NetWitness Community

DionStempfley · ‎2020-09-21

I'm not exactly sure how to approach this. I have an IOC that is an image in an html based email with a height=0 and width=0. I think I need write a LUA parser. I'm not up to speed with this. Is there anyone that can help?

Sample message segment:

<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"></head>
<body>
<br>
<div>Message text
<br>
<br>
<img src="hxxp://www.badsite.com/directory/image.png" width="0" height="0">
</div>
</body>
</html>

Regards,

/Dion Stempfley

Dion Stempfley
Cybersecurity Analyst
Institute for Defense Analyses

WilliamMotley1 · ‎2020-09-22

There's a couple standard parsers that come close to what you want, but not exactly.

The phishing_lua parser will register the host portion of links found in email messages - including img src. Optionally it will also register the path components (directory, filename, extension).

The HTML_threat parser will register the existence of most hidden elements (iframe, div, span, etc.). But not img. Perhaps it could, but there would be a lot of noise since that's a tactic commonly used by tracking, advertising, etc.

As a custom parser, if the HTML will always look exactly like that, you could simply use that exact string as your token then register meta when the token matches - creating a signature essentially. Something as simple as this would work,

local badImg = nw.createParser("badImg", "badImg")
badImg:setKeys({
 nwlanguagekey.create("ioc")
})
function badImg:onImg()
 nw.createMeta(self.keys.ioc, "bad image")
end
badImg:setCallbacks({
 ['<img src="hxxp://www.badsite.com/directory/image.png" width="0" height="0">'] = badImg.onImg
})

DionStempfley · ‎2020-09-22

Thank you. I'll see if I can run with this.

/D

Dion Stempfley
Cybersecurity Analyst
Institute for Defense Analyses

NetWitness Community

I need to find links in an html email