### Getting command output (Example) Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Example of retrieving command output from an endpoint using curl. ```APIDOC ## Getting command output (Example) **Request:** ```bash curl -skH "Api-key: admin" "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/command" ``` **Response:** ```json { "data": { "uuid": "f3e15c2e-c46e-082d-53a3-fd7621453505", "name": "cmd.exe", "args": [ "cmd.exe", "/c", "dir", "C:\\" ], "drop": [], "fetch": {}, "stdout": "IFZvbHVtZSBpbiBkcml2ZSBDIGhhcyBubyBsYWJlbC4NCiBWb2x1bWUgU2VyaWFsIE51bWJlciBpcyA5Mjc0LTcxQzENCg0KIERpcmVjdG9yeSBvZiBDOlwNCg0KMDMvMDIvMjAyMSAgMDg6MjggQU0gICAgPERJUj4gICAgICAgICAgUHJvZ3JhbSBGaWxlcw0KMDEvMTEvMjAxOSAgMDU6MDYgUE0gICAgPERJUj4gICAgICAgICAgUHJvZ3JhbSBGaWxlcyAoeDg2KQ0KMDYvMTIvMjAxOSAgMTA6NTEgQU0gICAgPERJUj4gICAgICAgICAgVXNlcnMNCjAzLzAzLzIwMjEgIDAyOjA1IFBNICAgIDxESVI+ICAgICAgICAgIFdpbmRvd3MNCiAgICAgICAgICAgICAgIDAgRmlsZShzKSAgICAgICAgICAgICAgMCBieXRlcw0KICAgICAgICAgICAgICAgNCBEaXIocykgIDE0LDY1Niw5MzcsOTg0IGJ5dGVzIGZyZWUNCg==", "stderr": null, "error": "", "sent": true, "background": false, "completed": true, "timeout": 0, "sent-time": "2021-03-03T14:32:40.939939135+01:00" }, "message": "OK", "error": "" } ``` ``` -------------------------------- ### Initial command execution request example Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md This is an example of an initial request to execute a command, showing the structure of the response including command details and status. ```json { "data": { "uuid": "f3e15c2e-c46e-082d-53a3-fd7621453505", "name": "cmd.exe", "args": [ "cmd.exe", "/c", "dir", "C:\\" ], "drop": [], "fetch": {}, "stdout": "IFZvbHVtZSBpbiBkcml2ZSBDIGhhcyBubyBsYWJlbC4NCiBWb2x1bWUgU2VyaWFsIE51bWJlciBpcyA5Mjc0LTcxQzENCg0KIERpcmVjdG9yeSBvZiBDOlwNCg0KMDMvMDIvMjAyMSAgMDg6MjggQU0gICAgPERJUj4gICAgICAgICAgUHJvZ3JhbSBGaWxlcw0KMDEvMTEvMjAyMSAgMDU6MDYgUE0gICAgPERJUj4gICAgICAgICAgUHJvZ3JhbSBGaWxlcyAoeDg2KQ0KMDYvMTIvMjAxOSAgMTA6NTEgQU0gICAgPERJUj4gICAgICAgICAgVXNlcnMNCjAzLzAzLzIwMjEgIDAyOjA1IFBNICAgIDxESVI+ICAgICAgICAgIFdpbmRvd3MNCiAgICAgICAgICAgICAgIDAgRmlsZShzKSAgICAgICAgICAgICAgMCBieXRlcw0KICAgICAgICAgICAgICAgNCBEaXIocykgIDE0LDY1Niw5MzcsOTg0IGJ5dGVzIGZyZWUNCg==", "stderr": null, "error": "", "sent": true, "background": false, "completed": true, "timeout": 0, "sent-time": "2021-03-03T14:32:40.939939135+01:00" }, "message": "OK", "error": "" } ``` -------------------------------- ### Executing a command on endpoint (Example) Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Example of executing a command on an endpoint using curl. ```APIDOC ## Executing a command on endpoint (Example) ### Pushing the command on the endpoint **Request:** ```bash # POST command curl -skH "Api-key: admin" -d @/tmp/command.json "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/command" ``` ``` -------------------------------- ### Example command JSON for execution Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md This JSON structure represents a command to be executed, specifying the command line. ```json { "command-line": "cmd.exe /c dir C:\\" } ``` -------------------------------- ### GET /rules/save Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Saves the current set of rules to disk. ```APIDOC ## GET /rules/save ### Description Saves the current set of rules to disk. ### Method GET ### Endpoint `https://localhost:8001/rules/save` ### Request Example ```bash curl -skH "Api-key: admin" "https://localhost:8001/rules/save" ``` ### Response #### Success Response (200) - **data** (null) - Indicates success. - **message** (string) - Confirmation message, e.g., "Rules saved succesfully on disk". - **error** (string) - Empty string if successful. ``` -------------------------------- ### Get file or directory stats Source: https://github.com/0xrawsec/whids/blob/master/doc/edr-commands.md Retrieve statistics for a file or directory. ```bash stat C:\\Windows\\System32\\cmd.exe ``` -------------------------------- ### Get Single Endpoint Information Source: https://context7.com/0xrawsec/whids/llms.txt Retrieve detailed system information and Sysmon configuration for a specific endpoint using its UUID. ```bash # Get endpoint by UUID curl -skH "Api-key: admin" "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef" ``` -------------------------------- ### Retrieve Endpoint Alerts Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Use this API endpoint to get alerts collected from a specific endpoint. Ensure endpoint logging is configured on the manager. Parameters like start, stop, pivot, and delta can be used to filter alerts by time. ```bash curl -skH "Api-key: admin" "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/alerts" ``` -------------------------------- ### GET /endpoints/{ENDPOINT_UUID}/artifacts/{PROCESS_GUID}/{EVENT_HASH}/{FILENAME} Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Downloads a specific artifact file from an endpoint. ```APIDOC ## GET /endpoints/{ENDPOINT_UUID}/artifacts/{PROCESS_GUID}/{EVENT_HASH}/{FILENAME} ### Description Downloads a given artifact. ### Method GET ### Endpoint `/endpoints/{ENDPOINT_UUID}/artifacts/{PROCESS_GUID}/{EVENT_HASH}/{FILENAME}` ### Query Parameters - **raw** (boolean) - Optional - If true, returns the raw file content. - **gunzip** (boolean) - Optional - If true, gunzips the artifact content before sending. Accepted values: true, false, t, f, 0, 1. ### Request Example ```bash curl -skH Api-key: admin https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/artifacts/515cd0d1-9064-60e4-577c-000000004e00/443884f68ad4203613ff54a80d4fba15/event.json.gz ``` ### Response #### Success Response (200) - **data** (string) - The content of the artifact file, potentially gunzipped. - **message** (string) - Status message. - **error** (string) - Error message, if any. #### Response Example ```json { "data": "H4sIAAAAAAAE/5xUW2/iRhT+K+g8tZKdnfFcfJGiyvgS6JINislW27oPXvvAWgseNDZJKOK/V2MDSbZNH5q84Jn5zu37vnOA5BGbDoLTj7joCvMRNiW2ndItBBAFef5b3VTqqc3zbN92uGFOnreoH+sS2yt8RrAgUptN0VSzukEIIO9Rc61WutiM0nqN7einZ0/+nOc3Sq3WmOcP26ro8Pw9fJlYOYw+tI/lEHJbNHsIYMCMZrPIHO+0xqaLa41lp7S5f1NieykRLIixLXW97WrVvMSZNm1XrNeowQJT22fU7fCAXrErJq88ChZMivYbmgFkk5BeU8cXJPaJTFOXsJSFNCHj2HdZGoXOmDOWiHDsENe6jcW1H0oZsjhxhOenLiUed2SYMjccu6kcc2plk9AR8jr0KeNUSEdyxmIRk5S4MUsiTjweSjdNZSoo8yIWsVTyhMk4JhENEx5xh0VSWNPb+STMJtdunFKPSof5kRhHnhCSkJhThxJOZCTGYMF0U6wQAoiC/P8Rc46R1X+ZOFRwLqQ5bDpc6brbz/AR1xDAoBGwYKZWqrnZ1RUEcBBUlBWpqF15FG1JqtJGlzCbEHL5P55BUwMhzwxdsOBO16u6KdaGqk/FxiQfBPEiGrBgXhhVRG9k+I4ufpDugJxuipUJ/QYztPIvcj9hfmz9l0shc61KbNv/6J58JeTSPUfSdz/EPYH7KUiPX4JmOHgOgleZHlrU54N3kvpEclsS5LZw3fKfSQdYn853eZ9Pq2pXdi+eGWYNFtzv1mcWbLDgVUmrXW9psGCBemMYy7A1xuoDE7DgVOqnxSh8WEzu7qeLL3mefckWya257cpF3dPrEIfaxLWJHFE3oF7geFe+T+BowQ02OG2WymypSNddXRbruttDQIkFWb1qim6nEYI/4KH53qin5lLgn0frLM3gANG3oml6ud7WpVatWnb2acvZ2b7dqObD3RZ1YTZHsTZrR222u64fdZxkHxd3c3v26/3nhBgPREprXPePITgcrWGtTmMIwKySfsneY6l01Z85gvie4xtk8ozlziQxRZ2JMDiHMseM8pvG4oTinJgRfMT9k9KVUQF59i7mGf6Mg04+NDzebUtVGVmbi7lWj3VlWjjAzdmWrkuYJ5Z26TiFzRkS++uSlzaRSyF9b7n8WvnGlifjvTcsU1eG5U73XBx6pvs2MpvawqaeebAo2u+niRiiI41Fh5VpfPCZOYTgFfuLV+wzJgUl5HcT6DPqtlYNBCDgeDz+DQAA//8BAAD//1JaS5vGBgAA", "message": "OK", "error": "" } ``` ``` -------------------------------- ### Manage Sysmon Configuration via API Source: https://context7.com/0xrawsec/whids/llms.txt Use curl to interact with Sysmon configurations on endpoints, including getting, uploading (XML), and deleting configurations. ```bash # Get Sysmon configuration curl -skH "Api-key: admin" \ "https://localhost:8001/endpoints/windows/sysmon/config?version=4.70" ``` ```bash # Upload Sysmon configuration (XML) curl -skH "Api-key: admin" -X POST \ -H "Content-Type: application/xml" \ -d @sysmon-config.xml \ "https://localhost:8001/endpoints/windows/sysmon/config" ``` ```bash # Delete Sysmon configuration curl -skH "Api-key: admin" -X DELETE \ "https://localhost:8001/endpoints/windows/sysmon/config?version=4.70" ``` -------------------------------- ### GET /rules Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Retrieves rules loaded in the EDR manager. ```APIDOC ## GET /rules ### Description This endpoint is used to retrieve rules loaded in the EDR manager (also deployed on all the endpoints connected). ### Method GET ### Endpoint /rules ### Parameters #### Query Parameters - **name** (string) - Optional - Regular expression to filter rules by name ### Response #### Success