jeFF0Falltrades / rat_king_parser

A robust, multiprocessing-capable, multi-family RAT config parser/config extractor for AsyncRAT, DcRAT, VenomRAT, QuasarRAT, and cloned/derivative RAT families.
MIT License
22 stars, 3 forks

Hello from CCCS! 🍁 #7

Status: Open. cccs-rs opened this issue 2 months ago.

cccs-rs commented 2 months ago

Hi there,

I was wondering if you're interested in including your extractor in Assemblyline, our open-source malware analysis platform.

I believe adding the work that you've done would be a boon to the cybersecurity community!

If you're interested or have any questions, feel free to reach out! 😀

jeFF0Falltrades commented 2 months ago

So good to hear from you CCCS!

This looks like a great tool, and I’ll make some time to try it out and get familiar.

I’m definitely open to having this parser integrated, so long as we can find a way for any updates to make it downstream to AssemblyLine when the parser gets updated. If anyone there can point me to the best place in the repo to start looking at integration, I can take a look!

cccs-rs commented 2 months ago

Thanks for your response!

I can see this being integrated with the ConfigExtractor service in Assemblyline, which allows users to configure sources to pull extractors from periodically and use them for analysis.

The underlying library that "collects" and runs the extractors is configextractor-py, which is written to support multiple extractor frameworks in a common tool and outputs to a common standard called MACO, which undergoes data validation via Pydantic. The library has official support for MWCP and MACO extractors; malduck support is still pending 🤞🤞.

So I would definitely explore these two Python packages mentioned to make your extractor compatible with Assemblyline via local testing on your host. Then you can try a test with Assemblyline to make sure everything works from there as well.

Also, if you find there's something that the MACO output standard doesn't capture, feel free to let us know!

If you have any other questions about this or Assemblyline in general, feel free to join our Discord for a more immediate response or respond to this issue. 🤓

doomedraven commented 1 month ago

Oh hello guys, nice to see CCCS here too. I just added this extractor to CAPE (https://github.com/kevoreilly/CAPEv2/pull/2135), adding a README mentioning the owner's work. Is that fine for you, @jeFF0Falltrades?

jeFF0Falltrades commented 1 month ago

Oh hello guys, nice to see CCCS here too. I just added this extractor to CAPE (kevoreilly/CAPEv2#2135), adding a README mentioning the owner's work. Is that fine for you, @jeFF0Falltrades?

More than fine, especially given you’ve done the hard work already and also provided the license. Well done, and thank you very much!