
Splunk async queries, powershell deobfuscator and viewer.

@ianhelle released this 23 Mar 03:13 (commit 3587ed4)

Introduction

An intermediate release while we prepare the ground for v2.0.0 of MSTICPy.
The release includes some small features and several fixes.

What's Changed

  • Added Splunk async provider and unit_tests by @d3vzer0 in #337
    Splunk queries are now executed asynchronously by default. The previous default ran every query as a
    one-shot search, which limits the size of the result set that can be returned. To keep the previous
    behaviour, pass the oneshot=True parameter to the query function.

    Big thanks to @d3vzer0 (Joey Dreyer) for this (in addition to previous Splunk queries!)

  • Powershell simple de-obfuscator and code viewer. by @ianhelle in #335

obfus_str = """
IF($PSVerSIONTAble.PSVErSion.MaJoR -gE 3){$43de2=[REF].AsSEmbly.GetTypE(\'System.Management.Automation.Utils\')."GEtFIe`LD"(\'cachedGroupPolicySettings\',\'N\'+\'onPublic,Static\');IF($43DE2)
...
"""
from msticpy.analysis.code_cleanup import format_powershell
from msticpy.vis.code_view import display_html
display_html(
    format_powershell(obfus_str),
    language="powershell"
)

output

if($psversiontable.psversion.major -ge 3)
{
    $43de2=[ref].assembly.gettype('system.management.automation.utils')."getfield"('cachedgrouppolicysettings','nonpublic,static')
    if($43de2)
    {
        $712db=$43de2.getvalue($null)
        if($712db['scriptblocklogging'])
  • Fixed incorrect use of httpx.codes enum in odata_driver by @ianhelle in #345
  • Added refresh and delete functions for keyring cached secrets by @ianhelle in #336
  • Bump readthedocs-sphinx-ext from 2.1.4 to 2.1.5 by @dependabot in #339
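To make concrete what the "simple de-obfuscator" item above does, here is a small stand-alone normaliser written for these notes. It is example code, not msticpy's format_powershell: it strips cosmetic backticks (keeping real escapes such as `n), folds 'N'+'onPublic' style string concatenations, turns ."GeTfIeLd"(...) back into a plain member name, lower-cases the code and reflows it on braces and semicolons. Unlike the output shown above it leaves the contents of string literals in their original case, so a base64 payload or a case-sensitive argument inside a string survives the pass. The tokenizer, the escape set and the sample input (the first line of the snippet above) are this example's own assumptions.

```python
import re

# Characters PowerShell honours after a backtick; a backtick before anything
# else is a no-op, which is what obfuscators rely on ("GEtFIe`LD" == "GEtFIeLD").
PS_ESCAPES = set("0abefnrtuv`\"'$")
IDENT = re.compile(r"^[A-Za-z_]\w*$")


def strip_cosmetic_backticks(text):
    """Remove backticks that do not start a real escape; keep real escapes (`n, `") intact."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "`" and i + 1 < len(text):
            nxt = text[i + 1]
            out.append(text[i:i + 2] if nxt in PS_ESCAPES else nxt)
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def tokenize(script):
    """Split into ('code'|'sq'|'dq', text) tokens so string contents are never rewritten."""
    tokens, buf, i, n = [], [], 0, len(script)
    while i < n:
        quote = script[i]
        if quote not in "'\"":
            buf.append(quote)
            i += 1
            continue
        if buf:
            tokens.append(("code", "".join(buf)))
            buf = []
        j = i + 1
        while j < n:
            if quote == '"' and script[j] == "`":
                j += 2                      # backtick-escaped char inside "..."
            elif script[j] == quote and script[j + 1:j + 2] == quote:
                j += 2                      # doubled quote is a literal quote
            elif script[j] == quote:
                break
            else:
                j += 1
        tokens.append(("sq" if quote == "'" else "dq", script[i:j + 1]))
        i = j + 1
    if buf:
        tokens.append(("code", "".join(buf)))
    return tokens


def fold_concat(tokens):
    """'N'+'onPublic'  ->  'NonPublic' for runs of single-quoted literals joined by +."""
    out, i = list(tokens), 0
    while i + 2 < len(out):
        (k1, t1), (k2, t2), (k3, t3) = out[i:i + 3]
        if k1 == k3 == "sq" and k2 == "code" and t2.strip() == "+":
            out[i:i + 3] = [("sq", t1[:-1] + t3[1:])]
        else:
            i += 1
    return out


def render(tokens, indent="    "):
    """Lower-case code (not strings), bare-ify string member names, reflow on { } ;."""
    lines, cur, depth, prev_code = [], "", 0, ""

    def flush():
        nonlocal cur
        if cur.strip():
            lines.append(indent * depth + cur.strip())
        cur = ""

    for kind, text in tokens:
        if kind != "code":
            body = text[1:-1]
            # ."GeTfIeLd"(...) is member access spelled as a string: emit a plain name
            cur += body.lower() if prev_code.endswith(".") and IDENT.match(body) else text
            prev_code = ""
            continue
        prev_code = text
        for ch in text.lower():
            if ch == "{":
                flush(); lines.append(indent * depth + "{"); depth += 1
            elif ch == "}":
                flush(); depth = max(depth - 1, 0); lines.append(indent * depth + "}")
            elif ch in ";\n":
                flush()
            else:
                cur += ch
    flush()
    return "\n".join(lines)


def deobfuscate(script):
    return render(fold_concat(tokenize(strip_cosmetic_backticks(script))))


# Constructed input: the first line of the obfuscated snippet in the release notes.
OBFUSCATED = (
    "IF($PSVerSIONTAble.PSVErSion.MaJoR -gE 3){$43de2=[REF].AsSEmbly.GetTypE("
    "'System.Management.Automation.Utils').\"GEtFIe`LD\"('cachedGroupPolicySettings',"
    "'N'+'onPublic,Static');IF($43DE2)"
)

if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED))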

Other Fixes and minor changes

3af4379@
Bump readthedocs-sphinx-ext from 2.1.4 to 2.1.5 (#339)Bumps [readthedocs-sphinx-ext]

c0fc7fa@

  • Fixed incorrect use of httpx.codes enum in odata_driver
  • Added httpx timeouts (30sec connect, 10sec other) to cybereason_driver and http_base and other users of httpx
  • Splitting keyring into its own module so that we can load without Keyring as a dependency - avoiding
    load failure on linux systems without keyring support
  • Prevent VTLookupV3 from trying to load automatically and throwing exception
  • Moved IPStack check for API key out of constructor so avoid error if loaded with no configuration.
  • Change Msticpy exceptions to output plaintext if not running in a notebook (e.g. IPython)
  • Added -utf16 argument to %b64 magic to allow correct decoding of Windows strings