Skip to content

Improve MsgParser analyzer adding attachment and IOC as observables #1009

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Improve MsgParser analyzer adding attachment and IOC as observables #1009

wants to merge 1 commit into from
+138 −345

Conversation

@Waltyon
Copy link

@Waltyon Waltyon commented Jun 9, 2021

Hello,
I was inspired by EmlParser to improve MsgParser.
It integrates attachments as observables as well as possible IOC.

  • Add refactor modules by using external libraries
  • Explore attachments to import into observables and the lists with their hashes (md5, sha1, sha256)
  • Search for possible IOC in the mail (IP, Hash, url, email address..)
  • The code structure was inspired by EmlParser analyzer

@Waltyon
Improve MsgParser analyzer adding attachment and IOC as observables
afecc0c 
* Add refactor modules by using external libraries
* Explore attachments to import into observables and the lists with their hashes (md5, sha1, sha256)
* Search for possible IOC in the mail (IP, Hash, url, email address..)
* The code structure was inspired by EmlParser analyzer
@azgaviperr
Copy link

azgaviperr commented Jun 14, 2021

Gonna try that tomorrow

@dadokkio
Copy link
Contributor

dadokkio commented Jun 15, 2021

I made some tests with random mails I had on my machine. 2 of them failed for reasons related to embedded attachments:

Traceback (most recent call last): 
File "/opt/cortex/analyzers/MsgParser/parse.py", line 116, in <module> MsgParserAnalyzer().run() 
File "/opt/cortex/analyzers/MsgParser/parse.py", line 110, in run parsingResult = self.parseMsg() 
File "/opt/cortex/analyzers/MsgParser/parse.py", line 92, in parseMsg attachment_name = '{}/{}'.format(str(self.temp_dir.name), str(an_attachment.filename)) 
File "/usr/local/lib/python3.7/dist-packages/outlook_msg/attachment.py", line 23, in filename return self.mfs['PidTagAttachLongFilename'] 
File "/usr/local/lib/python3.7/dist-packages/outlook_msg/message_file_storage.py", line 104, in __getitem__ raise KeyError(item)
KeyError: 'PidTagAttachLongFilename'

Traceback (most recent call last): 
File "/opt/cortex/analyzers/MsgParser/parse.py", line 116, in <module> MsgParserAnalyzer().run() 
File "/opt/cortex/analyzers/MsgParser/parse.py", line 110, in run parsingResult = self.parseMsg() 
File "/opt/cortex/analyzers/MsgParser/parse.py", line 95, in parseMsg with an_attachment.open() as attachment_fp, open(attachment_name, 'wb') as output_fp: 
File "/usr/local/lib/python3.7/dist-packages/outlook_msg/attachment.py", line 15, in open raise NotImplementedError(f"Unable to open attachments stored as: {self.attachment_method.name}")
NotImplementedError: Unable to open attachments stored as: EmbeddedMessage

For the remaining ones everything was fine. All attachments, emails and hashes have been added properly to the observable 👍

@Waltyon
Copy link
Author

Waltyon commented Jun 24, 2021
edited
Loading

I made some tests with random mails I had on my machine. 2 of them failed for reasons related to embedded attachments:

Traceback (most recent call last): 
File "/opt/cortex/analyzers/MsgParser/parse.py", line 116, in <module> MsgParserAnalyzer().run() 
File "/opt/cortex/analyzers/MsgParser/parse.py", line 110, in run parsingResult = self.parseMsg() 
File "/opt/cortex/analyzers/MsgParser/parse.py", line 92, in parseMsg attachment_name = '{}/{}'.format(str(self.temp_dir.name), str(an_attachment.filename)) 
File "/usr/local/lib/python3.7/dist-packages/outlook_msg/attachment.py", line 23, in filename return self.mfs['PidTagAttachLongFilename'] 
File "/usr/local/lib/python3.7/dist-packages/outlook_msg/message_file_storage.py", line 104, in __getitem__ raise KeyError(item)
KeyError: 'PidTagAttachLongFilename'

Traceback (most recent call last): 
File "/opt/cortex/analyzers/MsgParser/parse.py", line 116, in <module> MsgParserAnalyzer().run() 
File "/opt/cortex/analyzers/MsgParser/parse.py", line 110, in run parsingResult = self.parseMsg() 
File "/opt/cortex/analyzers/MsgParser/parse.py", line 95, in parseMsg with an_attachment.open() as attachment_fp, open(attachment_name, 'wb') as output_fp: 
File "/usr/local/lib/python3.7/dist-packages/outlook_msg/attachment.py", line 15, in open raise NotImplementedError(f"Unable to open attachments stored as: {self.attachment_method.name}")
NotImplementedError: Unable to open attachments stored as: EmbeddedMessage

For the remaining ones everything was fine. All attachments, emails and hashes have been added properly to the observable 👍

Hello @dadokkio,

Would it be possible to have the .msg's that have an issue so I can see if I can fix it?
Unfortunately I have not been able to reproduce the problem with embedded attachments

Thanks

@jeromeleonard jeromeleonard added this to the 3.1.0 milestone Jul 21, 2021
@jeromeleonard jeromeleonard modified the milestones: 3.1.0, 3.2.0 Jan 24, 2022
@jeromeleonard jeromeleonard modified the milestones: 3.2.0, 3.3.0 Jul 22, 2022
@jeromeleonard jeromeleonard removed this from the 3.3.0 milestone Aug 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Waltyon @azgaviperr @dadokkio @jeromeleonard