diff --git a/plugins/grr/.CHECKSUM b/plugins/grr/.CHECKSUM
deleted file mode 100644
index eb06215b96..0000000000
--- a/plugins/grr/.CHECKSUM
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "spec": "d53a170fbcf5fb474d2b2f4ba102ebbb",
- "manifest": "a7aac9416b3ee4df04233b0c0930b11a",
- "setup": "99bfc64c1e65aa63e088373af6a1f0ba",
- "schemas": [
- {
- "identifier": "hunting/schema.py",
- "hash": "9e8a4f8426034724815b8a52b26aa457"
- },
- {
- "identifier": "labeling/schema.py",
- "hash": "e345981bfbca09434878fd8362d8a0e8"
- },
- {
- "identifier": "listing/schema.py",
- "hash": "7dd79d69ed3a6993299305ab98c20b2a"
- },
- {
- "identifier": "connection/schema.py",
- "hash": "8b7eb3cff059e9d92216c85554f1f03d"
- }
- ]
-}
\ No newline at end of file
diff --git a/plugins/grr/.dockerignore b/plugins/grr/.dockerignore
deleted file mode 100644
index 93dc53fb01..0000000000
--- a/plugins/grr/.dockerignore
+++ /dev/null
@@ -1,9 +0,0 @@
-unit_test/**/*
-unit_test
-examples/**/*
-examples
-tests
-tests/**/*
-**/*.json
-**/*.tar
-**/*.gz
\ No newline at end of file
diff --git a/plugins/grr/Dockerfile b/plugins/grr/Dockerfile
deleted file mode 100755
index 1cb35b530d..0000000000
--- a/plugins/grr/Dockerfile
+++ /dev/null
@@ -1,25 +0,0 @@
-FROM komand/python-2-plugin:2
-# The three supported python parent images are:
-# - komand/python-2-plugin
-# - komand/python-3-plugin
-# - komand/python-pypy3-plugin
-#
-# Update the tag to a full semver version
-
-# Add any custom package dependencies here
-# NOTE: Add pip packages to requirements.txt
-
-# End package dependencies
-
-# Add source code
-WORKDIR /python/src
-ADD ./plugin.spec.yaml /plugin.spec.yaml
-ADD . /python/src
-
-# Install pip dependencies
-RUN if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
-
-# Install plugin
-RUN python setup.py build && python setup.py install
-
-ENTRYPOINT ["/usr/local/bin/icon_grr"]
diff --git a/plugins/grr/Makefile b/plugins/grr/Makefile
deleted file mode 100755
index cb85f96b6c..0000000000
--- a/plugins/grr/Makefile
+++ /dev/null
@@ -1,53 +0,0 @@
-# Include other Makefiles for improved functionality
-INCLUDE_DIR = ../../tools/Makefiles
-MAKEFILES := $(wildcard $(INCLUDE_DIR)/*.mk)
-# We can't guarantee customers will have the include files
-# - prefix to ignore Makefiles when not present
-# https://www.gnu.org/software/make/manual/html_node/Include.html
--include $(MAKEFILES)
-
-ifneq ($(MAKEFILES),)
- $(info [$(YELLOW)*$(NORMAL)] Use ``make menu`` for available targets)
- $(info [$(YELLOW)*$(NORMAL)] Including available Makefiles: $(MAKEFILES))
- $(info --)
-else
- $(warning Makefile includes directory not present: $(INCLUDE_DIR))
-endif
-
-VERSION?=$(shell grep '^version: ' plugin.spec.yaml | sed 's/version: //')
-NAME?=$(shell grep '^name: ' plugin.spec.yaml | sed 's/name: //')
-VENDOR?=$(shell grep '^vendor: ' plugin.spec.yaml | sed 's/vendor: //')
-CWD?=$(shell basename $(PWD))
-_NAME?=$(shell echo $(NAME) | awk '{ print toupper(substr($$0,1,1)) tolower(substr($$0,2)) }')
-PKG=$(VENDOR)-$(NAME)-$(VERSION).tar.gz
-
-# Set default target explicitly. Make's default behavior is the first target in the Makefile.
-# We don't want that behavior due to includes which are read first
-.DEFAULT_GOAL := default # Make >= v3.80 (make -version)
-
-
-default: image tarball
-
-tarball:
- $(info [$(YELLOW)*$(NORMAL)] Creating plugin tarball)
- rm -rf build
- rm -rf $(PKG)
- tar -cvzf $(PKG) --exclude=$(PKG) --exclude=tests --exclude=run.sh *
-
-image:
- $(info [$(YELLOW)*$(NORMAL)] Building plugin image)
- docker build --pull -t $(VENDOR)/$(NAME):$(VERSION) .
- docker tag $(VENDOR)/$(NAME):$(VERSION) $(VENDOR)/$(NAME):latest
-
-regenerate:
- $(info [$(YELLOW)*$(NORMAL)] Regenerating schema from plugin.spec.yaml)
- icon-plugin generate python --regenerate
-
-export: image
- $(info [$(YELLOW)*$(NORMAL)] Exporting docker image)
- @printf "\n ---> Exporting Docker image to ./$(VENDOR)_$(NAME)_$(VERSION).tar\n"
- @docker save $(VENDOR)/$(NAME):$(VERSION) | gzip > $(VENDOR)_$(NAME)_$(VERSION).tar
-
-# Make will not run a target if a file of the same name exists unless setting phony targets
-# https://www.gnu.org/software/make/manual/html_node/Phony-Targets.html
-.PHONY: default tarball image regenerate
diff --git a/plugins/grr/bin/icon_grr b/plugins/grr/bin/icon_grr
deleted file mode 100755
index 5e4f79ba1f..0000000000
--- a/plugins/grr/bin/icon_grr
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/usr/bin/env python
-# GENERATED BY KOMAND SDK - DO NOT EDIT
-import os
-import json
-from sys import argv
-
-Name = "Google Rapid Response"
-Vendor = "rapid7"
-Version = "3.0.1"
-Description = "Organize and start threat hunts using GRR"
-
-
-def main():
- if 'http' in argv:
- if os.environ.get("GUNICORN_CONFIG_FILE"):
- with open(os.environ.get("GUNICORN_CONFIG_FILE")) as gf:
- gunicorn_cfg = json.load(gf)
- if gunicorn_cfg.get("worker_class", "sync") == "gevent":
- from gevent import monkey
- monkey.patch_all()
- elif 'gevent' in argv:
- from gevent import monkey
- monkey.patch_all()
-
- import komand
- from icon_grr import connection, actions, triggers
-
- class ICONGrr(komand.Plugin):
- def __init__(self):
- super(self.__class__, self).__init__(
- name=Name,
- vendor=Vendor,
- version=Version,
- description=Description,
- connection=connection.Connection()
- )
- self.add_action(actions.Hunting())
-
- self.add_action(actions.Labeling())
-
- self.add_action(actions.Listing())
-
-
- """Run plugin"""
- cli = komand.CLI(ICONGrr())
- cli.run()
-
-
-if __name__ == "__main__":
- main()
diff --git a/plugins/grr/extension.png b/plugins/grr/extension.png
deleted file mode 100644
index a5fcabf522..0000000000
Binary files a/plugins/grr/extension.png and /dev/null differ
diff --git a/plugins/grr/help.md b/plugins/grr/help.md
deleted file mode 100644
index d596ee8121..0000000000
--- a/plugins/grr/help.md
+++ /dev/null
@@ -1,368 +0,0 @@ -# Description - -[GRR Rapid Response](https://github.com/google/grr) is an incident response framework that allows you to focus on remote -live forensics. GRR is a python client (agent) that is installed on target systems, and python server infrastructure -that can manage and talk to clients. - -The GRR plugin allows you to organize clients and start hunts using GRR. - -This plugin utilizes the [GRR Python library](https://github.com/google/grr/tree/master/api_client/python). - -# Key Features - -* Organize GRR clients -* Start a hunt - -# Requirements - -* GRR credentials - -# Supported Product Versions - -*This plugin does not contain any supported product versions.* - -# Documentation - -## Setup - -The connection configuration accepts the following parameters: - -|Name|Type|Default|Required|Description|Enum|Example| -|----|----|-------|--------|-----------|----|-------| -|api_endpoint|string|None|True|The GRR API Endpoint to connect to|None|www.example.com| -|credentials|credential_username_password|None|True|Username and password|None|{}| -|ssl_verify|boolean|True|True|Verify server's SSL/TLS certificate|None|True| - -Example input: - -``` -{ - "api_endpoint":"www.example.com", - "credentials":{ - "username":"user", - "password":"pass" - }, - "ssl_verify":true -} -``` - -## Technical Details - -### Actions - -#### Labeling - -This action is used to label clients based on a search query. 
- -##### Input - -|Name|Type|Default|Required|Description|Enum|Example| -|----|----|-------|--------|-----------|----|-------| -|label|[]string|None|True|Label's clients|None|[]| -|query|string|None|True|Search for clients|None|client:client1| - -Example input: - -``` -{ - "label": ["label1", "label2"], - "query": "client:client1" -} -``` - -##### Output - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|results|string|False|Labeling complete| - -Example output: - -``` - -{ - "results": "All clients have been labeled" -} - -``` - -#### Listing - -This action is used to find and list clients based on a search query. - -##### Input - -|Name|Type|Default|Required|Description|Enum|Example| -|----|----|-------|--------|-----------|----|-------| -|clients|boolean|None|False|Search clients|None|True| -|grr_binaries|boolean|None|False|List GRR binaries|None|True| -|hunt_approvals|boolean|None|False|List hunt approvals|None|True| -|hunts|boolean|None|False|List hunts|None|True| -|query|string|None|True|Query to search for (e.g. 
