jan-tee / tietzeio.cyshell

A Powershell module to interface with Cylance APIs

License: Other

PowerShell 10.69% C# 89.31%

tietzeio.cyshell's Issues

New-CylanceZone Criticality Broken

New-CylanceZone -Name 'Whatever' -Policy $policy -Criticality (High|Medium|Low)

  • This command fails. If you remove the criticality parameter, everything works fine.

CyShell: Not all Memory Violation Types can be set

Not all memory violations can be set via CyShell. The missing types are:

RAM Scraping
Malicious Payload
DYLD Injection (macOS and Linux only)
Zero Allocate

How to reproduce:

connect-cylance goatnet
$p = New-CylancePolicy -Name somenewtest
$p.memoryviolation_actions.memory_violations

violation_type            action
--------------            ------
lsassread                 Alert
outofprocessunmapmemory   Alert
stackpivot                Alert
stackprotect              Alert
outofprocessoverwritecode Alert
outofprocesscreatethread  Alert
overwritecode             Alert
outofprocesswritepe       Alert
outofprocessallocation    Alert
outofprocessmap           Alert
outofprocesswrite         Alert
outofprocessapc           Alert

foreach ($a in $p.memoryviolation_actions.memory_violations) {
    $a.action = "Block"
}

$p.memoryviolation_actions.memory_violations

violation_type            action
--------------            ------
lsassread                 Block
outofprocessunmapmemory   Block
stackpivot                Block
stackprotect              Block
outofprocessoverwritecode Block
outofprocesscreatethread  Block
overwritecode             Block
outofprocesswritepe       Block
outofprocessallocation    Block
outofprocessmap           Block
outofprocesswrite         Block
outofprocessapc           Block

Update-CylancePolicy -Policy $p

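A coverage check to run before Update-CylancePolicy, added here as an example; it is not code from the CyShell module or from the issue. It operates on a policy object shaped like the one printed above (memory_violations entries with violation_type and action). The four identifiers for the missing types are assumptions derived from the display names in the issue; the API-side names may differ.

```powershell
# Added example, not part of tietzeio.cyshell. Sets every listed memory violation to
# the requested action and reports which required violation types the policy lacks,
# so the gap described in the issue is visible before the policy is pushed.
function Test-MemoryViolationCoverage {
    param(
        [Parameter(Mandatory)] $Policy,
        [string[]] $RequiredTypes = @(
            'lsassread', 'stackpivot', 'stackprotect', 'overwritecode',
            # Assumed identifiers for the types the issue says are missing
            'ramscraping', 'maliciouspayload', 'dyldinjection', 'zeroallocate'
        ),
        [string] $Action = 'Block'
    )
    $present = @{}
    foreach ($v in $Policy.memoryviolation_actions.memory_violations) {
        $v.action = $Action                       # same mutation as the issue's foreach loop
        $present[$v.violation_type.ToLower()] = $true
    }
    $missing = @($RequiredTypes | Where-Object { -not $present.ContainsKey($_.ToLower()) })
    [pscustomobject]@{
        Configured = @($present.Keys | Sort-Object)
        Missing    = $missing
        Complete   = ($missing.Count -eq 0)
    }
}

# Constructed sample policy mirroring the issue's output; no API connection needed.
$sample = [pscustomobject]@{
    memoryviolation_actions = [pscustomobject]@{
        memory_violations = @(
            [pscustomobject]@{ violation_type = 'lsassread';     action = 'Alert' }
            [pscustomobject]@{ violation_type = 'stackpivot';    action = 'Alert' }
            [pscustomobject]@{ violation_type = 'stackprotect';  action = 'Alert' }
            [pscustomobject]@{ violation_type = 'overwritecode'; action = 'Alert' }
        )
    }
}

$report = Test-MemoryViolationCoverage -Policy $sample
if (-not $report.Complete) {
    Write-Warning ("Policy lacks memory violation types: {0}" -f ($report.Missing -join ', '))
}
# Push the policy only once the reported gap is known and accepted:
# Update-CylancePolicy -Policy $sample
```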

Filtering Detections does not work

How to reproduce:

$a = get-cylancedetections

$a[44]

id                : e4d0856b-36ca-4955-89a7-dd4e42ee3d69
PhoneticId        : E4D0-856B
Status            : New
Severity          : High
Device            : W********40L
DetectionRuleName : Cylance Security Masquerader
OccurrenceTime    : 7/1/2019 12:46:32 PM
ReceivedTime      : 7/1/2019 12:46:30 PM
$a | ?{$_.DetectionRuleName -eq " Cylance Security Masquerader"}
<no output>

Expected filtered output

@jan-tee now readable

Change the Status by Detection Type

How do we change the status of a detection by detection rule name and command line?
The below command is not working, any help is much appreciated.

Get-CylanceDetections | where DetectionRuleName -like "SVC*" | Get-CylanceDetection | Get-CylanceArtifact | where commandline -like "msmpeng" | Update-CyDetection -Status 'False Positive'

Error:

Invoke-RestMethod : {"status":"CLIENT_ERROR","message":"None is not of type 'string'"}
At C:\Program Files\WindowsPowerShell\Modules\CyCLI\0.9.7\CyAPI.ps1:548 char:9
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

Sync-CylanceCache does not work if the API token is missing access

I received a 403 Forbidden error when running Sync-CylanceCache. After troubleshooting, I determined the token I was using did not have access to OPTICS rules, thus the sync was failing to complete. Once I gave the token access, the cache synced perfectly.

Should the cmdlet skip what you don't have access to, or allow you to choose which caches you would like to download?

No Zone Information

When we run Get-CylanceDevices | Get-CylanceDevice | Export-Csv 'C:\data.csv', I do not see zone information.

I need this info to filter out the devices in certain zones.

Any suggestions?

Get-CylanceDetectionRule throws error on certain rules

Get-CylanceDetectionRule throws the following error on two of the rules in Optics:
Network Share Connection Removal (MITRE)
Bash History Modification (MITRE)

Error:

Get-CylanceDetectionRule : Error reading string. Unexpected token: StartArray. Path 'Operands[0].Data', line 1, position 579.
At /Users/tfigueroa/OneDrive - Cylance/ps_scripts/dl_all_rules_to_json.ps1:9 char:12
+     $xxx | Get-CylanceDetectionRule
+            ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Get-CylanceDetectionRule], JsonReaderException
+ FullyQualifiedErrorId : Newtonsoft.Json.JsonReaderException,TietzeIO.CyShell.Cmdlets.DetectionRule.GetCylanceDetectionRule