Response (200) - **data** (array) - List of rule objects #### Response Example { "data": [ { "Name": "HighlyPolymorphicCode", "Tags": ["WHIDS"], "Meta": { "EventIDs": [1], "Criticality": 10 }, "Condition": "$lowboundproc or $lowboundpproc" } ], "message": "OK", "error": "" } ``` -------------------------------- ### GET /endpoints Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Retrieves a list of all configured endpoints that are communicating with the manager. ```APIDOC ## GET /endpoints ### Description API endpoint to list all the available endpoints configured to communicate with the manager. ### Method GET ### Endpoint `https://localhost:8001/endpoints` ### Request Example ```bash curl -skH "Api-key: admin" "https://localhost:8001/endpoints" ``` ### Response #### Success Response (200) - **data** (array) - A list of endpoint objects. - **uuid** (string) - The unique identifier for the endpoint. - **hostname** (string) - The hostname of the endpoint. - **ip** (string) - The IP address of the endpoint. - **key** (string) - The security key for the endpoint. - **last-connection** (string) - The timestamp of the last connection. - **message** (string) - Confirmation message, e.g., "OK". - **error** (string) - Empty string if successful. ``` -------------------------------- ### Save WHIDS Rules to Disk Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md This GET request saves all currently loaded rules to disk. This is useful for persisting rule changes. ```bash curl -skH "Api-key: admin" "https://localhost:8001/rules/save" ``` -------------------------------- ### Get Single Endpoint Information Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Fetch detailed information for a specific endpoint using its UUID. This includes hostname, IP, API key, and last connection timestamp. ```bash curl -skH "Api-key: admin" "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef" ``` -------------------------------- ### List All Endpoints Source: https://context7.com/0xrawsec/whids/llms.txt Retrieve a list of all configured endpoints with their connection status and system information. ```bash # List all endpoints curl -skH "Api-key: admin" "https://localhost:8001/endpoints" ``` -------------------------------- ### GET /endpoints/{ENDPOINT_UUID}/reports Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md API endpoint to get an EDR report about a given endpoint. ```APIDOC ## GET /endpoints/{ENDPOINT_UUID}/reports ### Description API endpoint to get an EDR report about a given endpoint. ### Method GET ### Endpoint /endpoints/{ENDPOINT_UUID}/reports ### Parameters #### Path Parameters - **ENDPOINT_UUID** (string) - Required - The unique identifier of the endpoint. ### Request Example ```bash curl -skH "Api-key: admin" "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/report" ``` ### Response #### Success Response (200) - **data** (object) - Contains EDR report data for the specified endpoint. - **identifier** (string) - The unique identifier of the endpoint. - **alert-count** (integer) - The total number of alerts for the endpoint. - **count-by-signature** (object) - A map of signature names to their counts. - **signatures** (array) - A list of signature names detected. - **techniques** (array) - A list of MITRE ATT&CK techniques detected. - **tactics** (array) - A list of MITRE ATT&CK tactics detected. - **signature-count** (integer) - Total count of signatures. - **sum-alert-criticality** (number) - Sum of alert criticality scores. - **avg-alert-criticality** (number) - Average alert criticality score. - **std-dev-alert-criticality** (number) - Standard deviation of alert criticality scores. - **sum-rule-criticality** (integer) - Sum of rule criticality scores. - **avg-signature-criticality** (number) - Average signature criticality score. - **std-dev-signature-criticality** (number) - Standard deviation of signature criticality scores. - **signature-diversity** (integer) - Metric for signature diversity. - **count-uniq-signatures** (integer) - Count of unique signatures. - **signature-criticality-metric** (integer) - Metric for signature criticality. - **alert-criticality-metric** (integer) - Metric for alert