "ROMFUSClient.exe"],
         "digsig_publisher": ["Yakhnovets Denis Aleksandrovich IP"]
     },
     "Microsoft RDP": { 
-        "process_name": ["termsrv.exe","Microsoft Remote Desktop"]
+        "process_name": ["termsrv.exe",
+                        "Microsoft Remote Desktop"]
     },
     "Microsoft TSC": { 
         "process_name": ["mstsc.exe"]
@@ -92,10 +97,13 @@
     },
     "RAdmin": { 
         "process_name": ["radmin3.exe",
-                         "famitrfc.exe"]
+                         "famitrfc.exe",
+                         "rserver3.exe"],
+        "digsig_publisher": ["Famatech Corp."]
     },
     "RemoteUtilities": {
-        "process_name": ["rutserv.exe"],
+        "process_name": ["rutserv.exe",
+                         "rutview.exe"],
         "domain": ["remoteutilities.com"],
         "digsig_publisher": ["Remote Utilities LLC"]
     },
@@ -115,12 +123,18 @@
     },
     "TeamViewer Desktop": { 
         "process_name": ["teamviewer_desktop.exe",
-                         "teamviewer"]
+                         "teamviewer.exe"],
+        "digsig_publisher": ["TeamViewer Germany GmbH",
+                             "TeamViewer GmbH",
+                             "TeamViewer"]
     },
     "TeamViewer Service": { 
         "process_name": ["teamviewer.exe",
                          "teamviewer_service.exe",
-                         "teamviewerhost"]
+                         "teamviewerhost"],
+        "digsig_publisher": ["TeamViewer Germany GmbH",
+                             "TeamViewer GmbH",
+                             "TeamViewer"]
     },
     "VNC": {
         "process_name": ["winvnc.exe", 
@@ -155,7 +169,8 @@
     },
     "Desktop Central": {
 		"process_name": ["dcagentservice.exe"],
-        "domain": ["desktopcentral.manageengine.com"]
+        "domain": ["desktopcentral.manageengine.com"],
+        "digsig_publisher": ["ZOHO Corporation Private Limited"] 
 	},
     "UltraView": {
         "process_name": ["UltraViewer_Desktop.exe",
@@ -166,11 +181,12 @@
     },
     "NinjaRMM": {
         "process_name": ["NinjaRMMAgent.exe",
-                        "NinjaRMMAgenPatcher.exe"],
+                        "NinjaRMMAgenPatcher.exe",
+                        "ninjarmm-cli.exe"],
         "digsig_publisher": ["NinjaRMM, LLC"],
         "domain": ["resources.ninjarmm.com"]
     },
-    "FleetDesk.io": {
+    "FleetDeck.io": {
         "process_name": ["fleetdeck_agent.exe",
                         "fleetdeck_agent_svc.exe",
                         "fleetdeck_installer.exe",
@@ -264,7 +280,9 @@
                         "SolarWinds-Dameware-DRS*.exe",
                         "DameWare Mini Remote Control*.exe",
                         "SolarWinds-Dameware-MRC*.exe"],
-        "internal_name": ["DWRCST"]
+        "internal_name": ["DWRCST"],
+        "digsig_publisher": ["SolarWinds, Inc.",
+                             "Solarwinds Worldwide, LLC"]
     },
     "N-Able Advanced Monitoring Agent": {
         "process_name": ["Agent_*_RW.exe",
@@ -326,7 +344,8 @@
         "process_name": ["TightVNCViewerPortable*.exe",
                         "tvnviewer.exe",
                         "tvnserver.exe"],
-        "digsig_publisher": ["GlavSoft LLC."]
+        "digsig_publisher": ["GlavSoft LLC.",
+                             "GlavSoft LLC"]
     },
     "ShowMyPC": {
         "domain": ["showmypc.com"],
@@ -337,7 +356,9 @@
     },
     "Xeox": {
         "domain":["*.xeox.com", "xeox.com"],
-        "process_name":["xeox_service_windows.exe", "xeox-agent_x64.exe", "xeox-agent_x86.exe"],
+        "process_name":["xeox_service_windows.exe", 
+                        "xeox-agent_x64.exe", 
+                        "xeox-agent_x86.exe"],
         "digsig_publisher": ["hs2n Informationstechnologie GmbH"],
         "internal_name": ["XEOX Agent for Windows"]
     },
@@ -351,30 +372,65 @@
         "digsig_publisher": ["Instant Housecall", "Specialist Sign-in.exe"],
         "process_name": ["InstantHousecall.exe"],
         "internal_name": ["InstantHousecall.exe"],
-        "domain": ["secure.instanthousecall.com", "*.instanthousecall.com", "instanthousecall.com"]
+        "domain": ["secure.instanthousecall.com", 
+                "*.instanthousecall.com", 
+                "instanthousecall.com"]
     },
     "ISL Online":{
         "digsig_publisher":["ISL Online Ltd"],
         "process_name": ["ISLLight.exe", "ISLLightClient.exe"],
         "internal_name": ["ISL Light"],
-        "domain": ["*islonline.net"]
+        "domain": ["*.islonline.net"]
     },
     "Parallels Access": {
+        "process_name": ["TSClient.exe"],
         "digsig_publisher": ["Parallels International GmbH"]
     },
     "Pilixo": {
-        "digsig_publisher": ["Pilixo Cloud Solutions", "PILIXO INTERNATIONAL LLC"],
-        "domain": ["*.pilixo.com", "pilixo.com", "download.pilixo.com"],
+        "digsig_publisher": ["Pilixo Cloud Solutions", 
+                            "PILIXO INTERNATIONAL LLC"],
+        "domain": ["*.pilixo.com", 
+                "pilixo.com", 
+                "download.pilixo.com"],
         "process_name": ["Pilixo_Installer*.exe"]
     },
     "RemotePC": {
-        "digsig_publisher": ["IDrive, Inc", "IDrive Incorporated"],
-        "domain": ["remotepc.com", "www.remotepc.com"],
-        "process_name": ["idrive.RemotePCAgent", "Idrive.File-Transfer"]
+        "digsig_publisher": ["IDrive, Inc", 
+                            "IDrive Incorporated"],
+        "domain": ["remotepc.com", 
+                "www.remotepc.com"],
+        "process_name": ["idrive.RemotePCAgent", 
+                        "Idrive.File-Transfer",
+                        "RemotePC.exe",
+                        "RemotePCService.exe"]
     },
     "SuperOps": {
         "digsig_publisher": ["Superops Inc"],
-        "process_name": ["superops.exe", "superopsticket.exe"],
-        "domain": ["serv.superopsalpha.com", "*.superops.ai", "*.superopsalpha.com", "*.superopsbeta.com"]
+        "process_name": ["superops.exe", 
+                        "superopsticket.exe"],
+        "domain": ["serv.superopsalpha.com", 
+                "*.superops.ai", 
+                "*.superopsalpha.com", 
+                "*.superopsbeta.com"]
+    },
+    "Rocket Remote Desktop":{
+        "digsig_publisher": ["Rocket Remote Desktop"],
+        "process_name":["RDConsole.exe", 
+                        "RocketRemoteDesktop_Setup.exe"]
+    },
+    "GetScreen":{
+        "digsig_publisher":["Get Skrin Softver"],
+        "process_name":["GetScreen.exe", 
+                        "GetScreen.me"]
+    },
+    "ManageEngine":{
+        "digsig_publisher":["ManageEngine Remote Access Plus", 
+                            "Zoho Corporation Pvt. Ltd."],
+        "process_name":["ManageEngine_Remote_Access_Plus.exe", 
+                        "InstallShield Setup.exe"]
+    },
+    "Remcos":{
+        "process_name":["remcos*.exe"],
+        "digsig_publisher":["BreakingSecurity.net"]
     }
 }

