Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rework base64 recognition to use python functions rather than regex #1146

Merged
merged 7 commits into from
Mar 15, 2024
Merged

Rework base64 recognition to use python functions rather than regex #1146

merged 7 commits into from
Mar 15, 2024

Conversation

arielkr256
Copy link
Contributor

Background

Regex for matching base64 encoded commands and domains was causing false positives because they were matching any ASCII word whose length was a multiple of 4. These are technically valid base64 encodings, but cannot be converted back into ASCII strings. This PR switches from regex to b64decode(arg).decode("ascii") which will throw an error if the base64 string cannot be converted into an ASCII string.

Changes

  • Updates Crowdstrike.Base64EncodedArgs and Standard.DNSBase64 to use new base64 recognition function
  • Updates CrowdStrike data model to maintain case sensitivity, which is necessary for base64 matching
  • Updates test cases to include strings which were causing false positives in the previous regex method

Testing

  • make test with new test cases

@arielkr256 arielkr256 requested review from a team March 12, 2024 17:45
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 12, 2024
edited

😱
looks like somethings could be wrong with the packs

[ERROR][root]: There are packs that are potentially missing detections: gcp_audit.yml: GCP.compute.instances.create.Privilege.Escalation,GCP.IAM.serviceAccounts.signJwt.Privilege.Escalation
<!-- thollander/actions-comment-pull-request "check-packs" -->

@arielkr256
Copy link
Contributor Author

This new method also has the added benefit of being able to return the decoded string.

@arielkr256 arielkr256 enabled auto-merge (squash) March 15, 2024 00:25
@arielkr256 arielkr256 merged commit 615b638 into release Mar 15, 2024
6 checks passed
@arielkr256 arielkr256 deleted the base64-recognition branch March 15, 2024 00:28
egibs pushed a commit that referenced this pull request Mar 18, 2024
@arielkr256
Rework base64 recognition to use python functions rather than regex (#…
bd4f24c 
…1146)

* base64 rules use python funtions not regex

* better alertcontext for standard_dns_base64

* command line tools as global var

* regex and length checks for edge cases

* new global_helper for is_base64()
arielkr256 added a commit that referenced this pull request Mar 19, 2024
@akozlovets098 @melenevskyi
@egibs @arielkr256 @kjihso @darwayne @le4ker
fix - Several GCP rules with NoneType errors (#1155)
8a857e3 
* Fixed IndexOutOfRange error in get_zoom_usergroup_context (#1141)

* Use correct key when retrieving string_set in Okta Stolen Session Rule (#1142)

* Fix key when retrieving string_set in Okta Stolen Session Rule

* fmt

* rolling back changes related to simple_rules dir (#1143)

Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* typo fix: gcp_privilege_escalation_by_deploymants (#1140)

* Update PAT to 0.42.0 (#1145)

Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* converted is_private to not is_global (#1150)

Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* Rework base64 recognition to use python functions rather than regex (#1146)

* base64 rules use python funtions not regex

* better alertcontext for standard_dns_base64

* command line tools as global var

* regex and length checks for edge cases

* new global_helper for is_base64()

* renames .yaml files to .yml (#1151)

* THREAT-241 Several GCP rules with NoneType errors

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: kjihso <133820431+kjihso@users.noreply.github.com>
Co-authored-by: darwayne <darwaynelynch@gmail.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
egibs added a commit that referenced this pull request Mar 19, 2024
@egibs @arielkr256
@le4ker @akozlovets098 @melenevskyi @kjihso @darwayne
Prepare for 3.46.0 (#1156)
5fb9be9 
* converted is_private to not is_global (#1150)

Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* Rework base64 recognition to use python functions rather than regex (#1146)

* base64 rules use python funtions not regex

* better alertcontext for standard_dns_base64

* command line tools as global var

* regex and length checks for edge cases

* new global_helper for is_base64()

* renames .yaml files to .yml (#1151)

* THREAT-240 GCP compute.instance.create AttributeError (#1152)

* Add GCP.IAM.serviceAccounts.getAccessToken.Privilege.Escalation rule (#1149)

* Add GCP.IAM.serviceAccounts.getAccessToken.Privilege.Escalation  rule

* Add GCP.IAM.serviceAccounts.signBlob rule

* Lolbas tuning (#1147)

* lower severity and set disabled false

* lower severity and disable

* Update PAT to 0.43.0 (#1154)

* fix - Several GCP rules with NoneType errors (#1155)

* Fixed IndexOutOfRange error in get_zoom_usergroup_context (#1141)

* Use correct key when retrieving string_set in Okta Stolen Session Rule (#1142)

* Fix key when retrieving string_set in Okta Stolen Session Rule

* fmt

* rolling back changes related to simple_rules dir (#1143)

Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* typo fix: gcp_privilege_escalation_by_deploymants (#1140)

* Update PAT to 0.42.0 (#1145)

Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* converted is_private to not is_global (#1150)

Co-authored-by: Evan Gibler <evan.gibler@panther.com>

* Rework base64 recognition to use python functions rather than regex (#1146)

* base64 rules use python funtions not regex

* better alertcontext for standard_dns_base64

* command line tools as global var

* regex and length checks for edge cases

* new global_helper for is_base64()

* renames .yaml files to .yml (#1151)

* THREAT-241 Several GCP rules with NoneType errors

---------

Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: kjihso <133820431+kjihso@users.noreply.github.com>
Co-authored-by: darwayne <darwaynelynch@gmail.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>

---------

Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: akozlovets098 <95437895+akozlovets098@users.noreply.github.com>
Co-authored-by: Oleh Melenevskyi <767472+melenevskyi@users.noreply.github.com>
Co-authored-by: kjihso <133820431+kjihso@users.noreply.github.com>
Co-authored-by: darwayne <darwaynelynch@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jacknagz jacknagz jacknagz left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@arielkr256 @jacknagz