#!/bin/bash
# Path: cloud-storage-protection/.functions.sh
# Helper functions for the CrowdStrike Falcon GCP Bucket Protection demo
all_done(){
  # Print the "ALL DONE" banner shown once the demo environment is ready.
  # $LB and $NC are expected to hold terminal colour escape sequences
  # (defined by whatever sources this file); they are expanded with %b,
  # the printf equivalent of `echo -e`, and bracket the banner on stdout.
  local -a banner=(
    '╭━━━┳╮╱╱╭╮╱╱╱╭━━━┳━━━┳━╮╱╭┳━━━╮'
    '┃╭━╮┃┃╱╱┃┃╱╱╱╰╮╭╮┃╭━╮┃┃╰╮┃┃╭━━╯'
    '┃┃╱┃┃┃╱╱┃┃╱╱╱╱┃┃┃┃┃╱┃┃╭╮╰╯┃╰━━╮'
    '┃╰━╯┃┃╱╭┫┃╱╭╮╱┃┃┃┃┃╱┃┃┃╰╮┃┃╭━━╯'
    '┃╭━╮┃╰━╯┃╰━╯┃╭╯╰╯┃╰━╯┃┃╱┃┃┃╰━━╮'
    '╰╯╱╰┻━━━┻━━━╯╰━━━┻━━━┻╯╱╰━┻━━━╯'
  )
  printf '%b\n' "$LB"
  printf '%s\n' "${banner[@]}"
  printf '%b\n' "$NC"
}
env_destroyed(){
  # Print the "DESTROYED" banner after the demo environment is torn down.
  # $RD and $NC are expected to hold terminal colour escape sequences
  # (defined by whatever sources this file); %b expands them the same way
  # `echo -e` would, and they bracket the banner on stdout.
  local -a banner=(
    '╭━━━┳━━━┳━━━┳━━━━┳━━━┳━━━┳╮╱╱╭┳━━━┳━━━╮'
    '╰╮╭╮┃╭━━┫╭━╮┃╭╮╭╮┃╭━╮┃╭━╮┃╰╮╭╯┃╭━━┻╮╭╮┃'
    '╱┃┃┃┃╰━━┫╰━━╋╯┃┃╰┫╰━╯┃┃╱┃┣╮╰╯╭┫╰━━╮┃┃┃┃'
    '╱┃┃┃┃╭━━┻━━╮┃╱┃┃╱┃╭╮╭┫┃╱┃┃╰╮╭╯┃╭━━╯┃┃┃┃'
    '╭╯╰╯┃╰━━┫╰━╯┃╱┃┃╱┃┃┃╰┫╰━╯┃╱┃┃╱┃╰━━┳╯╰╯┃'
    '╰━━━┻━━━┻━━━╯╱╰╯╱╰╯╰━┻━━━╯╱╰╯╱╰━━━┻━━━╯'
  )
  printf '%b\n' "$RD"
  printf '%s\n' "${banner[@]}"
  printf '%b\n' "$NC"
}
# GCP Project ID
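gcp_get_project_id() {
  # Print the active GCP project ID on stdout.
  #
  # If gcloud has no project configured, the projects visible to the
  # current credentials are listed: exactly one is selected automatically;
  # zero or several abort with guidance. All guidance goes to stderr so a
  # caller doing `$(gcp_get_project_id)` never captures it as the ID.
  # Exits the shell with status 1 on failure (same contract as die()).
  local active_project project_ids project_count
  active_project=$(gcloud config get-value project 2> /dev/null)
  if [[ -z "$active_project" ]]; then
    # `value(projectId)` prints one bare ID per line, so jq is not needed.
    project_ids=$(gcloud projects list --format 'value(projectId)') \
      || { echo "Error: unable to list GCP projects (check gcloud authentication)." >&2; exit 1; }
    # Count non-empty lines; awk always exits 0 so this is safe under set -e.
    project_count=$(printf '%s\n' "$project_ids" | awk 'NF { n++ } END { print n + 0 }')
    if (( project_count == 1 )); then
      gcloud config set project "$project_ids" || exit 1
    elif (( project_count == 0 )); then
      # The original fell through to the "multiple projects" message here.
      echo "No GCP projects are visible to this account. Create one or check your gcloud credentials before re-trying" >&2
      exit 1
    else
      gcloud projects list >&2
      echo "Multiple pre-existing GCP projects found. Please select project using the following command before re-trying" >&2
      echo "  gcloud config set project VALUE" >&2
      exit 1
    fi
    active_project=$(gcloud config get-value project 2> /dev/null)
  fi
  printf '%s\n' "$active_project"
}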
### API FALCON CLOUD LOGIC ###
cs_cloud() {
  # Resolve the Falcon cloud short name held in the global $cs_falcon_cloud
  # to the matching API hostname and print it on stdout.
  # Any value outside the four known clouds aborts via die().
  local api_host
  case "${cs_falcon_cloud}" in
    us-1)     api_host="api.crowdstrike.com" ;;
    us-2)     api_host="api.us-2.crowdstrike.com" ;;
    eu-1)     api_host="api.eu-1.crowdstrike.com" ;;
    us-gov-1) api_host="api.laggar.gcw.crowdstrike.com" ;;
    *)        die "Unrecognized Falcon Cloud: ${cs_falcon_cloud}" ;;
  esac
  printf '%s\n' "$api_host"
}
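json_value() {
  # Extract the value of a key from JSON read on stdin.
  #
  # This is a deliberately small helper for flat responses such as the OAuth
  # token reply; it is not a real JSON parser and truncates values that
  # contain ',', ':' or '}'.
  #   $1 - key name, matched literally (it is passed to awk as data, not
  #        spliced into the program, so it can't inject awk code or be
  #        misread as a regex as the original `/'"$KEY"'\042/` was)
  #   $2 - optional 1-based index of the occurrence to print; when omitted
  #        every occurrence is printed, one per line
  # Returns 2 without reading stdin when $2 is not a positive integer,
  # because $2 is spliced into a sed script and must not carry commands.
  local key=$1
  local num=${2:-}
  if [[ -n "$num" && ! "$num" =~ ^[1-9][0-9]*$ ]]; then
    printf 'json_value: occurrence index must be a positive integer, got %s\n' "$num" >&2
    return 2
  fi
  # NOTE: awk applies backslash escapes to -v values; keys here are plain
  # identifiers such as access_token, which are unaffected.
  awk -F'[,:}]' -v key="$key" '
    { for (i = 1; i <= NF; i++) if (index($i, key "\"") > 0) print $(i + 1) }
  ' | tr -d '"' | sed -n "${num}p"
}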
die() {
  # Report a fatal error and exit the shell with status 1.
  # The message ("Error: " + all arguments joined by a space) goes to
  # stderr; the $RD / $NC colour sequences around it go to stdout, so a
  # `$(...)` caller captures only the colour codes, not the message.
  printf '%b\n' "$RD"
  printf 'Error: %s\n' "$*" >&2
  printf '%b\n' "$NC"
  exit 1
}
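cs_verify_auth() {
  # Exchange the Falcon API client credentials ($FID / $FSECRET) for an
  # OAuth2 bearer token.
  #
  # Sets the globals `token_result` (raw JSON response body) and `token`
  # (the access_token), and writes the response headers to the file named
  # by $response_headers, which cs_set_base_url() reads afterwards.
  # Dies on any failure.
  local api_host
  if ! command -v curl > /dev/null 2>&1; then
    die "The 'curl' command is missing. Please install it before continuing. Aborting..."
  fi
  # Fail early with a clear message rather than a confusing 4xx body later.
  [[ -n "${FID:-}" && -n "${FSECRET:-}" ]] \
    || die "FID and FSECRET (Falcon API client ID and secret) must both be set."
  [[ -n "${response_headers:-}" ]] \
    || die "response_headers must name a file to receive the OAuth response headers."
  # cs_cloud() dies inside the $(...) subshell on an unknown region, which
  # would otherwise leave the URL host empty; catch that here.
  api_host=$(cs_cloud) \
    || die "Unable to resolve the Falcon API hostname for cloud '${cs_falcon_cloud:-}'."
  # The credentials are fed through stdin (--data @-) so they never appear
  # in argv / `ps`. --proto-redir pins any redirect followed by -L to https
  # so the POST body can't be resent over plaintext.
  # NOTE(review): the form body is not URL-encoded, so a secret containing
  # '&', '%' or '+' would be mangled — confirm against the character set
  # Falcon uses for client secrets.
  token_result=$(printf 'client_id=%s&client_secret=%s' "$FID" "$FSECRET" | \
    curl -X POST -sS -L --proto '=https' --proto-redir '=https' \
      "https://${api_host}/oauth2/token" \
      -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
      --dump-header "${response_headers}" \
      --data @-)
  token=$(json_value "access_token" <<< "$token_result" | sed -e 's/^ *//' -e 's/ *$//')
  if [[ -z "$token" ]]; then
    die "Unable to obtain CrowdStrike Falcon OAuth Token. Response was $token_result"
  fi
}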
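cs_set_base_url() {
  # Read the X-Cs-Region header that the OAuth endpoint returned (captured
  # by cs_verify_auth() into the file named by $response_headers) and make
  # it the active cloud, so cs_cloud() resolves to the right regional host.
  # Dies when the file or the header is missing.
  local region_hint
  [[ -n "${response_headers:-}" && -r "${response_headers}" ]] \
    || die "Unable to obtain region hint from CrowdStrike Falcon OAuth API, something went wrong."
  # Case-insensitive header match; strip the CR that HTTP header lines
  # carry and tolerate a missing space after the colon (the original's
  # fixed "x-cs-region: " prefix strip would have left the header name in).
  region_hint=$(grep -i '^x-cs-region:' "$response_headers" | head -n 1 \
    | tr -d '\r' | tr '[:upper:]' '[:lower:]' \
    | sed -E 's/^x-cs-region:[[:space:]]*//; s/[[:space:]]+$//')
  if [[ -z "${region_hint}" ]]; then
    die "Unable to obtain region hint from CrowdStrike Falcon OAuth API, something went wrong."
  fi
  # The value comes off the wire; cs_cloud() rejects unknown names, but
  # keep anything odd out of the variable (and later error messages).
  [[ "${region_hint}" =~ ^[a-z0-9-]+$ ]] \
    || die "Unexpected region hint from CrowdStrike Falcon OAuth API: ${region_hint}"
  cs_falcon_cloud="${region_hint}"
}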
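# Escape $1 for use as the replacement text of a sed `s///` command. The
# helper scripts are templated with sed -i below, and a bucket or function
# name containing '/', '&' or '\' would otherwise corrupt the expression
# (the original escaped only '/' and only for some of the values).
_sed_replacement_escape() {
  printf '%s' "$1" | sed -e 's|[/&\\]|\\&|g'
}

# Best-effort download of the benign "unscannable" image samples plus two
# ordinary system binaries into $1. A failed image download is reported on
# stderr but does not abort the setup.
_download_safe_samples() {
  local tests_dir=$1
  wget -q -O "${tests_dir}/unscannable1.png" https://adversary.crowdstrike.com/assets/images/Adversaries_Ocean_Buffalo.png \
    || echo "Warning: failed to download unscannable1.png" >&2
  wget -q -O "${tests_dir}/unscannable2.jpg" https://www.crowdstrike.com/blog/wp-content/uploads/2018/04/April-Adversary-Stardust.jpg \
    || echo "Warning: failed to download unscannable2.jpg" >&2
  sudo cp /usr/bin/whoami "${tests_dir}/safe1.bin"
  sudo cp /usr/sbin/ifconfig "${tests_dir}/safe2.bin"
}

# Fetch one live malware sample from MalwareBazaar and place it at $4.
#   $1 - SHA-256 of the sample (what the bazaar API is asked for)
#   $2 - private scratch directory for the archive and extraction
#   $3 - extension of the file inside the archive (pdf, doc, ...)
#   $4 - destination path
# The archive is password-protected with "infected". After extraction the
# file's SHA-256 is compared with $1, so a swapped, truncated or otherwise
# wrong download is rejected instead of being labelled as the expected
# sample. Dies on any failure.
_fetch_bazaar_sample() {
  local sha256=$1 work_dir=$2 ext=$3 dest=$4
  local archive="${work_dir}/${sha256}.zip" extracted actual
  wget -q -O "$archive" --post-data "query=get_file&sha256_hash=${sha256}" https://mb-api.abuse.ch/api/v1/ \
    || die "Failed to download sample ${sha256} from MalwareBazaar."
  7z x "$archive" -o"${work_dir}" -pinfected > /dev/null \
    || die "Failed to extract sample ${sha256} (is p7zip-full installed?)."
  # Pick the extracted file by extension, as the original *.pdf / *.doc glob did.
  extracted=$(find "$work_dir" -maxdepth 1 -type f -name "*.${ext}" | head -n 1)
  [[ -n "$extracted" ]] || die "No .${ext} file found in the MalwareBazaar archive for ${sha256}."
  actual=$(sha256sum -- "$extracted" | awk '{ print $1 }')
  [[ "$actual" == "$sha256" ]] || die "SHA-256 mismatch for sample ${sha256}: got ${actual}."
  mv -- "$extracted" "$dest"
}

# Install the get-findings / upload / list-bucket helper commands into
# /usr/local/bin, substituting the demo's function name, bucket and test
# directory for the FUNCTION / BUCKET / TESTS_DIR placeholders. The ./bin
# source paths are relative to the current directory, as in the original.
_install_helper_scripts() {
  local bucket=$1 function_name=$2 tests_dir=$3
  local bucket_esc function_esc tests_esc
  bucket_esc=$(_sed_replacement_escape "$bucket")
  function_esc=$(_sed_replacement_escape "$function_name")
  tests_esc=$(_sed_replacement_escape "$tests_dir")
  sudo cp ./bin/get-findings.sh /usr/local/bin/get-findings
  sudo sed -i "s/FUNCTION/${function_esc}/g" /usr/local/bin/get-findings
  sudo cp ./bin/upload.sh /usr/local/bin/upload
  sudo sed -i "s/BUCKET/${bucket_esc}/g" /usr/local/bin/upload
  sudo sed -i "s/TESTS_DIR/${tests_esc}/g" /usr/local/bin/upload
  sudo cp ./bin/list-bucket.sh /usr/local/bin/list-bucket
  sudo sed -i "s/BUCKET/${bucket_esc}/g" /usr/local/bin/list-bucket
  sudo chmod +x /usr/local/bin/get-findings /usr/local/bin/upload /usr/local/bin/list-bucket
}

# Prepare the Cloud Shell session for the demo.
#   $1 - terraform working directory (used with -chdir) that exposes the
#        demo_bucket and demo_function_name outputs
# Reads the global TESTS (directory for the sample files) and the colour
# variables used by all_done(); sets the globals CHDIR, BUCKET and
# FUNCTION_NAME, which the welcome text (and possibly other callers) use.
# NOTICE: this downloads real malware samples into $TESTS — they are
# dangerous anywhere outside the scanning demo.
configure_cloud_shell() {
  CHDIR="$1"
  local sample_dir
  [[ -n "${TESTS:-}" ]] || die "TESTS (directory for the demo sample files) is not set."
  # A failed terraform output used to silently template an empty bucket /
  # function name into the helper scripts.
  BUCKET=$(terraform -chdir="${CHDIR}" output -raw demo_bucket) \
    || die "Unable to read the demo_bucket output from terraform in ${CHDIR}."
  FUNCTION_NAME=$(terraform -chdir="${CHDIR}" output -raw demo_function_name) \
    || die "Unable to read the demo_function_name output from terraform in ${CHDIR}."
  echo -e "\nConfiguring Cloud Shell for demo...\n"
  [[ -d "$TESTS" ]] || mkdir -p -- "$TESTS"
  [[ -d ~/.cloudshell ]] || mkdir ~/.cloudshell
  touch ~/.cloudshell/no-apt-get-warning
  # SAFE EXAMPLES
  echo -e "Downloading safe sample files...\n"
  _download_safe_samples "$TESTS"
  # MALICIOUS EXAMPLES
  echo -e "Malicious file prep...\n"
  sudo apt-get install -y p7zip-full \
    || die "Failed to install p7zip-full, which is needed to extract the samples."
  # Extract into a fresh mode-0700 scratch directory instead of the fixed,
  # predictable /tmp/malicious path the original shared with every user.
  sample_dir=$(mktemp -d) || die "Unable to create a scratch directory for the malware samples."
  echo -e "Downloading malicious sample files...\n"
  # PDF Lazarus https://bazaar.abuse.ch/sample/2b4e8f1927927bdc2f71914ba1f12511d9b6bdbdb2df390e267f54dc4f8919dd/
  _fetch_bazaar_sample 2b4e8f1927927bdc2f71914ba1f12511d9b6bdbdb2df390e267f54dc4f8919dd \
    "$sample_dir" pdf "${TESTS}/malicious1.pdf"
  # DOCX RemcosRAT https://bazaar.abuse.ch/sample/361ed7bfb2e63c069267c87af84ec2d9b165862af126b865e386e2b910f262df/
  _fetch_bazaar_sample 361ed7bfb2e63c069267c87af84ec2d9b165862af126b865e386e2b910f262df \
    "$sample_dir" doc "${TESTS}/malicious2.doc"
  # Only the downloaded archives remain here; remove them so live samples do
  # not linger outside $TESTS. (A die() above exits before this cleanup.)
  rm -rf -- "${sample_dir:?}"
  # Helper scripts
  echo -e "Copying helper functions...\n"
  _install_helper_scripts "$BUCKET" "$FUNCTION_NAME" "$TESTS"
  # Clear screen
  clear
  all_done
  echo -e "Welcome to the CrowdStrike Falcon GCP Bucket Protection demo environment!\n"
  echo -e "The name of your bucket is ${BUCKET}.\n"
  echo -e "There are test files in the ${TESTS} folder. \nUse these to test the cloud-function trigger on bucket uploads. \n\nNOTICE: Files labeled \`malicious\` are DANGEROUS!\n"
  echo -e "Use the command \`upload\` to upload all of the test files to your demo bucket.\n"
  echo -e "You can view the contents of your bucket with the command \`list-bucket\`.\n"
  echo -e "Use the command \`get-findings\` to view all findings for your demo bucket.\n"
}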