{ "info": { "author": "Andrew J Krug", "author_email": "andrewkrug@gmail.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 2 - Pre-Alpha", "Intended Audience :: Developers", "License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0)", "Natural Language :: English", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7" ], "description": "=============\nssm-acquire\n=============\n\n\n.. image:: https://img.shields.io/pypi/v/ssm_acquire.svg\n :target: https://pypi.python.org/pypi/ssm_acquire\n\n.. image:: https://readthedocs.org/projects/ssm-acquire/badge/?version=latest\n :target: https://ssm-acquire.readthedocs.io/en/latest/?badge=latest\n :alt: Documentation Status\n\nA python module for orchestrating content acquisitions and analysis via amazon ssm. Note: This is a pre-release.\n\n* Free software: MPL 2.0 License\n* Documentation: https://ssm-acquire.readthedocs.io.\n\nFeatures\n----------\n\n* Acquire memory from a linux instance to an S3 bucket using SSM.\n* Interrogate an instance for top-10 IOCs using OSQuery and save the jsonified output.\n* Analyze a memory sample on a machine using docker.\n* Create a rekall profile using an instance as a build target running the Amazon SSM Agent.\n\n\nUsage\n---------\n\nSample Cli Usage\n^^^^^^^^^^^^^^^^^^^^^^\n::\n\n pip install ssm_acquire\n Usage: ssm_acquire [OPTIONS]\n\n ssm_acquire a rapid evidence preservation tool for Amazon EC2.\n\n Options:\n --instance_id TEXT The instance you would like to operate on.\n --region TEXT The aws region where the instance can be found.\n --build Specify if you would like to build a rekall profile with\n this capture.\n --acquire Use linpmem to acquire a memory sample from the system\n in question.\n --interrogate Use OSQuery binary to preserve top 10 type queries for\n rapid forensics.\n --analyze Use docker and rekall to autoanalyze the memory capture.\n --deploy Create a lambda function with a handler to take events\n from AWS GuardDuty.\n --help Show this message and exit.\n\nGetting Started\n^^^^^^^^^^^^^^^^^^^^^\n\nDeploy Responder Role into AWS Account with the CloudFormation Template: cloudformation/responder_role.yml. (Note: this role requires 2FA to assume) This will create a role with the required permissions to run ssm commands on ec2 instances and an s3 bucket to store the memory assets. You will need the bucket name and the ARN of the role in the next step.\n\nSetup a config file in your home directory. It should be named `.threatresponse.ini` There is a sample config file in conf/settings.ini - it has three required parameters.\n\n* mfa_serial_number: the serial number for your MFA device for assuming the role.\n* asset_bucket: the name of the bucket to store the assets. This was created in step 1.\n* ssm_acquire_role_arn: the ARN of the Responder Role you created in step 1.\n\n``pip install ssm_acquire``\n\nTo acquire memory and build a rekall profile from an instance:\n\n``ssm_acquire --instance_id i-xxxxxxxx --region us-west-2 --build --acquire``\n\nYou can analyze your memory capture right away with:\n\n``ssm_acquire --instance_id i-xxxxxxx --analyze``\n\nThis will analyze the memory dump with the most common rekall plugins: [psaux, pstree, netstat, ifconfig, pidhashtable]\nWhen the analysis is done it will upload the results back to the asset store.\n\n\nCredits\n----------\n\nThis package was created with Cookiecutter_ and the `audreyr/cookiecutter-pypackage`_ project template.