'host:suspicious.corp.com')|None|host:suspicious.corp.com| - -Example input: - -``` -{ - "clients":true, - "grr_binaries":true, - "hunt_approvals":true, - "hunts":true, - "query": "host:suspicious.corp.com" -} -``` - -##### Output - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|result|object|False|Listing results| - -Example output: - -``` - -{ - "result": { - "client0": { - "hardwareInfo": { - "biosVersion": "VirtualBox", - "serialNumber": "0", - "biosVendor": "innotek GmbH", - "systemSkuNumber": "Not Specified", - "biosReleaseDate": "12/01/2006", - "systemProductName": "VirtualBox", - "systemFamily": "Virtual Machine", - "systemUuid": "E9200C28-9075-46CE-A477-A9BAEF46FBE6", - "biosRomSize": "128 kB", - "systemManufacturer": "innotek GmbH" - }, - "osInfo": { - "machine": "x86_64", - "kernel": "4.15.0-20-generic", - "version": "18.4", - "installDate": "1529100873000000", - "release": "Ubuntu", - "system": "Linux", - "fqdn": "anonymous-VirtualBox" - }, - "labels": [ - { - "owner": "admin", - "name": "suspicious" - } - ], - "knowledgeBase": { - "osRelease": "Ubuntu", - "osMinorVersion": 4, - "os": "Linux", - "fqdn": "anonymous-VirtualBox", - "osMajorVersion": 18 - }, - "agentInfo": { - "clientDescription": "grr linux amd64", - "buildTime": "2018-03-08 12:12:56", - "clientVersion": 3220, - "clientName": "grr" - }, - "lastClock": "1531947560875707", - "memorySize": "2090307584", - "clientId": "C.8956f9766996b204", - "lastBootedAt": "1531333783000000", - "age": "1531333800792079", - "firstSeenAt": "1529101768850237", - "volumes": [ - { - "actualAvailableAllocationUnits": "1147463", - "totalAllocationUnits": "2563397", - "sectorsPerAllocationUnit": "1", - "bytesPerSector": "4096", - "unixvolume": { - "mountPoint": "/" - } - } - ], - "interfaces": [ - { - "macAddress": "AAAAAAAA", - "ifname": "lo", - "addresses": [ - { - "packedBytes": "fwAAAQ==", - "addressType": "INET" - }, - { - "packedBytes": "AAAAAAAAAAAAAAAAAAAAAQ==", - "addressType": "INET6" 
- } - ] - }, - { - "macAddress": "CAAn9SZD", - "ifname": "enp0s3", - "addresses": [ - { - "packedBytes": "CgACDw==", - "addressType": "INET" - }, - { - "packedBytes": "/oAAAAAAAADBDDCBmP7VBQ==", - "addressType": "INET6" - } - ] - } - ], - "lastSeenAt": "1531947561202751", - "urn": "aff4:/C.8956f9766996b204" - } -} - -``` - -#### Hunting - -This action is used to start a hunt on clients. - -##### Input - -|Name|Type|Default|Required|Description|Enum|Example| -|----|----|-------|--------|-----------|----|-------| -|action|string|None|False|Use an action|['STAT', 'HASH', 'DOWNLOAD']|None| -|annotations|[]string|None|False|Annotations to add to exported data. This field can be used to differentiate sets of exported data inside a particular exported type. e.g. data collected by users vs. data collected by cronjob|None|None| -|apply_parsers|boolean|None|False|If 1, apply any relevant parser to the collected data. If 0, return the raw collected data e.g Files or Registry Keys|None|None| -|artifact_list|string|None|False|A list of Artifact class names|None|None| -|attribute_regex|string|None|False|The regular expression|None|None| -|bytes_after|integer|None|False|Include this many bytes after the hit|None|None| -|bytes_before|integer|None|False|Include this many bytes before the hit|None|None| -|ch_username|string|None|False|The user to get Chrome history for. If history_path is not set this will be used to guess the path to the history files|None|None| -|check_chrome|integer|None|False|Checks Chrome|None|None| -|check_firefox|integer|None|False|Checks Chrome|None|None| -|check_ie|boolean|None|False|Checks Internet Explorer|None|None| -|chunk_size|integer|None|False|A heartbeat will be emitted every chunk_size.This could be reduced in case the process times out|None|None| -|client_limit|integer|None|False|Maximum number of clients participating in the hunt. 
Best practice is for all hunts to use a limit to start with and remove it only when client impact has been assessed by looking at hunt stats. Note that this limit can be overshot by a small number of clients if there are multiple workers running |None|None| -|client_rate|integer|None|False|The maximum number of clients to engage per minute. A rate of 0 means to schedule clients as fast as possible|None|None| -|component_version|string|None|False|Version of Chipsec component to be used|None|None| -|conditions|string|None|False|These conditions will be applied to all files that match the path arguments|['MODIFICATION_TIME', 'ACCESS_TIME', 'INODE_CHANGE_TIME', 'SIZE', 'CONTENTS_REGEX_MATCH', 'CONTENTS_LITERAL_MATCH', 'EXT_FLAGS']|None| -|connection_states|[]string|None|False|Network connection states to match. If a process has any network connections in any status listed here, it will be considered a match|['UNKNOWN', 'CLOSED', 'LISTEN', 'SYN_SENT', 'SYN_RECV', 'ESTABLISHED', 'FIN_WAIT1', 'FIN_WAIT2', 'CLOSE_WAIT', 'CLOSING', 'LAST_ACK', 'TIME_WAIT', 'DELETE_TCB', 'NONE', 'CLOSE']|None| -|convert_values|boolean|None|False|If true, convert values for export-friendly format|None|None| -|cpu_limit|integer|None|False|A limit on the client CPU seconds used by this flow|None|None| -|crash_alert_email|string|None|False|An email address to send mails to when a client crashes during execution of this hunt|None|None| -|data_regex|string|None|False|A regular expression to search for|None|None| -|dependencies|string|USE_CACHED|False|Specifies how dependencies should be handled. Use the knowledgebase as a cache. If knowledgebase isn't present, a new one will be populated|['USE_CACHED', 'IGNORE_DEPS', 'FETCH_NOW']|None| -|description|string|None|False|The description of this hunt|None|None| -|duration|integer|3600|False|Until when should the client stay in the fast poll mode|None|None| -|email|string|None|False|Email address to send to. 
If not set, mail will be sent to the logged in user|None|None| -|email_address|string|None|False|The email address that messages will be sent to|None|None| -|emails_limit|integer|None|False|The emails limit|None|None| -|expiry_time|integer|None|False|Expiry time for the hunt|None|None| -|export_files_contents|boolean|None|False|If this is true, open files and export their full or partial contents. Note: this may require additional datastore roundtrips and slow down the export process, also exporting file contents may significantly increase size of the exported data|None|None| -|export_files_hashes|boolean|None|False|If this is true, export hashes when dealing with file-related values. The files won't be hashed during the export, hashes will only be exported if they were collected before the export. This option affects exporting VFSFile and StatEntry RDFValues. This is true by default even though it requires extra datastore roundtrips because it's very useful and users expect the hashes to be there|None|None| -|fetch_binaries|boolean|None|False|Fetches Binaries|None|None| -|ff_username|string|None|False|The user to get FireFox history for. 
If history_path is not set this will be used to guess the path to the history files|None|None| -|field|string|UNSET|False|Field Specification|['UNSET', 'USERNAMES', 'UNAME', 'FQDN', 'HOST_TIPS', 'CLIENT_NAME', 'CLIENT_DESCRIPTION', 'SYSTEM', 'MAC_ADDRESSES', 'KERNEL_VERSION', 'OS_VERSION', 'OS_RELEASE', 'CLIENT_LABELS', 'INSTALL_TIME', 'CLIENT_VERSION', 'LAST_BOOT_TIME', 'CLIENT_CLOCK']|None| -|filefinder_regex|string|None|False|The regular expression which will be used to search|None|None| -|filename_regex|string|None|False|Regex used to filter the list of processes|None|None| -|flow_args|boolean|False|False|Enable high signal regex checks|None|None| -|flow_name|string|None|True|The name of the Flow you want to use|['Interrogate', 'KeepAlive', 'OnlineNotification', 'CacheGrep', 'ChromeHistory', 'FirefoxHistory', 'CheckRunner', 'ArtifactCollectorFlow', 'DumpACPITable', 'DumpFlashImage', 'FileFinder', 'GetMBR', 'ListVolumeShadowCopies', 'Netstat', 'ListProcesses', 'CollectRunKeyBinaries', 'RegistryFinder']|None| -|follow_links|boolean|None|False|Should symbolic links be followed in recursive directory listings|None|None| -|follow_urns|boolean|None|False|If this is true, follow urns and try to export not only the urns themselves, but also the data they are pointing to. Note: this may require additional datastore roundtrips and slow down the export process|None|None| -|get_archive|boolean|None|False|Gets Archived History as well (3 months old)|None|None| -|grep_users|string|None|False|A list of users to check. Default all users on the system|None|None| -|history_path|string|None|False|Path to a profile directory that contains a History file|None|None| -|hunt_name|string|None|False|The name of the class implementing the hunt to run|None|None| -|ignore_interpolation_errors|boolean|None|False|If true, don't die if %%users.homedir%% and similar fail to expand. It's common on windows for some user attributes to be missing if users have never logged in. 
Enable this when you have multiple artifacts or paths and want to report partial results|None|None| -|integer|boolean|None|False|Integer to trigger this hunt|None|None| -|knowledge_base|string|None|False|An optional knowledge base to use, if not specified we retrieve one from the client object|None|None| -|label|[]string|None|False|Label that triggers this hunt|None|None| -|length|integer|None|False|How far (in bytes) into the file to search or the length of the MBR to read|None|None| -|lightweight|boolean|None|False|Performs a light weight version of the interrogate|None|None| -|listening_only|boolean|None|False|If set, only listening connections are returned|None|None| -|literal|string|None|False|Search for this literal string|None|None| -|log_level|integer|None|False|Set the log level. If set, the log returned will include additional information reported by Chipsec|None|None| -|logging|boolean|None|False|If the logging is set to true, the client sends log, including Chipsec's log|None|None| -|match_mode|string|None|False|Match mode to trigger this hunt|['MATCH_ALL', 'MATCH_ANY']|None| -|max_file_size|string|None|False|The maximum size of files we will download in bytes, 500MB by default|None|None| -|max_findings|integer|None|False|Summarize checks with more than N individual findings|None|None| -|max_last_access_time|integer|None|False|File must be accessed before this time|None|None| -|max_last_inode_change_time|integer|None|False|File's must be changed before this time|None|None| -|max_last_modified_time|integer|None|False|File must be modified before this time|None|None| -|max_size|integer|None|False|The maximum size of files|None|None| -|min_file_size|integer|None|False|Minimum file size in bytes|None|None| -|min_last_access_time|integer|None|False|File must be accessed after this time|None|None| -|min_last_inode_change_time|integer|None|False|File's inode must be changed after this time|None|None| -|min_last_modified_time|integer|None|False|File must be 
modified after this time|None|None| -|mode|string|None|False|When should searching stop? Stop after one hit or search for all|['FIRST_HIT', 'ALL_HITS']|None| -|network_bytes_limit|integer|None|False|A limit on the total traffic used by this flow|None|None| -|notification_event|string|None|False|An event name for an event listener. An event will be published to this listener once the flow finishes|None|None| -|notify_syslog|boolean|None|False|If true, a message will be written by the client to the syslog before running the action. This can be used for debugging in case the client crashes |None|None| -|on_no_results_error|boolean|None|False|The maximum size of files we will download in bytes, 500MB by default|None|None| -|only_cpe|string|None|False|Limit checks to hosts with cpe strings|None|None| -|only_label|string|None|False|Limit checks to hosts with label strings|None|None| -|only_os|string|None|False|Limit checks to hosts of OS type(s) [Linux|OSX|Windows]|None|None| -|operating_system|string|None|False|Type of operating system to trigger this hunt|['Os_windows', 'Os_linux', 'Os_darwin']|None| -|operator|string|None|False|Operator|['EQUAL', 'LESS_THAN', 'GREATER_THAN']|None| -|output_plugin_name|string|None|False|The name of the output plugin|['EmailOutput', 'BigQueryOutput']|None| -|oversized_file_policy|string|None|False|What should GRR do with files that are larger than max_size|['SKIP', 'HASH_TRUNCATED', 'DOWNLOAD_TRUNCATED']|None| -|paths|string|None|False|A path to glob that can contain %% expansions|None|None| -|pathtype|string|None|False|Type of path access to use|['UNSET', 'OS', 'TSK', 'Registry', 'Memory', 'TMPFILE']|None| -|priority|string|None|False|The priority used for this flow|['LOW_PRIORITY', 'MEDIUM_PRIORITY', 'HIGH_PRIORITY']|None| -|process_non_regular_files|boolean|None|False|Look both into regular files and non-regular files (devices, named pipes, sockets). 
