From 1d4bcd34d198a96f4dee7621744b0c9ea81a9d6a Mon Sep 17 00:00:00 2001
From: Derek Ditch
Date: Tue, 29 Nov 2022 16:27:08 -0600
Subject: [PATCH] Updated docs with new tools and bumped version to 8.5.2

---
 README.md      | 15 +++++++++++++++
 pyproject.toml |  2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 18b98b1..0a4a23b 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,9 @@ The current list of tools are:
 - `url-encode`, a tool to encode common character or all special characters to urlencoded strings
 - `zlib-compress`, a tool to perform zlib compression/deflation on the command line
 - `zlib-decompress`, a tool to perform zlib decompression/inflation on the command line
+- `zlib-deflate`, an alias for zlib-compress
+- `zlib-decompress`, an alias for zlib-decompress
+- `unmap-pe`, processes a PE binary, removing the memory mapping. Useful for analyzing process memory dumps
 
 ## Installation
 
@@ -152,3 +155,15 @@ $ lucene-query --since 'now-12M' 'dns.question.name: puerto2547.duckdns.org' -c | jq '._source.agent.id' -r | sort -u
 ec82f608-3d1b-4651-900e-b970c68bbeef
 ```
+
+Extract a single binary using Elastic Defend integration with
+[optional sample collection](https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack) enabled.
+Note that additional shell scripting would be needed to loop over a set of results.
+
+```shell
+eql-query 'process where ?process.Ext.memory_region.bytes_compressed_present == true' \
+  --size 1 \
+  --fields 'process.Ext.memory_region.bytes_compressed' | \
+  jq -r '.process.Ext.memory_region.bytes_compressed' | \
+  base64 -d | zlib-decompress > captured_sample.bin
+```
 
diff --git a/pyproject.toml b/pyproject.toml
index a64d41a..dffd44b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
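Review bot: The second added bullet in the tool list, `- \`zlib-decompress\`, an alias for zlib-decompress`, repeats the `zlib-decompress` entry that already sits one line above it and describes the tool as an alias of itself, so the new alias this commit intends to document is never named. This looks like a copy-paste slip from the `zlib-deflate` line directly above; the bullet should carry the decompression-side alias name instead, taken from the console-script names declared in pyproject.toml rather than guessed here. As written, a reader cannot discover the alias from the README at all.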
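Review bot: The new example's last stage, `base64 -d | zlib-decompress > captured_sample.bin`, drops the decoded memory region into the current working directory with no caveat, although the paragraph above links it to collecting in-memory payloads from a Defend host; the file is therefore a live sample, not ordinary output. A one-sentence note above the fence would make that explicit, e.g. `Treat captured_sample.bin as a live sample: write it to an isolated analysis location, mark it read-only, and never execute it on the analyst host.` It would also help to point out that `--size 1` means the pipeline assumes a single hit, since the surrounding sentence about looping over results already hints at this.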
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "thrunting-tools"
-version = "8.5.1"
+version = "8.5.2"
 description = "A collection of utilities to help with threat hunting on the command line."
 authors = ["Derek Ditch "]
 license = "Apache-2.0"