Skip to content

CybercentreCanada/assemblyline-service-frankenstrings

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

521 Commits

.vscode

.vscode

 
 

frankenstrings

frankenstrings

 
 

pipelines

pipelines

 
 

tests

tests

 
 

.dockerignore

.dockerignore

 
 

.gitignore

.gitignore

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

Dockerfile

Dockerfile

 
 

LICENCE.md

LICENCE.md

 
 

README.md

README.md

 
 

pkglist.txt

pkglist.txt

 
 

requirements.txt

requirements.txt

 
 

service_manifest.yml

service_manifest.yml

 
 

Repository files navigation

FrankenStrings Service

NOTE: This service does not require you to buy any licence and is preinstalled and working after a default installation.

When not in deep scan mode, this AL service will skip detection modules based on a submitted file's size (to prevent service backlog and timeouts). The defaults are intentionally set at low sizes. Filters can be easily changed in the service configuration, based on the amount of traffic/hardware your AL instance is running.

Service Configuration

  • max_size: Maximum size of submitted file for this service
  • max_length: String length maximum. Used in basic ASCII and UNICODE modules
  • st_max_size: String list maximum size. List produced by basic ASCII and UNICODE module results, and will determine if patterns.py will only evaluate network IOC patterns
  • bb_max_size: BBcrack maximum size of submitted file to run module

Service Details

  1. String Extraction:

    • ASCII and unicode string IOC checking. (see patterns.py)
    • Balbuzard's bbcrack level 1 (level 2 for deep scan) XOR transform modules. Matches specific IOCs only (see patterns.py, bbcrack.py)
    • Base64 string extract

  2. File Extraction:

    • Balbuzard's bbcrack level 1 (level 2 for deep scan) XOR transform modules. (Searches for PE files only)
    • Base64 module search for file types of interest (see frankenstrings.py)
    • Embedded PE file extraction
    • Unicode, Hex, Ascii-Hex extraction modules (for possible shellcode)

Result Output

  1. Static Strings (ASCII, UNICODE, BASE64):
    • Tag strings matching IOC patterns of interest
    • Decoded BASE64. Extract content over 200 bytes, otherwise combine all decoded content and extract in single text file
  2. Embedded PE files:
    • Extract PE files embedded in the file
    • Extract reversed PE files embedded in the file
  3. ASCII Hex Strings:
    • Content extraction of ascii hex data successfully decoded (any data over 500 bytes)
    • Tag IOC pattern matching for any successfully decoded data
    • Tag URI pattern matching after custom brute force xor module (see bbcrack.py for added module)
  4. BBCrack XOR Strings:
    • Tag all strings matching IOC patterns of interest
    • Extract decoded XOR'd PE File

Licences

FIREEYE FLARE-FLOSS: See flarefloss/LICENSE.txt

BALBUZARD: BSD 2-Clause Licence, see top of balbuzard code files

About

Assemblyline 4 IOC and String extraction service

cybercentrecanada.github.io/assemblyline4_docs/

Topics

ioc malware-analysis string-extractor assemblyline

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

3 stars

Watchers

2 watching

Forks

5 forks
Report repository

Releases 79

v4.5.0.stable4 Latest
Apr 18, 2024
+ 78 releases

Packages

No packages published

Contributors 7

Languages