add fixed decoded data output as preview_upload method (Velocidex#2663)
Fix CobaltStrike parser DecodedData output and change it to the preview_upload
format

![image](https://user-images.githubusercontent.com/13081800/236494843-5caf5597-4e37-4ee0-8d99-24a28e146552.png)
mgreen27 authored May 6, 2023
1 parent 4b6b750 commit 5cb5708
Showing 2 changed files with 43 additions and 17 deletions.
32 changes: 17 additions & 15 deletions artifacts/definitions/Windows/Carving/CobaltStrike.yaml
Expand Up @@ -456,7 +456,7 @@ sources:
LET ByteConfiguration = SELECT Rule,
len(list=TargetBytes) as Size,
hash(path=TargetBytes,accessor='data') as Hash,
--String.Offset as Offset,
format(format="%v_%v.bin", args=[Rule,String.Offset]) as _DecodedDataName,
Xor,_Data,
Rule as _Group
FROM switch( -- switchcase will find beacon as priority, then search for shellcode
Expand All @@ -480,8 +480,7 @@ sources:
rules=FindShellcode, number=99)
},
section_encoded_pe = {
SELECT
FullPath,Size,
SELECT *,
'Embedded data section: ' + Rule as Rule,
substr(start=0,end=1,str=String.Data) as Xor,
read_file(accessor='data',
Expand All @@ -497,8 +496,7 @@ sources:
accessor='data', rules=FindConfig, number=99)
},
section_encoded_stager = {
SELECT
FullPath,Size,
SELECT *,
'' as Xor,
'Embedded data section: ' + Rule as Rule,
read_file(accessor='data',
Expand Down Expand Up @@ -532,7 +530,8 @@ sources:
FullPath, Size,
hash(path=FullPath) as Hash,
Xor,_Data,
Rule + '|' + FullPath.String as _Group
Rule + '|' + FullPath.String as _Group,
format(format="%v_%v_%v.bin", args=[Rule,FullPath,String.Offset]) as _DecodedDataName
FROM switch( -- switchcase will find beacon as priority, then search for shellcode
beacon = {
SELECT *,
Expand All @@ -551,8 +550,7 @@ sources:
},
section_encoded_pe = {
SELECT
FullPath,Size,
SELECT *,
'Embedded data section: ' + Rule as Rule,
substr(start=0,end=1,str=String.Data) as Xor,
read_file(accessor='data',filename=File.OSPath,
Expand All @@ -565,8 +563,7 @@ sources:
accessor='data', rules=FindConfig, number=99)
},
section_encoded_stager = {
SELECT
FullPath,Size,
SELECT *,
'' as Xor,
'Embedded data section: ' + Rule as Rule,
read_file(accessor='data',
Expand Down Expand Up @@ -608,7 +605,7 @@ sources:
query={
SELECT Rule,
Pid, ProcessName, CommandLine,
--String.Offset as Offset,
format(format="%v_%v_%v_%v.bin", args=[Rule,ProcessName,Pid,String.Offset]) as _DecodedDataName,
Xor,_Data,_Group
FROM switch( -- switchcase will find beacon as priority, then search for shellcode
beacon = {
Expand Down Expand Up @@ -679,10 +676,11 @@ sources:
-- add decoded data seperate to keep pretty output
LET output_decoded_data = SELECT *,
format(format="% x",
args=if(condition= Rule='cobalt_strike_beacon',
then=xor(string=_Data,key=Xor),
else=_Data)) as DecodedData
upload(accessor = 'data',
file = if(condition = Rule='cobalt_strike_beacon',
then = xor(string=_Data,key=unhex(string=Xor)),
else = _Data),
name = _DecodedDataName) as DecodedData
FROM results
LET cleanup(config) = to_dict(item=
Expand All @@ -709,3 +707,7 @@ sources:
else= results)
GROUP BY _Group
}, exclude=["_Data","_Group"])
column_types:
- name: DecodedData
type: preview_upload
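Review bot: The upload names built by `format(format="%v_%v_%v.bin", args=[Rule,FullPath,String.Offset]) as _DecodedDataName` in the file source (and the Rule-based equivalents in the other two sources) take Rule after the section_encoded_pe/section_encoded_stager branches have rewritten it to `'Embedded data section: ' + Rule`, so those uploads are named with spaces and a colon, and in the file source FullPath adds path separators on top of that. If the server stores or exports uploads under that name, these characters are likely to be mangled or to nest the file, so a sanitized name such as `regex_replace(source=format(...), re='[^A-Za-z0-9_.-]', replace='_')` would keep the decoded-data uploads flat and portable. The new `column_types:` block is appended right after the last source's query, but it must sit at the artifact's root level next to `sources:`, which the stripped indentation on this page cannot confirm. The LET definitions these hunks modify start outside the visible hunks.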
