From 3825f2bd937194c0f719da08348b283c78c6fd97 Mon Sep 17 00:00:00 2001
From: Elad Levi <58475124+JakePeralta7@users.noreply.github.com>
Date: Fri, 8 Dec 2023 20:34:37 +0200
Subject: [PATCH 1/5] Refactoring the delete_file action

---
 cyberwindowsremotemanagement.json | 3469 +++++++++++++++++++++++++++++
 winrm_connector.py | 10 +-
 2 files changed, 3475 insertions(+), 4 deletions(-)
 create mode 100644 cyberwindowsremotemanagement.json

diff --git a/cyberwindowsremotemanagement.json b/cyberwindowsremotemanagement.json
new file mode 100644
index 0000000..087a652
--- /dev/null
+++ b/cyberwindowsremotemanagement.json
@@ -0,0 +1,3469 @@ +{ + "appid": "024da1a3-b64f-4974-b841-051b4d3c993d", + "name": "Cyber Windows Remote Management", + "description": "This app integrates with the Windows Remote Management service to execute various actions", + "type": "endpoint", + "product_vendor": "Microsoft_clone_1702059179715", + "logo": "logo_microsoft.svg", + "logo_dark": "logo_microsoft_dark.svg", + "product_name": "Windows Remote Management_clone_1702059179715", + "product_version_regex": ".*", + "publisher": "Splunk", + "license": "Copyright (c) 2018-2023 Splunk Inc.", + "app_version": "1.0.0", + "utctime_updated": "2023-12-08T18:13:44.087303Z", + "package_name": "phantom_cyberwindowsremotemanagement", + "main_module": "winrm_connector.py", + "min_phantom_version": "6.1.1", + "fips_compliant": true, + "python_version": "3", + "latest_tested_versions": [ + "On-premise, Windows Server 2012 R2 Standard" + ], + "app_wizard_version": "1.0.0", + "configuration": { + "endpoint": { + "description": "IP/Hostname (For TEST CONNECTIVITY and default, if not provided in an action)", + "data_type": "string", + "order": 0, + "name": "endpoint", + "id": 0 + }, + "verify_server_cert": { + "description": "Verify Server Certificate", + "data_type": "boolean", + "default": "False", + "order": 1, + "name": "verify_server_cert", + "id": 1 + }, + "default_protocol": { + "description": "Default protocol for actions", + "data_type": "string", + "default": "http", + "order": 2, + "value_list": [ + "http", + "https" + ], + "name": "default_protocol", + "id": 2 + }, + "default_port": { + "description": "Default port for actions", + "data_type": "numeric", + "default": 5985, + "order": 3, + "name": "default_port", + "id": 3 + }, + "domain": { + "description": "Domain", + "data_type": "string", + "order": 4, + "name": "domain", + "id": 4 + }, + "username": { + "description": "Username", + "data_type": "string", + "required": true, + "order": 5, + "name": "username", + "id": 5 + }, + "password": { + "description": 
"Password", + "data_type": "password", + "required": true, + "order": 6, + "name": "password", + "id": 6 + }, + "transport": { + "description": "Type of transport to use", + "data_type": "string", + "required": true, + "value_list": [ + "basic", + "ntlm" + ], + "default": "basic", + "order": 7, + "name": "transport", + "id": 7 + } + }, + "actions": [ + { + "action": "test connectivity", + "description": "Validate the asset configuration for connectivity using supplied configuration", + "type": "test", + "identifier": "test_connectivity", + "read_only": true, + "parameters": {}, + "output": [], + "versions": "EQ(*)" + }, + { + "action": "run command", + "description": "Execute a command on the endpoint", + "verbose": "Unless you implement a custom parser, this action will always succeed regardless of the input. Either a command or pair of command_id and shell_id must be specified. If a command_id is present, all other parameters will be ignored.

Note: The command_id and shell_id you provide to fetch the output can only be used once because once the output is fetched successfully server will remove output from its cache.

", + "type": "generic", + "identifier": "run_command", + "read_only": false, + "parameters": { + "command": { + "description": "The command to be run", + "data_type": "string", + "order": 1, + "name": "command" + }, + "arguments": { + "description": "The arguments for the command", + "data_type": "string", + "order": 2, + "name": "arguments" + }, + "parser": { + "description": "The vault ID of a custom parser to use for output", + "contains": [ + "vault id" + ], + "primary": true, + "data_type": "string", + "order": 3, + "name": "parser" + }, + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + }, + "async": { + "description": "Start the command, but don't wait for output", + "data_type": "boolean", + "default": false, + "order": 4, + "name": "async" + }, + "command_id": { + "description": "Command ID of async command (Provide with shell_id)", + "data_type": "string", + "primary": true, + "order": 5, + "contains": [ + "winrm command id" + ], + "name": "command_id" + }, + "shell_id": { + "description": "Shell ID of async command (Provide with command_id)", + "data_type": "string", + "order": 6, + "contains": [ + "winrm shell id" + ], + "primary": true, + "name": "shell_id" + } + }, + "output": [ + { + "data_path": "action_result.parameter.arguments", + "data_type": "string", + "example_values": [ + "/all" + ] + }, + { + "data_path": "action_result.parameter.async", + "data_type": "boolean", + "example_values": [ + true, + false + ] + }, + { + "data_path": "action_result.parameter.command", + "data_type": "string", + "example_values": [ + "ipconfig" + ] + }, + { + "data_path": "action_result.parameter.command_id", + "data_type": "string", + "contains": [ + "winrm command id" + ], + "example_values": [ + "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" + ] + }, + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + 
"contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": "action_result.parameter.parser", + "data_type": "string", + "contains": [ + "vault id" + ], + "example_values": [ + "8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56" + ] + }, + { + "data_path": "action_result.parameter.shell_id", + "data_type": "string", + "contains": [ + "winrm shell id" + ], + "example_values": [ + "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" + ] + }, + { + "data_path": "action_result.data.*.status_code", + "data_type": "numeric", + "example_values": [ + 0 + ] + }, + { + "data_path": "action_result.data.*.std_err", + "data_type": "string", + "example_values": [ + "Error message" + ] + }, + { + "data_path": "action_result.data.*.std_out", + "data_type": "string", + "example_values": [ + "Successful output" + ] + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "column_name": "Message", + "column_order": 0, + "example_values": [ + "Successfully ran command" + ] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.summary.command_id", + "data_type": "string", + "contains": [ + "winrm command id" + ], + "example_values": [ + "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" + ] + }, + { + "data_path": "action_result.summary.shell_id", + "data_type": "string", + "contains": [ + "winrm shell id" + ], + "example_values": [ + "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" + ] + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "run script", + "description": "Run a PowerShell script on the 
endpoint", + "verbose": "The script you provide can either be in the vault, or it can just be a string of the script to run. If both values are present, it will use the script_file over the script_str. Unless you implement a custom parser, this action will always succeed regardless of the input. If command_id and shell_id are present, script_file and script_str will be ignored. This action will fail if at least one of script_file, script_str, or the pair of command_id and shell_id are not specified.

Note: The command_id and shell_id you provide to fetch the output can only be used once because once the output is fetched successfully server will remove output from its cache.

", + "type": "generic", + "identifier": "run_script", + "read_only": false, + "parameters": { + "script_file": { + "description": "The vault ID of a PowerShell script to run", + "contains": [ + "vault id" + ], + "data_type": "string", + "primary": true, + "order": 1, + "name": "script_file" + }, + "script_str": { + "description": "A PowerShell script to run", + "data_type": "string", + "order": 2, + "name": "script_str" + }, + "parser": { + "description": "The vault ID of a custom parser to use for output", + "contains": [ + "vault id" + ], + "data_type": "string", + "primary": true, + "order": 3, + "name": "parser" + }, + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + }, + "async": { + "description": "Start the command, but don't wait for output", + "data_type": "boolean", + "default": false, + "order": 4, + "name": "async" + }, + "command_id": { + "description": "Command ID of async command (Provide with shell_id)", + "data_type": "string", + "order": 5, + "primary": true, + "contains": [ + "winrm command id" + ], + "name": "command_id" + }, + "shell_id": { + "description": "Shell ID of async command (Provide with command_id)", + "data_type": "string", + "order": 6, + "contains": [ + "winrm shell id" + ], + "primary": true, + "name": "shell_id" + } + }, + "output": [ + { + "data_path": "action_result.parameter.async", + "data_type": "boolean", + "example_values": [ + true, + false + ] + }, + { + "data_path": "action_result.parameter.command_id", + "data_type": "string", + "contains": [ + "winrm command id" + ], + "example_values": [ + "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" + ] + }, + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": "action_result.parameter.parser", + 
"data_type": "string", + "contains": [ + "vault id" + ], + "example_values": [ + "8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56" + ] + }, + { + "data_path": "action_result.parameter.script_file", + "data_type": "string", + "contains": [ + "vault id" + ], + "example_values": [ + "8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56" + ] + }, + { + "data_path": "action_result.parameter.script_str", + "data_type": "string", + "example_values": [ + "Write-Host Hello" + ] + }, + { + "data_path": "action_result.parameter.shell_id", + "data_type": "string", + "contains": [ + "winrm shell id" + ], + "example_values": [ + "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" + ] + }, + { + "data_path": "action_result.data.*.status_code", + "data_type": "numeric", + "example_values": [ + 0 + ] + }, + { + "data_path": "action_result.data.*.std_err", + "data_type": "string", + "example_values": [ + "Error message" + ] + }, + { + "data_path": "action_result.data.*.std_out", + "data_type": "string", + "example_values": [ + "Successful output" + ] + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "column_name": "Message", + "column_order": 0, + "example_values": [ + "Successfully ran PowerShell script" + ] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.summary.command_id", + "data_type": "string", + "contains": [ + "winrm command id" + ], + "example_values": [ + "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" + ] + }, + { + "data_path": "action_result.summary.shell_id", + "data_type": "string", + "contains": [ + "winrm shell id" + ], + "example_values": [ + "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" + ] + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 
1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "list processes", + "description": "List the currently running processes", + "type": "investigate", + "identifier": "list_processes", + "read_only": true, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + } + }, + "output": [ + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": "action_result.data.*.handles", + "data_type": "numeric", + "example_values": [ + 33 + ] + }, + { + "data_path": "action_result.data.*.name", + "data_type": "string", + "contains": [ + "process name" + ], + "example_values": [ + "cmd" + ], + "column_name": "Process Name", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.non_paged_memory", + "data_type": "numeric", + "example_values": [ + 3 + ], + "column_name": "Non Paged Memory", + "column_order": 2 + }, + { + "data_path": "action_result.data.*.paged_memory", + "data_type": "numeric", + "example_values": [ + 1564 + ], + "column_name": "Paged Memory", + "column_order": 3 + }, + { + "data_path": "action_result.data.*.pid", + "data_type": "numeric", + "example_values": [ + 3108 + ], + "contains": [ + "pid" + ], + "column_name": "PID", + "column_order": 1 + }, + { + "data_path": "action_result.data.*.processor_time_(s)", + "data_type": "numeric", + "example_values": [ + 0.02 + ], + "column_name": "Processor Time (s)", + "column_order": 5 + }, + { + "data_path": "action_result.data.*.virtual_memory", + "data_type": "numeric", + "example_values": [ + 14 + ] + }, + { + "data_path": "action_result.data.*.working_set", + "data_type": "numeric", + "example_values": [ + 2384 + ], + "column_name": "Working Set", + "column_order": 4 + 
}, + { + "data_path": "action_result.data.*.session_id", + "data_type": "numeric" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully got process list" + ] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.summary.num_processes", + "data_type": "numeric", + "example_values": [ + 451 + ] + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "terminate process", + "description": "Terminate a process", + "type": "generic", + "identifier": "terminate_process", + "read_only": false, + "parameters": { + "pid": { + "description": "The PID of the process to terminate", + "data_type": "numeric", + "primary": true, + "contains": [ + "pid" + ], + "order": 1, + "name": "pid" + }, + "name": { + "description": "Name of program to terminate, accepts wildcards", + "data_type": "string", + "primary": true, + "contains": [ + "process name" + ], + "order": 2, + "name": "name" + }, + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + } + }, + "output": [ + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": "action_result.parameter.name", + "data_type": "string", + "contains": [ + "process name" + ], + "example_values": [ + "iexplore" + ] + }, + { + "data_path": "action_result.parameter.pid", + "data_type": 
"numeric", + "contains": [ + "pid" + ], + "example_values": [ + 451 + ] + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully terminated process" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "list connections", + "description": "List all active connections", + "type": "investigate", + "identifier": "list_connections", + "read_only": true, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + } + }, + "output": [ + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": "action_result.data.*.foreign_address_ip", + "data_type": "string", + "example_values": [ + "8.8.8.8" + ], + "contains": [ + "ip" + ], + "column_name": "Foreign Address", + "column_order": 3 + }, + { + "data_path": "action_result.data.*.foreign_address_port", + "data_type": "string", + "example_values": [ + "11100" + ], + "contains": [ + "port" + ], + "column_name": "Foreign Address Port", + "column_order": 4 + }, + { + "data_path": "action_result.data.*.local_address_ip", + "data_type": "string", + "example_values": [ + "8.8.8.8" + ], + "contains": [ + "ip" + ], + 
"column_name": "Local Address", + "column_order": 1 + }, + { + "data_path": "action_result.data.*.local_address_port", + "data_type": "string", + "example_values": [ + "11100" + ], + "contains": [ + "port" + ], + "column_name": "Local Address Port", + "column_order": 2 + }, + { + "data_path": "action_result.data.*.pid", + "data_type": "numeric", + "example_values": [ + 451 + ], + "contains": [ + "pid" + ], + "column_name": "PID", + "column_order": 5 + }, + { + "data_path": "action_result.data.*.protocol", + "data_type": "string", + "example_values": [ + "TCP" + ], + "column_name": "Protocol", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.state", + "data_type": "string", + "example_values": [ + "ESTABLISHED" + ] + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully listed connections" + ] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.summary.num_connections", + "data_type": "numeric", + "example_values": [ + 451 + ] + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "list firewall rules", + "description": "List the firewall rules", + "verbose": "When you are using the other parameter, you can match for any field which is returned in the action result. 
It will only return a rule if it matches all of the criteria, not if it matches at least one.", + "type": "investigate", + "identifier": "list_firewall_rules", + "read_only": true, + "parameters": { + "filter_port": { + "description": "Only show firewall rules acting on this port", + "data_type": "string", + "primary": true, + "contains": [ + "port" + ], + "order": 1, + "name": "filter_port" + }, + "filter_ip": { + "description": "Only show firewall rules acting on this ip", + "data_type": "string", + "primary": true, + "contains": [ + "ip" + ], + "order": 2, + "name": "filter_ip" + }, + "direction": { + "description": "Only show firewall rules in this direction", + "data_type": "string", + "value_list": [ + "in", + "out" + ], + "order": 3, + "name": "direction" + }, + "protocol": { + "description": "Only show firewall rules using this protocol", + "data_type": "string", + "contains": [ + "winrm protocol" + ], + "order": 4, + "primary": true, + "name": "protocol" + }, + "other": { + "description": "JSON object of key value pairs of other fields to match", + "data_type": "string", + "order": 5, + "name": "other" + }, + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + } + }, + "output": [ + { + "data_path": "action_result.parameter.direction", + "data_type": "string", + "example_values": [ + "in" + ] + }, + { + "data_path": "action_result.parameter.filter_ip", + "data_type": "string", + "example_values": [ + "8.8.8.8" + ], + "contains": [ + "ip" + ] + }, + { + "data_path": "action_result.parameter.filter_port", + "data_type": "string", + "example_values": [ + 11100 + ], + "contains": [ + "port" + ] + }, + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": 
"action_result.parameter.other", + "data_type": "string", + "example_values": [ + "{\"enabled\": \"yes\"}" + ] + }, + { + "data_path": "action_result.parameter.protocol", + "data_type": "string", + "example_values": [ + "tcp" + ], + "contains": [ + "winrm protocol" + ] + }, + { + "data_path": "action_result.data.*.action", + "data_type": "string", + "example_values": [ + "allow" + ] + }, + { + "data_path": "action_result.data.*.direction", + "data_type": "string", + "example_values": [ + "in" + ], + "column_name": "Direction", + "column_order": 1 + }, + { + "data_path": "action_result.data.*.edge_traversal", + "data_type": "string", + "example_values": [ + "no" + ] + }, + { + "data_path": "action_result.data.*.enabled", + "data_type": "string", + "example_values": [ + "yes" + ] + }, + { + "data_path": "action_result.data.*.grouping", + "data_type": "string", + "example_values": [ + "windows remote management" + ] + }, + { + "data_path": "action_result.data.*.local_ip", + "data_type": "string", + "example_values": [ + "any" + ], + "contains": [ + "ip" + ], + "column_name": "Local IP", + "column_order": 2 + }, + { + "data_path": "action_result.data.*.local_port", + "data_type": "string", + "example_values": [ + "5985" + ], + "contains": [ + "port" + ], + "column_name": "Local Port", + "column_order": 3 + }, + { + "data_path": "action_result.data.*.profiles", + "data_type": "string", + "example_values": [ + "domain,private" + ] + }, + { + "data_path": "action_result.data.*.protocol", + "data_type": "string", + "example_values": [ + "tcp" + ], + "contains": [ + "winrm protocol" + ] + }, + { + "data_path": "action_result.data.*.remote_ip", + "data_type": "string", + "example_values": [ + "any" + ], + "contains": [ + "ip" + ], + "column_name": "Remote IP", + "column_order": 4 + }, + { + "data_path": "action_result.data.*.remote_port", + "data_type": "string", + "example_values": [ + "any" + ], + "contains": [ + "port" + ], + "column_name": "Remote Port", + 
"column_order": 5 + }, + { + "data_path": "action_result.data.*.rule_name", + "data_type": "string", + "example_values": [ + "windows remote management (http-in)" + ], + "contains": [ + "windows firewall rule name" + ], + "column_name": "Rule Name", + "column_order": 0 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully retrieved firewall rules" + ] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.summary.num_rules", + "data_type": "numeric", + "example_values": [ + 451 + ] + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "delete firewall rule", + "description": "Remove a firewall rule using netsh", + "verbose": "This action will invoke the command netsh advfirewall firewall delete rule, and the rest is determined by the input. 
At a minimum, the rule name must be provided, but if you need to you can also specify any other arguments which the command accepts, in the same manner, that input from the add firewall rule gets added.", + "type": "generic", + "identifier": "delete_firewall_rule", + "read_only": false, + "parameters": { + "name": { + "description": "The name of the rule to remove", + "data_type": "string", + "contains": [ + "windows firewall rule name" + ], + "primary": true, + "required": true, + "order": 1, + "name": "name" + }, + "dir": { + "description": "Blocks inbound or outbound traffic", + "data_type": "string", + "value_list": [ + "in", + "out" + ], + "order": 2, + "name": "dir" + }, + "remote_ip": { + "description": "Firewall rule acts on this remote IP", + "data_type": "string", + "contains": [ + "ip" + ], + "order": 3, + "primary": true, + "name": "remote_ip" + }, + "local_ip": { + "description": "Firewall rule acts on this local IP", + "data_type": "string", + "contains": [ + "ip" + ], + "order": 4, + "primary": true, + "name": "local_ip" + }, + "remote_port": { + "description": "Firewall rule acts on this remote port", + "data_type": "string", + "contains": [ + "port" + ], + "order": 5, + "primary": true, + "name": "remote_port" + }, + "local_port": { + "description": "Firewall rule acts on this local port", + "data_type": "string", + "contains": [ + "port" + ], + "order": 6, + "primary": true, + "name": "local_port" + }, + "protocol": { + "description": "Firewall rule acts on this protocol", + "data_type": "string", + "contains": [ + "winrm protocol" + ], + "order": 7, + "primary": true, + "name": "protocol" + }, + "other": { + "description": "JSON object of key value pairs for other parameters to include", + "data_type": "string", + "order": 8, + "name": "other" + }, + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + } + }, + "output": [ + 
{ + "data_path": "action_result.parameter.dir", + "data_type": "string", + "example_values": [ + "in", + "out" + ] + }, + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": "action_result.parameter.local_ip", + "data_type": "string", + "contains": [ + "ip" + ], + "example_values": [ + "8.8.8.8" + ] + }, + { + "data_path": "action_result.parameter.local_port", + "data_type": "string", + "contains": [ + "port" + ], + "example_values": [ + "443" + ] + }, + { + "data_path": "action_result.parameter.name", + "data_type": "string", + "contains": [ + "windows firewall rule name" + ], + "example_values": [ + "test rule" + ] + }, + { + "data_path": "action_result.parameter.other", + "data_type": "string", + "example_values": [ + "{\"profile\": \"domain\"}" + ] + }, + { + "data_path": "action_result.parameter.protocol", + "data_type": "string", + "contains": [ + "winrm protocol" + ], + "example_values": [ + "any", + "tcp" + ] + }, + { + "data_path": "action_result.parameter.remote_ip", + "data_type": "string", + "contains": [ + "ip" + ], + "example_values": [ + "8.8.8.8" + ] + }, + { + "data_path": "action_result.parameter.remote_port", + "data_type": "string", + "contains": [ + "port" + ], + "example_values": [ + "443" + ] + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully deleted firewall rules" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.summary.rules_deleted", + "data_type": "numeric", + "example_values": [ + 2 + ] + }, + { + "data_path": 
"summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "block ip", + "description": "Create a firewall rule to block a specified IP", + "type": "generic", + "identifier": "block_ip", + "read_only": false, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + }, + "name": { + "description": "The name of the rule to add", + "data_type": "string", + "required": true, + "contains": [ + "windows firewall rule name" + ], + "order": 1, + "primary": true, + "name": "name" + }, + "remote_ip": { + "description": "Block this IP", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "ip" + ], + "order": 2, + "name": "remote_ip" + } + }, + "output": [ + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": "action_result.parameter.name", + "data_type": "string", + "contains": [ + "windows firewall rule name" + ], + "example_values": [ + "test rule" + ] + }, + { + "data_path": "action_result.parameter.remote_ip", + "data_type": "string", + "contains": [ + "ip" + ], + "example_values": [ + "8.8.8.8" + ] + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully created firewall rule" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", 
+ "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "add firewall rule", + "description": "Add a firewall rule using netsh", + "verbose": "This action will invoke the command netsh advfirewall firewall add rule, where the rest is determined by the input. Each key-value pair from the other parameter will be added in the form of key=value. The user input will be sanitized.", + "type": "generic", + "identifier": "create_firewall_rule", + "read_only": false, + "parameters": { + "name": { + "description": "The name of the rule to add", + "data_type": "string", + "required": true, + "contains": [ + "windows firewall rule name" + ], + "order": 1, + "primary": true, + "name": "name" + }, + "dir": { + "description": "Block inbound or outbound traffic", + "data_type": "string", + "required": true, + "value_list": [ + "in", + "out" + ], + "order": 2, + "name": "dir" + }, + "action": { + "description": "What the firewall will do with packets", + "data_type": "string", + "required": true, + "value_list": [ + "allow", + "block", + "bypass" + ], + "order": 3, + "name": "action" + }, + "remote_ip": { + "description": "Firewall rule acts on this remote IP", + "data_type": "string", + "primary": true, + "contains": [ + "ip" + ], + "order": 4, + "name": "remote_ip" + }, + "local_ip": { + "description": "Firewall rule acts on this local IP", + "data_type": "string", + "primary": true, + "contains": [ + "ip" + ], + "order": 5, + "name": "local_ip" + }, + "remote_port": { + "description": "Firewall rule acts on this remote port", + "data_type": "string", + "contains": [ + "port" + ], + "primary": true, + "order": 6, + "name": "remote_port" + }, + "local_port": { + "description": "Firewall rule acts on this 
local port", + "data_type": "string", + "contains": [ + "port" + ], + "order": 7, + "primary": true, + "name": "local_port" + }, + "protocol": { + "description": "Firewall rule acts on this protocol", + "data_type": "string", + "contains": [ + "winrm protocol" + ], + "order": 8, + "primary": true, + "name": "protocol" + }, + "other": { + "description": "JSON object of key value pairs for other parameters to include", + "data_type": "string", + "order": 9, + "name": "other" + }, + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + } + }, + "output": [ + { + "data_path": "action_result.parameter.action", + "data_type": "string", + "example_values": [ + "block" + ] + }, + { + "data_path": "action_result.parameter.dir", + "data_type": "string", + "example_values": [ + "in", + "out" + ] + }, + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": "action_result.parameter.local_ip", + "data_type": "string", + "contains": [ + "ip" + ], + "example_values": [ + "8.8.8.8" + ] + }, + { + "data_path": "action_result.parameter.local_port", + "data_type": "string", + "contains": [ + "port" + ], + "example_values": [ + "443" + ] + }, + { + "data_path": "action_result.parameter.name", + "data_type": "string", + "contains": [ + "windows firewall rule name" + ], + "example_values": [ + "test rule" + ] + }, + { + "data_path": "action_result.parameter.other", + "data_type": "string", + "example_values": [ + "{\"profile\": \"domain\"}" + ] + }, + { + "data_path": "action_result.parameter.protocol", + "data_type": "string", + "contains": [ + "winrm protocol" + ], + "example_values": [ + "any", + "tcp" + ] + }, + { + "data_path": "action_result.parameter.remote_ip", + "data_type": "string", + "contains": 
[ + "ip" + ], + "example_values": [ + "8.8.8.8" + ] + }, + { + "data_path": "action_result.parameter.remote_port", + "data_type": "string", + "contains": [ + "port" + ], + "example_values": [ + "443" + ] + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully created firewall rule" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "logoff user", + "description": "Logoff a user", + "type": "generic", + "identifier": "logoff_user", + "read_only": false, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + }, + "session_id": { + "description": "Session ID", + "data_type": "string", + "required": true, + "primary": true, + "order": 1, + "contains": [ + "windows session id" + ], + "name": "session_id" + } + }, + "output": [ + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ], + "contains": [ + "ip", + "host name" + ] + }, + { + "data_path": "action_result.parameter.session_id", + "data_type": "string", + "example_values": [ + "2" + ], + "contains": [ + "windows session id" + ] + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": 
"string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully logged off user" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "list sessions", + "description": "List all active sessions", + "type": "investigate", + "identifier": "list_sessions", + "read_only": true, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + } + }, + "output": [ + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ], + "contains": [ + "ip", + "host name" + ] + }, + { + "data_path": "action_result.data.*.id", + "data_type": "string", + "example_values": [ + "0" + ], + "contains": [ + "windows session id" + ], + "column_name": "Session ID", + "column_order": 1 + }, + { + "data_path": "action_result.data.*.name", + "data_type": "string", + "example_values": [ + "services" + ], + "column_name": "Name", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.this", + "data_type": "boolean", + "example_values": [ + true, + false + ] + }, + { + "data_path": "action_result.data.*.type", + "data_type": "string" + }, + { + "data_path": "action_result.data.*.username", + "data_type": "string", + "contains": [ + "user name" + ], + "column_name": "User Name", + "column_order": 2 + }, + { + "data_path": "action_result.status", + "data_type": "string", + 
"example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully listed all sessions" + ] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.summary.num_sessions", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "deactivate partition", + "description": "Deactivate a partition", + "verbose": "Deactivates the system partitions of a machine, which disallows booting from said partition. The subsequent boot of the machine results in using the next option specified in the BIOS to boot from. Often used to netboot for remote reimaging.", + "type": "contain", + "identifier": "deactivate_partition", + "read_only": false, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + } + }, + "output": [ + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully deactivated partition" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": 
"summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "activate partition", + "description": "Activate a partition", + "type": "correct", + "identifier": "activate_partition", + "read_only": false, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + } + }, + "output": [ + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully activated partition" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "shutdown system", + "description": "Shutdown a system", + "type": "generic", + "identifier": "shutdown_system", + "read_only": false, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "primary": true, + "order": 0, + "contains": [ + "ip", + "host name" + ], + "name": "ip_hostname" + }, + "comment": { + "description": "Comment to show to users", 
+ "data_type": "string", + "order": 1, + "name": "comment" + } + }, + "output": [ + { + "data_path": "action_result.parameter.comment", + "data_type": "string", + "example_values": [ + "Test shutdown" + ] + }, + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully initiated system shutdown" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "restart system", + "description": "Restart a system", + "type": "generic", + "identifier": "restart_system", + "read_only": false, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "primary": true, + "order": 0, + "contains": [ + "ip", + "host name" + ], + "name": "ip_hostname" + }, + "comment": { + "description": "Comment to show to users", + "data_type": "string", + "order": 1, + "name": "comment" + } + }, + "output": [ + { + "data_path": "action_result.parameter.comment", + "data_type": "string", + "example_values": [ + "Test restart" + ] + }, + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ] + }, + { + "data_path": 
"action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully initiated system restart" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "list policies", + "description": "List AppLocker Policies", + "type": "investigate", + "identifier": "list_applocker_policies", + "read_only": true, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + }, + "location": { + "description": "Which policies to list", + "data_type": "string", + "required": true, + "order": 1, + "value_list": [ + "local", + "domain", + "effective" + ], + "name": "location" + }, + "ldap": { + "description": "LDAP Server. 
Will only have an effect if 'location' is set to 'domain'", + "data_type": "string", + "order": 2, + "name": "ldap" + } + }, + "output": [ + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ], + "contains": [ + "ip", + "host name" + ] + }, + { + "data_path": "action_result.parameter.ldap", + "data_type": "string", + "example_values": [ + "LDAP://8.8.8.8/CN={31b2f340-016d-11d2-945f-00c04fb984f9},CN=Policies,CN=System,DC=domain,DC=local" + ] + }, + { + "data_path": "action_result.parameter.location", + "data_type": "string", + "example_values": [ + "local" + ] + }, + { + "data_path": "action_result.data.*.Conditions.FilePublisherCondition.@BinaryName", + "data_type": "string", + "example_values": [ + "*" + ] + }, + { + "data_path": "action_result.data.*.Conditions.FilePublisherCondition.@ProductName", + "data_type": "string", + "example_values": [ + "*" + ] + }, + { + "data_path": "action_result.data.*.Conditions.FilePublisherCondition.@PublisherName", + "data_type": "string", + "example_values": [ + "*" + ] + }, + { + "data_path": "action_result.data.*.Conditions.FilePublisherCondition.BinaryVersionRange.@HighSection", + "data_type": "string", + "example_values": [ + "*" + ] + }, + { + "data_path": "action_result.data.*.Conditions.FilePublisherCondition.BinaryVersionRange.@LowSection", + "data_type": "string", + "example_values": [ + "8.8.8.8" + ], + "contains": [ + "ip" + ] + }, + { + "data_path": "action_result.data.*.action", + "data_type": "string", + "example_values": [ + "Allow" + ], + "column_name": "Action", + "column_order": 3 + }, + { + "data_path": "action_result.data.*.description", + "data_type": "string", + "example_values": [ + "Allows members of the Everyone group to run packaged apps that are signed." 
+ ], + "column_name": "Description", + "column_order": 1 + }, + { + "data_path": "action_result.data.*.enforcement_mode", + "data_type": "string", + "example_values": [ + "NotConfigured" + ] + }, + { + "data_path": "action_result.data.*.file_path_condition", + "data_type": "string", + "example_values": [ + "%SYSTEM32%\\NOTEPAD.EXE" + ], + "contains": [ + "file path" + ], + "column_name": "File Path Condition", + "column_order": 2 + }, + { + "data_path": "action_result.data.*.id", + "data_type": "string", + "example_values": [ + "a9e18c21-ff8f-43cf-b9fc-db40eed693ba" + ], + "contains": [ + "windows applocker policy id" + ], + "column_name": "ID", + "column_order": 4 + }, + { + "data_path": "action_result.data.*.name", + "data_type": "string", + "example_values": [ + "(Default Rule) All signed packaged apps" + ], + "column_name": "Name", + "column_order": 0 + }, + { + "data_path": "action_result.data.*.type", + "data_type": "string", + "example_values": [ + "Appx" + ], + "column_name": "Type", + "column_order": 6 + }, + { + "data_path": "action_result.data.*.user_or_group_sid", + "data_type": "string", + "contains": [ + "winrm user or group sid" + ], + "example_values": [ + "S-1-1-0" + ], + "column_name": "User Or Group SID", + "column_order": 5 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully listed AppLocker Policies" + ] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "block file path", + "description": "Create a new AppLocker policy to block a file 
path", + "verbose": "By default, this policy will apply to the \"Everyone\" group. You can specify the user with either a variety of formats, which are documented here. By specifying LDAP, it will apply that policy to that GPO, as opposed to just the local machine. By default, Windows does not have the service required service running for AppLocker policies to be enforced. The Application Identity service must be running for AppLocker to enforce its policies.", + "type": "generic", + "identifier": "create_applocker_policy", + "read_only": false, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + }, + "deny_allow": { + "description": "Set this rule to allow or deny", + "data_type": "string", + "required": true, + "order": 1, + "value_list": [ + "deny", + "allow" + ], + "name": "deny_allow" + }, + "file_path": { + "description": "File path to set rule to. Allows wildcards (i.e. 
C:\\Windows\\System32\\*.exe)", + "data_type": "string", + "required": true, + "primary": true, + "order": 2, + "contains": [ + "file path" + ], + "name": "file_path" + }, + "user": { + "description": "User or group to apply rule to", + "data_type": "string", + "order": 3, + "contains": [ + "winrm user or group sid" + ], + "primary": true, + "name": "user" + }, + "rule_name_prefix": { + "description": "Prefix for new rule name", + "data_type": "string", + "order": 4, + "name": "rule_name_prefix" + }, + "ldap": { + "description": "LDAP Server", + "data_type": "string", + "order": 5, + "name": "ldap" + } + }, + "output": [ + { + "data_path": "action_result.parameter.deny_allow", + "data_type": "string", + "example_values": [ + "allow", + "deny" + ] + }, + { + "data_path": "action_result.parameter.file_path", + "data_type": "string", + "contains": [ + "file path" + ], + "example_values": [ + "C:\\Windows\\System32\\notepad.exe" + ] + }, + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ], + "contains": [ + "ip", + "host name" + ] + }, + { + "data_path": "action_result.parameter.ldap", + "data_type": "string", + "example_values": [ + "LDAP://8.8.8.8/CN={31b2f340-016d-11d2-945f-00c04fb984f9},CN=Policies,CN=System,DC=domain,DC=local" + ] + }, + { + "data_path": "action_result.parameter.rule_name_prefix", + "data_type": "string", + "example_values": [ + "test" + ] + }, + { + "data_path": "action_result.parameter.user", + "data_type": "string", + "contains": [ + "winrm user or group sid" + ], + "example_values": [ + "Administrator" + ] + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully created AppLocker policy" + ], + 
"column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "delete policy", + "description": "Delete an AppLocker policy", + "type": "generic", + "identifier": "delete_applocker_policy", + "read_only": false, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + }, + "applocker_policy_id": { + "description": "ID of policy to delete", + "data_type": "string", + "required": true, + "primary": true, + "order": 1, + "contains": [ + "windows applocker policy id" + ], + "name": "applocker_policy_id" + }, + "ldap": { + "description": "LDAP Server", + "data_type": "string", + "order": 2, + "name": "ldap" + } + }, + "output": [ + { + "data_path": "action_result.parameter.applocker_policy_id", + "data_type": "string", + "example_values": [ + "084ab400-83b8-432d-8dc2-f180fbe301ca" + ], + "contains": [ + "windows applocker policy id" + ] + }, + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ], + "contains": [ + "ip", + "host name" + ] + }, + { + "data_path": "action_result.parameter.ldap", + "data_type": "string", + "example_values": [ + "LDAP://8.8.8.8/CN={31b2f340-016d-11d2-945f-00c04fb984f9},CN=Policies,CN=System,DC=domain,DC=local" + ] + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": 
"action_result.message", + "data_type": "string", + "example_values": [ + "Successfully deleted AppLocker Policy" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "get file", + "description": "Copy a file from the Windows Endpoint to the Vault", + "type": "investigate", + "identifier": "get_file", + "read_only": true, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + }, + "file_path": { + "description": "Path to file", + "data_type": "string", + "required": true, + "order": 1, + "primary": true, + "contains": [ + "file path" + ], + "name": "file_path" + } + }, + "output": [ + { + "data_path": "action_result.parameter.file_path", + "data_type": "string", + "example_values": [ + "C:\\Users\\administrator.CORP\\logo.jpg", + "C:\\Users\\Administrator\\Desktop\\c.txt" + ], + "contains": [ + "file path" + ], + "column_name": "File Path", + "column_order": 1 + }, + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ], + "contains": [ + "ip", + "host name" + ], + "column_name": "IP/Hostname", + "column_order": 2 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully retrieved file and added it to the Vault" + 
] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.summary.vault_id", + "data_type": "string", + "example_values": [ + "8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56" + ], + "contains": [ + "sha1", + "vault id" + ], + "column_name": "New Vault ID", + "column_order": 0 + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "upload file", + "description": "Copy a file from the vault to the Windows Endpoint", + "type": "generic", + "identifier": "send_file", + "read_only": false, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + }, + "vault_id": { + "description": "Vault ID of file", + "data_type": "string", + "required": true, + "order": 1, + "primary": true, + "contains": [ + "vault id" + ], + "name": "vault_id" + }, + "destination": { + "description": "Path to copy file to", + "data_type": "string", + "required": true, + "order": 2, + "contains": [ + "file path" + ], + "primary": true, + "name": "destination" + } + }, + "output": [ + { + "data_path": "action_result.parameter.destination", + "data_type": "string", + "example_values": [ + "C:\\Users\\administrator.CORP\\Desktop\\aasdf.txt" + ], + "contains": [ + "file path" + ], + "column_name": "Destination", + "column_order": 2 + }, + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ], + "contains": [ + "ip", + "host name" + ], + "column_name": "IP/Hostname", + "column_order": 3 + }, + { + "data_path": "action_result.parameter.vault_id", + "data_type": "string", + 
"example_values": [ + "8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56" + ], + "contains": [ + "vault id" + ], + "column_name": "Vault ID", + "column_order": 1 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully sent file" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "copy file", + "description": "Run the copy command on the Windows Endpoint", + "verbose": "For best results, both the from and to parameters should be absolute paths to their respective locations.", + "type": "generic", + "identifier": "copy_file", + "read_only": false, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "order": 0, + "contains": [ + "ip", + "host name" + ], + "primary": true, + "name": "ip_hostname" + }, + "from": { + "description": "File source (path)", + "data_type": "string", + "required": true, + "primary": true, + "order": 1, + "contains": [ + "file path" + ], + "name": "from" + }, + "to": { + "description": "File destination (path)", + "data_type": "string", + "required": true, + "order": 2, + "contains": [ + "file path" + ], + "primary": true, + "name": "to" + } + }, + "output": [ + { + "data_path": "action_result.parameter.from", + "data_type": "string", + "example_values": [ + "C:\\Windows\\System32\\notepad.exe" + ], + "contains": [ + "file path" + ], + "column_name": "From", + "column_order": 1 + }, + { + 
"data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ], + "contains": [ + "ip", + "host name" + ], + "column_name": "IP/Hostname", + "column_order": 3 + }, + { + "data_path": "action_result.parameter.to", + "data_type": "string", + "example_values": [ + "C:\\Windows\\System32\\notepad_copy.exe" + ], + "contains": [ + "file path" + ], + "column_name": "To", + "column_order": 2 + }, + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully copied files" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric", + "example_values": [ + 1 + ] + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric", + "example_values": [ + 1 + ] + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + }, + { + "action": "delete file", + "identifier": "delete_file", + "description": "Run the delete command on the Windows Endpoint", + "verbose": "For best results, the file path parameter should be an absolute path to a location.", + "type": "generic", + "read_only": false, + "parameters": { + "ip_hostname": { + "description": "IP/Hostname", + "data_type": "string", + "required": false, + "primary": true, + "contains": [ + "ip", + "host name" + ], + "value_list": [], + "default": "", + "order": 0, + "name": "ip_hostname", + "id": 1, + "param_name": "ip_hostname" + }, + "file_path": { + "description": "Path to file / directory", + "data_type": "string", + "required": true, + "primary": true, + "contains": [ + "file path" + ], + "value_list": [], + "default": "", + "order": 1, + 
"name": "file_path", + "id": 2, + "param_name": "file_path" + }, + "force": { + "description": "Use the force flag for delete", + "data_type": "boolean", + "required": false, + "primary": false, + "contains": [], + "default": false, + "order": 2, + "name": "force", + "id": 3, + "param_name": "force" + }, + "recurse": { + "description": "Use the recurse flag to delete directory content recursively", + "data_type": "boolean", + "required": false, + "primary": false, + "contains": [], + "default": "", + "order": 3, + "name": "recurse", + "id": 4, + "param_name": "recurse" + } + }, + "output": [ + { + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "contains": [ + "ip", + "host name" + ], + "column_name": "ip_hostname", + "column_order": 0 + }, + { + "data_path": "action_result.parameter.file_path", + "data_type": "string", + "contains": [ + "file path" + ], + "column_name": "file_path", + "column_order": 1 + }, + { + "data_path": "action_result.parameter.force", + "data_type": "boolean", + "contains": [], + "column_name": "force", + "column_order": 2 + }, + { + "data_path": "action_result.parameter.recurse", + "data_type": "boolean", + "contains": [], + "column_name": "recurse", + "column_order": 3 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "column_name": "status", + "column_order": 4 + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "summary.total_objects", + "data_type": "numeric" + }, + { + "data_path": "summary.total_objects_successful", + "data_type": "numeric" + } + ], + "render": { + "type": "table" + }, + "versions": "EQ(*)" + } + ], + "pip39_dependencies": { + "wheel": [ + { + "module": "beautifulsoup4", + "input_file": "wheels/py3/beautifulsoup4-4.9.1-py3-none-any.whl" + }, + { + "module": "certifi", + "input_file": "wheels/py3/certifi-2023.7.22-py3-none-any.whl" + }, + { + "module": "cffi", + "input_file": 
"wheels/py39/cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + }, + { + "module": "charset_normalizer", + "input_file": "wheels/py39/charset_normalizer-3.3.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + }, + { + "module": "cryptography", + "input_file": "wheels/py3/cryptography-41.0.5-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" + }, + { + "module": "idna", + "input_file": "wheels/py3/idna-3.4-py3-none-any.whl" + }, + { + "module": "pycparser", + "input_file": "wheels/shared/pycparser-2.21-py2.py3-none-any.whl" + }, + { + "module": "pyspnego", + "input_file": "wheels/py3/pyspnego-0.10.2-py3-none-any.whl" + }, + { + "module": "pywinrm", + "input_file": "wheels/shared/pywinrm-0.4.3-py2.py3-none-any.whl" + }, + { + "module": "requests_ntlm", + "input_file": "wheels/py3/requests_ntlm-1.2.0-py3-none-any.whl" + }, + { + "module": "six", + "input_file": "wheels/shared/six-1.16.0-py2.py3-none-any.whl" + }, + { + "module": "soupsieve", + "input_file": "wheels/py3/soupsieve-2.5-py3-none-any.whl" + }, + { + "module": "urllib3", + "input_file": "wheels/py3/urllib3-2.0.7-py3-none-any.whl" + }, + { + "module": "xmltodict", + "input_file": "wheels/shared/xmltodict-0.13.0-py2.py3-none-any.whl" + } + ] + }, + "copied_from_id": 19, + "copied_from_version": "2.2.6", + "directory": "cyberwindowsremotemanagement_024da1a3-b64f-4974-b841-051b4d3c993d", + "version": 1, + "appname": "-", + "executable": "spawn3", + "disabled": false, + "custom_made": true +} \ No newline at end of file diff --git a/winrm_connector.py b/winrm_connector.py index 711dd48..66548f9 100644 --- a/winrm_connector.py +++ b/winrm_connector.py 
@@ -995,11 +995,13 @@ def _handle_delete_file(self, param):
 return action_result.get_status()
 file_path = self._handle_py_ver_compat_for_input_str(param['file_path'])
- force_delete = '-Force ' if param.get('force') else ''
+ recurse_delete = ' -Recurse' if param.get('recurse') else ''
+ force_delete = ' -Force' if param.get('force') else ''
- ps_script = "& del {0}{1}".format(
- force_delete,
- self._sanitize_string(file_path)
+ ps_script = "Remove-Item -Path {0}{1}{2}".format(
+ self._sanitize_string(file_path),
+ recurse_delete,
+ force_delete
 )
 ret_val = self._run_ps(action_result, ps_script, parse_callback=pc.check_exit_no_data2)
From c54608e2345e9e8af510cf5e16ec8ec663ff553a Mon Sep 17 00:00:00 2001
From: Elad Levi <58475124+JakePeralta7@users.noreply.github.com>
Date: Fri, 8 Dec 2023 20:40:55 +0200
Subject: [PATCH 2/5] Update README.md
Adding documentation for the delete_file action
---
 README.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index b84bcf4..97e9d47 100644
--- a/README.md
+++ b/README.md
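Review bot: `Remove-Item -Path` treats the supplied path as a wildcard pattern, so with the newly added `-Recurse` and `-Force` switches a file_path containing `*`, `?` or `[` removes every match rather than the one object the caller named; if wildcard deletion is not an intended feature of this action, build the command with the literal form instead: `ps_script = "Remove-Item -LiteralPath {0}{1}{2}".format(`. `_sanitize_string` is defined outside the hunk, so whether it quotes the whole path or only escapes individual characters cannot be confirmed from this view; a one-line comment above the `ps_script` assignment stating which of the two it guarantees would help the next reader judge the interpolation. The body of `_handle_delete_file` starts and ends outside the hunk.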
@@ -837,18 +837,20 @@ For best results, the file path parameter should be an absolute path to a
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
 **ip_hostname** | optional | IP/Hostname | string | `ip` `host name`
-**file_path** | required | Path to file | string | `file path`
+**file_path** | required | Path to file / directory | string | `file path`
 **force** | optional | Use the force flag for delete | boolean |
+**recurse** | optional | Use the recurse flag to delete directory content recursively | boolean |
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
 --------- | ---- | -------- | --------------
 action_result.parameter.file_path | string | `file path` | C:\\Windows\\System32\\notepad.exe
 action_result.parameter.force | boolean | | True False
+action_result.parameter.recurse | boolean | | True False
 action_result.parameter.ip_hostname | string | `ip` `host name` | 8.8.8.8 8.8.8.8\\testphantom.local
 action_result.data | string | |
 action_result.status | string | | success failed
 action_result.message | string | | Successfully deleted files
 action_result.summary | string | |
 summary.total_objects | numeric | | 1
-summary.total_objects_successful | numeric | | 1
\ No newline at end of file
+summary.total_objects_successful | numeric | | 1
From ac053e891b2c4698f32f8cc5af890218b385c5e4 Mon Sep 17 00:00:00 2001
From: Elad Levi <58475124+JakePeralta7@users.noreply.github.com>
Date: Wed, 21 Feb 2024 21:09:06 +0200
Subject: [PATCH 3/5] Update winrm.json
---
 winrm.json | 399 +++++++++++++++++++++++++++++++++--------------------
 1 file changed, 252 insertions(+), 147 deletions(-)
diff --git a/winrm.json b/winrm.json
index 1f6c5d3..8f0f24f 100644
--- a/winrm.json
+++ b/winrm.json
@@ -1,18 +1,18 @@ { - "appid": "a0222b95-b006-4c9e-9578-1428defcec0f", - "name": "Windows Remote Management", + "appid": "024da1a3-b64f-4974-b841-051b4d3c993d", + "name": "Cyber Windows Remote Management", "description": "This app integrates with the Windows Remote Management service to execute various actions", "type": "endpoint", - "product_vendor": "Microsoft", + "product_vendor": "Microsoft_clone_1702059179715", "logo": "logo_microsoft.svg", "logo_dark": "logo_microsoft_dark.svg", - "product_name": "Windows Remote Management", + "product_name": "Windows Remote Management_clone_1702059179715", "product_version_regex": ".*", "publisher": "Splunk", "license": "Copyright (c) 2018-2023 Splunk Inc.", - "app_version": "2.2.6", - "utctime_updated": "2023-12-05T12:42:47.000000Z", - "package_name": "phantom_winrm", + "app_version": "1.0.0", + "utctime_updated": "2023-12-08T18:13:44.087303Z", + "package_name": "phantom_cyberwindowsremotemanagement", "main_module": "winrm_connector.py", "min_phantom_version": "6.1.1", "fips_compliant": true, @@ -25,13 +25,17 @@ "endpoint": { "description": "IP/Hostname (For TEST CONNECTIVITY and default, if not provided in an action)", "data_type": "string", - "order": 0 + "order": 0, + "name": "endpoint", + "id": 0 }, "verify_server_cert": { "description": "Verify Server Certificate", "data_type": "boolean", - "default": false, - "order": 1 + "default": "False", + "order": 1, + "name": "verify_server_cert", + "id": 1 }, "default_protocol": { "description": "Default protocol for actions", 
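Review bot: Every line this hunk changes is restored verbatim by PATCH 4/5 later in the same series, so PATCH 3/5 and 4/5 cancel out and only add noise to the history; the pair could be dropped before merging. The replacement values themselves — `"product_vendor": "Microsoft_clone_1702059179715"`, the changed `appid` and `package_name` — read like a platform-generated clone export rather than a deliberate edit, and they duplicate the identity of the cyberwindowsremotemanagement.json added in PATCH 1/5 (whose hunk starts before this view), so two manifests in one repository would carry the same appid; how the platform resolves that is not visible here.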
@@ -41,30 +45,40 @@ "value_list": [ "http", "https" - ] + ], + "name": "default_protocol", + "id": 2 }, "default_port": { "description": "Default port for actions", "data_type": "numeric", "default": 5985, - "order": 3 + "order": 3, + "name": "default_port", + "id": 3 }, "domain": { "description": "Domain", "data_type": "string", - "order": 4 + "order": 4, + "name": "domain", + "id": 4 }, "username": { "description": "Username", "data_type": "string", "required": true, - "order": 5 + "order": 5, + "name": "username", + "id": 5 }, "password": { "description": "Password", "data_type": "password", "required": true, - "order": 6 + "order": 6, + "name": "password", + "id": 6 }, "transport": { "description": "Type of transport to use", @@ -75,7 +89,9 @@ "ntlm" ], "default": "basic", - "order": 7 + "order": 7, + "name": "transport", + "id": 7 } }, "actions": [ @@ -100,12 +116,14 @@ "command": { "description": "The command to be run", "data_type": "string", - "order": 1 + "order": 1, + "name": "command" }, "arguments": { "description": "The arguments for the command", "data_type": "string", - "order": 2 + "order": 2, + "name": "arguments" }, "parser": { "description": "The vault ID of a custom parser to use for output", @@ -114,7 +132,8 @@ ], "primary": true, "data_type": "string", - "order": 3 + "order": 3, + "name": "parser" }, "ip_hostname": { "description": "IP/Hostname", @@ -124,13 +143,15 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" }, "async": { "description": "Start the command, but don't wait for output", "data_type": "boolean", "default": false, - "order": 4 + "order": 4, + "name": "async" }, "command_id": { "description": "Command ID of async command (Provide with shell_id)", @@ -139,7 +160,8 @@ "order": 5, "contains": [ "winrm command id" - ] + ], + "name": "command_id" }, "shell_id": { "description": "Shell ID of async command (Provide with command_id)", 
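Review bot: In the verify_server_cert hunk, `"default": "False"` replaces the boolean `false` with a string, which is the wrong type for a `boolean` data_type; how the platform coerces a non-empty string default is not visible here, but a truthy read would silently flip the server-certificate verification default, so the line should stay `"default": false`. PATCH 4/5 reverts this file, so the point matters mainly if the new cyberwindowsremotemanagement.json from PATCH 1/5 carries the same string value, which is worth checking since that copy is the one that survives the series.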
@@ -148,7 +170,8 @@ "contains": [ "winrm shell id" ], - "primary": true + "primary": true, + "name": "shell_id" } }, "output": [ @@ -313,12 +336,14 @@ ], "data_type": "string", "primary": true, - "order": 1 + "order": 1, + "name": "script_file" }, "script_str": { "description": "A PowerShell script to run", "data_type": "string", - "order": 2 + "order": 2, + "name": "script_str" }, "parser": { "description": "The vault ID of a custom parser to use for output", @@ -327,7 +352,8 @@ ], "data_type": "string", "primary": true, - "order": 3 + "order": 3, + "name": "parser" }, "ip_hostname": { "description": "IP/Hostname", @@ -337,13 +363,15 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" }, "async": { "description": "Start the command, but don't wait for output", "data_type": "boolean", "default": false, - "order": 4 + "order": 4, + "name": "async" }, "command_id": { "description": "Command ID of async command (Provide with shell_id)", @@ -352,7 +380,8 @@ "primary": true, "contains": [ "winrm command id" - ] + ], + "name": "command_id" }, "shell_id": { "description": "Shell ID of async command (Provide with command_id)", @@ -361,7 +390,8 @@ "contains": [ "winrm shell id" ], - "primary": true + "primary": true, + "name": "shell_id" } }, "output": [ @@ -529,7 +559,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" } }, "output": [ @@ -683,7 +714,8 @@ "contains": [ "pid" ], - "order": 1 + "order": 1, + "name": "pid" }, "name": { "description": "Name of program to terminate, accepts wildcards", @@ -692,7 +724,8 @@ "contains": [ "process name" ], - "order": 2 + "order": 2, + "name": "name" }, "ip_hostname": { "description": "IP/Hostname", @@ -702,7 +735,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" } }, "output": [ @@ -798,7 +832,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" } }, "output": [ 
@@ -951,7 +986,8 @@ "contains": [ "port" ], - "order": 1 + "order": 1, + "name": "filter_port" }, "filter_ip": { "description": "Only show firewall rules acting on this ip", @@ -960,7 +996,8 @@ "contains": [ "ip" ], - "order": 2 + "order": 2, + "name": "filter_ip" }, "direction": { "description": "Only show firewall rules in this direction", @@ -969,7 +1006,8 @@ "in", "out" ], - "order": 3 + "order": 3, + "name": "direction" }, "protocol": { "description": "Only show firewall rules using this protocol", @@ -978,12 +1016,14 @@ "winrm protocol" ], "order": 4, - "primary": true + "primary": true, + "name": "protocol" }, "other": { "description": "JSON object of key value pairs of other fields to match", "data_type": "string", - "order": 5 + "order": 5, + "name": "other" }, "ip_hostname": { "description": "IP/Hostname", @@ -993,7 +1033,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" } }, "output": [ @@ -1229,7 +1270,8 @@ ], "primary": true, "required": true, - "order": 1 + "order": 1, + "name": "name" }, "dir": { "description": "Blocks inbound or outbound traffic", @@ -1238,7 +1280,8 @@ "in", "out" ], - "order": 2 + "order": 2, + "name": "dir" }, "remote_ip": { "description": "Firewall rule acts on this remote IP", @@ -1247,7 +1290,8 @@ "ip" ], "order": 3, - "primary": true + "primary": true, + "name": "remote_ip" }, "local_ip": { "description": "Firewall rule acts on this local IP", @@ -1256,7 +1300,8 @@ "ip" ], "order": 4, - "primary": true + "primary": true, + "name": "local_ip" }, "remote_port": { "description": "Firewall rule acts on this remote port", @@ -1265,7 +1310,8 @@ "port" ], "order": 5, - "primary": true + "primary": true, + "name": "remote_port" }, "local_port": { "description": "Firewall rule acts on this local port", @@ -1274,7 +1320,8 @@ "port" ], "order": 6, - "primary": true + "primary": true, + "name": "local_port" }, "protocol": { "description": "Firewall rule acts on this protocol", 
@@ -1283,12 +1330,14 @@ "winrm protocol" ], "order": 7, - "primary": true + "primary": true, + "name": "protocol" }, "other": { "description": "JSON object of key value pairs for other parameters to include", "data_type": "string", - "order": 8 + "order": 8, + "name": "other" }, "ip_hostname": { "description": "IP/Hostname", @@ -1298,7 +1347,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" } }, "output": [ @@ -1457,7 +1507,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" }, "name": { "description": "The name of the rule to add", @@ -1467,7 +1518,8 @@ "windows firewall rule name" ], "order": 1, - "primary": true + "primary": true, + "name": "name" }, "remote_ip": { "description": "Block this IP", @@ -1477,7 +1529,8 @@ "contains": [ "ip" ], - "order": 2 + "order": 2, + "name": "remote_ip" } }, "output": [ @@ -1574,7 +1627,8 @@ "windows firewall rule name" ], "order": 1, - "primary": true + "primary": true, + "name": "name" }, "dir": { "description": "Block inbound or outbound traffic", @@ -1584,7 +1638,8 @@ "in", "out" ], - "order": 2 + "order": 2, + "name": "dir" }, "action": { "description": "What the firewall will do with packets", @@ -1595,7 +1650,8 @@ "block", "bypass" ], - "order": 3 + "order": 3, + "name": "action" }, "remote_ip": { "description": "Firewall rule acts on this remote IP", @@ -1604,7 +1660,8 @@ "contains": [ "ip" ], - "order": 4 + "order": 4, + "name": "remote_ip" }, "local_ip": { "description": "Firewall rule acts on this local IP", @@ -1613,7 +1670,8 @@ "contains": [ "ip" ], - "order": 5 + "order": 5, + "name": "local_ip" }, "remote_port": { "description": "Firewall rule acts on this remote port", @@ -1622,7 +1680,8 @@ "port" ], "primary": true, - "order": 6 + "order": 6, + "name": "remote_port" }, "local_port": { "description": "Firewall rule acts on this local port", 
@@ -1631,7 +1690,8 @@ "port" ], "order": 7, - "primary": true + "primary": true, + "name": "local_port" }, "protocol": { "description": "Firewall rule acts on this protocol", @@ -1640,12 +1700,14 @@ "winrm protocol" ], "order": 8, - "primary": true + "primary": true, + "name": "protocol" }, "other": { "description": "JSON object of key value pairs for other parameters to include", "data_type": "string", - "order": 9 + "order": 9, + "name": "other" }, "ip_hostname": { "description": "IP/Hostname", @@ -1655,7 +1717,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" } }, "output": [ @@ -1814,7 +1877,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" }, "session_id": { "description": "Session ID", @@ -1824,7 +1888,8 @@ "order": 1, "contains": [ "windows session id" - ] + ], + "name": "session_id" } }, "output": [ @@ -1910,7 +1975,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" } }, "output": [ @@ -2030,7 +2096,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" } }, "output": [ @@ -2106,7 +2173,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" } }, "output": [ @@ -2182,12 +2250,14 @@ "contains": [ "ip", "host name" - ] + ], + "name": "ip_hostname" }, "comment": { "description": "Comment to show to users", "data_type": "string", - "order": 1 + "order": 1, + "name": "comment" } }, "output": [ @@ -2270,12 +2340,14 @@ "contains": [ "ip", "host name" - ] + ], + "name": "ip_hostname" }, "comment": { "description": "Comment to show to users", "data_type": "string", - "order": 1 + "order": 1, + "name": "comment" } }, "output": [ @@ -2358,7 +2430,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" }, "location": { "description": "Which policies to list", 
@@ -2369,12 +2442,14 @@ "local", "domain", "effective" - ] + ], + "name": "location" }, "ldap": { "description": "LDAP Server. Will only have an effect if 'location' is set to 'domain'", "data_type": "string", - "order": 2 + "order": 2, + "name": "ldap" } }, "output": [ @@ -2576,7 +2651,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" }, "deny_allow": { "description": "Set this rule to allow or deny", @@ -2586,7 +2662,8 @@ "value_list": [ "deny", "allow" - ] + ], + "name": "deny_allow" }, "file_path": { "description": "File path to set rule to. Allows wildcards (i.e. C:\\Windows\\System32\\*.exe)", @@ -2596,7 +2673,8 @@ "order": 2, "contains": [ "file path" - ] + ], + "name": "file_path" }, "user": { "description": "User or group to apply rule to", @@ -2605,17 +2683,20 @@ "contains": [ "winrm user or group sid" ], - "primary": true + "primary": true, + "name": "user" }, "rule_name_prefix": { "description": "Prefix for new rule name", "data_type": "string", - "order": 4 + "order": 4, + "name": "rule_name_prefix" }, "ldap": { "description": "LDAP Server", "data_type": "string", - "order": 5 + "order": 5, + "name": "ldap" } }, "output": [ @@ -2733,7 +2814,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" }, "applocker_policy_id": { "description": "ID of policy to delete", @@ -2743,12 +2825,14 @@ "order": 1, "contains": [ "windows applocker policy id" - ] + ], + "name": "applocker_policy_id" }, "ldap": { "description": "LDAP Server", "data_type": "string", - "order": 2 + "order": 2, + "name": "ldap" } }, "output": [ @@ -2841,7 +2925,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" }, "file_path": { "description": "Path to file", @@ -2851,7 +2936,8 @@ "primary": true, "contains": [ "file path" - ] + ], + "name": "file_path" } }, "output": [ 
@@ -2953,7 +3039,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" }, "vault_id": { "description": "Vault ID of file", @@ -2963,7 +3050,8 @@ "primary": true, "contains": [ "vault id" - ] + ], + "name": "vault_id" }, "destination": { "description": "Path to copy file to", @@ -2973,7 +3061,8 @@ "contains": [ "file path" ], - "primary": true + "primary": true, + "name": "destination" } }, "output": [ @@ -3076,7 +3165,8 @@ "ip", "host name" ], - "primary": true + "primary": true, + "name": "ip_hostname" }, "from": { "description": "File source (path)", @@ -3086,7 +3176,8 @@ "order": 1, "contains": [ "file path" - ] + ], + "name": "from" }, "to": { "description": "File destination (path)", @@ -3096,7 +3187,8 @@ "contains": [ "file path" ], - "primary": true + "primary": true, + "name": "to" } }, "output": [ 
@@ -3185,114 +3277,119 @@
 },
 {
 "action": "delete file",
+ "identifier": "delete_file",
 "description": "Run the delete command on the Windows Endpoint",
 "verbose": "For best results, the file path parameter should be an absolute path to a location.",
 "type": "generic",
- "identifier": "delete_file",
 "read_only": false,
 "parameters": {
 "ip_hostname": {
 "description": "IP/Hostname",
 "data_type": "string",
- "order": 0,
+ "required": false,
+ "primary": true,
 "contains": [
 "ip",
 "host name"
 ],
- "primary": true
+ "value_list": [],
+ "default": "",
+ "order": 0,
+ "name": "ip_hostname",
+ "id": 1,
+ "param_name": "ip_hostname"
 },
 "file_path": {
- "description": "Path to file",
+ "description": "Path to file / directory",
 "data_type": "string",
 "required": true,
- "order": 1,
 "primary": true,
 "contains": [
 "file path"
- ]
+ ],
+ "value_list": [],
+ "default": "",
+ "order": 1,
+ "name": "file_path",
+ "id": 2,
+ "param_name": "file_path"
 },
 "force": {
 "description": "Use the force flag for delete",
 "data_type": "boolean",
+ "required": false,
+ "primary": false,
+ "contains": [],
 "default": false,
- "order": 2
+ "order": 2,
+ "name": "force",
+ "id": 3,
+ "param_name": "force"
+ },
+ "recurse": {
+ "description": "Use the recurse flag to delete directory content recursively",
+ "data_type": "boolean",
+ "required": false,
+ "primary": false,
+ "contains": [],
+ "default": "",
+ "order": 3,
+ "name": "recurse",
+ "id": 4,
+ "param_name": "recurse"
 }
 },
 "output": [
 {
- "data_path": "action_result.parameter.file_path",
+ "data_path": "action_result.parameter.ip_hostname",
 "data_type": "string",
- "example_values": [
- "C:\\Windows\\System32\\notepad.exe"
+ "contains": [
+ "ip",
+ "host name"
 ],
+ "column_name": "ip_hostname",
+ "column_order": 0
+ },
+ {
+ "data_path": "action_result.parameter.file_path",
+ "data_type": "string",
 "contains": [
 "file path"
 ],
- "column_name": "File Path",
- "column_order": 2
+ "column_name": "file_path",
+ "column_order": 1
 },
 {
 "data_path": 
"action_result.parameter.force",
 "data_type": "boolean",
- "example_values": [
- true,
- false
- ],
- "column_name": "Force",
- "column_order": 1
+ "contains": [],
+ "column_name": "force",
+ "column_order": 2
 },
 {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ],
- "contains": [
- "ip",
- "host name"
- ],
- "column_name": "IP/HOSTNAME",
+ "data_path": "action_result.parameter.recurse",
+ "data_type": "boolean",
+ "contains": [],
+ "column_name": "recurse",
 "column_order": 3
 },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
 {
 "data_path": "action_result.status",
 "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
+ "column_name": "status",
+ "column_order": 4
 },
 {
 "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully deleted files"
- ],
- "column_name": "Message",
- "column_order": 0
- },
- {
- "data_path": "action_result.summary",
 "data_type": "string"
 },
 {
 "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
+ "data_type": "numeric"
 },
 {
 "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
+ "data_type": "numeric"
 }
 ],
 "render": {
@@ -3360,5 +3457,13 @@
 "input_file": "wheels/shared/xmltodict-0.13.0-py2.py3-none-any.whl"
 }
 ]
- }
+ },
+ "copied_from_id": 19,
+ "copied_from_version": "2.2.6",
+ "directory": "cyberwindowsremotemanagement_024da1a3-b64f-4974-b841-051b4d3c993d",
+ "version": 1,
+ "appname": "-",
+ "executable": "spawn3",
+ "disabled": false,
+ "custom_made": true
 }
From 5b3ddfb58e693c500138f4344d4567a2d0d96876 Mon Sep 17 00:00:00 2001
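Review bot: `"default": ""` on the new `recurse` parameter is a string default on a `boolean` data_type, while the sibling `force` parameter in the same hunk keeps `"default": false`; give `recurse` the same `"default": false` so both switches have one type and the connector's `param.get('recurse')` truth test receives a real boolean. The identical `recurse` block with the same `""` default appears in the new cyberwindowsremotemanagement.json from PATCH 1/5 (that hunk starts before this view), and since PATCH 4/5 reverts winrm.json, that copy is where the fix actually lands. The `action_result.data` and `action_result.summary` output entries removed here are still listed in the README table added by PATCH 2/5, so either the manifest or the README should be brought back in line.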
From: Elad Levi <58475124+JakePeralta7@users.noreply.github.com> Date: Wed, 21 Feb 2024 21:10:28 +0200 Subject: [PATCH 4/5] Update winrm.json --- winrm.json | 399 ++++++++++++++++++++--------------------------------- 1 file changed, 147 insertions(+), 252 deletions(-) diff --git a/winrm.json b/winrm.json index 8f0f24f..1f6c5d3 100644 --- a/winrm.json +++ b/winrm.json @@ -1,18 +1,18 @@ { - "appid": "024da1a3-b64f-4974-b841-051b4d3c993d", - "name": "Cyber Windows Remote Management", + "appid": "a0222b95-b006-4c9e-9578-1428defcec0f", + "name": "Windows Remote Management", "description": "This app integrates with the Windows Remote Management service to execute various actions", "type": "endpoint", - "product_vendor": "Microsoft_clone_1702059179715", + "product_vendor": "Microsoft", "logo": "logo_microsoft.svg", "logo_dark": "logo_microsoft_dark.svg", - "product_name": "Windows Remote Management_clone_1702059179715", + "product_name": "Windows Remote Management", "product_version_regex": ".*", "publisher": "Splunk", "license": "Copyright (c) 2018-2023 Splunk Inc.", - "app_version": "1.0.0", - "utctime_updated": "2023-12-08T18:13:44.087303Z", - "package_name": "phantom_cyberwindowsremotemanagement", + "app_version": "2.2.6", + "utctime_updated": "2023-12-05T12:42:47.000000Z", + "package_name": "phantom_winrm", "main_module": "winrm_connector.py", "min_phantom_version": "6.1.1", "fips_compliant": true, @@ -25,17 +25,13 @@ "endpoint": { "description": "IP/Hostname (For TEST CONNECTIVITY and default, if not provided in an action)", "data_type": "string", - "order": 0, - "name": "endpoint", - "id": 0 + "order": 0 }, "verify_server_cert": { "description": "Verify Server Certificate", "data_type": "boolean", - "default": "False", - "order": 1, - "name": "verify_server_cert", - "id": 1 + "default": false, + "order": 1 }, "default_protocol": { "description": "Default protocol for actions", 
@@ -45,40 +41,30 @@ "value_list": [ "http", "https" - ], - "name": "default_protocol", - "id": 2 + ] }, "default_port": { "description": "Default port for actions", "data_type": "numeric", "default": 5985, - "order": 3, - "name": "default_port", - "id": 3 + "order": 3 }, "domain": { "description": "Domain", "data_type": "string", - "order": 4, - "name": "domain", - "id": 4 + "order": 4 }, "username": { "description": "Username", "data_type": "string", "required": true, - "order": 5, - "name": "username", - "id": 5 + "order": 5 }, "password": { "description": "Password", "data_type": "password", "required": true, - "order": 6, - "name": "password", - "id": 6 + "order": 6 }, "transport": { "description": "Type of transport to use", @@ -89,9 +75,7 @@ "ntlm" ], "default": "basic", - "order": 7, - "name": "transport", - "id": 7 + "order": 7 } }, "actions": [ @@ -116,14 +100,12 @@ "command": { "description": "The command to be run", "data_type": "string", - "order": 1, - "name": "command" + "order": 1 }, "arguments": { "description": "The arguments for the command", "data_type": "string", - "order": 2, - "name": "arguments" + "order": 2 }, "parser": { "description": "The vault ID of a custom parser to use for output", @@ -132,8 +114,7 @@ ], "primary": true, "data_type": "string", - "order": 3, - "name": "parser" + "order": 3 }, "ip_hostname": { "description": "IP/Hostname", @@ -143,15 +124,13 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true }, "async": { "description": "Start the command, but don't wait for output", "data_type": "boolean", "default": false, - "order": 4, - "name": "async" + "order": 4 }, "command_id": { "description": "Command ID of async command (Provide with shell_id)", @@ -160,8 +139,7 @@ "order": 5, "contains": [ "winrm command id" - ], - "name": "command_id" + ] }, "shell_id": { "description": "Shell ID of async command (Provide with command_id)", 
@@ -170,8 +148,7 @@ "contains": [ "winrm shell id" ], - "primary": true, - "name": "shell_id" + "primary": true } }, "output": [ @@ -336,14 +313,12 @@ ], "data_type": "string", "primary": true, - "order": 1, - "name": "script_file" + "order": 1 }, "script_str": { "description": "A PowerShell script to run", "data_type": "string", - "order": 2, - "name": "script_str" + "order": 2 }, "parser": { "description": "The vault ID of a custom parser to use for output", @@ -352,8 +327,7 @@ ], "data_type": "string", "primary": true, - "order": 3, - "name": "parser" + "order": 3 }, "ip_hostname": { "description": "IP/Hostname", @@ -363,15 +337,13 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true }, "async": { "description": "Start the command, but don't wait for output", "data_type": "boolean", "default": false, - "order": 4, - "name": "async" + "order": 4 }, "command_id": { "description": "Command ID of async command (Provide with shell_id)", @@ -380,8 +352,7 @@ "primary": true, "contains": [ "winrm command id" - ], - "name": "command_id" + ] }, "shell_id": { "description": "Shell ID of async command (Provide with command_id)", @@ -390,8 +361,7 @@ "contains": [ "winrm shell id" ], - "primary": true, - "name": "shell_id" + "primary": true } }, "output": [ @@ -559,8 +529,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true } }, "output": [ @@ -714,8 +683,7 @@ "contains": [ "pid" ], - "order": 1, - "name": "pid" + "order": 1 }, "name": { "description": "Name of program to terminate, accepts wildcards", @@ -724,8 +692,7 @@ "contains": [ "process name" ], - "order": 2, - "name": "name" + "order": 2 }, "ip_hostname": { "description": "IP/Hostname", @@ -735,8 +702,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true } }, "output": [ @@ -832,8 +798,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true } }, "output": [ 
@@ -986,8 +951,7 @@ "contains": [ "port" ], - "order": 1, - "name": "filter_port" + "order": 1 }, "filter_ip": { "description": "Only show firewall rules acting on this ip", @@ -996,8 +960,7 @@ "contains": [ "ip" ], - "order": 2, - "name": "filter_ip" + "order": 2 }, "direction": { "description": "Only show firewall rules in this direction", @@ -1006,8 +969,7 @@ "in", "out" ], - "order": 3, - "name": "direction" + "order": 3 }, "protocol": { "description": "Only show firewall rules using this protocol", @@ -1016,14 +978,12 @@ "winrm protocol" ], "order": 4, - "primary": true, - "name": "protocol" + "primary": true }, "other": { "description": "JSON object of key value pairs of other fields to match", "data_type": "string", - "order": 5, - "name": "other" + "order": 5 }, "ip_hostname": { "description": "IP/Hostname", @@ -1033,8 +993,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true } }, "output": [ @@ -1270,8 +1229,7 @@ ], "primary": true, "required": true, - "order": 1, - "name": "name" + "order": 1 }, "dir": { "description": "Blocks inbound or outbound traffic", @@ -1280,8 +1238,7 @@ "in", "out" ], - "order": 2, - "name": "dir" + "order": 2 }, "remote_ip": { "description": "Firewall rule acts on this remote IP", @@ -1290,8 +1247,7 @@ "ip" ], "order": 3, - "primary": true, - "name": "remote_ip" + "primary": true }, "local_ip": { "description": "Firewall rule acts on this local IP", @@ -1300,8 +1256,7 @@ "ip" ], "order": 4, - "primary": true, - "name": "local_ip" + "primary": true }, "remote_port": { "description": "Firewall rule acts on this remote port", @@ -1310,8 +1265,7 @@ "port" ], "order": 5, - "primary": true, - "name": "remote_port" + "primary": true }, "local_port": { "description": "Firewall rule acts on this local port", @@ -1320,8 +1274,7 @@ "port" ], "order": 6, - "primary": true, - "name": "local_port" + "primary": true }, "protocol": { "description": "Firewall rule acts on this protocol", 
@@ -1330,14 +1283,12 @@ "winrm protocol" ], "order": 7, - "primary": true, - "name": "protocol" + "primary": true }, "other": { "description": "JSON object of key value pairs for other parameters to include", "data_type": "string", - "order": 8, - "name": "other" + "order": 8 }, "ip_hostname": { "description": "IP/Hostname", @@ -1347,8 +1298,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true } }, "output": [ @@ -1507,8 +1457,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true }, "name": { "description": "The name of the rule to add", @@ -1518,8 +1467,7 @@ "windows firewall rule name" ], "order": 1, - "primary": true, - "name": "name" + "primary": true }, "remote_ip": { "description": "Block this IP", @@ -1529,8 +1477,7 @@ "contains": [ "ip" ], - "order": 2, - "name": "remote_ip" + "order": 2 } }, "output": [ @@ -1627,8 +1574,7 @@ "windows firewall rule name" ], "order": 1, - "primary": true, - "name": "name" + "primary": true }, "dir": { "description": "Block inbound or outbound traffic", @@ -1638,8 +1584,7 @@ "in", "out" ], - "order": 2, - "name": "dir" + "order": 2 }, "action": { "description": "What the firewall will do with packets", @@ -1650,8 +1595,7 @@ "block", "bypass" ], - "order": 3, - "name": "action" + "order": 3 }, "remote_ip": { "description": "Firewall rule acts on this remote IP", @@ -1660,8 +1604,7 @@ "contains": [ "ip" ], - "order": 4, - "name": "remote_ip" + "order": 4 }, "local_ip": { "description": "Firewall rule acts on this local IP", @@ -1670,8 +1613,7 @@ "contains": [ "ip" ], - "order": 5, - "name": "local_ip" + "order": 5 }, "remote_port": { "description": "Firewall rule acts on this remote port", @@ -1680,8 +1622,7 @@ "port" ], "primary": true, - "order": 6, - "name": "remote_port" + "order": 6 }, "local_port": { "description": "Firewall rule acts on this local port", 
@@ -1690,8 +1631,7 @@ "port" ], "order": 7, - "primary": true, - "name": "local_port" + "primary": true }, "protocol": { "description": "Firewall rule acts on this protocol", @@ -1700,14 +1640,12 @@ "winrm protocol" ], "order": 8, - "primary": true, - "name": "protocol" + "primary": true }, "other": { "description": "JSON object of key value pairs for other parameters to include", "data_type": "string", - "order": 9, - "name": "other" + "order": 9 }, "ip_hostname": { "description": "IP/Hostname", @@ -1717,8 +1655,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true } }, "output": [ @@ -1877,8 +1814,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true }, "session_id": { "description": "Session ID", @@ -1888,8 +1824,7 @@ "order": 1, "contains": [ "windows session id" - ], - "name": "session_id" + ] } }, "output": [ @@ -1975,8 +1910,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true } }, "output": [ @@ -2096,8 +2030,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true } }, "output": [ @@ -2173,8 +2106,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true } }, "output": [ @@ -2250,14 +2182,12 @@ "contains": [ "ip", "host name" - ], - "name": "ip_hostname" + ] }, "comment": { "description": "Comment to show to users", "data_type": "string", - "order": 1, - "name": "comment" + "order": 1 } }, "output": [ @@ -2340,14 +2270,12 @@ "contains": [ "ip", "host name" - ], - "name": "ip_hostname" + ] }, "comment": { "description": "Comment to show to users", "data_type": "string", - "order": 1, - "name": "comment" + "order": 1 } }, "output": [ @@ -2430,8 +2358,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true }, "location": { "description": "Which policies to list", 
@@ -2442,14 +2369,12 @@ "local", "domain", "effective" - ], - "name": "location" + ] }, "ldap": { "description": "LDAP Server. Will only have an effect if 'location' is set to 'domain'", "data_type": "string", - "order": 2, - "name": "ldap" + "order": 2 } }, "output": [ @@ -2651,8 +2576,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true }, "deny_allow": { "description": "Set this rule to allow or deny", @@ -2662,8 +2586,7 @@ "value_list": [ "deny", "allow" - ], - "name": "deny_allow" + ] }, "file_path": { "description": "File path to set rule to. Allows wildcards (i.e. C:\\Windows\\System32\\*.exe)", @@ -2673,8 +2596,7 @@ "order": 2, "contains": [ "file path" - ], - "name": "file_path" + ] }, "user": { "description": "User or group to apply rule to", @@ -2683,20 +2605,17 @@ "contains": [ "winrm user or group sid" ], - "primary": true, - "name": "user" + "primary": true }, "rule_name_prefix": { "description": "Prefix for new rule name", "data_type": "string", - "order": 4, - "name": "rule_name_prefix" + "order": 4 }, "ldap": { "description": "LDAP Server", "data_type": "string", - "order": 5, - "name": "ldap" + "order": 5 } }, "output": [ @@ -2814,8 +2733,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true }, "applocker_policy_id": { "description": "ID of policy to delete", @@ -2825,14 +2743,12 @@ "order": 1, "contains": [ "windows applocker policy id" - ], - "name": "applocker_policy_id" + ] }, "ldap": { "description": "LDAP Server", "data_type": "string", - "order": 2, - "name": "ldap" + "order": 2 } }, "output": [ @@ -2925,8 +2841,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true }, "file_path": { "description": "Path to file", @@ -2936,8 +2851,7 @@ "primary": true, "contains": [ "file path" - ], - "name": "file_path" + ] } }, "output": [ 
@@ -3039,8 +2953,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true }, "vault_id": { "description": "Vault ID of file", @@ -3050,8 +2963,7 @@ "primary": true, "contains": [ "vault id" - ], - "name": "vault_id" + ] }, "destination": { "description": "Path to copy file to", @@ -3061,8 +2973,7 @@ "contains": [ "file path" ], - "primary": true, - "name": "destination" + "primary": true } }, "output": [ @@ -3165,8 +3076,7 @@ "ip", "host name" ], - "primary": true, - "name": "ip_hostname" + "primary": true }, "from": { "description": "File source (path)", @@ -3176,8 +3086,7 @@ "order": 1, "contains": [ "file path" - ], - "name": "from" + ] }, "to": { "description": "File destination (path)", @@ -3187,8 +3096,7 @@ "contains": [ "file path" ], - "primary": true, - "name": "to" + "primary": true } }, "output": [ 
@@ -3277,119 +3185,114 @@ }, { "action": "delete file", - "identifier": "delete_file", "description": "Run the delete command on the Windows Endpoint", "verbose": "For best results, the file path parameter should be an absolute path to a location.", "type": "generic", + "identifier": "delete_file", "read_only": false, "parameters": { "ip_hostname": { "description": "IP/Hostname", "data_type": "string", - "required": false, - "primary": true, + "order": 0, "contains": [ "ip", "host name" ], - "value_list": [], - "default": "", - "order": 0, - "name": "ip_hostname", - "id": 1, - "param_name": "ip_hostname" + "primary": true }, "file_path": { - "description": "Path to file / directory", + "description": "Path to file", "data_type": "string", "required": true, + "order": 1, "primary": true, "contains": [ "file path" - ], - "value_list": [], - "default": "", - "order": 1, - "name": "file_path", - "id": 2, - "param_name": "file_path" + ] }, "force": { "description": "Use the force flag for delete", "data_type": "boolean", - "required": false, - "primary": false, - "contains": [], "default": false, - "order": 2, - "name": "force", - "id": 3, - "param_name": "force" - }, - "recurse": { - "description": "Use the recurse flag to delete directory content recursively", - "data_type": "boolean", - "required": false, - "primary": false, - "contains": [], - "default": "", - "order": 3, - "name": "recurse", - "id": 4, - "param_name": "recurse" + "order": 2 } }, "output": [ - { - "data_path": "action_result.parameter.ip_hostname", - "data_type": "string", - "contains": [ - "ip", - "host name" - ], - "column_name": "ip_hostname", - "column_order": 0 - }, { "data_path": "action_result.parameter.file_path", "data_type": "string", + "example_values": [ + "C:\\Windows\\System32\\notepad.exe" + ], "contains": [ "file path" ], - "column_name": "file_path", - "column_order": 1 + "column_name": "File Path", + "column_order": 2 }, { "data_path": "action_result.parameter.force", "data_type": 
"boolean", - "contains": [], - "column_name": "force", - "column_order": 2 + "example_values": [ + true, + false + ], + "column_name": "Force", + "column_order": 1 }, { - "data_path": "action_result.parameter.recurse", - "data_type": "boolean", - "contains": [], - "column_name": "recurse", + "data_path": "action_result.parameter.ip_hostname", + "data_type": "string", + "example_values": [ + "8.8.8.8", + "8.8.8.8\\testphantom.local" + ], + "contains": [ + "ip", + "host name" + ], + "column_name": "IP/HOSTNAME", "column_order": 3 }, + { + "data_path": "action_result.data", + "data_type": "string" + }, { "data_path": "action_result.status", "data_type": "string", - "column_name": "status", - "column_order": 4 + "example_values": [ + "success", + "failed" + ] }, { "data_path": "action_result.message", + "data_type": "string", + "example_values": [ + "Successfully deleted files" + ], + "column_name": "Message", + "column_order": 0 + }, + { + "data_path": "action_result.summary", "data_type": "string" }, { "data_path": "summary.total_objects", - "data_type": "numeric" + "data_type": "numeric", + "example_values": [ + 1 + ] }, { "data_path": "summary.total_objects_successful", - "data_type": "numeric" + "data_type": "numeric", + "example_values": [ + 1 + ] } ], "render": { @@ -3457,13 +3360,5 @@ "input_file": "wheels/shared/xmltodict-0.13.0-py2.py3-none-any.whl" } ] - }, - "copied_from_id": 19, - "copied_from_version": "2.2.6", - "directory": "cyberwindowsremotemanagement_024da1a3-b64f-4974-b841-051b4d3c993d", - "version": 1, - "appname": "-", - "executable": "spawn3", - "disabled": false, - "custom_made": true + } } From ed39087db8ada71856771e38f4a43f1427bf15af Mon Sep 17 00:00:00 2001 
From: Elad Levi <58475124+JakePeralta7@users.noreply.github.com> Date: Wed, 21 Feb 2024 21:10:49 +0200 Subject: [PATCH 5/5] Delete cyberwindowsremotemanagement.json --- cyberwindowsremotemanagement.json | 3469 ----------------------------- 1 file changed, 3469 deletions(-) delete mode 100644 cyberwindowsremotemanagement.json diff --git a/cyberwindowsremotemanagement.json b/cyberwindowsremotemanagement.json deleted file mode 100644 index 087a652..0000000 --- a/cyberwindowsremotemanagement.json +++ /dev/null 
@@ -1,3469 +0,0 @@ -{ - "appid": "024da1a3-b64f-4974-b841-051b4d3c993d", - "name": "Cyber Windows Remote Management", - "description": "This app integrates with the Windows Remote Management service to execute various actions", - "type": "endpoint", - "product_vendor": "Microsoft_clone_1702059179715", - "logo": "logo_microsoft.svg", - "logo_dark": "logo_microsoft_dark.svg", - "product_name": "Windows Remote Management_clone_1702059179715", - "product_version_regex": ".*", - "publisher": "Splunk", - "license": "Copyright (c) 2018-2023 Splunk Inc.", - "app_version": "1.0.0", - "utctime_updated": "2023-12-08T18:13:44.087303Z", - "package_name": "phantom_cyberwindowsremotemanagement", - "main_module": "winrm_connector.py", - "min_phantom_version": "6.1.1", - "fips_compliant": true, - "python_version": "3", - "latest_tested_versions": [ - "On-premise, Windows Server 2012 R2 Standard" - ], - "app_wizard_version": "1.0.0", - "configuration": { - "endpoint": { - "description": "IP/Hostname (For TEST CONNECTIVITY and default, if not provided in an action)", - "data_type": "string", - "order": 0, - "name": "endpoint", - "id": 0 - }, - "verify_server_cert": { - "description": "Verify Server Certificate", - "data_type": "boolean", - "default": "False", - "order": 1, - "name": "verify_server_cert", - "id": 1 - }, - "default_protocol": { - "description": "Default protocol for actions", - "data_type": "string", - "default": "http", - "order": 2, - "value_list": [ - "http", - "https" - ], - "name": "default_protocol", - "id": 2 - }, - "default_port": { - "description": "Default port for actions", - "data_type": "numeric", - "default": 5985, - "order": 3, - "name": "default_port", - "id": 3 - }, - "domain": { - "description": "Domain", - "data_type": "string", - "order": 4, - "name": "domain", - "id": 4 - }, - "username": { - "description": "Username", - "data_type": "string", - "required": true, - "order": 5, - "name": "username", - "id": 5 - }, - "password": { - "description": 
"Password", - "data_type": "password", - "required": true, - "order": 6, - "name": "password", - "id": 6 - }, - "transport": { - "description": "Type of transport to use", - "data_type": "string", - "required": true, - "value_list": [ - "basic", - "ntlm" - ], - "default": "basic", - "order": 7, - "name": "transport", - "id": 7 - } - }, - "actions": [ - { - "action": "test connectivity", - "description": "Validate the asset configuration for connectivity using supplied configuration", - "type": "test", - "identifier": "test_connectivity", - "read_only": true, - "parameters": {}, - "output": [], - "versions": "EQ(*)" - }, - { - "action": "run command", - "description": "Execute a command on the endpoint", - "verbose": "Unless you implement a custom parser, this action will always succeed regardless of the input. Either a command or pair of command_id and shell_id must be specified. If a command_id is present, all other parameters will be ignored.

Note: The command_id and shell_id you provide to fetch the output can only be used once because once the output is fetched successfully server will remove output from its cache.

", - "type": "generic", - "identifier": "run_command", - "read_only": false, - "parameters": { - "command": { - "description": "The command to be run", - "data_type": "string", - "order": 1, - "name": "command" - }, - "arguments": { - "description": "The arguments for the command", - "data_type": "string", - "order": 2, - "name": "arguments" - }, - "parser": { - "description": "The vault ID of a custom parser to use for output", - "contains": [ - "vault id" - ], - "primary": true, - "data_type": "string", - "order": 3, - "name": "parser" - }, - "ip_hostname": { - "description": "IP/Hostname", - "data_type": "string", - "order": 0, - "contains": [ - "ip", - "host name" - ], - "primary": true, - "name": "ip_hostname" - }, - "async": { - "description": "Start the command, but don't wait for output", - "data_type": "boolean", - "default": false, - "order": 4, - "name": "async" - }, - "command_id": { - "description": "Command ID of async command (Provide with shell_id)", - "data_type": "string", - "primary": true, - "order": 5, - "contains": [ - "winrm command id" - ], - "name": "command_id" - }, - "shell_id": { - "description": "Shell ID of async command (Provide with command_id)", - "data_type": "string", - "order": 6, - "contains": [ - "winrm shell id" - ], - "primary": true, - "name": "shell_id" - } - }, - "output": [ - { - "data_path": "action_result.parameter.arguments", - "data_type": "string", - "example_values": [ - "/all" - ] - }, - { - "data_path": "action_result.parameter.async", - "data_type": "boolean", - "example_values": [ - true, - false - ] - }, - { - "data_path": "action_result.parameter.command", - "data_type": "string", - "example_values": [ - "ipconfig" - ] - }, - { - "data_path": "action_result.parameter.command_id", - "data_type": "string", - "contains": [ - "winrm command id" - ], - "example_values": [ - "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" - ] - }, - { - "data_path": "action_result.parameter.ip_hostname", - "data_type": "string", - 
"contains": [ - "ip", - "host name" - ], - "example_values": [ - "8.8.8.8", - "8.8.8.8\\testphantom.local" - ] - }, - { - "data_path": "action_result.parameter.parser", - "data_type": "string", - "contains": [ - "vault id" - ], - "example_values": [ - "8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56" - ] - }, - { - "data_path": "action_result.parameter.shell_id", - "data_type": "string", - "contains": [ - "winrm shell id" - ], - "example_values": [ - "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" - ] - }, - { - "data_path": "action_result.data.*.status_code", - "data_type": "numeric", - "example_values": [ - 0 - ] - }, - { - "data_path": "action_result.data.*.std_err", - "data_type": "string", - "example_values": [ - "Error message" - ] - }, - { - "data_path": "action_result.data.*.std_out", - "data_type": "string", - "example_values": [ - "Successful output" - ] - }, - { - "data_path": "action_result.status", - "data_type": "string", - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", - "data_type": "string", - "column_name": "Message", - "column_order": 0, - "example_values": [ - "Successfully ran command" - ] - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.summary.command_id", - "data_type": "string", - "contains": [ - "winrm command id" - ], - "example_values": [ - "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" - ] - }, - { - "data_path": "action_result.summary.shell_id", - "data_type": "string", - "contains": [ - "winrm shell id" - ], - "example_values": [ - "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" - ] - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric", - "example_values": [ - 1 - ] - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric", - "example_values": [ - 1 - ] - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "run script", - "description": "Run a PowerShell script on the 
endpoint", - "verbose": "The script you provide can either be in the vault, or it can just be a string of the script to run. If both values are present, it will use the script_file over the script_str. Unless you implement a custom parser, this action will always succeed regardless of the input. If command_id and shell_id are present, script_file and script_str will be ignored. This action will fail if at least one of script_file, script_str, or the pair of command_id and shell_id are not specified.

Note: The command_id and shell_id you provide to fetch the output can only be used once because once the output is fetched successfully server will remove output from its cache.

", - "type": "generic", - "identifier": "run_script", - "read_only": false, - "parameters": { - "script_file": { - "description": "The vault ID of a PowerShell script to run", - "contains": [ - "vault id" - ], - "data_type": "string", - "primary": true, - "order": 1, - "name": "script_file" - }, - "script_str": { - "description": "A PowerShell script to run", - "data_type": "string", - "order": 2, - "name": "script_str" - }, - "parser": { - "description": "The vault ID of a custom parser to use for output", - "contains": [ - "vault id" - ], - "data_type": "string", - "primary": true, - "order": 3, - "name": "parser" - }, - "ip_hostname": { - "description": "IP/Hostname", - "data_type": "string", - "order": 0, - "contains": [ - "ip", - "host name" - ], - "primary": true, - "name": "ip_hostname" - }, - "async": { - "description": "Start the command, but don't wait for output", - "data_type": "boolean", - "default": false, - "order": 4, - "name": "async" - }, - "command_id": { - "description": "Command ID of async command (Provide with shell_id)", - "data_type": "string", - "order": 5, - "primary": true, - "contains": [ - "winrm command id" - ], - "name": "command_id" - }, - "shell_id": { - "description": "Shell ID of async command (Provide with command_id)", - "data_type": "string", - "order": 6, - "contains": [ - "winrm shell id" - ], - "primary": true, - "name": "shell_id" - } - }, - "output": [ - { - "data_path": "action_result.parameter.async", - "data_type": "boolean", - "example_values": [ - true, - false - ] - }, - { - "data_path": "action_result.parameter.command_id", - "data_type": "string", - "contains": [ - "winrm command id" - ], - "example_values": [ - "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" - ] - }, - { - "data_path": "action_result.parameter.ip_hostname", - "data_type": "string", - "contains": [ - "ip", - "host name" - ], - "example_values": [ - "8.8.8.8", - "8.8.8.8\\testphantom.local" - ] - }, - { - "data_path": "action_result.parameter.parser", - 
"data_type": "string", - "contains": [ - "vault id" - ], - "example_values": [ - "8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56" - ] - }, - { - "data_path": "action_result.parameter.script_file", - "data_type": "string", - "contains": [ - "vault id" - ], - "example_values": [ - "8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56" - ] - }, - { - "data_path": "action_result.parameter.script_str", - "data_type": "string", - "example_values": [ - "Write-Host Hello" - ] - }, - { - "data_path": "action_result.parameter.shell_id", - "data_type": "string", - "contains": [ - "winrm shell id" - ], - "example_values": [ - "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" - ] - }, - { - "data_path": "action_result.data.*.status_code", - "data_type": "numeric", - "example_values": [ - 0 - ] - }, - { - "data_path": "action_result.data.*.std_err", - "data_type": "string", - "example_values": [ - "Error message" - ] - }, - { - "data_path": "action_result.data.*.std_out", - "data_type": "string", - "example_values": [ - "Successful output" - ] - }, - { - "data_path": "action_result.status", - "data_type": "string", - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", - "data_type": "string", - "column_name": "Message", - "column_order": 0, - "example_values": [ - "Successfully ran PowerShell script" - ] - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.summary.command_id", - "data_type": "string", - "contains": [ - "winrm command id" - ], - "example_values": [ - "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" - ] - }, - { - "data_path": "action_result.summary.shell_id", - "data_type": "string", - "contains": [ - "winrm shell id" - ], - "example_values": [ - "1AAA1111-1A11-11A1-1111-1A1AAA1A11A1" - ] - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric", - "example_values": [ - 1 - ] - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric", - "example_values": [ - 
1 - ] - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "list processes", - "description": "List the currently running processes", - "type": "investigate", - "identifier": "list_processes", - "read_only": true, - "parameters": { - "ip_hostname": { - "description": "IP/Hostname", - "data_type": "string", - "order": 0, - "contains": [ - "ip", - "host name" - ], - "primary": true, - "name": "ip_hostname" - } - }, - "output": [ - { - "data_path": "action_result.parameter.ip_hostname", - "data_type": "string", - "contains": [ - "ip", - "host name" - ], - "example_values": [ - "8.8.8.8", - "8.8.8.8\\testphantom.local" - ] - }, - { - "data_path": "action_result.data.*.handles", - "data_type": "numeric", - "example_values": [ - 33 - ] - }, - { - "data_path": "action_result.data.*.name", - "data_type": "string", - "contains": [ - "process name" - ], - "example_values": [ - "cmd" - ], - "column_name": "Process Name", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.non_paged_memory", - "data_type": "numeric", - "example_values": [ - 3 - ], - "column_name": "Non Paged Memory", - "column_order": 2 - }, - { - "data_path": "action_result.data.*.paged_memory", - "data_type": "numeric", - "example_values": [ - 1564 - ], - "column_name": "Paged Memory", - "column_order": 3 - }, - { - "data_path": "action_result.data.*.pid", - "data_type": "numeric", - "example_values": [ - 3108 - ], - "contains": [ - "pid" - ], - "column_name": "PID", - "column_order": 1 - }, - { - "data_path": "action_result.data.*.processor_time_(s)", - "data_type": "numeric", - "example_values": [ - 0.02 - ], - "column_name": "Processor Time (s)", - "column_order": 5 - }, - { - "data_path": "action_result.data.*.virtual_memory", - "data_type": "numeric", - "example_values": [ - 14 - ] - }, - { - "data_path": "action_result.data.*.working_set", - "data_type": "numeric", - "example_values": [ - 2384 - ], - "column_name": "Working Set", - "column_order": 4 - 
}, - { - "data_path": "action_result.data.*.session_id", - "data_type": "numeric" - }, - { - "data_path": "action_result.status", - "data_type": "string", - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", - "data_type": "string", - "example_values": [ - "Successfully got process list" - ] - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.summary.num_processes", - "data_type": "numeric", - "example_values": [ - 451 - ] - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric", - "example_values": [ - 1 - ] - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric", - "example_values": [ - 1 - ] - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "terminate process", - "description": "Terminate a process", - "type": "generic", - "identifier": "terminate_process", - "read_only": false, - "parameters": { - "pid": { - "description": "The PID of the process to terminate", - "data_type": "numeric", - "primary": true, - "contains": [ - "pid" - ], - "order": 1, - "name": "pid" - }, - "name": { - "description": "Name of program to terminate, accepts wildcards", - "data_type": "string", - "primary": true, - "contains": [ - "process name" - ], - "order": 2, - "name": "name" - }, - "ip_hostname": { - "description": "IP/Hostname", - "data_type": "string", - "order": 0, - "contains": [ - "ip", - "host name" - ], - "primary": true, - "name": "ip_hostname" - } - }, - "output": [ - { - "data_path": "action_result.parameter.ip_hostname", - "data_type": "string", - "contains": [ - "ip", - "host name" - ], - "example_values": [ - "8.8.8.8", - "8.8.8.8\\testphantom.local" - ] - }, - { - "data_path": "action_result.parameter.name", - "data_type": "string", - "contains": [ - "process name" - ], - "example_values": [ - "iexplore" - ] - }, - { - "data_path": "action_result.parameter.pid", - "data_type": 
"numeric", - "contains": [ - "pid" - ], - "example_values": [ - 451 - ] - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.status", - "data_type": "string", - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", - "data_type": "string", - "example_values": [ - "Successfully terminated process" - ], - "column_name": "Message", - "column_order": 0 - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric", - "example_values": [ - 1 - ] - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric", - "example_values": [ - 1 - ] - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "list connections", - "description": "List all active connections", - "type": "investigate", - "identifier": "list_connections", - "read_only": true, - "parameters": { - "ip_hostname": { - "description": "IP/Hostname", - "data_type": "string", - "order": 0, - "contains": [ - "ip", - "host name" - ], - "primary": true, - "name": "ip_hostname" - } - }, - "output": [ - { - "data_path": "action_result.parameter.ip_hostname", - "data_type": "string", - "contains": [ - "ip", - "host name" - ], - "example_values": [ - "8.8.8.8", - "8.8.8.8\\testphantom.local" - ] - }, - { - "data_path": "action_result.data.*.foreign_address_ip", - "data_type": "string", - "example_values": [ - "8.8.8.8" - ], - "contains": [ - "ip" - ], - "column_name": "Foreign Address", - "column_order": 3 - }, - { - "data_path": "action_result.data.*.foreign_address_port", - "data_type": "string", - "example_values": [ - "11100" - ], - "contains": [ - "port" - ], - "column_name": "Foreign Address Port", - "column_order": 4 - }, - { - "data_path": "action_result.data.*.local_address_ip", - "data_type": "string", - "example_values": [ - "8.8.8.8" - ], - "contains": [ - "ip" - ], - 
"column_name": "Local Address", - "column_order": 1 - }, - { - "data_path": "action_result.data.*.local_address_port", - "data_type": "string", - "example_values": [ - "11100" - ], - "contains": [ - "port" - ], - "column_name": "Local Address Port", - "column_order": 2 - }, - { - "data_path": "action_result.data.*.pid", - "data_type": "numeric", - "example_values": [ - 451 - ], - "contains": [ - "pid" - ], - "column_name": "PID", - "column_order": 5 - }, - { - "data_path": "action_result.data.*.protocol", - "data_type": "string", - "example_values": [ - "TCP" - ], - "column_name": "Protocol", - "column_order": 0 - }, - { - "data_path": "action_result.data.*.state", - "data_type": "string", - "example_values": [ - "ESTABLISHED" - ] - }, - { - "data_path": "action_result.status", - "data_type": "string", - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", - "data_type": "string", - "example_values": [ - "Successfully listed connections" - ] - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.summary.num_connections", - "data_type": "numeric", - "example_values": [ - 451 - ] - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric", - "example_values": [ - 1 - ] - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric", - "example_values": [ - 1 - ] - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "list firewall rules", - "description": "List the firewall rules", - "verbose": "When you are using the other parameter, you can match for any field which is returned in the action result. 
It will only return a rule if it matches all of the criteria, not if it matches at least one.", - "type": "investigate", - "identifier": "list_firewall_rules", - "read_only": true, - "parameters": { - "filter_port": { - "description": "Only show firewall rules acting on this port", - "data_type": "string", - "primary": true, - "contains": [ - "port" - ], - "order": 1, - "name": "filter_port" - }, - "filter_ip": { - "description": "Only show firewall rules acting on this ip", - "data_type": "string", - "primary": true, - "contains": [ - "ip" - ], - "order": 2, - "name": "filter_ip" - }, - "direction": { - "description": "Only show firewall rules in this direction", - "data_type": "string", - "value_list": [ - "in", - "out" - ], - "order": 3, - "name": "direction" - }, - "protocol": { - "description": "Only show firewall rules using this protocol", - "data_type": "string", - "contains": [ - "winrm protocol" - ], - "order": 4, - "primary": true, - "name": "protocol" - }, - "other": { - "description": "JSON object of key value pairs of other fields to match", - "data_type": "string", - "order": 5, - "name": "other" - }, - "ip_hostname": { - "description": "IP/Hostname", - "data_type": "string", - "order": 0, - "contains": [ - "ip", - "host name" - ], - "primary": true, - "name": "ip_hostname" - } - }, - "output": [ - { - "data_path": "action_result.parameter.direction", - "data_type": "string", - "example_values": [ - "in" - ] - }, - { - "data_path": "action_result.parameter.filter_ip", - "data_type": "string", - "example_values": [ - "8.8.8.8" - ], - "contains": [ - "ip" - ] - }, - { - "data_path": "action_result.parameter.filter_port", - "data_type": "string", - "example_values": [ - 11100 - ], - "contains": [ - "port" - ] - }, - { - "data_path": "action_result.parameter.ip_hostname", - "data_type": "string", - "contains": [ - "ip", - "host name" - ], - "example_values": [ - "8.8.8.8", - "8.8.8.8\\testphantom.local" - ] - }, - { - "data_path": 
"action_result.parameter.other", - "data_type": "string", - "example_values": [ - "{\"enabled\": \"yes\"}" - ] - }, - { - "data_path": "action_result.parameter.protocol", - "data_type": "string", - "example_values": [ - "tcp" - ], - "contains": [ - "winrm protocol" - ] - }, - { - "data_path": "action_result.data.*.action", - "data_type": "string", - "example_values": [ - "allow" - ] - }, - { - "data_path": "action_result.data.*.direction", - "data_type": "string", - "example_values": [ - "in" - ], - "column_name": "Direction", - "column_order": 1 - }, - { - "data_path": "action_result.data.*.edge_traversal", - "data_type": "string", - "example_values": [ - "no" - ] - }, - { - "data_path": "action_result.data.*.enabled", - "data_type": "string", - "example_values": [ - "yes" - ] - }, - { - "data_path": "action_result.data.*.grouping", - "data_type": "string", - "example_values": [ - "windows remote management" - ] - }, - { - "data_path": "action_result.data.*.local_ip", - "data_type": "string", - "example_values": [ - "any" - ], - "contains": [ - "ip" - ], - "column_name": "Local IP", - "column_order": 2 - }, - { - "data_path": "action_result.data.*.local_port", - "data_type": "string", - "example_values": [ - "5985" - ], - "contains": [ - "port" - ], - "column_name": "Local Port", - "column_order": 3 - }, - { - "data_path": "action_result.data.*.profiles", - "data_type": "string", - "example_values": [ - "domain,private" - ] - }, - { - "data_path": "action_result.data.*.protocol", - "data_type": "string", - "example_values": [ - "tcp" - ], - "contains": [ - "winrm protocol" - ] - }, - { - "data_path": "action_result.data.*.remote_ip", - "data_type": "string", - "example_values": [ - "any" - ], - "contains": [ - "ip" - ], - "column_name": "Remote IP", - "column_order": 4 - }, - { - "data_path": "action_result.data.*.remote_port", - "data_type": "string", - "example_values": [ - "any" - ], - "contains": [ - "port" - ], - "column_name": "Remote Port", - 
"column_order": 5 - }, - { - "data_path": "action_result.data.*.rule_name", - "data_type": "string", - "example_values": [ - "windows remote management (http-in)" - ], - "contains": [ - "windows firewall rule name" - ], - "column_name": "Rule Name", - "column_order": 0 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", - "data_type": "string", - "example_values": [ - "Successfully retrieved firewall rules" - ] - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "action_result.summary.num_rules", - "data_type": "numeric", - "example_values": [ - 451 - ] - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric", - "example_values": [ - 1 - ] - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric", - "example_values": [ - 1 - ] - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "delete firewall rule", - "description": "Remove a firewall rule using netsh", - "verbose": "This action will invoke the command netsh advfirewall firewall delete rule, and the rest is determined by the input. 
At a minimum, the rule name must be provided, but if you need to you can also specify any other arguments which the command accepts, in the same manner, that input from the add firewall rule gets added.",
- "type": "generic",
- "identifier": "delete_firewall_rule",
- "read_only": false,
- "parameters": {
- "name": {
- "description": "The name of the rule to remove",
- "data_type": "string",
- "contains": [
- "windows firewall rule name"
- ],
- "primary": true,
- "required": true,
- "order": 1,
- "name": "name"
- },
- "dir": {
- "description": "Blocks inbound or outbound traffic",
- "data_type": "string",
- "value_list": [
- "in",
- "out"
- ],
- "order": 2,
- "name": "dir"
- },
- "remote_ip": {
- "description": "Firewall rule acts on this remote IP",
- "data_type": "string",
- "contains": [
- "ip"
- ],
- "order": 3,
- "primary": true,
- "name": "remote_ip"
- },
- "local_ip": {
- "description": "Firewall rule acts on this local IP",
- "data_type": "string",
- "contains": [
- "ip"
- ],
- "order": 4,
- "primary": true,
- "name": "local_ip"
- },
- "remote_port": {
- "description": "Firewall rule acts on this remote port",
- "data_type": "string",
- "contains": [
- "port"
- ],
- "order": 5,
- "primary": true,
- "name": "remote_port"
- },
- "local_port": {
- "description": "Firewall rule acts on this local port",
- "data_type": "string",
- "contains": [
- "port"
- ],
- "order": 6,
- "primary": true,
- "name": "local_port"
- },
- "protocol": {
- "description": "Firewall rule acts on this protocol",
- "data_type": "string",
- "contains": [
- "winrm protocol"
- ],
- "order": 7,
- "primary": true,
- "name": "protocol"
- },
- "other": {
- "description": "JSON object of key value pairs for other parameters to include",
- "data_type": "string",
- "order": 8,
- "name": "other"
- },
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.dir",
- "data_type": "string",
- "example_values": [
- "in",
- "out"
- ]
- },
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "contains": [
- "ip",
- "host name"
- ],
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ]
- },
- {
- "data_path": "action_result.parameter.local_ip",
- "data_type": "string",
- "contains": [
- "ip"
- ],
- "example_values": [
- "8.8.8.8"
- ]
- },
- {
- "data_path": "action_result.parameter.local_port",
- "data_type": "string",
- "contains": [
- "port"
- ],
- "example_values": [
- "443"
- ]
- },
- {
- "data_path": "action_result.parameter.name",
- "data_type": "string",
- "contains": [
- "windows firewall rule name"
- ],
- "example_values": [
- "test rule"
- ]
- },
- {
- "data_path": "action_result.parameter.other",
- "data_type": "string",
- "example_values": [
- "{\"profile\": \"domain\"}"
- ]
- },
- {
- "data_path": "action_result.parameter.protocol",
- "data_type": "string",
- "contains": [
- "winrm protocol"
- ],
- "example_values": [
- "any",
- "tcp"
- ]
- },
- {
- "data_path": "action_result.parameter.remote_ip",
- "data_type": "string",
- "contains": [
- "ip"
- ],
- "example_values": [
- "8.8.8.8"
- ]
- },
- {
- "data_path": "action_result.parameter.remote_port",
- "data_type": "string",
- "contains": [
- "port"
- ],
- "example_values": [
- "443"
- ]
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully deleted firewall rules"
- ],
- "column_name": "Message",
- "column_order": 0
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary.rules_deleted",
- "data_type": "numeric",
- "example_values": [
- 2
- ]
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "block ip",
- "description": "Create a firewall rule to block a specified IP",
- "type": "generic",
- "identifier": "block_ip",
- "read_only": false,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- },
- "name": {
- "description": "The name of the rule to add",
- "data_type": "string",
- "required": true,
- "contains": [
- "windows firewall rule name"
- ],
- "order": 1,
- "primary": true,
- "name": "name"
- },
- "remote_ip": {
- "description": "Block this IP",
- "data_type": "string",
- "required": true,
- "primary": true,
- "contains": [
- "ip"
- ],
- "order": 2,
- "name": "remote_ip"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "contains": [
- "ip",
- "host name"
- ],
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ]
- },
- {
- "data_path": "action_result.parameter.name",
- "data_type": "string",
- "contains": [
- "windows firewall rule name"
- ],
- "example_values": [
- "test rule"
- ]
- },
- {
- "data_path": "action_result.parameter.remote_ip",
- "data_type": "string",
- "contains": [
- "ip"
- ],
- "example_values": [
- "8.8.8.8"
- ]
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully created firewall rule"
- ],
- "column_name": "Message",
- "column_order": 0
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "add firewall rule",
- "description": "Add a firewall rule using netsh",
- "verbose": "This action will invoke the command netsh advfirewall firewall add rule, where the rest is determined by the input. Each key-value pair from the other parameter will be added in the form of key=value. The user input will be sanitized.",
- "type": "generic",
- "identifier": "create_firewall_rule",
- "read_only": false,
- "parameters": {
- "name": {
- "description": "The name of the rule to add",
- "data_type": "string",
- "required": true,
- "contains": [
- "windows firewall rule name"
- ],
- "order": 1,
- "primary": true,
- "name": "name"
- },
- "dir": {
- "description": "Block inbound or outbound traffic",
- "data_type": "string",
- "required": true,
- "value_list": [
- "in",
- "out"
- ],
- "order": 2,
- "name": "dir"
- },
- "action": {
- "description": "What the firewall will do with packets",
- "data_type": "string",
- "required": true,
- "value_list": [
- "allow",
- "block",
- "bypass"
- ],
- "order": 3,
- "name": "action"
- },
- "remote_ip": {
- "description": "Firewall rule acts on this remote IP",
- "data_type": "string",
- "primary": true,
- "contains": [
- "ip"
- ],
- "order": 4,
- "name": "remote_ip"
- },
- "local_ip": {
- "description": "Firewall rule acts on this local IP",
- "data_type": "string",
- "primary": true,
- "contains": [
- "ip"
- ],
- "order": 5,
- "name": "local_ip"
- },
- "remote_port": {
- "description": "Firewall rule acts on this remote port",
- "data_type": "string",
- "contains": [
- "port"
- ],
- "primary": true,
- "order": 6,
- "name": "remote_port"
- },
- "local_port": {
- "description": "Firewall rule acts on this local port",
- "data_type": "string",
- "contains": [
- "port"
- ],
- "order": 7,
- "primary": true,
- "name": "local_port"
- },
- "protocol": {
- "description": "Firewall rule acts on this protocol",
- "data_type": "string",
- "contains": [
- "winrm protocol"
- ],
- "order": 8,
- "primary": true,
- "name": "protocol"
- },
- "other": {
- "description": "JSON object of key value pairs for other parameters to include",
- "data_type": "string",
- "order": 9,
- "name": "other"
- },
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.action",
- "data_type": "string",
- "example_values": [
- "block"
- ]
- },
- {
- "data_path": "action_result.parameter.dir",
- "data_type": "string",
- "example_values": [
- "in",
- "out"
- ]
- },
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "contains": [
- "ip",
- "host name"
- ],
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ]
- },
- {
- "data_path": "action_result.parameter.local_ip",
- "data_type": "string",
- "contains": [
- "ip"
- ],
- "example_values": [
- "8.8.8.8"
- ]
- },
- {
- "data_path": "action_result.parameter.local_port",
- "data_type": "string",
- "contains": [
- "port"
- ],
- "example_values": [
- "443"
- ]
- },
- {
- "data_path": "action_result.parameter.name",
- "data_type": "string",
- "contains": [
- "windows firewall rule name"
- ],
- "example_values": [
- "test rule"
- ]
- },
- {
- "data_path": "action_result.parameter.other",
- "data_type": "string",
- "example_values": [
- "{\"profile\": \"domain\"}"
- ]
- },
- {
- "data_path": "action_result.parameter.protocol",
- "data_type": "string",
- "contains": [
- "winrm protocol"
- ],
- "example_values": [
- "any",
- "tcp"
- ]
- },
- {
- "data_path": "action_result.parameter.remote_ip",
- "data_type": "string",
- "contains": [
- "ip"
- ],
- "example_values": [
- "8.8.8.8"
- ]
- },
- {
- "data_path": "action_result.parameter.remote_port",
- "data_type": "string",
- "contains": [
- "port"
- ],
- "example_values": [
- "443"
- ]
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully created firewall rule"
- ],
- "column_name": "Message",
- "column_order": 0
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "logoff user",
- "description": "Logoff a user",
- "type": "generic",
- "identifier": "logoff_user",
- "read_only": false,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- },
- "session_id": {
- "description": "Session ID",
- "data_type": "string",
- "required": true,
- "primary": true,
- "order": 1,
- "contains": [
- "windows session id"
- ],
- "name": "session_id"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ],
- "contains": [
- "ip",
- "host name"
- ]
- },
- {
- "data_path": "action_result.parameter.session_id",
- "data_type": "string",
- "example_values": [
- "2"
- ],
- "contains": [
- "windows session id"
- ]
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully logged off user"
- ],
- "column_name": "Message",
- "column_order": 0
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "list sessions",
- "description": "List all active sessions",
- "type": "investigate",
- "identifier": "list_sessions",
- "read_only": true,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ],
- "contains": [
- "ip",
- "host name"
- ]
- },
- {
- "data_path": "action_result.data.*.id",
- "data_type": "string",
- "example_values": [
- "0"
- ],
- "contains": [
- "windows session id"
- ],
- "column_name": "Session ID",
- "column_order": 1
- },
- {
- "data_path": "action_result.data.*.name",
- "data_type": "string",
- "example_values": [
- "services"
- ],
- "column_name": "Name",
- "column_order": 0
- },
- {
- "data_path": "action_result.data.*.this",
- "data_type": "boolean",
- "example_values": [
- true,
- false
- ]
- },
- {
- "data_path": "action_result.data.*.type",
- "data_type": "string"
- },
- {
- "data_path": "action_result.data.*.username",
- "data_type": "string",
- "contains": [
- "user name"
- ],
- "column_name": "User Name",
- "column_order": 2
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully listed all sessions"
- ]
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary.num_sessions",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "deactivate partition",
- "description": "Deactivate a partition",
- "verbose": "Deactivates the system partitions of a machine, which disallows booting from said partition. The subsequent boot of the machine results in using the next option specified in the BIOS to boot from. Often used to netboot for remote reimaging.",
- "type": "contain",
- "identifier": "deactivate_partition",
- "read_only": false,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "contains": [
- "ip",
- "host name"
- ],
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ]
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully deactivated partition"
- ],
- "column_name": "Message",
- "column_order": 0
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "activate partition",
- "description": "Activate a partition",
- "type": "correct",
- "identifier": "activate_partition",
- "read_only": false,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "contains": [
- "ip",
- "host name"
- ],
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ]
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully activated partition"
- ],
- "column_name": "Message",
- "column_order": 0
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "shutdown system",
- "description": "Shutdown a system",
- "type": "generic",
- "identifier": "shutdown_system",
- "read_only": false,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "primary": true,
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "name": "ip_hostname"
- },
- "comment": {
- "description": "Comment to show to users",
- "data_type": "string",
- "order": 1,
- "name": "comment"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.comment",
- "data_type": "string",
- "example_values": [
- "Test shutdown"
- ]
- },
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "contains": [
- "ip",
- "host name"
- ],
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ]
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully initiated system shutdown"
- ],
- "column_name": "Message",
- "column_order": 0
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "restart system",
- "description": "Restart a system",
- "type": "generic",
- "identifier": "restart_system",
- "read_only": false,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "primary": true,
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "name": "ip_hostname"
- },
- "comment": {
- "description": "Comment to show to users",
- "data_type": "string",
- "order": 1,
- "name": "comment"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.comment",
- "data_type": "string",
- "example_values": [
- "Test restart"
- ]
- },
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "contains": [
- "ip",
- "host name"
- ],
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ]
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully initiated system restart"
- ],
- "column_name": "Message",
- "column_order": 0
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "list policies",
- "description": "List AppLocker Policies",
- "type": "investigate",
- "identifier": "list_applocker_policies",
- "read_only": true,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- },
- "location": {
- "description": "Which policies to list",
- "data_type": "string",
- "required": true,
- "order": 1,
- "value_list": [
- "local",
- "domain",
- "effective"
- ],
- "name": "location"
- },
- "ldap": {
- "description": "LDAP Server. Will only have an effect if 'location' is set to 'domain'",
- "data_type": "string",
- "order": 2,
- "name": "ldap"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ],
- "contains": [
- "ip",
- "host name"
- ]
- },
- {
- "data_path": "action_result.parameter.ldap",
- "data_type": "string",
- "example_values": [
- "LDAP://8.8.8.8/CN={31b2f340-016d-11d2-945f-00c04fb984f9},CN=Policies,CN=System,DC=domain,DC=local"
- ]
- },
- {
- "data_path": "action_result.parameter.location",
- "data_type": "string",
- "example_values": [
- "local"
- ]
- },
- {
- "data_path": "action_result.data.*.Conditions.FilePublisherCondition.@BinaryName",
- "data_type": "string",
- "example_values": [
- "*"
- ]
- },
- {
- "data_path": "action_result.data.*.Conditions.FilePublisherCondition.@ProductName",
- "data_type": "string",
- "example_values": [
- "*"
- ]
- },
- {
- "data_path": "action_result.data.*.Conditions.FilePublisherCondition.@PublisherName",
- "data_type": "string",
- "example_values": [
- "*"
- ]
- },
- {
- "data_path": "action_result.data.*.Conditions.FilePublisherCondition.BinaryVersionRange.@HighSection",
- "data_type": "string",
- "example_values": [
- "*"
- ]
- },
- {
- "data_path": "action_result.data.*.Conditions.FilePublisherCondition.BinaryVersionRange.@LowSection",
- "data_type": "string",
- "example_values": [
- "8.8.8.8"
- ],
- "contains": [
- "ip"
- ]
- },
- {
- "data_path": "action_result.data.*.action",
- "data_type": "string",
- "example_values": [
- "Allow"
- ],
- "column_name": "Action",
- "column_order": 3
- },
- {
- "data_path": "action_result.data.*.description",
- "data_type": "string",
- "example_values": [
- "Allows members of the Everyone group to run packaged apps that are signed."
- ],
- "column_name": "Description",
- "column_order": 1
- },
- {
- "data_path": "action_result.data.*.enforcement_mode",
- "data_type": "string",
- "example_values": [
- "NotConfigured"
- ]
- },
- {
- "data_path": "action_result.data.*.file_path_condition",
- "data_type": "string",
- "example_values": [
- "%SYSTEM32%\\NOTEPAD.EXE"
- ],
- "contains": [
- "file path"
- ],
- "column_name": "File Path Condition",
- "column_order": 2
- },
- {
- "data_path": "action_result.data.*.id",
- "data_type": "string",
- "example_values": [
- "a9e18c21-ff8f-43cf-b9fc-db40eed693ba"
- ],
- "contains": [
- "windows applocker policy id"
- ],
- "column_name": "ID",
- "column_order": 4
- },
- {
- "data_path": "action_result.data.*.name",
- "data_type": "string",
- "example_values": [
- "(Default Rule) All signed packaged apps"
- ],
- "column_name": "Name",
- "column_order": 0
- },
- {
- "data_path": "action_result.data.*.type",
- "data_type": "string",
- "example_values": [
- "Appx"
- ],
- "column_name": "Type",
- "column_order": 6
- },
- {
- "data_path": "action_result.data.*.user_or_group_sid",
- "data_type": "string",
- "contains": [
- "winrm user or group sid"
- ],
- "example_values": [
- "S-1-1-0"
- ],
- "column_name": "User Or Group SID",
- "column_order": 5
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully listed AppLocker Policies"
- ]
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "block file path",
- "description": "Create a new AppLocker policy to block a file path",
- "verbose": "By default, this policy will apply to the \"Everyone\" group. You can specify the user with either a variety of formats, which are documented here. By specifying LDAP, it will apply that policy to that GPO, as opposed to just the local machine. By default, Windows does not have the service required service running for AppLocker policies to be enforced. The Application Identity service must be running for AppLocker to enforce its policies.",
- "type": "generic",
- "identifier": "create_applocker_policy",
- "read_only": false,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- },
- "deny_allow": {
- "description": "Set this rule to allow or deny",
- "data_type": "string",
- "required": true,
- "order": 1,
- "value_list": [
- "deny",
- "allow"
- ],
- "name": "deny_allow"
- },
- "file_path": {
- "description": "File path to set rule to. Allows wildcards (i.e. C:\\Windows\\System32\\*.exe)",
- "data_type": "string",
- "required": true,
- "primary": true,
- "order": 2,
- "contains": [
- "file path"
- ],
- "name": "file_path"
- },
- "user": {
- "description": "User or group to apply rule to",
- "data_type": "string",
- "order": 3,
- "contains": [
- "winrm user or group sid"
- ],
- "primary": true,
- "name": "user"
- },
- "rule_name_prefix": {
- "description": "Prefix for new rule name",
- "data_type": "string",
- "order": 4,
- "name": "rule_name_prefix"
- },
- "ldap": {
- "description": "LDAP Server",
- "data_type": "string",
- "order": 5,
- "name": "ldap"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.deny_allow",
- "data_type": "string",
- "example_values": [
- "allow",
- "deny"
- ]
- },
- {
- "data_path": "action_result.parameter.file_path",
- "data_type": "string",
- "contains": [
- "file path"
- ],
- "example_values": [
- "C:\\Windows\\System32\\notepad.exe"
- ]
- },
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ],
- "contains": [
- "ip",
- "host name"
- ]
- },
- {
- "data_path": "action_result.parameter.ldap",
- "data_type": "string",
- "example_values": [
- "LDAP://8.8.8.8/CN={31b2f340-016d-11d2-945f-00c04fb984f9},CN=Policies,CN=System,DC=domain,DC=local"
- ]
- },
- {
- "data_path": "action_result.parameter.rule_name_prefix",
- "data_type": "string",
- "example_values": [
- "test"
- ]
- },
- {
- "data_path": "action_result.parameter.user",
- "data_type": "string",
- "contains": [
- "winrm user or group sid"
- ],
- "example_values": [
- "Administrator"
- ]
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully created AppLocker policy"
- ],
- "column_name": "Message",
- "column_order": 0
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "delete policy",
- "description": "Delete an AppLocker policy",
- "type": "generic",
- "identifier": "delete_applocker_policy",
- "read_only": false,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- },
- "applocker_policy_id": {
- "description": "ID of policy to delete",
- "data_type": "string",
- "required": true,
- "primary": true,
- "order": 1,
- "contains": [
- "windows applocker policy id"
- ],
- "name": "applocker_policy_id"
- },
- "ldap": {
- "description": "LDAP Server",
- "data_type": "string",
- "order": 2,
- "name": "ldap"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.applocker_policy_id",
- "data_type": "string",
- "example_values": [
- "084ab400-83b8-432d-8dc2-f180fbe301ca"
- ],
- "contains": [
- "windows applocker policy id"
- ]
- },
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ],
- "contains": [
- "ip",
- "host name"
- ]
- },
- {
- "data_path": "action_result.parameter.ldap",
- "data_type": "string",
- "example_values": [
- "LDAP://8.8.8.8/CN={31b2f340-016d-11d2-945f-00c04fb984f9},CN=Policies,CN=System,DC=domain,DC=local"
- ]
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully deleted AppLocker Policy"
- ],
- "column_name": "Message",
- "column_order": 0
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "get file",
- "description": "Copy a file from the Windows Endpoint to the Vault",
- "type": "investigate",
- "identifier": "get_file",
- "read_only": true,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- },
- "file_path": {
- "description": "Path to file",
- "data_type": "string",
- "required": true,
- "order": 1,
- "primary": true,
- "contains": [
- "file path"
- ],
- "name": "file_path"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.file_path",
- "data_type": "string",
- "example_values": [
- "C:\\Users\\administrator.CORP\\logo.jpg",
- "C:\\Users\\Administrator\\Desktop\\c.txt"
- ],
- "contains": [
- "file path"
- ],
- "column_name": "File Path",
- "column_order": 1
- },
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ],
- "contains": [
- "ip",
- "host name"
- ],
- "column_name": "IP/Hostname",
- "column_order": 2
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully retrieved file and added it to the Vault"
- ]
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "action_result.summary.vault_id",
- "data_type": "string",
- "example_values": [
- "8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56"
- ],
- "contains": [
- "sha1",
- "vault id"
- ],
- "column_name": "New Vault ID",
- "column_order": 0
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "upload file",
- "description": "Copy a file from the vault to the Windows Endpoint",
- "type": "generic",
- "identifier": "send_file",
- "read_only": false,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- },
- "vault_id": {
- "description": "Vault ID of file",
- "data_type": "string",
- "required": true,
- "order": 1,
- "primary": true,
- "contains": [
- "vault id"
- ],
- "name": "vault_id"
- },
- "destination": {
- "description": "Path to copy file to",
- "data_type": "string",
- "required": true,
- "order": 2,
- "contains": [
- "file path"
- ],
- "primary": true,
- "name": "destination"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.destination",
- "data_type": "string",
- "example_values": [
- "C:\\Users\\administrator.CORP\\Desktop\\aasdf.txt"
- ],
- "contains": [
- "file path"
- ],
- "column_name": "Destination",
- "column_order": 2
- },
- {
- "data_path": "action_result.parameter.ip_hostname",
- "data_type": "string",
- "example_values": [
- "8.8.8.8",
- "8.8.8.8\\testphantom.local"
- ],
- "contains": [
- "ip",
- "host name"
- ],
- "column_name": "IP/Hostname",
- "column_order": 3
- },
- {
- "data_path": "action_result.parameter.vault_id",
- "data_type": "string",
- "example_values": [
- "8afa5c86de9ea94ecfe5b4c0837d2543d0b20b56"
- ],
- "contains": [
- "vault id"
- ],
- "column_name": "Vault ID",
- "column_order": 1
- },
- {
- "data_path": "action_result.data",
- "data_type": "string"
- },
- {
- "data_path": "action_result.status",
- "data_type": "string",
- "example_values": [
- "success",
- "failed"
- ]
- },
- {
- "data_path": "action_result.message",
- "data_type": "string",
- "example_values": [
- "Successfully sent file"
- ],
- "column_name": "Message",
- "column_order": 0
- },
- {
- "data_path": "action_result.summary",
- "data_type": "string"
- },
- {
- "data_path": "summary.total_objects",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- },
- {
- "data_path": "summary.total_objects_successful",
- "data_type": "numeric",
- "example_values": [
- 1
- ]
- }
- ],
- "render": {
- "type": "table"
- },
- "versions": "EQ(*)"
- },
- {
- "action": "copy file",
- "description": "Run the copy command on the Windows Endpoint",
- "verbose": "For best results, both the from and to parameters should be absolute paths to their respective locations.",
- "type": "generic",
- "identifier": "copy_file",
- "read_only": false,
- "parameters": {
- "ip_hostname": {
- "description": "IP/Hostname",
- "data_type": "string",
- "order": 0,
- "contains": [
- "ip",
- "host name"
- ],
- "primary": true,
- "name": "ip_hostname"
- },
- "from": {
- "description": "File source (path)",
- "data_type": "string",
- "required": true,
- "primary": true,
- "order": 1,
- "contains": [
- "file path"
- ],
- "name": "from"
- },
- "to": {
- "description": "File destination (path)",
- "data_type": "string",
- "required": true,
- "order": 2,
- "contains": [
- "file path"
- ],
- "primary": true,
- "name": "to"
- }
- },
- "output": [
- {
- "data_path": "action_result.parameter.from",
- "data_type": "string",
- "example_values": [
- "C:\\Windows\\System32\\notepad.exe"
- ],
- "contains": [
- "file path"
- ],
- "column_name": "From",
- "column_order": 1
- },
- {
"data_path": "action_result.parameter.ip_hostname", - "data_type": "string", - "example_values": [ - "8.8.8.8", - "8.8.8.8\\testphantom.local" - ], - "contains": [ - "ip", - "host name" - ], - "column_name": "IP/Hostname", - "column_order": 3 - }, - { - "data_path": "action_result.parameter.to", - "data_type": "string", - "example_values": [ - "C:\\Windows\\System32\\notepad_copy.exe" - ], - "contains": [ - "file path" - ], - "column_name": "To", - "column_order": 2 - }, - { - "data_path": "action_result.data", - "data_type": "string" - }, - { - "data_path": "action_result.status", - "data_type": "string", - "example_values": [ - "success", - "failed" - ] - }, - { - "data_path": "action_result.message", - "data_type": "string", - "example_values": [ - "Successfully copied files" - ], - "column_name": "Message", - "column_order": 0 - }, - { - "data_path": "action_result.summary", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric", - "example_values": [ - 1 - ] - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric", - "example_values": [ - 1 - ] - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - }, - { - "action": "delete file", - "identifier": "delete_file", - "description": "Run the delete command on the Windows Endpoint", - "verbose": "For best results, the file path parameter should be an absolute path to a location.", - "type": "generic", - "read_only": false, - "parameters": { - "ip_hostname": { - "description": "IP/Hostname", - "data_type": "string", - "required": false, - "primary": true, - "contains": [ - "ip", - "host name" - ], - "value_list": [], - "default": "", - "order": 0, - "name": "ip_hostname", - "id": 1, - "param_name": "ip_hostname" - }, - "file_path": { - "description": "Path to file / directory", - "data_type": "string", - "required": true, - "primary": true, - "contains": [ - "file path" - ], - "value_list": [], - "default": "", - "order": 1, - 
"name": "file_path", - "id": 2, - "param_name": "file_path" - }, - "force": { - "description": "Use the force flag for delete", - "data_type": "boolean", - "required": false, - "primary": false, - "contains": [], - "default": false, - "order": 2, - "name": "force", - "id": 3, - "param_name": "force" - }, - "recurse": { - "description": "Use the recurse flag to delete directory content recursively", - "data_type": "boolean", - "required": false, - "primary": false, - "contains": [], - "default": "", - "order": 3, - "name": "recurse", - "id": 4, - "param_name": "recurse" - } - }, - "output": [ - { - "data_path": "action_result.parameter.ip_hostname", - "data_type": "string", - "contains": [ - "ip", - "host name" - ], - "column_name": "ip_hostname", - "column_order": 0 - }, - { - "data_path": "action_result.parameter.file_path", - "data_type": "string", - "contains": [ - "file path" - ], - "column_name": "file_path", - "column_order": 1 - }, - { - "data_path": "action_result.parameter.force", - "data_type": "boolean", - "contains": [], - "column_name": "force", - "column_order": 2 - }, - { - "data_path": "action_result.parameter.recurse", - "data_type": "boolean", - "contains": [], - "column_name": "recurse", - "column_order": 3 - }, - { - "data_path": "action_result.status", - "data_type": "string", - "column_name": "status", - "column_order": 4 - }, - { - "data_path": "action_result.message", - "data_type": "string" - }, - { - "data_path": "summary.total_objects", - "data_type": "numeric" - }, - { - "data_path": "summary.total_objects_successful", - "data_type": "numeric" - } - ], - "render": { - "type": "table" - }, - "versions": "EQ(*)" - } - ], - "pip39_dependencies": { - "wheel": [ - { - "module": "beautifulsoup4", - "input_file": "wheels/py3/beautifulsoup4-4.9.1-py3-none-any.whl" - }, - { - "module": "certifi", - "input_file": "wheels/py3/certifi-2023.7.22-py3-none-any.whl" - }, - { - "module": "cffi", - "input_file": 
"wheels/py39/cffi-1.16.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" - }, - { - "module": "charset_normalizer", - "input_file": "wheels/py39/charset_normalizer-3.3.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" - }, - { - "module": "cryptography", - "input_file": "wheels/py3/cryptography-41.0.5-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl" - }, - { - "module": "idna", - "input_file": "wheels/py3/idna-3.4-py3-none-any.whl" - }, - { - "module": "pycparser", - "input_file": "wheels/shared/pycparser-2.21-py2.py3-none-any.whl" - }, - { - "module": "pyspnego", - "input_file": "wheels/py3/pyspnego-0.10.2-py3-none-any.whl" - }, - { - "module": "pywinrm", - "input_file": "wheels/shared/pywinrm-0.4.3-py2.py3-none-any.whl" - }, - { - "module": "requests_ntlm", - "input_file": "wheels/py3/requests_ntlm-1.2.0-py3-none-any.whl" - }, - { - "module": "six", - "input_file": "wheels/shared/six-1.16.0-py2.py3-none-any.whl" - }, - { - "module": "soupsieve", - "input_file": "wheels/py3/soupsieve-2.5-py3-none-any.whl" - }, - { - "module": "urllib3", - "input_file": "wheels/py3/urllib3-2.0.7-py3-none-any.whl" - }, - { - "module": "xmltodict", - "input_file": "wheels/shared/xmltodict-0.13.0-py2.py3-none-any.whl" - } - ] - }, - "copied_from_id": 19, - "copied_from_version": "2.2.6", - "directory": "cyberwindowsremotemanagement_024da1a3-b64f-4974-b841-051b4d3c993d", - "version": 1, - "appname": "-", - "executable": "spawn3", - "disabled": false, - "custom_made": true -} \ No newline at end of file