CiscoSecurity / amp-04-process-name-to-network-connections

Searches an environment for a process name and collects observed network connections


AMP for Endpoints Process Name to Network Connections:

Takes a process name as a command line argument and searches the environment for computers that have seen a process or file with that name. It then fetches the trajectory for each of those computers and parses it to collect the SHA256s recorded for that process name. The trajectory is then parsed a second time, looking for network connections generated by any of the collected SHA256s. Matching on SHA256 rather than on name alone ties each connection to the exact binary that made it, so renamed or differently-cased copies of the process are still covered as long as their hash was recorded.

NOTE: This script processes hits from a maximum of 500 endpoints (there is no pagination). If your search matches more than 500 endpoints, you will not get a complete view of the environment; narrow the search or add pagination before relying on the totals.
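The two-pass parse described above, as an added, offline example rather than the repository's own script. It runs over a constructed trajectory whose event layout (data.events[], event_type, file.file_name, file.identity.sha256, network_info.*, network_info.nfm.direction / .protocol) follows the shape of the AMP for Endpoints computer trajectory response; treat those field names as assumptions to check against your own API output, and all hostnames, GUIDs, hashes and addresses are invented.

```python
"""Two-pass parse of an AMP for Endpoints trajectory: first collect the SHA256s
seen under a process name, then collect the network (NFM) events those SHA256s
generated. Runs offline on a constructed trajectory (example code, not the repo's).
"""
import csv
import io
from collections import namedtuple

Connection = namedtuple(
    "Connection",
    "protocol direction local_ip local_port remote_ip remote_port hostname guid",
)

# Invented hashes standing in for real SHA256s.
SHA_A, SHA_B, SHA_C = "a" * 64, "b" * 64, "c" * 64


def nfm_event(sha, name, local_ip, local_port, remote_ip, remote_port,
              direction="Outgoing connection from"):
    """Build one constructed NFM (network flow) event in the assumed trajectory shape."""
    return {
        "event_type": "NFM",
        "file": {"file_name": name, "identity": {"sha256": sha}},
        "network_info": {
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "nfm": {"direction": direction, "protocol": "TCP"},
        },
    }


# Constructed sample shaped like a /v1/computers/{guid}/trajectory response.
SAMPLE_TRAJECTORY = {
    "data": {
        "computer": {"hostname": "Demo_Host",
                     "connector_guid": "00000000-0000-0000-0000-000000000001"},
        "events": [
            {"event_type": "Created by",
             "file": {"file_name": "powershell.exe", "identity": {"sha256": SHA_A}}},
            # Different case: Windows names are case-insensitive, so this must match too.
            {"event_type": "Executed by",
             "file": {"file_name": "POWERSHELL.EXE", "identity": {"sha256": SHA_B}}},
            nfm_event(SHA_A, "powershell.exe", "172.16.175.136", 49349, "52.148.86.91", 7777),
            nfm_event(SHA_A, "powershell.exe", "172.16.175.136", 49347, "52.148.86.91", 7777),
            nfm_event(SHA_C, "cmd.exe", "172.16.175.136", 49400, "10.0.0.5", 445),  # unrelated
            {"event_type": "Policy Update"},  # no file block at all; must not crash pass 1
        ],
    }
}


def _dig(obj, *keys, default=None):
    """Walk nested dicts safely; not every trajectory event carries every key."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def collect_sha256s(events, process_name):
    """Pass 1: every SHA256 recorded against a file with this (case-insensitive) name."""
    wanted = process_name.lower()
    return {
        _dig(e, "file", "identity", "sha256")
        for e in events
        if _dig(e, "file", "file_name", default="").lower() == wanted
        and _dig(e, "file", "identity", "sha256")
    }


def collect_connections(events, sha256s, hostname, guid):
    """Pass 2: NFM events whose originating process hash is in the collected set."""
    found = []
    for e in events:
        if e.get("event_type") != "NFM" or _dig(e, "file", "identity", "sha256") not in sha256s:
            continue
        net = e.get("network_info", {})
        found.append(Connection(
            protocol=_dig(net, "nfm", "protocol", default="?"),
            direction=_dig(net, "nfm", "direction", default="?"),
            local_ip=net.get("local_ip"), local_port=net.get("local_port"),
            remote_ip=net.get("remote_ip"), remote_port=net.get("remote_port"),
            hostname=hostname, guid=guid,
        ))
    return found


def process_trajectory(trajectory, process_name):
    """Run both passes over one computer's trajectory; returns (sha256s, connections)."""
    data = trajectory["data"]
    events = data.get("events", [])
    hostname, guid = _dig(data, "computer", "hostname"), _dig(data, "computer", "connector_guid")
    sha256s = collect_sha256s(events, process_name)
    return sha256s, collect_connections(events, sha256s, hostname, guid)


def format_connection(c):
    """Console line in the README's style; the arrow follows the recorded direction."""
    if c.direction.startswith("Incoming"):
        return f"  {c.protocol} {c.remote_ip}:{c.remote_port} -> {c.local_ip}:{c.local_port}"
    return f"  {c.protocol} {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}"


def connections_to_csv(connections):
    """CSV with the columns the README lists: IPs, ports, direction, hostname, GUID."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(Connection._fields)
    writer.writerows(connections)
    return buf.getvalue()


def unique_remote_ips(connections):
    return {c.remote_ip for c in connections}


if __name__ == "__main__":
    shas, conns = process_trajectory(SAMPLE_TRAJECTORY, "powershell.exe")
    print(f"Processing: {_dig(SAMPLE_TRAJECTORY, 'data', 'computer', 'hostname')}")
    for line in (format_connection(c) for c in conns) or ["  No communication observed"]:
        print(line)
    print(f"Unique SHA256s for powershell.exe: {len(shas)}")
    print(f"IPs powershell.exe has been observed communicating with: {len(unique_remote_ips(conns))}")
```

The cmd.exe flow is dropped because its hash was never recorded under the searched name, and the two powershell.exe flows to the same host count as one remote IP in the summary, which is how the "IPs ... observed communicating with" total in the sample output stays lower than the number of connection lines. To run this against a live environment, replace SAMPLE_TRAJECTORY with the parsed trajectory response for each computer returned by the activity search.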

Before using you must update the following:

The authentication parameters are set in api.cfg:

  • client_id
  • api_key

Usage:

python process_name_to_network_connections.py powershell.exe

Example script output:

This script has multiple outputs:

  • Prints connection information to the console
  • Writes a CSV containing connection the IPs, ports, direction, hostname, and GUID
  • Writes a log containing basic information about progress

Computers Found: 5
Processing: Demo_AMP_Exploit_Prevention_Audit - 13de840a-3577-41b3-8930-1917ca87ceda
  TCP 172.16.175.136:49349 -> 52.148.86.91:7777
  TCP 172.16.175.136:49347 -> 52.148.86.91:7777
  TCP 172.16.175.136:49346 -> 52.148.86.91:7777
  TCP 172.16.175.136:49340 -> 52.148.86.91:7777
  TCP 172.16.175.136:49338 -> 52.148.86.91:7777
  TCP 172.16.175.136:49336 -> 52.148.86.91:7777
  TCP 172.16.175.136:49336 -> 52.148.86.91:7777
Processing: Demo_AMP_Intel - 14dcfce3-9663-434d-9beb-c8836de035ce
  TCP 192.168.68.138:49311 -> 50.225.30.41:80
  TCP 192.168.68.138:49311 -> 50.225.30.41:80
Processing: Demo_AMP - 43ea5bb6-a4ec-48fa-876c-59cc304fda17
  TCP 172.16.175.143:49180 -> 52.168.18.255:8080
  TCP 172.16.175.143:49180 -> 52.168.18.255:8080
Processing: Demo_AMP_MAP_FriedEx - 93252a58-6d27-4687-b5a5-4e32e54cc166
  No communication observed
Processing: Demo_Command_Line_Arguments_Meterpreter - d2721a44-3795-4138-a73a-f36e6d8b0201
  No communication observed
Computers with powershell.exe: 5
Unique SHA256s for powershell.exe: 4
IPs powershell.exe has been observed communicating with: 38
