This module allows you to extract base64 encoded content from a string or columns of a Pandas DataFrame. The library returns the following information:
If the results of the decoding contain further encoded strings these will be decoded recursively. If the encoded string appears to be a zip, gzip or tar archive, the contents will be decompressed after decoding. In the case of zip and tar, the contents of the archive will also be checked for base64 encoded content and decoded/decompressed if possible.
You must have msticpy installed to run this notebook:
%pip install --upgrade msticpy
# Imports
import sys
MIN_REQ_PYTHON = (3, 6)
if sys.version_info < MIN_REQ_PYTHON:
    print('Check the Kernel->Change Kernel menu and ensure that Python 3.6')
    print('or later is selected as the active kernel.')
    sys.exit("Python %s.%s or later is required.\n" % MIN_REQ_PYTHON)
from IPython.display import display
import pandas as pd
# Import Base64 module
import msticpy
msticpy.init_notebook(globals())
from msticpy.transform import base64unpack
# Load test data
process_tree = pd.read_csv('data/process_tree.csv',
                           parse_dates=["TimeGenerated"],
                           infer_datetime_format=True)
process_tree[['CommandLine']].head()
| | CommandLine |
|---|---|
| 0 | .\ftp -s:C:\RECYCLER\xxppyy.exe |
| 1 | .\reg not /domain:everything that /sid:shines is /krbtgt:golden ! |
| 2 | cmd /c "systeminfo && systeminfo" |
| 3 | .\rundll32 /C 42424.exe |
| 4 | .\rundll32 /C c:\users\MSTICAdmin\42424.exe |
Base64 decode an input string.
Parameters
----------
input_string : str, optional
    single string to decode (the default is None)
trace : bool, optional
    Show additional status (the default is None)

Returns
-------
Tuple[str, Optional[List[BinaryRecord]]]
    Decoded string and additional metadata

Notes
-----
Items that decode to utf-8 or utf-16 strings will be returned as decoded
strings replaced in the original string. If the encoded string is a
known binary type it will identify the file type and return the hashes
of the file. If any binary types are known archives (zip, tar, gzip) it
will unpack the contents of the archive.
For any binary it will return the decoded file as a byte array, and as a
printable list of byte values. If the input is a string the function
returns:
- decoded string: this is the input string with any decoded sections
  replaced by the results of the decoding
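To make the behaviour described above (overview and docstring) concrete, here is a small, self-contained re-implementation of the same idea: find base64 runs, decode them, decompress gzip payloads, render clean UTF-16LE/UTF-8 text in place of the encoded run, and recurse into the decoded text. This is an added example written for this page, not msticpy's own code; it decodes PowerShell's UTF-16LE `-enc` payload to readable text, the `<decoded>` tag layout is simplified, and both sample command lines are constructed (the first is the one this notebook decodes below).

```python
import base64
import gzip
import re
import zlib
from typing import List, Optional, Tuple

# Constructed sample: the PowerShell -enc command line this notebook decodes later.
SAMPLE_CMDLINE = (
    ".\\powershell -enc JAB0ACAAPQAgACcAZABpAHIAJwA7AA0ACgAmACAAKAAnAEkAbgB2AG8A"
    "awBlACcAKwAnAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAnACkAIAAkAHQA"
)
# Constructed sample: base64 wrapping a gzip stream, to exercise decode-then-decompress.
NESTED_CMDLINE = "cmd /c echo " + base64.b64encode(gzip.compress(b"whoami /all")).decode()
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")  # short tokens are never candidates
GZIP_MAGIC = b"\x1f\x8b"

def as_text(blob: bytes) -> Optional[str]:
    """Return the blob as text if it is clean UTF-16LE (PowerShell -enc) or UTF-8."""
    wide = len(blob) % 2 == 0 and blob[1::2].count(0) > len(blob) // 4
    for codec in (["utf-16-le"] if wide else []) + ["utf-8"]:
        try:
            text = blob.decode(codec)
        except UnicodeDecodeError:
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None

def unpack(text: str, depth: int = 1, max_depth: int = 5) -> Tuple[str, List[dict]]:
    """Replace each decodable base64 run with a <decoded> tag, recursing into the result."""
    records: List[dict] = []
    def replace(match) -> str:
        token = match.group(0)
        try:
            blob = base64.b64decode(token, validate=True)
            if blob.startswith(GZIP_MAGIC):  # archive: decompress before inspecting
                blob = gzip.decompress(blob)
        except (ValueError, OSError, EOFError, zlib.error):
            return token  # not base64, or a damaged stream: leave the text untouched
        decoded = as_text(blob)
        if decoded is None:  # binary payload (e.g. a hex hash that happens to decode)
            records.append({"depth": depth, "type": "binary", "size": len(blob)})
            return f"<decoded type='binary' depth='{depth}' bytes='{len(blob)}'/>"
        if depth < max_depth:  # decoded text may itself carry encoded content
            decoded, inner = unpack(decoded, depth + 1, max_depth)
            records.extend(inner)
        records.append({"depth": depth, "type": "string", "original": token})
        return f"<decoded type='string' depth='{depth}'>{decoded}</decoded>"
    return B64_RUN.sub(replace, text), records
```

Binary payloads are reported by size rather than echoed, so a long hex hash in a command line does not turn into garbage in the decoded output.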
# get a commandline from our data set
cmdline = process_tree['CommandLine'].loc[39]
cmdline
'.\\powershell -enc JAB0ACAAPQAgACcAZABpAHIAJwA7AA0ACgAmACAAKAAnAEkAbgB2AG8AawBlACcAKwAnAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAnACkAIAAkAHQA'
# Decode the string
base64_dec_str = base64unpack.unpack(input_string=cmdline)
# Print decoded string
print(base64_dec_str)
(".\\powershell -enc <decoded type='string' name='[None]' index='1' depth='1'>$\x00t\x00 \x00=\x00 \x00'\x00d\x00i\x00r\x00'\x00;\x00\r\x00\n\x00&\x00 \x00(\x00'\x00I\x00n\x00v\x00o\x00k\x00e\x00'\x00+\x00'\x00-\x00E\x00x\x00p\x00r\x00e\x00s\x00s\x00i\x00o\x00n\x00'\x00)\x00 \x00$\x00t\x00</decoded>",    reference  \
0  (, 1., 1)

                                     original_string  \
0  JAB0ACAAPQAgACcAZABpAHIAJwA7AA0ACgAmACAAKAAnAEkAbgB2AG8AawBlACcAKwAnAC0ARQB4AHAAcgBlAHMAcwBpAG8A...

  file_name file_type  \
0   unknown      None

                                         input_bytes  \
0  b"$\x00t\x00 \x00=\x00 \x00'\x00d\x00i\x00r\x00'\x00;\x00\r\x00\n\x00&\x00 \x00(\x00'\x00I\x00n\...

  decoded_string  \
0  $ t = '