Calculate the Gimphash for a Golang binary.
See: https://github.com/NextronSystems/gimphash
This artifact can be called from within another artifact (such as one looking for Golang binaries) to enrich the data made available by that artifact.
Ex.
SELECT * from Artifact.Server.Enrichment.Gimphash(File=$YOURFILE)
NOTE: You will need to change the tool URL if using Linux as your server OS.
name: Exchange.Server.Enrichment.Gimphash
description: |
Calculate the Gimphash for a Golang binary.
See: https://github.com/NextronSystems/gimphash
This artifact can be called from within another artifact (such as one looking for Golang binaries) to enrich the data made available by that artifact.
Ex.
`SELECT * from Artifact.Server.Enrichment.Gimphash(File=$YOURFILE)`
NOTE: You will need to change the tool URL if using Linux as your server OS.
author: Wes Lambert -- @therealwlambert
tools:
- name: Gimphash
url: https://github.com/NextronSystems/gimphash/releases/download/0.2.0/go_gimphash_windows.exe
parameters:
- name: File
type: string
description: File for which Gimphash is to be calculated
default:
sources:
- query: |
LET GH <= SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="Gimphash", IsExecutable=FALSE)
LET ExecGH <= SELECT * FROM execve(argv=[
GH.FullPath[0], File])
SELECT grok(grok=("%{DATA:gimphash} %{GREEDYDATA:file}"), data=Stdout).file AS File, grok(grok=("%{DATA:gimphash} %{GREEDYDATA:file}"), data=Stdout).gimphash AS Gimphash FROM ExecGH