
How to upload files to McAfee ATD using PowerShell


Hi all,

In this post I want to introduce a PowerShell script that defines a cmdlet-style function, Submit-Atd, which I have written to upload files to a McAfee Advanced Threat Defense (ATD) box.


This is the first time I have written something in PowerShell, so I have tried to follow the cmdlet conventions, especially for output and parameter binding. The files to be uploaded to the ATD box can be piped in from a list, from an external file or from another cmdlet, and the cmdlet returns its results as objects, so the output of the upload operation can be filtered, selected and exported with the usual PowerShell tools.

Installation process:

  • The script can be downloaded from the following link:
    https://github.com/built4tech/submit-atd
  • The execution policy of the system where the script is going to be run must allow the execution of unsigned scripts. Unrestricted works, but RemoteSigned is enough for a script that was written or cloned locally and is the safer choice.

  • If the current policy does not allow unsigned scripts, change it with the Set-ExecutionPolicy cmdlet. It is important to note that changing the policy for the LocalMachine scope requires administrative privileges; changing it for the CurrentUser or Process scope does not. A script file downloaded through a browser may also carry the mark of the web and be refused under RemoteSigned; in that case run Unblock-File on it first.

  • Once the policy is changed, you can import the module and check that the new function (Submit-Atd) has been loaded into the session, for example with Get-Command Submit-Atd.

  • You can now invoke the cmdlet. Below you can see some examples of how the script can be invoked and the information obtained. Keep in mind that the password is passed as a plain-text parameter, so when typed on the command line it ends up in the console history file and in the command line of the process; prompting for it at run time and passing it in a variable avoids the history entry.
1) Submit-atd -Atd_host 192.168.20.140 -Atd_user admin -Atd_pass McAfee123! -Fullname C:\test\source.bin

sucess    : True
file_size : 561659
mimeType  : application/vnd.openxmlformats-officedocument.wordprocessingml.document
md5       : CBECAE24EEAAC476CA9F5828AABB0AB6
sha1      : C41C619C9355A30747DFA4F9DDF25B6367CA0CCC
file_name : source.bin
detail    : Upload process sucessfull
sha256    : D66C3A184327B3E675725D1A70844B8A7653C1FD9774CC02B7C04F9FD78E909B

2) Submit-atd -Atd_host 192.168.20.140 -Atd_user admin -Atd_pass McAfee123! -Fullname C:\test\source.bin, C:\test\source-2.bin

sucess    : True
file_size : 561659
mimeType  : application/vnd.openxmlformats-officedocument.wordprocessingml.document
md5       : CBECAE24EEAAC476CA9F5828AABB0AB6
sha1      : C41C619C9355A30747DFA4F9DDF25B6367CA0CCC
file_name : source.bin
detail    : Upload process sucessfull
sha256    : D66C3A184327B3E675725D1A70844B8A7653C1FD9774CC02B7C04F9FD78E909B

sucess    : True
file_size : 561659
mimeType  : application/vnd.openxmlformats-officedocument.wordprocessingml.document
md5       : CBECAE24EEAAC476CA9F5828AABB0AB6
sha1      : C41C619C9355A30747DFA4F9DDF25B6367CA0CCC
file_name : source-2.bin
detail    : Upload process sucessfull
sha256    : D66C3A184327B3E675725D1A70844B8A7653C1FD9774CC02B7C04F9FD78E909B

3) get-content .\input.txt | Submit-atd -Atd_host 192.168.20.140 -Atd_user admin -Atd_pass McAfee123!

Output removed for brevity

4) Get-ChildItem -Path c:\test | Select-Object -ExpandProperty Fullname | Submit-atd -Atd_host 192.168.20.140 -Atd_user admin -Atd_pass McAfee123!

Output removed for brevity

5) Get-ChildItem -Path c:\test | Select-Object Fullname | Submit-atd -Atd_host 192.168.20.140 -Atd_user admin -Atd_pass McAfee123! | select-object sucess, file_name, file_size, md5

sucess file_name    file_size md5
------ ---------    --------- ---
  True codecs.ps1         963 8395B77C7F7ECD46E9FC19152D3E8292
  True source-2.bin    561659 CBECAE24EEAAC476CA9F5828AABB0AB6
  True source.bin      561659 CBECAE24EEAAC476CA9F5828AABB0AB6

6) Get-ChildItem -path c:\test | select-object @{n='Fullname'; e={$_.FullName}} | Submit-atd -Atd_host 192.168.20.140 -Atd_user admin -Atd_pass McAfee123! | select-object sucess, file_name, file_size, sha256

sucess file_name    file_size sha256
------ ---------    --------- ------
  True codecs.ps1         963 A36E1FE536D1C6A38615D28D8A4A408480.....
  True source-2.bin    561659 D66C3A184327B3E675725D1A70844B8A76......
  True source.bin      561659 D66C3A184327B3E675725D1A70844B8A76......
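As an added example (not code from the original post or from the submit-atd repository), the following session script walks through the whole procedure above in one go: relaxing the execution policy for the current process only, unblocking and importing the module, checking that Submit-Atd was loaded, prompting for the password instead of typing it on the command line, submitting a folder through the pipeline as in example 4, and then working on the returned objects to flag failed uploads, cross-check the ATD-reported SHA-256 against a local hash, and spot duplicate content such as source.bin and source-2.bin. The module path and file name (C:\tools\submit-atd\submit-atd.psm1) and the sample folder C:\test are assumptions; the host and user values mirror the examples above.

```powershell
# Added example, not part of the original post or the submit-atd repository.
# Assumptions (not confirmed by the post): the repository is cloned to C:\tools\submit-atd
# and exposes the Submit-Atd function from a module file named submit-atd.psm1; if the
# repository ships a plain .ps1 instead, dot-source it (". C:\tools\submit-atd\submit-atd.ps1").
# The ATD host/user values mirror the post's examples; C:\test is the folder to submit.

$ModulePath = 'C:\tools\submit-atd\submit-atd.psm1'   # assumed file name
$SampleDir  = 'C:\test'
$AtdHost    = '192.168.20.140'
$AtdUser    = 'admin'

# 1. Allow unsigned local scripts for this process only (no admin rights needed, nothing
#    persisted), and strip the mark-of-the-web that RemoteSigned would otherwise reject.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
Unblock-File -Path $ModulePath

# 2. Load the module and verify that the function really landed in the session.
Import-Module -Name $ModulePath -Force
if (-not (Get-Command -Name Submit-Atd -CommandType Function -ErrorAction SilentlyContinue)) {
    throw "Submit-Atd was not loaded from $ModulePath"
}

# 3. Prompt for the password instead of typing it on the command line, so it does not
#    land in the PSReadLine history file. The function still needs a plain string.
$secure = Read-Host -Prompt "Password for $AtdUser@$AtdHost" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# 4. Hash the local files first so the ATD-reported hashes can be cross-checked later.
$localSha256 = @{}
Get-ChildItem -Path $SampleDir -File | ForEach-Object {
    $localSha256[$_.Name] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
}

# 5. Submit everything in the folder through the pipeline (same shape as example 4).
$results = Get-ChildItem -Path $SampleDir -File |
    Select-Object -ExpandProperty FullName |
    Submit-Atd -Atd_host $AtdHost -Atd_user $AtdUser -Atd_pass $plain

# 6. Work on the objects the function returns (property names as shown in the post's output,
#    including the "sucess" spelling).
$failed = @($results | Where-Object { -not $_.sucess })
foreach ($f in $failed) {
    Write-Warning ("Upload failed for {0}: {1}" -f $f.file_name, $f.detail)
}

# String comparison in PowerShell is case-insensitive, so hex case does not matter here.
$mismatch = @($results | Where-Object {
    $_.sucess -and $localSha256.ContainsKey($_.file_name) -and
    ($_.sha256 -ne $localSha256[$_.file_name])
})
foreach ($m in $mismatch) {
    Write-Warning ("SHA-256 reported by ATD for {0} does not match the local file" -f $m.file_name)
}

# Files with identical content (like source.bin and source-2.bin in the post) only need
# one sandbox run; group by hash to spot them before re-submitting.
$results | Where-Object sucess | Group-Object -Property sha256 |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "Duplicate content ({0}): {1}" -f $_.Name, ($_.Group.file_name -join ', ') }

# 7. Keep a report of the run and drop the plain-text password from the session.
$results | Export-Csv -Path (Join-Path $SampleDir 'atd-upload-report.csv') -NoTypeInformation
Remove-Variable -Name plain, secure
```

The Process scope is used for Set-ExecutionPolicy on purpose: it needs no elevation and is forgotten when the console closes, so the system-wide policy is never weakened just to run one script. The local Get-FileHash pass is cheap and gives a simple sanity check that the file ATD reports on is the file that was actually read from disk.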

That's all, thanks for reading
