@caoimhinp
Last active October 13, 2016 09:15

Revisions

  1. caoimhinp revised this gist Oct 13, 2016. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion EAgentSummary.rb
    @@ -56,7 +56,7 @@ def eval_expressions(input)

    def get_tree(path)
    # outputs a tree of the directory
    # WARNING: this is not safe and you can absolutely hack yourself
    # WARNING: this is not safe and you can absolutely hack yourself :)
    # Don't automate this or setuid root or whatever.
    `tree "#{path}"`
    end
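Review bot: This hunk only appends `:)` to the warning comment; the construct the warning is about, `tree "#{path}"` in `get_tree`, is unchanged, so a path containing a double quote or a `$(...)` sequence is still handed to the shell. Running `tree` without a shell, for example `IO.popen(["tree", path], &:read)`, passes `path` as a single argument and makes the warning (and the "don't setuid root" advice) unnecessary.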
  2. caoimhinp created this gist Oct 13, 2016.
    72 changes: 72 additions & 0 deletions EAgentSummary.rb
    @@ -0,0 +1,72 @@
    #!/usr/bin/env ruby
    #
    # EAgentSummary
    #
    # This short script provides a summary of Empire agent
    # timelines and loot without the output.
    # I may or may not do anything else to this.
    # I just wrote it to make reviewing agents logs a bit
    # faster.
    #
    # usage:
    #
    # caoimhinp
    #
    # usage:
    # EAgentSummary.rb <agent log file>
    #
    # Example:
    # EAgentSummary.rb ./YYMDGDGWEEODFSNG/agent.log
    #

    require 'pry'
    require 'pry-nav'


    class EAgentSummary

    @@expressions = {:internal_regex => /internal_ip/,
    :checkin_regex => /checkin_time/,
    :hostname_regex => /hostname/,
    :username_regex => /username/,
    :listener_regex => /listener/,
    :external_regex => /external_ip/,
    :lastseen_regex => /lastseen_time/}
    # Matches date lines
    @@command_regex = /\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} :/

    def eval_expressions(input)
    matched_prev = false
    input.each_line do |i|
    if matched_prev
    matched_prev = false
    puts i
    else
    @@expressions.each_value {|value| puts i if i =~ value}
    # capture the date line as an indicator that a command was run
    # tell the script to output the next line as well
    if i =~ @@command_regex then
    matched_prev = true
    puts i
    next
    end
    end
    end
    end

    def get_tree(path)
    # outputs a tree of the directory
    # WARNING: this is not safe and you can absolutely hack yourself
    # Don't automate this or setuid root or whatever.
    `tree "#{path}"`
    end
    end

    agent_log = ARGV[0]
    agent_path = File.dirname(ARGV[0])
    file = File.open(agent_log, "rb")
    contents = file.read

    Empire = EAgentSummary.new()
    Empire.eval_expressions(contents)
    puts Empire.get_tree(agent_path)
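Review bot: The tail of the file (`agent_log = ARGV[0]` through `puts Empire.get_tree(agent_path)`) uses `ARGV[0]` with no check, so running the script without an argument fails inside `File.dirname(nil)` with a TypeError rather than the usage text the header promises; an `abort("usage: EAgentSummary.rb <agent log file>") if ARGV.empty?` would cover that. Smaller points in the same hunk: `Empire = EAgentSummary.new()` assigns to a constant where a local (`summary = ...`) is meant; `file = File.open(agent_log, "rb")` is never closed, and `File.read(agent_log)` does the same in one line; `require 'pry'` and `require 'pry-nav'` are debugging dependencies nothing in the script uses; in `eval_expressions`, `@@expressions.each_value { |value| puts i if i =~ value }` prints a line once per matching pattern, so a line matching two keys is printed twice (`puts i if @@expressions.values.any? { |re| i =~ re }` prints it once); the header repeats `# usage:` twice; and `get_tree` interpolates `path` into a shell command, which the comment itself flags.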