CiscoSecurity / amp-04-check-sha256-execution

Check if a given SHA256 has been executed in an AMP for Endpoints environment


AMP for Endpoints check SHA256 for execution:

Takes a SHA256 as input, queries the environment for the GUIDs of computers that have seen the file, then queries the trajectory of each GUID to verify that the endpoint has actually executed the file (not merely created, moved or scanned it). If a SHA256 is not provided as a command line argument, the script prompts for one.

Before using the script you must update the following values in it:

  • client_id
  • api_key

Usage:

python check_for_execution.py

or

python check_for_execution.py db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

Example script output:

Computers that have seen the file: 15

Hosts observed executing the file:
14dcfce3-9663-434d-9beb-c8836de035ce - Demo_AMP_Intel
  File: cmd.exe
  Path: /c:/windows/system32/cmd.exe

43ea5bb6-a4ec-48fa-876c-59cc304fda17 - Demo_AMP
  File: cmd.exe
  Path: /c:/windows/system32/cmd.exe
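The two-step check described above, as an added example that is not the repository's own script: it separates the SHA256 sanity check and the trajectory filter (testable offline on a constructed sample) from the API calls. The base URL, the `/computers/activity` and `/computers/{guid}/trajectory` paths, the `q` parameter, HTTP Basic auth with client_id/api_key, the response keys and the "Executed by" event name are my assumptions about the AMP for Endpoints v1 API, and the credentials are placeholders.

```python
import base64, json, re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumed AMP for Endpoints v1 API base URL; credentials are placeholders.
BASE_URL = "https://api.amp.cisco.com/v1"
CLIENT_ID, API_KEY = "<client_id>", "<api_key>"  # replace before use
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample in the assumed trajectory response shape, used offline.
SAMPLE_SHA256 = "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"
_FILE = {"file_name": "cmd.exe", "file_path": "/c:/windows/system32/cmd.exe",
         "identity": {"sha256": SAMPLE_SHA256}}
SAMPLE_TRAJECTORY = {"data": {"events": [{"event_type": "Created by", "file": _FILE},
                                         {"event_type": "Executed by", "file": _FILE}]}}

def valid_sha256(value):
    """Reject anything that is not 64 hex characters before it reaches the API."""
    return bool(SHA256_RE.match(value))

def executed_files(trajectory, sha256):
    """[(file_name, file_path)] for events that executed the hash; create/move/copy do not count."""
    hits = []
    for event in trajectory.get("data", {}).get("events", []):
        info = event.get("file", {})
        if info.get("identity", {}).get("sha256", "").lower() != sha256.lower():
            continue
        if event.get("event_type", "").startswith("Executed"):  # assumed event names
            hits.append((info.get("file_name"), info.get("file_path")))
    return hits

def api_get(path, params):
    """GET with HTTP Basic auth (client_id:api_key) and parse the JSON body."""
    token = base64.b64encode(("%s:%s" % (CLIENT_ID, API_KEY)).encode()).decode()
    req = Request("%s%s?%s" % (BASE_URL, path, urlencode(params)),
                  headers={"Authorization": "Basic " + token, "Accept": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)

def check_execution(sha256):
    """Step 1: computers that have seen the hash. Step 2: trajectory of each one."""
    if not valid_sha256(sha256):
        raise ValueError("not a SHA256: %r" % sha256)
    computers = api_get("/computers/activity", {"q": sha256}).get("data", [])
    print("Computers that have seen the file: %d" % len(computers))
    for comp in computers:  # assumed keys: connector_guid, hostname
        guid = comp["connector_guid"]
        traj = api_get("/computers/%s/trajectory" % guid, {"q": sha256})
        for name, path in executed_files(traj, sha256):
            print("%s - %s\n  File: %s\n  Path: %s" % (guid, comp.get("hostname"), name, path))
```

Call `check_execution(sha256)` with the hash from the command line or a prompt; the printed lines follow the output format shown above.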