NOTE: This is very dangerous and should be used with care|None|None| -|queue|string|None|False|The queue to use for the hunt|None|None| -|regex|boolean|None|False|Use a regular expression to trigger this hunt|None|None| -|resolve_links|boolean|None|False|If true, the action will yield stat information for link targets, if false, the stat for the link itself will be returned|None|None| -|restrict_checks|string|None|False|Only run checks with the specified check_ids|None|None| -|split_output_by_artifact|boolean|None|False|If True, use output as a directory and write a separate collection for each artifact collected|None|None| -|start_offest|integer|None|False|Start searching at this file offset|None|None| -|start_offset|integer|None|False|Start searching at this file offset|None|None| -|table_signature_list|string|None|False|Signature of ACPI tables to be dumped|None|None| -|upload_token|boolean|None|False|An upload token to use with the direct upload functionality. This token contains the hmac authenticated policy that determines for how long the client is allowed to upload files to the server. This is comparable to the policy document used by GCS: https://cloud.google.com/storage/docs/xml-api/post-object#policydocument|None|None| -|use_external_stores|boolean|None|False|If true, look in any defined external file stores for files before downloading them, and offer any new files to external stores. This should be true unless the external checks are misbehaving|None|None| -|use_tsk|boolean|None|False|Whether raw filesystem access should be used|None|None| -|value|integer|None|False|Value|None|None| -|xdev|string|None|False|Behavior when ecountering device boundaries while doing recursive searches|['NEVER', 'ALWAYS', 'LOCAL']|None| -|xor_in_key|integer|None|False|When searching memory we need to ensure we dont hit on our own process. 
This allows us to obfuscate the search string in memory to avoid us finding ourselves|None|None| -|xor_out_key|integer|None|False|When searching memory we need to ensure we dont hit on our own process. This allows us to obfuscate the search string in memory to avoid us finding ourselves|None|None| - -Example input: - -``` -``` - -##### Output - -|Name|Type|Required|Description| -|----|----|--------|-----------| -|results|string|False|Issues found with TruffleHog| - -### Triggers - -*This plugin does not contain any triggers.* -### Tasks - -*This plugin does not contain any tasks.* - -### Custom Types - -*This plugin does not contain any custom output types.* - -## Troubleshooting - -*There is no troubleshooting for this plugin.* - -# Version History - -* 3.0.1 - Updated plugin to set the status to obsolete. This plugin is no longer supported. -* 3.0.0 - Updated requests version | default values and enum changed for hunting -* 2.0.2 - Correct spelling in help.md -* 2.0.1 - New spec and help.md format for the Extension Library -* 2.0.0 - Add certificate validation to connection -* 1.0.1 - Support web server mode -* 1.0.0 - Initial plugin - -# Links - - -## References - -* [GRR](https://github.com/google/grr/tree/master/api_client/python) - diff --git a/plugins/grr/icon.png b/plugins/grr/icon.png deleted file mode 100644 index d9d75e9ad1..0000000000 Binary files a/plugins/grr/icon.png and /dev/null differ diff --git a/plugins/grr/icon_grr/__init__.py b/plugins/grr/icon_grr/__init__.py deleted file mode 100755 index bace8db897..0000000000 --- a/plugins/grr/icon_grr/__init__.py +++ /dev/null @@ -1 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT diff --git a/plugins/grr/icon_grr/actions/__init__.py b/plugins/grr/icon_grr/actions/__init__.py deleted file mode 100755 index c5340cbdf2..0000000000 --- a/plugins/grr/icon_grr/actions/__init__.py +++ /dev/null 
@@ -1,4 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
-from .hunting.action import Hunting
-from .labeling.action import Labeling
-from .listing.action import Listing
diff --git a/plugins/grr/icon_grr/actions/hunting/__init__.py b/plugins/grr/icon_grr/actions/hunting/__init__.py
deleted file mode 100755
index 1572358856..0000000000
--- a/plugins/grr/icon_grr/actions/hunting/__init__.py
+++ /dev/null
@@ -1,2 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
-from .action import Hunting
diff --git a/plugins/grr/icon_grr/actions/hunting/action.py b/plugins/grr/icon_grr/actions/hunting/action.py
deleted file mode 100755
index 58b17e900f..0000000000
--- a/plugins/grr/icon_grr/actions/hunting/action.py
+++ /dev/null
@@ -1,307 +0,0 @@ -import komand -from .schema import HuntingInput, HuntingOutput - - -# Custom imports below - - -class Hunting(komand.Action): - def __init__(self): - super(self.__class__, self).__init__( - name="hunting", - description="Looks for exposed secrets in the git commit history and branches", - input=HuntingInput(), - output=HuntingOutput(), - ) - self.grr_api = None - - def run(self, params={}): - self.grr_api = self.connection.grr_api - flow_name = params.get("flow_name") - administrative = ["Interrogate", "KeepAlive", "OnlineNotification"] - browser = ["CacheGrep", "ChromeHistory", "FirefoxHistory"] - collectors = ["ArtifactCollectorFlow", "DumpACPITable", "DumpFlashImage"] - filesystem = ["FileFinder", "GetMBR", "ListVolumeShadowCopies"] - registry = ["CollectRunKeyBinaries", "RegistryFinder"] - if flow_name in administrative: - self.administrative(flow_name) - if flow_name in browser: - self.brower(flow_name) - if flow_name == "CheckRunner": - self.checks(flow_name) - if flow_name in collectors: - self.collectors(flow_name) - if flow_name in filesystem: - self.filesystem(flow_name) - if flow_name == "Netstat": - self.network(flow_name) - if flow_name == "ListProcesses": - self.processes(flow_name) - if flow_name in registry: - self.registry(flow_name) - - def administrative(self, flow_name, params={}): - flow_args = self.grr_api.types.CreateFlowArgs(flow_name) - if flow_name == "Interrogate": - flow_args.lightweight = True - self.hunter_args() - if flow_name == "KeepAlive": - duration = params.get("duration") - flow_args.duration = duration - self.hunter_args() - if flow_name == "OnlineNotification": - email = params.get("email") - flow_args.email = email - self.hunter_args() - - def browser(self, flow_name, params={}): - flow_args = self.grr_api.types.CreateFlowArgs(flow_name) - if flow_name == "CacheGrep": - check_chrome = params.get("check_chrome") - check_firefox = params.get("check_firefox") - data_regex = params.get("data_regex") - 
grep_users = params.get("grep_users") - pathtype = params.get("pathtype") - if check_chrome: - flow_args.check_chrome = True - if check_firefox: - flow_args.check_firefox = True - flow_args.path_type = pathtype - flow_args.data_regex = data_regex - flow_args.grep_users = grep_users - self.hunter_args() - if flow_name == "ChromeHistory": - get_archive = params.get("get_archive") - history_path = params.get("history_path") - path_type = params.get("pathtype") - username = params.get("username") - flow_args.get_archive = get_archive - flow_args.username = username - flow_args.history_path = history_path - flow_args.path_type = path_type - self.hunter_args() - if flow_name == "FirefoxHistory": - get_archive = params.get("get_archive") - history_path = params.get("history_path") - path_type = params.get("pathtype") - username = params.get("username") - flow_args.get_archive = get_archive - flow_args.username = username - flow_args.history_path = history_path - flow_args.path_type = path_type - self.hunter_args() - - def checks(self, flow_name, params={}): - flow_args = self.grr_api.types.CreateFlowArgs(flow_name) - if flow_name == "CheckRunner": - max_findings = params.get("max_findings") - only_cpe = params.get("only_cpe") - only_label = params.get("only_label") - only_os = params.get("only_os") - restrict_checks = params.get("restrict_checks") - flow_args.restrict_checks = restrict_checks - flow_args.only_os = only_os - flow_args.only_label = only_label - flow_args.only_cpe = only_cpe - flow_args.max_findings = max_findings - self.hunter_args() - - def collectors(self, flow_name, params={}): - flow_args = self.grr_api.types.CreateFlowArgs(flow_name) - if flow_name == "ArtifactCollectorFlow": - apply_parsers = params.get("apply_parsers") - artifact_list = params.get("artifact_list") - dependencies = params.get("dependencies") - ignore_interpolation_errors = params.get("ignore_interpolation_errors") - knowledge_base = params.get("knowledge_base") - max_file_size = 
params.get("max_file_size") - on_no_results_error = params.get("on_no_results_error") - split_output_by_artifact = params.get("split_output_by_artifact") - use_tsk = params.get("use_tsk") - if ignore_interpolation_errors: - flow_args.ignore_interpolation_errors = ignore_interpolation_errors - if apply_parsers: - flow_args.apply_parsers = apply_parsers - if on_no_results_error: - flow_args.on_no_results_error = on_no_results_error - if split_output_by_artifact: - flow_args.split_output_by_artifact = split_output_by_artifact - if use_tsk: - flow_args.use_tsk = use_tsk - flow_args.dependencies = dependencies - flow_args.artifact_list = artifact_list - flow_args.knowledge_base = knowledge_base - flow_args.max_file_size = max_file_size - self.hunter_args() - if flow_name == "DumpACPITable": - component_version = params.get("component_version") - logging = params.get("logging") - table_signature_list = params.get("table_signature_list") - flow_args.component_version = component_version - flow_args.table_signature_list = table_signature_list - flow_args.logging = logging - self.hunter_args() - if flow_name == "DumpFlashImage": - chunk_size = params.get("chunk_size") - component_version = params.get("component_version") - log_level = params.get("log_level") - notify_syslog = params.get("notify_syslog") - if notify_syslog: - flow_args.notify_syslog = notify_syslog - flow_args.chunk_size = chunk_size - flow_args.component_version = component_version - flow_args.log_level = log_level - self.hunter_args() - - def filesystem(self, flow_name, params={}): - if flow_name == "list_volume_shadow_copies": - flow_args = self.grr_api.types.CreateFlowArgs(flow_name) - if flow_name == "FileFinder": - flow_args = self.grr_api.types.CreateFlowArgs(flow_name) - action = params.get("action") - conditions = params.get("conditions") - follow_links = params.get("follow_links") - paths = params.get("paths") - pathtype = params.get("pathtype") - process_non_regular_files = 