products/cortex_xdr.py

@@ -30,6 +30,7 @@ class Query:
     'ipaddr': 'action_remote_ip',
     'cmdline': 'action_process_command_line',
     'digsig_publisher': 'action_file_signature_vendor',
+    'domain': 'action_external_hostname',
     'modload': 'action_module_path',
     'filemod': 'action_file_path',
     'regmod': 'action_registry_key_name',

products/sentinel_one.py

@@ -95,16 +95,16 @@ class SentinelOne(Product):
     def __init__(self, pq: bool = False, **kwargs):
 
         self.profile = kwargs['profile'] if 'profile' in kwargs else 'default'
-        self._site_ids = kwargs['site_ids'] if 'site_ids' in kwargs else []
-        self._account_ids = kwargs['account_ids'] if 'account_ids' in kwargs else []
-        self._account_names = kwargs['account_names'] if 'account_names' in kwargs else []
+        self._site_ids = kwargs.get('site_id', []) or list()
+        self._account_ids = kwargs.get('account_id', []) or list()
+        self._account_names = kwargs.get('account_name', []) or list()
         self._url = kwargs['url'] if 'url' in kwargs else ''
         self._token = kwargs['token'] if 'token' in kwargs else None
         self.creds_file = kwargs['creds_file'] if 'creds_file' in kwargs else None
         self._raw = kwargs['raw'] if 'raw' in kwargs else self._raw
         limit = (kwargs['limit']) if 'limit' in kwargs else 0
         self._pq = pq # This supports command-line options, will default to Power Query
-        
+
         # Will check for passed-in arguments; if none are present, it will default to Deep Visibility. Non-command line.
         if 'deep_visibility' in kwargs:
             self._pq = False if kwargs.get('deep_visibility', "False") == "True" else True
@@ -264,16 +264,18 @@ def _get_site_ids(self, site_ids, account_ids, account_names):
                     for item in response:
                         for site in item['sites']:
                             temp_site_ids.append(site['id'])
-
-                            if self._pq and site['id'] not in self._site_ids:
-                                self._site_ids.append(site['id'])
+
+                            if self._pq:
+                                if site['id'] not in self._site_ids:
+                                    self._site_ids.append(site['id'])
 
                                 if site['accountId'] not in self._account_ids:
-                                    # PowerQuery won't honor Site ID filters unless the parent account ID is also
+                                    # PowerQuery won't honor Site ID filters unless the parent accousnt ID is also
                                     # included in the request body
                                     self._account_ids.append(site['accountId'])
                             elif site['accountId'] not in self._account_ids and site['id'] not in self._site_ids:
-                                self._site_ids.append(site['id'])
+                                self._site_ids.append(site['id']) 
+
                     counter = 0
                     temp_list = []
                 i += 1

requirements.txt

@@ -1,5 +1,5 @@
 click~=8.0.4
-cbapi~=1.7.9
+cbapi~=1.7.10
 requests~=2.27.1
 setuptools~=60.6.0
 tqdm~=4.66.1

setup.py

@@ -36,7 +36,7 @@ def find_scripts():
         'Programming Language :: Python',
     ],
     install_requires=[
-        'cbapi==1.7.0', 'click', 'requests', 'tqdm', 'carbon-black-cloud-sdk'
+        'cbapi==1.7.10', 'click', 'requests', 'tqdm', 'carbon-black-cloud-sdk'
     ],
     extras_require={
         "sigma": [