Check if a given SHA256 has been executed in an AMP for Endpoints environment
CiscoSecurity/amp-04-check-sha256-execution
AMP for Endpoints check SHA256 for execution:

Takes a SHA256 as input and queries the environment for GUIDs that have seen the file. Then queries the trajectory of each GUID to verify the endpoint has executed the file. If a SHA256 is not provided as a command line argument, the script will prompt for one.

Before using the script, you must update the following values in it:

  • client_id
  • api_key

Usage:

python check_for_execution.py

or

python check_for_execution.py db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

Example script output:

Computers that have seen the file: 15

Hosts observed executing the file:
14dcfce3-9663-434d-9beb-c8836de035ce - Demo_AMP_Intel
  File: cmd.exe
  Path: /c:/windows/system32/cmd.exe

43ea5bb6-a4ec-48fa-876c-59cc304fda17 - Demo_AMP
  File: cmd.exe
  Path: /c:/windows/system32/cmd.exe
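As an added example (not the repository's own script), the core logic described above: validate the SHA256 before it goes into a query, list the GUIDs that have seen the file, then keep only the GUIDs whose trajectory contains an execution event for that exact hash. The response shapes and the two API paths named in the comments are assumptions, and the sample responses are constructed so the block runs offline.

```python
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)

def is_sha256(value):
    """Validate the input before it is placed in an API query string."""
    return bool(SHA256_RE.fullmatch(value.strip()))

def executions_in_trajectory(trajectory, sha256):
    """File name/path for every 'Executed by' event matching this hash (a GUID
    can be in the activity result because the file was merely created there)."""
    hits = []
    for ev in trajectory.get("data", {}).get("events", []):
        f = ev.get("file") or {}
        if (ev.get("event_type", "").startswith("Executed")
                and f.get("identity", {}).get("sha256", "").lower() == sha256.lower()):
            hits.append({"file": f.get("file_name"), "path": f.get("file_path")})
    return hits

def check_for_execution(sha256, activity, trajectories):
    """activity: /computers/activity?q=<sha256> response; trajectories: GUID -> trajectory response."""
    if not is_sha256(sha256):
        raise ValueError("expected a 64-character hex SHA256")
    seen = [(c["connector_guid"], c["hostname"]) for c in activity.get("data", [])]
    executed = []
    for guid, host in seen:
        for hit in executions_in_trajectory(trajectories.get(guid, {}), sha256):
            executed.append({"guid": guid, "hostname": host, **hit})
    return len(seen), executed

# Constructed sample responses; in a live run each dict would come from
# requests.get(url, auth=(client_id, api_key)).json() (shapes are assumptions).
SHA = "db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386"
ACTIVITY = {"data": [
    {"connector_guid": "14dcfce3-9663-434d-9beb-c8836de035ce", "hostname": "Demo_AMP_Intel"},
    {"connector_guid": "aaaaaaaa-0000-0000-0000-000000000001", "hostname": "Demo_Seen_Only"},
]}
def _event(kind, sha):
    return {"event_type": kind, "file": {"file_name": "cmd.exe",
            "file_path": "/c:/windows/system32/cmd.exe", "identity": {"sha256": sha}}}
TRAJECTORIES = {
    "14dcfce3-9663-434d-9beb-c8836de035ce": {"data": {"events": [_event("Executed by", SHA)]}},
    "aaaaaaaa-0000-0000-0000-000000000001": {"data": {"events": [
        _event("Created by", SHA), _event("Executed by", "ff" * 32)]}},  # seen, never executed
}

if __name__ == "__main__":
    total, runs = check_for_execution(SHA, ACTIVITY, TRAJECTORIES)
    print(f"Computers that have seen the file: {total}")
    for r in runs:
        print(f"{r['guid']} - {r['hostname']}\n  File: {r['file']}\n  Path: {r['path']}")
```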
