Using the Splunk query above, it will show you table-formatted data which contains the extracted base64 under a field named “string”. The result after we export it from Splunk (opened in Excel) looks like:

If you decode the base64 from the example raw event above:

KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC5YOjQ0M3x8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC9YLlguWC4xODo0NDMpfGJhc2g=

There are hundreds or probably thousands of them. How can I quickly decode all these base64 strings? We're not going to decode them one by one, are we?

So… we are going to leverage Excel & a macro (yes, a MACRO) to automatically decode those base64 strings for us. The macro code that we'll be using is as below:

```vb
Function TextBase64Encode(strText, strCharset)
    With CreateObject("MSXML2.DOMDocument").createElement("tmp")
    TextBase64Encode = Replace(Replace(.Text, vbCr, ""), vbLf, "")

Function TextBase64Decode(strBase64, strCharset)
```

To use it, first we need to open the Splunk result that we exported earlier. After that, press Alt-F8 to open the macro editor. Create a new macro; you can give it any name you want. Paste the macro code given above inside the editor:

After that, close the editor window. Then, create 2 new columns in the Excel sheet, named “ASCII” and “Decoded Base64”:

We need to fill up the column “ASCII” with the string “ASCII” until the end/bottom of your data. Let's say you have 300 rows of data in your Excel; then fill in 300 “ASCII” strings beside them. Just press Ctrl + Arrow-Down to quickly go to the end/bottom of the data column. After that, type the string “ASCII” in one of the rows and copy it (Ctrl-C). Then, press Ctrl + Shift + Arrow-Up to select from bottom to top. Then paste (Ctrl + V) to fill the whole column with the string “ASCII”. Your Excel will look something like this:

Next, we are going to start decoding the base64 strings. Again, press Ctrl + Arrow-Down to go to the end of the column, and type the formula as below:
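The decode half of that macro, completed here by the page editor (not the original post's listing), plus a Sub that fills the whole “Decoded Base64” column in one pass instead of typing a formula per row. It follows the same MSXML2.DOMDocument / ADODB.Stream pattern the fragments above use, and assumes a constructed layout of column A = string, column B = ASCII (the charset), column C = Decoded Base64, with headers in row 1.

```vba
' Added example: full decode helper plus a bulk-fill Sub. Assumed layout (constructed,
' adjust to your export): column A = string, column B = ASCII, column C = Decoded Base64.
Function TextBase64Decode(strBase64, strCharset)
    Dim aryBinary
    ' MSXML converts the base64 text into a byte array...
    With CreateObject("MSXML2.DOMDocument").createElement("tmp")
        .DataType = "bin.base64"
        .Text = strBase64
        aryBinary = .nodeTypedValue
    End With
    ' ...and ADODB.Stream reads those bytes back as text in the requested charset.
    With CreateObject("ADODB.Stream")
        .Type = 1 ' adTypeBinary
        .Open
        .Write aryBinary
        .Position = 0
        .Type = 2 ' adTypeText
        .Charset = strCharset
        TextBase64Decode = .ReadText
        .Close
    End With
End Function

' Fills column C for every data row in one pass, so no per-row formula is needed.
Sub DecodeBase64Column()
    Dim ws As Worksheet, lastRow As Long, r As Long, s As String, cs As String
    Set ws = ActiveSheet
    ' Text format keeps decoded strings that start with "=" or "-" from being parsed as formulas.
    ws.Columns("C").NumberFormat = "@"
    lastRow = ws.Cells(ws.Rows.Count, "A").End(xlUp).Row
    For r = 2 To lastRow
        s = Trim(CStr(ws.Cells(r, "A").Value))
        cs = Trim(CStr(ws.Cells(r, "B").Value))
        If Len(cs) = 0 Then cs = "ASCII"
        If Len(s) > 0 Then
            ' A regex extraction often clips the trailing "=" padding; restore it first.
            If Len(s) Mod 4 <> 0 Then s = s & String(4 - (Len(s) Mod 4), "=")
            On Error Resume Next
            ws.Cells(r, "C").Value = TextBase64Decode(s, cs)
            If Err.Number <> 0 Then
                ' Not valid base64 (or undecodable in this charset): mark it and keep going.
                ws.Cells(r, "C").Value = "<decode failed>"
                Err.Clear
            End If
            On Error GoTo 0
        End If
    Next r
End Sub
```

Run DecodeBase64Column from the Alt-F8 dialog once the sheet with the export is active; rows that fail to decode are marked rather than stopping the run.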