PyWhatCMS – Unofficial WhatCMS API Package

Python package for the whatcms.com API. The package provides a simple way to use the whatcms.org API for detecting 467 different Content Management Systems (CMS).

Installation

pip install pywhatcms

Usage

First of all, import pywhatcms:

from pywhatcms import whatcms

Query a domain:

whatcms('API-KEY', 'blog.underc0de.org')

Obtain info:

whatcms.name
whatcms.code
whatcms.confidence
whatcms.cms_url
whatcms.version
whatcms.msg
whatcms.id
whatcms.request
whatcms.request_web

Download Pywhatcms

Link: http://feedproxy.google.com/~r/PentestTools/~3/MipV-mhuXs0/pywhatcms-unofficial-whatcms-api-package.html

FTPBruter – A FTP Server Brute Forcing Tool

Brute forcing tool for FTP servers. FTPBruter can work on any OS that has and supports Python 3.

Feature

Brute force a FTP server with a username or a list of usernames (that's all).

Install and Run on Linux

You have to install Python 3 first:

Install Python 3 on Arch Linux and its distros: sudo pacman -S python3
Install Python 3 on Debian and its distros: sudo apt install python3

git clone https://github.com/GitHackTools/FTPBruter
cd FTPBruter
python3 ftpbruter.py

Install and Run on Windows

Download and run the Python 3.7.x setup file from Python.org. On Install Python 3.7, enable Add Python 3.7 to PATH.
Download and run the Git setup file from Git-scm.com and choose Use Git from Windows Command Prompt.
After that, open PowerShell or Command Prompt and enter these commands:

git clone https://github.com/GitHackTools/FTPBruter
cd FTPBruter
python3 ftpbruter.py

If you don't want to install Git, you can download FTPBruter-master.zip, extract it and use it.

Screenshots

Contact to coder

Website: GitHackTools.blogspot.com
Twitter: @SecureGF

To-do lists

Check anonymous login.
Auto-change proxy with brute force.

Download FTPBruter

Link: http://feedproxy.google.com/~r/PentestTools/~3/hudxodR8GrU/ftpbruter-ftp-server-brute-forcing-tool.html

fireELF – Fileless Linux Malware Framework

fireELF is an open-source fileless Linux malware framework that is cross-platform and allows users to easily create and manage payloads. By default it comes with 'memfd_create', which is a new way to run Linux ELF executables completely from memory, without having the binary touch the hard drive.

Features

Choose and build payloads.
Ability to minify payloads.
Ability to shorten payloads by uploading the payload source to a pastebin; it then creates a very small stager compatible with Python <= 2.7 which allows for easy deployment.
Output created payload to file.
Ability to create payload from either a URL or a local binary.

Included payload: memfd_create

The only included payload, 'memfd_create', is based on the research of Stuart. This payload creates an anonymous file descriptor in memory, then uses fexecve to execute the binary directly from the file descriptor. This allows for execution completely in memory, which means that if the Linux system gets restarted, the payload will be nowhere to be found.

Creating a Payload

By default fireELF comes with 'memfd_create', but users can develop their own payloads. By default the payloads are stored in payloads/, and in order to create a valid payload you simply need to include a dictionary named 'desc' with the parameters 'name', 'description', 'archs', and 'python_vers'. An example desc dictionary is below:

desc = {
    "name": "test payload",
    "description": "new memory injection or fileless elf payload",
    "archs": "all",
    "python_vers": ">2.5",
}

In addition to the 'desc' dictionary, the entry point used by the plugin engine I built requires a main function which automatically gets passed two parameters: the first is a boolean that, if true, means it is getting passed a URL; the second parameter is the data. An example of a simple entry point is below:

def main(is_url, url_or_payload):
    return

If you have a method, feel free to commit a payload!

Screenshots

Installation

Download the dependencies by running:

pip3 install -U -r dep.txt

fireELF is developed in Python 3.x.x.

Usage

usage: main.py [-h] [-s] [-p PAYLOAD_NAME] [-w PAYLOAD_FILENAME]
               (-u PAYLOAD_URL | -e EXECUTABLE_PATH)

fireELF, Linux Fileless Malware Generator

optional arguments:
  -h, --help           show this help message and exit
  -s                   Suppress Banner
  -p PAYLOAD_NAME      Name of Payload to Use
  -w PAYLOAD_FILENAME  Name of File to Write Payload to (Highly Recommended if You're not Using the Paste Site Option)
  -u PAYLOAD_URL       Url of Payload to be Executed
  -e EXECUTABLE_PATH   Location of Executable

Download fireELF
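A defender-side check for the memfd_create technique described above, added here as an example (it is not fireELF code): a binary executed with fexecve from an anonymous memory file has no path on disk, and the kernel reports its /proc/<pid>/exe link as "/memfd:<name> (deleted)". The function names and the sample link targets are constructed for illustration.

```python
"""Flag running processes whose executable is an anonymous memory file.

On Linux, memfd_create() files show up in /proc/<pid>/exe as
"/memfd:<name> (deleted)", while an ordinary deleted on-disk binary shows
its real path followed by " (deleted)".  The classification works on the
link text alone so it can be exercised offline; read_exe_targets() does
the procfs walk on a live host.  Added example, not part of fireELF."""
import os
import re

# Link target of an exe backed by memfd_create(); "(deleted)" is optional
# because the suffix only appears once the last reference is gone.
MEMFD_EXE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


def memfd_name(exe_target: str):
    """Return the memfd name when exe_target is an anonymous memory file,
    otherwise None.  A deleted regular file ("/tmp/x (deleted)") is not one."""
    m = MEMFD_EXE.match(exe_target)
    return m.group("name") if m else None


def classify_exe_targets(targets: dict) -> list:
    """targets: pid -> readlink('/proc/<pid>/exe').  Returns one finding
    per process that executes from an anonymous memory file."""
    findings = []
    for pid, target in sorted(targets.items()):
        name = memfd_name(target)
        if name is not None:
            findings.append({"pid": pid, "memfd": name, "exe": target})
    return findings


def read_exe_targets(proc: str = "/proc") -> dict:
    """Collect pid -> exe link target from procfs (Linux only).  Entries that
    cannot be read (kernel threads, exited processes, other users' processes
    without privilege) are skipped rather than treated as suspicious."""
    targets = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            targets[int(entry)] = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:
            continue
    return targets


# Constructed sample, not captured from a real host.
SAMPLE_TARGETS = {
    1: "/usr/lib/systemd/systemd",
    4242: "/memfd:stager (deleted)",   # executed from anonymous memory
    4243: "/usr/bin/python3.11",
    5000: "/tmp/build (deleted)",      # deleted on disk, but not a memfd
}

if __name__ == "__main__":
    for f in classify_exe_targets(read_exe_targets()):
        print("pid %(pid)d runs from anonymous memory file %(memfd)r" % f)
```

Running the block on a live Linux host lists processes backed by memfd; the same /proc/<pid>/exe observation is what most EDR "fileless ELF" detections key on, so this is a cheap check to add to a triage script.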

Link: http://feedproxy.google.com/~r/PentestTools/~3/nkiWxHsqM50/fireelf-fileless-linux-malware-framework.html

FLASHMINGO – Automatic Analysis Of SWF Files Based On Some Heuristics

Automatic Analysis Of SWF Files Based On Some Heuristics. Extensible Via Plugins.

Install

Install the Python (2.7) packages listed in requirements.txt. You can use the following command:

pip install -r requirements.txt

If you want to use the decompilation functionality you need to install Jython. Ubuntu/Debian users can issue:

apt install jython

Clone the project or download the zip file.

What

FLASHMINGO is an analysis framework for SWF files. The tool automatically triages suspicious Flash files and guides the further analysis process, freeing precious resources in your team. You can easily incorporate FLASHMINGO's analysis modules into your workflow.

Why

To this day forensic investigators and malware analysts must deal with suspicious SWF files. If history repeats itself the security threat may even become bigger beyond Flash's end of life in 2020. Systems will continue to support a legacy file format that is not going to be updated with security patches anymore. Automation is the best way to deal with this issue, and this is where FLASHMINGO can help you. FLASHMINGO is an analysis framework to automatically process SWF files that enables you to flag suspicious Flash samples and analyze them with minimal effort. It integrates into various analysis workflows as a stand-alone application or a powerful library. Users can easily extend the tool's functionality via custom Python plugins.

How

Architecture

FLASHMINGO is designed with simplicity in mind. It reads a SWF file and creates an object (SWFObject) representing its contents and structure. Afterwards FLASHMINGO runs a series of plugins acting on this SWFObject and returning their values to the main program.

Below a mandatory ASCII art flow diagram:

[flow diagram: SWF FILE -> FLASHMINGO -> SWFOBJECT; FLASHMINGO invokes PLUGIN 1, PLUGIN 2, ... which act on the SWFOBJECT and return their results to FLASHMINGO]

When using FLASHMINGO as a library in your own projects, you only need to take care of two kinds of objects:

one or many SWFObject(s), representing the sample(s)
a Flashmingo object. This acts essentially as a harness connecting plugins and SWFObject(s).

Plugins!

FLASHMINGO plugins are stored in their own directories under... you guessed it: plugins. When a Flashmingo object is instantiated, it goes through this directory and processes all plugins' manifests. Should a manifest indicate that the plugin is active, the plugin is registered for later use. At the code level, this means that a small plugin_info dictionary is added to the plugins list.

Plugins are invoked via the run_plugin API with two arguments:

the plugin's name
the SWFObject instance

Optionally, most of the plugins allow you to pass your own user data. This is plugin dependent (read the documentation) and can be more easily explained with an example. The default plugin SuspiciousNames will search all constant pools for strings containing suspicious substrings (for example: 'overflow', 'spray', 'shell', etc.). There is a list of common substrings already hard-coded in the plugin so that it can be used as-is. However, you may pass a list of your own defined substrings, in this case via the names parameter.

Code example:

# swf is the SWFObject created from the sample under analysis
fm = Flashmingo()
print(fm.run_plugin('DangerousAPIs', swf=swf))
print(fm.run_plugin('SuspiciousNames', swf=swf, names=['spooky']))

Default plugins

FLASHMINGO ships with some useful plugins out of the box:

binary_data
dangerous_apis
decompiler
suspicious_constants
suspicious_loops
suspicious_names
template :)

Extending FLASHMINGO

A template plugin is provided for easy development. Extending FLASHMINGO is rather straightforward. Follow these simple steps:

Copy the template
Edit the manifest
Override the run method
Add your custom code
You are ready to go :)

FLASHMINGO as a library

API

See the docs directory for autogenerated documentation
See FireEye's blog post for an example

Front-ends

Console

Create Documentation

$ pip install sphinxcontrib-napoleon

After setting up Sphinx to build your docs, enable napoleon in the Sphinx conf.py file. In conf.py, add napoleon to the extensions list:

extensions = ['sphinxcontrib.napoleon']

Use sphinx-apidoc to build your API documentation:

$ sphinx-apidoc -f -o docs/source projectdir

This creates .rst files for Sphinx to process.

$ make html

That's it! :)

Download Flashmingo
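The SWFObject-plus-SuspiciousNames idea from the Architecture and Plugins sections, reduced to a self-contained triage helper as an added example (this is not FLASHMINGO code): it parses the 8-byte SWF header, inflates a zlib-compressed (CWS) body, and scans the tag data for suspicious substrings, with a names parameter like the plugin's. SWFInfo, parse_swf, suspicious_names and build_sample_cws are illustrative names; ZWS (LZMA) files are recognised but not inflated here.

```python
"""Minimal SWF triage: header parse, CWS inflate, suspicious-substring scan.

SWF layout: 3-byte signature ("FWS" plain, "CWS" zlib, "ZWS" LZMA), 1-byte
version, 4-byte little-endian uncompressed file length (header included),
then the frame header and tags; in CWS everything after byte 8 is one zlib
stream.  Added example in the spirit of FLASHMINGO, not its code."""
import struct
import zlib
from dataclasses import dataclass

# Default substrings mirror the kind of list SuspiciousNames hard-codes.
DEFAULT_NAMES = ("overflow", "spray", "shell")


@dataclass
class SWFInfo:
    signature: str        # "FWS", "CWS" or "ZWS"
    version: int
    declared_length: int  # uncompressed length stored in the header
    body: bytes           # data after the header, inflated for CWS
    length_ok: bool       # declared_length matches what was recovered


def looks_like_swf(data: bytes) -> bool:
    return len(data) >= 8 and data[:3] in (b"FWS", b"CWS", b"ZWS")


def parse_swf(data: bytes) -> SWFInfo:
    """Parse the header and return the (inflated) tag data.

    Malformed samples are routine in malware triage, so a corrupt or
    truncated zlib stream and a length mismatch are reported through
    length_ok instead of aborting the analysis."""
    if not looks_like_swf(data):
        raise ValueError("not a SWF: missing FWS/CWS/ZWS signature")
    signature = data[:3].decode("ascii")
    version = data[3]
    (declared_length,) = struct.unpack("<I", data[4:8])
    if signature == "FWS":
        body = data[8:]
    elif signature == "CWS":
        try:
            body = zlib.decompress(data[8:])
        except zlib.error:
            body = b""  # corrupt/truncated stream; flagged via length_ok
    else:
        body = b""      # ZWS: LZMA with extra length field, not inflated here
    # declared_length counts the 8 header bytes as well.
    length_ok = signature == "ZWS" or len(body) + 8 == declared_length
    return SWFInfo(signature, version, declared_length, body, length_ok)


def suspicious_names(info: SWFInfo, names=DEFAULT_NAMES) -> list:
    """Case-insensitive search of the tag data for each substring, in the
    order given, like passing names=[...] to the SuspiciousNames plugin."""
    haystack = info.body.lower()
    return [n for n in names if n.encode("latin-1").lower() in haystack]


def build_sample_cws(payload: bytes, version: int = 10) -> bytes:
    """Constructed sample (not a real Flash file): wraps payload bytes as the
    body of a CWS so the parser can be exercised offline."""
    header = b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(payload))
    return header + zlib.compress(payload)


if __name__ == "__main__":
    sample = build_sample_cws(b"\x00" * 16 + b"heapSPRAY then stackOverflow shellcode")
    info = parse_swf(sample)
    print(info.signature, info.version, info.declared_length, info.length_ok)
    print(suspicious_names(info))  # ['overflow', 'spray', 'shell']
```

Note that the scan looks at raw tag bytes; FLASHMINGO's plugin works on parsed constant pools, so the real tool is more precise on obfuscated samples.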

Link: http://feedproxy.google.com/~r/PentestTools/~3/ACw-482_MOc/flashmingo-automatic-analysis-of-swf.html

Pepe – Collect Information About Email Addresses From Pastebin

Collect information about leaked email addresses from Pastebin

About

The script parses Pastebin email:password dumps and gathers information about each email address. It supports Google, Trumail, Pipl, FullContact and HaveIBeenPwned. Moreover, it allows you to send an informational mail to the person about their leaked password; at the end every piece of information lands in Elasticsearch for further exploration.

It supports only one format: email:password. Everything else will not work!

For now, notification works when it finds a match on FullContact and then sends you the email address and associated social media accounts.

Requirements:

Python 3
FullContact API https://www.fullcontact.com/developer/
Google
Pipl API https://pipl.com/api/
HaveIBeenPwned
SafePush (for notification - optional - in progress) https://www.pushsafer.com/
Trumail https://trumail.io/
Gmail account (sending emails)
Elasticsearch (optional)

pip install -r requirements

Config

{
  "domains": {            # domains to whitelist or blacklist
    "whitelist": [""],
    "blacklist": ["yahoo.com"]
  },
  "keys": {               # API KEYS
    "pushsafer": "API_KEY",
    "fullcontact": "API_KEY",
    "pipl": "API_KEY"
  },
  "gmail": {              # GMAIL credentials and informational message that will be sent
    "username": "your_username@gmail.com",
    "password": "password",
    "message": "Hey,\n\nI am a security researcher and I want to inform you that your password !PASSWORD! has been leaked and you should change it immediately.\nThis email is part of the research, you can find more about it on https://medium.com/@wojciech\n\nStay safe!"
  },
  "elasticsearch": {      # ElasticSearch connection info
    "host": "127.0.0.1",
    "port": 9200
  }
}

Usage

root@kali:~/PycharmProjects/pepe# python pepe.py -h
usage: pepe.py [-h] [--file FILE] [--stream] [--interactive]
               [--modules MODULES [MODULES ...]] [--elasticsearch]
               [--whitelist] [--blacklist]

[ASCII-art platypus banner; credit: clover/snark^ http://ascii.co.uk/art/platypus]

Post Exploitation Pastebin Emails
github.com/woj-ciech
medium.com/@woj_ciech

Example:
python pepe.py --file <dump.txt> --interactive --whitelist
python pepe.py --file <dump.txt> --modules hibp google trumail --elasticsearch --blacklist

optional arguments:
  -h, --help            show this help message and exit
  --file FILE           Load file
  --stream              Stream Pastebin
  --interactive         Interactive mode
  --modules MODULES [MODULES ...]
                        Modules to check in non-interactive mode
  --elasticsearch       Output to ElasticSearch
  --whitelist           Whitelist
  --blacklist           Blacklist

Example

Interactive mode: each email is checked individually and a specific module is executed.

root@kali:~/PycharmProjects/pepe# python pepe.py --file paste.txt --interactive --blacklist
-----------------------
Found email [REDACTED]@hotmail.com with password [REDACTED]
-----------------------
[A] Add domain hotmail.com to blacklist
[T] Test
[G] Google search
[H] HaveIBeenPwned
[P] Pipl
[F] FullContact
[I] Inform
[N] Next
> G
---Google Search---
http://[REDACTED]
http://[REDACTED]
http://[REDACTED]
[A] Add domain gmail.com to blacklist
[T] Test
[G] Google search
[H] HaveIBeenPwned
[P] Pipl
[F] FullContact
[I] Inform
[N] Next
> N
-----------------------
Found email [REDACTED].[REDACTED]@gmail.com with password [REDACTED]
-----------------------
[A] Add domain gmail.com to blacklist
[T] Test
[G] Google search
[H] HaveIBeenPwned
[P] Pipl
[F] FullContact
[I] Inform
[N] Next
> F
---FullContact---
[REDACTED] [REDACTED]
https://twitter.com/[REDACTED]
https://facebook.com/[REDACTED]
https:/linkedin.com/[REDACTED]
[A] Add domain gmail.com to blacklist
[T] Test
[G] Google search
[H] HaveIBeenPwned
[P] Pipl
[F] FullContact
[I] Inform
[N] Next
> P
---Pipl---
Name: [REDACTED]
[REDACTED] years old
Jobs:
Quality Control [REDACTED] (since 2018)
[REDACTED] Review [REDACTED] (2017-2018)
[REDACTED] Attorney [REDACTED] (2017-2018)
[REDACTED] Attorney at [REDACTED] (2017-2017)
...
[REDACTED] (2012-2012)
[REDACTED] Assistant at [REDACTED] (2012-2012)
Author/Founder at [REDACTED] (2009-2011)
https://www.linkedin.com/in/[REDACTED]
http://www.facebook.com/people/[REDACTED]
http://twitter.com/[REDACTED]
http://pinterest.com/[REDACTED]
https://plus.google.com/[REDACTED]
...
[REDACTED]

Non-interactive mode: only the chosen modules are executed against the email addresses.

root@kali:~/PycharmProjects/# python pepe.py --file pastetest.txt --blacklist --modules hibp google fullcontact trumail --elasticsearch
-----------------------
Found email [REDACTED]@hotmail.com with password [REDACTED]
-----------------------
---Google Search---
https://pastebin.com/[REDACTED]
---Have I Been Pwned---
LinkedIn
---FullContact---
No results
---Trumail---
Email test passed
-----------------------
Found email charlie.[REDACTED]@live.com with password [REDACTED]
-----------------------
---Google Search---
https://justpaste.it/[REDACTED]
https://pastebin.com/[REDACTED]
---Have I Been Pwned---
MyHeritage
RiverCityMedia
Tumblr
YouveBeenScraped
---FullContact---
Charlie [REDACTED]
https://twitter.com/[REDACTED]
[REDACTED]
---Trumail---
Email test passed
-----------------------
Found email [REDACTED].[REDACTED]@gmail.com with password [REDACTED]
-----------------------
---Google Search---
http://[REDACTED]
http://[REDACTED]
http://[REDACTED]
https://pastebin.com/[REDACTED]
---Have I Been Pwned---
BTSec
Exactis
HauteLook
Houzz
LinkedIn
---FullContact---
[REDACTED] [REDACTED]
https://www.facebook.com/[REDACTED]
[REDACTED]
---Trumail---
Email test passed
-----------------------
Found email [REDACTED].[REDACTED]@gmail.com with password [REDACTED]
-----------------------
---Google Search---
https://[REDACTED]
https://[REDACTED]
https://[REDACTED]
https://pastebin.com/[REDACTED]
---Have I Been Pwned---
Lastfm
LinkedIn
MySpace
Trillian
Tumblr
---FullContact---
[REDACTED] [REDACTED] [REDACTED].
https://www.facebook.com/[REDACTED]
https://plus.google.com/[REDACTED]
https://www.linkedin.com/in/[REDACTED]
http://www.pinterest.com/[REDACTED]
https://twitter.com/[REDACTED]
https://youtube.com/user/[REDACTED]
[REDACTED]

Screens

Download Pepe

Link: http://www.kitploit.com/2019/04/pepe-collect-information-about-email.html

TeleKiller – A Tool Session Hijacking And Stealer Local Passcode Telegram Windows

A tool for session hijacking and stealing the local passcode of Telegram on Windows.

Features:

Session Hijacking
Stealer Local Passcode
Keylogger
Shell
Bypass 2 Step Verification
Bypass Av (Coming Soon)

Installation Windows

git clone https://github.com/ultrasecurity/TeleKiller.git
cd TeleKiller
pip install -r requirements.txt
python TeleKiller.py

Dependency:

python 2.7
pyHook
pywin32

Video Tutorial

Operating Systems Tested

Windows 10
Windows 8.1
Windows 8
Windows 7

Contact

WebSite Ultra Security Team: https://ultrasec.org
Channel Telegram: https://t.me/UltraSecurity

Thanks to

Milad Ranjbar
MrQadir

Download TeleKiller

Link: http://www.kitploit.com/2019/04/telekiller-tool-session-hijacking-and.html

pwnedOrNot v1.1.7 – OSINT Tool To Find Passwords For Compromised Email Addresses

pwnedOrNot uses the haveibeenpwned v2 API to test email accounts and tries to find the password in Pastebin dumps.

Features

haveibeenpwned offers a lot of information about the compromised email; some useful information is displayed by this script:

Name of Breach
Domain Name
Date of Breach
Fabrication status
Verification Status
Retirement status
Spam Status

And with all this information pwnedOrNot can easily find passwords for compromised emails if the dump is accessible and it contains the password.

Tested on

Kali Linux 18.2
Ubuntu 18.04
Kali Nethunter
Termux

Installation

Ubuntu / Kali Linux / Nethunter / Termux

chmod 777 install.sh
./install.sh

Usage

python3 pwnedornot.py -h
usage: pwnedornot.py [-h] [-e EMAIL] [-f FILE] [-d DOMAIN] [-n] [-l] [-c CHECK]

optional arguments:
  -h, --help            show this help message and exit
  -e EMAIL, --email EMAIL
                        Email Address You Want to Test
  -f FILE, --file FILE  Load a File with Multiple Email Addresses
  -d DOMAIN, --domain DOMAIN
                        Filter Results by Domain Name
  -n, --nodumps         Only Check Breach Info and Skip Password Dumps
  -l, --list            Get List of all pwned Domains
  -c CHECK, --check CHECK
                        Check if your Domain is pwned

# Examples

# Check Single Email
python3 pwnedornot.py -e <email>
# OR
python3 pwnedornot.py --email <email>

# Check Multiple Emails from File
python3 pwnedornot.py -f <file name>
# OR
python3 pwnedornot.py --file <file name>

# Filter Result for a Domain Name [Ex : adobe.com]
python3 pwnedornot.py -e <email> -d <domain name>
# OR
python3 pwnedornot.py -f <file name> --domain <domain name>

# Get only Breach Info, Skip Password Dumps
python3 pwnedornot.py -e <email> -n
# OR
python3 pwnedornot.py -f <file name> --nodumps

# Get List of all Breached Domains
python3 pwnedornot.py -l
# OR
python3 pwnedornot.py --list

# Check if a Domain is Pwned
python3 pwnedornot.py -c <domain name>
# OR
python3 pwnedornot.py --check <domain name>

Demo

Download pwnedOrNot

Link: http://feedproxy.google.com/~r/PentestTools/~3/zMsIKFBaGtY/pwnedornot-v117-osint-tool-to-find.html

[python]Disabling and enabling Windows proxy settings

References:
https://superuser.com/questions/1113796/how-to-run-a-python-script-with-cmd-exe-and-make-it-invisible/1113801
https://stackoverflow.com/questions/31348111/setting-proxy-settings-in-windows-with-python-using-internetsetoption

Requirements

Disable and enable the proxy without closing Internet Explorer.
Enable the proxy setting when the auto configuration URL (PAC location) is not available.
Trigger the script to disable the proxy when your laptop is connected out of office.
Trigger the script to enable the proxy when your laptop is connected to your domain ...

Continue reading [python]Disabling and enabling Windows proxy settings

Link: http://cyruslab.net/2019/04/09/pythondisabling-and-enabling-windows-proxy-settings/

DefectDojo v1.5.4 – Application Vulnerability Correlation And Security Orchestration Application

DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.

Demo

Try out DefectDojo in the testing environment with the following credentials.

admin / defectdojo@demo#appsec
product_manager / defectdojo@demo#product

Quick Start

git clone https://github.com/DefectDojo/django-DefectDojo
cd django-DefectDojo
docker-compose up

Navigate to http://localhost:8080.

Documentation

For detailed documentation you can visit Read the Docs.

Installation Options

Kubernetes
Docker

Getting Started

We recommend checking out the about document to learn the terminology of DefectDojo and the getting started guide for setting up a new installation. We've also created some example workflows that should give you an idea of how to use DefectDojo for your own team.

Client APIs

Install the DefectDojo Python API via pip install defectdojo_api or clone the repository.
Browse the API on SwaggerHub.

Getting Involved

Realtime discussion is done in the OWASP Slack Channel, #defectdojo. Get Access.
The DefectDojo Twitter Account tweets project updates and changes.

Available Plugins

Engagement Surveys - A plugin that adds answerable surveys to engagements.
LDAP Integration
SAML Integration
Multi-Factor Auth

About Us

DefectDojo is maintained by:

Greg Anderson
Aaron Weaver (@weavera)
Matt Tesauro (@matt_tesauro)

Hall of Fame

Charles Neill (@ccneill) - Charles served as a DefectDojo Maintainer for years and wrote some of Dojo's core functionality.
Jay Paz (@jjpaz) - Jay was a DefectDojo maintainer for years. He performed Dojo's first UI overhaul, optimized code structure/features, and added numerous enhancements.

Download django-DefectDojo

Link: http://feedproxy.google.com/~r/PentestTools/~3/y_c8QTZckgk/defectdojo-v154-application.html

Beagle – An Incident Response And Digital Forensics Tool Which Transforms Security Logs And Data Into Graphs

Beagle is an incident response and digital forensics tool which transforms data sources and logs into graphs. Supported data sources include FireEye HX Triages, Windows EVTX files, SysMon logs and raw Windows memory images. The resulting graphs can be sent to graph databases such as Neo4J or DGraph, or they can be kept locally as Python NetworkX objects.

Beagle can be used directly as a Python library, or through a provided web interface.

The library can be used either as a sequence of functional calls:

>>> from beagle.datasources import SysmonEVTX
>>> graph = SysmonEVTX("malicious.evtx").to_graph()
>>> graph

Or by strictly calling each intermediate step of the data source to graph process:

>>> from beagle.backends import NetworkX
>>> from beagle.datasources import SysmonEVTX
>>> from beagle.transformers import SysmonTransformer
>>> datasource = SysmonEVTX("malicious.evtx")
# Transformers take a datasource, and transform each event
# into a tuple of one or more nodes.
>>> transformer = SysmonTransformer(datasource=datasource)
>>> nodes = transformer.run()
# Transformers output an array of nodes.
[
    (<SysMonProc> process_guid="{0ad3e319-0c16-59c8-0000-0010d47d0000}"),
    (<File> host="DESKTOP-2C3IQHO" full_path="C:\Windows\System32\services.exe"),
    ...
]
# Backends take the nodes, and transform them into graphs
>>> backend = NetworkX(nodes=nodes)
>>> G = backend.graph()
<networkx.classes.multidigraph.MultiDiGraph at 0x126b887f0>

Graphs are centered around the activity of individual processes, and are meant primarily to help analysts investigate activity on hosts, not between them.

Installation

Docker

Beagle is available as a docker file:

docker pull yampelo/beagle
mkdir -p data/beagle
docker run -v "$PWD/data/beagle":"/data/beagle" -p 8000:8000 yampelo/beagle

Python Package

It is also available as a library. Full API documentation is available on https://beagle-graphs.readthedocs.io

pip install pybeagle

Configuration

Complete overview of each configuration entry

Any entry in the configuration file can be modified using environment variables that follow the format BEAGLE__{SECTION}__{KEY}. For example, in order to change the VirusTotal API key used when using the docker image, you would use the -e parameter and set the BEAGLE__VIRUSTOTAL__API_KEY variable:

docker run -v "data/beagle":"/data/beagle" -p 8000:8000 -e "BEAGLE__VIRUSTOTAL__API_KEY=$API_KEY" beagle

Environment variables and directories can be easily defined using docker compose:

version: "3"
services:
  beagle:
    image: yampelo/beagle
    volumes:
      - /data/beagle:/data/beagle
    ports:
      - "8000:8000"
    environment:
      - BEAGLE__VIRUSTOTAL__API_KEY=$key$

Web Interface

Beagle's docker image comes with a web interface that wraps around the process of both transforming data into graphs, as well as using them to investigate data.

Uploading Data

The upload form wraps around the graph creation process, and automatically uses NetworkX as the backend. Depending on the parameters required by the data source, the form will either prompt for a file upload, or text input. For example:

VT API Sandbox Report asks for the hash to graph.
FireEye HX requires the HX triage.

Any graph created is stored locally in the folder defined under the dir key from the storage section in the configuration. This can be modified by setting the BEAGLE__STORAGE__DIR environment variable.

Optionally, a comment can be added to any graph to better help describe it.

Each data source will automatically extract metadata from the provided parameter. The metadata and comment are visible later on when viewing the existing graphs of the datasource.

Browsing Existing Graphs

Clicking on a datasource on the sidebar renders a table of all parsed graphs for that datasource.

Graph Interface

Viewing a graph in Beagle provides a web interface that allows analysts to quickly pivot around an incident.

The interface is split into two main parts: the left part, which contains various perspectives of the graph (Graph, Tree, Table, etc.), and the right part, which allows you to filter nodes and edges by type, search for nodes, and expand a node's properties. It also allows you to undo and redo operations you perform on the graph.

Any element in the graph that has a divider above it is collapsible.

Inspecting Nodes and Edges

Nodes in the graph display the first 15 characters of a specific field. For example, for a process node, this will be the process name. Edges simply show the edge type.

A single click on a node or edge will focus that node and display its information in the "Node Info" panel on the right sidebar.

Focusing on a Node

Focusing on an Edge

Expanding Neighbours

A double click on a node will pull in any neighbouring nodes. A neighbouring node is any node connected to the clicked node by an edge. If there are no neighbours to be pulled in, no change will be seen in the graph.

This is regardless of direction. That means that a parent process or a child process could be pulled in when double clicking on a node.

Beagle will only pull in 25 nodes at a time.

Hiding Nodes

A long single click on a node will hide it from the graph, as well as any edges that depend on it.

Running Mutators

Right clicking on a node exposes a context menu that allows you to run graph mutators. Mutators are functions which take the graph state, and return a new state.

Two extremely useful mutators are:

Backtracking a node: Find the sequence of nodes and edges that led to the creation of this node. Backtracking a process node will show its process tree.
Expanding all descendants: From the current node, show every node that has this node as an ancestor. Expanding a process node will show every child process node it spawned, any file it may have touched, and pretty much every activity that happened as a result of this node.

Backtracking a node

Backtracking a node is extremely useful, and is similar to doing a root cause infection in log files.

Expanding Node Descendants

Expanding a node's descendants allows you to immediately view everything that happened because of this node. This action reveals the subgraph rooted at the selected node.

Toggling Node and Edge Types

Sometimes a node or edge type might not be relevant to the current incident; you can toggle edge and node types on and off. As soon as the type is toggled, the nodes or edges of that type are removed from the visible graph.

Toggling a node type off prevents that node type from being used when running mutators, or when pulling in neighbours.

Undo/Redo Action and Reset

Any action in the graph is immediately reversible! Using the undo/redo buttons you can revert any action you perform. The reset button sets the graph state to when it loaded, saving you a refresh.

Graph Perspectives

As you change the graph's current state using the above actions, you might also want to view the current set of visible nodes and edges in a different perspective. The tabs at the top of the graph screen allow you to transform the data into a variety of views:

Graph (Default perspective)
Tree
Table
Timeline
Markdown

Each of the perspectives supports focusing on nodes by clicking on them.

Python Library

The graph generation process can be performed programmatically using the Python library. The graph generation process is made up of three steps:

DataSource classes parse and yield events one by one.
Transformer classes take those inputs, and transform them into various Node classes such as Process.
Backend classes take the array of nodes, place them into a graph structure, and send them to a desired location.

The Python package can be installed via pip:

pip install pybeagle

Creating a graph requires chaining these together. This can be done for you using the to_graph() function:

from beagle.datasources import HXTriage

# By default, using the to_graph() class uses NetworkX and the first transformer.
G = HXTriage('test.mans').to_graph()
<networkx.classes.multidigraph.MultiDiGraph at 0x12700ee10>

It can also be done explicitly at each step. Using the functional calls, you can also define which Backend you wish to use, for example to send data to DGraph:

from beagle.datasources import HXTriage
from beagle.backends import DGraph
from beagle.transformers import FireEyeHXTransformer

# The data will be sent to the DGraph instance configured in the
# configuration file
backend = HXTriage('test.mans').to_graph(backend=DGraph)

# Can also specify the transformer
backend = HXTriage('test.mans').to_transformer(transformer=FireEyeHXTransformer).to_graph(backend=DGraph)

When calling the to_graph or to_transformer methods, you can pass in any arguments to those classes:

from beagle.datasources import HXTriage
from beagle.backends import Graphistry

# Send to Graphistry, anonymize the data first, and return the URL
graphistry_url = HXTriage('test.mans').to_graph(backend=Graphistry, anonymize=True, render=False)

You can also manually invoke each step in the above process, accessing the intermediary outputs:

>>> from beagle.backends import NetworkX
>>> from beagle.datasources import HXTriage
>>> from beagle.transformers import FireEyeHXTransformer
>>> datasource = HXTriage("test.mans")
>>> transformer = FireEyeHXTransformer(datasource=datasource)
>>> nodes = transformer.run()
>>> backend = NetworkX(nodes=nodes)
>>> G = backend.graph()

If you want to manually call each step, you will need to ensure that the Transformer class instance is compatible with the output of the provided DataSource class. All Backends are compatible with all Transformers. Each data source defines the list of transformers it is compatible with, and this can be accessed via the .transformers attribute:

>>> from beagle.datasources import HXTriage
>>> HXTriage.transformers
[beagle.transformers.fireeye_hx_transformer.FireEyeHXTransformer]

Controlling Edge Generation

By default, edges are not condensed; that means that if a process node u writes to a file node v 5000 times, you will have 5000 edges between those nodes. Sometimes, especially when trying to visualize the data, this may overwhelm an analyst.

You can condense all 5000 edges into a single edge for that type of action (wrote in this case) by passing the backend class the consolidate_edges=True parameter. By default, the web interface will consolidate the edges.

Documentation

REST API Overview
Configuration
Development
Design Logic

Download Beagle
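The three-step pipeline from the Python Library section and the consolidate_edges behaviour from Controlling Edge Generation, modelled end to end as an added example (this is not Beagle's code): the class names are illustrative, the events are constructed Sysmon-like dicts rather than a real EVTX, and the backend keeps a plain dict instead of a NetworkX MultiDiGraph.

```python
"""Toy DataSource -> Transformer -> Backend pipeline with edge consolidation.

Shows why a process writing one file 5000 times yields 5000 parallel 'wrote'
edges in a multigraph, and how consolidating collapses them into a single
edge with a count.  Added example; not part of the Beagle project."""
from collections import Counter
from typing import Iterator, List, Tuple

Node = Tuple[str, str]         # (node_type, key), e.g. ("Process", "svchost.exe:4242")
Edge = Tuple[Node, str, Node]  # (source, edge_type, target)

# Constructed events, not real telemetry: one process create (Sysmon EventID 1),
# then the same process writing the same file 5000 times (EventID 11).
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 1, "ProcessId": 4242, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentProcessId": 800, "ParentImage": "C:\\Windows\\System32\\services.exe"},
] + [
    {"EventID": 11, "ProcessId": 4242, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Users\\Public\\out.bin"}
    for _ in range(5000)
]


class ListDataSource:
    """DataSource step: parse raw input and yield events one by one."""
    def __init__(self, events: List[dict]):
        self._events = events

    def events(self) -> Iterator[dict]:
        yield from self._events


class SysmonLikeTransformer:
    """Transformer step: turn each event into (node, edge_type, node) tuples."""
    def __init__(self, datasource: ListDataSource):
        self.datasource = datasource

    @staticmethod
    def _proc(image: str, pid: int) -> Node:
        return ("Process", "%s:%d" % (image.rsplit("\\", 1)[-1], pid))

    def run(self) -> List[Edge]:
        out: List[Edge] = []
        for ev in self.datasource.events():
            proc = self._proc(ev["Image"], ev["ProcessId"])
            if ev["EventID"] == 1:
                parent = self._proc(ev["ParentImage"], ev["ParentProcessId"])
                out.append((parent, "launched", proc))
            elif ev["EventID"] == 11:
                out.append((proc, "wrote", ("File", ev["TargetFilename"])))
            # other event types are ignored by this toy transformer
        return out


class DictBackend:
    """Backend step: place nodes and edges into a graph structure.

    consolidate_edges=False keeps one edge per action (a multigraph);
    consolidate_edges=True keeps one edge per distinct (u, type, v) and
    records how many actions it stands for."""
    def __init__(self, nodes: List[Edge], consolidate_edges: bool = False):
        self.edges = nodes
        self.consolidate_edges = consolidate_edges

    def graph(self) -> dict:
        node_set = {n for u, _, v in self.edges for n in (u, v)}
        if self.consolidate_edges:
            edges = [(u, t, v, c) for (u, t, v), c in Counter(self.edges).items()]
        else:
            edges = [(u, t, v, 1) for u, t, v in self.edges]
        return {"nodes": node_set, "edges": edges}


def to_graph(events: List[dict], consolidate_edges: bool = False) -> dict:
    """Chain the three steps, like the convenience to_graph() on the page."""
    nodes = SysmonLikeTransformer(ListDataSource(events)).run()
    return DictBackend(nodes, consolidate_edges=consolidate_edges).graph()


if __name__ == "__main__":
    for flag in (False, True):
        g = to_graph(SAMPLE_EVENTS, consolidate_edges=flag)
        print("consolidate_edges=%s -> %d nodes, %d edges"
              % (flag, len(g["nodes"]), len(g["edges"])))
```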

Link: http://www.kitploit.com/2019/04/beagle-incident-response-and-digital.html