#!/usr/bin/python
from termcolor import colored
import tabulate
from .functions import listeners_information
# Vendor keys collected by esa(): it appends one entry per matching process and
# never clears the list, so hits accumulate across calls (i.e. across sessions).
avs = []
# Vendor -> process image names (without ".exe") that identify the product on
# the target. esa() compares these against the agent's process list with an
# exact, case-sensitive equality test, so the spelling here must match what
# the agent reports byte for byte.
# NOTE(review): these lists are a starting point, not exhaustive, and agents
# can be deployed under renamed images — no match does not mean no product.
AV_list = {
"Kaspersky": ["avp", "avpui", "klif", "KAVFS", "kavfsslp"],
"Symantec": ["SmcGui", "SISIPSService"],
"Avast": ["aswBcc", "bcc"],
"Bitdefender": ["epag", "EPIntegrationService", "EPProtectedService", "EPSecurityService"],
"Cylance": ["CylanceSvc", "CylanceUi"],
"ESET": ["epfw", "epfwlwf", "epfwwfp"],
"FireEye Endpoint Agent": ["xagt"],
"F-Secure": ["fsdevcon", "FSORSPClient"],
# NOTE(review): the vendor is spelled "McAfee"; the key is kept as-is because
# it is the label printed in the report.
"MacAfee": ["enterceptagent", "McAfeeEngineService", "McAfeeFramework"],
"SentinelOne": ["SentinelAgent", "SentinelOne"],
"Sophos": ["sophosssp", "sophossps"],
"TrendMicro": ["tmntsrv"],
"Windows Defender": ["MsMpEng"],
"ZoneALarm": ["zlclient"],
"Panda AntiVirus": ["AVENGINE"],
"AVG": ["avgemc"],
"Avira" : ["avscan"],
"G data" : ["AVKProxy"],
}
# Log-forwarding / SIEM collector agents, keyed by process name (the value is
# unused by esa(); only the key is compared against the process list).
SIEM = {
"winlogbeat":"winlogbeat"
}
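def _parse_arch(os_version):
    """Return the text inside the first parenthesised group of ``os_version``.

    The agent reports strings such as ``Microsoft Windows 10 Pro (64-bit)``.
    The previous implementation indexed ``split("(")[1]`` directly and aborted
    the whole report with IndexError when no parenthesis was present; return
    ``"unknown"`` in that case instead.
    """
    _, sep, rest = os_version.partition("(")
    if not sep:
        return "unknown"
    return rest.split(")")[0]


def _detect_defences(processes):
    """Match reported process names against ``AV_list``, ``SIEM`` and Sysmon.

    Returns ``(vendors, siem, sysmon)``: ``vendors`` is a sorted list of the
    matched ``AV_list`` keys (deterministic report order), ``siem`` is the
    matched collector process name or ``False``, ``sysmon`` is a bool.

    Matching is case-insensitive because Windows image names are; it is still
    a whole-name match, so a name reported with an ``.exe`` suffix will not
    hit. Both the 32-bit (``Sysmon``) and 64-bit (``Sysmon64``) Sysmon images
    are recognised. A miss is not proof of absence: Sysmon can be installed
    under an arbitrary service name and EDR agents can run renamed.
    """
    vendor_by_process = {
        name.lower(): vendor
        for vendor, names in AV_list.items()
        for name in names
    }
    siem_names = {name.lower() for name in SIEM}
    sysmon_names = {"sysmon", "sysmon64"}

    vendors = set()
    siem = False
    sysmon = False
    for process in processes:
        key = process.lower()
        vendor = vendor_by_process.get(key)
        if vendor is not None:
            vendors.add(vendor)
        if key in siem_names:
            siem = process  # keep the raw name as reported, like before
        if key in sysmon_names:
            sysmon = True
    return sorted(vendors), siem, sysmon


def esa(processes, session):
    """Print the endpoint situation-awareness report for one agent session.

    ``processes`` is the agent's list of process names with five host-metadata
    fields appended at the tail, read by negative index below:
    ``[..., internal_ips, os_build, language, uptime, systime]``.
    ``session`` is the listener's session record; only indexes 2 (hostname),
    5 (domain) and 7 (OS version string) are read here. Both layouts are
    defined by the caller, not by this module — TODO confirm against the
    agent/listener code before changing either.

    Output goes to stdout; nothing is returned. The module-level ``avs`` list
    is reset to this call's vendor hits: the previous implementation only
    ever appended to it, so the report for a second session also listed the
    first session's AV products.
    """
    vendors, siem, sysmon = _detect_defences(processes)
    avs[:] = vendors  # keep the module-level name meaningful without bleed

    hostname = session[2]
    os_version = session[7]
    domain = session[5]
    if domain == "WORKGROUP":
        domain = "Not domain-joined device !"
    arch = _parse_arch(os_version)
    anti_virus = ",".join(vendors)

    # Tail-of-list metadata; layout described in the docstring.
    systime = processes[-1]
    uptime = processes[-2]
    language = processes[-3]
    os_build = processes[-4]
    internal_ips = processes[-5].split(";")

    print(colored('\nEndpoint situation awareness report for %s' % hostname, "yellow"))
    print(colored("\n============="))
    print("Hostname : \t%s" % hostname)
    print("Domain : \t%s" % domain)
    print("OS : \t\t%s" % os_version)
    print("OS build : \t%s" % os_build)
    print("OS arch : \t%s" % arch)
    print("AntiVirus : \t%s" % anti_virus)
    print("SIEM collector : %s" % siem)
    print("SysMon Enabled : %s" % sysmon)
    print("Internal interfaces/IPs :")
    for ip in internal_ips:
        print("\tIP : %s" % ip)
    print("\n")
    print("Device language : %s" % language)
    print("Device uptime : %s hours" % uptime)
    print("Device local time : %s" % systime)
    # Not yet collected by the agent: mail applications, SMB shares, internet
    # reachability, PowerShell logging state, installed applications.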