A tool that detects the expensive Carbon Black watchlists.

Overview

CBExpensive

  ___| __ )  ____|                           _)           
 |     __ \  __| \ \  / __ \   _ \ __ \   __| |\ \   / _ \
 |     |   | |    `  <  |   |  __/ |   |\__ \ | \ \ /  __/
\____| ___/ _____|_/\_\ .__/ \___|_|  _|____/_|  \_/ \___|
                       _|                                 

A tool that detects the "expensive" Carbon Black watchlists.

This tool assist in detecting watchlists defined as "expensive", which may adversely affect the performance of the Carbon Black Response.

Installation

  1. Install Python 3 and PIP
  2. Clone this repository
  3. Go inside the repository and install the requirements:
pip install -r requirements.txt

How it works ?

This tool checks all the watchlists in the product for the cases specified in the following items.

  • Number of wildcards used
  • Is wildcard used with "modload" operand ?
  • Is wildcard used with "filemod" operand ?
  • Query Execution Time (last execution time)
  • Number of "OR" operator use
  • Is there usage of equals instead of colons with any operand ?

Usage

  1. Url, port, and Carbon Black API Key fields must be entered in the config file.
  2. Config file and script must be in the same directory. Then the script can be run as follows:
python3 cbexpensive.py
  1. After the script runs, it will generate the results as ".csv" in the directory where it is located.

Config File

[APIKEY]
API_KEY = apikey
[URL]
CB_URL = https://1.1.1.1
CB_PORT = 80

Example

Query ExecutionTime NumberofWildcard WildcardwithFilemod WildcardwithModload EqualOperator NumberofOROperator
((process_name:net.exe OR process_name:net1.exe) AND cmdline:use) 30 0 FALSE FALSE FALSE 1

References

  1. https://developer.carbonblack.com/reference/enterprise-response/6.3/rest-api/#watchlist-operations
  2. https://community.carbonblack.com/t5/Knowledge-Base/EDR-Are-there-Best-Practices-for-Performance-When-Writing-a/ta-p/88599
Owner
Oğuzcan Pamuk
Cyber Security Incident Responder & Threat Hunter
Oğuzcan Pamuk
Wireguard VPN Server Installer for: on Ubuntu, Debian, Arch, Fedora and CentOS

XGuard (Wireguard Server Installer) This Python script should make the installation of a Wireguard VPN server as easy as possible. Wireguard is a mode

Johann 3 Nov 04, 2022
Receive notifications/alerts on the most recent disclosed CVE's.

Receive notifications on the most recent disclosed CVE's.

Ameliorate 7 Nov 24, 2022
Brute-forcing (or not!) deck builder for Pokemon Trading Card Game.

PokeBot Deck Builder Brute-forcing (or not!) deck builder for Pokemon Trading Card Game. Warning: intensely not optimized and spaghetti coded Credits

Hocky Harijanto 0 Jan 10, 2022
Data Recovery from your broken Android phone

Broken Phone Recovery a guide how to backup data from your locked android phone if you broke your screen (and more) you can skip some steps depending

v1nc 25 Sep 23, 2022
Official implementation of the paper "Backdoor Attacks on Self-Supervised Learning".

SSL-Backdoor Abstract Large-scale unlabeled data has allowed recent progress in self-supervised learning methods that learn rich visual representation

UMBC Vision 44 Nov 21, 2022
pybotnet - A Python Library for building Botnet , Trojan or BackDoor for windows and linux with Telegram control panel

pybotnet A Python Library for building botnet , trojan or backdoor for windows and linux with Telegram control panel Disclaimer: Please note that this

</oNion 181 Jan 02, 2023
AIL LeakFeeder: A Module for AIL Framework that automate the process to feed leaked files automatically to AIL

AIL LeakFeeder: A Module for AIL Framework that automates the process to feed leaked files automatically to AIL, So basically this feeder will help you ingest AIL with your leaked files automatically

ail project 8 May 03, 2022
This respository contains the source code of the printjack and phonejack attacks.

Printjack-Phonejack This repository contains the source code of the printjack and phonejack attacks. The Printjack directory contains the script to ca

pietrobiondi 2 Feb 12, 2022
This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit relays only.

This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit re

22 Nov 09, 2022
Installation of hacking tools

Tools-Spartan This is a program that makes it easy for you to download and install tools used in Kali Linux, there are tons of tools available.

1 Nov 10, 2021
A python implementation of the windows 95 product key check.

Windows 95 Product Key Check Info: This is a python implementation of the windows 95 product key check. This was just a bit of fun and a massive 5 hou

11 Aug 07, 2022
Python decompiler for Python 1.5-2.4 (for historical archive)

This preserves the early code of a Python decompiler for Python versions 1.5 to 2.4. I have been able to install this using pyenv using Python 2.3.7 u

R. Bernstein 2 Jan 04, 2022
STATS305C: Applied Statistics III (Spring, 2022)

STATS305C: Applied Statistics III Instructor: Scott Linderman TA: Matt MacKay, James Yang Term: Spring 2022 Stanford University Course Description: Pr

Scott Linderman 14 Aug 11, 2022
md5 hash cracking with python.

Python-Md5-Cracker- md5 hash cracking with python. Original files added First create a file called word.txt then run the wordCreate.py script The task

Nebil Sharifi 0 Aug 31, 2022
Moodle community-based vulnerability scanner

badmoodle Moodle community-based vulnerability scanner Description badmoodle is an unofficial community-based vulnerability scanner for moodle that sc

Michele Di Bonaventura 11 Dec 22, 2022
Provides script to download and format public IP lists related to the Log4j exploit.

Provides script to download and format public IP lists related to the Log4j exploit. Current format includes: plain list, Cisco ASA Network Group.

Gianluca Ulivi 1 Jan 02, 2022
Ethereum transaction decoder (community version).

EthTx Community Edition Community version of EthTx transaction decoder Local environment For local instance, you need few things: Depending on your di

240 Dec 21, 2022
spring-cloud-gateway-rce CVE-2022-22947

Spring Cloud Gateway Actuator API SpEL表达式注入命令执行(CVE-2022-22947) 1.installation pip3 install -r requirements.txt 2.Usage $ python3 spring-cloud-gateway

k3rwin 10 Sep 28, 2022
A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts

log4j-scan A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts Features Support for lists of URLs. Fuzzing for more

Duc Linh Nguyen 4 Aug 08, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Known issues it will not work outside kali , i will update it

Hossam 867 Dec 22, 2022