import re
from typing import List
from mwcp import Parser, metadata
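class Script(Parser):
    """
    Generic parser for pulling suspect URLs from a PowerShell script.

    The parser reports every ``http://`` / ``https://`` URL found in the raw
    script bytes, minus a short deny-list of benign IP-lookup services that
    scripts commonly call and that would otherwise pollute the indicator set.
    """
    DESCRIPTION = "PowerShell Script"
    AUTHOR = "DC3"

    # Hosts that are filtered out of the report.  The check in
    # ``extract_urls`` is a plain substring test, so "api.ipify.org" is
    # dropped as intended, but so is any URL that merely contains one of
    # these strings somewhere in its path.
    INVALID_DOMAINS = [
        "ipify.org",
        "whatismyipaddress.com"
    ]

    # Byte-oriented pattern so it can run directly over the file contents.
    # Capture groups: 1 = scheme, 2 = host, 3 = IPv4 host, 4 = port, 5 = path.
    # Every character the pattern can match is ASCII, which is what makes the
    # ``.decode()`` in ``extract_urls`` safe.
    URL_REGEX = re.compile(
        (
            # HTTP/HTTPS.
            b"(https?://)"
            b"("
            # IPv4 address: four dotted octets, each 0-255.  The trailing
            # negative lookahead stops this branch from claiming only the
            # prefix of a longer host such as "1.2.3.4.5" or "1.2.3.4abc";
            # those fall through to the domain branch below.
            b"((?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\."
            b"(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\."
            b"(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\."
            b"(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?![a-zA-Z0-9.-]))|"
            # Or domain name.
            b"[a-zA-Z0-9.-]+)"
            # Optional port.
            b"(:\\d+)?"
            # URI.
            b"(/[()a-zA-Z0-9_:%=/.-]*)?"
        )
    )

    @classmethod
    def identify(cls, file_object):
        """
        Claim the file when its name carries a ``.ps1`` extension.

        The comparison is case-insensitive because Windows file names are,
        so ``SCRIPT.PS1`` is identified as well as ``script.ps1``.

        :param file_object: mwcp file object; only ``.name`` is consulted
        :return: True if the file looks like a PowerShell script by name
        """
        return file_object.name.lower().endswith(".ps1")

    def extract_urls(self, data: bytes) -> List[str]:
        """
        Extract URLs using regular expression.

        :param data: Data to search for URLs in
        :return: List of extracted URLs (duplicates removed), in sorted order
            so that repeated runs over the same input report identically
        :rtype: list[str]
        """
        urls = set()
        for match in self.URL_REGEX.finditer(data):
            # The regex only ever matches ASCII bytes, so strict decoding
            # cannot raise here.
            url = match.group().decode()
            if any(invalid in url for invalid in self.INVALID_DOMAINS):
                continue
            urls.add(url)
        # Sorted rather than set order: report output should be deterministic.
        return sorted(urls)

    def run(self):
        """
        Presently only search for extract-able URLs.

        Each URL is reported as a ``metadata.URL`` element; no further
        classification is attempted here.
        """
        # General report of URLS.
        urls = self.extract_urls(self.file_object.data)
        for url in urls:
            self.report.add(metadata.URL(url))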