From 5ac13c6e91e4165767211e35ed85458fafdec7cb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Jul 2023 20:20:20 +0000 Subject: [PATCH 1/7] Bump cbapi from 1.7.0 to 1.7.10 Bumps [cbapi](https://github.com/carbonblack/cbapi-python) from 1.7.0 to 1.7.10. - [Release notes](https://github.com/carbonblack/cbapi-python/releases) - [Changelog](https://github.com/carbonblack/cbapi-python/blob/master/docs/changelog.rst) - [Commits](https://github.com/carbonblack/cbapi-python/compare/1.7.0...1.7.10) --- updated-dependencies: - dependency-name: cbapi dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- requirements.txt | 2 +- setup.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.txt b/requirements.txt index 8d44831..720c45c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ click~=8.0.4 -cbapi~=1.7.9 +cbapi~=1.7.10 requests~=2.27.1 setuptools~=60.6.0 tqdm~=4.63.0 diff --git a/setup.py b/setup.py index 9e12881..1ab68aa 100644 --- a/setup.py +++ b/setup.py @@ -36,7 +36,7 @@ def find_scripts(): 'Programming Language :: Python', ], install_requires=[ - 'cbapi==1.7.0', 'click', 'requests', 'tqdm', 'carbon-black-cloud-sdk' + 'cbapi==1.7.10', 'click', 'requests', 'tqdm', 'carbon-black-cloud-sdk' ], extras_require={ "sigma": [ From 22001fe065ce144b1d2f29c3457d707d200902a3 Mon Sep 17 00:00:00 2001 From: xC0uNt3r7hr34t Date: Fri, 15 Dec 2023 10:06:13 -0500 Subject: [PATCH 2/7] resolve site/account id filter issues --- products/sentinel_one.py | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/products/sentinel_one.py b/products/sentinel_one.py index 63dd0f3..90de51a 100644 --- a/products/sentinel_one.py +++ b/products/sentinel_one.py 
@@ -95,16 +95,18 @@ class SentinelOne(Product):
     def __init__(self, pq: bool = False, **kwargs):
         self.profile = kwargs['profile'] if 'profile' in kwargs else 'default'
-        self._site_ids = kwargs['site_ids'] if 'site_ids' in kwargs else []
-        self._account_ids = kwargs['account_ids'] if 'account_ids' in kwargs else []
-        self._account_names = kwargs['account_names'] if 'account_names' in kwargs else []
+        self._site_ids = kwargs.get('site_id', []) or list()
+        self._account_ids = kwargs.get('account_id', []) or list()
+        self._account_names = kwargs.get('account_name', []) or list()
         self._url = kwargs['url'] if 'url' in kwargs else ''
         self._token = kwargs['token'] if 'token' in kwargs else None
         self.creds_file = kwargs['creds_file'] if 'creds_file' in kwargs else None
         self._raw = kwargs['raw'] if 'raw' in kwargs else self._raw
         limit = (kwargs['limit']) if 'limit' in kwargs else 0
         self._pq = pq # This supports command-line options, will default to Power Query
-
+        print(kwargs)
+        print(self._account_ids)
+        print(self._site_ids)
         # Will check for passed-in arguments; if none are present, it will default to Deep Visibility. Non-command line.
         if 'deep_visibility' in kwargs:
             self._pq = False if kwargs.get('deep_visibility', "False") == "True" else True
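Review bot: The three new `kwargs.get('site_id', []) or list()` lines store the caller's list objects as-is, and `_get_site_ids` (next hunk) appends discovered site and account IDs to `self._site_ids` / `self._account_ids` in place, so any list the caller reuses — a default shared across product classes, or the same object handed to a second `SentinelOne` instance — silently accumulates IDs between runs. Copying on intake removes the aliasing and the redundant default in one go: `self._site_ids = list(kwargs.get('site_id') or [])`, and likewise for `account_id` and `account_name`. The `print(kwargs)` debug line also echoes the whole argument dict, which includes `token` and `creds_file`, to stdout; it is deleted again in PATCH 3/7 of this series, but a dump of the credentials dict should be squashed out rather than left in history. The hidden blank context line the hunk header accounts for is not visible in this collapsed rendering.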
@@ -264,16 +266,18 @@ def _get_site_ids(self, site_ids, account_ids, account_names): for item in response: for site in item['sites']: temp_site_ids.append(site['id']) - - if self._pq and site['id'] not in self._site_ids: - self._site_ids.append(site['id']) + + if self._pq: + if site['id'] not in self._site_ids: + self._site_ids.append(site['id']) if site['accountId'] not in self._account_ids: - # PowerQuery won't honor Site ID filters unless the parent account ID is also + # PowerQuery won't honor Site ID filters unless the parent accousnt ID is also # included in the request body self._account_ids.append(site['accountId']) elif site['accountId'] not in self._account_ids and site['id'] not in self._site_ids: - self._site_ids.append(site['id']) + self._site_ids.append(site['id']) + counter = 0 temp_list = [] i += 1 From e584810a6a58618d42d480bc0a17e7c6b7570cd4 Mon Sep 17 00:00:00 2001 From: xC0uNt3r7hr34t Date: Fri, 15 Dec 2023 10:09:13 -0500 Subject: [PATCH 3/7] removed print lines --- products/sentinel_one.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/products/sentinel_one.py b/products/sentinel_one.py index 90de51a..c61206b 100644 --- a/products/sentinel_one.py +++ b/products/sentinel_one.py @@ -104,9 +104,7 @@ def __init__(self, pq: bool = False, **kwargs): self._raw = kwargs['raw'] if 'raw' in kwargs else self._raw limit = (kwargs['limit']) if 'limit' in kwargs else 0 self._pq = pq # This supports command-line options, will default to Power Query - print(kwargs) - print(self._account_ids) - print(self._site_ids) + # Will check for passed-in arguments; if none are present, it will default to Deep Visibility. Non-command line. if 'deep_visibility' in kwargs: self._pq = False if kwargs.get('deep_visibility', "False") == "True" else True From 5e354ed4061db924b4050117dce70cdae195b177 Mon Sep 17 00:00:00 2001 
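Review bot: The rewritten comment in the Power Query branch introduces a typo: the `+` line reads `parent accousnt ID` where the removed line had `parent account ID`, so restore `# PowerQuery won't honor Site ID filters unless the parent account ID is also`. The `- self._site_ids.append(site['id'])` / `+ self._site_ids.append(site['id'])` pair under the `elif` differs only in whitespace, so the indentation of that append relative to the `elif` is worth double-checking in an editor, since this collapsed patch cannot show it. The `not in self._site_ids` / `not in self._account_ids` tests are linear list scans inside a loop over every site of every account; keeping a set next to each list would make this linear overall, though at typical tenant sizes it is not urgent. `_get_site_ids` begins before this hunk and the pagination loop it sits in (`counter`, `temp_list`, `i`) continues after it, so the surrounding control flow is not visible here.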
From: Tre Wilkins <115818818+TreWilkinsRC@users.noreply.github.com> Date: Mon, 18 Dec 2023 15:50:00 -0700 Subject: [PATCH 4/7] initial --- products/cortex_xdr.py | 1 + 1 file changed, 1 insertion(+) diff --git a/products/cortex_xdr.py b/products/cortex_xdr.py index ba375f1..2ffdd71 100755 --- a/products/cortex_xdr.py +++ b/products/cortex_xdr.py @@ -30,6 +30,7 @@ class Query: 'ipaddr': 'action_remote_ip', 'cmdline': 'action_process_command_line', 'digsig_publisher': 'action_file_signature_vendor', + 'domain': 'action_external_hostname', 'modload': 'action_module_path', 'filemod': 'action_file_path', 'regmod': 'action_registry_key_name', From 8e36f6026a0792d12553037e47e4b2762a665f0e Mon Sep 17 00:00:00 2001 From: Cori Smith Date: Fri, 1 Mar 2024 09:00:55 -0600 Subject: [PATCH 5/7] update rmm tool list --- definitions/remote-admin.json | 65 +++++++++++++++++++++++++++++------ 1 file changed, 55 insertions(+), 10 deletions(-) diff --git a/definitions/remote-admin.json b/definitions/remote-admin.json index fc611a3..e0fb0d5 100644 --- a/definitions/remote-admin.json +++ b/definitions/remote-admin.json @@ -68,7 +68,8 @@ "digsig_publisher": ["Yakhnovets Denis Aleksandrovich IP"] }, "Microsoft RDP": { - "process_name": ["termsrv.exe","Microsoft Remote Desktop"] + "process_name": ["termsrv.exe", + "Microsoft Remote Desktop"] }, "Microsoft TSC": { "process_name": ["mstsc.exe"] @@ -337,7 +338,9 @@ }, "Xeox": { "domain":["*.xeox.com", "xeox.com"], - "process_name":["xeox_service_windows.exe", "xeox-agent_x64.exe", "xeox-agent_x86.exe"], + "process_name":["xeox_service_windows.exe", + "xeox-agent_x64.exe", + "xeox-agent_x86.exe"], "digsig_publisher": ["hs2n Informationstechnologie GmbH"], "internal_name": ["XEOX Agent for Windows"] }, 
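Review bot: The new `'domain': 'action_external_hostname'` mapping deserves a one-line comment on what it matches, because the definition files on this same page express domains as wildcard patterns (`"*.xeox.com"`, `"*.instanthousecall.com"`) and the query builder that consumes this dict — outside the hunk — must translate `*` into an XQL wildcard for the new key to behave like the existing ones. If `action_external_hostname` is populated only on network-connection events, a DNS lookup that never results in a connection will not match a domain IOC; presumably acceptable, but say so, e.g. `# 'domain' matches the remote hostname on network events; bare DNS query names are not covered`. The enclosing `Query` class begins before and continues after this hunk.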
@@ -351,7 +354,9 @@ "digsig_publisher": ["Instant Housecall", "Specialist Sign-in.exe"], "process_name": ["InstantHousecall.exe"], "internal_name": ["InstantHousecall.exe"], - "domain": ["secure.instanthousecall.com", "*.instanthousecall.com", "instanthousecall.com"] + "domain": ["secure.instanthousecall.com", + "*.instanthousecall.com", + "instanthousecall.com"] }, "ISL Online":{ "digsig_publisher":["ISL Online Ltd"], 
@@ -363,18 +368,58 @@ "digsig_publisher": ["Parallels International GmbH"] }, "Pilixo": { - "digsig_publisher": ["Pilixo Cloud Solutions", "PILIXO INTERNATIONAL LLC"], - "domain": ["*.pilixo.com", "pilixo.com", "download.pilixo.com"], + "digsig_publisher": ["Pilixo Cloud Solutions", + "PILIXO INTERNATIONAL LLC"], + "domain": ["*.pilixo.com", + "pilixo.com", + "download.pilixo.com"], "process_name": ["Pilixo_Installer*.exe"] }, "RemotePC": { - "digsig_publisher": ["IDrive, Inc", "IDrive Incorporated"], - "domain": ["remotepc.com", "www.remotepc.com"], - "process_name": ["idrive.RemotePCAgent", "Idrive.File-Transfer"] + "digsig_publisher": ["IDrive, Inc", + "IDrive Incorporated"], + "domain": ["remotepc.com", + "www.remotepc.com"], + "process_name": ["idrive.RemotePCAgent", + "Idrive.File-Transfer"] }, "SuperOps": { "digsig_publisher": ["Superops Inc"], - "process_name": ["superops.exe", "superopsticket.exe"], - "domain": ["serv.superopsalpha.com", "*.superops.ai", "*.superopsalpha.com", "*.superopsbeta.com"] + "process_name": ["superops.exe", + "superopsticket.exe"], + "domain": ["serv.superopsalpha.com", + "*.superops.ai", + "*.superopsalpha.com", + "*.superopsbeta.com"] + }, + "Rocket Remote Desktop":{ + "digsig_publisher": ["Rocket Remote Desktop"], + "process_name":["RDConsole.exe", + "RocketRemoteDesktop_Setup.exe"] + }, + "GetScreen":{ + "digsig_publisher":["Get Skrin Softver"], + "process_name":["GetScreen.exe", + "GetScreen.me"] + }, + "ManageEngine":{ + "digsig_publisher":["ManageEngine Remote Access Plus", + "Zoho Corporation Pvt. 
Ltd."], + "process_name":["ManageEngine_Remote_Access_Plus.exe", + "InstallShield Setup.exe"] + }, + "Remcos":{ + "process_name":["remcos*.exe"], + "digsig_publisher":["BreakingSecurity.net"] + }, + "ZeroTier":{ + "domain": ["my.zerotier.com", + "zerotier.com"], + "process_name": ["zerotier_desktop_ui.exe", + "zerotier-one_*.exe", + "ZeroTierOne.msi"], + "filemod_name": ["ZeroTierOne.msi"], + "cmdline": ["ZeroTierOne.msi"], + "digsig_publisher": ["ZeroTier, Inc."] } } From cecbf1f59b117f5ab8efe56bd1d8dcb5986a63f5 Mon Sep 17 00:00:00 2001 From: Cori Smith Date: Fri, 1 Mar 2024 12:53:38 -0600 Subject: [PATCH 6/7] removing zerotier as it's more of a network tool than rmm --- definitions/remote-admin.json | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/definitions/remote-admin.json b/definitions/remote-admin.json index e0fb0d5..64313da 100644 --- a/definitions/remote-admin.json +++ b/definitions/remote-admin.json @@ -411,15 +411,5 @@ "Remcos":{ "process_name":["remcos*.exe"], "digsig_publisher":["BreakingSecurity.net"] - }, - "ZeroTier":{ - "domain": ["my.zerotier.com", - "zerotier.com"], - "process_name": ["zerotier_desktop_ui.exe", - "zerotier-one_*.exe", - "ZeroTierOne.msi"], - "filemod_name": ["ZeroTierOne.msi"], - "cmdline": ["ZeroTierOne.msi"], - "digsig_publisher": ["ZeroTier, Inc."] } } From 1e97d2601e4779c9bc0c32681241b4a831254d69 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Thu, 28 Mar 2024 11:34:21 -0300 Subject: [PATCH 7/7] Add some more information to RMM definition --- definitions/remote-admin.json | 51 ++++++++++++++++++++++++----------- 1 file changed, 36 insertions(+), 15 deletions(-) diff --git a/definitions/remote-admin.json b/definitions/remote-admin.json index 64313da..b70e34e 100644 --- a/definitions/remote-admin.json +++ b/definitions/remote-admin.json 
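Review bot: In the new `GetScreen` entry, `"GetScreen.me"` is listed under `process_name`, but it is the service's hostname rather than an executable name, so it will never match a process and the domain itself goes unwatched; move it to a `"domain": ["getscreen.me"]` list as the other entries on this page do. The new `ManageEngine` entry lists `"InstallShield Setup.exe"` as a process name, which is the generic stub every InstallShield-packaged installer runs under and will flag unrelated software; drop it or constrain it with the entry's `digsig_publisher` or a `cmdline` pattern. The `Remcos` entry is fine as a hunting definition, but note that its only process match is the wildcard `remcos*.exe`, so a renamed binary is caught solely by the `"BreakingSecurity.net"` signer. This hunk runs to the closing brace of the file's top-level object, which opens outside the hunk.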
@@ -1,13 +1,15 @@ { "AweRay (AweSun)": { - "process_name": ["aweray_remote*.exe"], + "process_name": ["aweray_remote*.exe", + "AweSun.exe"], "domain": ["asapi.aweray.net", "asapi-us.aweray.net"], "digsig_publisher": ["AWERAY PTE. LTD."] }, "Ammyy Admin": { "process_name": ["aa_v*.exe"], - "domain": ["ammyy.com"] + "domain": ["ammyy.com"], + "digsig_publisher": ["Ammyy LLC"] }, "AeroAdmin" : { "process_name": ["AeroAdmin.exe"], @@ -27,7 +29,8 @@ "digsig_publisher": ["AOMEI International Network Limited"] }, "Atera": { - "process_name": ["atera_agent.exe"] + "process_name": ["atera_agent.exe"], + "digsig_publisher": ["Atera Networks Ltd"] }, "BeyondTrust (Bomgar)": { "process_name": ["bomgar-scc.exe", @@ -60,7 +63,8 @@ "g2printh.exe", "g2svc.exe", "g2tray.exe", - "gopcsrv.exe"] + "gopcsrv.exe"], + "digsig_publisher": ["LogMeIn, Inc."] }, "LiteManager": { "process_name": ["ROMServer.exe", @@ -93,10 +97,13 @@ }, "RAdmin": { "process_name": ["radmin3.exe", - "famitrfc.exe"] + "famitrfc.exe", + "rserver3.exe"], + "digsig_publisher": ["Famatech Corp."] }, "RemoteUtilities": { - "process_name": ["rutserv.exe"], + "process_name": ["rutserv.exe", + "rutview.exe"], "domain": ["remoteutilities.com"], "digsig_publisher": ["Remote Utilities LLC"] }, @@ -116,12 +123,18 @@ }, "TeamViewer Desktop": { "process_name": ["teamviewer_desktop.exe", - "teamviewer"] + "teamviewer.exe"], + "digsig_publisher": ["TeamViewer Germany GmbH", + "TeamViewer GmbH", + "TeamViewer"] }, "TeamViewer Service": { "process_name": ["teamviewer.exe", "teamviewer_service.exe", - "teamviewerhost"] + "teamviewerhost"], + "digsig_publisher": ["TeamViewer Germany GmbH", + "TeamViewer GmbH", + "TeamViewer"] }, "VNC": { "process_name": ["winvnc.exe", 
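Review bot: Renaming `"teamviewer"` to `"teamviewer.exe"` in `TeamViewer Desktop` makes it a duplicate of the `"teamviewer.exe"` already listed under `TeamViewer Service` (a context line in the same hunk), so one process will now surface under two labels. If the bare `teamviewer` was the macOS process name — this file lists `"Microsoft Remote Desktop"` without an extension for that reason — the rename also drops that coverage, and the untouched `"teamviewerhost"` in the Service entry is in the same position. Either keep `"teamviewer"` in Desktop and remove the duplicate, or fold the two TeamViewer entries into one; whichever is chosen, treat `teamviewerhost` the same way.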
@@ -156,7 +169,8 @@ }, "Desktop Central": { "process_name": ["dcagentservice.exe"], - "domain": ["desktopcentral.manageengine.com"] + "domain": ["desktopcentral.manageengine.com"], + "digsig_publisher": ["ZOHO Corporation Private Limited"] }, "UltraView": { "process_name": ["UltraViewer_Desktop.exe", @@ -167,11 +181,12 @@ }, "NinjaRMM": { "process_name": ["NinjaRMMAgent.exe", - "NinjaRMMAgenPatcher.exe"], + "NinjaRMMAgenPatcher.exe", + "ninjarmm-cli.exe"], "digsig_publisher": ["NinjaRMM, LLC"], "domain": ["resources.ninjarmm.com"] }, - "FleetDesk.io": { + "FleetDeck.io": { "process_name": ["fleetdeck_agent.exe", "fleetdeck_agent_svc.exe", "fleetdeck_installer.exe", @@ -265,7 +280,9 @@ "SolarWinds-Dameware-DRS*.exe", "DameWare Mini Remote Control*.exe", "SolarWinds-Dameware-MRC*.exe"], - "internal_name": ["DWRCST"] + "internal_name": ["DWRCST"], + "digsig_publisher": ["SolarWinds, Inc.", + "Solarwinds Worldwide, LLC"] }, "N-Able Advanced Monitoring Agent": { "process_name": ["Agent_*_RW.exe", @@ -327,7 +344,8 @@ "process_name": ["TightVNCViewerPortable*.exe", "tvnviewer.exe", "tvnserver.exe"], - "digsig_publisher": ["GlavSoft LLC."] + "digsig_publisher": ["GlavSoft LLC.", + "GlavSoft LLC"] }, "ShowMyPC": { "domain": ["showmypc.com"], @@ -362,9 +380,10 @@ "digsig_publisher":["ISL Online Ltd"], "process_name": ["ISLLight.exe", "ISLLightClient.exe"], "internal_name": ["ISL Light"], - "domain": ["*islonline.net"] + "domain": ["*.islonline.net"] }, "Parallels Access": { + "process_name": ["TSClient.exe"], "digsig_publisher": ["Parallels International GmbH"] }, "Pilixo": { @@ -381,7 +400,9 @@ "domain": ["remotepc.com", "www.remotepc.com"], "process_name": ["idrive.RemotePCAgent", - "Idrive.File-Transfer"] + "Idrive.File-Transfer", + "RemotePC.exe", + "RemotePCService.exe"] }, "SuperOps": { "digsig_publisher": ["Superops Inc"],
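Review bot: Tightening `"*islonline.net"` to `"*.islonline.net"` for `ISL Online` stops the apex `islonline.net` from matching, whereas the other entries on this page list the apex explicitly beside the wildcard (`"*.xeox.com", "xeox.com"`, `"*.pilixo.com", "pilixo.com"`); make it `"domain": ["*.islonline.net", "islonline.net"]`. The `"ZOHO Corporation Private Limited"` added for `Desktop Central` and the `"Zoho Corporation Pvt. Ltd."` already on the `ManageEngine` entry are two spellings of one signer; if publisher matching is exact, each entry should carry both, as this commit itself does with `"GlavSoft LLC."` / `"GlavSoft LLC"`. Whether publisher matching is exact or substring-based is decided by product code outside this diff and is worth confirming before adding more variants.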