├── Feeds_Dump ├── aq.txt ├── CB_feeds_dump.vbs ├── Spreadsheet_Vuln_Parser │ ├── Spreadsheet_Vuln_Parser.vbs │ └── README.md ├── aq_Example.txt ├── Cb_Feeds.ini └── README.md ├── Misc ├── dotquad.txt ├── Images │ └── Cb_Resolve.png └── Convert list IP decimal to dotted quad.vbs ├── File_Download ├── hashlist.txt ├── CB_File_Downloader.vbs ├── Cb_FD.ini └── README.md ├── Pull_Events ├── Data │ ├── IPWatch.txt │ ├── DomainWatch.txt │ ├── FileWatch.txt │ ├── PortWatch.txt │ └── RegWatch.txt ├── Cb_PE.ini └── README.md ├── Sensor_Dump ├── CB_Sensor_Dump.vbs ├── Cb_sensor.ini ├── Spreadsheet_OS_Parser │ ├── Spreadsheet_OS_Parser.vbs │ └── README.md └── README.md ├── SocketTools ├── 32-bit │ └── cshtpax9.ocx ├── 64-bit │ └── cshtpax9.ocx └── InstallSocketTools.exe ├── Alerts ├── Cb_Alerts.ini ├── README.md ├── Cb_Resolve.vbs └── CB_Alerts.vbs ├── Event_Sampler ├── Cb_ES.ini └── README.md ├── extract_CB_zips ├── README.md └── extract_CB_zips.vbs ├── Hash_Dump ├── Cb_HD.ini ├── README.md ├── Hash_Searches │ └── CB_Dump_Search.py └── CB_Hash_Dump.vbs ├── README.md └── LICENSE /Feeds_Dump/aq.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Misc/dotquad.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /File_Download/hashlist.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Pull_Events/Data/IPWatch.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Pull_Events/Data/DomainWatch.txt: -------------------------------------------------------------------------------- 1 | 
-------------------------------------------------------------------------------- /Pull_Events/Data/FileWatch.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Pull_Events/Data/PortWatch.txt: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Misc/Images/Cb_Resolve.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RandomRhythm/Rhythm-CB-Scripts/HEAD/Misc/Images/Cb_Resolve.png -------------------------------------------------------------------------------- /Feeds_Dump/CB_feeds_dump.vbs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RandomRhythm/Rhythm-CB-Scripts/HEAD/Feeds_Dump/CB_feeds_dump.vbs -------------------------------------------------------------------------------- /Sensor_Dump/CB_Sensor_Dump.vbs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RandomRhythm/Rhythm-CB-Scripts/HEAD/Sensor_Dump/CB_Sensor_Dump.vbs -------------------------------------------------------------------------------- /SocketTools/32-bit/cshtpax9.ocx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RandomRhythm/Rhythm-CB-Scripts/HEAD/SocketTools/32-bit/cshtpax9.ocx -------------------------------------------------------------------------------- /SocketTools/64-bit/cshtpax9.ocx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RandomRhythm/Rhythm-CB-Scripts/HEAD/SocketTools/64-bit/cshtpax9.ocx -------------------------------------------------------------------------------- /File_Download/CB_File_Downloader.vbs: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/RandomRhythm/Rhythm-CB-Scripts/HEAD/File_Download/CB_File_Downloader.vbs -------------------------------------------------------------------------------- /SocketTools/InstallSocketTools.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RandomRhythm/Rhythm-CB-Scripts/HEAD/SocketTools/InstallSocketTools.exe -------------------------------------------------------------------------------- /Sensor_Dump/Cb_sensor.ini: -------------------------------------------------------------------------------- 1 | [IntegerValues] 2 | StartTime=* 3 | EndTime=* 4 | inactive_filter_days= 5 | [StringValues] 6 | IPaddress= 7 | [BooleanValues] 8 | UseSocketTools=False 9 | -------------------------------------------------------------------------------- /Sensor_Dump/Spreadsheet_OS_Parser/Spreadsheet_OS_Parser.vbs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RandomRhythm/Rhythm-CB-Scripts/HEAD/Sensor_Dump/Spreadsheet_OS_Parser/Spreadsheet_OS_Parser.vbs -------------------------------------------------------------------------------- /Feeds_Dump/Spreadsheet_Vuln_Parser/Spreadsheet_Vuln_Parser.vbs: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RandomRhythm/Rhythm-CB-Scripts/HEAD/Feeds_Dump/Spreadsheet_Vuln_Parser/Spreadsheet_Vuln_Parser.vbs -------------------------------------------------------------------------------- /Feeds_Dump/Spreadsheet_Vuln_Parser/README.md: -------------------------------------------------------------------------------- 1 | ### Spreadsheet OS Parser for CB_feeds_dump csv output 2 | 3 | Takes the CSV output from CB_feeds_dump and opens it in Microsoft Excel creating additional worksheets breaking down the data. 
-------------------------------------------------------------------------------- /File_Download/Cb_FD.ini: -------------------------------------------------------------------------------- 1 | [IntegerValues] 2 | StartTime=* 3 | EndTime=* 4 | SleepDelay=100 5 | ReceiveTimeout=120 6 | PagesToPull=10000 7 | [StringValues] 8 | TimeMeasurement=d 9 | [BooleanValues] 10 | UseSocketTools=False 11 | -------------------------------------------------------------------------------- /Sensor_Dump/Spreadsheet_OS_Parser/README.md: -------------------------------------------------------------------------------- 1 | ### Spreadsheet OS Parser for CB_Sensor_Dump csv output 2 | 3 | Takes the CSV output from CB_Sensor_Dump and opens it in Microsoft Excel creating additional worksheets breaking down the data by various attributes such as server, workstation, linux, and Windows. -------------------------------------------------------------------------------- /File_Download/README.md: -------------------------------------------------------------------------------- 1 | # CB File Downloader 2 | ### This script will download binary files via the CB Response (Carbon Black) API. 3 | 4 | To download files provide the list of md5 hash values in file hashlist.txt located in the the same directory as the script. Zip files will download to the same directory as the script. 
5 | -------------------------------------------------------------------------------- /Alerts/Cb_Alerts.ini: -------------------------------------------------------------------------------- 1 | [IntegerValues] 2 | StartTime=-14 3 | EndTime=* 4 | SleepDelay=100 5 | ReceiveTimeout=120 6 | PagesToPull=100 7 | SizeLimit=20000 8 | APIVersion=2 9 | [StringValues] 10 | TimeMeasurement=d 11 | SensorID= 12 | ClientCertPath= 13 | [BooleanValues] 14 | UseSocketTools=False 15 | Debug=False 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /Event_Sampler/Cb_ES.ini: -------------------------------------------------------------------------------- 1 | [IntegerValues] 2 | SleepDelay=100 3 | ReceiveTimeout=120 4 | APIVersion=4 5 | [StringValues] 6 | Delimiter=, 7 | InputFile= 8 | UniqueColumn= 9 | [BooleanValues] 10 | UseSocketTools=False 11 | Network=True 12 | Modules=True 13 | Child=True 14 | File=True 15 | Cross=True 16 | AllSections=True 17 | ReportUserName=True 18 | ReportProcessName=True -------------------------------------------------------------------------------- /Sensor_Dump/README.md: -------------------------------------------------------------------------------- 1 | # CB Sensor Dump 2 | ### This script will dump sensor information via the CB Response (Carbon Black) API. 
3 | 4 | Dumps data to the following columns: 5 | * Computer 6 | * Operating System 7 | * Date Registered 8 | * Stored Bytes 9 | * Status 10 | * Health 11 | * Group ID 12 | * Group Name 13 | * Last Checkin 14 | * Event Log Bytes 15 | * Days Checking In 16 | * Computer Name 17 | * Network Addresses 18 | * ID 19 | -------------------------------------------------------------------------------- /extract_CB_zips/README.md: -------------------------------------------------------------------------------- 1 | # Extract CB Zips (works with CB_File_Downloader.vbs) 2 | ### This script will extract the binary files from zip files download from CB Response (Carbon Black). 3 | 4 | The script requires that a folder path be given as the argument: 5 | extract_cb_zips.vbs %folder path to zip files% 6 | 7 | Example: 8 | extract_cb_zips.vbs "c:\zip files" 9 | 10 | Files will be extracted to the same folder passed in the argument. 11 | -------------------------------------------------------------------------------- /Pull_Events/Cb_PE.ini: -------------------------------------------------------------------------------- 1 | [IntegerValues] 2 | SleepDelay=100 3 | ReceiveTimeout=120 4 | PagesToPull=1000 5 | APIVersion=4 6 | [StringValues] 7 | ClientCertPath= 8 | QueryFilePath= 9 | [BooleanValues] 10 | UseSocketTools=False 11 | Network=True 12 | Modules=True 13 | Child=True 14 | File=True 15 | Cross=True 16 | Registry=True 17 | RegistryWatch=True 18 | FileWatch=True 19 | DomainWatch=True 20 | IPWatch=True 21 | PortWatch=True 22 | AllSections=True 23 | ReportUserName=True 24 | ReportProcessName=True 25 | IncludeQueryInWatchlist=True -------------------------------------------------------------------------------- /Hash_Dump/Cb_HD.ini: -------------------------------------------------------------------------------- 1 | [IntegerValues] 2 | StartTime=* 3 | EndTime=* 4 | SleepDelay=100 5 | ReceiveTimeout=120 6 | PagesToPull=10000 7 | [StringValues] 8 | TimeMeasurement=d 9 | SensorID= 10 | 
QueryItem= 11 | [BooleanValues] 12 | IsExecutable=True 13 | ExcludeSRSTRust=True 14 | UseSocketTools=False 15 | YARA=True 16 | ExpandYARA=True 17 | OutputHosts=True 18 | OutputDateAdded=True 19 | OutputDateSigned=True 20 | OutputInternalName=True 21 | OutputCopyright=True 22 | OutputComments=True 23 | OutputOriginalName=True 24 | UseHashList=False 25 | Debug=False 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /Feeds_Dump/aq_Example.txt: -------------------------------------------------------------------------------- 1 | evasion_installutil|process_name:installutil.exe AND parent_name:cmd.exe 2 | exploit_Notepad_MemCorrupt|parent_name:notepad.exe and -process_name:splwow64.exe 3 | Slingshot_1|/api/v1/binary?q=scesrv.dll -digsig_publisher:Microsoft corporation 4 | Slingshot_2|/api/v1/binary?q=spoolsv.exe -digsig_publisher:Microsoft corporation 5 | netcat|/api/v1/binary?q=observed_filename:nc.exe 6 | IP_Scan|product_name:"advanced IP scanner" 7 | Wireshark_File|product_name:"Wireshark" 8 | Wireshark_Process|/api/v1/process?q=product_name:"Wireshark" 9 | Winexe|/api/v1/binary?q=winexesvc.exe 10 | APN|/api/v1/binary?q=digsig_publisher:APN* 11 | -------------------------------------------------------------------------------- /Alerts/README.md: -------------------------------------------------------------------------------- 1 | ## CB Alerts - Pulls alerts from Cb Response writes to CSV 2 | 3 | The Cb_Alerts script will export CSV files for each feed. This is different dataset than CB Feeds dump and provides IP addresses, domains and the report name from the feed such as "ZeuS IP Blocklist". The default INI settings will retrieve the last two weeks of alerts, so be sure to adjust the INI setting StartTime if you want a different timeframe. 4 | 5 | 6 | ## Cb Resolve - Resolve alerts in the Cb Response console 7 | 8 | The Cb_Resolve script can resolve alerts in the Cb Response console. 
Filter in the Cb Response console to the alerts you want resolved and then copy and paste the URL into the script. Check the filtered result set before running it, since every alert matched by that URL's filter will be resolved.
4 | 5 | The script will try to pull sample event data from the following categories: 6 | * Network 7 | * Registry 8 | * Module Load 9 | * Child Process 10 | * File Modification 11 | * Cross Process 12 | 13 | Domains, IPs, and MD5 hashes are the currently supported lookups. CSV processing can only query values from one column. API CSV output will combine the original CSV input rows. 14 | 15 | This script is useful for querying any items where more context is needed. For example, take low prevalent files from CB_Hash_Dump output and look those up to get context sampling of process activity. -------------------------------------------------------------------------------- /Hash_Dump/README.md: -------------------------------------------------------------------------------- 1 | ## CB Hash Dump - Dumps hashes from CB (Carbon Black) Response 2 | #### This script will export a CSV of binary files matching the specified query in CB Response (Carbon Black). 3 | 4 | You must edit the code of this script to adjust the query. The following section of code defines the query: 5 | 6 | ``` 7 | '---Config Section 8 | BoolDebugTrace = False 'Leave this to false unless asked to collect debug logs. 9 | IntDayStartQuery = "*" 'time to go back for start date of query. Set to "*" to query all binaries. Set to "-7" for the last week. 10 | strTimeMeasurement = "d" '"h" for hours "d" for days 11 | IntDayEndQuery = "-1" 'days to go back for end date of query. Set to "*" for no end date. Set to "-1" to stop at yesterday. 12 | strBoolIs_Executable = "True" 'set to "true" to query executables. Set to "false" to query resources (DLLs). 13 | BoolExcludeSRSTRust = True 'Exclude trusted applications from the query 14 | strHostFilter = "" 'computer name to filter to. 
Use uppercase, is case sensitive 15 | boolOutputHosts = True ' Set to True to output hostnames for each binary 16 | '---End Config section 17 | ``` 18 | -------------------------------------------------------------------------------- /Feeds_Dump/Cb_Feeds.ini: -------------------------------------------------------------------------------- 1 | [IntegerValues] 2 | StartTime=* 3 | EndTime=* 4 | SleepDelay=100 5 | ReceiveTimeout=120 6 | PagesToPull=5000 7 | [StringValues] 8 | TimeMeasurement=d 9 | SensorID= 10 | FlashVersion=32.0.0.255 11 | ClientCertPath= 12 | [BooleanValues] 13 | QueryChild=False 14 | QueryParent=False 15 | UseSocketTools=False 16 | YARA=True 17 | AddYaraToReports=True 18 | WatchLists=True 19 | Abusech=True 20 | AlienVault=True 21 | AdvancedThreats=True 22 | EndpointVisibility=True 23 | SuspiciousIndicators=True 24 | CbBanning=True 25 | EMET=True 26 | CbTamper=True 27 | FbThreatExchange=True 28 | IconMatching=True 29 | MDL=True 30 | NVD=True 31 | SANS=True 32 | SRSThreat=True 33 | SRSTrust=True 34 | ThreatConnect=True 35 | tor=True 36 | attackframework=True 37 | KnownIOCs=True 38 | CbFileAnalysis=True 39 | CbCommunity=True 40 | EarlyAccess=True 41 | AdditionalQueries=True 42 | CbInspect=True 43 | MS08-067=True 44 | FlashPlayer=True 45 | MS15-065=True 46 | Silverlight=True 47 | InternetExplorer=True 48 | MS16-051=True 49 | MS17-010=True 50 | CVE-2017-11826=True 51 | CVE-2019-0708=True 52 | DejaBlue=True 53 | CVE-2020-0601=True 54 | -------------------------------------------------------------------------------- /Feeds_Dump/README.md: -------------------------------------------------------------------------------- 1 | # CB Feeds Dump 2 | 3 | ### This script will export two CSV files for each feed/watchlist/query. One CSV containing all data and a limited CSV containing unique entries. 4 | 5 | Use the Cb_Feeds.ini to adjust the query timeframe and host filter. 
The following snippet identifies key values: 6 | 7 | '---INI snippet 8 | [IntegerValues] 9 | StartTime=* 'Number of time to go back for start date of query. Set to "*" to query all or set to -24 to query last 24 time measurement 10 | EndTime=* 'days to go back for end date of query. Set to * for no end date 11 | [StringValues] 12 | TimeMeasurement=d '"h" for hours "d" for days 13 | '---End INI snippet 14 | 15 | Script runs addtional queries to identify vulnerable and patched components. Currently supports the following checks: 16 | * Flash Player 17 | * MS15-065 KB3065822 18 | * MS15-078 KB3079904 not applied 19 | * MS08-067 20 | * Silverlight MS16-006 CVE-2016-0034 21 | * MS16-051 KB3155533 22 | * Internet Explorer Major Version 23 | * MS17-010 24 | * BlueKeep 25 | * DejaBlue 26 | 27 | Additional queries can be run via aq.txt in the current directory. Input format is name|query where the name will be used as the file name for CSV output and the query will be used to pull down the results. 28 | 29 | Example: 30 | 31 | knowndll|observed_filename:known.dll&digsig_result:Unsigned 32 | evasion_installutil|process_name:installutil.exe AND parent_name:cmd.exe 33 | 34 | To force a query to binary or process include "/api/v1/%type%?q=" before the query: 35 | 36 | knowndll|/api/v1/binary?q=observed_filename:known.dll&digsig_result:Unsigned 37 | evasion_installutil|/api/v1/process?q=process_name:installutil.exe AND parent_name:cmd.exe 38 | -------------------------------------------------------------------------------- /Hash_Dump/Hash_Searches/CB_Dump_Search.py: -------------------------------------------------------------------------------- 1 | #Search through csv for keyword 2 | 3 | #Copyright 2018 Ryan Boyle 4 | # 5 | #Licensed under the Apache License, Version 2.0 (the "License"); 6 | #you may not use this file except in compliance with the License. 
7 | #You may obtain a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | #Unless required by applicable law or agreed to in writing, software 12 | #distributed under the License is distributed on an "AS IS" BASIS, 13 | #WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | #See the License for the specific language governing permissions and 15 | #limitations under the License. 16 | 17 | import csv 18 | import os 19 | import operator 20 | import itertools 21 | 22 | 23 | #config section 24 | searchString = ""; #search string should be lower case 25 | csvFileName = ""; #name of CSV file to parse 26 | searchColumnEnd = 14; #integer for the column to stop the search at 27 | #end config 28 | 29 | from collections import defaultdict 30 | 31 | searchString = searchString.lower() 32 | with open(csvFileName, "rt") as csvfile: 33 | reader = csv.reader(csvfile, delimiter=',', quotechar='\"') 34 | for row in reader: 35 | tmpout = ""; 36 | for num in range(0,searchColumnEnd): 37 | strCompare = row[num] 38 | 39 | if strCompare.lower().find(searchString) > -1: 40 | tmpout = row[0]; 41 | if tmpout != "": 42 | strout = ""; 43 | for column in row: 44 | if strout == "": 45 | strout = '"' + column + '"' 46 | else: 47 | strout = strout + ',"' + column + '"'; 48 | 49 | print (strout) -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Rhythm-CB-Scripts 2 | #### Collection of scripts for working with Carbon Black Cb Response API 3 | 4 | This repository contains a folder for each script's purpose. 5 | 6 | #### Alerts 7 | The Cb_Alerts script will export alerts from the console in CSV files for each of the feeds and watchlists. The Alerts folder also contains the Cb_Resolve script to resolve alerts within the console. 
8 | 9 | #### Pull_Events 10 | Process activity generates events, which can be child processes, registry, file, network, or cross-process activity. I call this the API trace, but some may call it the process interactions. The script takes a query and runs it against the API to then output CSV files for each event category. 11 | 12 | #### Feeds_Dump 13 | The Feed_Dump script will output CSV files for each feed or watchlist configured in the console. This script is useful for reviewing feeds and watchlists that are not generating alerts. 14 | 15 | #### Sensor_Dump 16 | This script outputs a CSV file containing each sensor and its associated data. 17 | 18 | #### Hash_Dump 19 | The Hash_Dump script will dump hash values and associated data. Dump all executables, DLL files, or provide a list of hash values to get the associated binary's information. I use this feature to run hashes against hash lookup services, such as VirusTotal, using VTTL. 20 | 21 | #### File_Download 22 | Cb Response will provide available files to download the files within zip files. The File_Download script will download the zip files for the provided hash values. 23 | 24 | #### extract_CB_zips 25 | The extract_CB_zips script will utilize 7z to extract File_Download zip files. Files are extracted and renamed to the value of the MD5. 26 | 27 | #### Event_Sampler 28 | The Event_Sampler is a branch of the Pull_Events script. Instead of outputting CSV files for the various event categories, the script will output a sampling from each event category into one CSV file. 29 | 30 | #### SocketTools 31 | SocketTools requires that it only be used in compiled code. However, compiling VBScript causes many antimalware vendors to detect the resulting executable file. The antimalware detections were causing problems with downloading this repo and thus were removed. If you would like compiled versions, please let me know as currently, that doesn't appear to be a problem these days. 
32 | 33 | 34 | ### Configuring the INI file 35 | INI files are provided in each script directory. The settings in the INI files will override the default settings in the script/executable. The INI is broken down into three sections: 36 | ##### [IntegerValues] 37 | These values should be numeric. Only the StartTime and EndTime can be negative numbers. The StartTime and EndTime are asterisks (*) by default, which will pull all events. Time is evaluated at the current time, so negative numbers are required to filter to events in the past. 38 | * SleepDelay - milliseconds to sleep between queries 39 | * ReceiveTimeout - Time-out value in seconds 40 | * PagesToPull - Number of pages to pull for each API call (large numbers for certain calls can cause Cb Response console not to return data and could indicate a performance issue) 41 | * SizeLimit - Don't pull more than this number of events 42 | ##### [StringValues] 43 | These are string/text values. 44 | * TimeMeasurement - StartTime and EndTime use this measurement. The following values can be used for the time interval: 45 | * yyyy Year 46 | * q Quarter 47 | * m Month 48 | * y Day of the year 49 | * d Day 50 | * w Weekday 51 | * ww Week 52 | * h Hour 53 | * n Minute 54 | * s Second 55 | * SensorID - The ID number of a sensor you wish to limit the query to 56 | ##### [BooleanValues] 57 | These are boolean values (True or False) to turn on or off features of the script. 58 | * UseSocketTools - Set to True to use SocketTools or False to not use SocketTools 59 | 60 | Other Values exist and may be unique to the individual script. The above examples are provided as they are generally available for each INI file. 61 | 62 | 63 | ### Troubleshooting 64 | 65 | If you get the message "error on line 1" it is likely due to the file being saved in Unicode. Open up the script in notepad.exe and click File > Save As. In the save as dialog, change the encoding at the bottom of the screen to ANSI. 
66 | 67 | If you are getting connection errors, it is likely happening because the HTTP Windows API the scripts uses by default doesn't support the TLS version configured on the Cb Response console. To work around the issue, use a modern version of Windows such as Windows 10 or Server 2016. To fix this problem in Windows perform the fix Microsoft describes here: 68 | 69 | https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi 70 | 71 | Another option to work around this problem is to utilize SocketTools. Executables were provided for each script to use SocketTools instead of the Windows API. However, the executables were detected as malware by several vendors, which caused problems with downloading this repo. If you require this workaround, please make a request to have the executables published. 72 | 73 | -------------------------------------------------------------------------------- /Misc/Convert list IP decimal to dotted quad.vbs: -------------------------------------------------------------------------------- 1 | 'Build Cb Response query with IP addresses and/or domains 2 | 'provide a list of IP address/domains in dotquad.txt 3 | 'output to cbquery.txt 4 | 5 | Const forwriting = 2 6 | Const ForAppending = 8 7 | Const ForReading = 1 8 | Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject") 9 | 10 | boolConvertIP = False 11 | 12 | CurrentDirectory = GetFilePath(wscript.ScriptFullName) 13 | strinFile = CurrentDirectory & "\dotquad.txt" 14 | if objFSO.fileexists(strinFile) = False then 15 | msgbox "Input file does not exist: " & strinFile 16 | wscript.quit 2 17 | end if 18 | Set objFile = objFSO.OpenTextFile(strinFile) 19 | if objFile.AtEndOfStream = true then 20 | msgbox "Please add IP addresses to file: " & strinFile 21 | wscript.quit 3 22 | end if 23 | Do While Not objFile.AtEndOfStream 24 | 25 | strData = objFile.ReadLine 26 | strTmpIP = strData 27 | if isIPaddress(strData) = true 
then 28 | if isIPv6(strData) = False and boolConvertIP = True then 29 | strTmpIP = Dotted2LongIP(strData) 30 | logdata CurrentDirectory & "\decout.txt", strTmpIP, false 31 | end if 32 | strType = "ipaddr" 33 | elseif instr(strData, ".") = 0 then 34 | strType = "md5" 35 | else 36 | strType = "domain" 37 | end if 38 | 39 | if strCBout= "" then 40 | strCBout = strType & ":" & strTmpIP 41 | else 42 | strCBout = strCBout & " OR " & strType & ":" & strTmpIP 43 | end if 44 | loop 45 | 46 | logdata CurrentDirectory & "\cbquery.txt", strCBout, false 47 | msgbox "Finished" 48 | 49 | Public Function Dotted2LongIP(DottedIP) 'http://www.freevbcode.com/ShowCode.asp?ID=938 50 | ' errors will result in a zero value 51 | On Error Resume Next 52 | 53 | Dim i, pos 54 | Dim PrevPos, num 55 | 56 | ' string cruncher 57 | For i = 1 To 4 58 | ' Parse the position of the dot 59 | pos = InStr(PrevPos + 1, DottedIP, ".", 1) 60 | 61 | ' If its past the 4th dot then set pos to the last 62 | 'position + 1 63 | 64 | If i = 4 Then pos = Len(DottedIP) + 1 65 | 66 | ' Parse the number from between the dots 67 | 68 | num = Int(Mid(DottedIP, PrevPos + 1, pos - PrevPos - 1)) 69 | 70 | ' Set the previous dot position 71 | PrevPos = pos 72 | 73 | ' No dot value should ever be larger than 255 74 | ' Technically it is allowed to be over 255 -it just 75 | ' rolls over e.g. 76 | '256 => 0 -note the (4 - i) that's the 77 | 'proper exponent for this calculation 78 | 79 | 80 | Dotted2LongIP = ((num Mod 256) * (256 ^ (4 - i))) + _ 81 | Dotted2LongIP 82 | 83 | Next 84 | on error goto 0 85 | 86 | End Function 87 | 88 | 89 | Function IPDecToDotQuad(intDecIP) 90 | tmpOct = "" 91 | y = 0 92 | for x = 1 to 32 93 | y=y+1 94 | tmpBit = GetBit(intDecIP, x) 95 | if tmpBit = True then 96 | tmpOct = "1" & tmpOct 97 | else 98 | tmpOct = "0" & tmpOct 99 | end if 100 | if y = 8 then 101 | 'msgbox tmpOct 102 | 'msgbox Dec2Bin(tmpOct) 103 | strIP = Dec2Bin(tmpOct) & "." 
& strIP 104 | y=0 105 | tmpOct = "" 106 | end if 107 | next 108 | strIP = left(strIP,len(strIP)-1) 109 | IPDecToDotQuad = strIP 110 | end function 111 | 112 | Function GetBit(lngValue, BitNum) 113 | Dim BitMask 114 | If BitNum < 32 Then BitMask = 2 ^ (BitNum - 1) Else BitMask = "&H80000000" 115 | GetBit =Cbool(lngValue AND BitMask) 116 | End Function 117 | 118 | Function Dec2Bin(binary) 119 | 120 | For s = 1 To Len(binary) 121 | n = n + (Mid(binary, Len(binary) - s + 1, 1) * (2 ^ (s - 1))) 122 | Next 123 | Dec2Bin = n 124 | end function 125 | 126 | 127 | 128 | 129 | 130 | function LogData(TextFileName, TextToWrite,EchoOn) 131 | Set fsoLogData = CreateObject("Scripting.FileSystemObject") 132 | if EchoOn = True then wscript.echo TextToWrite 133 | If fsoLogData.fileexists(TextFileName) = False Then 134 | 'Creates a replacement text file 135 | on error resume next 136 | fsoLogData.CreateTextFile TextFileName, True 137 | if err.number <> 0 and err.number <> 53 then msgbox "Logging error: " & err.number & " " & err.description & vbcrlf & TextFileName 138 | on error goto 0 139 | End If 140 | if TextFileName <> "" then 141 | 142 | 143 | Set WriteTextFile = fsoLogData.OpenTextFile(TextFileName,ForAppending, False) 144 | on error resume next 145 | WriteTextFile.WriteLine TextToWrite 146 | if err.number <> 0 then 147 | on error goto 0 148 | WriteTextFile.Close 149 | Dim objStream 150 | Set objStream = CreateObject("ADODB.Stream") 151 | objStream.CharSet = "utf-16" 152 | objStream.Open 153 | objStream.WriteText TextToWrite 154 | on error resume next 155 | objStream.SaveToFile TextFileName, 2 156 | if err.number <> 0 then msgbox err.number & " - " & err.message & " Problem writting to " & TextFileName 157 | if err.number <> 0 then msgbox "problem writting text: " & TextToWrite 158 | on error goto 0 159 | Set objStream = nothing 160 | end if 161 | end if 162 | Set fsoLogData = Nothing 163 | End Function 164 | 165 | 166 | 167 | Function GetFilePath (ByVal FilePathName) 168 | 
found = False 169 | 170 | Z = 1 171 | 172 | Do While found = False and Z < Len((FilePathName)) 173 | 174 | Z = Z + 1 175 | 176 | If InStr(Right((FilePathName), Z), "\") <> 0 And found = False Then 177 | mytempdata = Left(FilePathName, Len(FilePathName) - Z) 178 | 179 | GetFilePath = mytempdata 180 | 181 | found = True 182 | 183 | End If 184 | 185 | Loop 186 | 187 | end Function 188 | 189 | 190 | 191 | Function isIPaddress(strIPaddress) 192 | DIm arrayTmpquad 193 | Dim boolReturn_isIP 194 | boolReturn_isIP = True 195 | if instr(strIPaddress,".") then 196 | arrayTmpquad = split(strIPaddress,".") 197 | for each item in arrayTmpquad 198 | if isnumeric(item) = false then boolReturn_isIP = false 199 | next 200 | else 201 | boolReturn_isIP = false 202 | end if 203 | if boolReturn_isIP = false then 204 | boolReturn_isIP = isIpv6(strIPaddress) 205 | end if 206 | isIPaddress = boolReturn_isIP 207 | END FUNCTION 208 | 209 | 210 | 211 | Function IsIPv6(TestString) 212 | 213 | Dim sTemp 214 | Dim iLen 215 | Dim iCtr 216 | Dim sChar 217 | 218 | if instr(TestString, ":") = 0 then 219 | IsIPv6 = false 220 | exit function 221 | end if 222 | 223 | sTemp = TestString 224 | iLen = Len(sTemp) 225 | If iLen > 0 Then 226 | For iCtr = 1 To iLen 227 | sChar = Mid(sTemp, iCtr, 1) 228 | if isnumeric(sChar) or "a"= lcase(sChar) or "b"= lcase(sChar) or "c"= lcase(sChar) or "d"= lcase(sChar) or "e"= lcase(sChar) or "f"= lcase(sChar) or ":" = sChar then 229 | 'allowed characters for hash (hex) 230 | else 231 | IsIPv6 = False 232 | exit function 233 | end if 234 | Next 235 | 236 | IsIPv6 = True 237 | else 238 | IsIPv6 = False 239 | End If 240 | 241 | End Function -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU LESSER GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 
5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | 9 | This version of the GNU Lesser General Public License incorporates 10 | the terms and conditions of version 3 of the GNU General Public 11 | License, supplemented by the additional permissions listed below. 12 | 13 | 0. Additional Definitions. 14 | 15 | As used herein, "this License" refers to version 3 of the GNU Lesser 16 | General Public License, and the "GNU GPL" refers to version 3 of the GNU 17 | General Public License. 18 | 19 | "The Library" refers to a covered work governed by this License, 20 | other than an Application or a Combined Work as defined below. 21 | 22 | An "Application" is any work that makes use of an interface provided 23 | by the Library, but which is not otherwise based on the Library. 24 | Defining a subclass of a class defined by the Library is deemed a mode 25 | of using an interface provided by the Library. 26 | 27 | A "Combined Work" is a work produced by combining or linking an 28 | Application with the Library. The particular version of the Library 29 | with which the Combined Work was made is also called the "Linked 30 | Version". 31 | 32 | The "Minimal Corresponding Source" for a Combined Work means the 33 | Corresponding Source for the Combined Work, excluding any source code 34 | for portions of the Combined Work that, considered in isolation, are 35 | based on the Application, and not on the Linked Version. 36 | 37 | The "Corresponding Application Code" for a Combined Work means the 38 | object code and/or source code for the Application, including any data 39 | and utility programs needed for reproducing the Combined Work from the 40 | Application, but excluding the System Libraries of the Combined Work. 41 | 42 | 1. Exception to Section 3 of the GNU GPL. 43 | 44 | You may convey a covered work under sections 3 and 4 of this License 45 | without being bound by section 3 of the GNU GPL. 
46 | 47 | 2. Conveying Modified Versions. 48 | 49 | If you modify a copy of the Library, and, in your modifications, a 50 | facility refers to a function or data to be supplied by an Application 51 | that uses the facility (other than as an argument passed when the 52 | facility is invoked), then you may convey a copy of the modified 53 | version: 54 | 55 | a) under this License, provided that you make a good faith effort to 56 | ensure that, in the event an Application does not supply the 57 | function or data, the facility still operates, and performs 58 | whatever part of its purpose remains meaningful, or 59 | 60 | b) under the GNU GPL, with none of the additional permissions of 61 | this License applicable to that copy. 62 | 63 | 3. Object Code Incorporating Material from Library Header Files. 64 | 65 | The object code form of an Application may incorporate material from 66 | a header file that is part of the Library. You may convey such object 67 | code under terms of your choice, provided that, if the incorporated 68 | material is not limited to numerical parameters, data structure 69 | layouts and accessors, or small macros, inline functions and templates 70 | (ten or fewer lines in length), you do both of the following: 71 | 72 | a) Give prominent notice with each copy of the object code that the 73 | Library is used in it and that the Library and its use are 74 | covered by this License. 75 | 76 | b) Accompany the object code with a copy of the GNU GPL and this license 77 | document. 78 | 79 | 4. Combined Works. 
80 | 81 | You may convey a Combined Work under terms of your choice that, 82 | taken together, effectively do not restrict modification of the 83 | portions of the Library contained in the Combined Work and reverse 84 | engineering for debugging such modifications, if you also do each of 85 | the following: 86 | 87 | a) Give prominent notice with each copy of the Combined Work that 88 | the Library is used in it and that the Library and its use are 89 | covered by this License. 90 | 91 | b) Accompany the Combined Work with a copy of the GNU GPL and this license 92 | document. 93 | 94 | c) For a Combined Work that displays copyright notices during 95 | execution, include the copyright notice for the Library among 96 | these notices, as well as a reference directing the user to the 97 | copies of the GNU GPL and this license document. 98 | 99 | d) Do one of the following: 100 | 101 | 0) Convey the Minimal Corresponding Source under the terms of this 102 | License, and the Corresponding Application Code in a form 103 | suitable for, and under terms that permit, the user to 104 | recombine or relink the Application with a modified version of 105 | the Linked Version to produce a modified Combined Work, in the 106 | manner specified by section 6 of the GNU GPL for conveying 107 | Corresponding Source. 108 | 109 | 1) Use a suitable shared library mechanism for linking with the 110 | Library. A suitable mechanism is one that (a) uses at run time 111 | a copy of the Library already present on the user's computer 112 | system, and (b) will operate properly with a modified version 113 | of the Library that is interface-compatible with the Linked 114 | Version. 
115 | 116 | e) Provide Installation Information, but only if you would otherwise 117 | be required to provide such information under section 6 of the 118 | GNU GPL, and only to the extent that such information is 119 | necessary to install and execute a modified version of the 120 | Combined Work produced by recombining or relinking the 121 | Application with a modified version of the Linked Version. (If 122 | you use option 4d0, the Installation Information must accompany 123 | the Minimal Corresponding Source and Corresponding Application 124 | Code. If you use option 4d1, you must provide the Installation 125 | Information in the manner specified by section 6 of the GNU GPL 126 | for conveying Corresponding Source.) 127 | 128 | 5. Combined Libraries. 129 | 130 | You may place library facilities that are a work based on the 131 | Library side by side in a single library together with other library 132 | facilities that are not Applications and are not covered by this 133 | License, and convey such a combined library under terms of your 134 | choice, if you do both of the following: 135 | 136 | a) Accompany the combined library with a copy of the same work based 137 | on the Library, uncombined with any other library facilities, 138 | conveyed under the terms of this License. 139 | 140 | b) Give prominent notice with the combined library that part of it 141 | is a work based on the Library, and explaining where to find the 142 | accompanying uncombined form of the same work. 143 | 144 | 6. Revised Versions of the GNU Lesser General Public License. 145 | 146 | The Free Software Foundation may publish revised and/or new versions 147 | of the GNU Lesser General Public License from time to time. Such new 148 | versions will be similar in spirit to the present version, but may 149 | differ in detail to address new problems or concerns. 150 | 151 | Each version is given a distinguishing version number. 
If the 152 | Library as you received it specifies that a certain numbered version 153 | of the GNU Lesser General Public License "or any later version" 154 | applies to it, you have the option of following the terms and 155 | conditions either of that published version or of any later version 156 | published by the Free Software Foundation. If the Library as you 157 | received it does not specify a version number of the GNU Lesser 158 | General Public License, you may choose any version of the GNU Lesser 159 | General Public License ever published by the Free Software Foundation. 160 | 161 | If the Library as you received it specifies that a proxy can decide 162 | whether future versions of the GNU Lesser General Public License shall 163 | apply, that proxy's public statement of acceptance of any version is 164 | permanent authorization for you to choose that version for the 165 | Library. 166 | -------------------------------------------------------------------------------- /extract_CB_zips/extract_CB_zips.vbs: -------------------------------------------------------------------------------- 1 | 'Extract CB Zips v1.5 (works with CB_File_Downloader) 2 | 'parameter is the folder path containing the zip files to extract (prompt for folder path if not provided. ) 3 | 4 | 'Copyright (c) 2021 Ryan Boyle randomrhythm@rhythmengineering.com. 5 | 'All rights reserved. 6 | 7 | 'This program is free software: you can redistribute it and/or modify 8 | 'it under the terms of the GNU General Public License as published by 9 | 'the Free Software Foundation, either version 3 of the License, or 10 | '(at your option) any later version. 11 | 12 | 'This program is distributed in the hope that it will be useful, 13 | 'but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | 'MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | 'GNU General Public License for more details. 
16 | 17 | 'You should have received a copy of the GNU General Public License 18 | 'along with this program. If not, see . 19 | 20 | Const forwriting = 2 21 | Const ForAppending = 8 22 | Const ForReading = 1 23 | 24 | DIm objShellComplete 25 | Set objShellComplete = WScript.CreateObject("WScript.Shell") 26 | Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject") 27 | Dim objShell 28 | Dim BoolSilent 29 | Dim strFDname 30 | Dim strExtension 31 | Const WshRunning = 0 32 | Const WshFinished = 1 33 | 34 | 35 | 'Config section 36 | strExtension = "zip" 37 | BoolSilent = True 38 | boolSubDir = False 'create sub directories for each compressed file 39 | 'end Config 40 | 41 | Set objShell = WScript.CreateObject( "WScript.Shell" ) 42 | 43 | 44 | strFDname = "filedata" 45 | CurrentDirectory = GetFilePath(wscript.ScriptFullName) 46 | 47 | on error resume next 48 | ProcessDirectory = WScript.Arguments(0) 49 | if err.number <> 0 then 50 | wscript.echo "Error getting arguments. Must pass the path to the folder containing zip files to extract as parameter." 51 | ProcessDirectory = fnShellBrowseForFolderVB 52 | end if 53 | on error goto 0 54 | 55 | if objFSO.FileExists("C:\Program Files\7-Zip\7z.exe") then 56 | str7zPath = "C:\Program Files\7-Zip\7z.exe" 57 | elseif objFSO.FileExists("c:\Program Files (x86)\7-Zip\7z.exe") then 58 | str7zPath = "c:\Program Files (x86)\7-Zip\7z.exe" 59 | else 60 | msgbox "7z not installed: File does not exist - " & chr(34) & "C:\Program Files\7-Zip\7z.exe" & chr(34) & vbcrlf & "script will now exit" 61 | wscript.quit(888) 62 | end if 63 | 64 | if objFSO.FolderExists(ProcessDirectory) = False then 65 | msgbox "Folder does not exist " & chr(34) & ProcessDirectory & chr(34) 66 | wscript.quit (882) 67 | end if 68 | 69 | Set f = objFSO.GetFolder(ProcessDirectory) 70 | Set fc = f.files 71 | For Each f1 in fc 72 | if lcase(right(f1.name, len(strExtension) + 1)) = "." 
& strExtension then 73 | strOutputdir = CurrentDirectory 74 | if objFSO.FileExists(ProcessDirectory & "\" & f1.name) then 75 | if instr(f1.name, ".") then 76 | if boolSubDir = TRue then 77 | if objFSO.folderexists(CurrentDirectory & "\" & f1.name) = False then 78 | objFSO.createfolder(CurrentDirectory & "\" & f1.name) 79 | strOutputdir = CurrentDirectory & "\" & f1.name 80 | end if 81 | end if 82 | set execResults = objShell.Exec(chr(34) & str7zPath & Chr(34) & " x -y -o" & Chr(34) & strOutputdir & Chr(34) & " " & Chr(34) & ProcessDirectory & "\" & f1.name & Chr(34)) 83 | wscript.sleep 700 84 | intExistLoop = 0 85 | 'wait for file to be created 86 | Do while exitFileExistsLoop = False and WshRunning = execResults.Status 87 | if objFSO.FileExists(CurrentDirectory & "\" & strFDname) = True then 88 | exitFileExistsLoop = True 89 | else 90 | wscript.Sleep 2500 91 | if intExistLoop > 11 then exitFileExistsLoop = True 92 | intExistLoop = intExistLoop +1 93 | end if 94 | loop 95 | wscript.Sleep 800 96 | if objFSO.FileExists(CurrentDirectory & "\" & strFDname) = False then 97 | if execResults.Status = WshRunning then 98 | logdata CurrentDirectory & "\extract.log", "7z is still running and extraction was not verified: " & ProcessDirectory & "\" & f1.name, False 99 | elseif execResults.ExitCode <> 0 then 100 | if BoolSilent = False then msgbox "failed extraction with exit code " & str(execResults.ExitCode) & ": " & ProcessDirectory & "\" & f1.name 101 | logdata CurrentDirectory & "\extract.log", "failed extraction with exit code " & cstr(execResults.ExitCode) & ": " & ProcessDirectory & "\" & f1.name, False 102 | if BoolSilent = False then msgbox CurrentDirectory & "\" & ReturnFnameNoExt(f1.name) 103 | else 104 | if BoolSilent = False then msgbox "7z did not error but extraction was not verified: " & ProcessDirectory & "\" & f1.name 105 | logdata CurrentDirectory & "\extract.log", "7z did not error but extraction was not verified: " & ProcessDirectory & "\" & f1.name, False 
106 | if BoolSilent = False then msgbox CurrentDirectory & "\" & ReturnFnameNoExt(f1.name) 107 | 108 | end if 109 | else 110 | logdata CurrentDirectory & "\extract.log", "Successful extraction: " & ProcessDirectory & "\" & f1.name, False 111 | if objFSO.FolderExists(CurrentDirectory & "\" & ReturnFnameNoExt(f1.name)) = True then 112 | StrAddmodifier = "_extracted" 113 | else 114 | StrAddmodifier = "" 115 | end if 116 | if objFSO.FileExists(CurrentDirectory & "\" & ReturnFnameNoExt(f1.name) & StrAddmodifier) = False then 117 | 118 | on error resume next 119 | objFSO.MoveFile CurrentDirectory & "\" & strFDname, CurrentDirectory & "\" & ReturnFnameNoExt(f1.name) & StrAddmodifier 120 | if err.number = 0 then 121 | logdata CurrentDirectory & "\extract.log", "Moved " & CurrentDirectory & "\" & ReturnFnameNoExt(f1.name) & StrAddmodifier, False 122 | else 123 | logdata CurrentDirectory & "\extract.log", "Error Moving " & CurrentDirectory & "\" & strFDname & " to " & CurrentDirectory & "\" & ReturnFnameNoExt(f1.name) & StrAddmodifier, False 124 | msgbox "Error moving file - " & err.number & " " & err.description 125 | end if 126 | on error goto 0 127 | 128 | wscript.sleep 700 129 | else 130 | logdata CurrentDirectory & "\extract.log", "Already Exists: " & CurrentDirectory & "\" & ReturnFnameNoExt(f1.name) & StrAddmodifier, False 131 | end if 132 | end if 133 | else 134 | wscript.echo "zip file missing extension" 135 | end if 136 | end if 137 | end if 138 | Next 139 | 140 | 141 | Function ReturnFnameNoExt(strFNWE) 142 | 143 | if instr(strFNWE,".") then 144 | tmpArrayFName = split(strFNWE, ".") 145 | 146 | for intFNEcount = 0 to ubound(tmpArrayFName) -1 147 | strReturnNoExt = strReturnNoExt & tmpArrayFName(intFNEcount) 148 | 149 | next 150 | 151 | else 152 | strReturnNoExt = strFNWE 153 | end if 154 | ReturnFnameNoExt = strReturnNoExt 155 | end function 156 | 157 | Function GetData(contents, ByVal EndOfStringChar, ByVal MatchString) 158 | MatchStringLength = Len(MatchString) 
159 | x= 0 160 | 161 | do while x < len(contents) - (MatchStringLength +1) 162 | 163 | x = x + 1 164 | if Mid(contents, x, MatchStringLength) = MatchString then 165 | 'Gets server name for section 166 | for y = 1 to len(contents) -x 167 | if instr(Mid(contents, x + MatchStringLength, y),EndOfStringChar) = 0 then 168 | TempData = Mid(contents, x + MatchStringLength, y) 169 | else 170 | exit do 171 | end if 172 | next 173 | end if 174 | loop 175 | GetData = TempData 176 | end Function 177 | 178 | 179 | function LogData(TextFileName, TextToWrite,EchoOn) 180 | Dim strTmpFilName1 181 | Dim strTmpFilName2 182 | strTmpFilName1 = right(TextFileName, len(TextFileName) - instrrev(TextFileName,"\")) 183 | strTmpFilName2 = replace(strTmpFilName1,"/",".") 184 | 'TextFileName = replace(TextFileName,"\",".") 185 | strTmpFilName2 = replace(strTmpFilName2,":",".") 186 | strTmpFilName2 = replace(strTmpFilName2,"*",".") 187 | strTmpFilName2 = replace(strTmpFilName2,"?",".") 188 | strTmpFilName2 = replace(strTmpFilName2,chr(34),".") 189 | strTmpFilName2 = replace(strTmpFilName2,"<",".") 190 | strTmpFilName2 = replace(strTmpFilName2,">",".") 191 | strTmpFilName2 = replace(strTmpFilName2,"|",".") 192 | TextFileName = replace(TextFileName,strTmpFilName1,strTmpFilName2) 193 | 194 | Set fsoLogData = CreateObject("Scripting.FileSystemObject") 195 | if EchoOn = True then wscript.echo TextToWrite 196 | If fsoLogData.fileexists(TextFileName) = False Then 197 | 'Creates a replacement text file 198 | fsoLogData.CreateTextFile TextFileName, True 199 | End If 200 | on error resume next 201 | Set WriteTextFile = fsoLogData.OpenTextFile(TextFileName,ForAppending, False) 202 | if err.number <> 0 then 203 | msgbox "Error writting to " & TextFileName & " perhaps the file is locked?" 
204 | err.number = 0 205 | Set WriteTextFile = fsoLogData.OpenTextFile(TextFileName,ForAppending, False) 206 | if err.number <> 0 then exit function 207 | end if 208 | 209 | on error goto 0 210 | WriteTextFile.WriteLine TextToWrite 211 | WriteTextFile.Close 212 | Set fsoLogData = Nothing 213 | End Function 214 | 215 | 216 | Function GetFilePath (ByVal FilePathName) 217 | found = False 218 | 219 | Z = 1 220 | 221 | Do While found = False and Z < Len((FilePathName)) 222 | 223 | Z = Z + 1 224 | 225 | If InStr(Right((FilePathName), Z), "\") <> 0 And found = False Then 226 | mytempdata = Left(FilePathName, Len(FilePathName) - Z) 227 | 228 | GetFilePath = mytempdata 229 | 230 | found = True 231 | 232 | End If 233 | 234 | Loop 235 | 236 | end Function 237 | 238 | 239 | function fnShellBrowseForFolderVB() 240 | dim objShell 241 | dim ssfWINDOWS 242 | dim objFolder 243 | 244 | ssfWINDOWS = 36 245 | set objShell = CreateObject("shell.application") 246 | set objFolder = objShell.BrowseForFolder(0, "Example", 0, ssfDRIVES) 247 | if (not objFolder is nothing) then 248 | set oFolderItem = objFolder.items.item 249 | fnShellBrowseForFolderVB = oFolderItem.Path 250 | end if 251 | set objFolder = nothing 252 | set objShell = nothing 253 | end function -------------------------------------------------------------------------------- /Pull_Events/Data/RegWatch.txt: -------------------------------------------------------------------------------- 1 | system\currentcontrolset\control\session manager\bootexecute|persistence 2 | software\classes\htmlfile\shell\open\command|persistence 3 | software\classes\htmlfile\shell\open\command\(default)|persistence 4 | system\currentcontrolset\services|persistence 5 | software\microsoft\windows\currentversion\authentication\credential providers|persistence 6 | software\microsoft\windows\currentversion\authentication\credential provider filters|persistence 7 | software\microsoft\windows\currentversion\authentication\plap providers|persistence 8 | 
system\currentcontrolset\control\print\monitors|persistence 9 | system\currentcontrolset\control\securityproviders|persistence 10 | system\currentcontrolset\control\securityproviders\securityproviders|persistence 11 | system\currentcontrolset\control\lsa\authentication packages|persistence 12 | system\currentcontrolset\control\lsa\notification packages|persistence 13 | system\currentcontrolset\control\networkprovider\order|persistence 14 | system\currentcontrolset\services\winsock2\parameters\protocol_catalog9\catalog_entries|persistence 15 | system\currentcontrolset\services\winsock2\parameters\namespace_catalog5\catalog_entries|persistence 16 | system\currentcontrolset\services\winsock2\parameters\protocol_catalog9\catalog_entries64|persistence 17 | system\currentcontrolset\services\winsock2\parameters\namespace_catalog5\catalog_entries64|persistence 18 | system\currentcontrolset\control\terminal server\wds\rdpwd|persistence 19 | system\currentcontrolset\control\terminal server\wds\rdpwd\startupprograms|persistence 20 | software\microsoft\windows nt\currentversion\winlogon|persistence 21 | software\microsoft\windows nt\currentversion\winlogon\userinit|persistence 22 | software\microsoft\windows nt\currentversion\winlogon\vmapplet|persistence 23 | software\microsoft\windows nt\currentversion\winlogon\shell|persistence 24 | system\currentcontrolset\control\safeboot|persistence 25 | system\currentcontrolset\control\safeboot\alternateshell|persistence 26 | software\microsoft\windows\currentversion\run|persistence 27 | software\wow6432node\microsoft\windows\currentversion\run|persistence 28 | software\classes\protocols\filter|persistence 29 | software\classes\protocols\handler|persistence 30 | software\microsoft\active setup\installed components|persistence 31 | software\microsoft\windows nt\currentversion\windows|persistence 32 | software\microsoft\windows nt\currentversion\windows\iconservicelib|persistence 33 | software\wow6432node\microsoft\active setup\installed 
components|persistence 34 | software\microsoft\windows\currentversion\explorer\shellserviceobjects|persistence 35 | software\wow6432node\microsoft\windows\currentversion\explorer\shellserviceobjects|persistence 36 | software\microsoft\windows\currentversion\explorer\browser helper objects|persistence 37 | software\wow6432node\microsoft\windows\currentversion\explorer\browser helper objects|persistence 38 | software\classes\*\shellex\contextmenuhandlers|persistence 39 | software\wow6432node\classes\*\shellex\contextmenuhandlers|persistence 40 | software\classes\drive\shellex\contextmenuhandlers|persistence 41 | software\wow6432node\classes\drive\shellex\contextmenuhandlers|persistence 42 | software\classes\*\shellex\propertysheethandlers|persistence 43 | software\wow6432node\classes\*\shellex\propertysheethandlers|persistence 44 | software\classes\allfilesystemobjects\shellex\contextmenuhandlers|persistence 45 | software\wow6432node\classes\allfilesystemobjects\shellex\contextmenuhandlers|persistence 46 | software\classes\allfilesystemobjects\shellex\propertysheethandlers|persistence 47 | software\wow6432node\classes\allfilesystemobjects\shellex\propertysheethandlers|persistence 48 | software\classes\directory\shellex\contextmenuhandlers|persistence 49 | software\wow6432node\classes\directory\shellex\contextmenuhandlers|persistence 50 | software\classes\directory\shellex\dragdrophandlers|persistence 51 | software\wow6432node\classes\directory\shellex\dragdrophandlers|persistence 52 | software\classes\directory\shellex\propertysheethandlers|persistence 53 | software\wow6432node\classes\directory\shellex\propertysheethandlers|persistence 54 | software\classes\directory\shellex\copyhookhandlers|persistence 55 | software\wow6432node\classes\directory\shellex\copyhookhandlers|persistence 56 | software\classes\directory\background\shellex\contextmenuhandlers|persistence 57 | software\wow6432node\classes\directory\background\shellex\contextmenuhandlers|persistence 58 | 
software\classes\folder\shellex\contextmenuhandlers|persistence 59 | software\wow6432node\classes\folder\shellex\contextmenuhandlers|persistence 60 | software\classes\folder\shellex\dragdrophandlers|persistence 61 | software\wow6432node\classes\folder\shellex\dragdrophandlers|persistence 62 | software\classes\folder\shellex\propertysheethandlers|persistence 63 | software\wow6432node\classes\folder\shellex\propertysheethandlers|persistence 64 | software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers|persistence 65 | software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers|persistence 66 | software\microsoft\internet explorer\extensions|persistence 67 | software\wow6432node\microsoft\internet explorer\extensions|persistence 68 | software\microsoft\windows nt\currentversion\drivers32|persistence 69 | software\wow6432node\microsoft\windows nt\currentversion\drivers32|persistence 70 | software\classes\clsid\{083863f1-70de-11d0-bd40-00a0c911ce86}\instance|persistence 71 | software\wow6432node\classes\clsid\{083863f1-70de-11d0-bd40-00a0c911ce86}\instance|persistence 72 | software\classes\clsid\{7ed96837-96f0-4812-b211-f13c24117ed3}\instance|persistence 73 | software\wow6432node\classes\clsid\{7ed96837-96f0-4812-b211-f13c24117ed3}\instance|persistence 74 | software\microsoft\windows\currentversion\run|persistence 75 | software\classes\*\shellex\contextmenuhandlers|persistence 76 | software\classes\directory\shellex\contextmenuhandlers|persistence 77 | software\classes\directory\background\shellex\contextmenuhandlers|persistence 78 | software\microsoft\internet explorer\urlsearchhooks|persistence 79 | \software\microsoft\windows\currentversion\internet settings\wpad\|modifies_proxy_wpad 80 | \software\microsoft\windows\currentversion\internet settings\proxyoverride|modifies_proxy_override 81 | \software\microsoft\windows\currentversion\internet settings\autoconfigurl|modifies_proxy_autoconfig 82 | 
\software\microsoft\windows\currentversion\internet settings\proxyenable|disables_proxy 83 | \system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\|bypass_firewall 84 | \software\microsoft\internet explorer\privacy\enableinprivatemode|browser_security 85 | \software\microsoft\internet explorer\phishingfilter\|browser_security 86 | \software\microsoft\windows\currentversion\internet settings\zones\|browser_security 87 | \software\microsoft\windows\currentversion\internet settings\zonemap\domains\|browser_security 88 | \software\microsoft\windows\currentversion\internet settings\zonemap\escdomains\|browser_security 89 | \software\microsoft\windows\currentversion\internet settings\zonemap\escranges\|browser_security 90 | \software\microsoft\windows\currentversion\internet settings\zonemap\ieharden|browser_security 91 | \software\microsoft\windows\currentversion\internet settings\certificaterevocation|browser_security 92 | \software\microsoft\internet explorer\main\noupdatecheck|browser_security 93 | \software\microsoft\internet explorer\security\|browser_security 94 | \software\microsoft\internet explorer\main\featurecontrol\ |browser_security 95 | \software\microsoft\internet explorer\main\start page|browser_startpage 96 | \software\microsoft\windows\currentversion\internet settings\warnonbadcertrecving|disables_browser_warn 97 | \software\microsoft\windows\currentversion\internet settings\warnonbadcertsending|disables_browser_warn 98 | \software\microsoft\windows\currentversion\internet settings\warnonhttpstohttpredirect|disables_browser_warn 99 | \software\microsoft\windows\currentversion\internet settings\warnonzonecrossing|disables_browser_warn 100 | \software\microsoft\windows\currentversion\internet settings\warnonpostredirect|disables_browser_warn 101 | \software\microsoft\windows\currentversion\internet settings\iehardenienowarn|disables_browser_warn 102 | \software\microsoft\internet 
explorer\main\noprotectedmodebanner|disables_browser_warn 103 | \software\microsoft\internet explorer\main\ie9runonceperinstall|disables_browser_warn 104 | \software\microsoft\windows\currentversion\policies\system\enablelua|disables_security 105 | \software\microsoft\security center\antivirusoverride|disables_security 106 | \software\microsoft\security center\|modifies_security_center 107 | \software\microsoft\security center\antivirusdisablenotify|disables_security 108 | \software\microsoft\security center\firewalldisablenotify|disables_security 109 | \software\microsoft\security center\firewalloverride|disables_security 110 | \software\microsoft\security center\updatesdisablenotify|disables_security 111 | \software\microsoft\security center\uacdisablenotify|disables_security 112 | \system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\enablefirewall|disables_security 113 | \system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\donotallowexceptions|disables_security 114 | \system\controlset001\services\sharedaccess\parameters\firewallpolicy\standardprofile\disablenotifications|disables_security 115 | \software\windows defender\|disables_security 116 | \software\policies\microsoft\windows defender\|disables_security 117 | \system\currentcontrolset\services\windefend\|disables_security 118 | \software\microsoft\windows\currentversion\internet settings\zonemap\proxybypass|browser_setting_modify 119 | \software\microsoft\windows\currentversion\internet settings\zonemap\uncasintranet|browser_setting_modify 120 | \software\microsoft\windows\currentversion\internet settings\zonemap\intranetname|browser_setting_modify 121 | \software\microsoft\windows\currentversion\internet settings\zonemap\autodetect|browser_setting_modify 122 | \software\microsoft\windows nt\currentversion\systemrestore\disablesr|disables_system_restore 123 | \software\policies\microsoft\windows 
nt\systemrestore\disablesr|disables_system_restore 124 | \software\policies\microsoft\windows nt\systemrestore\disableconfig|disables_system_restore 125 | \software\microsoft\windows\windows error reporting\disabled|disables_wer 126 | \software\policies\microsoft\windows\windowsupdate\au\noautoupdate|disables_windowsupdate 127 | \software\policies\microsoft\windows\windowsupdate\auto update\auoptions|disables_windowsupdate 128 | \software\microsoft\systemcertificates\|modifies_certificates 129 | \software\microsoft\windows\currentversion\policies\system\|system_policies 130 | \control panel\desktop\wallpaper|modifies_desktop_wallpaper 131 | \internet explorer\desktop\general\wallpaper|modifies_desktop_wallpaper 132 | \software\microsoft\powershell\1\shellids\microsoft.powershell\executionpolicy|powershell_execution_policy 133 | \policies\microsoft\windows\powershell\|powershell_policies 134 | software\policies\microsoft\windows\bits|bitsadmin_policy_modification 135 | \software\microsoft\windows\currentversion\control panel\|modify_cpl_items 136 | system\currentcontrolset\control\lsa\|lsass 137 | \control\session manager\safedllsearchmode|dll_search_order 138 | \software\microsoft\windows nt\currentversion\appcompatflags|persistence_shim_database 139 | software\microsoft\windows nt\currentversion\schedule\taskcache\tree\|persistence_scheduledtask -------------------------------------------------------------------------------- /Alerts/Cb_Resolve.vbs: -------------------------------------------------------------------------------- 1 | 'Cb Response Resolve Alerts 2 | 3 | 'Copyright (c) 2019 Ryan Boyle randomrhythm@rhythmengineering.com. 4 | 5 | 'This program is free software: you can redistribute it and/or modify 6 | 'it under the terms of the GNU General Public License as published by 7 | 'the Free Software Foundation, either version 3 of the License, or 8 | '(at your option) any later version. 
'This program is distributed in the hope that it will be useful,
'but WITHOUT ANY WARRANTY; without even the implied warranty of
'MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
'GNU General Public License for more details.

'You should have received a copy of the GNU General Public License
'along with this program. If not, see .

'Script purpose: build a JSON body from a console alert-search URL and POST it to
'/api/v1/alerts so that every matching alert is marked "Resolved".
'The API key is read from (or prompted for and stored in) cb.dat next to the script.

Const forwriting = 2
Const ForAppending = 8
Const ForReading = 1
dim strCarBlackAPIKey
Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim strIgnore
Dim strQuery
Dim strIDs 'quoted comma separated: & Chr(34) & "id1" & Chr(34) & ", " & Chr(34) & "id2" & Chr(34)

'---Config Section
strQuery = "" 'set to "" to disable
BoolDebugTrace = False
IgnoreReport = False 'not implemented
intReceiveTimeout = 120 'number of seconds for timeout (not implemented)
boolUseSocketTools = False 'Uses external library from SocketTools (needed when using old OS that does not support latest TLS standards) (not currently implemented)
strLicenseKey = "" 'License key is required to use SocketTools
strIniPath="Cb_Alerts.ini"
'---End Config section

if objFSO.FileExists(strIniPath) = True then
  '---Ini loading section
  boolUseSocketTools = ValueFromINI(strIniPath, "BooleanValues", "UseSocketTools", boolUseSocketTools)
  BoolDebugTrace = ValueFromINI(strIniPath, "BooleanValues", "Debug", BoolDebugTrace)
  '---End ini loading section
else
  'NOTE(review): neither strFilePath nor BoolRunSilent is assigned at script scope (the config
  'sets strIniPath), so this prints an empty file name; Empty = False evaluates True, so the
  'echo always runs.
  if BoolRunSilent = False then WScript.Echo strFilePath & " does not exist. Using script configured/default settings instead"
end if

if IgnoreReport = True then
  strIgnore = "true"
else
  strIgnore = "false"
end if

CurrentDirectory = GetFilePath(wscript.ScriptFullName)
strDebugPath = CurrentDirectory & "\Debug\"
if objFSO.folderexists(strDebugPath) = False then _
  objFSO.createfolder(strDebugPath)


strFile= CurrentDirectory & "\cb.dat"
strAPIproduct = "Carbon Black"
'NOTE(review): this key is hard-coded in the script, so the value stored in cb.dat is obfuscated
'rather than encrypted (see encrypt/Decrypt below). Anyone who can read the script can recover the
'API key; protect cb.dat with file-system ACLs as you would a plaintext credential.
strRandom = "4bv3nT9vrkJpj3QyueTvYFBMIvMOllyuKy3d401Fxaho6DQTbPafyVmfk8wj1bXF" 'encryption key. Change if you want but can only decrypt with same key

'cb.dat layout (as written by the prompt section below): line 1 = obfuscated API key, line 2 = base URL
strData = ""
if objFSO.fileexists(strFile) then
  Set objFile = objFSO.OpenTextFile(strFile)
  if not objFile.AtEndOfStream then 'read file
    On Error Resume Next
    strData = objFile.ReadLine
    StrBaseCBURL = objFile.ReadLine
    on error goto 0
  end if
  objFile.close

  if strData <> "" then
    strData = Decrypt(strData,strRandom)
    strCarBlackAPIKey = strData
    strData = ""
  end if
end if

if not objFSO.fileexists(strFile) and strData = "" then
  strCarBlackAPIKey = inputbox("Enter your " & strAPIproduct & " api key")
  if strCarBlackAPIKey <> "" then
    strTempEncryptedAPIKey = strCarBlackAPIKey
    strTempEncryptedAPIKey = encrypt(strTempEncryptedAPIKey,strRandom)
    logdata strFile,strTempEncryptedAPIKey,False
    strTempEncryptedAPIKey = ""
    StrBaseCBURL = inputbox("Enter your " & strAPIproduct & " base URL (example: https://ryancb-example.my.carbonblack.io")
    logdata strFile,StrBaseCBURL,False
  end if
end if


if strQuery = "" then
  strQuery = inputbox("Filter alerts in the Cb Response console to the ones you want resolved. Then copy and paste the URL here and click ok.")
end if

if instr(strQuery, "://") = 0 then
  strQuery = StrBaseCBURL & strQuery
end if

'NOTE(review): the request body is assembled by string concatenation. strQuery comes from the
'user-supplied console URL and is not JSON-escaped, so a double quote or backslash in it
'produces an invalid (or differently shaped) body; the server's error text is then shown as-is.
query = "{"
if strQuery <> "" then bQuery Chr(34) & "query" & Chr(34) & ": " & Chr(34) & strQuery & Chr(34)
'NOTE(review): if strIDs were ever set, the placeholder literal "id1", "id2" below would be sent
'instead of the contents of strIDs (see the Dim comment above for the intended format).
if strIDs <> "" then bQuery Chr(34) & "alert_ids" & Chr(34) & ": [" & Chr(34) & "id1" & Chr(34) & ", " & Chr(34) & "id2" & Chr(34) & ", ...]"
bQuery Chr(34) & "requested_status" & Chr(34) & ": " & Chr(34) & "Resolved" & Chr(34)
'bQuery Chr(34) & "set_ignored" & Chr(34) & ": " & strIgnore
'bQuery Chr(34) & "assigned_to" & Chr(34) & ": " & Chr(34) & "ahnold" & Chr(34)
query = query & "}"

StrResponse = HTTPPost(StrBaseCBURL & "/api/v1/alerts", query)

'Outcome is decided by substring matching on the response body; anything else is shown verbatim.
if instr(StrResponse, "Maintenance - ") > 0 then
  msgbox "The Cb Response server is under maintenance. Please check the web console and wait for maintenance to end before trying again"
elseif instr(StrResponse, "<title>504 Gateway Time-out") > 0 then
  msgbox "The HTTP response timed out. This often occurs when there are more alerts than what could be resolved within the timeout period. The Cb Response server is still processing the request so please wait some time before running again."

else
  msgbox StrResponse
end if

'Append one JSON member to the script-level "query" string, inserting a comma unless it is the first member.
sub bQuery(queryAdd)
  if query <> "{" then
    query = query & "," & queryAdd
  else
    query = query & queryAdd
  end if
end sub

'Append TextToWrite as a line to TextFileName, creating the file if needed; echoes the text when EchoOn is True.
'If the append fails, falls back to writing the text through ADODB.Stream as UTF-16.
'NOTE(review): on the successful append path WriteTextFile is never closed (only the error branch
'closes it), so the handle is released only when the object goes out of scope.
function LogData(TextFileName, TextToWrite,EchoOn)
  Set fsoLogData = CreateObject("Scripting.FileSystemObject")
  if EchoOn = True then wscript.echo TextToWrite
  If fsoLogData.fileexists(TextFileName) = False Then
    'Creates a replacement text file
    on error resume next
    fsoLogData.CreateTextFile TextFileName, True
    if err.number <> 0 and err.number <> 53 then msgbox "can't create file " & Chr(34) & TextFileName & Chr(34) & ": " & err.number & " " & err.description & vbcrlf & TextFileName
    on error goto 0
  End If
  if TextFileName <> "" then


    Set WriteTextFile = fsoLogData.OpenTextFile(TextFileName,ForAppending, False)
    on error resume next
    WriteTextFile.WriteLine TextToWrite
    if err.number <> 0 then
      on error goto 0
      WriteTextFile.Close
      Dim objStream
      Set objStream = CreateObject("ADODB.Stream")
      objStream.CharSet = "utf-16"
      objStream.Open
      objStream.WriteText TextToWrite
      on error resume next
      'NOTE(review): save option 2 is adSaveCreateOverWrite, so this fallback replaces the whole file
      'with just TextToWrite rather than appending to it.
      objStream.SaveToFile TextFileName, 2
      'NOTE(review): the Err object exposes Description, not Message, so the text after the dash is
      'presumably empty here.
      if err.number <> 0 then msgbox err.number & " - " & err.message & " Problem writting to " & TextFileName
      if err.number <> 0 then msgbox "problem writting text: " & TextToWrite
      on error goto 0
      Set objStream = nothing
    end if
  end if
  Set fsoLogData = Nothing
End Function

'Return the directory part of FilePathName (everything before the last backslash).
'Scans from the right; the result is Empty when the string contains no backslash.
Function GetFilePath (ByVal FilePathName)
  found = False

  Z = 1

  Do While found = False and Z < Len((FilePathName))

    Z = Z + 1

    If InStr(Right((FilePathName), Z), "\") <> 0 And found = False Then
      mytempdata = Left(FilePathName, Len(FilePathName) - Z)

      GetFilePath = mytempdata

      found = True

    End If

  Loop

end Function
'Seconds between 01/01/1970 00:00:00 and oldDate. The epoch literal is a string, so it is
'interpreted with the system locale and local time zone rather than as a true UTC epoch.
function UDate(oldDate)
  UDate = DateDiff("s", "01/01/1970 00:00:00", oldDate)
end function






'Reversible character-shift obfuscation: reverses StrText, then adds the code of the
'cycling key character to each character code. Inverse of Decrypt. This is not encryption;
'the key is hard-coded in the calling script, so treat the output as a plaintext secret.
Function encrypt(StrText, key)
  Dim lenKey, KeyPos, LenStr, x, Newstr

  Newstr = ""
  lenKey = Len(key)
  KeyPos = 1
  LenStr = Len(StrText)
  StrText = StrReverse(StrText)
  For x = 1 To LenStr
    Newstr = Newstr & chr(asc(Mid(StrText,x,1)) + Asc(Mid(key,KeyPos,1)))
    KeyPos = keypos+1
    If KeyPos > lenKey Then KeyPos = 1
    'if x = 4 then msgbox "error with char " & Chr(34) & asc(Mid(StrText,x,1)) - Asc(Mid(key,KeyPos,1)) & Chr(34) & " At position " & KeyPos & vbcrlf & Mid(StrText,x,1) & Mid(key,KeyPos,1) & vbcrlf & asc(Mid(StrText,x,1)) & asc(Mid(key,KeyPos,1))
  Next
  encrypt = Newstr
End Function

'Inverse of encrypt: walks the reversed input from the end, subtracting the cycling key
'character codes, then reverses the result back.
'NOTE(review): the error path shows the shifted character values in a message box and then
'terminates the script; those values are fragments of the stored secret.
Function Decrypt(StrText,key)
  Dim lenKey, KeyPos, LenStr, x, Newstr

  Newstr = ""
  lenKey = Len(key)
  KeyPos = 1
  LenStr = Len(StrText)

  StrText=StrReverse(StrText)
  For x = LenStr To 1 Step -1
    on error resume next
    Newstr = Newstr & chr(asc(Mid(StrText,x,1)) - Asc(Mid(key,KeyPos,1)))
    if err.number <> 0 then
      msgbox "error with char " & Chr(34) & asc(Mid(StrText,x,1)) - Asc(Mid(key,KeyPos,1)) & Chr(34) & " At position " & KeyPos & vbcrlf & Mid(StrText,x,1) & Mid(key,KeyPos,1) & vbcrlf & asc(Mid(StrText,x,1)) & asc(Mid(key,KeyPos,1))
      wscript.quit(011)
    end if
    on error goto 0
    KeyPos = KeyPos+1
    If KeyPos > lenKey Then KeyPos = 1
  Next
  Newstr=StrReverse(Newstr)
  Decrypt = Newstr
End Function
'Format strFDate as yyyy-mm-dd with zero-padded month and day.
Function FormatDate(strFDate)
  Dim strTmpMonth
  Dim strTmpDay
  strTmpMonth = datepart("m",strFDate)
  strTmpDay = datepart("d",strFDate)
  if len(strTmpMonth) = 1 then strTmpMonth = "0" & strTmpMonth
  if len(strTmpDay) = 1 then strTmpDay = "0" & strTmpDay

  FormatDate = datepart("yyyy",strFDate) & "-" & strTmpMonth & "-" & strTmpDay


end function


'Read iniKey from iniSection of strFpath; returns currentValue when the key is absent/blank.
'INI values arrive as strings: "true"/"false" are converted to Boolean, anything else is
'returned unchanged, so numeric settings stay strings until the caller converts them.
Function ValueFromIni(strFpath, iniSection, iniKey, currentValue)
  returniniVal = ReadIni( strFpath, iniSection, iniKey)
  if returniniVal = " " then
    returniniVal = currentValue
  end if
  if TypeName(returniniVal) = "String" then
    returniniVal = stringToBool(returniniVal)'convert type to boolean if needed
  elseif TypeName(returniniVal) = "Integer" then
    returniniVal = int(returniniVal)'convert type to int if needed
  end if
  ValueFromIni = returniniVal
end function

'Map "true"/"false" (case-insensitive) to Boolean; any other value is passed through unchanged.
Function stringToBool(strBoolean)
  if lcase(strBoolean) = "true" then
    returnBoolean = True
  elseif lcase(strBoolean) = "false" then
    returnBoolean = False
  else
    returnBoolean = strBoolean
  end if
  stringToBool = returnBoolean
end function

Function ReadIni( myFilePath, mySection, myKey ) 'http://www.robvanderwoude.com/vbstech_files_ini.php
  ' This function returns a value read from an INI file
  '
  ' Arguments:
  ' myFilePath [string] the (path and) file name of the INI file
  ' mySection [string] the section in the INI file to be searched
  ' myKey [string] the key whose value is to be returned
  '
  ' Returns:
  ' the [string] value for the specified key in the specified section
  '
  ' CAVEAT: Will return a space if key exists but value is blank
  '
  ' Written by Keith Lacelle
  ' Modified by Denis St-Pierre and Rob van der Woude

  Dim intEqualPos
  Dim objFSO, objIniFile
  Dim strFilePath, strKey, strLeftString, strLine, strSection

  Set objFSO = CreateObject( "Scripting.FileSystemObject" )

  ReadIni = ""
  strFilePath = Trim( myFilePath )
  strSection = Trim( mySection )
  strKey = Trim( myKey )

  If objFSO.FileExists( strFilePath ) Then
    Set objIniFile = objFSO.OpenTextFile( strFilePath, ForReading, False )
    Do While objIniFile.AtEndOfStream = False
      strLine = Trim( objIniFile.ReadLine )

      ' Check if section is found in the current line
      If LCase( strLine ) = "[" & LCase( strSection ) & "]" Then
        strLine = Trim( objIniFile.ReadLine )

        ' Parse lines until the next section is reached
        Do While Left( strLine, 1 ) <> "["
          ' Find position of equal sign in the line
          intEqualPos = InStr( 1, strLine, "=", 1 )
          If intEqualPos > 0 Then
            strLeftString = Trim( Left( strLine, intEqualPos - 1 ) )
            ' Check if item is found in the current line
            If LCase( strLeftString ) = LCase( strKey ) Then
              ReadIni = Trim( Mid( strLine, intEqualPos + 1 ) )
              ' In case the item exists but value is blank
              If ReadIni = "" Then
                ReadIni = " "
              End If
              ' Abort loop when item is found
              Exit Do
            End If
          End If

          ' Abort if the end of the INI file is reached
          If objIniFile.AtEndOfStream Then Exit Do

          ' Continue with next line
          strLine = Trim( objIniFile.ReadLine )
        Loop
        Exit Do
      End If
    Loop
    objIniFile.Close
  Else
    'NOTE(review): BoolRunSilent is not assigned anywhere in this file; Empty = False is True.
    if BoolRunSilent = False then WScript.Echo strFilePath & " does not exist. Using script configured/default settings instead"
  End If
End Function




'GET strRemoteURL through the SocketTools HttpClient control with the API key in X-Auth-Token.
'Returns the response body on success, or the control's ResultString on a transfer error.
'NOTE(review): initialization, bad-URL and connect failures call WScript.Quit, which ends the
'whole script rather than returning an error to the caller.
Function SocketTools_HTTP(strRemoteURL)
  ' SocketTools 9.3 ActiveX Edition
  ' Copyright 2018 Catalyst Development Corporation
  ' All rights reserved
  '
  ' This file is licensed to you pursuant to the terms of the
  ' product license agreement included with the original software,
  ' and is protected by copyright law and international treaties.
  ' Unauthorized reproduction or distribution may result in severe
  ' criminal penalties.
  '

  '
  ' Retrieve the specified page from a web server and write the
  ' contents to standard output. The parameter should specify the
  ' URL of the page to display


  Const httpTransferDefault = 0
  Const httpTransferConvert = 1

  Dim objArgs
  Dim objHttp
  Dim strBuffer
  Dim nLength
  Dim nArg, nError


  '
  ' Create an instance of the control
  '
  Set objHttp = WScript.CreateObject("SocketTools.HttpClient.9")

  '
  ' Initialize the object using the specified runtime license key;
  ' if the key is not specified, the development license will be used
  '

  nError = objHttp.Initialize(strLicenseKey)
  If nError <> 0 Then
    WScript.Echo "Unable to initialize SocketTools component"
    WScript.Quit(1)
  End If

  'Credential goes out as a request header; strCarBlackAPIKey is the script-level key.
  objHttp.HeaderField = "X-Auth-Token"
  objHttp.HeaderValue = strCarBlackAPIKey

  ' Setup error handling since the component will throw an error
  ' if an invalid URL is specified

  On Error Resume Next: Err.Clear
  objHttp.URL = strRemoteURL

  ' Check the Err object to see if an error has occurred, and
  ' if so, let the user know that the URL is invalid

  If Err.Number <> 0 Then
    WScript.echo "The specified URL is invalid"
    WScript.Quit(1)
  End If

  ' Reset error handling and connect to the server using the
  ' default property values that were updated when the URL
  ' property was set (ie: HostName, RemotePort, UserName, etc.)
  On Error GoTo 0
  nError = objHttp.Connect()

  If nError <> 0 Then
    WScript.echo "Error connecting to " & strRemoteURL & ". " & objHttp.LastError & ": " & objHttp.LastErrorString
    WScript.Quit(1)
  End If
  'NOTE(review): the timeout is set after Connect(), so it presumably bounds only the transfer below.
  objHttp.timeout = 90
  ' Download the file to the local system
  nError = objHttp.GetData(objHttp.Resource, strBuffer, nLength, httpTransferConvert)

  If nError = 0 Then
    SocketTools_HTTP = strBuffer
  Else
    WScript.echo "Error " & objHttp.LastError & ": " & objHttp.LastErrorString
    SocketTools_HTTP = objHttp.ResultString
  End If

  objHttp.Disconnect
  objHttp.Uninitialize
end function








'Synchronous POST of sRequest to sUrl with the API key in X-Auth-Token; returns the raw response body.
'SetTimeouts arguments are resolve, connect, send and receive timeouts in milliseconds.
'NOTE(review): there is no error handling and no status check: a transport failure raises in
'the caller, and a non-2xx body (e.g. an authentication error) is returned as if it succeeded.
'No Content-Type header is set; confirm the server does not require application/json.
Function HTTPPost(sUrl, sRequest)
  set oHTTP = CreateObject("MSXML2.ServerXMLHTTP")
  oHTTP.SetTimeouts 600000, 600000, 600000, 1200000
  oHTTP.open "POST", sUrl,false
  oHTTP.setRequestHeader "X-Auth-Token", strCarBlackAPIKey
  oHTTP.send sRequest
  HTTPPost = oHTTP.responseText
End Function
-------------------------------------------------------------------------------- /Alerts/CB_Alerts.vbs: --------------------------------------------------------------------------------
'Cb Response Alert Dump

'Copyright (c) 2020 Ryan Boyle randomrhythm@rhythmengineering.com.

'This program is free software: you can redistribute it and/or modify
'it under the terms of the GNU General Public License as published by
'the Free Software Foundation, either version 3 of the License, or
'(at your option) any later version.

'This program is distributed in the hope that it will be useful,
'but WITHOUT ANY WARRANTY; without even the implied warranty of
'MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
'GNU General Public License for more details.

'You should have received a copy of the GNU General Public License
'along with this program. If not, see <http://www.gnu.org/licenses/>.
'Script purpose: enumerate feeds and watchlists, then page through the alert API for each one
'and write the parsed alert fields to CSV/IOC files under strReportPath.
'The API key is read from (or prompted for and stored in) cb.dat next to the script.

dim strCarBlackAPIKey
Dim StrCBfilePath
Dim StrCBdigSig
Dim StrCBcompanyName
Dim StrCBproductName
Dim StrCBFileSize
Dim StrCBprevalence
Dim StrCBMD5
Dim intTotalQueries
Dim IntDaysQuery
Dim strStartDateQuery
Dim strEndDateQuery
Dim strHashOutPath
Const forwriting = 2
Const ForAppending = 8
Const ForReading = 1
Dim DictIPAddresses: set DictIPAddresses = CreateObject("Scripting.Dictionary")'
Dim DictFeedInfo: set DictFeedInfo = CreateObject("Scripting.Dictionary")' key "feed_name:<id>" or "watchlist_id:<id>" -> display name
Dim DictFeedExclude: set DictFeedExclude = CreateObject("Scripting.Dictionary")' feed names to skip (see config)
Dim boolHeaderWritten
Dim boolEchoInfo
Dim intSleepDelay
Dim intPagesToPull
Dim intSizeLimit
Dim intReceiveTimeout
Dim boolUseSocketTools
Dim strLicenseKey
Dim boolOutputID
Dim boolOutputWID
Dim strAPIVersion
Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject")

'---Config Section
APIVersion = 2
strReportPath = "\Reports" 'directory to write report output
boolOutputID = True 'Alert ID
boolOutputWID = True 'Watchlist ID
IntDayStartQuery = "-9" 'days to go back for start date of query. Set to * to query all
IntDayEndQuery = "*" 'days to go back for end date of query. Set to * for no end date
strTimeMeasurement = "d" '"h" for hours "d" for days
strSensorID = "" 'sensor_id
'DictFeedExclude.add "SRSThreat", 0 'exclude feed
'DictFeedExclude.add "NVD", 0 'exclude feed
'DictFeedExclude.add "SRSTrust", 0 'exclude feed
'DictFeedExclude.add "cbemet", 0 'exclude feed
'DictFeedExclude.add "attackframework", 0 'exclude feed due to large amounts of alerts
intSleepDelay = 90000 'delay between queries
intPagesToPull = 20 'Number of alerts to retrieve at a time
intSizeLimit = 20000 'don't dump more than this number of pages per feed
intReceiveTimeout = 120 'number of seconds for timeout
boolUseSocketTools = False 'Uses external library from SocketTools (needed when using old OS that does not support latest TLS standards)
strLicenseKey = "" 'License key is required to use SocketTools
strIniPath="Cb_Alerts.ini"
strReportPath = "\Reports" 'directory to write report output
'---End Config section

'---Debug
BoolDebugTrace = False
boolEchoInfo = False
'---End Debug

if objFSO.FileExists(strIniPath) = True then
  '---Ini loading section
  IntDayStartQuery = ValueFromINI(strIniPath, "IntegerValues", "StartTime", IntDayStartQuery)
  IntDayEndQuery = ValueFromINI(strIniPath, "IntegerValues", "EndTime", IntDayEndQuery)
  strTimeMeasurement = ValueFromINI(strIniPath, "StringValues", "TimeMeasurement", strTimeMeasurement)
  strSensorID = ValueFromINI(strIniPath, "StringValues", "SensorID", strSensorID)
  intSleepDelay = ValueFromINI(strIniPath, "IntegerValues", "SleepDelay", intSleepDelay)
  intPagesToPull = ValueFromINI(strIniPath, "IntegerValues", "PagesToPull", intPagesToPull)
  intSizeLimit = ValueFromINI(strIniPath, "IntegerValues", "SizeLimit", intSizeLimit)
  intReceiveTimeout = ValueFromINI(strIniPath, "IntegerValues", "ReceiveTimeout", intReceiveTimeout)
  boolUseSocketTools = ValueFromINI(strIniPath, "BooleanValues", "UseSocketTools", boolUseSocketTools)
  BoolDebugTrace = ValueFromINI(strIniPath, "BooleanValues", "Debug", BoolDebugTrace)
  APIVersion = ValueFromINI(strIniPath, "IntegerValues", "APIVersion", APIVersion)
  '---End ini loading section
else
  'NOTE(review): strFilePath and BoolRunSilent are not assigned at script scope (the config sets
  'strIniPath), so this prints an empty file name and always runs (Empty = False is True).
  if BoolRunSilent = False then WScript.Echo strFilePath & " does not exist. Using script configured/default settings instead"
end if

if strSensorID <> "" then
  msgbox "filtering to sensor ID " & strSensorID
  strHostFilter = " AND sensor_id:" & strSensorID
end if

'Build the created_time range clause appended to every alert query.
if isnumeric(IntDayStartQuery) then
  strStartDateQuery = DateAdd(strTimeMeasurement,IntDayStartQuery,now)

  ' AND server_added_timestamp:[" & strStartDateQuery & "T00:00:00 TO "
  strStartDateQuery = " AND created_time:[" & FormatDate (strStartDateQuery) & " TO "
  if IntDayEndQuery = "*" then
    strEndDateQuery = "*]"
  elseif isnumeric(IntDayEndQuery) then
    strEndDateQuery = DateAdd(strTimeMeasurement,IntDayEndQuery,now)
    strEndDateQuery = FormatDate (strEndDateQuery) & "]"
  end if
end if

if cint(APIVersion) > 2 then
  msgbox "API version " & APIVersion & " is not supported. Changing to V2"
  APIVersion = 2
end if

CurrentDirectory = GetFilePath(wscript.ScriptFullName)
strDebugPath = CurrentDirectory & "\Debug\"
strSSfilePath = CurrentDirectory & "\CBIP_" & udate(now) & ".csv"

'NOTE(review): hard-coded in the script, so cb.dat holds an obfuscated (not encrypted) API key;
'restrict the file's ACL as you would a plaintext credential.
strRandom = "4bv3nT9vrkJpj3QyueTvYFBMIvMOllyuKy3d401Fxaho6DQTbPafyVmfk8wj1bXF" 'encryption key. Change if you want but can only decrypt with same key

'NOTE(review): the Debug folder is created only when BoolDebugTrace is False; with tracing on
'and no existing folder, the debug logdata calls below will hit a missing directory.
if BoolDebugTrace = False and objFSO.folderexists(strDebugPath) = False then _
  objFSO.createfolder(strDebugPath)
if instr(strReportPath, ":") = 0 then
  strReportPath = CurrentDirectory & "\" & strReportPath
end if
if objFSO.folderexists(strReportPath) = False then _
  objFSO.createfolder(strReportPath)

strFile= CurrentDirectory & "\cb.dat"
strAPIproduct = "Carbon Black"


'cb.dat layout (as written by the prompt section below): line 1 = obfuscated API key, line 2 = base URL
strData = ""
if objFSO.fileexists(strFile) then
  Set objFile = objFSO.OpenTextFile(strFile)
  if not objFile.AtEndOfStream then 'read file
    On Error Resume Next
    strData = objFile.ReadLine
    StrBaseCBURL = objFile.ReadLine

    on error goto 0
  end if
  if strData <> "" then
    strData = Decrypt(strData,strRandom)
    strTempAPIKey = "apikey=" & strData
    strData = ""
  end if
end if

if not objFSO.fileexists(strFile) and strData = "" then
  strTempAPIKey = inputbox("Enter your " & strAPIproduct & " api key")
  if strTempAPIKey <> "" then
    strTempEncryptedAPIKey = strTempAPIKey
    strTempEncryptedAPIKey = encrypt(strTempEncryptedAPIKey,strRandom)
    logdata strFile,strTempEncryptedAPIKey,False
    strTempEncryptedAPIKey = ""
    StrBaseCBURL = inputbox("Enter your " & strAPIproduct & " base URL (example: https://ryancb-example.my.carbonblack.io")
    logdata strFile,StrBaseCBURL,False
  end if
end if
if strTempAPIKey = "" then

  msgbox "invalid api key"
  wscript.quit(999)
end if

if instr(strTempAPIKey,"apikey=") then
  strCarBlackAPIKey = replace(strTempAPIKey,"apikey=","")
else
  strCarBlackAPIKey = strTempAPIKey
end if

if strCarBlackAPIKey <> "" and StrBaseCBURL <> "" then BoolUseCarbonBlack = True

on error resume next
objFile.close
on error goto 0

strTempAPIKey = ""




intTotalQueries = 50
'get feed info
DumpCarBlack 0, False, intTotalQueries, "/api/v1/feed"
'get watchlist info
DumpCarBlack 0, False, intTotalQueries, "/api/v1/watchlist"

for each strCBFeedID in DictFeedInfo
  'msgbox "DictFeedExclude.exists(" & DictFeedInfo.item(strCBFeedID) & ")=" & DictFeedExclude.exists(strCBFeedID)
  if DictFeedExclude.exists(DictFeedInfo.item(strCBFeedID)) = False Then
    If InStr(strCBFeedID, "watchlist_id:") > 0 Then
      'NOTE(review): strTmpWatchName is quoted here but the query below uses strCBFeedID, so the
      'quoted name is never used.
      strTmpWatchName = DictFeedInfo.item(strCBFeedID)
      If InStr(strTmpWatchName," ") > 0 Then strTmpWatchName = Chr(34) & strTmpWatchName & Chr(34) 'contains whitespace
      strQueryFeed = "/api/v" & APIVersion & "/alert?q=" & strCBFeedID & strStartDateQuery & strEndDateQuery
    Else
      strQueryFeed = "/api/v" & APIVersion & "/alert?q=feed_name:" & DictFeedInfo.item(strCBFeedID) & strStartDateQuery & strEndDateQuery
    End if

    if strQueryFeed <> "" then
      wscript.sleep 10
      intCBcount = 10
      boolHeaderWritten = False
      'NOTE(review): the feed/watchlist name comes from the server response and is placed in the
      'output file name unsanitised; a name containing path separators or reserved characters
      'changes where (or whether) the file is written.
      strHashOutPath = strReportPath & "\CBalert_" & DictFeedInfo.item(strCBFeedID) & "_" & udate(now) & ".csv"
      'First page: also returns total_results, used below to decide how many more pages to pull.
      'If DumpCarBlack exits early (timeout/HTTP error) it returns Empty and clng(Empty) is 0, so the
      'feed is silently treated as having no alerts.
      intTotalQueries = DumpCarBlack(0, True, intCBcount, strQueryFeed & strHostFilter)
      wscript.sleep intSleepDelay
      logdata CurrentDirectory & "\CB_Alerts.log", date & " " & time & ": " & "Total number of items being retrieved for feed " & DictFeedInfo.item(strCBFeedID) & ": " & intTotalQueries ,boolEchoInfo

      if clng(intTotalQueries) > 0 then
        'still have pages to pull OR initial amount is less than intCBcount
        'And binds tighter than Or, so this parses as (count < total) Or ((total < count) And (count < pages)), all And'ed with count < intSizeLimit.
        do while (intCBcount < clng(intTotalQueries) Or clng(intTotalQueries) < intCBcount And intCBcount < CLng(intPagesToPull)) and intCBcount < intSizeLimit

          If BoolDebugTrace = True Then logdata strDebugPath & "\follow_queries.log" , date & " " & time & " " & DictFeedInfo.item(strCBFeedID) & ": " & intCBcount & " < " & intTotalQueries & " and " & intCBcount & " < " & intSizeLimit, false
          DumpCarBlack intCBcount, True, intPagesToPull, strQueryFeed & strHostFilter
          intCBcount = intCBcount + intPagesToPull
          wscript.sleep intSleepDelay
        loop
      end if
      strSSfilePath = strReportPath & "\CBIP_" & DictFeedInfo.item(strCBFeedID) & "_" & udate(now) & ".csv"
      For each item in DictIPAddresses
        LogData strSSfilePath, item & "|" & DictIPAddresses.item(item), False
      next
      DictIPAddresses.RemoveAll

    else
      msgbox "Parser not configured for " & DictFeedInfo.item(strCBFeedID)
    end if
  end if
next


'GET StrBaseCBURL & strURLQuery (plus &start=/&rows= paging when BoolProcessData is True) and
'parse the response by substring matching:
'  - feed entries (contain provider_url) are added to DictFeedInfo as "feed_name:<id>",
'  - watchlist entries (contain search_query) are added as "watchlist_id:<id>",
'  - otherwise, when BoolProcessData is True, each entry is handed to LogIOCdata.
'Returns the total_results value from an alert page, or Empty on timeout/HTTP error.
'NOTE(review): the HTTP status is never checked on the success path, so an error body
'(e.g. an authentication failure) is parsed as if it were data. The maintenance branch
'recurses with no retry limit, sleeping 4 minutes per attempt.
Function DumpCarBlack(intCBcount,BoolProcessData, intCBrows, strURLQuery)

  Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
  Dim strAVEurl
  Dim strReturnURL
  dim strAssocWith
  Dim strCBresponseText
  Dim strtmpCB_Fpath
  Dim StrTmpFeedIP

  strAVEurl = StrBaseCBURL & strURLQuery

  if BoolProcessData = True then strAVEurl = strAVEurl & "&start=" & intCBcount & "&rows=" & intCBrows

  if boolUseSocketTools = False then
    objHTTP.SetTimeouts 600000, 600000, 600000, 900000
    objHTTP.open "GET", strAVEurl, True

    objHTTP.setRequestHeader "X-Auth-Token", strCarBlackAPIKey


    on error resume next
    objHTTP.send
    If objHTTP.waitForResponse(intReceiveTimeout) Then 'response ready
      'success!
    Else 'wait timeout exceeded
      logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " CarBlack lookup failed due to timeout", False
      exit function
    End If
    if err.number <> 0 then
      logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " CarBlack lookup failed with HTTP error. - " & err.description,False
      logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " HTTP status code - " & objHTTP.status,False
      exit function
    end if
    on error goto 0
    'creates a lot of data. Don't uncomment next line unless your going to disable it again
    'NOTE(review): this debug file receives full API responses (alert data); treat the Debug folder as sensitive.
    if BoolDebugTrace = True then logdata strDebugPath & "\CarBlack" & "" & ".txt", objHTTP.responseText & vbcrlf & vbcrlf,BoolEchoLog
    strCBresponseText = objHTTP.responseText
  else
    strCBresponseText = SocketTools_HTTP(strAVEurl)
  end if

  if instr(strCBresponseText, "b Response Cloud is currently undergoing maintenance and will be back shortly") > 0 then
    wscript.sleep 240000
    DumpCarBlack = DumpCarBlack(intCBcount,BoolProcessData, intCBrows, strURLQuery)
    exit function
  end If
  boolNoSpaces = False
  'msgbox strCBresponseText
  'NOTE(review): as rendered here the two split patterns below are identical, which would make the
  'elseif branch unreachable; presumably they differ in indentation whitespace in the original -- confirm.
  if instr(strCBresponseText, vblf & " {") Then 'response contains alert data
    strArrayCBresponse = split(strCBresponseText, vblf & " {")
  elseif instr(strCBresponseText, vblf & " {") Then 'response contains feed data
    strArrayCBresponse = split(strCBresponseText, vblf & " {")
  else 'response contains watchlist data or empty alert data
    strArrayCBresponse = split(strCBresponseText, "{")
    boolNoSpaces = True
  end if
  for each strCBResponseEntry in strArrayCBresponse

    if len(strCBResponseEntry) > 1 then
      'logdata strDebugPath & "cbresponse.log", strCBResponseEntry, True

      if instr(strCBResponseEntry, "provider_url" & Chr(34) & ":") > 0 and instr(strCBresponseText, "id" & Chr(34) & ":") > 0 Then
        'NOTE(review): the pattern has no leading quote, so it also matches any key ending in id (e.g. a *_id field).
        strTmpFeedID = getdata(strCBResponseEntry, ",", "id" & Chr(34) & ": ")
        strTmpFeedName = getdata(strCBResponseEntry, Chr(34), Chr(34) & "name" & Chr(34) & ": " & Chr(34))
        If strTmpFeedID <> "" Then strTmpFeedID = "feed_name:" & strTmpFeedID
        if DictFeedInfo.exists(strTmpFeedID) = false then DictFeedInfo.add strTmpFeedID, lcase(strTmpFeedName)
      elseif instr(strCBresponseText, "search_query" & Chr(34) & ":") > 0 And instr(strCBresponseText, "id" & Chr(34) & ":") > 0 Then
        spaceOrNone = ""
        If boolNoSpaces = False Then spaceOrNone = " "
        strTmpwatchlistID = getdata(strCBResponseEntry, Chr(34), Chr(34) & "id" & Chr(34) & ":" & spaceOrNone & Chr(34))
        strTmpWLName = getdata(strCBResponseEntry, Chr(34), Chr(34) & "name" & Chr(34) & ":" & spaceOrNone & Chr(34))
        strTmpActualWatchlistQuery = getdata(strCBResponseEntry, Chr(34), Chr(34) & "search_query" & Chr(34) & ":" & spaceOrNone & Chr(34))
        strTmpWatchlistQuery = "/api/v1/process?q=watchlist_" & strTmpwatchlistID & ":*"
        If strTmpwatchlistID <> "" Then
          strTmpwatchlistID = "watchlist_id:" & strTmpwatchlistID
          If DictFeedInfo.exists(strTmpwatchlistID) = false then DictFeedInfo.add strTmpwatchlistID, strTmpWLName
        End if
      elseif BoolProcessData = True then
        if instr(strCBresponseText, "total_results" & Chr(34) & ": ") > 0 then
          DumpCarBlack = getdata(strCBresponseText, ",", "total_results" & Chr(34) & ": ")

          if instr(strCBResponseEntry, "ioc_value") > 0 Or instr(strCBResponseEntry, "ioc_type") > 0 then
            LogIOCdata strCBResponseEntry, True, boolNoSpaces
          else
            If BoolDebugTrace = True Then LogData currentdirectory & "\ioc_value.log", "Debug - did not contain ioc_value: " & strCBResponseEntry, False
          end if
        else
          If BoolDebugTrace = True Then logdata currentdirectory & "\total_results.log" , "Debug - did not contain total_results: " & strCBresponseText, False
        end if
      end if

    end if

  next

  set objHTTP = nothing
end function

'Return the text following the first occurrence of MatchString in contents, up to (not including)
'the next EndOfStringChar; "" when MatchString is absent. When no terminator follows, the rest of
'contents is returned.
'NOTE(review): that last branch uses len(contents) - x - 1 rather than the remaining length
'(len - x - MatchStringLength + 1), so for a one-character MatchString the final character is
'dropped; for longer ones Mid simply clamps.
Function GetData(contents, ByVal EndOfStringChar, ByVal MatchString)
  MatchStringLength = Len(MatchString)
  x= instr(contents, MatchString)

  if X >0 then
    strSubContents = Mid(contents, x + MatchStringLength, len(contents) - MatchStringLength - x +1)
    if instr(strSubContents,EndOfStringChar) > 0 then
      GetData = Mid(contents, x + MatchStringLength, instr(strSubContents,EndOfStringChar) -1)
      exit function
    else
      GetData = Mid(contents, x + MatchStringLength, len(contents) -x -1)
      exit function
    end if

  end if
  GetData = ""
end Function


'Extract the fields of one alert entry (substring matching on the JSON text), write the IOC value
'to the per-type IOC_*.txt list under strReportPath, and assemble the pipe-delimited CSV row.
'boolNoSpaces selects the key/value spacing used inside the escaped ioc_attr JSON.
'Relies on AddPipe, IsHash and IsIPaddress, which are defined outside this view.
'This Sub continues past the end of the visible listing.
'NOTE(review): only strioc_value has quotes and commas stripped; hostname, description, process
'path and the other server-supplied fields go into the CSV as-is. Confirm whether AddPipe escapes
'them -- a cell beginning with = + - or @ is otherwise interpreted as a formula by spreadsheet
'applications when the report is opened.
Sub LogIOCdata(strCBresponseText, boolLogAll, boolNoSpaces)
  spaceValue = ""
  If boolNoSpaces = True Then spaceValue = " "
  if instr(strCBresponseText, "ioc_value") > 0 or instr(strCBresponseText, "ioc_type") > 0 then

    strCBfilePath = getdata(strCBresponseText, Chr(34), "process_path" & Chr(34) & ": " & Chr(34))
    strioc_value = getdata(strCBresponseText, Chr(34), "ioc_value" & Chr(34) & ": " & Chr(34))
    if strioc_value = "" then
      strioc_value = getdata(strCBresponseText, "}", "ioc_value" & Chr(34) & ": " & Chr(34) & "{")
    end If
    if strioc_value = "" then
      strIOCval = getdata(strCBresponseText, Chr(34), "ioc_type" & Chr(34) & ": " & Chr(34))
      If strIOCval = "query" Then
        strioc_value = getdata(strCBresponseText, "}", "ioc_attr" & Chr(34) & ": " & Chr(34) & "{")
      End If
    End if
    boolQueryIOC = False
    if strioc_value = "{\" then 'gets query string for alert (behavior)
      strioc_value = getdata(strCBresponseText, "}", "ioc_value" & Chr(34) & ": " & Chr(34) & "{")
      boolQueryIOC = True
    end if
    interface_ip = getdata(strCBresponseText, Chr(34), "interface_ip" & Chr(34) & ": " & Chr(34))
    sensor_id = getdata(strCBresponseText, Chr(34), "sensor_id" & Chr(34) & ": " & Chr(34))
    strdescription = getdata(strCBresponseText, Chr(34), "description" & Chr(34) & ": " & Chr(34))
    search_query = getdata(strCBresponseText, Chr(34), "search_query" & Chr(34) & ": " & Chr(34))
    StrCBMD5 = getdata(strCBresponseText, Chr(34), "md5" & Chr(34) & ": " & Chr(34))
    strCBprevalence = getdata(strCBresponseText, ",", "hostCount" & Chr(34) & ": ")
    strCBHostname = getdata(strCBresponseText, Chr(34), "hostname" & Chr(34) & ": " & Chr(34))
    strstatus = getdata(strCBresponseText, Chr(34), "status" & Chr(34) & ": " & Chr(34)) '"status": "Unresolved"
    created_time = getdata(strCBresponseText, Chr(34), "created_time" & Chr(34) & ": " & Chr(34))
    resolved_time= getdata(strCBresponseText, Chr(34), "resolved_time" & Chr(34) & ": " & Chr(34))
    process_name = getdata(strCBresponseText, Chr(34), "process_name" & Chr(34) & ": " & Chr(34))
    process_id = getdata(strCBresponseText, Chr(34), "process_id" & Chr(34) & ": " & Chr(34))
    segment_id = getdata(strCBresponseText, ",", "segment_id" & Chr(34) & ": " )
    netconn_count = getdata(strCBresponseText, ",", "netconn_count" & Chr(34) & ": ")
    unique_id = getdata(strCBresponseText, Chr(34), "unique_id" & Chr(34) & ": " & Chr(34))
    watchlist_id = getdata(strCBresponseText, Chr(34), "watchlist_id" & Chr(34) & ": " & Chr(34))
    'ioc_attr is a JSON string containing escaped JSON, hence the \" patterns below.
    if instr(strCBresponseText,"ioc_attr") Then 'might want to add this And strIOCval <> "query"
      iocSection = getdata(strCBresponseText, "}", "ioc_attr" & Chr(34) & ": " & Chr(34) & "{")
      strDirection = getdata(iocSection, "\", "direction\" & Chr(34) & ":" & spaceValue & "\" & Chr(34))
      strprotocol = getdata(iocSection, "\", "protocol\" & Chr(34) & ":" & spaceValue & "\" & Chr(34))
      strlocal_port = getdata(iocSection, "\", "local_port\" & Chr(34) & ":" & spaceValue & "\" & Chr(34))
      strdns_name = getdata(iocSection, "\", "dns_name\" & Chr(34) & ":" & spaceValue & "\" & Chr(34))
      strlocal_ip = getdata(iocSection, "\", "local_ip\" & Chr(34) & ":" & spaceValue & "\" & Chr(34))
      strport = getdata(iocSection, "\", "remote_port\" & Chr(34) & ":" & spaceValue & "\" & Chr(34))
      strremote_ip = getdata(iocSection, "\", "remote_ip\" & Chr(34) & ":" & spaceValue & "\" & Chr(34))
    end if
    'Fall back to the "hostnames" array, joining the non-numeric entries with "/".
    if strCBHostname = "" then
      strTmpCBHostname = getdata(strCBresponseText, "]", "hostnames" & Chr(34) & ": [" & vblf & " " & Chr(34))
      if instr(strTmpCBHostname, "|") then
        arrayCBHostName = split(strTmpCBHostname, "|")
        for each CBNames in arrayCBHostName
          arrayCBnames = split(CBNames, vbLf)
          for each CBhostName in arrayCBnames
            strTmpCBHostname = replace(CBhostName, Chr(34), "")
            strTmpCBHostname = replace(strTmpCBHostname, " ","" )
            if isnumeric(strTmpCBHostname) = False and strTmpCBHostname <> "" then
              'msgbox strTmpCBHostname
              if strCBHostname = "" then
                strCBHostname = strTmpCBHostname
              else
                strCBHostname= strCBHostname & "/" & strTmpCBHostname
              end if
            end if
          next
        next
      end if
    end if

    alert_severity = getdata(strCBresponseText, ",", "alert_severity" & Chr(34) & ": ")

    strtmpCB_Fpath = getfilepath(strCBfilePath)
    'RecordPathVendorStat strtmpCB_Fpath 'record path vendor statistics
  end if


  'Route the IOC value to a per-type list file.
  if IsHash(strioc_value) = True then
    logdata strReportPath & "\IOC_MD5.txt", strioc_value, false
  elseif IsIPaddress(strioc_value) = True then
    logdata strReportPath & "\IOC_IP.txt", strioc_value, false
  elseif boolQueryIOC = True then
    logdata strReportPath & "\IOC_Query.txt", strioc_value, false
  elseif instr(strioc_value, "$") = 0 And strioc_value <> "" then
    logdata strReportPath & "\IOC_Domain.txt", strioc_value, false
  ElseIf strioc_value <> "" then
    logdata strReportPath & "\IOCs.txt", strioc_value, false
  end if

  if strioc_value = "" and BoolDebugTrace = True then
    logdata strDebugPath & "\ioc_value.log", "Debug - did not contain ioc_value: " & strCBresponseText, False
  end If
  If strIOCval = "query" Then strioc_value = "query"
  If strioc_value <> "" then
    strioc_value = replace(strioc_value, Chr(34), "") 'value provided can contain characters that mess with CSV output
    strioc_value = replace(strioc_value, ",", "")
    strCBfilePath = AddPipe(strCBfilePath) 'CB File Path
    process_name = AddPipe(process_name) 'process name
    netconn_count = AddPipe(netconn_count)'netconn count
    strstatus = AddPipe(strstatus) 'alert status
    strCBFileSize = AddPipe(strCBFileSize)
    strCBprevalence = AddPipe(strCBprevalence)
    strCBHostname = AddPipe(strCBHostname)
    interface_ip = AddPipe(interface_ip)
    strdescription = AddPipe(strdescription)
    sensor_id = AddPipe(sensor_id)
    'NOTE(review): this overwrites the alert_severity value parsed above with AddPipe(strCBcmdline);
    'strCBcmdline is not assigned anywhere visible in this file, so the severity column is
    'presumably always empty -- looks like a copy/paste slip, confirm against the CSV output.
    alert_severity = AddPipe(strCBcmdline)
    StrCBMD5 = AddPipe(StrCBMD5)

    IOC_Entries = ""
    IOC_Head = ""

    if instr(strCBresponseText,"ioc_attr") then
      strDirection = AddPipe(strDirection)
      strprotocol = AddPipe(strprotocol)
      strlocal_port = AddPipe(strlocal_port)
      strdns_name = AddPipe(strdns_name)
      strlocal_ip = AddPipe(strlocal_ip)
      strport = AddPipe(strport)
      strremote_ip = AddPipe(strremote_ip)
      search_query = AddPipe(search_query)
      created_time = AddPipe(created_time)
      resolved_time = AddPipe(resolved_time)
      process_id = AddPipe(process_id)
      segment_id = AddPipe(segment_id)
      IOC_Entries = strDirection & strprotocol & strlocal_port & strdns_name & strlocal_ip & strport & strremote_ip & created_time & resolved_time & search_query & process_id & segment_id
      IOC_Head = ",Direction, Protocol, Local Port, DNS Name, Local IP, Port, Report IP, Creation Time, Resolve Time, search_query, Process ID, Segment ID"
    end if
    endHead = ",Host Name"
    if boolOutputID = True then
      endHead = endHead & ", AlertID"
      unique_id = addPipe(unique_id)
    else
      unique_id = ""
    end if
    if boolOutputWID = True then
      endHead = endHead & ", WatchlistID"
      watchlist_id = addPipe(watchlist_id)
    else
      watchlist_id = ""
    end if


    if
boolHeaderWritten = False then 498 | strSSrow = "IOC,MD5,Path," & "process_name," & "netconn_count," & "Status," & "CB Prevalence,interface_ip, sensor_id, Description, Severity" & IOC_Head & endHead 499 | logdata strHashOutPath, strSSrow, False 500 | boolHeaderWritten = True 501 | END IF 502 | 503 | strSSrow = strioc_value & StrCBMD5 & strCBfilePath & process_name & netconn_count & strstatus & strCBprevalence & interface_ip & sensor_id & strdescription & alert_severity & IOC_Entries & strCBHostname & unique_id & watchlist_id 504 | strTmpSSlout = Chr(34) & replace(strSSrow, "|",Chr(34) & "," & Chr(34)) & Chr(34) 505 | logdata strHashOutPath, strTmpSSlout, False 506 | end if 507 | strCBfilePath = "" 508 | strCBdigSig = "" 509 | strCBcompanyName = "" 510 | strCBproductName = "" 511 | strCBFileSize = "" 512 | strCBprevalence = "" 513 | StrCBMD5 = "" 514 | strCBHostname = "" 515 | strCBInfoLink = "" 516 | strCBcmdline = "" 517 | parent_name = "" 518 | end sub 519 | 520 | 521 | 522 | 523 | function LogData(TextFileName, TextToWrite,EchoOn) 524 | Set fsoLogData = CreateObject("Scripting.FileSystemObject") 525 | If InStr(TextFileName, "/") > 0 Then TextFileName = Replace(TextFileName, "/", "_") 526 | if EchoOn = True then wscript.echo TextToWrite 527 | If fsoLogData.fileexists(TextFileName) = False Then 528 | 'Creates a replacement text file 529 | on error resume next 530 | fsoLogData.CreateTextFile TextFileName, True 531 | if err.number <> 0 and err.number <> 53 then msgbox "can't create file " & Chr(34) & TextFileName & Chr(34) & ": " & err.number & " " & err.description & vbcrlf & TextFileName 532 | on error goto 0 533 | End If 534 | if TextFileName <> "" then 535 | 536 | 537 | Set WriteTextFile = fsoLogData.OpenTextFile(TextFileName,ForAppending, False) 538 | on error resume next 539 | WriteTextFile.WriteLine TextToWrite 540 | if err.number <> 0 then 541 | on error goto 0 542 | WriteTextFile.Close 543 | Dim objStream 544 | Set objStream = CreateObject("ADODB.Stream") 
545 | objStream.CharSet = "utf-16" 546 | objStream.Open 547 | objStream.WriteText TextToWrite 548 | on error resume next 549 | objStream.SaveToFile TextFileName, 2 550 | if err.number <> 0 then msgbox err.number & " - " & err.message & " Problem writting to " & TextFileName 551 | if err.number <> 0 then msgbox "problem writting text: " & TextToWrite 552 | on error goto 0 553 | Set objStream = nothing 554 | end if 555 | end if 556 | Set fsoLogData = Nothing 557 | End Function 558 | 559 | Function GetFilePath (ByVal FilePathName) 560 | found = False 561 | 562 | Z = 1 563 | 564 | Do While found = False and Z < Len((FilePathName)) 565 | 566 | Z = Z + 1 567 | 568 | If InStr(Right((FilePathName), Z), "\") <> 0 And found = False Then 569 | mytempdata = Left(FilePathName, Len(FilePathName) - Z) 570 | 571 | GetFilePath = mytempdata 572 | 573 | found = True 574 | 575 | End If 576 | 577 | Loop 578 | 579 | end Function 580 | function UDate(oldDate) 581 | UDate = DateDiff("s", "01/01/1970 00:00:00", oldDate) 582 | end function 583 | 584 | Sub ExitExcel() 585 | if BoolUseExcel = True then 586 | objExcel.DisplayAlerts = False 587 | objExcel.quit 588 | end if 589 | end sub 590 | Function RemoveTLS(strTLS) 591 | dim strTmpTLS 592 | if len(strTLS) > 0 then 593 | for rmb = 1 to len(strTLS) 594 | if mid(strTLS, rmb, 1) <> " " then 595 | strTmpTLS = right(strTLS,len(strTLS) - RMB +1) 596 | exit for 597 | end if 598 | next 599 | end if 600 | 601 | if len(strTmpTLS) > 0 then 602 | for rmb = len(strTmpTLS) to 1 step -1 603 | 604 | if mid(strTmpTLS, rmb, 1) <> " " then 605 | strTmpTLS = left(strTmpTLS,len(strTmpTLS) - (len(strTmpTLS) - RMB)) 606 | exit for 607 | end if 608 | next 609 | end if 610 | 611 | RemoveTLS = strTmpTLS 612 | end Function 613 | 614 | Function AddPipe(strpipeless) 615 | dim strPipeAdded 616 | 617 | if len(strpipeless) > 0 then 618 | if left(strpipeless, 1) <> "|" then 619 | strPipeAdded = "|" & strpipeless 620 | 621 | else 622 | strPipeAdded = strpipeless 623 | end if 
624 | else 625 | strPipeAdded = "|" 626 | end if 627 | 628 | AddPipe = strPipeAdded 629 | end function 630 | 631 | 632 | 633 | 634 | Function encrypt(StrText, key) 635 | Dim lenKey, KeyPos, LenStr, x, Newstr 636 | 637 | Newstr = "" 638 | lenKey = Len(key) 639 | KeyPos = 1 640 | LenStr = Len(StrText) 641 | StrText = StrReverse(StrText) 642 | For x = 1 To LenStr 643 | Newstr = Newstr & Chr(asc(Mid(StrText,x,1)) + Asc(Mid(key,KeyPos,1))) 644 | KeyPos = keypos+1 645 | If KeyPos > lenKey Then KeyPos = 1 646 | 'if x = 4 then msgbox "error with char " & Chr(34) & asc(Mid(StrText,x,1)) - Asc(Mid(key,KeyPos,1)) & Chr(34) & " At position " & KeyPos & vbcrlf & Mid(StrText,x,1) & Mid(key,KeyPos,1) & vbcrlf & asc(Mid(StrText,x,1)) & asc(Mid(key,KeyPos,1)) 647 | Next 648 | encrypt = Newstr 649 | End Function 650 | 651 | Function Decrypt(StrText,key) 652 | Dim lenKey, KeyPos, LenStr, x, Newstr 653 | 654 | Newstr = "" 655 | lenKey = Len(key) 656 | KeyPos = 1 657 | LenStr = Len(StrText) 658 | 659 | StrText=StrReverse(StrText) 660 | For x = LenStr To 1 Step -1 661 | on error resume next 662 | Newstr = Newstr & Chr(asc(Mid(StrText,x,1)) - Asc(Mid(key,KeyPos,1))) 663 | if err.number <> 0 then 664 | msgbox "error with char " & Chr(34) & asc(Mid(StrText,x,1)) - Asc(Mid(key,KeyPos,1)) & Chr(34) & " At position " & KeyPos & vbcrlf & Mid(StrText,x,1) & Mid(key,KeyPos,1) & vbcrlf & asc(Mid(StrText,x,1)) & asc(Mid(key,KeyPos,1)) 665 | wscript.quit(011) 666 | end if 667 | on error goto 0 668 | KeyPos = KeyPos+1 669 | If KeyPos > lenKey Then KeyPos = 1 670 | Next 671 | Newstr=StrReverse(Newstr) 672 | Decrypt = Newstr 673 | End Function 674 | Function FormatDate(strFDate) 675 | Dim strTmpMonth 676 | Dim strTmpDay 677 | strTmpMonth = datepart("m",strFDate) 678 | strTmpDay = datepart("d",strFDate) 679 | if len(strTmpMonth) = 1 then strTmpMonth = "0" & strTmpMonth 680 | if len(strTmpDay) = 1 then strTmpDay = "0" & strTmpDay 681 | 682 | FormatDate = datepart("yyyy",strFDate) & "-" & strTmpMonth & 
"-" & strTmpDay 683 | 684 | 685 | end function 686 | 687 | 688 | Function ValueFromIni(strFpath, iniSection, iniKey, currentValue) 689 | returniniVal = ReadIni( strFpath, iniSection, iniKey) 690 | if returniniVal = " " then 691 | returniniVal = currentValue 692 | end if 693 | if TypeName(returniniVal) = "String" then 694 | returniniVal = stringToBool(returniniVal)'convert type to boolean if needed 695 | elseif TypeName(returniniVal) = "Integer" then 696 | returniniVal = int(returniniVal)'convert type to int if needed 697 | end if 698 | ValueFromIni = returniniVal 699 | end function 700 | 701 | Function stringToBool(strBoolean) 702 | if lcase(strBoolean) = "true" then 703 | returnBoolean = True 704 | elseif lcase(strBoolean) = "false" then 705 | returnBoolean = False 706 | else 707 | returnBoolean = strBoolean 708 | end if 709 | stringToBool = returnBoolean 710 | end function 711 | 712 | Function ReadIni( myFilePath, mySection, myKey ) 'http://www.robvanderwoude.com/vbstech_files_ini.php 713 | ' This function returns a value read from an INI file 714 | ' 715 | ' Arguments: 716 | ' myFilePath [string] the (path and) file name of the INI file 717 | ' mySection [string] the section in the INI file to be searched 718 | ' myKey [string] the key whose value is to be returned 719 | ' 720 | ' Returns: 721 | ' the [string] value for the specified key in the specified section 722 | ' 723 | ' CAVEAT: Will return a space if key exists but value is blank 724 | ' 725 | ' Written by Keith Lacelle 726 | ' Modified by Denis St-Pierre and Rob van der Woude 727 | 728 | Dim intEqualPos 729 | Dim objFSO, objIniFile 730 | Dim strFilePath, strKey, strLeftString, strLine, strSection 731 | 732 | Set objFSO = CreateObject( "Scripting.FileSystemObject" ) 733 | 734 | ReadIni = "" 735 | strFilePath = Trim( myFilePath ) 736 | strSection = Trim( mySection ) 737 | strKey = Trim( myKey ) 738 | 739 | If objFSO.FileExists( strFilePath ) Then 740 | Set objIniFile = objFSO.OpenTextFile( strFilePath, 
ForReading, False ) 741 | Do While objIniFile.AtEndOfStream = False 742 | strLine = Trim( objIniFile.ReadLine ) 743 | 744 | ' Check if section is found in the current line 745 | If LCase( strLine ) = "[" & LCase( strSection ) & "]" Then 746 | strLine = Trim( objIniFile.ReadLine ) 747 | 748 | ' Parse lines until the next section is reached 749 | Do While Left( strLine, 1 ) <> "[" 750 | ' Find position of equal sign in the line 751 | intEqualPos = InStr( 1, strLine, "=", 1 ) 752 | If intEqualPos > 0 Then 753 | strLeftString = Trim( Left( strLine, intEqualPos - 1 ) ) 754 | ' Check if item is found in the current line 755 | If LCase( strLeftString ) = LCase( strKey ) Then 756 | ReadIni = Trim( Mid( strLine, intEqualPos + 1 ) ) 757 | ' In case the item exists but value is blank 758 | If ReadIni = "" Then 759 | ReadIni = " " 760 | End If 761 | ' Abort loop when item is found 762 | Exit Do 763 | End If 764 | End If 765 | 766 | ' Abort if the end of the INI file is reached 767 | If objIniFile.AtEndOfStream Then Exit Do 768 | 769 | ' Continue with next line 770 | strLine = Trim( objIniFile.ReadLine ) 771 | Loop 772 | Exit Do 773 | End If 774 | Loop 775 | objIniFile.Close 776 | Else 777 | if BoolRunSilent = False then WScript.Echo strFilePath & " does not exist. Using script configured/default settings instead" 778 | End If 779 | End Function 780 | 781 | 782 | 783 | 784 | Function SocketTools_HTTP(strRemoteURL) 785 | ' SocketTools 9.3 ActiveX Edition 786 | ' Copyright 2018 Catalyst Development Corporation 787 | ' All rights reserved 788 | ' 789 | ' This file is licensed to you pursuant to the terms of the 790 | ' product license agreement included with the original software, 791 | ' and is protected by copyright law and international treaties. 792 | ' Unauthorized reproduction or distribution may result in severe 793 | ' criminal penalties. 794 | ' 795 | 796 | ' 797 | ' Retrieve the specified page from a web server and write the 798 | ' contents to standard output. 
The parameter should specify the 799 | ' URL of the page to display 800 | 801 | 802 | Const httpTransferDefault = 0 803 | Const httpTransferConvert = 1 804 | 805 | Dim objArgs 806 | Dim objHttp 807 | Dim strBuffer 808 | Dim nLength 809 | Dim nArg, nError 810 | 811 | 812 | ' 813 | ' Create an instance of the control 814 | ' 815 | Set objHttp = WScript.CreateObject("SocketTools.HttpClient.9") 816 | 817 | ' 818 | ' Initialize the object using the specified runtime license key; 819 | ' if the key is not specified, the development license will be used 820 | ' 821 | 822 | nError = objHttp.Initialize(strLicenseKey) 823 | If nError <> 0 Then 824 | WScript.Echo "Unable to initialize SocketTools component" 825 | WScript.Quit(1) 826 | End If 827 | 828 | objHttp.HeaderField = "X-Auth-Token" 829 | objHttp.HeaderValue = strCarBlackAPIKey 830 | 831 | ' Setup error handling since the component will throw an error 832 | ' if an invalid URL is specified 833 | 834 | On Error Resume Next: Err.Clear 835 | objHttp.URL = strRemoteURL 836 | 837 | ' Check the Err object to see if an error has occurred, and 838 | ' if so, let the user know that the URL is invalid 839 | 840 | If Err.Number <> 0 Then 841 | WScript.echo "The specified URL is invalid" 842 | WScript.Quit(1) 843 | End If 844 | 845 | ' Reset error handling and connect to the server using the 846 | ' default property values that were updated when the URL 847 | ' property was set (ie: HostName, RemotePort, UserName, etc.) 848 | On Error GoTo 0 849 | nError = objHttp.Connect() 850 | 851 | If nError <> 0 Then 852 | WScript.echo "Error connecting to " & strRemoteURL & ". 
" & objHttp.LastError & ": " & objHttp.LastErrorString 853 | WScript.Quit(1) 854 | End If 855 | objHttp.timeout = 90 856 | ' Download the file to the local system 857 | nError = objHttp.GetData(objHttp.Resource, strBuffer, nLength, httpTransferConvert) 858 | 859 | If nError = 0 Then 860 | SocketTools_HTTP = strBuffer 861 | Else 862 | WScript.echo "Error " & objHttp.LastError & ": " & objHttp.LastErrorString 863 | SocketTools_HTTP = objHttp.ResultString 864 | End If 865 | 866 | objHttp.Disconnect 867 | objHttp.Uninitialize 868 | end function 869 | 870 | Function IsHash(TestString) 871 | Dim sTemp 872 | Dim iLen 873 | Dim iCtr 874 | Dim sChar 875 | 876 | 877 | sTemp = TestString 878 | iLen = Len(sTemp) 879 | If iLen > 0 Then 880 | For iCtr = 1 To iLen 881 | sChar = Mid(sTemp, iCtr, 1) 882 | if isnumeric(sChar) or "a"= lcase(sChar) or "b"= lcase(sChar) or "c"= lcase(sChar) or "d"= lcase(sChar) or "e"= lcase(sChar) or "f"= lcase(sChar) then 883 | 'allowed characters for hash (hex) 884 | else 885 | IsHash = False 886 | exit function 887 | end if 888 | Next 889 | 890 | IsHash = True 891 | else 892 | IsHash = False 893 | End If 894 | 895 | End Function 896 | 897 | 898 | Function isIPaddress(strIPaddress) 899 | DIm arrayTmpquad 900 | Dim boolReturn_isIP 901 | boolReturn_isIP = True 902 | if instr(strIPaddress,".") then 903 | arrayTmpquad = split(strIPaddress,".") 904 | for each item in arrayTmpquad 905 | if isnumeric(item) = false then boolReturn_isIP = false 906 | next 907 | else 908 | boolReturn_isIP = false 909 | end if 910 | if boolReturn_isIP = false then 911 | boolReturn_isIP = isIpv6(strIPaddress) 912 | end if 913 | isIPaddress = boolReturn_isIP 914 | End Function 915 | 916 | 917 | 918 | 919 | Function IsIPv6(TestString) 920 | 921 | Dim sTemp 922 | Dim iLen 923 | Dim iCtr 924 | Dim sChar 925 | 926 | if instr(TestString, ":") = 0 then 927 | IsIPv6 = false 928 | exit function 929 | end if 930 | 931 | sTemp = TestString 932 | iLen = Len(sTemp) 933 | If iLen > 0 Then 
934 | For iCtr = 1 To iLen 935 | sChar = Mid(sTemp, iCtr, 1) 936 | if isnumeric(sChar) or "a"= lcase(sChar) or "b"= lcase(sChar) or "c"= lcase(sChar) or "d"= lcase(sChar) or "e"= lcase(sChar) or "f"= lcase(sChar) or ":" = sChar then 937 | 'allowed characters for hash (hex) 938 | else 939 | IsIPv6 = False 940 | exit function 941 | end if 942 | Next 943 | 944 | IsIPv6 = True 945 | else 946 | IsIPv6 = False 947 | End If 948 | 949 | End Function 950 | 951 | function escapeSpecials(strSpecialQuery) 952 | newQuery = replace(strSpecialQuery, "*", "\*") 953 | newQuery = replace(newQuery, Chr(34), "\" & Chr(34)) 954 | newQuery = replace(newQuery, "&", "\&") 955 | 'need to perform encoding for pound sign 956 | escapeSpecials = newQuery 957 | end Function -------------------------------------------------------------------------------- /Hash_Dump/CB_Hash_Dump.vbs: -------------------------------------------------------------------------------- 1 | 'CB Hash Dump v3.3 - Dumps hashes from CB (Carbon Black) Response 2 | 'Dumps CSV "MD5|Path|Publisher|Company|Product|CB Prevalence|Logical Size|Score 3 | 4 | 'This script will write out hashes and some associated data via the CB Response (Carbon Black) API 5 | 6 | 'Copyright (c) 2020 Ryan Boyle randomrhythm@rhythmengineering.com. 7 | 8 | 'This program is free software: you can redistribute it and/or modify 9 | 'it under the terms of the GNU General Public License as published by 10 | 'the Free Software Foundation, either version 3 of the License, or 11 | '(at your option) any later version. 12 | 13 | 'This program is distributed in the hope that it will be useful, 14 | 'but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | 'MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | 'GNU General Public License for more details. 17 | 18 | 'You should have received a copy of the GNU General Public License 19 | 'along with this program. If not, see <http://www.gnu.org/licenses/>. 
dim strCarBlackAPIKey
Dim StrCBfilePath
Dim StrCBdigSig
Dim StrCBcompanyName
Dim StrCBproductName
Dim StrCBFileSize
Dim StrCBprevalence
Dim StrCBMD5
Dim intTotalQueries
Dim IntDaysQuery
Dim strStartDateQuery
Dim strEndDateQuery
Dim strSRSTRustQuery
Dim strHostFilter
Dim boolOutputHosts
Dim boolOutputDateAdded
Dim boolOutputCopyright
Dim boolOutputInternalName
Dim boolOutputOrigFname
Dim boolOutputFileDesc
Dim boolEnableYARA
Dim yaraFeedID
Dim tmpYaraUID
Dim ExpandYARA
Dim objFSO: Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim dictYARA: Set dictYARA = CreateObject("Scripting.Dictionary")
Dim dictYARoutput: Set dictYARoutput = CreateObject("Scripting.Dictionary")
Dim boolUseSocketTools
Dim strLicenseKey
Dim strIniPath
Dim boolUseHashList
Dim strReportPath
Dim strCBHostname
' OpenTextFile IOMode values
Const forwriting = 2
Const ForAppending = 8
Const ForReading = 1


'---Config Section
' Script defaults. Each setting is overridden by the matching INI key below when strIniPath exists.
BoolDebugTrace = False 'Leave this to false unless asked to collect debug logs.
IntDayStartQuery = "*" 'time to go back for start date of query. Set to "*" to query all binaries. Set to "-7" for the last week.
strTimeMeasurement = "d" '"h" for hours "d" for days
IntDayEndQuery = "*" 'days to go back for end date of query. Set to "*" for no end date. Set to "-1" to stop at yesterday.
strBoolIs_Executable = "True" 'set to "true" to query executables. Set to "false" to query resources (DLLs).
BoolExcludeSRSTRust = True 'Exclude trusted applications from the query
strSensorID = "" 'sensor_id
strHostFilter = "" 'computer name to filter to. Use uppercase, is case sensitive. If that does not work try using sensor_id instead
strqueryitem = "" 'feed or other query item to filter off of example:"alliance_score_srsthreat:* "
strReportPath = "\Reports" 'directory to write report output
boolOutputHosts = True ' Set to True to output hostnames for each binary
boolOutputDateAdded = True ' Set to True to output the date that the file was added to Cb Response
boolOutputDateSigned = True ' Set to True to output the date the binary was signed
boolOutputInternalName = True 'Seems uncommon for this to be populated
boolOutputCopyright = True
boolOutputComments = True
boolOutputOrigFname = True 'Seems uncommon for this to be populated
boolOutputFileDesc = True
boolUseHashList = False 'Output only hashes found within input list
boolEnableYARA = True'include yara
expandYARA = False 'Adds a column for each rule. Set to false to put all YARA data in one column
boolUseSocketTools = False 'Uses external library from SocketTools (needed when using old OS that does not support latest TLS standards)
strLicenseKey = "" 'License key is required to use SocketTools
strIniPath = "Cb_HD.ini" 'relative path: resolved against the process working directory, not the script folder (CurrentDirectory is only computed further down)
'---End Config section

' INI overrides. ValueFromINI keeps the script default when the key's value is blank;
' see the note on that function for the behaviour when a key is missing entirely.
if objFSO.FileExists(strIniPath) = True then
    '---Ini loading section
    IntDayStartQuery = ValueFromINI(strIniPath, "IntegerValues", "StartTime", IntDayStartQuery)
    IntDayEndQuery = ValueFromINI(strIniPath, "IntegerValues", "EndTime", IntDayEndQuery)
    strTimeMeasurement = ValueFromINI(strIniPath, "StringValues", "TimeMeasurement", strTimeMeasurement)
    strBoolIs_Executable = ValueFromINI(strIniPath, "BooleanValues", "IsExecutable", strBoolIs_Executable)
    strSensorID = ValueFromINI(strIniPath, "StringValues", "SensorID", strSensorID)
    strHostFilter = ValueFromINI(strIniPath, "StringValues", "HostFilter", strHostFilter)
    strqueryitem = ValueFromINI(strIniPath, "StringValues", "QueryItem", strqueryitem)

    BoolExcludeSRSTRust = ValueFromINI(strIniPath, "BooleanValues", "ExcludeSRSTRust", BoolExcludeSRSTRust)
    boolUseSocketTools = ValueFromINI(strIniPath, "BooleanValues", "UseSocketTools", boolUseSocketTools)
    boolOutputHosts = ValueFromINI(strIniPath, "BooleanValues", "OutputHosts", boolOutputHosts)
    boolOutputDateAdded = ValueFromINI(strIniPath, "BooleanValues", "OutputDateAdded", boolOutputDateAdded)
    boolOutputDateSigned = ValueFromINI(strIniPath, "BooleanValues", "OutputDateSigned", boolOutputDateSigned)
    boolOutputInternalName = ValueFromINI(strIniPath, "BooleanValues", "OutputInternalName", boolOutputInternalName)
    boolOutputCopyright = ValueFromINI(strIniPath, "BooleanValues", "OutputCopyright", boolOutputCopyright)
    boolOutputComments = ValueFromINI(strIniPath, "BooleanValues", "OutputComments", boolOutputComments)
    boolOutputOrigFname = ValueFromINI(strIniPath, "BooleanValues", "OutputOriginalName", boolOutputOrigFname)
    boolEnableYARA = ValueFromINI(strIniPath, "BooleanValues", "YARA", boolEnableYARA)
    expandYARA = ValueFromINI(strIniPath, "BooleanValues", "ExpandYARA", expandYARA)
    BoolDebugTrace = ValueFromINI(strIniPath, "BooleanValues", "Debug", BoolDebugTrace)
    boolUseHashList = ValueFromINI(strIniPath, "BooleanValues", "UseHashList", boolUseHashList)
    '---End ini loading section
else
    ' BoolRunSilent is not assigned anywhere in this section; an unassigned variable is Empty,
    ' which compares equal to False, so the message is shown
    if BoolRunSilent = False then WScript.Echo strIniPath & " does not exist. Using script configured/default settings instead"
end if

' Extra query clauses. The INI values are spliced into the Cb search string verbatim --
' no escaping or URL-encoding is applied in this section (escapeSpecials is not used here).
if strHostFilter <> "" then
    msgbox "filtering to host " & strHostFilter
    strHostFilter = " AND hostname:" & strHostFilter
end if
' a sensor ID replaces (does not extend) the hostname clause, so SensorID wins over HostFilter
if strSensorID <> "" then
    msgbox "filtering to sensor ID " & strSensorID
    strHostFilter = " AND sensor_id:" & strSensorID
end if
if strqueryitem <> "" then
    strHostFilter = strHostFilter & " AND " & strqueryitem
end if

' server_added_timestamp range clause. "*" on either side leaves that end open; with both
' ends "*" no clause is built at all (both variables stay Empty).
' NOTE(review): a numeric StartTime with an EndTime that is neither "*" nor numeric leaves
' the clause unterminated (strEndDateQuery stays Empty, so the "]" is never appended).
if isnumeric(IntDayStartQuery) then
    strStartDateQuery = DateAdd(strTimeMeasurement,IntDayStartQuery,now)

    ' AND server_added_timestamp:[" & strStartDateQuery & "T00:00:00 TO "
    strStartDateQuery = " AND server_added_timestamp:[" & FormatDate (strStartDateQuery) & " TO "
    if IntDayEndQuery = "*" then
        strEndDateQuery = "*]"
    elseif isnumeric(IntDayEndQuery) then
        strEndDateQuery = DateAdd(strTimeMeasurement,IntDayEndQuery,now)
        strEndDateQuery = FormatDate (strEndDateQuery) & "]"
    end if
elseif isnumeric(IntDayEndQuery) then
    strEndDateQuery = DateAdd(strTimeMeasurement,IntDayEndQuery,now)
    strEndDateQuery = " AND server_added_timestamp:[ * TO " & FormatDate (strEndDateQuery) & "]"
end if

if boolUseHashList = True then 'only dump hashes specified in the input file
    ' NOTE(review): CurrentDirectory is only assigned further down (from wscript.ScriptFullName)
    ' and strInputPath has no default in the config, so this FileExists test is effectively
    ' always false and the SelectFile picker is always shown.
    if objFSO.fileexists(CurrentDirectory & "\" & strInputPath) then
        strInputPath = CurrentDirectory & "\" & strInputPath
    else
        wscript.echo "Please open the text input list or CSV file"
        strInputPath = SelectFile( )
    end if
    if strInputPath <> "" then
        Msgbox "Dumping all hashes available in Cb Response that match the hash list in file " & Chr(34) & strInputPath & chr(34)
    else
        msgbox "No input path specified. Script will dump all hashes instead per the INI configuration"
        boolUseHashList = False
    end if
end if
if boolUseHashList = False then 'only used during full dump
    ' shows the range clause from its "[" onwards
    msgbox "Date query: " & right(strStartDateQuery & strEndDateQuery, len(strStartDateQuery & strEndDateQuery) - instr(strStartDateQuery & strEndDateQuery,"[") +1)
end if

strSRSTRustQuery = ""
if BoolExcludeSRSTRust = True then
    strSRSTRustQuery = " AND -alliance_score_srstrust:*"
end if

' paths: the report directory is taken as relative to the script folder unless it contains a drive colon
CurrentDirectory = GetFilePath(wscript.ScriptFullName)
strDebugPath = CurrentDirectory & "\Debug\"
if instr(strReportPath, ":") = 0 then
    strReportPath = CurrentDirectory & "\" & strReportPath
end if

' one CSV per run, named by the Unix timestamp of the start
strSSfilePath = strReportPath & "\CB_" & udate(now) & ".csv"

' NOTE(review): this key is a constant in the script, so the value written to cb.dat is only
' obfuscated (see encrypt): anyone who can read cb.dat and this script recovers the API key.
' Protect the script folder with file ACLs, or keep the key in a DPAPI/credential-manager
' backed store instead.
strRandom = "4bv3nT9vrkJpj3QyueTvYFBMIvMOllyuKy3d401Fxaho6DQTbPafyVmfk8wj1bXF" 'encryption key. Change if you want but can only decrypt with same key
Set objFSO = CreateObject("Scripting.FileSystemObject")


'create sub directories
if objFSO.folderexists(strReportPath) = False then _
    objFSO.createfolder(strReportPath)
if objFSO.folderexists(strDebugPath) = False then _
    objFSO.createfolder(strDebugPath)

' cb.dat: line 1 = obfuscated API key, line 2 = base URL
strFile= CurrentDirectory & "\cb.dat"
strAPIproduct = "Carbon Black"


strData = ""
StrBaseCBURL = ""
if objFSO.fileexists(strFile) then
    Set objFile = objFSO.OpenTextFile(strFile)
    if not objFile.AtEndOfStream then 'read file
        'On Error Resume Next
        strData = objFile.ReadLine
        if not objFile.AtEndOfStream then StrBaseCBURL = objFile.ReadLine
        'on error goto 0
    end if
    if strData <> "" then
        strData = Decrypt(strData,strRandom)
        strTempAPIKey = strData
        strData = ""
    end if
end if
' objFile is unset when cb.dat does not exist, hence the guarded close
on error resume next
objFile.close
on error goto 0

' strData is always "" by this point, so the key is prompted for exactly when cb.dat is absent;
' the obfuscated key is then appended to cb.dat via logdata
if not objFSO.fileexists(strFile) and strData = "" then
    strTempAPIKey = inputbox("Enter your " & strAPIproduct & " api key")
    if strTempAPIKey <> "" then
        strTempEncryptedAPIKey = encrypt(strTempAPIKey,strRandom)
        logdata strFile,strTempEncryptedAPIKey,False
    end if
end if

' base URL missing (new cb.dat, or an old one-line file): prompt and append it as line 2
if StrBaseCBURL = "" and strTempAPIKey <> "" then
    strTempEncryptedAPIKey = ""
    StrBaseCBURL = inputbox("Enter your " & strAPIproduct & " base URL (example: https://ryancb-example.my.carbonblack.io")
    if StrBaseCBURL <> "" then
        logdata strFile,StrBaseCBURL,False
    end if
end if
if strTempAPIKey = "" then

    msgbox "invalid api key"
    wscript.quit(999)
end if

strCarBlackAPIKey = strTempAPIKey


' NOTE(review): this only checks that the text contains "http" and "://", so a plain
' http:// URL is accepted and the API key in X-Auth-Token would travel unencrypted.
' A stricter test is `if Left(LCase(StrBaseCBURL), 8) = "https://" then`.
if instr(lcase(StrBaseCBURL),"http") <> 0 and instr(lcase(StrBaseCBURL),"://") <> 0 then
    if strCarBlackAPIKey <> "" and StrBaseCBURL <> "" then BoolUseCarbonBlack = True
else
    msgbox "Invalid URL specified for Carbon Black: " & StrBaseCBURL & vbcrlf & "Delete the dat file to input new URL information: " & strFile
    StrBaseCBURL = ""
    BoolUseCarbonBlack = False
end if


' optional SocketTools client; objST_Http is created and initialized here but is not referenced
' elsewhere in the visible code (the HTTP helpers create their own instance)
if boolUseSocketTools = True then
    on error resume next
    Set objST_Http = WScript.CreateObject("SocketTools.HttpClient.9")
    if err.number <> 0 then
        on error goto 0
        msgbox "Problem loading SocketTools HTTP Client. Script will now exit. Try registering the control or disabling SocketTools"
        wscript.quit
    end if
    nError = objST_Http.Initialize(strLicenseKey)
    If nError <> 0 Then
        WScript.Echo "Unable to initialize SocketTools component"
        WScript.Quit(1)
    End If
end if


' drop the temporary plaintext copy; strCarBlackAPIKey keeps the key for the HTTP helpers
strTempAPIKey = ""


intTotalQueries = 50
'get feed info
' DumpCbFeed and CbFeedQuery are defined elsewhere in this script; yaraFeedID is not assigned
' in this section, so presumably DumpCbFeed populates it -- verify
DumpCbFeed 0, False, intTotalQueries, "/api/v1/feed"
'process yara
if boolEnableYARA = True then
    wscript.sleep 10
    if dictYARA.count = 0 then
        CbFeedQuery "feed_id:" & yaraFeedID, "YARA"
        if dictYARA.count = 0 then
            'wscript.echo "Nothing returned from YARA feed so disabling it."
            boolEnableYARA = False
        end if

    end if
end if



if BoolUseCarbonBlack = True then
    ' optional columns; a flag left False leaves its variable "" (or Empty, which concatenates as "")
    ssInternalName = ""
    ssCopyright = ""
    ssComment = ""
    ssYARA = ""
    if boolOutputOrigFname = True then ssOrigFname = "|Original File Name"
    if boolOutputInternalName = True then ssInternalName = "|Internal Name"
    IF boolOutputCopyright = True then ssCopyright = "|Copyright"
    If boolOutputFileDesc = True then ssFileDesc = "|File Description"
    If boolOutputComments = True then ssComment = "|Comments"
    'build header row
    strSSrow = "MD5|Path|Publisher|Company|Product" & ssInternalName & ssOrigFname & ssCopyright & ssFileDesc & ssComment & "|CB Prevalence" & "|Logical Size|Alliance Score"
    if boolOutputDateAdded = True then strSSrow = strSSrow & "|Date Time Added"
    if boolOutputDateSigned = True then strSSrow = strSSrow & "|Date Time Signed"
    if boolOutputHosts = True then strSSrow = strSSrow & "|Computers"
    If boolEnableYARA = True then
        if expandYARA = False then
            strSSrow = strSSrow & "|YARA"
        else
            strSSrow = strSSrow & "|" & YARAheaderrow
        end if
    end if
    ' "|" separators become quoted CSV cells
    strTmpSSlout = chr(34) & replace(strSSrow, "|",chr(34) & "," & Chr(34)) & chr(34)
' Still inside "if BoolUseCarbonBlack = True then": write the header row, then dispatch.
    logdata strSSfilePath, strTmpSSlout, False

    If boolUseHashList = False then
        ' Bulk mode. The first DumpCarBlack call (BoolProcessData=False) only
        ' reads total_results; the loop then pages through the binary search
        ' 10000 rows at a time and processes every record.
        intTotalQueries = 10
        'loop through CB results
        intTotalQueries = DumpCarBlack(0, False, intTotalQueries)
        wscript.sleep 10
        ' modal: the run pauses here until the operator clicks OK
        msgbox "Total number of items being retrieved : " & intTotalQueries
        'DumpCarBlack 0, True, intTotalQueries
        intCBcount = 0
        ' If the first request failed DumpCarBlack returns Empty, clng(Empty) is 0
        ' and the loop is skipped.
        do while intCBcount < clng(intTotalQueries)
            DumpCarBlack intCBcount, True, 10000
            intCBcount = intCBcount +10000
        loop
    else
        ' Hash-list mode: query only the hashes listed in the input file.
        RunHashLookup strInputPath'Run against input file
    end if
end if


' Query the Cb Response binary search (/api/v1/binary) using the globally
' configured filters (strBoolIs_Executable, strSRSTRustQuery, strHostFilter,
' strStartDateQuery, strEndDateQuery) and API key (strCarBlackAPIKey).
'   intCBcount      - index of the first row to return (&start=)
'   BoolProcessData - True: pass every record to individualHashProcess;
'                     False: only read total_results
'   intCBrows       - page size (&rows=)
' Returns total_results (as a string) when the response carries it, else Empty.
' A transport error is written to CB_Error.log and the function returns Empty;
' a body containing "401 Unauthorized" ends the script with exit code 997.
Function DumpCarBlack(intCBcount,BoolProcessData, intCBrows)

    ' objHTTP is not declared in this function, so it is the script-global
    ' request object shared with CbHTTPrequest/CbFeedQuery/DumpCbFeed.
    Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
    Dim strAVEurl
    Dim strReturnURL
    dim strAssocWith
    Dim strCBresponseText
    Dim strtmpCB_Fpath

    'msgbox StrBaseCBURL & "/api/v1/binary?q=is_executable_image:" & strBoolIs_Executable & strSRSTRustQuery & strStartDateQuery & strEndDateQuery & "&start=" & intCBcount & "&rows=" & intCBrows
    strAVEurl = StrBaseCBURL & "/api/v1/binary?q=is_executable_image:" & strBoolIs_Executable & strSRSTRustQuery & strHostFilter & strStartDateQuery & strEndDateQuery & "&start=" & intCBcount & "&rows=" & intCBrows
    if boolUseSocketTools = False then
        objHTTP.open "GET", strAVEurl, False
        ' NOTE(review): option 2 is SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS and
        ' 13056 (0x3300) ignores every server-certificate error (unknown CA, wrong
        ' usage, name mismatch, expiry). The API key in X-Auth-Token is then sent to
        ' a server whose identity was never verified, so anyone able to intercept the
        ' connection can capture it. Prefer a certificate the client trusts and drop
        ' this line. CbHTTPrequest and DumpCbFeed do not set it, so they already
        ' behave differently from this call against a self-signed server.
        objHTTP.SetOption 2, 13056
        objHTTP.setRequestHeader "X-Auth-Token", strCarBlackAPIKey


        on error resume next
        objHTTP.send
        if err.number <> 0 then
            ' logged and abandoned; objHTTP is left set on this path
            logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " CarBlack lookup failed with HTTP error. - " & err.description,False
            exit function
        end if
        on error goto 0
        ' Debug trace of the raw response. Creates a lot of data, so only enable
        ' BoolDebugTrace for a short test run.
        if BoolDebugTrace = True then logdata strDebugPath & "\CarBlack" & "" & ".txt", objHTTP.responseText & vbcrlf & vbcrlf,BoolEchoLog
        strCBresponseText = objHTTP.responseText
    else
        strCBresponseText = SocketTools_HTTP(strAVEurl)

    end if
    ' Status is inferred from the body text rather than objHTTP.status, so it
    ' depends on the wording of the server's error page.
    if instr(strCBresponseText, "401 Unauthorized") then
        Msgbox "Carbon Black did not like the API key supplied"
        wscript.quit(997)
    end if
    if instr(strCBresponseText, "400 Bad Request") then
        msgbox "Server did not like the query. Try using " & chr(34) & "*" & CHr(34) & " for the start and end dates" & vbcrlf & strAVEurl
    else
        ' The JSON is not parsed: each result object is assumed to start on a new
        ' line with " {" (pretty-printed output) and fields are pulled out by
        ' substring search in getdata.
        strArrayCBresponse = split(strCBresponseText, vblf & " {")
        for each strCBResponseText in strArrayCBresponse

            if len(strCBresponseText) > 0 then
                'logdata strDebugPath & "cb.log", strCBresponseText, false
                if instr(strCBresponseText, "Sample not found by hash ") then
                    'hash not found
                else
                    if instr(strCBresponseText, "total_results" & Chr(34) & ": ") then
                        DumpCarBlack = getdata(strCBresponseText, ",", "total_results" & Chr(34) & ": ")
                    elseif instr(strCBresponseText, "md5") and BoolProcessData = True then
                        individualHashProcess strCBresponseText
                    end if
                end if
            end if

        next
    end if
    set objHTTP = nothing
end function



' GET StrBaseCBURL & strURLQuery and return the response body as a string
' (RunHashLookup uses it for /api/v1/binary/<md5>/summary). The request is
' opened asynchronously and bounded by waitForResponse(intReceiveTimeout);
' failures are written to CB_Error.log and leave the result Empty.
' The function body continues in the next section.
Function CbHTTPrequest(strURLQuery)
    ' strAVEurl is not Dim'd here, so this assigns the script-global
    strAVEurl = StrBaseCBURL & strURLQuery
    Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")

    if boolUseSocketTools = False then
        ' resolve / connect / send / receive timeouts, in milliseconds
        objHTTP.SetTimeouts 600000, 600000, 600000, 900000
        objHTTP.open "GET", strAVEurl, True

        objHTTP.setRequestHeader "X-Auth-Token", strCarBlackAPIKey


        on error resume next
        objHTTP.send
        If objHTTP.waitForResponse(intReceiveTimeout) Then 'response ready
            'success!?
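' --- CbHTTPrequest continues: the function header and the send are in the previous section ---
            if err.number <> 0 then
                logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " CarBlack lookup failed with HTTP error. - " & err.description,False
                logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " HTTP status code - " & objHTTP.status,False
                logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " strAVEurl - " & strAVEurl,False
                exit function
            end if
        Else 'wait timeout exceeded
            logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " Try limiting the date range and lowering the PagesToPull in the ini file. CarBlack lookup failed due to timeout: " & strAVEurl, False
            exit function
        End If
        if objHTTP.status = 500 or objHTTP.status = 501 then
            'failed query
            logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " CarBlack lookup failed with HTTP status " & objHTTP.status & " - " & strAVEurl,False
            exit function
        end if
        if objHTTP.status = 405 then
            'failed access
            logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " CarBlack lookup failed with HTTP status " & objHTTP.status & " - This could indicate you do not have appropiate rights to query feeds",False
            msgbox "CarBlack lookup failed with HTTP status " & objHTTP.status & " - This could indicate you do not have appropiate rights to query feeds"
            exit function
        end if
        ' 404 is tolerated here; a body without an md5 field is dropped later by outputHashCSV
        if objHTTP.status <> 200 and objHTTP.status <> 404 then
            msgbox "Cb hash dump non-200 status code returned:" & objHTTP.status
        end if
        if err.number <> 0 then
            logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " CarBlack lookup failed with HTTP error. - " & err.description,False
            logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " HTTP status code - " & objHTTP.status,False
            exit function
        end if
        on error goto 0
        ' Debug trace of the raw response. Creates a lot of data, so only enable
        ' BoolDebugTrace for a short test run.
        if BoolDebugTrace = True then logdata strDebugPath & "\CarBlack" & "" & ".txt", objHTTP.responseText & vbcrlf & vbcrlf,BoolEchoLog
        strCBresponseText = objHTTP.responseText
    else
        ' SocketTools_HTTP takes exactly one argument (the URL). The previous call
        ' passed a second argument, which VBScript rejects at run time with "Wrong
        ' number of arguments", so hash-list lookups failed whenever SocketTools
        ' mode was on.
        strCBresponseText = SocketTools_HTTP(strAVEurl)
    end if
    CbHTTPrequest = strCBresponseText
end function


' Look up every hash listed in strInputPath (one per line) against
' /api/v1/binary/<hash>/summary and pass each record to individualHashProcess.
' When the file is missing or empty it is created and opened in Notepad so the
' operator can fill it in before dismissing the modal prompt.
' Only lines that IsHash accepts (hex characters only) are queried, which also
' keeps anything else in the file out of the request path.
' The Sub body continues in the next section.
Sub RunHashLookup(strInputPath)

    'Read list of items to query
    if not objFSO.fileexists(strInputPath) then
        objFSO.CreateTextFile strInputPath, True
        objShellComplete.run "notepad.exe " & chr(34) & strInputPath & chr(34)
        msgbox "Input list (" & strInputPath & ") file was not found. The file has been created and opened in notepad. Please input the hashes or IP and domain addresses you want to scan and save the file."
    end if
    Set oFile = objFSO.GetFile(strInputPath)

    ' The size is checked after the prompt above returns, so a file the operator
    ' has just saved is read without a second prompt.
    If oFile.Size = 0 Then
        objFSO.CreateTextFile strInputPath, True
        objShellComplete.run "notepad.exe " & chr(34) & strInputPath & chr(34)
        msgbox "Input list (" & strInputPath & ") file was empty. The file has been opened in notepad. Please input hashes or IP addresses and domains you want to scan and save the file."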
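' --- RunHashLookup continues: the Sub header and the empty-file prompt are in the previous section ---

    End If

    boolHeaderWritten = False
    strHeaderImport = "" 'header from CSV file we are importing
    Set objRLfile = objFSO.OpenTextFile(strInputPath)
    Do While Not objRLfile.AtEndOfStream
        if not objRLfile.AtEndOfStream then 'read file
            On Error Resume Next
            ' Trim so a hash followed by a trailing space is still recognised by
            ' IsHash instead of being skipped without any message.
            strLineIn = Trim(objRLfile.ReadLine)
            on error goto 0
            ' IsHash allows hex characters only, so strLineIn cannot carry path
            ' or query syntax into the request URL.
            if ishash(strLineIn) then
                CbOutput = CbHTTPrequest("/api/v1/binary/" & strLineIn & "/summary")

                individualHashProcess CbOutput
            end if
        end if
    loop
end sub


' Extract the columns of one binary record (pretty-printed JSON text from the
' binary search or the /summary endpoint) into the script-global strCB* fields
' and hand them to outputHashCSV. Nothing is parsed as JSON: every field is
' located by substring search (getdata) and the first observed_filename wins.
' Optional columns are only filled when their boolOutput* switch is on.
Sub individualHashProcess(strCBresponseText)

    if len(strCBresponseText) > 0 then

        strCBfilePath = getdata(strCBresponseText, "]", "observed_filename" & Chr(34) & ": [")
        strCBfilePath = replace(strCBfilePath,chr(10),"")
        strCBfilePath = RemoveTLS(strCBfilePath)
        strCBfilePath = getdata(strCBfilePath, chr(34),chr(34))'just grab the fist file path listed
        if instr(strCBresponseText, "digsig_publisher") then
            strCBdigSig = getdata(strCBresponseText, chr(34), "digsig_publisher" & Chr(34) & ": " & Chr(34))
            strCBdigSig = replace(strCBdigSig,chr(10),"")
            strCBdigIssue = getdata(strCBresponseText, chr(34), "digsig_issuer" & Chr(34) & ": " & Chr(34))
        else
            'not signed
            strCBdigSig = ""
            strCBdigIssue = ""
        end if
        ' Any "signed" value other than Signed/Unsigned (e.g. a bad or expired
        ' signature) is prefixed to the publisher so it shows in that column.
        if instr(strCBresponseText, "signed" & Chr(34) & ": " & Chr(34) & "Signed") = 0 and instr(strCBresponseText, "signed" & Chr(34) & ": " & Chr(34) & "Unsigned") = 0 then
            'problem with sig
            strCBdigSig = getdata(strCBresponseText, chr(34), "signed" & Chr(34) & ": " & Chr(34)) & " - " & strCBdigSig
        end if
        if boolOutputHosts = True then
            ' A single "hostname" field wins; otherwise the "endpoint" list is taken
            ' and its pipe-separated entries are joined with "/", dropping the purely
            ' numeric parts. strTmpCBHostname is script-global, so it is cleared first
            ' rather than carrying the previous record's value.
            strTmpCBHostname = ""
            strCBHostname = getdata(strCBresponseText, ",", "hostname" & Chr(34) & ": ")
            if strCBHostname = "" then
                strTmpCBHostname = getdata(strCBresponseText, "]", "endpoint" & Chr(34) & ": [" & vblf & " ")
            end if
            if instr(strTmpCBHostname, "|") then
                arrayCBHostName = split(strTmpCBHostname, "|")
                for each CBNames in arrayCBHostName
                    arrayCBnames = split(CBNames, vbLf)
                    for each CBhostName in arrayCBnames
                        strTmpCBHostname = replace(CBhostName, chr(34), "")
                        strTmpCBHostname = replace(strTmpCBHostname, " ","" )
                        if isnumeric(strTmpCBHostname) = False and strTmpCBHostname <> "" then
                            'msgbox strTmpCBHostname
                            if strCBHostname = "" then
                                strCBHostname = strTmpCBHostname
                            else
                                strCBHostname= strCBHostname & "/" & strTmpCBHostname
                            end if
                        end if
                    next
                next
            end if

        end if
        strCBcompanyName = getdata(strCBresponseText, chr(34), "company_name" & Chr(34) & ": " & Chr(34))
        strCBcompanyName = "|" & RemoveTLS(strCBcompanyName)
        strCBproductName = getdata(strCBresponseText, chr(34), "product_name" & Chr(34) & ": " & Chr(34))
        strCBproductName = "|" &RemoveTLS(strCBproductName)
        StrCBMD5 = getdata(strCBresponseText, chr(34), "md5" & Chr(34) & ": " & Chr(34))
        strCBprevalence = getdata(strCBresponseText, ",", "host_count" & Chr(34) & ": ")
        ' host_count may be the last field of its object, in which case the cut at
        ' "," overshoots and the value is trimmed at the line break instead
        if instr(strCBprevalence, vblf) > 0 then
            strCBprevalence = left(strCBprevalence, instr(strCBprevalence, vblf) -1)
        end if
        strCBFileSize = getdata(strCBresponseText, ",", "orig_mod_len" & Chr(34) & ": ")
        ' computed but not referenced again in this Sub
        strtmpCB_Fpath = getfilepath(strCBfilePath)
        strCBVTScore = getdata(strCBresponseText, ",", "alliance_score_virustotal" & Chr(34) & ": ")
        if boolOutputDateAdded = True then
            strDateTimeAdded = getdata(strCBresponseText, chr(34), "server_added_timestamp" & Chr(34) & ": " & Chr(34))
        end if
        if boolOutputDateSigned = True then
            strDateTimeSigned = getdata(strCBresponseText, chr(34), "digsig_sign_time" & Chr(34) & ": " & Chr(34))
        end if
        if boolOutputInternalName = True then
            strInternalName = getdata(strCBresponseText, chr(34), "internal_name" & Chr(34) & ": " & Chr(34))
        end if
        if boolOutputCopyright = True then
            strcopyright = getdata(strCBresponseText, chr(34), "legal_copyright" & Chr(34) & ": " & Chr(34))
        end if
        if boolOutputComments = True then
            strComments = getdata(strCBresponseText, chr(34), "comments" & Chr(34) & ": " & Chr(34))
        end if
        if boolOutputOrigFname = True then
            strOrigFname = getdata(strCBresponseText, chr(34), "original_filename" & Chr(34) & ": " & Chr(34))
        end if
        if boolOutputFileDesc = True then
            strFileDesc = getdata(strCBresponseText, chr(34), "file_desc" & Chr(34) & ": " & Chr(34))
        end if
        strYaraLine = YaraLookup(StrCBMD5)
        outputHashCSV strCBVTScore,strDateTimeAdded, strDateTimeSigned,strInternalName,strcopyright,strComments,strOrigFname,strFileDesc,strYaraLine 'Logs the CSV output
    end if



    ' releases the script-global request object
    Set objHTTP = Nothing
end Sub



' Return AddPipe(strPipeless) when BooleanAddPipe is True, otherwise the value
' untouched (no leading pipe, so the column is omitted from the row).
Function boolAddPipe(strPipeless, BooleanAddPipe)
    if BooleanAddPipe = True then
        strReturnPiped = AddPipe(strPipeless)
    else
        strReturnPiped = strPipeless
    end if
    boolAddPipe = strReturnPiped
end function

' Substring extractor used in place of a JSON parser: returns the text that
' follows the first occurrence of MatchString in contents, up to (not
' including) the next EndOfStringChar. Returns the rest of contents when
' EndOfStringChar never occurs after the match, and "" when MatchString is
' absent. Matching is case-sensitive (default InStr comparison).
Function GetData(contents, ByVal EndOfStringChar, ByVal MatchString)
    MatchStringLength = Len(MatchString)
    x= instr(contents, MatchString)

    if X >0 then
        strSubContents = Mid(contents, x + MatchStringLength)
        if instr(strSubContents,EndOfStringChar) > 0 then
            GetData = Mid(contents, x + MatchStringLength, instr(strSubContents,EndOfStringChar) -1)
            exit function
        else
            GetData = Mid(contents, x + MatchStringLength)
            exit function
        end if
    end if
    GetData = ""

end Function

' Append TextToWrite as one line to TextFileName, creating the file if needed,
' and echo it to the console when EchoOn is True.
' The function body continues in the next section.
function LogData(TextFileName, TextToWrite,EchoOn)
    Set fsoLogData = CreateObject("Scripting.FileSystemObject")
    if EchoOn = True then wscript.echo TextToWrite
    ' line continuation: the matching "Then" is the first token of the next section
    If fsoLogData.fileexists(TextFileName) = False _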
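Then
        'Creates a replacement text file
        on error resume next
        fsoLogData.CreateTextFile TextFileName, True
        ' 53 = "File not found" (typically a missing parent folder) is ignored; any
        ' other failure is shown to the user
        if err.number <> 0 and err.number <> 53 then msgbox err.number & " " & err.description & vbcrlf & TextFileName
        on error goto 0
    End If
    if TextFileName <> "" then


        ' ForAppending is not defined in this section; presumably the script-level
        ' FSO constant (8) - confirm
        Set WriteTextFile = fsoLogData.OpenTextFile(TextFileName,ForAppending, False)
        on error resume next
        WriteTextFile.WriteLine TextToWrite
        if err.number <> 0 then
            ' WriteLine failed (text the stream could not encode is the usual cause);
            ' fall back to writing the line as UTF-16 through ADODB.Stream.
            ' NOTE(review): SaveToFile mode 2 is adSaveCreateOverWrite, so this
            ' fallback replaces the whole file with the single line - confirm that is
            ' acceptable for the log files this is used on.
            on error goto 0
            WriteTextFile.Close
            Dim objStream
            Set objStream = CreateObject("ADODB.Stream")
            objStream.CharSet = "utf-16"
            objStream.Open
            objStream.WriteText TextToWrite
            on error resume next
            objStream.SaveToFile TextFileName, 2
            ' Err has no .message property; referencing it raised a second error inside
            ' the On Error Resume Next block and silently skipped this statement, so a
            ' failed fallback write was never reported. Err.Description is the right member.
            if err.number <> 0 then msgbox err.number & " - " & err.description & " Problem writting to " & TextFileName
            if err.number <> 0 then msgbox "problem writting text: " & TextToWrite
            on error goto 0
            Set objStream = nothing
        end if
    end if
    Set fsoLogData = Nothing
End Function


' Return the directory part of FilePathName: everything before the last
' backslash. Leaves the result Empty when the string contains no backslash.
Function GetFilePath (ByVal FilePathName)
    Dim intLastSlash
    ' The previous right-to-left scan began two characters from the end, so a path
    ' whose only backslash is the final character (e.g. "ab\") returned "a"
    ' instead of "ab". InStrRev finds the last backslash directly.
    intLastSlash = InStrRev(FilePathName, "\")
    If intLastSlash > 0 Then
        GetFilePath = Left(FilePathName, intLastSlash - 1)
    End If
end Function

' Seconds between the Unix epoch and oldDate. The epoch is written as a string,
' so DateDiff parses it with the system locale; no time-zone adjustment is applied.
function UDate(oldDate)
    UDate = DateDiff("s", "01/01/1970 00:00:00", oldDate)
end function



' Strip leading and trailing spaces (only the space character, not tabs) from
' strTLS. Returns Empty, not "", when the input is empty or all spaces.
Function RemoveTLS(strTLS)
    dim strTmpTLS
    ' drop everything before the first non-space character
    if len(strTLS) > 0 then
        for rmb = 1 to len(strTLS)
            if mid(strTLS, rmb, 1) <> " " then
                strTmpTLS = right(strTLS,len(strTLS) - RMB +1)
                exit for
            end if
        next
    end if

    ' then cut after the last non-space character
    if len(strTmpTLS) > 0 then
        for rmb = len(strTmpTLS) to 1 step -1

            if mid(strTmpTLS, rmb, 1) <> " " then
                strTmpTLS = left(strTmpTLS,len(strTmpTLS) - (len(strTmpTLS) - RMB))
                exit for
            end if
        next
    end if

    RemoveTLS = strTmpTLS
end function

' Turn a value into exactly one pipe-delimited column: prefix a single "|" and
' replace any embedded "|" with "," so the value cannot split into extra
' columns. An existing leading "|" is not doubled; "" yields "|".
Function AddPipe(strpipeless)
    dim strPipeAdded

    if len(strpipeless) > 0 then
        if left(strpipeless, 1) <> "|" then
            strPipeAdded = "|" & replace(strpipeless, "|", ",")

        else
            strPipeAdded = "|" & replace(right(strpipeless, len(strpipeless) -1), "|", ",")
        end if
    else
        strPipeAdded = "|"
    end if

    AddPipe = strPipeAdded
end function




' Reversible obfuscation, not encryption: the text is reversed and each
' character code is shifted up by the cycling key's character codes. Anyone
' holding the script (and so the key) can undo it, so it protects nothing
' against a reader of the files it is applied to; treat the stored value as
' the secret itself. chr() raises when a shifted code leaves the character
' range, which the commented-out diagnostic below was used to debug.
Function encrypt(StrText, key) 'Rafael Paran? - https://gallery.technet.microsoft.com/scriptcenter/e0d5d71c-313e-4ac1-81bf-0e016aad3cd2
    Dim lenKey, KeyPos, LenStr, x, Newstr

    Newstr = ""
    lenKey = Len(key)
    KeyPos = 1
    LenStr = Len(StrText)
    StrTmpText = StrReverse(StrText)
    For x = 1 To LenStr
        Newstr = Newstr & chr(asc(Mid(StrTmpText,x,1)) + Asc(Mid(key,KeyPos,1)))
        KeyPos = keypos+1
        If KeyPos > lenKey Then KeyPos = 1
        'if x = 4 then msgbox "error with char " & Chr(34) & asc(Mid(StrTmpText,x,1)) - Asc(Mid(key,KeyPos,1)) & Chr(34) & " At position " & KeyPos & vbcrlf & Mid(StrTmpText,x,1) & Mid(key,KeyPos,1) & vbcrlf & asc(Mid(StrTmpText,x,1)) & asc(Mid(key,KeyPos,1))
    Next
    encrypt = Newstr
End Function

' Inverse of encrypt() (same key). The body continues in the next section.
Function Decrypt(StrText,key) 'Rafael Paran?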
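'- https://gallery.technet.microsoft.com/scriptcenter/e0d5d71c-313e-4ac1-81bf-0e016aad3cd2
' Un-reverses the text and subtracts the cycling key codes, then reverses the
' result again. Like encrypt() this is obfuscation: the key sits in the script.
    Dim lenKey, KeyPos, LenStr, x, Newstr

    Newstr = ""
    lenKey = Len(key)
    KeyPos = 1
    LenStr = Len(StrText)

    StrText=StrReverse(StrText)
    For x = LenStr To 1 Step -1
        on error resume next
        Newstr = Newstr & chr(asc(Mid(StrText,x,1)) - Asc(Mid(key,KeyPos,1)))
        if err.number <> 0 then
            ' chr() raised: the difference left the character range, i.e. the text
            ' was not produced by encrypt() with this key
            msgbox "error with char " & Chr(34) & asc(Mid(StrText,x,1)) - Asc(Mid(key,KeyPos,1)) & Chr(34) & " At position " & KeyPos & vbcrlf & Mid(StrText,x,1) & Mid(key,KeyPos,1) & vbcrlf & asc(Mid(StrText,x,1)) & asc(Mid(key,KeyPos,1))
            ' VBScript has no octal literals: 011 is decimal 11, the process exit code
            wscript.quit(011)
        end if
        on error goto 0
        KeyPos = KeyPos+1
        If KeyPos > lenKey Then KeyPos = 1
    Next
    Newstr=StrReverse(Newstr)
    Decrypt = Newstr
End Function

' Format strFDate as yyyy-MM-ddTHH:mm:ss (zero padded, no time-zone suffix).
' Accepts whatever DatePart accepts: a Date, or a string parsed with the
' system locale.
Function FormatDate(strFDate)
    Dim strTmpMonth
    Dim strTmpDay
    strTmpMonth = datepart("m",strFDate)
    strTmpDay = datepart("d",strFDate)
    strTmpHours = datepart("h",strFDate)
    strTmpMinutes = datepart("n",strFDate)
    strTmpSeconds = datepart("s",strFDate)
    if len(strTmpMonth) = 1 then strTmpMonth = "0" & strTmpMonth
    if len(strTmpDay) = 1 then strTmpDay = "0" & strTmpDay

    if len(strTmpHours) = 1 then strTmpHours = "0" & strTmpHours
    if len(strTmpMinutes) = 1 then strTmpMinutes = "0" & strTmpMinutes
    if len(strTmpSeconds) = 1 then strTmpSeconds = "0" & strTmpSeconds

    FormatDate = datepart("yyyy",strFDate) & "-" & strTmpMonth & "-" & strTmpDay & "T" & strTmpHours & ":" & strTmpMinutes & ":" & strTmpSeconds


end function



' Page through /api/v1/threat_report?q=<strQuery> and record every report:
'   * reports titled "Matched yara rules: a,b" whose IOC is a hash go into
'     dictYARA (hash -> "a^b") and every rule name is registered with
'     queryYARAdict, which feeds the expanded YARA columns;
'   * each report is appended as a quoted CSV row (id,title,ioc) to
'     <CurrentDirectory>\<strUniquefName>_<unix time>.csv.
' The raw body of every page is written to Cb_TQueryResults.log. After the
' first (unpaged) request, further pages are fetched 1000 rows at a time until
' total_results is reached. Transport errors are logged to CB_Error.log and an
' unparsable total_results is reported with a message box; both end the
' function early. No value is returned.
Function CbFeedQuery(strQuery, strUniquefName)
    ' starts at 10 on the assumption that the first, unpaged request returns 10 rows
    Dim intParseCount: intParseCount = 10
    Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
    strAppendQuery = ""
    boolexit = False
    do while boolexit = False
        strAVEurl = StrBaseCBURL & "/api/v1/threat_report?q=" & strQuery & strAppendQuery
        if boolUseSocketTools = False then
            objHTTP.open "GET", strAVEurl, False
            objHTTP.setRequestHeader "X-Auth-Token", strCarBlackAPIKey

            on error resume next
            objHTTP.send
            if err.number <> 0 then
                logdata CurrentDirectory & "\CB_Error.log", Date & " " & Time & " CarBlack lookup failed with HTTP error. - " & err.description,False
                exit function
            end if
            on error goto 0

            ' responseBody is a byte array; RSBinaryToString turns it into text
            CBresponseText = objHTTP.responseBody
            StrTmpResponse = RSBinaryToString(CBresponseText)
        else
            ' SocketTools_HTTP already returns the body as a string. Previously this
            ' branch stored it in a different variable than the one tested below, so
            ' the feed was never parsed in SocketTools mode.
            StrTmpResponse = SocketTools_HTTP(strAVEurl)
            CBresponseText = StrTmpResponse
        end if
        if len(StrTmpResponse) > 0 then

            logdata CurrentDirectory & "\Cb_TQueryResults.log", StrTmpResponse,False

            ' each pretty-printed report object starts on a new line with " {"
            strArrayCBresponse = split(StrTmpResponse, vblf & " {")
            for each strCBResponseText in strArrayCBresponse
                ' first bracketed list in the object is taken as the IOC list; its first
                ' quoted value is the IOC keyed on
                strTmpIOC = getdata(strCBResponseText, "]", "[")

                strItem = getdata(strTmpIOC, chr(34) ,chr(34))
                strCBid = getdata(strCBResponseText, chr(34), chr(34) & "id" & Chr(34) & ": " & Chr(34))
                strTitle = getdata(strCBResponseText, chr(34), "title" & Chr(34) & ": " & Chr(34))

                if strTitle <> "" then
                    if instr(strTitle, "Matched yara rules: ") and ishash(strItem) then
                        ' keep only the rule list after the 20-character marker and use ^ as
                        ' the separator so the CSV comma stays free; taking the text from the
                        ' marker's position (rather than a fixed offset) is correct even when
                        ' the title does not start with it
                        strTitle = replace(mid(strTitle, instr(strTitle, "Matched yara rules: ") + 20), ",", "^")
                        ' Dictionary.Add raises on a duplicate key and would abort the run;
                        ' the first report seen for a hash is kept
                        if dictYARA.exists(strItem) = False then dictYARA.add strItem, strTitle
                    end if
                    if instr(strTitle, "^") = 0 then
                        queryYARAdict strTitle, strItem
                    else
                        arrayRuleNames = split(strTitle, "^")
                        for each yaraRname in arrayRuleNames
                            queryYARAdict yaraRname, strItem
                        next
                    end if
                    strRowOut = strCBid & "|" & strTitle & "|" & strItem
                    strRowOut = chr(34) & replace(strRowOut,"|",chr(34) & "," & Chr(34)) & chr(34)
                    ' one output file per run, stamped once with the time of the first row
                    if tmpYaraUID = "" then tmpYaraUID = udate(now)
                    logdata CurrentDirectory & "\" & strUniquefName & "_" & tmpYaraUID & ".csv",strRowOut , false
                end if
            next
        end if
        intResultCount = getdata(StrTmpResponse, ",", "total_results" & Chr(34) & ": ")
        if isnumeric(intResultCount) then

            intAnswer = vbno 'msgbox (intParseCount & " items have been pulled down. Do you want to pull down more? There are a total of " & intResultCount & " items to retrieve",vbYesNo, "Cb Scripts")
            if intAnswer = vbno and intParseCount < clng(intResultCount) then

                ' request the next page
                strAppendQuery = "&start=" & intParseCount & "&rows=" & 1000
                intParseCount = intParseCount + 1000
            else
                boolexit = True
                exit function
            end if
        else
            boolexit = True
            msgbox "YARA query error"
            exit function
        end if
    loop
End function


' GET StrBaseCBURL & strURLQuery (with &start/&rows appended only when
' BoolProcessData is True and the query already has a "?") and scan the
' pretty-printed result objects. Returns total_results as a string when the
' response carries it. Its main job is a side effect: for objects that carry
' provider_url and id (feed definitions from /api/v1/feed) the id of the feed
' named "yara" is stored in the script-global yaraFeedID.
' Transport errors go to CBF_Error.log; "401 Unauthorized" in the body ends the
' script with exit code 997.
Function DumpCbFeed(intCBcount,BoolProcessData, intCBrows, strURLQuery)

    Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
    Dim strAVEurl
    Dim strReturnURL
    dim strAssocWith
    Dim strCBresponseText
    Dim strtmpCB_Fpath
    Dim StrTmpFeedIP
    Dim boolProcessChildren: boolProcessChildren = False
    strAVEurl = StrBaseCBURL & strURLQuery
    if BoolProcessData = True and instr(strAVEurl, "?") > 0 then
        strAVEurl = strAVEurl & "&start=" & intCBcount & "&rows=" & intCBrows
    end if
    if BoolDebugTrace = True then logdata strDebugPath & "\CarBlack" & "" & ".txt", "Query URL=" & strAVEurl & vbcrlf & vbcrlf,BoolEchoLog

    if boolUseSocketTools = False then
        ' no SetOption 2 here: unlike DumpCarBlack this request validates the
        ' server certificate
        objHTTP.open "GET", strAVEurl, False

        objHTTP.setRequestHeader "X-Auth-Token", strCarBlackAPIKey


        on error resume next
        objHTTP.send
        if err.number <> 0 then
            logdata CurrentDirectory & "\CBF_Error.log", Date & " " & Time & " CarBlack lookup failed with HTTP error. - " & err.description,False
            exit function
        end if
        on error goto 0
        ' Debug trace of the raw response. Creates a lot of data, so only enable
        ' BoolDebugTrace for a short test run.
        if BoolDebugTrace = True then logdata strDebugPath & "\CarBlack" & "" & ".txt", objHTTP.responseText & vbcrlf & vbcrlf,BoolEchoLog
        strCBresponseText = objHTTP.responseText
    else
        strCBresponseText = SocketTools_HTTP(strAVEurl)

    end if
    if instr(strCBresponseText, "401 Unauthorized") then
        Msgbox "Carbon Black did not like the API key supplied"
        wscript.quit(997)
    end if
    ' one element per pretty-printed object (the previous if/else split on the
    ' same delimiter in both branches)
    strArrayCBresponse = split(strCBresponseText, vblf & " {")
    for each strCBResponseText in strArrayCBresponse

        if len(strCBresponseText) > 0 then
            'logdata strDebugPath & "cbresponse.log", strCBresponseText, True
            if instr(strCBresponseText, "Sample not found by hash ") > 0 then
                'hash not found
            else
                if instr(strCBresponseText, "total_results" & Chr(34) & ": ") > 0 then
                    DumpCbFeed = getdata(strCBresponseText, ",", "total_results" & Chr(34) & ": ")
                elseif instr(strCBresponseText, "provider_url" & Chr(34) & ": ") > 0 and instr(strCBresponseText, "id" & Chr(34) & ": ") > 0 then
                    strTmpFeedID = getdata(strCBresponseText, ",", "id" & Chr(34) & ": ")
                    strTmpFeedName = getdata(strCBresponseText, Chr(34), chr(34) & "name" & Chr(34) & ": " & Chr(34))
                    if strTmpFeedName = "yara" then yaraFeedID = strTmpFeedID

                end if
            end if
        end if

    next
    set objHTTP = nothing
end function


' True when every character of TestString is a hex digit (0-9, a-f in either
' case). There is no length check, so "abc" passes as readily as a 32-character
' MD5. The body continues in the next section.
Function IsHash(TestString)

    Dim sTemp
    Dim iLen
    Dim iCtr
    Dim sChar

    'returns true if all characters in a string are alphabetical
    ' or numeric
    'returns false otherwise or for empty string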
' --- IsHash continues: the function header and declarations are in the previous section ---
    sTemp = TestString
    iLen = Len(sTemp)
    If iLen > 0 Then
        For iCtr = 1 To iLen
            sChar = Mid(sTemp, iCtr, 1)
            ' hex digits only; isnumeric() is relied on to accept exactly 0-9 for a
            ' single character - confirm it rejects every other single character
            if isnumeric(sChar) or "a"= lcase(sChar) or "b"= lcase(sChar) or "c"= lcase(sChar) or "d"= lcase(sChar) or "e"= lcase(sChar) or "f"= lcase(sChar) then
                'allowed characters for hash (hex)
            else
                IsHash = False
                exit function
            end if
        Next

        IsHash = True
    else
        IsHash = False
    End If

End Function

' Convert a byte array (VT_UI1 | VT_ARRAY), or a multibyte string, to a
' VBScript string by pushing it through an ADO recordset field of type
' adLongVarChar. The bytes are handled as single-byte text, so multi-byte
' UTF-8 is not decoded - confirm if non-ASCII fields matter. Empty input
' returns "".
Function RSBinaryToString(xBinary)
    'Antonin Foller, http://www.motobit.com
    'RSBinaryToString converts binary data (VT_UI1 | VT_ARRAY Or MultiByte string)
    'to a string (BSTR) using ADO recordset

    Dim Binary
    'MultiByte data must be converted To VT_UI1 | VT_ARRAY first.
    ' MultiByteToBinary is not defined in this section; presumably a helper
    ' elsewhere in the script - confirm
    If vartype(xBinary)=8 Then Binary = MultiByteToBinary(xBinary) Else Binary = xBinary

    Dim RS, LBinary
    Const adLongVarChar = 201
    Set RS = CreateObject("ADODB.Recordset")
    LBinary = LenB(Binary)

    If LBinary>0 Then
        RS.Fields.Append "mBinary", adLongVarChar, LBinary
        RS.Open
        RS.AddNew
        RS("mBinary").AppendChunk Binary
        RS.Update
        RSBinaryToString = RS("mBinary")
    Else
        RSBinaryToString = ""
    End If
End Function

' Register strCbHash under strRuleName in the two-level dictYARoutput
' (rule name -> dictionary of hashes). Returns True when the pair was already
' present; otherwise adds it (creating the rule's dictionary on first sight)
' and returns False.
Function queryYARAdict(strRuleName, strCbHash)
    'returns true if exists in DB otherwise returns false and adds to DB
    if dictYARoutput.exists(strRuleName) = False then
        Set dictYARoutput.item(strRuleName) = CreateObject("Scripting.Dictionary")
        dictYARoutput.item(strRuleName).item(strCbHash) = ""
        queryYARAdict = False
    elseif dictYARoutput.item(strRuleName).exists(strCbHash) then
        queryYARAdict = True
    else
        dictYARoutput.item(strRuleName).item(strCbHash) = ""
        queryYARAdict = False
    end if

end function

' Pipe-joined list of every rule name in dictYARoutput, used as the expanded
' YARA header. The body continues in the next section.
Function YARAheaderrow()
    strTmpReturnHead = ""

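' --- YARAheaderrow continues: the function header is in the previous section ---
    for each dictName in dictYARoutput
        if strTmpReturnHead = "" then
            strTmpReturnHead = dictName
        else
            strTmpReturnHead = strTmpReturnHead & "|" & dictName
        end if
    next
    YARAheaderrow = strTmpReturnHead
end function

' One cell per rule name in dictYARoutput, in the order YARAheaderrow emits
' them: the rule name when strCbHash is registered under it, otherwise an
' empty cell. Every cell carries its leading "|", so the result can be
' appended directly to a pipe-separated row.
Function YARAEntryrow(strCbHash)
    strTmpReturnHead = ""

    for each dictName in dictYARoutput
        if dictYARoutput.item(dictName).exists(strCbHash) = True then
            strTmpReturnHead = AppendValuedList(strTmpReturnHead,dictName,"|")
        else
            strTmpReturnHead = strTmpReturnHead & "|"
        end if

    next
    YARAEntryrow = strTmpReturnHead
end function

' Append strAppend to strAggregate with strSeparator in front of it. The
' separator is emitted even for the first element, so "" + "a" gives "|a".
' Returns the new aggregate (VBScript passes by reference by default, so the
' caller's variable is updated as well).
Function AppendValuedList(strAggregate,strAppend,strSeparator)
    if strAggregate = "" then
        strAggregate = strSeparator & strAppend
    else
        strAggregate = strAggregate & strSeparator & strAppend
    end if
    AppendValuedList = strAggregate

end Function


' Read iniKey from iniSection of strFpath and return it typed for the caller:
' "true"/"false" (any case) become Booleans, everything else stays a string.
' currentValue (the script's built-in default) is returned when the key is
' absent or the file is missing (ReadIni returns "") and when the key is
' present with a blank value (ReadIni returns " ").
Function ValueFromIni(strFpath, iniSection, iniKey, currentValue)
    returniniVal = ReadIni( strFpath, iniSection, iniKey)
    ' Previously only " " fell back to currentValue, so a missing key - or a
    ' missing ini file - replaced the default with an empty string even though
    ' ReadIni announces "Using script configured/default settings instead".
    if returniniVal = " " or returniniVal = "" then
        returniniVal = currentValue
    end if
    if TypeName(returniniVal) = "String" then
        returniniVal = stringToBool(returniniVal)'convert type to boolean if needed
    elseif TypeName(returniniVal) = "Integer" then
        ' only reachable when currentValue itself is an Integer; ReadIni always returns a string
        returniniVal = int(returniniVal)'convert type to int if needed
    end if
    ValueFromIni = returniniVal
end function

' "true"/"false" (case-insensitive) -> Boolean True/False; any other value is
' returned unchanged.
Function stringToBool(strBoolean)
    if lcase(strBoolean) = "true" then
        returnBoolean = True
    elseif lcase(strBoolean) = "false" then
        returnBoolean = False
    else
        returnBoolean = strBoolean
    end if
    stringToBool = returnBoolean
end function

' The body continues in the next section.
Function ReadIni( myFilePath, mySection, myKey ) 'http://www.robvanderwoude.com/vbstech_files_ini.php
' This function returns a value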
' read from an INI file
'
' Arguments:
' myFilePath [string] the (path and) file name of the INI file
' mySection [string] the section in the INI file to be searched
' myKey [string] the key whose value is to be returned
'
' Returns:
' the [string] value for the specified key in the specified section
'
' CAVEAT: Will return a space if key exists but value is blank
'         (and "" when the key, section or file is missing)
'
' Written by Keith Lacelle
' Modified by Denis St-Pierre and Rob van der Woude

    Dim intEqualPos
    Dim objFSO, objIniFile
    Dim strFilePath, strKey, strLeftString, strLine, strSection

    ' local objFSO shadows the script-level object of the same name used elsewhere
    Set objFSO = CreateObject( "Scripting.FileSystemObject" )

    ReadIni = ""
    strFilePath = Trim( myFilePath )
    strSection = Trim( mySection )
    strKey = Trim( myKey )

    If objFSO.FileExists( strFilePath ) Then
        ' ForReading is not defined in this section; presumably the script-level
        ' FSO constant (1) - confirm
        Set objIniFile = objFSO.OpenTextFile( strFilePath, ForReading, False )
        Do While objIniFile.AtEndOfStream = False
            strLine = Trim( objIniFile.ReadLine )

            ' Check if section is found in the current line
            If LCase( strLine ) = "[" & LCase( strSection ) & "]" Then
                strLine = Trim( objIniFile.ReadLine )

                ' Parse lines until the next section is reached
                Do While Left( strLine, 1 ) <> "["
                    ' Find position of equal sign in the line (compare mode 1 = text)
                    intEqualPos = InStr( 1, strLine, "=", 1 )
                    If intEqualPos > 0 Then
                        strLeftString = Trim( Left( strLine, intEqualPos - 1 ) )
                        ' Check if item is found in the current line
                        If LCase( strLeftString ) = LCase( strKey ) Then
                            ReadIni = Trim( Mid( strLine, intEqualPos + 1 ) )
                            ' In case the item exists but value is blank
                            If ReadIni = "" Then
                                ReadIni = " "
                            End If
                            ' Abort loop when item is found
                            Exit Do
                        End If
                    End If

                    ' Abort if the end of the INI file is reached
                    If objIniFile.AtEndOfStream Then Exit Do

                    ' Continue with next line
                    strLine = Trim( objIniFile.ReadLine )
                Loop
                Exit Do
            End If
        Loop
        objIniFile.Close
    Else
        ' missing file: the caller receives "" for every key
        if BoolRunSilent = False then WScript.Echo strFilePath & " does not exist. Using script configured/default settings instead"
    End If
End Function

' Fetch strRemoteURL with the SocketTools HttpClient control, sending the Cb
' API key as the X-Auth-Token header, and return the body as a string. A
' licence failure, invalid URL or connection failure ends the whole script
' with exit code 1. The body continues in the next section.
Function SocketTools_HTTP(strRemoteURL)
    ' SocketTools 9.3 ActiveX Edition
    ' Copyright 2018 Catalyst Development Corporation
    ' All rights reserved
    '
    ' This file is licensed to you pursuant to the terms of the
    ' product license agreement included with the original software,
    ' and is protected by copyright law and international treaties.
    ' Unauthorized reproduction or distribution may result in severe
    ' criminal penalties.
    '

    '
    ' Retrieve the specified page from a web server and write the
    ' contents to standard output (in this script the contents are
    ' returned to the caller instead).
' The parameter should specify the
    ' URL of the page to display


    Const httpTransferDefault = 0
    Const httpTransferConvert = 1

    Dim objArgs
    ' local objHttp shadows the script-global objHTTP (VBScript names are case-insensitive)
    Dim objHttp
    Dim strBuffer
    Dim nLength
    Dim nArg, nError


    '
    ' Create an instance of the control
    '
    Set objHttp = WScript.CreateObject("SocketTools.HttpClient.9")

    '
    ' Initialize the object using the specified runtime license key;
    ' if the key is not specified, the development license will be used
    '

    nError = objHttp.Initialize(strLicenseKey)
    If nError <> 0 Then
        WScript.Echo "Unable to initialize SocketTools component"
        WScript.Quit(1)
    End If

    ' the Cb API key travels in the X-Auth-Token request header
    objHttp.HeaderField = "X-Auth-Token"
    objHttp.HeaderValue = strCarBlackAPIKey

    ' Setup error handling since the component will throw an error
    ' if an invalid URL is specified

    On Error Resume Next: Err.Clear
    objHttp.URL = strRemoteURL

    ' Check the Err object to see if an error has occurred, and
    ' if so, let the user know that the URL is invalid

    If Err.Number <> 0 Then
        WScript.echo "The specified URL is invalid"
        WScript.Quit(1)
    End If

    ' Reset error handling and connect to the server using the
    ' default property values that were updated when the URL
    ' property was set (ie: HostName, RemotePort, UserName, etc.)
    On Error GoTo 0
    nError = objHttp.Connect()

    If nError <> 0 Then
        ' a failed connection aborts the whole script, not just this request
        WScript.echo "Error connecting to " & strRemoteURL & ". " & objHttp.LastError & ": " & objHttp.LastErrorString
        WScript.Quit(1)
    End If
    ' presumably seconds (the MSXML transports use milliseconds) - confirm against the SocketTools docs
    objHttp.timeout = 90
    ' Download the file to the local system
    nError = objHttp.GetData(objHttp.Resource, strBuffer, nLength, httpTransferConvert)

    If nError = 0 Then
        SocketTools_HTTP = strBuffer
    Else
        ' On failure the control's ResultString (presumably the HTTP status text)
        ' is returned instead of a body; callers search it for "401 Unauthorized".
        WScript.echo "Error " & objHttp.LastError & ": " & objHttp.LastErrorString
        SocketTools_HTTP = objHttp.ResultString
    End If

    objHttp.Disconnect
    objHttp.Uninitialize
end function

' YARA cell(s) for StrCBMD5. With expandYARA off: "|<rules>" from dictYARA, or
' a bare "|" when the hash has no entry. With expandYARA on: one cell per rule
' from YARAEntryrow. When YARA is disabled nothing is assigned and the
' script-global strYaraLine is returned as it is.
Function YaraLookup(StrCBMD5)
    if boolEnableYARA = True then
        if expandYARA = False then
            if dictYARA.exists(StrCBMD5) then
                strYaraLine = "|" & dictYARA.item(StrCBMD5)
            else
                strYaraLine = "|"
            end if
        else
            strYaraLine = YARAEntryrow(StrCBMD5)
        end if
    end if
    YaraLookup = strYaraLine
end function

' Assemble one CSV row from the script-global strCB* fields plus the optional
' columns passed in, append it to strSSfilePath, then clear the mandatory
' fields. Rows without an MD5 are dropped. Each value is passed through
' AddPipe/boolAddPipe so it occupies exactly one column; optional values get
' no pipe (and so no column) when their switch is off.
' The Sub body continues in the next section.
sub outputHashCSV(strCBVTScore,strDateTimeAdded, strDateTimeSigned,strInternalName,strcopyright,strComments,strOrigFname,strFileDesc,strYaraLine) 'Logs the CSV output
    if StrCBMD5 <> "" then
        strCBfilePath = AddPipe(strCBfilePath) 'CB File Path
        strCBdigSig = AddPipe(strCBdigSig) 'CB Digital Sig
        strCBcompanyName = AddPipe(strCBcompanyName)'CB Company Name
        strCBproductName = AddPipe(strCBproductName) 'Product Name
        strCBFileSize = AddPipe(strCBFileSize)
        strCBprevalence = AddPipe(strCBprevalence)
        strCBVTScore = AddPipe(strCBVTScore)
        strCBHostname = boolAddPipe(strCBHostname, boolOutputHosts)
        strDateTimeAdded = boolAddPipe(strDateTimeAdded, boolOutputDateAdded)
        strDateTimeSigned = boolAddPipe(strDateTimeSigned, boolOutputDateSigned)
        strInternalName = boolAddPipe(strInternalName, boolOutputInternalName)
        strcopyright = boolAddPipe(strcopyright, boolOutputCopyright)
        strComments = boolAddPipe(strComments, boolOutputComments)
1223 | strOrigFname = boolAddPipe(strOrigFname, boolOutputOrigFname) 1224 | strFileDesc = boolAddPipe(strFileDesc, boolOutputFileDesc) 1225 | 1226 | strSSrow = StrCBMD5 & strCBfilePath & strCBdigSig & strCBcompanyName & strCBproductName & strOrigFname & strInternalName & strcopyright & strFileDesc & strComments & strCBprevalence & strCBFileSize & strCBVTScore & strDateTimeAdded & strDateTimeSigned & strCBHostname & strYaraLine 1227 | strTmpSSlout = chr(34) & replace(strSSrow, "|",chr(34) & "," & Chr(34)) & chr(34) 1228 | logdata strSSfilePath, strTmpSSlout, False 1229 | end if 1230 | strCBfilePath = "" 1231 | strCBdigSig = "" 1232 | strCBcompanyName = "" 1233 | strCBproductName = "" 1234 | strCBFileSize = "" 1235 | strCBprevalence = "" 1236 | StrCBMD5 = "" 1237 | strCBVTScore = "" 1238 | end sub 1239 | 1240 | Function SelectFile( ) 1241 | ' File Browser via HTA 1242 | ' Author: Rudi Degrande, modifications by Denis St-Pierre and Rob van der Woude 1243 | ' Features: Works in Windows Vista and up (Should also work in XP). 1244 | ' Fairly fast. 1245 | ' All native code/controls (No 3rd party DLL/ XP DLL). 1246 | ' Caveats: Cannot define default starting folder. 1247 | ' Uses last folder used with MSHTA.EXE stored in Binary in [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32]. 1248 | ' Dialog title says "Choose file to upload". 
1249 | ' Source: http://social.technet.microsoft.com/Forums/scriptcenter/en-US/a3b358e8-15&?lig;-4ba3-bca5-ec349df65ef6 1250 | 1251 | Dim objExec, strMSHTA, wshShell 1252 | 1253 | SelectFile = "" 1254 | 1255 | ' For use in HTAs as well as "plain" VBScript: 1256 | strMSHTA = "mshta.exe ""about:" & "<" & "input type=file id=FILE>" _ 1257 | & "<" & "script>FILE.click();new ActiveXObject('Scripting.FileSystemObject')" _ 1258 | & ".GetStandardStream(1).WriteLine(FILE.value);close();resizeTo(0,0);" & "<" & "/script>""" 1259 | ' For use in "plain" VBScript only: 1260 | ' strMSHTA = "mshta.exe ""about:<input type=file id=FILE>" _ 1261 | ' & "<script>FILE.click();new ActiveXObject('Scripting.FileSystemObject')" _ 1262 | ' & ".GetStandardStream(1).WriteLine(FILE.value);close();resizeTo(0,0);</script>""" 1263 | 1264 | Set wshShell = CreateObject( "WScript.Shell" ) 1265 | Set objExec = wshShell.Exec( strMSHTA ) 1266 | 1267 | SelectFile = objExec.StdOut.ReadLine( ) 1268 | 1269 | Set objExec = Nothing 1270 | Set wshShell = Nothing 1271 | End Function 1272 | --------------------------------------------------------------------------------