This artifact can be used to extract all binary exports to research potential lolbins. Selecting the AllBinaryInfo tickbox will return complete Binary information.
name: Windows.Binary.Exports
author: Matt Green - @mgreen27
description: |
This artifact can be used to extract all binary exports to research
potential lolbins. Selecting the AllBinaryInfo tickbox will return
complete Binary information.
type: CLIENT
parameters:
- name: TargetGlob
default: C:/ProgramData/*
description: Glob to target
- name: AllBinaryInfo
type: bool
description: Select to extract all binary info
sources:
- query: |
Let Targets = SELECT * FROM glob(globs=TargetGlob)
WHERE NOT IsDir
LET all_binary_info = SELECT
dict(OSPath=OSPath,Name=Name,Size=Size,IsLink=IsLink) as FileDetails,
dict(Mtime=Mtime,Atime=Atime,Ctime=Ctime,Btime=Btime) as SI,
parse_pe(file=OSPath) as BinaryInfo,
authenticode(filename=OSPath) as Authenticode,
hash(path=OSPath) as Hash
FROM Targets
WHERE BinaryInfo
LET binary_exports = SELECT
dict(OSPath=OSPath,Name=Name,Size=Size,IsLink=IsLink) as FileDetails,
parse_pe(file=OSPath).Exports as Exports
FROM Targets
WHERE Exports
SELECT * FROM if(condition=AllBinaryInfo,
then=all_binary_info,
else=binary_exports)