criticality. - **score** (integer) - An aggregated metric to rank endpoints. - **start-time** (string) - The start time of the report. - **median-time** (string) - The median time of the report. - **stop-time** (string) - The stop time of the report. - **message** (string) - Status message. - **error** (string) - Error message, if any. #### Response Example ```json { "data": { "identifier": "03e31275-2277-d8e0-bb5f-480fac7ee4ef", "alert-count": 99, "count-by-signature": { "DefenderConfigChanged": 2, "ExecTimestomping": 1, "ExecutableFileCreated": 3, "HeurPersistentRAT": 1, "HeurSpawnShell": 1, "NewAutorun": 8, "StopSvchostAccess": 71, "UnknownServices": 6, "UntrustedDriverLoaded": 4, "UntrustedService": 3 }, "signatures": [ "DefenderConfigChanged", "UntrustedDriverLoaded", "HeurPersistentRAT", "NewAutorun", "ExecutableFileCreated", "StopSvchostAccess", "UnknownServices", "HeurSpawnShell", "UntrustedService", "ExecTimestomping" ], "techniques": [ "T1014", "T1060", "T1035" ], "tactics": [ "persistence", "Execution", "Defense Evasion" ], "signature-count": 100, "sum-alert-criticality": 744, "avg-alert-criticality": 7.51, "std-dev-alert-criticality": 1.05, "sum-rule-criticality": 747, "avg-signature-criticality": 7.47, "std-dev-signature-criticality": 1.05, "signature-diversity": 100, "count-uniq-signatures": 10, "signature-criticality-metric": 70, "alert-criticality-metric": 751, "score": 821, "start-time": "2021-03-03T21:34:51.3769993Z", "median-time": "2021-03-03T21:43:01.53481525Z", "stop-time": "2021-03-03T21:51:11.6926312Z" }, "message": "OK", "error": "" } ``` ``` -------------------------------- ### List loaded modules Source: https://github.com/0xrawsec/whids/blob/master/doc/edr-commands.md Retrieve the full list of modules that have been loaded since system boot, monitored via Sysmon logs. ```bash modules ``` -------------------------------- ### GET /endpoints/reports Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md API endpoint to get EDR reports about all the endpoints connected. Reports are not persistent across restarts of the manager. ```APIDOC ## GET /endpoints/reports ### Description API endpoint to get EDR reports about all the endpoints connected. Reports are not persistent across restarts of the manager. ### Method GET ### Endpoint /endpoints/reports ### Request Example ```bash curl -skH "Api-key: admin" "https://localhost:8001/endpoints/reports" ``` ### Response #### Success Response (200) - **data** (object) - Contains EDR reports for each endpoint. - **[ENDPOINT_UUID]** (object or null) - Report data for a specific endpoint or null if no report is available. - **identifier** (string) - The unique identifier of the endpoint. - **alert-count** (integer) - The total number of alerts for the endpoint. - **count-by-signature** (object) - A map of signature names to their counts. - **signatures** (array) - A list of signature names detected. - **techniques** (array) - A list of MITRE ATT&CK techniques detected. - **tactics** (array) - A list of MITRE ATT&CK tactics detected. - **signature-count** (integer) - Total count of signatures. - **sum-alert-criticality** (number) - Sum of alert criticality scores. - **avg-alert-criticality** (number) - Average alert criticality score. - **std-dev-alert-criticality** (number) - Standard deviation of alert criticality scores. - **sum-rule-criticality** (integer) - Sum of rule criticality scores. - **avg-signature-criticality** (number) - Average signature criticality score. - **std-dev-signature-criticality** (number) - Standard deviation of signature criticality scores. - **signature-diversity** (integer) - Metric for signature diversity. - **count-uniq-signatures** (integer) - Count of unique signatures. - **signature-criticality-metric** (integer) - Metric for signature criticality. - **alert-criticality-metric** (integer) - Metric for alert criticality. - **score** (integer) - An aggregated metric to rank endpoints. - **start-time** (string) - The start time of the report. - **median-time** (string) - The median time of the report. - **stop-time** (string) - The stop time of the report. - **message** (string) - Status message. - **error** (string) - Error message, if any. #### Response