params.get("process_non_regular_files") - xdev = params.get("xdev") - if action: - flow_args.action = action - if conditions: - flow_args.conditions = conditions - if follow_links: - flow_args.follow_links = follow_links - if paths: - flow_args.ClearField("paths") - flow_args.paths.append(paths) - if pathtype: - flow_args.pathtype = pathtype - if process_non_regular_files: - flow_args.process_non_regular_files = process_non_regular_files - if xdev: - flow_args.xdev = xdev - self.hunter_args() - if flow_name == "length": - length = params.get("length") - flow_args.ClearField("length") - flow_args.length.append(length) - - def hunter_args(self, params={}): - hunt_name = params.get("hunt_name") - description = params.get("description") - priority = params.get("priority") - notification_event = params.get("notification_event") - queue = params.get("queue") - cpu_limit = params.get("cpu_limit") - network_bytes_limit = params.get("network_bytes_limit") - client_limit = params.get("client_limit") - expiry_time = params.get("expiry_time") - client_rate = params.get("client_rate") - crash_alert_email = params.get("crash_alert_email") - hunt_runner_args = self.grr_api.types.CreateHuntRunnerArgs() - if hunt_name: - hunt_runner_args.hunt_name.append(hunt_name) - if description: - hunt_runner_args.description.append(description) - if priority: - hunt_runner_args.ClearField("priority") - hunt_runner_args.priority.append(priority) - if notification_event: - hunt_runner_args.notification_event.append(notification_event) - if queue: - hunt_runner_args.ClearField("queue") - hunt_runner_args.queue.append(queue) - if cpu_limit: - hunt_runner_args.cpu_limit.append(cpu_limit) - if network_bytes_limit: - hunt_runner_args.network_bytes_limit.append(network_bytes_limit) - if client_limit: - hunt_runner_args.ClearField("client_limit") - hunt_runner_args.client_limit.append(client_limit) - if expiry_time: - hunt_runner_args.ClearField("expiry_time") - 
hunt_runner_args.expiry_time.append(expiry_time)
- if client_rate:
- hunt_runner_args.client_rate.append(client_rate)
- if crash_alert_email:
- hunt_runner_args.ClearField("crash_alert_email")
- hunt_runner_args.crash_alert_email.append(crash_alert_email)
- self.output_plugins(hunt_runner_args)
- rule = self.hunt_runner_args.client_rule_set.rules.add()
- self.foreman(rule)
- rule.rule_type = rule.LABEL
-
- def foreman(self, rule, params={}):
- pass
-
- def output_plugins(self, hunt_runner_args, params={}):
- plugin_name = params.get("output_plugin_name")
- output_plugin = hunt_runner_args.output_plugin
- if plugin_name:
- output_plugin.plugin_name = plugin_name
- plugin_args = output_plugin.plugin_args
- if plugin_name == "EmailOutput":
- email_address = params.get("email_address")
- emails_limit = params.get("emails_limit")
- if email_address:
- plugin_args.email_address.append(email_address)
- if emails_limit:
- plugin_args.ClearField("emails_limit")
- plugin_args.emails_limit.append(emails_limit)
- if plugin_name == "BigQueryOutput":
- convert_values = params.get("convert_values")
- export_files_contents = params.get("export_files_contents")
- export_files_hashes = params.get("export_files_hashes")
- follow_urns = params.get("follow_urns")
- annotations = params.get("annotations")
- if convert_values:
- plugin_args.ClearField("convert_values")
- plugin_args.convert_values.append(convert_values)
- if export_files_contents or export_files_hashes or follow_urns or annotations:
- export_options = plugin_args.export_options
- if follow_urns:
- export_options.ClearField("follow_urns")
- export_options.follow_urns.append(follow_urns)
- if export_files_contents:
- export_options.ClearField("export_files_contents")
- export_options.export_files_contents.append(export_files_contents)
- if export_files_hashes:
- export_options.ClearField("export_files_hashes")
- export_options.export_files_hashes.append(export_files_hashes)
- for annotation in annotations:
- 
export_options.annotations.append(annotation)
- return hunt_runner_args
-
- def network(self, flow_name, params={}):
- flow_args = self.grr_api.types.CreateFlowArgs(flow_name)
- listening_only = params.get("listening_only")
- if listening_only:
- flow_args.listening_only = listening_only
-
- def processes(self, flow_name, params={}):
- flow_args = self.grr_api.types.CreateFlowArgs(flow_name)
- if flow_name == "list_processes":
- connection_states = params.get("connection_states")
- fetch_binaries = params.get("fetch_binaries")
- filename_regex = params.get("filename_regex")
- if connection_states:
- flow_args.connection_states = connection_states
- if fetch_binaries:
- flow_args.fetch_binaries = fetch_binaries
- if filename_regex:
- flow_args.filename_regex = filename_regex
-
- def registry(self, flow_name, params={}):
- if flow_name == "CollectRunKeyBinaries":
- flow_args = self.grr_api.types.CreateFlowArgs(flow_name)
- if flow_name == "RegistryFinder":
- flow_args = self.grr_api.types.CreateFlowArgs(flow_name)
- conditions = params.get("conditions")
- key_paths = params.get("key_paths")
- if conditions:
- flow_args.conditions = conditions
- if key_paths:
- flow_args.key_paths = key_paths
-
- def test(self):
- return {}
diff --git a/plugins/grr/icon_grr/actions/hunting/schema.py b/plugins/grr/icon_grr/actions/hunting/schema.py
deleted file mode 100755
index 47ed78e42a..0000000000
--- a/plugins/grr/icon_grr/actions/hunting/schema.py
+++ /dev/null
@@ -1,848 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -import json - - -class Component: - DESCRIPTION = "Start a hunt on clients" - - -class Input: - ACTION = "action" - ANNOTATIONS = "annotations" - APPLY_PARSERS = "apply_parsers" - ARTIFACT_LIST = "artifact_list" - ATTRIBUTE_REGEX = "attribute_regex" - BYTES_AFTER = "bytes_after" - BYTES_BEFORE = "bytes_before" - CH_USERNAME = "ch_username" - CHECK_CHROME = "check_chrome" - CHECK_FIREFOX = "check_firefox" - CHECK_IE = "check_ie" - CHUNK_SIZE = "chunk_size" - CLIENT_LIMIT = "client_limit" - CLIENT_RATE = "client_rate" - COMPONENT_VERSION = "component_version" - CONDITIONS = "conditions" - CONNECTION_STATES = "connection_states" - CONVERT_VALUES = "convert_values" - CPU_LIMIT = "cpu_limit" - CRASH_ALERT_EMAIL = "crash_alert_email" - DATA_REGEX = "data_regex" - DEPENDENCIES = "dependencies" - DESCRIPTION = "description" - DURATION = "duration" - EMAIL = "email" - EMAIL_ADDRESS = "email_address" - EMAILS_LIMIT = "emails_limit" - EXPIRY_TIME = "expiry_time" - EXPORT_FILES_CONTENTS = "export_files_contents" - EXPORT_FILES_HASHES = "export_files_hashes" - FETCH_BINARIES = "fetch_binaries" - FF_USERNAME = "ff_username" - FIELD = "field" - FILEFINDER_REGEX = "filefinder_regex" - FILENAME_REGEX = "filename_regex" - FLOW_ARGS = "flow_args" - FLOW_NAME = "flow_name" - FOLLOW_LINKS = "follow_links" - FOLLOW_URNS = "follow_urns" - GET_ARCHIVE = "get_archive" - GREP_USERS = "grep_users" - HISTORY_PATH = "history_path" - HUNT_NAME = "hunt_name" - IGNORE_INTERPOLATION_ERRORS = "ignore_interpolation_errors" - INTEGER = "integer" - KNOWLEDGE_BASE = "knowledge_base" - LABEL = "label" - LENGTH = "length" - LIGHTWEIGHT = "lightweight" - LISTENING_ONLY = "listening_only" - LITERAL = "literal" - LOG_LEVEL = "log_level" - LOGGING = "logging" - MATCH_MODE = "match_mode" - MAX_FILE_SIZE = "max_file_size" - MAX_FINDINGS = "max_findings" - MAX_LAST_ACCESS_TIME = "max_last_access_time" - MAX_LAST_INODE_CHANGE_TIME = 
"max_last_inode_change_time" - MAX_LAST_MODIFIED_TIME = "max_last_modified_time" - MAX_SIZE = "max_size" - MIN_FILE_SIZE = "min_file_size" - MIN_LAST_ACCESS_TIME = "min_last_access_time" - MIN_LAST_INODE_CHANGE_TIME = "min_last_inode_change_time" - MIN_LAST_MODIFIED_TIME = "min_last_modified_time" - MODE = "mode" - NETWORK_BYTES_LIMIT = "network_bytes_limit" - NOTIFICATION_EVENT = "notification_event" - NOTIFY_SYSLOG = "notify_syslog" - ON_NO_RESULTS_ERROR = "on_no_results_error" - ONLY_CPE = "only_cpe" - ONLY_LABEL = "only_label" - ONLY_OS = "only_os" - OPERATING_SYSTEM = "operating_system" - OPERATOR = "operator" - OUTPUT_PLUGIN_NAME = "output_plugin_name" - OVERSIZED_FILE_POLICY = "oversized_file_policy" - PATHS = "paths" - PATHTYPE = "pathtype" - PRIORITY = "priority" - PROCESS_NON_REGULAR_FILES = "process_non_regular_files" - QUEUE = "queue" - REGEX = "regex" - RESOLVE_LINKS = "resolve_links" - RESTRICT_CHECKS = "restrict_checks" - SPLIT_OUTPUT_BY_ARTIFACT = "split_output_by_artifact" - START_OFFEST = "start_offest" - START_OFFSET = "start_offset" - TABLE_SIGNATURE_LIST = "table_signature_list" - UPLOAD_TOKEN = "upload_token" - USE_EXTERNAL_STORES = "use_external_stores" - USE_TSK = "use_tsk" - VALUE = "value" - XDEV = "xdev" - XOR_IN_KEY = "xor_in_key" - XOR_OUT_KEY = "xor_out_key" - - -class Output: - RESULTS = "results" - - -class HuntingInput(komand.Input): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "action": { - "type": "string", - "title": "Action", - "description": "Use an action", - "enum": [ - "STAT", - "HASH", - "DOWNLOAD" - ], - "order": 36 - }, - "annotations": { - "type": "array", - "title": "Annotations", - "description": "Annotations to add to exported data. This field can be used to differentiate sets of exported data inside a particular exported type. e.g. data collected by users vs. 
data collected by cronjob", - "items": { - "type": "string" - }, - "order": 95 - }, - "apply_parsers": { - "type": "boolean", - "title": "Apply Parsers", - "description": "If 1, apply any relevant parser to the collected data. If 0, return the raw collected data e.g Files or Registry Keys", - "order": 21 - }, - "artifact_list": { - "type": "string", - "title": "Artifact List", - "description": "A list of Artifact class names", - "order": 22 - }, - "attribute_regex": { - "type": "string", - "title": "Attribute Regex", - "description": "The regular expression", - "order": 83 - }, - "bytes_after": { - "type": "integer", - "title": "Bytes After", - "description": "Include this many bytes after the hit", - "order": 49 - }, - "bytes_before": { - "type": "integer", - "title": "Bytes Before", - "description": "Include this many bytes before the hit", - "order": 48 - }, - "ch_username": { - "type": "string", - "title": "Chrome History Username", - "description": "The user to get Chrome history for. If history_path is not set this will be used to guess the path to the history files", - "order": 14 - }, - "check_chrome": { - "type": "integer", - "title": "Check Chrome", - "description": "Checks Chrome", - "order": 6 - }, - "check_firefox": { - "type": "integer", - "title": "Check Firefox", - "description": "Checks Chrome", - "order": 7 - }, - "check_ie": { - "type": "boolean", - "title": "Check IE", - "description": "Checks Internet Explorer", - "order": 8 - }, - "chunk_size": { - "type": "integer", - "title": "Chunk Size", - "description": "A heartbeat will be emitted every chunk_size.This could be reduced in case the process times out", - "order": 33 - }, - "client_limit": { - "type": "integer", - "title": "Client Limit", - "description": "Maximum number of clients participating in the hunt. Best practice is for all hunts to use a limit to start with and remove it only when client impact has been assessed by looking at hunt stats. 
