AutoResponder is a tool aimed to help people to carry out their Incident Response tasks WITH the help of Carbon Black Response’s awesome capabilities and WITHOUT much bothering IT/System/Network Teams
Module | ✔️ / ❌ |
---|---|
Delete Files | ✔️ |
Delete Registry Values | ✔️ |
Delete Win32 Service Entries | ✔️ |
Delete Scheduled Task Entries | ✔️ |
Detailed Sensor List Export | ✔️ |
Find Files | ✔️ |
Find Registry Values | ✔️ |
Download Files | ✔️ |
Download A list of Win32 Service Entries | ✔️ |
Download A list of Scheduled Task Entries | ✔️ |
Download A list of WMI Entries | ✔️ |
Isolate/Unisolate Sensors | ✔️ |
Kill Running Processes | ✔️ |
Restart Sensors | ✔️ |
Restart Endpoints | ✔️ |
Generate CSV reports | ✔️ |
Scan Collected binaries with THOR APT Scanner | ✔️ |
Delete WMI Entries | ❌ |
Solve the whole case and generate a nice report so we can all have a cold beer | ❌ |
You are a | ✔️ / ❌ |
---|---|
Government agency | ✔️ |
State agency | ✔️ |
Bank | ✔️ |
Public/Private Institution | ✔️ |
Company that has Carbon Black Response installed in the environment as an EDR product | ✔️ |
A company doing Incident Response | ✔️ |
Startup? (Doubt it) | ✔️ |
Person who has no idea what Carbon Black is | ❌ |
For those who aren’t familiar with Carbon Black Response, it is a quite amazing product that delivers a solution to Incident Response cases in its own unique and awesome way. Carbon Black Response has a python API integration which helps people automate their tasks – saving a lot of time. So all you see in this project is just python API magic – nothing more, nothing less.
For the past months there was a lot of Incident Response cases that our team had to deal with. Although we got through it like a champ, I’ve noticed that our team had been struggling to communicate with the customer’s IT/System/Network Teams and when they did a single file search would result in weeks. Because we are Carbon Black’s Incident Response partner and because we heavily use Carbon Black Response in most cases we’re involved, I’ve decided to write a tool to help our team to get very BIG tasks done in a very short time with a minimum amount of help from others.
Fair enough, Now, Imagine a scenario where hundreds of the endpoints have been compromised, the attacker has established persistence on all of them and dropped a ton of files. And what a coincidence that is – whole IT team decided to go on a vacation leaving nobody back at the office to deal with the Incident and Domain Admin wants to file a paper for every key that’s pressed on his keyboard – eleminating your ability to identify and eradicate threats on compromised systems. Good luck! (True story btw)
The code is written in python3 so any version above 3.4 will do fine
git clone
pip3 install -r requirements.txt
To scan the binary repository with THOR you just need to
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…