A tool that detects the expensive Carbon Black watchlists.

Related tags

Security related resourcescbexpensive
Overview

CBExpensive

  ___| __ )  ____|                           _)           
 |     __ \  __| \ \  / __ \   _ \ __ \   __| |\ \   / _ \
 |     |   | |    `  <  |   |  __/ |   |\__ \ | \ \ /  __/
\____| ___/ _____|_/\_\ .__/ \___|_|  _|____/_|  \_/ \___|
                       _|

A tool that detects the "expensive" Carbon Black watchlists.

This tool assist in detecting watchlists defined as "expensive", which may adversely affect the performance of the Carbon Black Response.

Installation

  1. Install Python 3 and PIP
  2. Clone this repository
  3. Go inside the repository and install the requirements:
pip install -r requirements.txt

How it works ?

This tool checks all the watchlists in the product for the cases specified in the following items.

  • Number of wildcards used
  • Is wildcard used with "modload" operand ?
  • Is wildcard used with "filemod" operand ?
  • Query Execution Time (last execution time)
  • Number of "OR" operator use
  • Is there usage of equals instead of colons with any operand ?

Usage

  1. Url, port, and Carbon Black API Key fields must be entered in the config file.
  2. Config file and script must be in the same directory. Then the script can be run as follows:
python3 cbexpensive.py
  1. After the script runs, it will generate the results as ".csv" in the directory where it is located.

Config File

[APIKEY]
API_KEY = apikey
[URL]
CB_URL = https://1.1.1.1
CB_PORT = 80

Example

Query ExecutionTime NumberofWildcard WildcardwithFilemod WildcardwithModload EqualOperator NumberofOROperator
((process_name:net.exe OR process_name:net1.exe) AND cmdline:use) 30 0 FALSE FALSE FALSE 1

References

  1. https://developer.carbonblack.com/reference/enterprise-response/6.3/rest-api/#watchlist-operations
  2. https://community.carbonblack.com/t5/Knowledge-Base/EDR-Are-there-Best-Practices-for-Performance-When-Writing-a/ta-p/88599
Owner
Oğuzcan Pamuk
Cyber Security Incident Responder & Threat Hunter
Oğuzcan Pamuk
GitHub Repository
A tool combined with the advantages of masscan and nmap

A tool combined with the advantages of masscan and nmap

59 Dec 24, 2022
Python HDFS client

Python HDFS client Because the world needs yet another way to talk to HDFS from Python. Usage This library provides a Python client for WebHDFS. NameN

Jing Wang 82 Dec 28, 2022
Remote control your Greenbone Vulnerability Manager (GVM)

Greenbone Vulnerability Management Tools The Greenbone Vulnerability Management Tools gvm-tools are a collection of tools that help with remote contro

Greenbone 130 Dec 17, 2022
Data Recovery from your broken Android phone

Broken Phone Recovery a guide how to backup data from your locked android phone if you broke your screen (and more) you can skip some steps depending

v1nc 25 Sep 23, 2022
A semi-automatic osint/recon framework.

Smog Framework A semi-automatic osint/recon framework. Requirements git Python = 3.8 How to use it

toast 22 Oct 17, 2022
PassLock is a medium-security password manager that encrypts passwords using Advanced Encryption Standards (AES)

A medium security python password manager that encrypt passwords using Advanced Encryption Standard (AES) PassLock is a password manager and password

Akshay Vs 44 Nov 18, 2022
Pgen is the best brute force password generator and it is improved from the cupp.py

pgen Pgen is the best brute force password generator and it is improved from the cupp.py The pgen tool is dedicated to Leonardo da Vinci -Time stays l

heyheykids 2 Jan 31, 2022
Shell hunter for AF

AF-ShellHunter AF-ShellHunter: Auto shell lookup AF-ShellHunter its a script designed to automate the search of WebShell's in AF Team How to pip3 ins

Eduardo 34 May 13, 2022
Privilege escalation with polkit - CVE-2021-3560

Polkit-exploit - CVE-2021-3560 Privilege escalation with polkit - CVE-2021-3560 Summary CVE-2021-3560 is an authentication bypass on polkit, which all

Ahmad Almorabea 95 Dec 27, 2022
Convert a collection of features to a fixed-dimensional matrix using the hashing trick.

FeatureHasher Convert a collection of features to a fixed-dimensional matrix using the hashing trick. Note, this requires Jina=2.2.4. Example Here I

Jina AI 5 Mar 15, 2022
The best Python Backdoor👌

Backdoor The best Python Backdoor Files Server file is used in all of cases If client is Windows, the client need execute EXE file If client is Linux,

13 Oct 28, 2022
ADExplorerSnapshot.py is an AD Explorer snapshot ingestor for BloodHound.

ADExplorerSnapshot.py ADExplorerSnapshot.py is an AD Explorer snapshot ingestor for BloodHound. AD Explorer allows you to connect to a DC and browse L

576 Dec 23, 2022
Python low-interaction honeyclient

Thug The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as th

Angelo Dell'Aera 896 Dec 19, 2022
evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.

Introduction evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files. It can process a high numbe

NVISO 116 Dec 29, 2022
It's a simple tool for test vulnerability shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to ex

Mr. Cl0wn - H4ck1ng C0d3r 88 Dec 23, 2022
The Easiest Way To Gallery Hacking

The easiest way to HACK A GALLARY, Get every part of your friends' gallery ( 100% Working ) | Tool By John Kener 🇱🇰

John Kener 34 Nov 30, 2022
DCSync - DCSync Attack from Outside using Impacket

Adding DCSync Permissions Mostly copypasta from https://github.com/tothi/rbcd-at

n00py 77 Dec 16, 2022
A collection of write-ups and solutions for Cyber FastTrack Spring 2021.

IMPORTANT: Please contact us before you use any styling or content shown here! Cyber FastTrack Spring 2021 / National Cyber Scholarship Competition -

Alice 48 Aug 28, 2022
Sentinel-1 SAR time series analysis for OSINT use

SARveillance Sentinel-1 SAR time series analysis for OSINT use. Description Generates a time lapse GIF of the Sentinel-1 satellite images for the loca

21 Dec 09, 2022
DepFine Is a tool to find the unregistered dependency based on dependency confusion valunerablility and lead to RCE

DepFine DepFine Is a tool to find the unregistered dependency based on dependency confusion valunerablility and lead to RCE Installation: You Can inst

Hossam mesbah 14 Nov 11, 2022