bugfix for base64 encoded arguments (#1295)
* bugfix for base64 encoded arguments

* split on quotes and spaces for better coverage

* additional edge cases and tests

* adjust

* move padding to is_base64 helper

* re-added root command exclusion
arielkr256 authored Jul 23, 2024
1 parent e894362 commit 990bbe3
Showing 4 changed files with 190 additions and 4 deletions.
4 changes: 3 additions & 1 deletion global_helpers/panther_base_helpers.py
Expand Up @@ -521,9 +521,11 @@ def is_base64(b64: str) -> str:
# handle false positives for very short strings
if len(b64) < 12:
return ""
# Pad args with "=" to ensure proper decoding
b64 = b64.ljust((len(b64) + 3) // 4 * 4, "=")
# Check if the matched string can be decoded back into ASCII
try:
return b64decode(b64).decode("ascii")
return b64decode(b64, validate=True).decode("ascii")
except AsciiError:
pass
except UnicodeDecodeError:
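Review bot: The new padding line `b64 = b64.ljust((len(b64) + 3) // 4 * 4, "=")` produces three `=` for any input whose length is 1 mod 4, which is never valid base64; with `validate=True` that decode raises `binascii.Error`, so those inputs are rejected cleanly only if `AsciiError` is an alias of `binascii.Error` (its import is above the hunk — worth confirming, otherwise the error escapes the helper instead of returning the empty string). A comment would make the intent explicit: `# a length of 1 mod 4 pads to "===", which the validating decode below rejects on purpose`. Note also that `validate=True` limits matches to the standard alphabet, so URL-safe base64 (`-`/`_`) is now never detected; if that variant is in scope, normalise first with `b64.translate(str.maketrans("-_", "+/"))` before decoding. The flag does fix the previous behaviour of silently discarding non-alphabet characters before decoding, which was a source of false positives. `is_base64` continues outside the hunk.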
5 changes: 3 additions & 2 deletions rules/crowdstrike_rules/crowdstrike_base64_encoded_args.py
Expand Up @@ -25,8 +25,9 @@ def rule(event):

# Split arguments from process path
command_line_args = event.udm("cmd")
command_line_args = command_line_args.replace('"', "")
command_line_args = command_line_args.replace("'", "")
command_line_args = command_line_args.replace('"', " ")
command_line_args = command_line_args.replace("'", " ")
command_line_args = command_line_args.replace("=", " ")
command_line_args = command_line_args.split(" ")[1:]

# Check if Base64 encoded arguments are present in the command line
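Review bot: The root-command exclusion `command_line_args.split(" ")[1:]` is defeated whenever the command line begins with a quoted path: the opening `"` is now replaced by a space, `str.split(" ")` keeps the resulting empty first token, and index 1 becomes the executable itself (the new Negative 6 fixture `"C:\Windows\system32\cmd.exe" /Q /C ...` takes exactly this path and presumably only stays negative because `:` and `\` fail the validating decode). The same run-of-spaces effect also feeds an empty string into the argument list after every quote or `=` that is followed by a space. Splitting on whitespace instead, `command_line_args = command_line_args.split()[1:]`, drops the empty tokens and restores the exclusion. If nothing above the hunk guards a missing `cmd`, `event.udm("cmd")` returning `None` would also raise on the first `.replace`. `rule` starts and ends outside the hunk.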
183 changes: 183 additions & 0 deletions rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml
Expand Up @@ -502,6 +502,67 @@ Tests:
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution without Base64 Argument (Negative) 6
ExpectedResult: false
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": '"C:\Windows\system32\cmd.exe" /Q /C ""C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\uninstall.cmd" --dir="C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0""',
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: Command Line Tool Execution without Base64 Argument (Negative) 7
ExpectedResult: false
Log:
{
Expand Down Expand Up @@ -562,3 +623,125 @@ Tests:
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: base64 quoted argument
ExpectedResult: true
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": '/usr/bin/somebinary --b64="aGVsbG8taXMtaXQtbWUteW91cmUtbG9va2luZy1mb3IK"',
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
- Name: base64 prefixed argument
ExpectedResult: true
Log:
{
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"Entitlements": "15",
"TreeId": "4295752857",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event":
{
"AuthenticationId": "293628",
"AuthenticodeHashData": "98a4762f52a",
"CommandLine": '/usr/bin/somebinary --b64=aGVsbG8taXMtaXQtbWUteW91cmUtbG9va2luZy1mb3==',
"ConfigBuild": "1007.3.0016606.11",
"ConfigStateHash": "3645117824",
"EffectiveTransmissionClass": "2",
"Entitlements": "15",
"ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"ImageSubsystem": "3",
"IntegrityLevel": "12288",
"MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
"ParentAuthenticationId": "293628",
"ParentBaseFileName": "pwsh.exe",
"ParentProcessId": "4370948876",
"ProcessCreateFlags": "1024",
"ProcessEndTime": "",
"ProcessParameterFlags": "24577",
"ProcessStartTime": "1682368414.719",
"ProcessSxsFlags": "64",
"RawProcessId": "3120",
"SHA1HashData": "0000000000000000000000000000000000000000",
"SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
"SessionId": "2",
"SignInfoFlags": "8683538",
"SourceProcessId": "4370948876",
"SourceThreadId": "112532918543",
"Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
"TargetProcessId": "10413665481",
"TokenType": "1",
"TreeId": "4295752857",
"UserSid": "S-1-5-21-239183934-720705223-383019856-500",
"aid": "877761efa8db44d792ddc2redacted",
"aip": "1.1.1.1",
"cid": "cfe698690964434083fecdredacted",
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"timestamp": "1682368416719",
},
"event_platform": "Win",
"event_simpleName": "ProcessRollup2",
"fdr_event_type": "ProcessRollup2",
"id": "b0c07877-f288-49f8-8cb3-150149a557b2",
"name": "ProcessRollup2V19",
"p_log_type": "Crowdstrike.FDREvent",
"timestamp": "2023-04-24 20:33:36.719",
}
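Review bot: The two new positive fixtures (`base64 quoted argument`, `base64 prefixed argument`) exercise `--b64="…"` and `--b64=…` on a Unix-style command line, but none of the added tests covers a quoted executable path followed by a base64 argument — the case where the quote-to-space rewrite shifts which token the root-command exclusion drops. A fixture such as `"CommandLine": '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand aGVsbG8taXMtaXQtbWUteW91cmUtbG9va2luZy1mb3IK'` with `ExpectedResult: true`, plus a negative counterpart with the same quoted path and no encoded argument, would pin that behaviour. The new fixtures also reuse the Windows `ProcessRollup2` envelope (`event_platform: Win`, `ImageFileName: …powershell.exe`, `ParentBaseFileName: pwsh.exe`) around a `/usr/bin/somebinary` command line; harmless if the rule only reads `cmd`, but misleading if the UDM mapping ever keys on platform or image.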
2 changes: 1 addition & 1 deletion rules/standard_rules/standard_dns_base64.yml
Expand Up @@ -210,6 +210,6 @@ Tests:
"externalIp": "136.24.229.58",
"timestamp": "2020-05-21 19:20:25.000",
"responseCode": "NOERROR",
"domain": "c29tZSBsb25nIGJhc2.example.io.",
"domain": "c29tZSBsb25IGJhc2.example.io.",
"p_log_type": "CiscoUmbrella.DNS",
}
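Review bot: Shortening the fixture label from `c29tZSBsb25nIGJhc2` (18 characters, which the helper now pads to `c29tZSBsb25nIGJhc2==` and decodes to the ASCII text `some long bas`) to the 17-character `c29tZSBsb25IGJhc2` makes it fail for a different reason — 17 mod 4 is 1, so padding yields `===` and the validating decode rejects it — rather than asserting on the original case. If this is a negative test (its `ExpectedResult` is above the hunk), the edit suggests the unconditional padding in `is_base64` now flags any alphabet-only DNS label of 12 or more characters whose length is not 1 mod 4 and whose decoded bytes happen to be ASCII, which is a real sensitivity change for a DNS rule. Either keep the original label with an updated expectation so the change is visible in the suite, or add a comment explaining the substitution, e.g. `# 17 chars: a length of 1 mod 4 can never be valid base64, so the helper must reject it`.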
