DanJenkins-Developer/AnalystTools
Matthew's Cyber Paste

A set of hotkeys I've made to make formatting easier and to help with investigations.

Installation

  1. Download the Files from GitHub
  2. Download and Install Python
  3. In a terminal, install pyperclip and pynput:
    pip install pyperclip pynput
    I believe that requirements.txt should cover this step.
  4. In the terminal, navigate to the location of Cyber_Paste.py
    cd <path>
  5. In the terminal start the program (You should see a list of the available hotkeys)
    python Cyber_Paste.py
  6. Press ctrl+alt+shift+esc to exit

Notes on Formatting

Anytime \s (space), \t (tab) or \n (newline) appears, it shows the formatting Kibana applies to the respective object when you copy and paste it; it does not need to be added for the hotkeys to function properly.

Arrows ( → , ↳ ) indicate what the line to their left is transformed into after the hotkey. Arrows ( → , ↳ ) with nothing to their left indicate that the hotkey inserts the text to the right of the arrow as part of its formatting process.

Curly braces ( { } ) indicate text that is not part of the formatting but that helps with clarity.

Usage

All hotkeys are used after copying their respective information to your clipboard; the hotkey then puts the formatted version of the information back into your clipboard, ready for you to paste it into your case or Discover.

Hotkey Combination: Hotkey Name

ctrl+alt+v: Format

  • This hotkey takes alert fields, capitalizes and adds spaces to the field name, and puts the field content in backticks. It applies the formatting to as many lines as you have copied from the alert tab.
      eg.
        this.example.field \t field content → This Example Field `field content`
  • Adds Group `` on a new line under the User field, as well as adding a blank line to separate Host, User, and Group from the rest of the info that is copied at that time.
      eg.
        host.name \t exampleHost → Host `exampleHost`
        user.name \t exampleUser → User `exampleUser`
        → Group ``
        → {empty line}
        process.executable \t exampleProcess.exe → Process Executable `exampleProcess.exe`
  • Removes extraneous parts of field names: Events, events, text, pe, name, or process if the next word is parent or command
  • Removes uninteresting fields from the overview tab: agent.status, Endpoint.policy.applied.artifacts.global.channel, or Source Event
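As an added illustration (not code from this repository), the following Python reproduces the Format rules listed above on a constructed alert-tab sample. How underscores are handled and the treatment of "command" as a following word are my assumptions, since the README does not spell them out.

```python
"""Re-implementation of the ctrl+alt+v "Format" transform described in the README."""

# Field-name tokens that the README says are always dropped.
DROP_TOKENS = {"Events", "events", "text", "pe", "name"}
# Fields the README says are removed from the overview tab entirely.
UNINTERESTING = {
    "agent.status",
    "Endpoint.policy.applied.artifacts.global.channel",
    "Source Event",
}


def pretty_field_name(field: str) -> str:
    """host.name -> Host, process.parent.name -> Parent, this.example.field -> This Example Field."""
    tokens = field.split(".")
    kept = []
    for i, tok in enumerate(tokens):
        if tok in DROP_TOKENS:
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        # "process" is dropped only when the next word is parent or command (README rule);
        # matching "command_line" via startswith is my assumption.
        if tok == "process" and (nxt == "parent" or nxt.startswith("command")):
            continue
        kept.append(tok)
    # Assumption: underscores become spaces, and every word is capitalised.
    words = " ".join(kept).replace("_", " ").split()
    return " ".join(w[:1].upper() + w[1:] for w in words)


def format_alert_fields(text: str) -> str:
    """Apply the Format hotkey rules to tab-separated 'field<TAB>content' lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        field, _, content = raw.partition("\t")
        field, content = field.strip(), content.strip()
        if field in UNINTERESTING:
            continue
        out.append(f"{pretty_field_name(field)} `{content}`")
        if field == "user.name":          # README: Group `` plus a blank separator line
            out.extend(["Group ``", ""])
    return "\n".join(out)


# Constructed sample of what the alert tab copies (tab-separated).
SAMPLE_ALERT = (
    "host.name\texampleHost\n"
    "user.name\texampleUser\n"
    "agent.status\thealthy\n"
    "process.executable\texampleProcess.exe\n"
    "process.parent.name\tparent.exe"
)

if __name__ == "__main__":
    print(format_alert_fields(SAMPLE_ALERT))
```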

ctrl+alt+shift+v: Observation Statement Format

  • This hotkey takes the host, user, group and the last line copied and converts it into my standard Observation Statement format
      eg.
        Host `exampleHost`
        User `exampleUser`
        Group `exampleGroup`
        {any number of irrelevant lines, your choice based on what you copy}
        Process Executable `exampleProcess.exe`
        File Path `exampleFile.path`
        ↳ File Path `exampleFile.path` flagged for {you would insert the alert name here} on Host `exampleHost` under User `exampleUser` at Group `exampleGroup`.

ctrl+win+shift+v: Duplicate Format (MacOS Cmd Key)

  • This hotkey takes the URL for a Hive case and optionally the case number and formats them into a duplicate Hive case link.
  • To add the case number, copy it to your clipboard and then use the Extra Text hotkey to store it. Then copy the URL and use this hotkey.
  • hiveCase.URL → Duplicate of [Hive Case #{value stored with the Extra Text Hotkey}](hiveCase.URL)

ctrl+alt+shift+x: Extra Text Format

  • This hotkey stores your clipboard for another hotkey to use later.

ctrl+alt+1: Extra Text 1 Format

  • This hotkey is to store additional info, currently only used to store the User Job Title in the Person Info hotkey.

ctrl+alt+2: Extra Text 2 Format

  • This hotkey is to store additional info, currently only used to store the User Department in the Person Info hotkey.

ctrl+alt+c: Column Format

  • This hotkey takes a column from Discover and puts each entry in backticks( ` ). This version cuts off the first and last character of each entry, since copying a column from Discover has quotes( " ) around the values.
  • Will also put anything stored with the Extra Text hotkey at the start of the column.

ctrl+win+c: Column Format - Non Destructive (MacOS Cmd Key)

  • This hotkey is the same as Column Format but doesn't remove the first and last character of each entry.

ctrl+alt+d: Discover Link Format

  • This hotkey takes the link to Discover and puts it in the hyperlink format.
  • discovertab.URL → This [Discover tab](discovertab.URL) shows

ctrl+` : Quote Format

  • This hotkey puts whatever you have copied into backticks( ` ).
      eg.
        exampleText → `exampleText`

ctrl+alt+p: Person Info Format

  • This hotkey takes the hyperlink to people finder and adds text to have the users title and department listed easily.
  • Optionally puts the user name, title, and department into the formatted text.
      eg.
        people\finder.URL → [{Extra Text}](people\finder.URL) is a `{Extra Text 1}` in the `{Extra Text 2}` department.

ctrl+alt+h: Hive Search Format

  • This hotkey puts the copied text into a format to search in Hive.
  • ie. puts asterisks( * ) around each word and replaces special characters( - \s \ _ ) with asterisks( * ) as well.

ctrl+alt+q: Add Parent Format

  • This hotkey puts .parent in between process and name or pid for Discover queries.
      eg.
        (process.name: example.exe and process.pid: 1234) → (process.parent.name: example.exe and process.parent.pid: 1234)

ctrl+alt+r: Remove ' - ' From Column Format

  • This hotkey removes any blank lines when copying a column from Discover. This will also put backticks( ` ) around each row.

ctrl+alt+shift+w: Source-Destination IP Format

  • This hotkey takes the IP info from the timeline view and formats it nicely, defanging each IP by bracketing its last dot.
      eg.
        source 123.456.7.890 : 1234, destination 098.765.4.321 : 4321 → Source `123.456.7[.]890` : `1234` \n Destination `098.765.4[.]321` : `4321`
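An added example (mine, not the repository's code) of the Source-Destination IP transform above, run on the README's own sample line; the regex for the timeline wording and the `format_src_dst` name are my assumptions.

```python
"""Re-implementation of the ctrl+alt+shift+w Source-Destination IP transform."""
import re

# Assumed timeline wording: "source <ip> : <port>, destination <ip> : <port>"
PAIR_RE = re.compile(
    r"source\s+(?P<sip>[\d.]+)\s*:\s*(?P<sport>\d+)\s*,\s*"
    r"destination\s+(?P<dip>[\d.]+)\s*:\s*(?P<dport>\d+)",
    re.IGNORECASE,
)


def defang_ip(ip: str) -> str:
    """Bracket only the final dot, as the README example shows: 123.456.7.890 -> 123.456.7[.]890."""
    head, sep, last = ip.rpartition(".")
    return f"{head}[.]{last}" if sep else ip


def format_src_dst(line: str) -> str:
    """Turn one timeline source/destination line into the two-line backticked, defanged form."""
    m = PAIR_RE.search(line)
    if m is None:
        raise ValueError(f"not a source/destination line: {line!r}")
    return (
        f"Source `{defang_ip(m['sip'])}` : `{m['sport']}`\n"
        f"Destination `{defang_ip(m['dip'])}` : `{m['dport']}`"
    )


# Constructed sample line, copied from the README's example.
SAMPLE_LINE = "source 123.456.7.890 : 1234, destination 098.765.4.321 : 4321"

if __name__ == "__main__":
    print(format_src_dst(SAMPLE_LINE))
```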

ctrl+alt+z: Two Column Format

  • This hotkey puts two columns next to each other with a vertical line( | ) between the two columns.
  • The column that you want on the left should be stored by formatting it into column format and then using the Extra Text 1 hotkey. Then copy your new column and use this hotkey; it will format your right-hand column and put the two columns next to each other.

ctrl+alt+u: Unique Columns Format

  • This hotkey will remove duplicate entries in the column format. This will also put backticks( ` ) around each row.

ctrl+alt+b: Discover Row with Backticking

  • This hotkey puts backticks( ` ) around each field when copying from a row in Discover.
      eg.
        Timestamp @ 10 \t exampleField1 \t example field 2 → `Timestamp @ 10` `exampleField1` `example field 2`
  • Also works with any tab-delineated line.

ctrl+alt+shift+t: Timeline Process and Command Format

  • This hotkey takes a copied line from the timeline view, puts the process in backticks( ` ) and puts the command on a new line, combining the process args together and putting the command in backticks( ` ) as well.
      eg.    process.exe \n (process.pid field) \n processArg1 \n processArg2 \n etc.
       ↳ {Type if this is the Process or the Parent from the timeline view} `process.exe`
       ↳ Command `processArg1 processArg2 etc.`
  • This is used on the line within the timeline view that has
    user.name \ user.domain @ host.name in process.working_directory started process process.name process.pid process.args with exit code process.exit_code via parent process process.parent.name process.parent.pid with result event.outcome

ctrl+alt+shift+p: Phishing Email Observation Statement Format

  • This hotkey takes the Email To Address, Email From Address, Email Subject, and Email Reporter fields to write an observation statement.
      eg.
        Email To Address `example@address.ex1`
        Email From Address `example@address.ex2`
        Email Subject `exampleSubject`
        {any number of irrelevant lines, your choice based on what you copy}
        Email Reporter `example@address.ex3`
        ↳ Email with Subject `exampleSubject` from `example@address.ex2` sent to `example@address.ex1` was flagged as a Phishing Email by `example@address.ex3`.

alt+l: Link Format

  • This hotkey takes the URL for a website, and optionally the link name and text after the link, and formats them into a hyperlink.
  • To add the link name, copy it to your clipboard and then use the Extra Text hotkey to store it.
  • To add text after the link, copy it to your clipboard and then use the Extra Text 1 hotkey to store it. Then copy the URL and use this hotkey.
  • website.URL → [{value stored with the Extra Text Hotkey}](website.URL) {value stored with the Extra Text 1 Hotkey}

alt+shift+s: Virus Total Format

  • This hotkey takes the URL for VirusTotal, the process or file you're checking, and optionally the maliciousness and popular threat label, and formats them into a hyperlink.
  • To add the process or file name, copy it to your clipboard and then use the Extra Text hotkey to store it.
  • To add maliciousness and popular threat label, copy the ratio of vendors flagging over vendors testing to your clipboard and then use the Extra Text 1 hotkey to store it. Next copy the popular threat label and use the Extra Text 2 hotkey to store it. Both are needed to get this variation of the format.
  • Then copy the URL and use this hotkey.
  • website.URL, nothing stored in Extra Text 2 → [VT](website.URL) shows `{value stored with firstText}` is nonmalicious
  • website.URL, something stored in Extra Text 2 → [VT](website.URL) shows {value stored in extraText1 (will look like x/y)} vendors flag `{value stored in firstText}` as malicious with `{value stored in extraText2}` being a popular threat label.

alt+shift+e: Current Exception Format

  • This hotkey takes the text from the exception lists and formats it nicely. It removes the extraneous information, keeping only the exception name and the logic behind the exception.

alt+shift+cmd+a: Alert Name Format

  • This hotkey takes the host name saved with the First Text hotkey and puts a pipe( | ) between it and the alert name that is copied.
  • This will also put a second host name after the first if one is saved with the Extra Text 1 hotkey.
  • If nothing is stored with the First Text hotkey, it will put Multiple Hosts in its place.

About

Tools to help me analyze faster