
special character parse_json_array: invalid character '\x15' in string literal #3962

Open
IRPsych opened this issue Dec 10, 2024 · 6 comments

Comments

@IRPsych

IRPsych commented Dec 10, 2024

Guys, there is an invalid character when VRaptor runs hunts and parses data to get stdout. This character is (\x15) and it will not return any results on any hunt that has it. This will lead analysts to jump to the conclusion that the hunt went okay and nothing is there.

@scudette
Contributor

I guess the issue here is that parse_json_array() is emitting the error at INFO level and not ERROR level. Therefore it is hard to know that the collection failed. We should emit this error at the ERROR level since it is probably a serious error.

Error handling is discussed here: https://docs.velociraptor.app/docs/vql/#vql-error-handling

It is not necessary that the collection be marked as failed when some errors occur - users should always check the query error logs

@IRPsych
Author

IRPsych commented Dec 10, 2024

Yep, not from the collection but from the JSON parser; it somehow decided not to return anything.

I ran the same collection against the same data through PowerShell and I was able to retrieve what I wanted in JSON.

@IRPsych IRPsych closed this as completed Dec 10, 2024
@IRPsych IRPsych reopened this Dec 10, 2024
@scudette
Contributor

This is probably a bug with the VQL - can you attach the exact artifact you ran?

Usually when filtering the output of PowerShell it will be Unicode UTF-16 encoded and needs to be decoded before further processing.

@IRPsych
Author

IRPsych commented Dec 11, 2024

Sure, here is the artifact details:
Name: Exchange.Windows.ActiveDirectory.PrivilegedUsers

best,

@IRPsych IRPsych closed this as completed Dec 11, 2024
@IRPsych IRPsych reopened this Dec 11, 2024
@scudette
Contributor

It is difficult to replicate this artifact because it needs to run on a system with Remote Server Administration Tools (RSAT) installed so the ActiveDirectory PowerShell module is present, and it also needs to be domain joined to an AD server.

In general, if you have an issue parsing the output of PowerShell it is worth seeing the exact output so you can understand what is going wrong.

I would replace the last query in the artifact with

    SELECT Stdout, parse_json_array(data=Stdout) AS Output
    FROM execve(argv=["powershell",
                      "-ExecutionPolicy", "Unrestricted", "-encodedCommand",
                      base64encode(string=utf16_encode(string=script))],
                length=1000000)

I added the Stdout column but kept the other columns as they are in the artifact. If you collect this on a system where the PowerShell script should work you will see the output and see why it is not properly parsing.

Likely the issue is that the endpoint is failing to run the script at all (or even does not have the right product type) so the script is giving an empty string (which is not a valid json array).
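Decoding and validating the raw Stdout before it reaches a JSON parser, as an added worked example in Python that is not part of this issue or of Velociraptor's own code. The sample blobs are constructed, the function names are hypothetical, and the block mirrors the three failure modes raised in the thread: a raw 0x15 control byte inside a string literal (which is what the Go encoding/json message in the issue title reports, since JSON forbids unescaped U+0000..U+001F inside strings), UTF-16 encoded PowerShell output, and an empty stdout. Each is reported as an ERROR-level message alongside whatever rows could be recovered, rather than silently returning nothing.

```python
import codecs
import json
import re
from typing import Any

# Constructed sample stdout blobs (not real hunt output) standing in for what
# execve() hands to parse_json_array() as Stdout.
SAMPLE_OK = b'[{"Name": "Administrator", "Enabled": true}]'
SAMPLE_CTRL = b'[{"Name": "svc\x15acct", "Enabled": true}]'  # raw 0x15 in a string literal
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + '[{"Name": "Administrator"}]'.encode("utf-16-le")
SAMPLE_EMPTY = b""

# Control characters that can never appear unescaped inside a JSON string.
# Tab, LF and CR are excluded: they are legal whitespace between tokens.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")


def decode_stdout(raw: bytes) -> str:
    """Decode PowerShell stdout, which is frequently UTF-16LE with a BOM."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(codecs.BOM_UTF16_BE):
        return raw[2:].decode("utf-16-be", errors="replace")
    # Heuristic for BOM-less UTF-16LE: ASCII text has a NUL in every odd byte.
    if len(raw) >= 4 and len(raw) % 2 == 0 and set(raw[1::2]) == {0}:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def parse_json_array(raw: bytes) -> tuple[list[Any], list[str]]:
    """Return (rows, errors). errors is non-empty whenever rows may be incomplete."""
    errors: list[str] = []
    text = decode_stdout(raw).strip()
    if not text:
        # An empty string is not a valid JSON array: the script did not run or
        # produced no output, which must not look like "no privileged users".
        errors.append("ERROR: empty stdout; the script did not run or produced no output")
        return [], errors
    try:
        rows = json.loads(text)
    except json.JSONDecodeError as e:
        bad = text[e.pos:e.pos + 1]
        errors.append(f"ERROR: invalid JSON at offset {e.pos}: {e.msg} (char {bad!r})")
        # Lossy recovery: drop control bytes that cannot occur in JSON strings
        # and retry, but keep the ERROR so the analyst knows data was altered.
        cleaned, n = _CONTROL_RE.subn("", text)
        if n == 0:
            return [], errors
        try:
            rows = json.loads(cleaned)
        except json.JSONDecodeError:
            return [], errors
        errors.append(f"WARNING: recovered after removing {n} control character(s); "
                      "string values may be altered")
    if not isinstance(rows, list):
        errors.append("ERROR: top-level JSON value is not an array")
        return [], errors
    return rows, errors


if __name__ == "__main__":
    for label, blob in [("ok", SAMPLE_OK), ("ctrl", SAMPLE_CTRL),
                        ("utf16", SAMPLE_UTF16), ("empty", SAMPLE_EMPTY)]:
        rows, errs = parse_json_array(blob)
        print(label, len(rows), "row(s)", errs)
```

The recovery step is deliberately lossy and flagged: a 0x15 inside a value such as an account name changes the value, so the row is only trustworthy together with the logged ERROR, which is the same point made above about always reading the query error logs.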

@IRPsych
Author

IRPsych commented Dec 12, 2024

Thanks a lot for your prompt response.
That's got to do.
Cheers,