Note that this limit can be overshot by a small number of clients if there are multiple workers running ", - "order": 75 - }, - "client_rate": { - "type": "integer", - "title": "Client Rate", - "description": "The maximum number of clients to engage per minute. A rate of 0 means to schedule clients as fast as possible", - "order": 77 - }, - "component_version": { - "type": "string", - "title": "Component Version", - "description": "Version of Chipsec component to be used", - "order": 30 - }, - "conditions": { - "type": "string", - "title": "Conditions", - "description": "These conditions will be applied to all files that match the path arguments", - "enum": [ - "MODIFICATION_TIME", - "ACCESS_TIME", - "INODE_CHANGE_TIME", - "SIZE", - "CONTENTS_REGEX_MATCH", - "CONTENTS_LITERAL_MATCH", - "EXT_FLAGS" - ], - "order": 37 - }, - "connection_states": { - "type": "array", - "title": "Connection States", - "description": "Network connection states to match. If a process has any network connections in any status listed here, it will be considered a match", - "items": { - "type": "string" - }, - "enum": [ - "UNKNOWN", - "CLOSED", - "LISTEN", - "SYN_SENT", - "SYN_RECV", - "ESTABLISHED", - "FIN_WAIT1", - "FIN_WAIT2", - "CLOSE_WAIT", - "CLOSING", - "LAST_ACK", - "TIME_WAIT", - "DELETE_TCB", - "NONE", - "CLOSE" - ], - "order": 65 - }, - "convert_values": { - "type": "boolean", - "title": "Convert Values", - "description": "If true, convert values for export-friendly format", - "order": 94 - }, - "cpu_limit": { - "type": "integer", - "title": "CPU Limit", - "description": "A limit on the client CPU seconds used by this flow", - "order": 73 - }, - "crash_alert_email": { - "type": "string", - "title": "Crash Alert Email", - "description": "An email address to send mails to when a client crashes during execution of this hunt", - "order": 78 - }, - "data_regex": { - "type": "string", - "title": "Data Regex", - "description": "A regular expression to search for", - "order": 9 - }, - 
"dependencies": { - "type": "string", - "title": "Dependencies", - "description": "Specifies how dependencies should be handled. Use the knowledgebase as a cache. If knowledgebase isn't present, a new one will be populated", - "default": "USE_CACHED", - "enum": [ - "USE_CACHED", - "IGNORE_DEPS", - "FETCH_NOW" - ], - "order": 23 - }, - "description": { - "type": "string", - "title": "Description", - "description": "The description of this hunt", - "order": 69 - }, - "duration": { - "type": "integer", - "title": "Duration", - "description": "Until when should the client stay in the fast poll mode", - "default": 3600, - "order": 4 - }, - "email": { - "type": "string", - "title": "Email", - "description": "Email address to send to. If not set, mail will be sent to the logged in user", - "order": 5 - }, - "email_address": { - "type": "string", - "title": "Email Address", - "description": "The email address that messages will be sent to", - "order": 89 - }, - "emails_limit": { - "type": "integer", - "title": "Emails Limit", - "description": "The emails limit", - "order": 90 - }, - "expiry_time": { - "type": "integer", - "title": "Expiry Time", - "description": "Expiry time for the hunt", - "order": 76 - }, - "export_files_contents": { - "type": "boolean", - "title": "Export Files Contents", - "description": "If this is true, open files and export their full or partial contents. Note: this may require additional datastore roundtrips and slow down the export process, also exporting file contents may significantly increase size of the exported data", - "order": 91 - }, - "export_files_hashes": { - "type": "boolean", - "title": "Export Files Hashes", - "description": "If this is true, export hashes when dealing with file-related values. The files won't be hashed during the export, hashes will only be exported if they were collected before the export. This option affects exporting VFSFile and StatEntry RDFValues. 
This is true by default even though it requires extra datastore roundtrips because it's very useful and users expect the hashes to be there", - "order": 93 - }, - "fetch_binaries": { - "type": "boolean", - "title": "Fetch Binaries", - "description": "Fetches Binaries", - "order": 66 - }, - "ff_username": { - "type": "string", - "title": "Firefox History Username", - "description": "The user to get FireFox history for. If history_path is not set this will be used to guess the path to the history files", - "order": 15 - }, - "field": { - "type": "string", - "title": "Field", - "description": "Field Specification", - "default": "UNSET", - "enum": [ - "UNSET", - "USERNAMES", - "UNAME", - "FQDN", - "HOST_TIPS", - "CLIENT_NAME", - "CLIENT_DESCRIPTION", - "SYSTEM", - "MAC_ADDRESSES", - "KERNEL_VERSION", - "OS_VERSION", - "OS_RELEASE", - "CLIENT_LABELS", - "INSTALL_TIME", - "CLIENT_VERSION", - "LAST_BOOT_TIME", - "CLIENT_CLOCK" - ], - "order": 84 - }, - "filefinder_regex": { - "type": "string", - "title": "FileFinder Regex", - "description": "The regular expression which will be used to search", - "order": 46 - }, - "filename_regex": { - "type": "string", - "title": "Filename Regex", - "description": "Regex used to filter the list of processes", - "order": 67 - }, - "flow_args": { - "type": "boolean", - "title": "Regex Checks", - "description": "Enable high signal regex checks", - "default": false, - "order": 2 - }, - "flow_name": { - "type": "string", - "title": "Flow Name", - "description": "The name of the Flow you want to use", - "enum": [ - "Interrogate", - "KeepAlive", - "OnlineNotification", - "CacheGrep", - "ChromeHistory", - "FirefoxHistory", - "CheckRunner", - "ArtifactCollectorFlow", - "DumpACPITable", - "DumpFlashImage", - "FileFinder", - "GetMBR", - "ListVolumeShadowCopies", - "Netstat", - "ListProcesses", - "CollectRunKeyBinaries", - "RegistryFinder" - ], - "order": 1 - }, - "follow_links": { - "type": "boolean", - "title": "Follow links", - "description": 
"Should symbolic links be followed in recursive directory listings", - "order": 60 - }, - "follow_urns": { - "type": "boolean", - "title": "Follow URNs", - "description": "If this is true, follow urns and try to export not only the urns themselves, but also the data they are pointing to. Note: this may require additional datastore roundtrips and slow down the export process", - "order": 92 - }, - "get_archive": { - "type": "boolean", - "title": "Get Archive", - "description": "Gets Archived History as well (3 months old)", - "order": 12 - }, - "grep_users": { - "type": "string", - "title": "Grep Users", - "description": "A list of users to check. Default all users on the system", - "order": 10 - }, - "history_path": { - "type": "string", - "title": "History Path", - "description": "Path to a profile directory that contains a History file", - "order": 13 - }, - "hunt_name": { - "type": "string", - "title": "Hunt Name", - "description": "The name of the class implementing the hunt to run", - "order": 68 - }, - "ignore_interpolation_errors": { - "type": "boolean", - "title": "Ignore Interpolation Errors", - "description": "If true, don't die if %%users.homedir%% and similar fail to expand. It's common on windows for some user attributes to be missing if users have never logged in. 
Enable this when you have multiple artifacts or paths and want to report partial results", - "order": 24 - }, - "integer": { - "type": "boolean", - "title": "Integer", - "description": "Integer to trigger this hunt", - "order": 85 - }, - "knowledge_base": { - "type": "string", - "title": "Knowledge Base", - "description": "An optional knowledge base to use, if not specified we retrieve one from the client object", - "order": 25 - }, - "label": { - "type": "array", - "title": "Label", - "description": "Label that triggers this hunt", - "items": { - "type": "string" - }, - "order": 80 - }, - "length": { - "type": "integer", - "title": "Length", - "description": "How far (in bytes) into the file to search or the length of the MBR to read", - "order": 51 - }, - "lightweight": { - "type": "boolean", - "title": "Lightweight", - "description": "Performs a light weight version of the interrogate", - "order": 3 - }, - "listening_only": { - "type": "boolean", - "title": "Listening Only", - "description": "If set, only listening connections are returned", - "order": 64 - }, - "literal": { - "type": "string", - "title": "Literal", - "description": "Search for this literal string", - "order": 52 - }, - "log_level": { - "type": "integer", - "title": "Log Level", - "description": "Set the log level. 
If set, the log returned will include additional information reported by Chipsec", - "order": 34 - }, - "logging": { - "type": "boolean", - "title": "Logging", - "description": "If the logging is set to true, the client sends log, including Chipsec's log", - "order": 31 - }, - "match_mode": { - "type": "string", - "title": "Match Mode", - "description": "Match mode to trigger this hunt", - "enum": [ - "MATCH_ALL", - "MATCH_ANY" - ], - "order": 79 - }, - "max_file_size": { - "type": "string", - "title": "Max File Size", - "description": "The maximum size of files we will download in bytes, 500MB by default", - "order": 26 - }, - "max_findings": { - "type": "integer", - "title": "Maximize Findings", - "description": "Summarize checks with more than N individual findings", - "order": 16 - }, - "max_last_access_time": { - "type": "integer", - "title": "Min Last Access Time", - "description": "File must be accessed before this time", - "order": 42 - }, - "max_last_inode_change_time": { - "type": "integer", - "title": "Max Last Inode Change Time", - "description": "File's must be changed before this time", - "order": 44 - }, - "max_last_modified_time": { - "type": "integer", - "title": "Max Last Modified Time", - "description": "File must be modified before this time", - "order": 40 - }, - "max_size": { - "type": "integer", - "title": "Max Size", - "description": "The maximum size of files", - "order": 56 - }, - "min_file_size": { - "type": "integer", - "title": "Min File Size", - "description": "Minimum file size in bytes", - "order": 45 - }, - "min_last_access_time": { - "type": "integer", - "title": "Min Last Access Time", - "description": "File must be accessed after this time", - "order": 41 - }, - "min_last_inode_change_time": { - "type": "integer", - "title": "Min Last Inode Change Time", - "description": "File's inode must be changed after this time", - "order": 43 - }, - "min_last_modified_time": { - "type": "integer", - "title": "Min Last Modified Time", - 
"description": "File must be modified after this time", - "order": 39 - }, - "mode": { - "type": "string", - "title": "Mode", - "description": "When should searching stop? Stop after one hit or search for all", - "enum": [ - "FIRST_HIT", - "ALL_HITS" - ], - "order": 47 - }, - "network_bytes_limit": { - "type": "integer", - "title": "Network Bytes Limit", - "description": "A limit on the total traffic used by this flow", - "order": 74 - }, - "notification_event": { - "type": "string", - "title": "Notification Event", - "description": "An event name for an event listener. An event will be published to this listener once the flow finishes", - "order": 71 - }, - "notify_syslog": { - "type": "boolean", - "title": "Notify Syslog", - "description": "If true, a message will be written by the client to the syslog before running the action. This can be used for debugging in case the client crashes ", - "order": 35 - }, - "on_no_results_error": { - "type": "boolean", - "title": "Oh No Results Error", - "description": "The maximum size of files we will download in bytes, 500MB by default", - "order": 27 - }, - "only_cpe": { - "type": "string", - "title": "Only CPE", - "description": "Limit checks to hosts with cpe strings", - "order": 17 - }, - "only_label": { - "type": "string", - "title": "Only CPE", - "description": "Limit checks to hosts with label strings", - "order": 18 - }, - "only_os": { - "type": "string", - "title": "Only OS", - "description": "Limit checks to hosts of OS type(s) [Linux|OSX|Windows]", - "order": 19 - }, - "operating_system": { - "type": "string", - "title": "Operating System", - "description": "Type of operating system to trigger this hunt", - "enum": [ - "Os_windows", - "Os_linux", - "Os_darwin" - ], - "order": 81 - }, - "operator": { - "type": "string", - "title": "Operator", - "description": "Operator", - "enum": [ - "EQUAL", - "LESS_THAN", - "GREATER_THAN" - ], - "order": 86 - }, - "output_plugin_name": { - "type": "string", - "title": "Output 
Plugin Name", - "description": "The name of the output plugin", - "enum": [ - "EmailOutput", - "BigQueryOutput" - ], - "order": 88 - }, - "oversized_file_policy": { - "type": "string", - "title": "Max Size", - "description": "What should GRR do with files that are larger than max_size", - "enum": [ - "SKIP", - "HASH_TRUNCATED", - "DOWNLOAD_TRUNCATED" - ], - "order": 57 - }, - "paths": { - "type": "string", - "title": "Paths", - "description": "A path to glob that can contain %% expansions", - "order": 38 - }, - "pathtype": { - "type": "string", - "title": "Path Type", - "description": "Type of path access to use", - "enum": [ - "UNSET", - "OS", - "TSK", - "Registry", - "Memory", - "TMPFILE" - ], - "order": 11 - }, - "priority": { - "type": "string", - "title": "Priority", - "description": "The priority used for this flow", - "enum": [ - "LOW_PRIORITY", - "MEDIUM_PRIORITY", - "HIGH_PRIORITY" - ], - "order": 70 - }, - "process_non_regular_files": { - "type": "boolean", - "title": "Process Non Regular Files", - "description": "Look both into regular files and non-regular files (devices, named pipes, sockets). 
