Skip to content

ScanPkcs7

Extracts files from PKCS7 certificate files.

Source code in strelka/src/python/strelka/scanners/scan_pkcs7.py 
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
class ScanPkcs7(strelka.Scanner):
    """Extracts files from PKCS7 certificate files."""

    def scan(self, data, file, options, expire_at):
        # Set the temporary directory for storing data. The default is "/tmp/".
        tmp_directory = options.get("tmp_directory", "/tmp/")

        # Initialize the "total" field in the event object with the number of certificates and extracted files.
        self.event["total"] = {"certificates": 0, "extracted": 0}

        try:
            # Needs a file to load data, not a buffer.
            # Try to create a temporary file in the specified temporary directory.
            with tempfile.NamedTemporaryFile(dir=tmp_directory) as tmp_data:
                tmp_data.write(data)
                tmp_data.flush()

                # Try to load the PKCS7 key file.
                try:
                    if data[:1] == b"0":
                        pkcs7 = SMIME.load_pkcs7_der(tmp_data.name)
                    else:
                        pkcs7 = SMIME.load_pkcs7(tmp_data.name)
                except SMIME.SMIME_Error:
                    self.flags.append(
                        f"{self.__class__.__name__} Exception:  Error loading PKCS7 key file with SMIME error."
                    )
                    return
                except Exception as e:
                    self.flags.append(
                        f"{self.__class__.__name__} Exception: {str(e)[:50]}"
                    )
                    return

                # Try to get the signers from the PKCS7 file.
                try:
                    certs = pkcs7.get0_signers(X509.X509_Stack())
                except X509.X509Error:
                    self.flags.append(
                        f"{self.__class__.__name__} Exception:  Error collecting PKCS7 signers."
                    )
                    return
                except Exception as e:
                    self.flags.append(
                        f"{self.__class__.__name__} Exception: {str(e)[:50]}"
                    )
                    return

                # If there are signers in the PKCS7 file, process them.
                if certs:
                    self.event["total"]["certificates"] = len(certs)
                    for cert in certs:
                        try:
                            self.emit_file(
                                cert.as_der(), name=f"sn_{cert.get_serial_number()}"
                            )
                        except Exception:
                            self.flags.append(
                                f"{self.__class__.__name__} Exception:  Error processing PKCS7 signers."
                            )
                            return
                        self.event["total"]["extracted"] += 1
        except tempfile.NamedTemporaryFile:
            self.flags.append(
                f"{self.__class__.__name__} Exception: Error creating temporary file for PKCS7 file."
            )
        except Exception as e:
            self.flags.append(f"{self.__class__.__name__} Exception: {str(e)[:50]}")

Features

The features of this scanner are detailed below. These features represent the capabilities and the type of analysis the scanner can perform. This may include support for Indicators of Compromise (IOC), the ability to emit files for further analysis, and the presence of extended documentation for complex analysis techniques.

Feature
Support
IOC Support
Emit Files
Extended Docs
Malware Scanner
Image Thumbnails

Tastes

Strelka's file distribution system assigns scanners to files based on 'flavors' and 'tastes'. Flavors describe the type of file, typically determined by MIME types from libmagic, matches from YARA rules, or characteristics of parent files. Tastes are the criteria used within Strelka to determine which scanners are applied to which files, with positive and negative tastes defining files to be included or excluded respectively.

Source Filetype
Include / Exclude
pkcs7_file

Scanner Fields

This section provides a list of fields that are extracted from the files processed by this scanner. These fields include the data elements that the scanner extracts from each file, representing the analytical results produced by the scanner. If the test file is missing or cannot be parsed, this section will not contain any data.

Failure

No fields to display. The test file may not exist or could not be processed.

Sample Event

Below is a sample event generated by this scanner, demonstrating the kind of output that can be expected when it processes a file. This sample is derived from a mock scan event configured in the scanner's test file. If no test file is available, this section will not display a sample event.

Failure

Test file not found for scanner pkcs7