2020-09-21 07:02 PM
I'm not exactly sure how to approach this. I have an IOC that is an image in an HTML-based email with a height=0 and width=0. I think I need to write a Lua parser. I'm not up to speed with this. Is there anyone that can help?
Sample message segment:
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"></head>
<body>
<br>
<div>Message text
<br>
<br>
<img src="hxxp://www.badsite.com/directory/image.png" width="0" height="0">
</div>
</body>
</html>
Regards,
/Dion Stempfley
2020-09-22 08:05 AM
There are a couple of standard parsers that come close to what you want, but not exactly.
The phishing_lua parser will register the host portion of links found in email messages - including img src. Optionally it will also register the path components (directory, filename, extension).
The HTML_threat parser will register the existence of most hidden elements (iframe, div, span, etc.). But not img. Perhaps it could, but there would be a lot of noise since that's a tactic commonly used by tracking, advertising, etc.
As a custom parser, if the HTML will always look exactly like that, you could simply use that exact string as your token, then register meta when the token matches - creating a signature essentially. Something as simple as this would work:
local badImg = nw.createParser("badImg", "badImg")

-- the meta key this parser writes to
badImg:setKeys({
    nwlanguagekey.create("ioc")
})

-- called whenever the token below is seen
function badImg:onImg()
    nw.createMeta(self.keys.ioc, "bad image")
end

-- the full <img> tag is the token; an exact match fires onImg
badImg:setCallbacks({
    ['<img src="hxxp://www.badsite.com/directory/image.png" width="0" height="0">'] = badImg.onImg
})
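A standalone model of that detection in Python, added here as an example and not code from the thread or from NetWitness: it generalizes the exact-string signature above to any <img> whose width and height are both zero, and pulls out the host and path components (directory, filename, extension) that the phishing_lua parser registers. The sample HTML is constructed from the message segment in the question, and the record field names are chosen for illustration only.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Constructed sample modelled on the thread's message segment (not a real message).
SAMPLE_EMAIL_HTML = """<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252"></head>
<body><div>Message text<br>
<img src="hxxp://www.badsite.com/directory/image.png" width="0" height="0">
<img src="http://cdn.example.net/logo.png" width="120" height="40">
</div></body></html>"""


def _is_zero(value):
    """True if an HTML size attribute collapses to zero (e.g. "0", "0px", " 0 ")."""
    if value is None:
        return False
    digits = value.strip().lower().rstrip("px").strip()
    return digits.isdigit() and int(digits) == 0


class HiddenImageParser(HTMLParser):
    """Collects the src of every <img> whose width and height are both zero."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): v for k, v in attrs}
        if _is_zero(a.get("width")) and _is_zero(a.get("height")) and a.get("src"):
            self.hits.append(a["src"])


def find_hidden_images(html):
    """Return one record per zero-sized image with the pieces a parser would
    register as meta: the "ioc" marker plus host, directory, filename, extension."""
    p = HiddenImageParser()
    p.feed(html)
    p.close()
    records = []
    for src in p.hits:
        # Defanged "hxxp" is undone only for URL parsing; the original src is kept.
        url = urlsplit(src.replace("hxxp", "http", 1))
        directory, filename = posixpath.split(url.path)
        records.append({"ioc": "hidden image", "host": url.hostname or "",
                        "directory": directory, "filename": filename,
                        "extension": posixpath.splitext(filename)[1].lstrip("."),
                        "src": src})
    return records
```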
2020-09-22 08:26 AM
Thank you. I'll see if I can run with this.
/D