caoimhinp · October 13, 2016 09:15
diff --git a/EAgentSummary.rb b/EAgentSummary.rb
 #!/usr/bin/env ruby
 #
 # EAgentSummary
 #
 # This short script provides a summary of Empire agent
 # timelines and loot without the output.
 # I may or may not do anything else to this.
 # I just wrote it to make reviewing agents logs a bit
 # faster.
 #
 # usage:
 #
 # caoimhinp
 #
 #  usage:
 #  EAgentSummary.rb <agent log file>
 #
 #  Example:
 #  EAgentSummary.rb ./YYMDGDGWEEODFSNG/agent.log
 #

 require 'pry'
 require 'pry-nav'


 class EAgentSummary

    @@expressions = {:internal_regex => /internal_ip/,
                    :checkin_regex => /checkin_time/,
                    :hostname_regex => /hostname/,
                    :username_regex => /username/,
                    :listener_regex => /listener/,
                    :external_regex => /external_ip/,
                    :lastseen_regex => /lastseen_time/}
    # Matches date lines
    @@command_regex = /\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} :/

    def eval_expressions(input)
      matched_prev = false
      input.each_line do |i|
        if matched_prev
          matched_prev = false
          puts i
        else
          @@expressions.each_value {|value| puts i if i =~ value}
          # capture the date line as an indicator that a command was run
          # tell the script to output the next line as well
          if i =~ @@command_regex then
            matched_prev = true
            puts i
            next
          end
        end
      end
    end

    def get_tree(path)
      # outputs a tree of the directory
      # WARNING: this is not safe and you can absolutely hack yourself :)
      # Don't automate this or setuid root or whatever.
      `tree "#{path}"`
    end
 end

 agent_log = ARGV[0]
 agent_path = File.dirname(ARGV[0])
 file = File.open(agent_log, "rb")
 contents = file.read

 Empire = EAgentSummary.new()
 Empire.eval_expressions(contents)
 puts Empire.get_tree(agent_path)
	#!/usr/bin/env ruby
	#
	# EAgentSummary
	#
	# This short script provides a summary of Empire agent
	# timelines and loot without the output.
	# I may or may not do anything else to this.
	# I just wrote it to make reviewing agents logs a bit
	# faster.
	#
	# usage:
	#
	# caoimhinp
	#
	# usage:
	# EAgentSummary.rb <agent log file>
	#
	# Example:
	# EAgentSummary.rb ./YYMDGDGWEEODFSNG/agent.log
	#

	require 'pry'
	require 'pry-nav'


	class EAgentSummary

	@@expressions = {:internal_regex => /internal_ip/,
	:checkin_regex => /checkin_time/,
	:hostname_regex => /hostname/,
	:username_regex => /username/,
	:listener_regex => /listener/,
	:external_regex => /external_ip/,
	:lastseen_regex => /lastseen_time/}
	# Matches date lines
	@@command_regex = /\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} :/

	def eval_expressions(input)
	matched_prev = false
	input.each_line do \|i\|
	if matched_prev
	matched_prev = false
	puts i
	else
	@@expressions.each_value {\|value\| puts i if i =~ value}
	# capture the date line as an indicator that a command was run
	# tell the script to output the next line as well
	if i =~ @@command_regex then
	matched_prev = true
	puts i
	next
	end
	end
	end
	end

	def get_tree(path)
	# outputs a tree of the directory
	# WARNING: this is not safe and you can absolutely hack yourself :)
	# Don't automate this or setuid root or whatever.
	`tree "#{path}"`
	end
	end

	agent_log = ARGV[0]
	agent_path = File.dirname(ARGV[0])
	file = File.open(agent_log, "rb")
	contents = file.read

	Empire = EAgentSummary.new()
	Empire.eval_expressions(contents)
	puts Empire.get_tree(agent_path)
No results found