Using the Script Catalog
The catalog includes several hundred stock scripts to help you get started counteracting any found threats. These scripts have been vetted and tested by the Cisco Talos Intelligence Group, and represent a robust collection. A few example scripts are:
- Delete a Directory
- Delete a File
- Force Logout
- Stop Service
- Terminate a Process By PID
- Rename/Move a Directory
- WMI Persistence Cleanup
Viewing Catalog Script
To open a Script Details Catalog page, click a script name link. Each script catalog page includes a description of the script, the script Python statement, and any Mitre tactics and techniques associated with the script, as shown in the figure below:
Finding Catalog Script with Filter and Search
Orbital provides you with two methods for locating the desired script to use, filters and search.
Filters
Use the filters listed on the left side of the page to filter the display of catalog scripts. The display will include all scripts that have been grouped into the selected filter category, as shown in the figure below.
For example, select the New Script filter to display only those scripts that have been added to the Catalog within the last 90 days.
Search Catalog
Type the desired terms or phrases in the Search Catalog field at the top of the Catalog page to locate your desired script or scripts. Search phrases can include partial words and variations on the script name. This will list all matching scripts in the catalog.
You can also narrow down your search further by selecting one or more filters. In this instance, the search will be limited to the selected options as seen in the following sample, which shows the search results for the term user, with the Forensics filter set.
Note: Catalog scripts that have been deprecated cannot be added to your scripts favorites list. Further, those scripts that have been deprecated will be removed from your favorites list, if you have previously added them.
Editing a Custom Script
There may be times when you will need to edit a custom script that has been saved to the catalog. In order to edit a custom script:
-
Open the Catalog page.
-
Navigate to the desired script. This can be done by:
- Browsing to the desired query, using the Page Navigation Buttons, shown in the figure below.
or
- Using the Search Catalog field, shown in the figure below, to find the query.
-
Highlight the desired custom script.
-
Click the script’s action menu.
-
Select the Edit menu command.
This will display the Edit Script popup, as shown in the figure below.
-
Make the necessary changes to the script, using the Name, Description, OS, and Custom Script interface elements.
-
Save the changes to the script by clicking Save.
Copy or Add the Python to a New Script
The detailed Script Catalog page provides the script Python code.
- To copy the Python, click the Copy icon above the Python code.
- To add the Python code to a script you are building, click the Add (
+) icon. Catalog scripts are designed to be run independently, so you can only add one to run at a time.
Download Organization Scripts
The Download organization scripts link, shown in the figure below, allows you to download all of the scripts, stored in the Orbital Catalog, that have been created by your organization.
Note: This download feature will not include any of the stock scripts in the downloaded file. Stock scripts are those scripts that have been added to the Orbital Catalog by the Orbital development team.
When you click the Download organization scripts link, a file named orgScripts.json will be downloaded to your computer. The structure of this file is shown in the figure below.
{
"scripts": {
"Script Name": {
"created": "Date and Time Script Was Created",
"creator": {
"id": "User ID Number",
"name": "Developer's Name"
},
"description": "The description of the script is typed in this field. This can"
"include information such as its purpose, what its target is, and so on.",
"id": "This is the organization's ID number",
"script": "The Python Script")",
"args": ["Parameter Arguments Here"]
]
}
. . .
}