NOTE: This is very dangerous and should be used with care", - "order": 61 - }, - "queue": { - "type": "string", - "title": "Queue", - "description": "The queue to use for the hunt", - "order": 72 - }, - "regex": { - "type": "boolean", - "title": "Regex", - "description": "Use a regular expression to trigger this hunt", - "order": 82 - }, - "resolve_links": { - "type": "boolean", - "title": "Resolve links", - "description": "If true, the action will yield stat information for link targets, if false, the stat for the link itself will be returned", - "order": 59 - }, - "restrict_checks": { - "type": "string", - "title": "Restrict Checks", - "description": "Only run checks with the specified check_ids", - "order": 20 - }, - "split_output_by_artifact": { - "type": "boolean", - "title": "Split Output by Artifact", - "description": "If True, use output as a directory and write a separate collection for each artifact collected", - "order": 28 - }, - "start_offest": { - "type": "integer", - "title": "Start Offset", - "description": "Start searching at this file offset", - "order": 50 - }, - "start_offset": { - "type": "integer", - "title": "Start offset", - "description": "Start searching at this file offset", - "order": 53 - }, - "table_signature_list": { - "type": "string", - "title": "Table Signature Lists", - "description": "Signature of ACPI tables to be dumped", - "order": 32 - }, - "upload_token": { - "type": "boolean", - "title": "Upload Token", - "description": "An upload token to use with the direct upload functionality. This token contains the hmac authenticated policy that determines for how long the client is allowed to upload files to the server. 
This is comparable to the policy document used by GCS: https://cloud.google.com/storage/docs/xml-api/post-object#policydocument", - "order": 63 - }, - "use_external_stores": { - "type": "boolean", - "title": "Use External Stores", - "description": "If true, look in any defined external file stores for files before downloading them, and offer any new files to external stores. This should be true unless the external checks are misbehaving", - "order": 58 - }, - "use_tsk": { - "type": "boolean", - "title": "Use TSK", - "description": "Whether raw filesystem access should be used", - "order": 29 - }, - "value": { - "type": "integer", - "title": "Value", - "description": "Value", - "order": 87 - }, - "xdev": { - "type": "string", - "title": "Xdev", - "description": "Behavior when ecountering device boundaries while doing recursive searches", - "enum": [ - "NEVER", - "ALWAYS", - "LOCAL" - ], - "order": 62 - }, - "xor_in_key": { - "type": "integer", - "title": "XOR in Key", - "description": "When searching memory we need to ensure we dont hit on our own process. This allows us to obfuscate the search string in memory to avoid us finding ourselves", - "order": 54 - }, - "xor_out_key": { - "type": "integer", - "title": "XOR in Key", - "description": "When searching memory we need to ensure we dont hit on our own process. This allows us to obfuscate the search string in memory to avoid us finding ourselves", - "order": 55 - } - }, - "required": [ - "flow_name" - ] -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) - - -class HuntingOutput(komand.Output): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "results": { - "type": "string", - "title": "Results", - "description": "Issues found with TruffleHog", - "order": 1 - } - } -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) 
diff --git a/plugins/grr/icon_grr/actions/labeling/__init__.py b/plugins/grr/icon_grr/actions/labeling/__init__.py
deleted file mode 100755
index 8156476cce..0000000000
--- a/plugins/grr/icon_grr/actions/labeling/__init__.py
+++ /dev/null
@@ -1,2 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
-from .action import Labeling
diff --git a/plugins/grr/icon_grr/actions/labeling/action.py b/plugins/grr/icon_grr/actions/labeling/action.py
deleted file mode 100755
index 2801307103..0000000000
--- a/plugins/grr/icon_grr/actions/labeling/action.py
+++ /dev/null
@@ -1,39 +0,0 @@
-import komand
-from .schema import LabelingInput, LabelingOutput
-
-
-# Custom imports below
-
-
-class Labeling(komand.Action):
- def __init__(self):
- super(self.__class__, self).__init__(
- name="labeling",
- description="Looks for exposed secrets in the git commit history and branches",
- input=LabelingInput(),
- output=LabelingOutput(),
- )
- self.grrapi = None
-
- def run(self, params={}):
- self.grrapi = self.connection.grrapi
- query = params.get("query")
- label = params.get("label")
- label = [str(x) for x in label]
- search_results = self.grrapi.SearchClients(query)
- try:
- for client in search_results:
- type_client = type(client)
- if type(client) is not type_client:
- return {"result": "No clients found with the given query"}
- client.AddLabels(label)
- except Exception as e:
- self.logger.error(e)
- return {"results": "All clients have been labeled"}
-
- def test(self):
- self.grrapi = self.connection.grrapi
- if self.grrapi:
- return {"results": "Ready to label"}
- if not self.grrapi:
- return {"results": "Not ready. Please check your connection with the GRR Client"}
diff --git a/plugins/grr/icon_grr/actions/labeling/schema.py b/plugins/grr/icon_grr/actions/labeling/schema.py
deleted file mode 100755
index a02961c789..0000000000
--- a/plugins/grr/icon_grr/actions/labeling/schema.py
+++ /dev/null
@@ -1,69 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -import komand -import json - - -class Component: - DESCRIPTION = "Label clients based on search" - - -class Input: - LABEL = "label" - QUERY = "query" - - -class Output: - RESULTS = "results" - - -class LabelingInput(komand.Input): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "label": { - "type": "array", - "title": "Label", - "description": "Label's clients", - "items": { - "type": "string" - }, - "order": 2 - }, - "query": { - "type": "string", - "title": "Query", - "description": "Search for clients", - "order": 1 - } - }, - "required": [ - "label", - "query" - ] -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) - - -class LabelingOutput(komand.Output): - schema = json.loads(""" - { - "type": "object", - "title": "Variables", - "properties": { - "results": { - "type": "string", - "title": "Results", - "description": "Labeling complete", - "order": 1 - } - } -} - """) - - def __init__(self): - super(self.__class__, self).__init__(self.schema) diff --git a/plugins/grr/icon_grr/actions/listing/__init__.py b/plugins/grr/icon_grr/actions/listing/__init__.py deleted file mode 100755 index 169dcda7dc..0000000000 --- a/plugins/grr/icon_grr/actions/listing/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ -# GENERATED BY KOMAND SDK - DO NOT EDIT -from .action import Listing diff --git a/plugins/grr/icon_grr/actions/listing/action.py b/plugins/grr/icon_grr/actions/listing/action.py deleted file mode 100755 index 3e506ffcdb..0000000000 --- a/plugins/grr/icon_grr/actions/listing/action.py +++ /dev/null 
@@ -1,106 +0,0 @@
-import komand
-from .schema import ListingInput, ListingOutput
-
-# Custom imports below
-import json
-from google.protobuf.json_format import MessageToJson
-
-
-class Listing(komand.Action):
- def __init__(self):
- super(self.__class__, self).__init__(
- name="listing",
- description="Looks for exposed secrets in the git commit history and branches",
- input=ListingInput(),
- output=ListingOutput(),
- )
- self.grrapi = None
- self.query = None
- self.result = {}
-
- def run(self, params={}):
- self.grrapi = self.connection.grrapi
- if params.get("hunts"):
- self.hunts()
- if params.get("hunt_approvals"):
- self.hunt_approvals()
- if params.get("grr_binaries"):
- self.grr_binaries()
- if params.get("clients"):
- query = params.get("query").encode("utf-8", "ignore")
- self.clients(query)
- return {"result": self.result}
-
- def hunts(self):
- try:
- list_hunts = self.grrapi.ListHunts()
- result = {}
- count = 0
- for hunt in list_hunts:
- data = hunt.data
- data = MessageToJson(data)
- result["hunt%s" % count] = json.loads(data)
- count += 1
- self.result = komand.helper.clean(result)
- except Exception as e:
- self.logger.error(e)
-
- def hunt_approvals(self):
- # Still testing, need to create a hunt to see the hunt approval and how the data comes out
- try:
- hunt_approvals = self.grrapi.ListHuntApprovals()
- self.logger.info(hunt_approvals.data)
- count = 0
- result = {}
- for item in hunt_approvals:
- data = item.data
- data = MessageToJson(data)
- result["approval%s" % count] = json.loads(data)
- count += 1
- self.result = komand.helper.clean(result)
- except Exception as e:
- self.logger.error(e)
-
- def clients(self, query):
- try:
- search_results = self.grrapi.SearchClients(query)
- result = {}
- count = 0
- if not search_results:
- return {"results": "No clients found"}
- for client in search_results:
- data = client.data
- data = MessageToJson(data)
- result["client%s" % count] = json.loads(data)
- count += 1
- if result == {}:
- 
self.logger.error("No clients found with provided query.")