Example ```json { "data": { "03e31275-2277-d8e0-bb5f-480fac7ee4ef": { "identifier": "03e31275-2277-d8e0-bb5f-480fac7ee4ef", "alert-count": 99, "count-by-signature": { "DefenderConfigChanged": 2, "ExecTimestomping": 1, "ExecutableFileCreated": 3, "HeurPersistentRAT": 1, "HeurSpawnShell": 1, "NewAutorun": 8, "StopSvchostAccess": 71, "UnknownServices": 6, "UntrustedDriverLoaded": 4, "UntrustedService": 3 }, "signatures": [ "DefenderConfigChanged", "UntrustedDriverLoaded", "HeurPersistentRAT", "NewAutorun", "UnknownServices", "HeurSpawnShell", "UntrustedService", "ExecTimestomping", "ExecutableFileCreated", "StopSvchostAccess" ], "techniques": [ "T1014", "T1060", "T1035" ], "tactics": [ "Defense Evasion", "persistence", "Execution" ], "signature-count": 100, "sum-alert-criticality": 744, "avg-alert-criticality": 7.51, "std-dev-alert-criticality": 1.05, "sum-rule-criticality": 747, "avg-signature-criticality": 7.47, "std-dev-signature-criticality": 1.05, "signature-diversity": 100, "count-uniq-signatures": 10, "signature-criticality-metric": 70, "alert-criticality-metric": 751, "score": 821, "start-time": "2021-03-03T21:34:51.3769993Z", "median-time": "2021-03-03T21:43:01.53481525Z", "stop-time": "2021-03-03T21:51:11.6926312Z" }, "1829e1ac-acf6-953f-c3a8-27818820bb9f": null, "5949e4a8-82c3-2284-58d1-0a93a3f8ed04": null, "7fa7a8ab-4725-bf63-f8b3-9c72ed07f45a": null }, "message": "OK", "error": "" } ``` ``` -------------------------------- ### Execute osquery command Source: https://github.com/0xrawsec/whids/blob/master/doc/edr-commands.md Alias to `osqueryi --json -A`. Use this to query system information using osquery. ```bash osquery processes ``` -------------------------------- ### List All Endpoints Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Retrieve a list of all configured endpoints communicating with the manager. The response includes details like hostname, IP address, and last connection time. ```bash curl -skH "Api-key: admin" "https://localhost:8001/endpoints" ``` -------------------------------- ### List loaded drivers Source: https://github.com/0xrawsec/whids/blob/master/doc/edr-commands.md Retrieve the full list of drivers that have been loaded since system boot, monitored via Sysmon logs. ```bash drivers ``` -------------------------------- ### List directory contents Source: https://github.com/0xrawsec/whids/blob/master/doc/edr-commands.md List the contents of a specified directory. ```bash ls C:\\Windows\\ ``` -------------------------------- ### List running processes Source: https://github.com/0xrawsec/whids/blob/master/doc/edr-commands.md Retrieve the full list of currently running processes, monitored via Sysmon logs. ```bash processes ``` -------------------------------- ### GET /rules/reload Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Reloads the rule engine, applying any changes to the active rules. ```APIDOC ## GET /rules/reload ### Description API endpoint used to reload the rule engine. ### Method GET ### Endpoint `https://localhost:8001/rules/reload` ### Request Example ```bash curl -skH "Api-key: admin" "https://localhost:8001/rules/reload" ``` ### Response #### Success Response (200) - **data** (object) - Contains statistics about the rules and endpoints. - **endpoint-count** (integer) - The number of active endpoints. - **rule-count** (integer) - The total number of loaded rules. - **message** (string) - Confirmation message, e.g., "OK". - **error** (string) - Empty string if successful. ``` -------------------------------- ### GET /endpoints/{ENDPOINT_UUID} Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Retrieves detailed information about a specific endpoint using its UUID. ```APIDOC ## GET /endpoints/{ENDPOINT_UUID} ### Description Endpoint used to list information about a single endpoint. ### Method GET ### Endpoint `https://localhost:8001/endpoints/{ENDPOINT_UUID}` ### Parameters #### Path Parameters - **ENDPOINT_UUID** (string) - Required - The unique identifier of the endpoint. ### Request Example ```bash curl -skH "Api-key: admin" "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef" ``` ### Response #### Success Response (200) - **data** (object) - Information