Giter VIP home page Giter VIP logo

amp-04-process-name-to-network-connections's Introduction

Gitter chat

AMP for Endpoints Process Name to Network Connections:

Takes a process name as a command line argument and searches the environment for computers that have seen a seen a process or file with that name. It then fetches the trajectory for those computers and parses it to collect the SHA256s for the associated process. The the trajectory is parsed on more time looking at for network connections generated by the relevant SHA256s.

NOTE: This script will process hits from a maximum of 500 endpoints (there is no pagination). If you search for something and it hits on more than 500 endpoints you will not get a complete view of the environment

Before using you must update the following:

The authentictaion parameters are set in the api.cfg :

  • client_id
  • api_key

Usage:

python process_name_to_network_connections.py powershell.exe

Example script output:

This script has multiple outputs:

  • Prints connection information to the console
  • Writes a CSV containing connection the IPs, ports, direction, hostname, and GUID
  • Writes a log containing basic information about progress
Computers Found: 5
Processing: Demo_AMP_Exploit_Prevention_Audit - 13de840a-3577-41b3-8930-1917ca87ceda
  TCP 172.16.175.136:49349 -> 52.148.86.91:7777
  TCP 172.16.175.136:49347 -> 52.148.86.91:7777
  TCP 172.16.175.136:49346 -> 52.148.86.91:7777
  TCP 172.16.175.136:49340 -> 52.148.86.91:7777
  TCP 172.16.175.136:49338 -> 52.148.86.91:7777
  TCP 172.16.175.136:49336 -> 52.148.86.91:7777
  TCP 172.16.175.136:49336 -> 52.148.86.91:7777
Processing: Demo_AMP_Intel - 14dcfce3-9663-434d-9beb-c8836de035ce
  TCP 192.168.68.138:49311 -> 50.225.30.41:80
  TCP 192.168.68.138:49311 -> 50.225.30.41:80
Processing: Demo_AMP - 43ea5bb6-a4ec-48fa-876c-59cc304fda17
  TCP 172.16.175.143:49180 -> 52.168.18.255:8080
  TCP 172.16.175.143:49180 -> 52.168.18.255:8080
Processing: Demo_AMP_MAP_FriedEx - 93252a58-6d27-4687-b5a5-4e32e54cc166
  No communication observed
Processing: Demo_Command_Line_Arguments_Meterpreter - d2721a44-3795-4138-a73a-f36e6d8b0201
  No communication observed
Computers with powershell.exe: 5
Unique SHA256s for powershell.exe: 4
IPs powershell.exe has been observed communicating with: 38

amp-04-process-name-to-network-connections's People

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.