Skip to content

Use Cases and Examples

Jump to bottom Edit New page
askkemp edited this page Jul 29, 2017 · 7 revisions

Table of Contents

  1. Introduction
  2. Network vs. Standalone Instance
    2.1. Standalone Instance
    2.2. Network Instance
  3. Use Cases and Examples 3.1. Email with Attachment 3.2. RTF inside ZIP

Introduction

This page gives examples of the different types of ways that Laika BOSS can be used including sample output from the usage. We highly recommend using jq to parse the Laika JSON output. It will make reading and manipulating the output much easier. All examples on this page will be parsed with jq.

Network vs. Standalone Instance

A standalone instance of Liaka means that the files that need to be scanned are located on the scanner itself. A single command, laika.py, is used for the scan.

A network instance of Liaka means that files are located on a client and sent to a server using the Liaka code. On the client, the command cloudscan.py is used to send the file to the server which is running the Liaka daemon (laikad.py).

Standalone instance (laika.py)

From the directory containing the framework code, you may run the standalone scanner, laika.py, against any file you choose.

Note: If you move laika.py from its installed directory, then you'll have to specify various config locations. By default it uses the configurations in the ./etc directory.

The below is an example of running laika.py against a SWF file that is then parsed with jq.

$ ./laika.py ~/test_files/testfile.cws.swf | jq '.scan_result[] | { "file type" : .fileType, "flags" : .flags, "md5" : .objectHash }'
100%[############################################] Processed: 1/1 total files (Elapsed Time: 0:00:00) Time: 0:00:00
{
  "md5": "dffcc2464911077d8ecd352f3d611ecc",
  "flags": [],
  "file type": [
    "cws",
    "swf"
  ]
}
{
  "md5": "587c8ac651011bc23ecefecd4c253cd4",
  "flags": [],
  "file type": [
    "fws",
    "swf"
  ]
}

Networked instance (laikad.py + cloudscan.py)

In the network instance, you must first start the laika daemon laikad.py which will listen for connections from the client. Configuration for client listen port is found in etc/laikad/laikad.conf.

$ ./laikad.py

The client using cloudscan.py sends the file to the server. The client must be configured to point to the IP address and port of the server running laikad.py. The "broker_host" should be changed in file etc/cloudscan/cloudscan.conf to point to the correct destination. For example, the below points cloudscan to IP 10.1.1.200 port 5558:

 'broker_host': 'tcp://10.1.1.200:5558',

The below is an example scan of a SWF file that is then parsed with jq. The scanning of the file itself is occurring on the server running the laika daemon.

$ ./cloudscan.py ~/test_files/testfile.cws.swf | jq '.scan_result[] | { "file type" : .fileType, "flags" : .flags, "md5" : .objectHash }'
{
  "md5": "dffcc2464911077d8ecd352f3d611ecc",
  "flags": [],
  "file type": [
    "cws",
    "swf"
  ]
}
{
  "md5": "587c8ac651011bc23ecefecd4c253cd4",
  "flags": [],
  "file type": [
    "fws",
    "swf"
  ]
}

Use Cases and Examples

The best way to introduce Laika BOSS is to give several examples of its use.

Email with Attachment

In example one, you feed Laika an email with a Office document (OLE) attachment. Laika will parse the contents of the email and extract all of the message objects. In this case, it extracts a plain text object, an HTML object, and an Office Word attachment. Before moving on, it generates metadata about the email (e.g. email addreses, IPs, domains, etc.). Next Laika moves on and determines that the Word document is in OLE format so it extracts the OLE streams. In one one of the streams, a VBA macro is discoverd so Laika extracts that too. All objects feed into and extracted by Laika are scanned by Yara and ClamAV. The conclusion is an output of the scan results and collected metadata in JSON format. Optionally, Laika will place the extracted contents into a folder for manual review.

 +------------------------------------------+
 | EMAIL ---> Text                          |
 |       ---> HTML                          |  output  +-------------------------------+
 |       ---> OLE ---> stream 1             | -------> |  Logged scan results (JSON)   |
 |                ---> stream 2             |          |  Extracted objects (optional) |
 |                ---> stream 3 ---> macro  |          +-------------------------------+
 |                ---> stream 4             |
 +------------------------------------------+

RTF inside ZIP

You scan a ZIP file called MyArchive.zip. Laika extracts the single item from the ZIP file. It determines that the extracted item is an RTF. It extracts all of the embedded objects from the RTF of which one is an EXE. Liaka collects metadata on the EXE. The conclusion is an output of the scan results and collected metadata in JSON format. Optionally, Laika will place the extracted contents into a folder for manual review.

Example with Laika.py

The below output is running the same scan four times against the same file using a different jq command to give a basic example of how the chain of events occur for the scan. i.e. a single scan provides the same results as all of the below and the below is done in a repetitive way for illustration.

The first output, with a depth of zero, is the initial input file. It is "0" in the order and has no sourceModule.

$ laika.py MyArchive.zip | jq '.scan_result[]|select(.depth == 0)| .filename, .sourceModule, .order'
"/root/SAMPLES/MyArchive.zip"
""
0

The EXPLODE_ZIP (the sourceModule) module extracts an RTF from the zip and names it "e_zip_WordRTFdocx.rtf."

$ laika.py MyArchive.zip | jq '.scan_result[]|select(.depth == 1)| .filename, .sourceModule, .order'
"e_zip_WordRTFdocx.rtf"
"EXPLODE_ZIP"
1

The EXPLODE_RTF module extracts an ole package from the RTF and names it "e_rtf_object_00003171.olepackage."

$ laika.py MyArchive.zip  | jq '.scan_result[]|select(.depth == 2)| .filename, .sourceModule, .order'
"e_rtf_object_00003171.olepackage"
"EXPLODE_RTF"
2

The "META_PE" module creates metadata (not shown) and extracts objects from the PE file.

$ laika.py MyArchive.zip  | jq '.scan_result[]|select(.depth == 3)| .filename, .sourceModule, .order'
"b'.text'"
"META_PE"
3
"b'.rdata'"
"META_PE"
4
"b'.data'"
"META_PE"
5
"b'.pdata'"
"META_PE"
6
"b'.rsrc'"
"META_PE"
7
"b'.reloc'"
"META_PE"
8

Example with cloudscan.py

Optionally, using the Laika daemon and cloudscan with a return level of full, the files extracted during the scan will be placed in a folder along with a text file of the scan results. Notice in the below output that all the files shown in the above laika.py output is in a folder which can then be used for manual interaction with the files.

./cloudscan.py --level=full  ~/SAMPLES/MyArchive.zip
...
Writing results to ./def7ddaf-bfaf-4d16-a009-8a300db088bb

cd def7ddaf-bfaf-4d16-a009-8a300db088bb

ls -l | grep '>' | awk '{print $9}'
b'.data'
b'.pdata'
b'.rdata'
b'.reloc'
b'.rsrc'
b'.text'
e_rtf_object_00003171.olepackage  # This is an EXE and originated in the RTF
e_zip_WordRTFdocx.rtf             # This is the RTF that originated in the ZIP
MyArchive.zip

Diagram

The below diagram illustrates how the ZIP is exploded into its various pieces and logged.

 +-----------------------------------------------+  output  +-------------------------------+
 | ZIP ---> RTF ---> embedded object 1 ---> exe  | -------> |  Logged scan results (JSON)   |
 +-----------------------------------------------+          |  Extracted objects (optional) |
                                                            +-------------------------------+
Add a custom footer
Add a custom sidebar
Clone this wiki locally