2.1.2. Codebreaker Engine
2.1.2.1. Presentation
- Detection of offensive, discreet and sophisticated exploitation techniques
- Decoding of encrypted payloads
- Detection of polymorphic shellcodes

Note: Codebreaker detects shellcodes for 32-bit and 64-bit Windows and Linux platforms.
2.1.2.2. Events generated
The alerts generated by Codebreaker can be viewed:
- In the main interface of the GCenter, named Web UI, in the `Alerts` screen (the Web UI is described in Overview of the WEB UI). To view the alerts, select the SHELLCODE filter and view the list of alerts (see the presentation of the Web UI `Alerts` screen). Clicking on an alert displays its detailed information: see Codebreaker Shellcode for the Shellcode Codebreaker and Codebreaker Powershell for the Powershell Codebreaker.
- In the Kibana UI interface. To view the alerts, select the SHELLCODE filter and view the list of alerts (see the presentation of the Web UI `Alerts` screen). Click on an alert, select the `Go hunting` command, then select the arrow to the left of the alert. The interface displayed is the Kibana UI (described in Overview of the Kibana GUI). The detailed information of the alert can be viewed in table or JSON format: see Codebreaker Shellcode for the Shellcode Codebreaker and Codebreaker Powershell for the Powershell Codebreaker.
2.1.2.2.1. Codebreaker Shellcode
2.1.2.2.1.1. Example of a Codebreaker Shellcode alert in the WebUI
The counters are detailed in Codebreaker Shellcode log data structure.
Example of a Codebreaker Shellcode log
{
"_index": "codebreaker-2023.10.11-000164",
"_type": "_doc",
"_id": "kAP9HosBeBoubSygpAwN",
"_version": 1,
"_score": 1,
"_source": {
"encodings": [
{
"options": "EBX, 3, Mixed",
"count": 1,
"name": "Alpha"
}
],
"gcap": "gcap-xxxxxxxxx.domain.local",
"state": "Exploit",
"uuid": "e3f51d11-661d-4164-9ce6-3aade7d3cfd6",
"timestamp_analyzed": "2023-10-11T13:47:00.895Z",
"dest_port": "37644",
"type": "codebreaker",
"timestamp_detected": "2023-10-11T13:45:47.655Z",
"dest_ip": "X.X.X.X",
"src_port": "4242",
"event_type": "shellcode",
"MD5": "933b3f084048ca6...",
"severity": 1,
"@version": "1",
"calls": {
"0": {
"ret": "0",
"args": "{'filename': 'THIS IS SP... SHELLCODE !', 'argv': ['THIS IS SP... SHELLCODE !'], 'envp': []}",
"call": "sys_execve"
},
"stop": "End of shellcode (Exit)"
},
"flow_id": "2046395805270250",
"gcenter": "gcenter-xxx.domain.local",
"SHA256": "5017d890b00903bba30a692e673b6ba740642bad846d4f9a6ac63f3a1551a502",
"file_id": "10-11-2023T13:46:56_b2b0c75...9c_gcap-xxxxxxxxx.domain.local",
"src_ip": "X.X.X.X",
"sub_type": "Linux_x86_32",
"@timestamp": "2023-10-11T13:47:00.895Z"
},
"fields": {
"calls.0.ret": [
"0"
],
"calls.stop": [
"End of shellcode (Exit)"
],
"type": [
"codebreaker"
],
"uuid": [
"e3f51d11-661d-4164-9ce6-3aade7d3cfd6"
],
"calls.0.args": [
"{'filename': 'THIS IS SP... SHELLCODE !', 'argv': ['THIS IS SP... SHELLCODE !'], 'envp': []}"
],
"calls.0.call": [
"sys_execve"
],
"src_ip": [
"X.X.X.X"
],
"event_type": [
"shellcode"
],
"sub_type": [
"Linux_x86_32"
],
"flow_id": [
2046395805270250
],
"@version": [
"1"
],
"state": [
"Exploit"
],
"dest_port": [
37644
],
"severity": [
1
],
"gcenter": [
"gcenter-xxx.domain.local"
],
"timestamp_detected": [
"2023-10-11T13:45:47.655Z"
],
"SHA256": [
"5017d890b00903bba30a692e673b6ba740642bad846d4f9a6ac63f3a1551a502"
],
"src_port": [
4242
],
"@timestamp": [
"2023-10-11T13:47:00.895Z"
],
"dest_ip": [
"X.X.X.X"
],
"file_id": [
"10-11-2023T13:46:56_b2b0c75...9c_gcap-xxxxxxxxx.domain.local"
],
"encodings.count": [
1
],
"gcap": [
"gcap-xxxxxxxxx.domain.local"
],
"timestamp_analyzed": [
"2023-10-11T13:47:00.895Z"
],
"encodings.options": [
"EBX, 3, Mixed"
],
"encodings.name": [
"Alpha"
],
"MD5": [
"933b3f084048ca6..."
]
}
}
2.1.2.2.1.2. Codebreaker Shellcode log data structure
The logs are composed of different parts:
- the header part
- the source part, defined by "_source"
- the fields part, defined by "fields"
The header part of the Codebreaker Shellcode logs
The header section contains:
{
"_index": "codebreaker-2023.10.11-000164",
"_type": "_doc",
"_id": "kAP9HosBeBoubSygpAwN",
"_version": 1,
"_score": 1,
| Field | Required | Description | Values or example |
|---|---|---|---|
| _index | Yes | Internal index | codebreaker-2023.10.11-000164 |
| _type | Yes | Default type | _doc |
| _id | Yes | Internal identifier | kAP9HosBeBoubSygpAwN |
| _version | Yes | Internal version | 1 |
| _score | Yes | Relevance of the response to the request | 1 |
The source part of the Codebreaker Shellcode logs
The source part defined by "_source" contains:
"_source": {
"encodings": [
{
"options": "EBX, 3, Mixed",
"count": 1,
"name": "Alpha"
}
],
"gcap": "gcap-xxxxxxxxx.domain.local",
"state": "Exploit",
"uuid": "e3f51d11-661d-4164-9ce6-3aade7d3cfd6",
"timestamp_analyzed": "2023-10-11T13:47:00.895Z",
"dest_port": "37644",
"type": "codebreaker",
"timestamp_detected": "2023-10-11T13:45:47.655Z",
"dest_ip": "X.X.X.X",
"src_port": "4242",
"event_type": "shellcode",
"MD5": "933b3f084048ca6...",
"severity": 1,
"@version": "1",
"calls": {
"0": {
"ret": "0",
"args": "{'filename': 'THIS IS SP... SHELLCODE !', 'argv': ['THIS IS SP... SHELLCODE !'], 'envp': []}",
"call": "sys_execve"
},
"stop": "End of shellcode (Exit)"
},
"flow_id": "2046395805270250",
"gcenter": "gcenter-xxx.domain.local",
"SHA256": "5017d890b00903bba30a692e673b6ba740642bad846d4f9a6ac63f3a1551a502",
"file_id": "10-11-2023T13:46:56_b2b0c75...9c_gcap-xxxxxxxxx.domain.local",
"src_ip": "X.X.X.X",
"sub_type": "Linux_x86_32",
"@timestamp": "2023-10-11T13:47:00.895Z"
},
| Field | Required | Description | Values or example |
|---|---|---|---|
| @timestamp | Yes | Timestamp analyzed | 2023-10-11T13:47:00.895Z |
| @version | Yes | Version of the document | 1 |
| calls | Yes | Category calls: see the summary table of the counters in the category "calls" | |
| dest_ip | Yes | Destination IP address | x.x.x.x |
| Description (in WebUI) | Yes | Threat description field. Only present in the WebUI | adversaries may abuse command and script interpreters to execute commands, scripts or binaries... |
| dest_port | No | Destination port | 37644 |
| encodings | Yes | Category encodings: see the summary table of the counters in the category "encodings" | 1 |
| event_type (Alert type in WebUI) | Yes | Type of exploit | shellcode |
| file_id | Yes | Fileinfo category: file ID | 10-11-2023T13:46:56_b2b0c75...9c_gcap-xxxxxxxxx.domain.local |
| flow_id | Yes | Unique identifier of the flow; allows the associated fileinfo to be found | 2046395805270250 |
| gcap | Yes | Name of the gcap associated with the alert | gcap-xxx.domain.local |
| gcenter | Yes | Name of the GCenter associated with the alert | gcenter-xxx.domain.local |
| Hostname (WebUI) | Yes | Host name of the threat originator | If the hostname is not present, its IP is displayed |
| MD5 | Yes | MD5 hash of the analyzed file | 933b3f084048ca6... |
| MITRE ASSOCIATIONS | Yes | Threat MITRE category | Execution |
| Name in WebUI | Yes | Sum of the state + sub_type + MD5 + SHA256 field information | Execution: Command and Scripting Interpreter; Persistence: Hijack Execution Flow; Privilege Escalation: Hijack Execution Flow; Defense Evasion: Hijack Execution Flow |
| severity | Yes | Analysis result code | Between 0 and 3: 0=clean, 1=infected, 2=suspicious, 3=other |
| SHA256 | Yes | SHA256 hash of the analyzed file | 5017d890b00903bb... |
| src_ip | Yes | Source IP address | X.X.X.X |
| src_port | Yes | Source port | 4242 |
| state | Yes | Result of the Codebreaker analysis (Exploit, Suspicious) | Exploit |
| sub_type | Yes | The file subtype (Windows_x86_32, Linux_x86_32): the operating system associated with the executable when it is a shellcode | Linux_x86_32 |
| timestamp_analyzed | Yes | Date and time of the last file scan | 2023-10-11T13:47:00.895Z |
| timestamp_detected | Yes | Date and time of the first file capture | 2023-10-11T13:45:47.655Z |
| type | Yes | Type of event | codebreaker |
| uuid or id | Yes | Unique identifier of the alert | e3f51d11-661d-4164-9ce6-3aade7d3cfd6 |
Summary table of the counters in the category "calls":

| Field | Required | Description | Values or example |
|---|---|---|---|
| ret | Yes | Return code of the system call used | 0 |
| args | Yes | Arguments of the system call used | {'filename': 'THIS IS SP... SHELLCODE !', 'argv': ['THIS IS SP... SHELLCODE !'], 'envp': []} |
| call | Yes | Name of the system call used | sys_execve |
| stop | Yes | Marks the end of the shellcode | End of shellcode (Exit) |
| index | Yes | Internal index of the call (the key of each entry in "calls") | 0 |
Summary table of the counters in the category "encodings":

| Field | Required | Description | Values or example |
|---|---|---|---|
| encodings.count | Yes | Number of successive encodings | 1 |
| encodings.name | Yes | Encoding name | Alpha |
| encodings.options | Yes | Encoding options | EBX, 3, Mixed |
The fields part of the Codebreaker Shellcode logs
The fields part, defined by "fields", contains the same counters as the source part: refer to the source part section.
2.1.2.2.2. Codebreaker Powershell
2.1.2.2.2.1. Example of a Codebreaker Powershell alert in the WebUI
The counters are detailed in Codebreaker Powershell log data structure.
2.1.2.2.2.2. Codebreaker Powershell log example
{
"_index": "codebreaker-2023.10.11-000164",
"_type": "_doc",
"_id": "EAP8HosBeBoubSygnQy_",
"_version": 1,
"_score": 1,
"_source": {
"gcap": "gcap-xxxxxxxxx.domain.local",
"event_type": "powershell",
"state": "Exploit",
"severity": 1,
"MD5": "01c0d252b17e794fd7007fd46ec469c0",
"@version": "1",
"flow_id": "2061844798658535",
"scores": {
"proba_obfuscated": 1,
"analysis_detailed": {
"FmtStr": 198,
"StrReplace": 0,
"StartBitsTransfer": 0,
"GetContent": 0,
"CharInt": 16,
"InvokeExpression": 0,
"WebClientInvokation": 0,
"StreamWriter": 0,
"AddContent": 0,
"StrJoin": 0,
"StreamReader": 0,
"SystemIOFile": 0,
"InvokeWebRequest": 0,
"InvokeRestMethod": 0,
"Base64": 0,
"StrCat": 28,
"SetContent": 0
},
"analysis": 242
},
"dest_port": "57244",
"SHA256": "dc6b2982353692543ad03c7e87e667d916564e5eccfef97acce877aa4d5fd3fc",
"uuid": "9a1333a3-e864-478e-88ae-f9823623dfec",
"file_id": "10-11-2023T13:45:46...32_gcap-xxxxxxxxx.domain.local",
"type": "codebreaker",
"src_ip": "X.X.X.X",
"timestamp_analyzed": "2023-10-11T13:45:53.836Z",
"timestamp_detected": "2023-10-11T13:44:46.022Z",
"gcenter": "gcenter-xxx.domain.local",
"dest_ip": "X.X.X.X",
"sub_type": "powershell",
"src_port": "4242",
"@timestamp": "2023-10-11T13:45:53.836Z"
},
"fields": {
"scores.analysis_detailed.SystemIOFile": [
0
],
"scores.analysis_detailed.Base64": [
0
],
"scores.analysis_detailed.StreamWriter": [
0
],
"type": [
"codebreaker"
],
"uuid": [
"9a1333a3-e864-478e-88ae-f9823623dfec"
],
"scores.analysis_detailed.WebClientInvokation": [
0
],
"src_ip": [
"X.X.X.X"
],
"scores.analysis_detailed.StrReplace": [
0
],
"event_type": [
"powershell"
],
"scores.analysis_detailed.InvokeRestMethod": [
0
],
"sub_type": [
"powershell"
],
"flow_id": [
2061844798658535
],
"@version": [
"1"
],
"state": [
"Exploit"
],
"dest_port": [
57244
],
"scores.analysis_detailed.InvokeWebRequest": [
0
],
"severity": [
1
],
"scores.analysis_detailed.FmtStr": [
198
],
"scores.analysis_detailed.StreamReader": [
0
],
"gcenter": [
"gcenter-xxx.domain.local"
],
"scores.analysis_detailed.SetContent": [
0
],
"scores.proba_obfuscated": [
1
],
"timestamp_detected": [
"2023-10-11T13:44:46.022Z"
],
"scores.analysis_detailed.GetContent": [
0
],
"SHA256": [
"dc6b2982353692543ad03c7e87e667d916564e5eccfef97acce877aa4d5fd3fc"
],
"src_port": [
4242
],
"scores.analysis_detailed.StrCat": [
28
],
"@timestamp": [
"2023-10-11T13:45:53.836Z"
],
"scores.analysis_detailed.AddContent": [
0
],
"dest_ip": [
"X.X.X.X"
],
"file_id": [
"10-11-2023T13:45:46...32_gcap-xxxxxxxxx.domain.local"
],
"scores.analysis_detailed.StrJoin": [
0
],
"scores.analysis_detailed.InvokeExpression": [
0
],
"gcap": [
"gcap-xxxxxxxxx.domain.local"
],
"timestamp_analyzed": [
"2023-10-11T13:45:53.836Z"
],
"scores.analysis": [
242
],
"scores.analysis_detailed.StartBitsTransfer": [
0
],
"scores.analysis_detailed.CharInt": [
16
],
"MD5": [
"01c0d252b17e794fd7007fd46ec469c0"
]
}
}
2.1.2.2.2.3. Codebreaker Powershell log data structure
The logs are composed of different parts:
- the header part
- the source part, defined by "_source"
- the fields part, defined by "fields"
The header part of the Codebreaker Powershell logs
The header section contains:
{
"_index": "codebreaker-2023.10.11-000164",
"_type": "_doc",
"_id": "EAP8HosBeBoubSygnQy_",
"_version": 1,
"_score": 1,
| Field | Required | Description | Values or example |
|---|---|---|---|
| _index | Yes | Internal index | codebreaker-2023.10.11-000164 |
| _type | Yes | Default type | _doc |
| _id | Yes | Internal identifier | EAP8HosBeBoubSygnQy_ |
| _version | Yes | Internal version | 1 |
| _score | Yes | Relevance of the response to the request | 1 |
The source part of the Codebreaker Powershell logs
The source part defined by "_source" contains:
"_source": {
"gcap": "gcap-xxxxxxxxx.domain.local",
"event_type": "powershell",
"state": "Exploit",
"severity": 1,
"MD5": "01c0d252b17e794fd7007fd46ec469c0",
"@version": "1",
"flow_id": "2061844798658535",
"scores": {
"proba_obfuscated": 1,
"analysis_detailed": {
"FmtStr": 198,
"StrReplace": 0,
"StartBitsTransfer": 0,
"GetContent": 0,
"CharInt": 16,
"InvokeExpression": 0,
"WebClientInvokation": 0,
"StreamWriter": 0,
"AddContent": 0,
"StrJoin": 0,
"StreamReader": 0,
"SystemIOFile": 0,
"InvokeWebRequest": 0,
"InvokeRestMethod": 0,
"Base64": 0,
"StrCat": 28,
"SetContent": 0
},
"analysis": 242
},
"dest_port": "57244",
"SHA256": "dc6b2982353692543ad03c7e87e667d916564e5eccfef97acce877aa4d5fd3fc",
"uuid": "9a1333a3-e864-478e-88ae-f9823623dfec",
"file_id": "10-11-2023T13:45:46...32_gcap-xxxxxxxxx.domain.local",
"type": "codebreaker",
"src_ip": "X.X.X.X",
"timestamp_analyzed": "2023-10-11T13:45:53.836Z",
"timestamp_detected": "2023-10-11T13:44:46.022Z",
"gcenter": "gcenter-xxx.domain.local",
"dest_ip": "X.X.X.X",
"sub_type": "powershell",
"src_port": "4242",
"@timestamp": "2023-10-11T13:45:53.836Z"
},
| Field | Required | Description | Values or example |
|---|---|---|---|
| gcap | Yes | Name of the gcap associated with the alert | gcap-xxx.domain.local |
| event_type | Yes | Type of exploit | powershell |
| state | Yes | Result of the Codebreaker analysis (Exploit, Suspicious) | Exploit |
| severity | Yes | Analysis result code | Between 0 and 3: 0=clean, 1=infected, 2=suspicious, 3=other |
| MD5 | Yes | MD5 hash of the analyzed file | 01c0d252b17e794fd7007fd46ec469c0 |
| @version | Yes | Version of the document | 1 |
| flow_id | Yes | Unique identifier of the flow; allows the associated fileinfo to be found | 2061844798658535 |
| scores | Yes | See the summary table of the counters in the category "scores" | |
| dest_port | Yes | Destination port | 57244 |
| SHA256 | Yes | SHA256 hash of the analyzed file | dc6b2982353692543ad03c7e87e667... |
| uuid | Yes | Unique identifier of the alert | 9a1333a3-e864-478e-88ae-f9823623dfec |
| file_id | Yes | Fileinfo category: file ID | 10-11-2023T13:45:46...32_gcap-xxxxxxxxx.domain.local |
| type | Yes | Type of event | codebreaker |
| src_ip | Yes | Source IP address | X.X.X.X |
| timestamp_analyzed | Yes | Date and time of the last file scan | 2023-10-11T13:45:53.836Z |
| timestamp_detected | Yes | Date and time of the first file capture | 2023-10-11T13:44:46.022Z |
| gcenter | Yes | Name of the GCenter associated with the alert | gcenter-xxx.domain.local |
| dest_ip | Yes | Destination IP address | x.x.x.x |
| sub_type | Yes | The file subtype | powershell |
| src_port | Yes | Source port | 4242 |
| @timestamp | Yes | Timestamp analyzed | 2023-10-11T13:45:53.836Z |
Summary table of the counters in the category "scores":

| Field | Required | Description | Values or example |
|---|---|---|---|
| proba_obfuscated | Yes | Probability that the PowerShell script is obfuscated; value between 0 and 1 | 1 |
| analysis_detailed | Yes | Detailed analysis; it contains the following counters | |
| analysis_detailed.FmtStr | Yes | Integer score: number of detected FmtStr (format string) patterns | 198 |
| analysis_detailed.StrReplace | Yes | Integer score: number of detected StrReplace patterns | 0 |
| analysis_detailed.StartBitsTransfer | Yes | Start-BitsTransfer command | 0 |
| analysis_detailed.GetContent | Yes | Get-Content cmdlet used to read file data | 0 |
| analysis_detailed.CharInt | Yes | Integer score: number of detected CharInt patterns | 16 |
| analysis_detailed.InvokeExpression | Yes | Invoke-Expression cmdlet | 0 |
| analysis_detailed.WebClientInvokation | Yes | Integer score: number of detected WebClient invocation patterns | 0 |
| analysis_detailed.StreamWriter | Yes | StreamWriter object used to write a file | 0 |
| analysis_detailed.AddContent | Yes | Add-Content cmdlet, which adds content to a file or folder | 0 |
| analysis_detailed.StrJoin | Yes | Integer score: number of detected StrJoin patterns | 0 |
| analysis_detailed.StreamReader | Yes | StreamReader object used to read a file | 0 |
| analysis_detailed.SystemIOFile | Yes | System.IO.File manipulation of a file (creation, opening, copy, etc.) | 0 |
| analysis_detailed.InvokeWebRequest | Yes | Invoke-WebRequest cmdlet, which sends HTTP and HTTPS requests to a web page | 0 |
| analysis_detailed.Base64 | Yes | Integer score: number of detected Base64 patterns | 0 |
| analysis_detailed.StrCat | Yes | Function that concatenates strings | 28 |
| analysis_detailed.SetContent | Yes | Set-Content cmdlet, which writes new content to a file or replaces its existing content | 0 |
| analysis | Yes | Overall analysis score (category scores); in the example it equals the sum of the analysis_detailed counters, 198 + 16 + 28 = 242 | 242 |
The fields part of the Codebreaker Powershell logs
The fields part, defined by "fields", contains the same counters as the source part: refer to the source part section.
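As an added example (not code from the GCenter product or its documentation), the following Python script summarises the Codebreaker Shellcode and Powershell documents described in the two log data structure sections above: it maps the severity code to its documented meaning, rebuilds the WebUI "Name" from state, sub_type, MD5 and SHA256 (the separator is an assumption), orders the emulated system calls of a shellcode alert, and checks the Powershell "analysis" score against the sum of its detailed counters. The two sample documents are trimmed copies of the logs shown on this page.

```python
SEVERITY = {0: "clean", 1: "infected", 2: "suspicious", 3: "other"}  # per the tables above

# Constructed samples: trimmed copies of the two "_source" documents shown
# on this page (Shellcode and Powershell), keeping the page's own values.
SHELLCODE_DOC = {"_source": {
    "event_type": "shellcode", "state": "Exploit", "severity": 1,
    "sub_type": "Linux_x86_32", "MD5": "933b3f084048ca6...",
    "SHA256": "5017d890b00903bba30a692e673b6ba740642bad846d4f9a6ac63f3a1551a502",
    "flow_id": "2046395805270250",
    "encodings": [{"name": "Alpha", "count": 1, "options": "EBX, 3, Mixed"}],
    "calls": {"0": {"call": "sys_execve", "ret": "0", "args": "{...}"},
              "stop": "End of shellcode (Exit)"}}}
POWERSHELL_DOC = {"_source": {
    "event_type": "powershell", "state": "Exploit", "severity": 1,
    "sub_type": "powershell", "MD5": "01c0d252b17e794fd7007fd46ec469c0",
    "SHA256": "dc6b2982353692543ad03c7e87e667d916564e5eccfef97acce877aa4d5fd3fc",
    "flow_id": "2061844798658535",
    "scores": {"proba_obfuscated": 1, "analysis": 242,
               "analysis_detailed": {"FmtStr": 198, "CharInt": 16, "StrCat": 28, "Base64": 0}}}}

def severity_label(code):
    # Map the numeric severity (0-3) to its documented meaning; reject anything else.
    if code not in SEVERITY:
        raise ValueError(f"undocumented severity code: {code!r}")
    return SEVERITY[code]

def webui_name(src):
    # WebUI "Name" = state + sub_type + MD5 + SHA256 (separator assumed: a space).
    return " ".join(str(src[k]) for k in ("state", "sub_type", "MD5", "SHA256"))

def syscall_trace(src):
    # Emulated system calls ordered by numeric index; "stop" is the end marker, not a call.
    calls = src.get("calls", {})
    idx = sorted((k for k in calls if k != "stop"), key=int)
    return [(int(i), calls[i]["call"], calls[i]["ret"]) for i in idx], calls.get("stop")

def check_scores(src):
    # Overall "analysis" score versus the sum of the analysis_detailed counters.
    scores = src["scores"]
    total = sum(scores["analysis_detailed"].values())
    return scores["analysis"], total, scores["analysis"] == total

def triage(doc):
    # One summary per alert, branching on event_type because the two layouts differ.
    src = doc["_source"]
    out = {"event_type": src["event_type"], "state": src["state"],
           "severity": severity_label(src["severity"]),
           "name": webui_name(src), "flow_id": src["flow_id"]}
    if src["event_type"] == "shellcode":
        out["calls"], out["stop"] = syscall_trace(src)
        out["encodings"] = [e["name"] for e in src.get("encodings", [])]
    elif src["event_type"] == "powershell":
        out["analysis"], out["detailed_sum"], out["consistent"] = check_scores(src)
        out["proba_obfuscated"] = src["scores"]["proba_obfuscated"]
    return out
```

Running `triage(POWERSHELL_DOC)` on the page's example reports `consistent` as True, since 198 + 16 + 28 = 242; a mismatch on a real document would indicate a counter the table does not list.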
2.1.2.3. Viewing the status of Codebreaker
The current state of the engine is displayed in the Web UI `Health checks` screen.