about the specified endpoint. - **uuid** (string) - The unique identifier for the endpoint. - **hostname** (string) - The hostname of the endpoint. - **ip** (string) - The IP address of the endpoint. - **key** (string) - The security key for the endpoint. - **last-connection** (string) - The timestamp of the last connection. - **message** (string) - Confirmation message, e.g., "OK". - **error** (string) - Empty string if successful. ``` -------------------------------- ### Execute sysmon command Source: https://github.com/0xrawsec/whids/blob/master/doc/edr-commands.md Alias to the sysmon binary. Use this to access sysmon functionalities. Refer to sysmon documentation for available options. ```bash sysmon -h ``` -------------------------------- ### GET /endpoints/{ENDPOINT_UUID}/command Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Retrieves information about a pending or executed command on a specific endpoint. ```APIDOC ## GET /endpoints/{ENDPOINT_UUID}/command ### Description This API endpoint is used to get information about a pending or executed command. In order to make sure the command has been ran, a specific flag in the response can be checked. ### Method GET ### Endpoint `https://localhost:8001/endpoints/{ENDPOINT_UUID}/command` ### Parameters #### Path Parameters - **ENDPOINT_UUID** (string) - Required - The unique identifier of the endpoint. ### Request Example ```bash curl -skH "Api-key: admin" "https://localhost:8001/endpoints/{ENDPOINT_UUID}/command" ``` ``` -------------------------------- ### GET /stats Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Retrieves basic statistics about the EDR manager, including endpoint and rule counts. ```APIDOC ## GET /stats ### Description Used to retrieve basic statistics about the EDR manager. ### Method GET ### Endpoint /stats ### Response #### Success Response (200) - **data** (object) - Contains endpoint-count and rule-count - **message** (string) - Status message - **error** (string) - Error message if any #### Response Example { "data": { "endpoint-count": 1, "rule-count": 133 }, "message": "OK", "error": "" } ``` -------------------------------- ### Execute a command on an endpoint Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Use this POST endpoint to execute commands or fetch files from an endpoint. Files can be dropped prior to execution and are removed afterward. The EDR agent on the endpoint checks for commands, so no direct connection from manager to agent is made. ```json { "command-line": "cmd /c dir C:\\Windows\\System32", "fetch-files": [ "C:\\Windows\\System32\\malware.exe" ], "drop-files": [ "" ], "timeout": 10 } ``` -------------------------------- ### Execute Command on Endpoint Source: https://context7.com/0xrawsec/whids/llms.txt Send a command to a remote endpoint and retrieve the results. Standard output is returned in base64 encoding. ```bash # Create command JSON cat > /tmp/command.json << 'EOF' { "command-line": "cmd.exe /c dir C:\\" } EOF # Send command to endpoint curl -skH "Api-key: admin" -d @/tmp/command.json \ "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/command" # Get command result (stdout is base64 encoded) curl -skH "Api-key: admin" \ "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/command" # Check specific command field curl -skH "Api-key: admin" \ "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/command/completed" ``` -------------------------------- ### Get EDR Statistics Source: https://context7.com/0xrawsec/whids/llms.txt Retrieve basic manager statistics including endpoint count and loaded rules. ```bash # Get manager statistics curl -skH "Api-key: admin" "https://localhost:8001/stats" ``` -------------------------------- ### Download Artifacts Source: https://context7.com/0xrawsec/whids/llms.txt Download specific artifact files, with options for raw content and automatic decompression. ```bash curl -skH "Api-key: admin" \ "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/artifacts/515cd0d1-9064-60e4-577c-000000004e00/443884f68ad4203613ff54a80d4fba15/event.json.gz" ``` ```bash curl -skH "Api-key: admin" \ "https://localhost:8001/endpoints/.../artifacts/.../event.json.gz?raw=true&gunzip=true" ``` -------------------------------- ### GET /endpoints/{ENDPOINT_UUID}/artifacts Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Lists the artifacts collected on a given endpoint, optionally filtered by update time. ```APIDOC ## GET /endpoints/{ENDPOINT_UUID}/artifacts ### Description Lists the artifacts collected (following an alert) on a given endpoint. ### Method GET ### Endpoint `/endpoints/{ENDPOINT_UUID}/artifacts` ### Query Parameters - **since** (string) - Optional - RFC 3339 formatted timestamp used to retrieve artifacts collected last updated after this date. ### Request Example ```bash curl -skH Api-key: admin https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/artifacts?since=2021-07-06T17:19:42.835802162Z ``` ### Response #### Success Response (200) - **data** (array) - An array of artifact objects. - **update** (string) - Timestamp of the artifact update. - **process-guid** (string) - GUID of the process associated with the artifact. - **event-hash** (string) - Hash of the event. - **base-url** (string) - Base URL for the artifact. - **files** (array) - List of files included in the artifact. - **message** (string) - Status message. - **error** (string) - Error message, if any. #### Response Example ```json { "data": [ { "update": "2021-07-06T19:21:50.655802826Z", "process-guid": "515cd0d1-ab35-60e4-827c-000000004e00", "event-hash": "2252cc3dee2623a44f5d1644338129b9", "base-url": "/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/artifacts/515cd0d1-ab35-60e4-827c-000000004e00/2252cc3dee2623a44f5d1644338129b9/", "files": [ "event.json.gz", "powershell.exe_12644_1625598794801114200.dmp.gz", "report.json.gz" ] } ], "message": "OK", "error": "" } ``` ``` -------------------------------- ### Hash a file Source: https://github.com/0xrawsec/whids/blob/master/doc/edr-commands.md Calculate the hash of a specified file. ```bash hash C:\\Windows\\System32\\cmd.exe ``` -------------------------------- ### Get EDR Statistics Source: https://context7.com/0xrawsec/whids/llms.txt Retrieve basic statistics about the EDR manager including endpoint count and loaded rules. ```APIDOC ## GET /stats ### Description Retrieve basic statistics about the EDR manager including endpoint count and loaded rules. ### Method GET ### Endpoint /stats ### Request Example ```bash curl -skH "Api-key: admin" "https://localhost:8001/stats" ``` ### Response #### Success Response (200) - **endpoint-count** (integer) - The number of connected endpoints. - **rule-count** (integer) - The number of loaded detection rules. #### Response Example ```json { "data": { "endpoint-count": 1, "rule-count": 133 }, "message": "OK", "error": "" } ``` ``` -------------------------------- ### Execute Command with File Operations Source: https://context7.com/0xrawsec/whids/llms.txt Execute commands while simultaneously dropping files to or fetching files from the endpoint. ```bash # Command with file fetch cat > /tmp/command.json << 'EOF' { "command-line": "cmd /c dir C:\\Windows\\System32", "fetch-files": ["C:\\Windows\\System32\\malware.exe"], "drop-files": ["/local/path/to/script.ps1"], "timeout": 10 } EOF curl -skH "Api-key: admin" -d @/tmp/command.json \ "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/command" ``` -------------------------------- ### List Endpoint Artifacts Source: https://context7.com/0xrawsec/whids/llms.txt Retrieve a list of collected files and memory dumps for a specific endpoint. ```bash curl -skH "Api-key: admin" \ "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/artifacts?since=2021-07-06T17:19:42Z" ``` -------------------------------- ### GET /endpoints/{ENDPOINT_UUID}/alerts Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Retrieves alerts collected from a specific endpoint. Requires endpoint logging to be configured on the manager. ```APIDOC ## GET /endpoints/{ENDPOINT_UUID}/alerts ### Description API endpoint to use in order to retrieve alerts collected from a given endpoint. ### Method GET ### Endpoint /endpoints/{ENDPOINT_UUID}/alerts ### Parameters #### Path Parameters - **ENDPOINT_UUID** (string) - Required - The unique identifier of the endpoint. #### Query Parameters - **start** (string) - Optional - RFC 