- return {"results": "No clients have been found"}
- self.result = komand.helper.clean(result)
- except Exception as e:
- self.logger.error(e)
-
- def grr_binaries(self):
- # Havn't tested it, but based on the other functions behaving similarly and the source code
- # I am going to assume this works until tested
- try:
- binaries = self.grrapi.ListGrrBinaries()
- count = 0
- result = {}
- for x in binaries:
- data = x.data
- data = MessageToJson(data)
- result["binary%s" % count] = json.loads(data)
- count += 1
- self.result = komand.helper.clean(result)
- except Exception as e:
- self.logger.error(e)
- self.logger.error("No GRR Binaries")
- return {"results": "No GRR Binaries have been found"}
-
- def test(self):
- self.grrapi = self.connection.grrapi
- if self.grrapi:
- return {"results": "Ready to list"}
- if not self.grrapi:
- return {"results": "Not ready. Please check your connection with the GRR Client"}
diff --git a/plugins/grr/icon_grr/actions/listing/schema.py b/plugins/grr/icon_grr/actions/listing/schema.py
deleted file mode 100755
index 75d77e2a4b..0000000000
--- a/plugins/grr/icon_grr/actions/listing/schema.py
+++ /dev/null
@@ -1,86 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
-import komand
-import json
-
-
-class Component:
- DESCRIPTION = "List client information based on search"
-
-
-class Input:
- CLIENTS = "clients"
- GRR_BINARIES = "grr_binaries"
- HUNT_APPROVALS = "hunt_approvals"
- HUNTS = "hunts"
- QUERY = "query"
-
-
-class Output:
- RESULT = "result"
-
-
-class ListingInput(komand.Input):
- schema = json.loads("""
- {
- "type": "object",
- "title": "Variables",
- "properties": {
- "clients": {
- "type": "boolean",
- "title": "Clients",
- "description": "Search clients",
- "order": 5
- },
- "grr_binaries": {
- "type": "boolean",
- "title": "GRR Binaries",
- "description": "List GRR binaries",
- "order": 4
- },
- "hunt_approvals": {
- "type": "boolean",
- "title": "Hunt Approvals",
- "description": "List hunt approvals",
- "order": 3
- },
- "hunts": {
- "type": "boolean",
- "title": "Hunts",
- "description": "List hunts",
- "order": 2
- },
- "query": {
- "type": "string",
- "title": "Query",
- "description": "Query to search for (e.g. 'host:suspicious.corp.com')",
- "order": 1
- }
- },
- "required": [
- "query"
- ]
-}
- """)
-
- def __init__(self):
- super(self.__class__, self).__init__(self.schema)
-
-
-class ListingOutput(komand.Output):
- schema = json.loads("""
- {
- "type": "object",
- "title": "Variables",
- "properties": {
- "result": {
- "type": "object",
- "title": "Result",
- "description": "Listing results",
- "order": 1
- }
- }
-}
- """)
-
- def __init__(self):
- super(self.__class__, self).__init__(self.schema)
diff --git a/plugins/grr/icon_grr/connection/__init__.py b/plugins/grr/icon_grr/connection/__init__.py
deleted file mode 100755
index a515dcf6b0..0000000000
--- a/plugins/grr/icon_grr/connection/__init__.py
+++ /dev/null
@@ -1,2 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
-from .connection import Connection
diff --git a/plugins/grr/icon_grr/connection/connection.py b/plugins/grr/icon_grr/connection/connection.py
deleted file mode 100755
index 9fc8679110..0000000000
--- a/plugins/grr/icon_grr/connection/connection.py
+++ /dev/null
@@ -1,31 +0,0 @@
-import komand
-from .schema import ConnectionSchema
-
-# Custom imports below
-from grr_api_client import api
-
-
-class Connection(komand.Connection):
- def __init__(self):
- super(self.__class__, self).__init__(input=ConnectionSchema())
-
- self.grrapi = None
- self.api_endpoint = None
- self.username = None
- self.password = None
-
- def connect(self, params):
- self.logger.info("Connect: Connecting...")
- self.api_endpoint = params.get("api_endpoint")
- self.username = params.get("credentials").get("username")
- self.password = params.get("credentials").get("password")
- ssl_verify = params.get("ssl_verify")
- try:
- self.grrapi = api.InitHttp(
- api_endpoint=self.api_endpoint,
- auth=(self.username, self.password),
- verify=ssl_verify,
- )
- except Exception as e:
- self.logger.error("Please provide valid options to connect to the GRR API endpoint")
- raise e
diff --git a/plugins/grr/icon_grr/connection/schema.py b/plugins/grr/icon_grr/connection/schema.py
deleted file mode 100755
index d7ca55725b..0000000000
--- a/plugins/grr/icon_grr/connection/schema.py
+++ /dev/null
@@ -1,75 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
-import komand
-import json
-
-
-class Input:
- API_ENDPOINT = "api_endpoint"
- CREDENTIALS = "credentials"
- SSL_VERIFY = "ssl_verify"
-
-
-class ConnectionSchema(komand.Input):
- schema = json.loads("""
- {
- "type": "object",
- "title": "Variables",
- "properties": {
- "api_endpoint": {
- "type": "string",
- "title": "API Endpoint",
- "description": "The GRR API Endpoint to connect to",
- "order": 1
- },
- "credentials": {
- "$ref": "#/definitions/credential_username_password",
- "title": "Username and Password",
- "description": "Username and password",
- "order": 2
- },
- "ssl_verify": {
- "type": "boolean",
- "title": "SSL Verify",
- "description": "Verify server's SSL/TLS certificate",
- "default": true,
- "order": 3
- }
- },
- "required": [
- "api_endpoint",
- "credentials",
- "ssl_verify"
- ],
- "definitions": {
- "credential_username_password": {
- "id": "credential_username_password",
- "type": "object",
- "title": "Credential: Username and Password",
- "description": "A username and password combination",
- "properties": {
- "password": {
- "type": "string",
- "title": "Password",
- "displayType": "password",
- "description": "The password",
- "format": "password",
- "order": 2
- },
- "username": {
- "type": "string",
- "title": "Username",
- "description": "The username to log in with",
- "order": 1
- }
- },
- "required": [
- "username",
- "password"
- ]
- }
- }
-}
- """)
-
- def __init__(self):
- super(self.__class__, self).__init__(self.schema)
diff --git a/plugins/grr/icon_grr/tasks/__init__.py b/plugins/grr/icon_grr/tasks/__init__.py
deleted file mode 100644
index 7020c9a4ad..0000000000
--- a/plugins/grr/icon_grr/tasks/__init__.py
+++ /dev/null
@@ -1,2 +0,0 @@
-# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT
-
diff --git a/plugins/grr/icon_grr/triggers/__init__.py b/plugins/grr/icon_grr/triggers/__init__.py
deleted file mode 100755
index bace8db897..0000000000
--- a/plugins/grr/icon_grr/triggers/__init__.py
+++ /dev/null
@@ -1 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
diff --git a/plugins/grr/icon_grr/util/__init__.py b/plugins/grr/icon_grr/util/__init__.py
deleted file mode 100755
index bace8db897..0000000000
--- a/plugins/grr/icon_grr/util/__init__.py
+++ /dev/null
@@ -1 +0,0 @@
-# GENERATED BY KOMAND SDK - DO NOT EDIT
diff --git a/plugins/grr/plugin.spec.yaml b/plugins/grr/plugin.spec.yaml
deleted file mode 100644
index 89c5f9a331..0000000000
--- a/plugins/grr/plugin.spec.yaml
+++ /dev/null
@@ -1,744 +0,0 @@ -plugin_spec_version: v2 -extension: plugin -products: [insightconnect] -name: grr -title: Google Rapid Response -description: Organize and start threat hunts using GRR -version: 3.0.1 -vendor: rapid7 -support: community -status: [obsolete] -resources: - source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/plugins/grr - license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE - vendor_url: http://www.google.com -tags: -- incident response -- google -- grr -- hunt -- label -- list -hub_tags: - use_cases: [threat_detection_and_response] - keywords: [incident response, google, grr, hunt, label, list] - features: [] -enable_cache: true -connection: - api_endpoint: - title: API Endpoint - type: string - description: The GRR API Endpoint to connect to - required: true - credentials: - title: Username and Password - type: credential_username_password - description: Username and password - required: true - ssl_verify: - title: SSL Verify - type: boolean - description: Verify server's SSL/TLS certificate - default: true - required: true -actions: - listing: - title: Listing - description: List client information based on search - input: - query: - title: Query - description: Query to search for (e.g. 
'host:suspicious.corp.com') - type: string - required: true - hunts: - title: Hunts - description: List hunts - type: boolean - required: false - hunt_approvals: - title: Hunt Approvals - description: List hunt approvals - type: boolean - required: false - grr_binaries: - title: GRR Binaries - description: List GRR binaries - type: boolean - required: false - clients: - title: Clients - description: Search clients - type: boolean - required: false - output: - result: - title: Result - type: object - description: Listing results - required: false - labeling: - title: Labeling - description: Label clients based on search - input: - query: - title: Query - description: Search for clients - type: string - required: true - label: - title: Label - description: Label's clients - type: '[]string' - required: true - output: - results: - title: Results - type: string - description: Labeling complete - required: false - hunting: - title: Hunting - description: Start a hunt on clients - input: - flow_name: - title: Flow Name - description: The name of the Flow you want to use - type: string - required: true - enum: - - Interrogate - - KeepAlive - - OnlineNotification - - CacheGrep - - ChromeHistory - - FirefoxHistory - - CheckRunner - - ArtifactCollectorFlow - - DumpACPITable - - DumpFlashImage - - FileFinder - - GetMBR - - ListVolumeShadowCopies - - Netstat - - ListProcesses - - CollectRunKeyBinaries - - RegistryFinder - flow_args: - title: Regex Checks - description: Enable high signal regex checks - type: boolean - required: false - default: false - lightweight: - title: Lightweight - description: Performs a light weight version of the interrogate - type: boolean - required: false - duration: - title: Duration - description: Until when should the client stay in the fast poll mode - type: integer - required: false - default: 3600 - email: - title: Email - description: Email address to send to. 
If not set, mail will be sent to the - logged in user - type: string - required: false - check_chrome: - title: Check Chrome - description: Checks Chrome - type: integer - required: false - check_firefox: - title: Check Firefox - description: Checks Chrome - type: integer - required: false - check_ie: - title: Check IE - description: Checks Internet Explorer - type: boolean - required: false - data_regex: - title: Data Regex - description: A regular expression to search for - type: string - required: false - grep_users: - title: Grep Users - description: A list of users to check. Default all users on the system - type: string - required: false - pathtype: - title: Path Type - description: Type of path access to use - type: string - required: false - enum: - - UNSET - - OS - - TSK - - Registry - - Memory - - TMPFILE - get_archive: - title: Get Archive - description: Gets Archived History as well (3 months old) - type: boolean - required: false - history_path: - title: History Path - description: Path to a profile directory that contains a History file - type: string - required: false - ch_username: - title: Chrome History Username - description: The user to get Chrome history for. If history_path is not set - this will be used to guess the path to the history files - type: string - required: false - ff_username: - title: Firefox History Username - description: The user to get FireFox history for. 
If history_path is not set - this will be used to guess the path to the history files - type: string - required: false - max_findings: - title: Maximize Findings - description: Summarize checks with more than N individual findings - type: integer - required: false - only_cpe: - title: Only CPE - description: Limit checks to hosts with cpe strings - type: string - required: false - only_label: - title: Only CPE - description: Limit checks to hosts with label strings - type: string - required: false - only_os: - title: Only OS - description: Limit checks to hosts of OS type(s) [Linux|OSX|Windows] - type: string - required: false - restrict_checks: - title: Restrict Checks - description: Only run checks with the specified check_ids - type: string - required: false - apply_parsers: - title: Apply Parsers - description: If 1, apply any relevant parser to the collected data. If 0, - return the raw collected data e.g Files or Registry Keys - type: boolean - required: false - artifact_list: - title: Artifact List - description: A list of Artifact class names - type: string - required: false - dependencies: - title: Dependencies - description: Specifies how dependencies should be handled. Use the knowledgebase as a cache. If knowledgebase isn't present, a new one will be populated - type: string - default: USE_CACHED - required: false - enum: - - USE_CACHED - - IGNORE_DEPS - - FETCH_NOW - ignore_interpolation_errors: - title: Ignore Interpolation Errors - description: If true, don't die if %%users.homedir%% and similar fail to expand. - It's common on windows for some user attributes to be missing if users have - never logged in. 
