twigs can be installed using ‘pip’ as below:
sudo pip install twigs
or using one of the cloud ready images.
Learn about several advanced features such as policy driven enforcement, CI / CD integrations and power mode features.
Learn how you can discover all of your cloud compute instances for AWS, Azure, GCP and serverless functions.
Learn how to discover your third party code dependencies as well as run local checks using twigs for first party code.
Represent assets, whether they are code, cloud or container, using SBOM ingestion and track first- and third-party risk.
Learn how you can discover your ACR, ECR and GCP registries and Docker container images.
Learn how to discover your servers and endpoints (laptops/workstations), VMware deployments and Kubernetes clusters.
- FAQ and Integrations
Here are some common troubleshooting tips for twigs:
• Twigs generates a log file called twigs.log in the current working directory. You can look at this file for any error or warning messages.
• Twigs can export all discovered assets to a specified JSON file using the “--out” switch. You can view/edit this file if needed.
• If the host running twigs has no connectivity to the internet, then twigs will be unable to automatically push the discovered assets to your ThreatWorx instance. Restore internet connectivity and then run twigs again. Note you can also import the generated JSON file if needed.
If you observe any issues with twigs, please write to us at support@threatwatch.io and we would be happy to help.
- Corporate Assets Discovery
Windows assets can be discovered using the twigs PowerShell script (twigs.ps1). The twigs PowerShell script for Windows discovery is digitally signed for security reasons. You can discover local or remote Windows hosts using the twigs PowerShell script.

Steps
Follow the steps below to perform discovery of Windows assets using the twigs PowerShell script:
• Log on to the Windows machine for discovery.
• Download the twigs PowerShell script from here.
• Install the signing certificate for the PowerShell script:
  • Right-click the PowerShell script in Windows Explorer and select Properties.
  • In the Properties window, click on the “Digital Signatures” tab.
  • In the “Signature List” table, select the row for “ThreatWorx”.
  • Click on “Details” and then “View Certificate”.
  • Click on “Install Certificate…” to install the certificate for “Local Machine” in the “Trusted Root Certificate Authorities” and “Trusted Publishers” stores.
• Note you will need an API token key to perform discovery.
• Please ensure that the ExecutionPolicy allows running PowerShell scripts. To view the current execution policy, run ‘Get-ExecutionPolicy’. Refer to the note below for details on how to change it.
• The typical command parameters to the twigs PowerShell script are as below:
  .\twigs.ps1 [[-mode] <String>] [[-remote_hosts_csv] <String>] [[-host_list] <String>] [[-password] <String>] [-handle] <String> [[-token] <String>] [[-instance] <String>] [[-out] <String>] [[-assetid] <String>] [[-assetname] <String>] [[-tags] <String[]>] [-tag_critical] [-no_scan] [-email_report] [<CommonParameters>]
• To view the above help run ‘.\twigs.ps1 -?’, or for the detailed help message run ‘Get-Help .\twigs.ps1 -detailed’.
• For remote host discovery, you need to specify the remote Windows host details in a CSV file. This CSV file has the format as below:
  hostname,userlogin,userpwd
  <Windows machine name or IP or CIDR>,<Login ID>,<Password>
  MyWindowsMachine,MyWindowsDomain\MyWindowsUser,MyWindowsUserPassword
• Note it is recommended that you secure the password in the CSV file by using the ‘-host_list’ option provided by the twigs PowerShell script.
• Specify the appropriate arguments and run the twigs PowerShell script.
Note you may need to relax the execution policy for PowerShell scripts on your Windows box. Typically you can set it using Set-ExecutionPolicy as below:
Set-ExecutionPolicy RemoteSigned
or
Set-ExecutionPolicy AllSigned
- Source Code Discovery
Overview
Twigs can discover your source code as an asset. For a quick primer, read this. You can discover all repositories for a GitHub Enterprise Organization. Note you need to have the GitHub CLI “gh” installed.
Supported package / dependency managers for source code discovery are:
• Python [pip]
• JavaScript [npm, yarn]
• Ruby [ruby]
• Java [maven, gradle, jar]
• .NET/C# [nuget]
• DLL (* for vulnerability assessment only)
• Rust [cargo]
There are multiple functionalities provided as below:
• Identify vulnerabilities – This helps you identify any vulnerabilities in 3rd party libraries / packages used in your source code project. You can indicate to twigs whether you are interested in tracking vulnerabilities in direct (shallow level) or indirect (deep level) dependencies.
• License compliance – You need to know how the licensing of the open source components (libraries/packages) used in your software project impacts you. For example, one cannot release a commercial software product built using open source components with a restrictive license.
• Code secrets – Twigs can be used to identify any secrets that are inadvertently embedded in your source code. Twigs can identify secrets using any or all of the three approaches mentioned below:
  • Entropy – Detect secrets by automatically identifying high entropy strings in your source code.
  • Regular Expressions – twigs provides support for regular expressions for identifying standard secrets (like OAuth tokens, JWT tokens, etc.). You can specify your own custom regular expressions in a file if needed.
  • Common Passwords – twigs provides support for identifying common passwords from a top 500 common passwords list. You can provide your own common passwords file, if needed.
• Static Application Security Testing (SAST) – You can perform SAST checks on your source code projects.
• Infrastructure as Code (IaC) security tests on cloudformation, terraform, kubernetes, serverless, arm, terraform_plan and helm templates.

Pre-requisites
For static code analysis (SAST) tests, twigs uses an open source tool called semgrep. For more information on semgrep and how to download it, refer to this link. For security checks in your infrastructure-as-code (IaC), twigs uses an open source tool called checkov. For more information on checkov and how to download it, refer to this link.

Steps involved
The steps involved to discover your source code as an asset are as below:
• Open a new shell / terminal.
• Check that twigs is installed and running properly by running the command below:
  twigs ghe -h
• You can run the command as below:
  twigs ghe --gh_org GH_ORG [--type {pip,ruby,yarn,nuget,npm,maven,gradle,dll,jar,cargo}] [--level {shallow,deep}] [--include_unused_dependencies] [--assetid ASSETID] [--assetname ASSETNAME] [--secrets_scan] [--enable_entropy] [--regex_rules_file REGEX_RULES_FILE] [--check_common_passwords] [--common_passwords_file COMMON_PASSWORDS_FILE] [--include_patterns INCLUDE_PATTERNS] [--include_patterns_file INCLUDE_PATTERNS_FILE] [--exclude_patterns EXCLUDE_PATTERNS] [--exclude_patterns_file EXCLUDE_PATTERNS_FILE] [--mask_secret] [--no_code] [--sast] [--iac_checks]
After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered asset from your source code.

Pro Tips:
• For certain dependency managers like npm, you can control the dependency levels to inspect by using the --level [shallow|deep] option.
• twigs can determine the type of dependency manager by looking at the source code. But in case you want twigs to discover dependencies of a certain type, you can use the --type option.
• For certain technologies (like npmjs), only used direct dependencies are considered by default (i.e. dependencies referenced in the source code). Use the --include_unused_dependencies switch to consider all dependencies; note this may introduce false positives.
• Secrets such as tokens, keys etc. embedded in the source code can be found using the --secrets_scan option. A default set of regex rules is used for this, which can be substituted with your own regex rules file. A more advanced (but noisy) way is to use --enable_entropy to detect secrets based on text patterns.
• The --mask_secret option will hide any secret strings that are collected from the source code.
• The --no_code option will prevent any code snippet from being collected or transmitted as part of the discovery. The source file and line numbers will still be collected and transmitted.
• Common passwords embedded in source code can be scanned for using the --check_common_passwords option. You may provide your own list of common passwords as a simple text file using the --common_passwords_file option.
• The include_ and exclude_ options can be used to specify or skip certain file name patterns or directories while scanning the source code repository.
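The three secret-detection approaches described above (entropy, regex rules, common passwords) and the effect of masking, shown as an added illustration that is not twigs' own code: the sample source lines, the regex rules, the password list and the 20-character / 4.0-bit entropy threshold are all constructed here for the demo and are not twigs' actual defaults.

```python
import math
import re

# Constructed sample source lines (not from the page); line numbers are 1-based.
SAMPLE_SOURCE = '''db_password = "password123"
aws_key = "AKIAEXAMPLEKEY123456"
token = "Zq8Lm3Xp7Vt2Rk9Hn5Wb4Jc6Yd1Fg0Sa"
greeting = "hello world"
'''

# Hypothetical regex rules modelled on the "standard secrets" the page lists.
REGEX_RULES = {
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}
# Constructed stand-in for the "top 500 common passwords" list.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty"}
STRING_LITERAL = re.compile(r'"([^"]+)"')
ENTROPY_MIN_LEN, ENTROPY_THRESHOLD = 20, 4.0  # short strings are mostly noise


def shannon_entropy(s: str) -> float:
    """Bits per character; a string of 32 distinct characters scores 5.0."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def mask(secret: str) -> str:
    """Equivalent of --mask_secret: keep the first four characters only."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan(source, enable_entropy=True, check_common=True):
    """Return findings as (line_no, method, masked_value) tuples."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, rule in REGEX_RULES.items():
            for m in rule.finditer(line):
                findings.append((line_no, "regex:" + name, mask(m.group(0))))
        for literal in STRING_LITERAL.findall(line):
            if check_common and literal.lower() in COMMON_PASSWORDS:
                findings.append((line_no, "common-password", mask(literal)))
            if (enable_entropy and len(literal) >= ENTROPY_MIN_LEN
                    and shannon_entropy(literal) > ENTROPY_THRESHOLD):
                findings.append((line_no, "entropy", mask(literal)))
    return findings
```

Note that the AWS-style key on line 2 is caught by the regex rule but not by entropy (its character distribution scores below 4.0 bits), which is why the page calls entropy the noisier, complementary approach rather than a replacement for regex rules.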