3339 formatted timestamp used as starting point for getting alerts. - **stop** (string) - Optional - RFC 3339 formatted timestamp used as stopping point for getting alerts. - **pivot** (string) - Optional - RFC 3339 formatted timestamp used as pivot point for retrieving logs. - **delta** (string) - Optional - Duration string used for getting alerts around pivot point. ### Request Example curl -skH "Api-key: admin" "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/alerts" ### Response #### Success Response (200) - **data** (array) - List of alert events. - **message** (string) - Status message. - **error** (string) - Error details if any. ``` -------------------------------- ### Get Endpoint Alerts Source: https://context7.com/0xrawsec/whids/llms.txt Retrieve security alerts for a specific endpoint, supporting time-based filtering via query parameters. ```bash # Get all alerts curl -skH "Api-key: admin" \ "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/alerts" # Get alerts with time range curl -skH "Api-key: admin" \ "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/alerts?start=2021-03-01T00:00:00Z&stop=2021-03-02T00:00:00Z" # Get alerts around a pivot time curl -skH "Api-key: admin" \ "https://localhost:8001/endpoints/03e31275-2277-d8e0-bb5f-480fac7ee4ef/alerts?pivot=2021-03-01T12:00:00Z&delta=5m" ``` -------------------------------- ### Sysmon Configuration Management Source: https://context7.com/0xrawsec/whids/llms.txt Endpoints for retrieving, uploading, and deleting Sysmon configurations for Windows endpoints. ```APIDOC ## GET /endpoints/windows/sysmon/config ### Description Retrieves the current Sysmon configuration. ### Method GET ### Endpoint https://localhost:8001/endpoints/windows/sysmon/config ### Parameters #### Query Parameters - **version** (string) - Required - The version of the configuration. ## POST /endpoints/windows/sysmon/config ### Description Uploads a new Sysmon configuration in XML format. ### Method POST ### Endpoint https://localhost:8001/endpoints/windows/sysmon/config ## DELETE /endpoints/windows/sysmon/config ### Description Deletes a specific version of the Sysmon configuration. ### Method DELETE ### Endpoint https://localhost:8001/endpoints/windows/sysmon/config ### Parameters #### Query Parameters - **version** (string) - Required - The version to delete. ``` -------------------------------- ### EDR Manager Configuration (TOML) Source: https://context7.com/0xrawsec/whids/llms.txt Configure the EDR manager settings, including rule directories, dump directories, API settings, logging, and TLS configuration. ```toml # Gene rules directory rules-dir = "./data/rules" # Artifact dump directory dump-dir = "./data/dumps" # Gene containers directory containers-dir = "./data/containers" # Administrative API settings [admin-api] host = "localhost" port = 8001 [[admin-api.users]] identifier = "admin" key = "admin" # Endpoint API settings [endpoint-api] host = "" port = 8000 server-key = "" [[endpoint-api.endpoints]] uuid = "03e31275-2277-d8e0-bb5f-480fac7ee4ef" key = "ztBdB6XGl81Vx957YmVXjmh1SfnqliRMeoa7zYewtimXCGCNoR6O2Nfw9YjVD8KX" # Logging settings [logging] root = "./data/logs" logfile = "forwarded" enable-endpoint-logging = true # TLS settings [tls] cert = "cert.pem" key = "key.pem" # MISP integration [misp] protocol = "" host = "" api-key = "" ``` -------------------------------- ### Get command execution status Source: https://github.com/0xrawsec/whids/blob/master/doc/apis.md Retrieve the status of a command executed on an endpoint. The response includes details about the command, its execution, and any output. ```json { "data": { "uuid": "03e31275-2277-d8e0-bb5f-480fac7ee4ef", "hostname": "DESKTOP-LLOYD", "ip": "192.168.0.93", "key": "ztBdB6XGl81Vx957YmVXjmh1SfnqliRMeoa7zYewtimXCGCNoR6O2Nfw9YjVD8KX", "command": { "uuid": "f3e15c2e-c46e-082d-53a3-fd7621453505", "name": "cmd.exe", "args": [ "/c", "dir", "C:\\" ], "drop": [], "fetch": {}, "stdout": null, "stderr": null, "error": "", "sent": false, "background": false, "completed": false, "timeout": 0, "sent-time": "0001-01-01T00:00:00Z" }, "last-connection": "2021-03-03T14:32:36.460166243+01:00" }, "message": "OK", "error": "" } ```