Enable this when you have multiple artifacts or paths and - want to report partial results - type: boolean - required: false - knowledge_base: - title: Knowledge Base - description: An optional knowledge base to use, if not specified we retrieve - one from the client object - type: string - required: false - max_file_size: - title: Max File Size - description: The maximum size of files we will download in bytes, 500MB by - default - type: string - required: false - on_no_results_error: - title: Oh No Results Error - description: The maximum size of files we will download in bytes, 500MB by - default - type: boolean - required: false - split_output_by_artifact: - title: Split Output by Artifact - description: If True, use output as a directory and write a separate collection - for each artifact collected - type: boolean - required: false - use_tsk: - title: Use TSK - description: Whether raw filesystem access should be used - type: boolean - required: false - component_version: - title: Component Version - description: Version of Chipsec component to be used - type: string - required: false - logging: - title: Logging - description: If the logging is set to true, the client sends log, including - Chipsec's log - type: boolean - required: false - table_signature_list: - title: Table Signature Lists - description: Signature of ACPI tables to be dumped - type: string - required: false - chunk_size: - title: Chunk Size - description: A heartbeat will be emitted every chunk_size.This could be reduced - in case the process times out - type: integer - required: false - log_level: - title: Log Level - description: Set the log level. If set, the log returned will include additional - information reported by Chipsec - type: integer - required: false - notify_syslog: - title: Notify Syslog - description: 'If true, a message will be written by the client to the syslog - before running the action. 
This can be used for debugging in case the client - crashes ' - type: boolean - required: false - action: - title: Action - description: Use an action - type: string - required: false - enum: - - STAT - - HASH - - DOWNLOAD - conditions: - title: Conditions - description: These conditions will be applied to all files that match the - path arguments - type: string - required: false - enum: - - MODIFICATION_TIME - - ACCESS_TIME - - INODE_CHANGE_TIME - - SIZE - - CONTENTS_REGEX_MATCH - - CONTENTS_LITERAL_MATCH - - EXT_FLAGS - paths: - title: Paths - description: A path to glob that can contain %% expansions - type: string - required: false - min_last_modified_time: - title: Min Last Modified Time - description: File must be modified after this time - type: integer - required: false - max_last_modified_time: - title: Max Last Modified Time - description: File must be modified before this time - type: integer - required: false - min_last_access_time: - title: Min Last Access Time - description: File must be accessed after this time - type: integer - required: false - max_last_access_time: - title: Min Last Access Time - description: File must be accessed before this time - type: integer - required: false - min_last_inode_change_time: - title: Min Last Inode Change Time - description: File's inode must be changed after this time - type: integer - required: false - max_last_inode_change_time: - title: Max Last Inode Change Time - description: File's must be changed before this time - type: integer - required: false - min_file_size: - title: Min File Size - description: Minimum file size in bytes - type: integer - required: false - filefinder_regex: - title: FileFinder Regex - description: The regular expression which will be used to search - type: string - required: false - mode: - title: Mode - description: When should searching stop? 
Stop after one hit or search for - all - type: string - required: false - enum: - - FIRST_HIT - - ALL_HITS - bytes_before: - title: Bytes Before - description: Include this many bytes before the hit - type: integer - required: false - bytes_after: - title: Bytes After - description: Include this many bytes after the hit - type: integer - required: false - start_offest: - title: Start Offset - description: Start searching at this file offset - type: integer - required: false - length: - title: Length - description: How far (in bytes) into the file to search or the length of the - MBR to read - type: integer - required: false - literal: - title: Literal - description: Search for this literal string - type: string - required: false - start_offset: - title: Start offset - description: Start searching at this file offset - type: integer - required: false - xor_in_key: - title: XOR in Key - description: When searching memory we need to ensure we dont hit on our own - process. This allows us to obfuscate the search string in memory to avoid - us finding ourselves - type: integer - required: false - xor_out_key: - title: XOR in Key - description: When searching memory we need to ensure we dont hit on our own - process. This allows us to obfuscate the search string in memory to avoid - us finding ourselves - type: integer - required: false - max_size: - title: Max Size - description: The maximum size of files - type: integer - required: false - oversized_file_policy: - title: Max Size - description: What should GRR do with files that are larger than max_size - type: string - required: false - enum: - - SKIP - - HASH_TRUNCATED - - DOWNLOAD_TRUNCATED - use_external_stores: - title: Use External Stores - description: If true, look in any defined external file stores for files before - downloading them, and offer any new files to external stores. 
This should - be true unless the external checks are misbehaving - type: boolean - required: false - resolve_links: - title: Resolve links - description: If true, the action will yield stat information for link targets, - if false, the stat for the link itself will be returned - type: boolean - required: false - follow_links: - title: Follow links - description: Should symbolic links be followed in recursive directory listings - type: boolean - required: false - process_non_regular_files: - title: Process Non Regular Files - description: 'Look both into regular files and non-regular files (devices, - named pipes, sockets). NOTE: This is very dangerous and should be used with - care' - type: boolean - required: false - xdev: - title: Xdev - description: Behavior when ecountering device boundaries while doing recursive - searches - type: string - required: false - enum: - - NEVER - - ALWAYS - - LOCAL - upload_token: - title: Upload Token - description: 'An upload token to use with the direct upload functionality. - This token contains the hmac authenticated policy that determines for how - long the client is allowed to upload files to the server. This is comparable - to the policy document used by GCS: https://cloud.google.com/storage/docs/xml-api/post-object#policydocument' - type: boolean - required: false - listening_only: - title: Listening Only - description: If set, only listening connections are returned - type: boolean - required: false - connection_states: - title: Connection States - description: Network connection states to match. 
If a process has any network - connections in any status listed here, it will be considered a match - type: '[]string' - required: false - enum: - - UNKNOWN - - CLOSED - - LISTEN - - SYN_SENT - - SYN_RECV - - ESTABLISHED - - FIN_WAIT1 - - FIN_WAIT2 - - CLOSE_WAIT - - CLOSING - - LAST_ACK - - TIME_WAIT - - DELETE_TCB - - NONE - - CLOSE - fetch_binaries: - title: Fetch Binaries - description: Fetches Binaries - type: boolean - required: false - filename_regex: - title: Filename Regex - description: Regex used to filter the list of processes - type: string - required: false - hunt_name: - title: Hunt Name - description: The name of the class implementing the hunt to run - type: string - required: false - description: - title: Description - description: The description of this hunt - type: string - required: false - priority: - title: Priority - description: The priority used for this flow - type: string - required: false - enum: - - LOW_PRIORITY - - MEDIUM_PRIORITY - - HIGH_PRIORITY - notification_event: - title: Notification Event - description: An event name for an event listener. An event will be published - to this listener once the flow finishes - type: string - required: false - queue: - title: Queue - description: The queue to use for the hunt - type: string - required: false - cpu_limit: - title: CPU Limit - description: A limit on the client CPU seconds used by this flow - type: integer - required: false - network_bytes_limit: - title: Network Bytes Limit - description: A limit on the total traffic used by this flow - type: integer - required: false - client_limit: - title: Client Limit - description: 'Maximum number of clients participating in the hunt. Best practice - is for all hunts to use a limit to start with and remove it only when client - impact has been assessed by looking at hunt stats. 
Note that this limit - can be overshot by a small number of clients if there are multiple workers - running ' - type: integer - required: false - expiry_time: - title: Expiry Time - description: Expiry time for the hunt - type: integer - required: false - client_rate: - title: Client Rate - description: The maximum number of clients to engage per minute. A rate of - 0 means to schedule clients as fast as possible - type: integer - required: false - crash_alert_email: - title: Crash Alert Email - description: An email address to send mails to when a client crashes during - execution of this hunt - type: string - required: false - match_mode: - title: Match Mode - description: Match mode to trigger this hunt - type: string - required: false - enum: - - MATCH_ALL - - MATCH_ANY - label: - title: Label - description: Label that triggers this hunt - type: '[]string' - required: false - operating_system: - title: Operating System - description: Type of operating system to trigger this hunt - type: string - required: false - enum: - - Os_windows - - Os_linux - - Os_darwin - regex: - title: Regex - description: Use a regular expression to trigger this hunt - type: boolean - required: false - attribute_regex: - title: Attribute Regex - description: The regular expression - type: string - required: false - field: - title: Field - description: Field Specification - type: string - required: false - default: UNSET - enum: - - UNSET - - USERNAMES - - UNAME - - FQDN - - HOST_TIPS - - CLIENT_NAME - - CLIENT_DESCRIPTION - - SYSTEM - - MAC_ADDRESSES - - KERNEL_VERSION - - OS_VERSION - - OS_RELEASE - - CLIENT_LABELS - - INSTALL_TIME - - CLIENT_VERSION - - LAST_BOOT_TIME - - CLIENT_CLOCK - integer: - title: Integer - description: Integer to trigger this hunt - type: boolean - required: false - operator: - title: Operator - description: Operator - type: string - required: false - enum: - - EQUAL - - LESS_THAN - - GREATER_THAN - value: - title: Value - description: Value - type: integer 
- required: false - output_plugin_name: - title: Output Plugin Name - description: The name of the output plugin - type: string - required: false - enum: - - EmailOutput - - BigQueryOutput - email_address: - title: Email Address - description: The email address that messages will be sent to - type: string - required: false - emails_limit: - title: Emails Limit - description: The emails limit - type: integer - required: false - export_files_contents: - title: Export Files Contents - description: 'If this is true, open files and export their full or partial - contents. Note: this may require additional datastore roundtrips and slow - down the export process, also exporting file contents may significantly - increase size of the exported data' - type: boolean - required: false - follow_urns: - title: Follow URNs - description: 'If this is true, follow urns and try to export not only the - urns themselves, but also the data they are pointing to. Note: this may - require additional datastore roundtrips and slow down the export process' - type: boolean - required: false - export_files_hashes: - title: Export Files Hashes - description: If this is true, export hashes when dealing with file-related - values. The files won't be hashed during the export, hashes will only be - exported if they were collected before the export. This option affects exporting - VFSFile and StatEntry RDFValues. This is true by default even though it - requires extra datastore roundtrips because it's very useful and users expect - the hashes to be there - type: boolean - required: false - convert_values: - title: Convert Values - description: If true, convert values for export-friendly format - type: boolean - required: false - annotations: - title: Annotations - description: Annotations to add to exported data. This field can be used to - differentiate sets of exported data inside a particular exported type. e.g. - data collected by users vs. 
data collected by cronjob
- type: '[]string'
- required: false
- output:
- results:
- title: Results
- type: string
- description: Issues found with TruffleHog
- required: false
diff --git a/plugins/grr/requirements.txt b/plugins/grr/requirements.txt
deleted file mode 100755
index 718a6919e6..0000000000
--- a/plugins/grr/requirements.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-# List third-party dependencies here, separated by newlines.
-# All dependencies must be version-pinned, eg. requests==1.2.0
-# See: https://pip.pypa.io/en/stable/user_guide/#requirements-files
-ConfigParser==3.5.0
-grr-response-proto==3.2.3.post2
-cryptography==2.0.3
-ipython==5.0.0
-protobuf==3.3.0
-requests==2.20.0
-Werkzeug==0.11.3
-grr-api-client==3.2.3.post2
diff --git a/plugins/grr/setup.py b/plugins/grr/setup.py
deleted file mode 100755
index f12dc2500d..0000000000
--- a/plugins/grr/setup.py
+++ /dev/null
@@ -1,14 +0,0 @@
-# GENERATED BY INSIGHT-PLUGIN - DO NOT EDIT
-from setuptools import setup, find_packages
-
-
-setup(name="grr-rapid7-plugin",
- version="3.0.1",
- description="Organize and start threat hunts using GRR",
- author="rapid7",
- author_email="",
- url="",
- packages=find_packages(),
- install_requires=['komand'], # Add third-party dependencies to requirements.txt, not here!
- scripts=['bin/icon_grr']
- )