diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py
index 856eb5115..ea7cbbfb8 100644
--- a/global_helpers/panther_base_helpers.py
+++ b/global_helpers/panther_base_helpers.py
@@ -521,9 +521,11 @@ def is_base64(b64: str) -> str:
 # handle false positives for very short strings
 if len(b64) < 12:
 return ""
+ # Pad args with "=" to ensure proper decoding
+ b64 = b64.ljust((len(b64) + 3) // 4 * 4, "=")
 # Check if the matched string can be decoded back into ASCII
 try:
- return b64decode(b64).decode("ascii")
+ return b64decode(b64, validate=True).decode("ascii")
 except AsciiError:
 pass
 except UnicodeDecodeError:
diff --git a/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.py b/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.py
index 56b2d4683..1690a5e8f 100644
--- a/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.py
+++ b/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.py
@@ -25,8 +25,9 @@ def rule(event):
 # Split arguments from process path
 command_line_args = event.udm("cmd")
- command_line_args = command_line_args.replace('"', "")
- command_line_args = command_line_args.replace("'", "")
+ command_line_args = command_line_args.replace('"', " ")
+ command_line_args = command_line_args.replace("'", " ")
+ command_line_args = command_line_args.replace("=", " ")
 command_line_args = command_line_args.split(" ")[1:]
 
 # Check if Base64 encoded arguments are present in the command line
diff --git a/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml b/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml
index 049bd1ccf..41f7a8b98 100644
--- a/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml
+++ b/rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml
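Review bot: The new `ljust` line pads to the next multiple of four regardless of the input's residue, so a token whose length is 1 mod 4 receives three `=` characters, which is never valid Base64; the function then depends on `b64decode` raising the error that the `except AsciiError` clause catches (presumably a `binascii.Error` alias imported outside the hunk). Rejecting that case explicitly keeps the intent visible and does not rely on the decoder's error path: `if len(b64) % 4 == 1: return ""` placed before the padding line. The comment above the padding could also say why padding is re-added, since the CrowdStrike rule in this same commit replaces `=` with spaces before calling: `# Re-add "=" padding: callers may have stripped it from the argument`. The rest of is_base64 lies outside the hunk.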
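Review bot: Replacing the quote characters with a space instead of deleting them changes what `split(" ")[1:]` drops: a command line that starts with a quoted executable now begins with a space, so the first token is the empty string and the executable path becomes the first element examined as an argument instead of being skipped. The new negative fixture in this commit still passes, presumably because `C:\Windows\system32\cmd.exe` contains characters outside the Base64 alphabet, but a quoted path consisting only of alphabet characters would be handed to is_base64. Splitting on runs of whitespace restores the original intent and also discards the empty tokens that the `=` replacement creates: `command_line_args = command_line_args.split()[1:]`. The rest of rule() is outside the hunk.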
@@ -502,6 +502,67 @@ Tests:
 "timestamp": "2023-04-24 20:33:36.719",
 }
 - Name: Command Line Tool Execution without Base64 Argument (Negative) 6
+ ExpectedResult: false
+ Log:
+ {
+ "ConfigBuild": "1007.3.0016606.11",
+ "ConfigStateHash": "3645117824",
+ "Entitlements": "15",
+ "TreeId": "4295752857",
+ "aid": "877761efa8db44d792ddc2redacted",
+ "aip": "1.1.1.1",
+ "cid": "cfe698690964434083fecdredacted",
+ "event":
+ {
+ "AuthenticationId": "293628",
+ "AuthenticodeHashData": "98a4762f52a",
+ "CommandLine": '"C:\Windows\system32\cmd.exe" /Q /C ""C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0\uninstall.cmd" --dir="C:\Program Files (x86)\Google\GoogleUpdater\128.0.6537.0""',
+ "ConfigBuild": "1007.3.0016606.11",
+ "ConfigStateHash": "3645117824",
+ "EffectiveTransmissionClass": "2",
+ "Entitlements": "15",
+ "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+ "ImageSubsystem": "3",
+ "IntegrityLevel": "12288",
+ "MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
+ "ParentAuthenticationId": "293628",
+ "ParentBaseFileName": "pwsh.exe",
+ "ParentProcessId": "4370948876",
+ "ProcessCreateFlags": "1024",
+ "ProcessEndTime": "",
+ "ProcessParameterFlags": "24577",
+ "ProcessStartTime": "1682368414.719",
+ "ProcessSxsFlags": "64",
+ "RawProcessId": "3120",
+ "SHA1HashData": "0000000000000000000000000000000000000000",
+ "SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
+ "SessionId": "2",
+ "SignInfoFlags": "8683538",
+ "SourceProcessId": "4370948876",
+ "SourceThreadId": "112532918543",
+ "Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
+ "TargetProcessId": "10413665481",
+ "TokenType": "1",
+ "TreeId": "4295752857",
+ "UserSid": "S-1-5-21-239183934-720705223-383019856-500",
+ "aid": "877761efa8db44d792ddc2redacted",
+ "aip": "1.1.1.1",
+ "cid": "cfe698690964434083fecdredacted",
+ "event_platform": "Win",
+ "event_simpleName": "ProcessRollup2",
+ "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+ "name": "ProcessRollup2V19",
+ "timestamp": "1682368416719",
+ },
+ "event_platform": "Win",
+ "event_simpleName": "ProcessRollup2",
+ "fdr_event_type": "ProcessRollup2",
+ "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+ "name": "ProcessRollup2V19",
+ "p_log_type": "Crowdstrike.FDREvent",
+ "timestamp": "2023-04-24 20:33:36.719",
+ }
+ - Name: Command Line Tool Execution without Base64 Argument (Negative) 7
 ExpectedResult: false
 Log:
 {
@@ -562,3 +623,125 @@ Tests:
 "p_log_type": "Crowdstrike.FDREvent",
 "timestamp": "2023-04-24 20:33:36.719",
 }
+ - Name: base64 quoted argument
+ ExpectedResult: true
+ Log:
+ {
+ "ConfigBuild": "1007.3.0016606.11",
+ "ConfigStateHash": "3645117824",
+ "Entitlements": "15",
+ "TreeId": "4295752857",
+ "aid": "877761efa8db44d792ddc2redacted",
+ "aip": "1.1.1.1",
+ "cid": "cfe698690964434083fecdredacted",
+ "event":
+ {
+ "AuthenticationId": "293628",
+ "AuthenticodeHashData": "98a4762f52a",
+ "CommandLine": '/usr/bin/somebinary --b64="aGVsbG8taXMtaXQtbWUteW91cmUtbG9va2luZy1mb3IK"',
+ "ConfigBuild": "1007.3.0016606.11",
+ "ConfigStateHash": "3645117824",
+ "EffectiveTransmissionClass": "2",
+ "Entitlements": "15",
+ "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+ "ImageSubsystem": "3",
+ "IntegrityLevel": "12288",
+ "MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
+ "ParentAuthenticationId": "293628",
+ "ParentBaseFileName": "pwsh.exe",
+ "ParentProcessId": "4370948876",
+ "ProcessCreateFlags": "1024",
+ "ProcessEndTime": "",
+ "ProcessParameterFlags": "24577",
+ "ProcessStartTime": "1682368414.719",
+ "ProcessSxsFlags": "64",
+ "RawProcessId": "3120",
+ "SHA1HashData": "0000000000000000000000000000000000000000",
+ "SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
+ "SessionId": "2",
+ "SignInfoFlags": "8683538",
+ "SourceProcessId": "4370948876",
+ "SourceThreadId": "112532918543",
+ "Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
+ "TargetProcessId": "10413665481",
+ "TokenType": "1",
+ "TreeId": "4295752857",
+ "UserSid": "S-1-5-21-239183934-720705223-383019856-500",
+ "aid": "877761efa8db44d792ddc2redacted",
+ "aip": "1.1.1.1",
+ "cid": "cfe698690964434083fecdredacted",
+ "event_platform": "Win",
+ "event_simpleName": "ProcessRollup2",
+ "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+ "name": "ProcessRollup2V19",
+ "timestamp": "1682368416719",
+ },
+ "event_platform": "Win",
+ "event_simpleName": "ProcessRollup2",
+ "fdr_event_type": "ProcessRollup2",
+ "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+ "name": "ProcessRollup2V19",
+ "p_log_type": "Crowdstrike.FDREvent",
+ "timestamp": "2023-04-24 20:33:36.719",
+ }
+ - Name: base64 prefixed argument
+ ExpectedResult: true
+ Log:
+ {
+ "ConfigBuild": "1007.3.0016606.11",
+ "ConfigStateHash": "3645117824",
+ "Entitlements": "15",
+ "TreeId": "4295752857",
+ "aid": "877761efa8db44d792ddc2redacted",
+ "aip": "1.1.1.1",
+ "cid": "cfe698690964434083fecdredacted",
+ "event":
+ {
+ "AuthenticationId": "293628",
+ "AuthenticodeHashData": "98a4762f52a",
+ "CommandLine": '/usr/bin/somebinary --b64=aGVsbG8taXMtaXQtbWUteW91cmUtbG9va2luZy1mb3==',
+ "ConfigBuild": "1007.3.0016606.11",
+ "ConfigStateHash": "3645117824",
+ "EffectiveTransmissionClass": "2",
+ "Entitlements": "15",
+ "ImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+ "ImageSubsystem": "3",
+ "IntegrityLevel": "12288",
+ "MD5HashData": "c031e215b8b08c752bf362f6d4c5d3ad",
+ "ParentAuthenticationId": "293628",
+ "ParentBaseFileName": "pwsh.exe",
+ "ParentProcessId": "4370948876",
+ "ProcessCreateFlags": "1024",
+ "ProcessEndTime": "",
+ "ProcessParameterFlags": "24577",
+ "ProcessStartTime": "1682368414.719",
+ "ProcessSxsFlags": "64",
+ "RawProcessId": "3120",
+ "SHA1HashData": "0000000000000000000000000000000000000000",
+ "SHA256HashData": "840e1f9dc5a29bebf01626822d7390251e9cf05bb3560ba7b68bdb8a41cf08e3",
+ "SessionId": "2",
+ "SignInfoFlags": "8683538",
+ "SourceProcessId": "4370948876",
+ "SourceThreadId": "112532918543",
+ "Tags": "25, 27, 40, 151, 874, 924, 12094627905582, 12094627906234, 211106232533012, 263882790666253",
+ "TargetProcessId": "10413665481",
+ "TokenType": "1",
+ "TreeId": "4295752857",
+ "UserSid": "S-1-5-21-239183934-720705223-383019856-500",
+ "aid": "877761efa8db44d792ddc2redacted",
+ "aip": "1.1.1.1",
+ "cid": "cfe698690964434083fecdredacted",
+ "event_platform": "Win",
+ "event_simpleName": "ProcessRollup2",
+ "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+ "name": "ProcessRollup2V19",
+ "timestamp": "1682368416719",
+ },
+ "event_platform": "Win",
+ "event_simpleName": "ProcessRollup2",
+ "fdr_event_type": "ProcessRollup2",
+ "id": "b0c07877-f288-49f8-8cb3-150149a557b2",
+ "name": "ProcessRollup2V19",
+ "p_log_type": "Crowdstrike.FDREvent",
+ "timestamp": "2023-04-24 20:33:36.719",
+ }
diff --git a/rules/standard_rules/standard_dns_base64.yml b/rules/standard_rules/standard_dns_base64.yml
index a9399f864..4d5b479d1 100644
--- a/rules/standard_rules/standard_dns_base64.yml
+++ b/rules/standard_rules/standard_dns_base64.yml
@@ -210,6 +210,6 @@ Tests:
 "externalIp": "136.24.229.58",
 "timestamp": "2020-05-21 19:20:25.000",
 "responseCode": "NOERROR",
- "domain": "c29tZSBsb25nIGJhc2.example.io.",
+ "domain": "c29tZSBsb25IGJhc2.example.io.",
 "p_log_type": "CiscoUmbrella.DNS",
 }
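Review bot: The replacement label `c29tZSBsb25IGJhc2` is 17 characters, a length that no amount of `=` padding makes decodable, so this case now stays negative for a different reason than the original 18-character label, which the helper's new padding would presumably turn into a decodable ASCII string. If the original label is meant to be detected after this commit, keeping it in a separate positive case would record that behaviour instead of silently retiring it, and renaming this case to say what it covers would help, e.g. `Name: Base64-looking label of invalid length (Negative)`. The Name and ExpectedResult lines for this case are outside the hunk.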