\n\n.. _Cookiecutter: https://github.com/audreyr/cookiecutter\n.. _`audreyr/cookiecutter-pypackage`: https://github.com/audreyr/cookiecutter-pypackage\n\n\n\n=========\nHistory\n=========\n\n\n0.1.0 (2018-11-10)\n---------------------\n\n* Initial Commit to Github\n\n\n0.1.0.4 (2018-11-25)\n------------------------\n\n* Publish to warehouse for AWS Re: Invent 2018", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/andrewkrug/ssm_acquire", "keywords": "ssm_acquire", "license": "MIT license", "maintainer": "", "maintainer_email": "", "name": "ssm-acquire", "package_url": "https://pypi.org/project/ssm-acquire/", "platform": "", "project_url": "https://pypi.org/project/ssm-acquire/", "project_urls": { "Homepage": "https://github.com/andrewkrug/ssm_acquire" }, "release_url": "https://pypi.org/project/ssm-acquire/0.1.0.5/", "requires_dist": null, "requires_python": "", "summary": "A python module for orchestrating content acquisitions and light analysis via amazon ssm.", "version": "0.1.0.5" }, "last_serial": 5640614, "releases": { "0.1.0.4": [ { "comment_text": "", "digests": { "md5": "1d3a1f6e6ea76f204e837a1c550d32b7", "sha256": "3a0bf0ad8a5675f7137f3d3f999fc7761fc61ae6bf5a67a5910d527721a22ee7" }, "downloads": -1, "filename": "ssm_acquire-0.1.0.4-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "1d3a1f6e6ea76f204e837a1c550d32b7", "packagetype": "bdist_wheel", "python_version": "py2.py3", "requires_python": null, "size": 18221, "upload_time": "2018-11-25T23:11:10", "url": "https://files.pythonhosted.org/packages/f2/8f/93d76b6e8d38e226e2ea341fab6fc0bb06fff7f4047cccfcd42e95584200/ssm_acquire-0.1.0.4-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "fe2196eee886a39bc1d3dc2538bdcd68", "sha256": "fe12732f2a04600174daa4d7b620a65ca6883e92d09043beafbf2a1d3884514b" }, "downloads": -1, "filename": "ssm_acquire-0.1.0.4.tar.gz", "has_sig": false, "md5_digest": "fe2196eee886a39bc1d3dc2538bdcd68", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 21694, "upload_time": "2018-11-25T23:11:12", "url": "https://files.pythonhosted.org/packages/9f/26/96e0533ff04e292192eeaac694363c6e9cb39de59dfd3b8221a55e7d8cc3/ssm_acquire-0.1.0.4.tar.gz" } ], "0.1.0.5": [ { "comment_text": "", "digests": { "md5": "40e6f65418eac5bf956a5096a04cda34", "sha256": "39ea49a505317d47dd700b884d3479803c54db9f34853566da9964f497eb8a03" }, "downloads": -1, "filename": "ssm_acquire-0.1.0.5.linux-x86_64.tar.gz", "has_sig": false, "md5_digest": "40e6f65418eac5bf956a5096a04cda34", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 17094, "upload_time": "2019-08-06T15:57:31", "url": "https://files.pythonhosted.org/packages/ed/d0/44a56a1e3825a2e6a12595e2ec74f5d1a7da66537e761cddec5f29763249/ssm_acquire-0.1.0.5.linux-x86_64.tar.gz" }, { "comment_text": "", "digests": { "md5": "21b0cde6c77f1e86ec51e5371592b93f", "sha256": "924a79518b8004e37ee999f266d1cd08bea735c1095f7a7205991310c51e3ec7" }, "downloads": -1, "filename": "ssm_acquire-0.1.0.5-py2.7.egg", "has_sig": false, "md5_digest": "21b0cde6c77f1e86ec51e5371592b93f", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 22904, "upload_time": "2019-08-06T15:57:29", "url": "https://files.pythonhosted.org/packages/60/2c/ea22886f1cebdaca034f0d23ed9585b699af4cdb69f2d3dd15f83cf0318f/ssm_acquire-0.1.0.5-py2.7.egg" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "40e6f65418eac5bf956a5096a04cda34", "sha256": "39ea49a505317d47dd700b884d3479803c54db9f34853566da9964f497eb8a03" }, "downloads": -1, "filename": "ssm_acquire-0.1.0.5.linux-x86_64.tar.gz", "has_sig": false, "md5_digest": "40e6f65418eac5bf956a5096a04cda34", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 17094, "upload_time": "2019-08-06T15:57:31", "url": "https://files.pythonhosted.org/packages/ed/d0/44a56a1e3825a2e6a12595e2ec74f5d1a7da66537e761cddec5f29763249/ssm_acquire-0.1.0.5.linux-x86_64.tar.gz" }, { "comment_text": "", "digests": { "md5": "21b0cde6c77f1e86ec51e5371592b93f", "sha256": "924a79518b8004e37ee999f266d1cd08bea735c1095f7a7205991310c51e3ec7" }, "downloads": -1, "filename": "ssm_acquire-0.1.0.5-py2.7.egg", "has_sig": false, "md5_digest": "21b0cde6c77f1e86ec51e5371592b93f", "packagetype": "bdist_egg", "python_version": "2.7", "requires_python": null, "size": 22904, "upload_time": "2019-08-06T15:57:29", "url": "https://files.pythonhosted.org/packages/60/2c/ea22886f1cebdaca034f0d23ed9585b699af4cdb69f2d3dd15f83cf0318f/ssm_acquire-0.1.0.5-py2.7.egg" } ] }