Decodes stdin or file(s) obfuscated with multiple layers of encodings to ascii.
Output file names are appended with '_dbfsctd' to prevent overwriting originals.
Project has also been ported to a Splunk custom search app.
| encoding | regex |
|---|---|
| %XX | %([A-F0-9]{2}) |
| &#xXX | &#x([A-F0-9]{2})(;) |
| 0xXX | [0|\\]x([A-F0-9]{2}) |
| \xXX | [0|\\]x([A-F0-9]{2} |
| &#XX; | &#([0-9]{2,3})(;) |
| char(0xXX) | char(0x([A-F0-9]{2,3})) |
| chr(XXX) | cha?r(([0-9]{2,3})) |
| char(XXX) | cha?r(([0-9]{2,3})) |
| char(XXX,XXX,...) | cha?r(((\d{2,3}),\s(\d{2,3},?\s?)+)) |
| \\XXX... | \\\\([0-7]+) |
-l --lowercase convert output to lowercase
-p --plus remove plus signs from output
-i --input path
-o --output path
capture stdin and output to stdout
cat log.txt | deobfuscate.py
process file.ext and output to stdout
deobfuscate.py -i file.ext
process all *.ext files in ./file/location/ and output to ./output/
deobfuscate.py -i ./file/location/*.ext -o ./output/
Click Apps > Manage Apps
Click Create app
Name: deobfuscate
Folder name: deobfuscate
Visible: No
Template: barebones
Click Save
Click Permissions link for the deobfuscate app
Check to ensure Everyone role has "Read" permissions
Apply selected role permissions to: select All apps (system)
Click "Save"
cp ./deobfuscate/deobfuscate.py $SPLUNK_HOME/etc/apps/deobfuscate/bin/
cp ./deobfuscate/splunk/bin/deobfuscate_splunk.py $SPLUNK_HOME/etc/apps/deobfuscate/bin/
cp ./deobfuscate/splunk/default/commands.conf $SPLUNK_HOME/etc/apps/deobfuscate/default/
cd $SPLUNK_HOME/etc/apps/deobfuscate/bin/
pip3 install -t . splunk-sdk
Click Settings > Server controls
Click Restart Splunk
Pipe a search to deobfuscate
index = "main" sourcetype = "access_combined" (select OR insert OR cast) | deobfuscate