topic Re: How to know if a zip file is encrypted in XSOAR in Cortex XSOAR Discussions

How to know if a zip file is encrypted in XSOAR

Josep — Tue, 30 May 2023 09:13:16 GMT

Hello,

We'd like to know if a zip file is encrypted inside a playbook or a automation. The way in which XSOAR works with these files does not allow the use of python libraries. Is there a way through the File context value to know if the file is encrypted?

Re: How to know if a zip file is encrypted in XSOAR

gyldz — Tue, 30 May 2023 12:21:38 GMT

Hi @Josep , if you use zipfile instead of 7z while unzipping, the error will be provided if the zip file is protected. You can handle the error in the playbook to catch if the zip is password protected.

!UnzipFile entryID=${File.EntryID} zipTool="zipfile"

Reason

zipfile couldn't extract this file - try using zipTool=7z If you already tried both zipfile and 7z check that the zip file is valid. File <ZipInfo filename=filename compress_type=deflate filemode='-rw-r--r--' file_size=1118 compress_size=624> is encrypted, password required for extraction

Re: How to know if a zip file is encrypted in XSOAR

chrking — Wed, 31 May 2023 00:09:41 GMT

I'm confused by this statement: "The way in which XSOAR works with these files does not allow the use of python libraries." If you use a custom automation with a custom docker image you can import and use basically any library you want, I don't understand what the the restriction would be here.

Re: How to know if a zip file is encrypted in XSOAR

gyldz — Wed, 31 May 2023 07:27:09 GMT

Yes building your automation for this purpose is another solution. You can use the built-in command "/docker_image_create" and specify other parameters. The only potential issue is you won't be able to delete dockers from the UI. You will need to go into the server to delete them.

/docker_image_create name=<name_here> base=<base_image> dependencies=<comma_seperated_deps>

I hope this helps.

Re: How to know if a zip file is encrypted in XSOAR

shcrews — Thu, 01 Jun 2023 15:31:34 GMT

This may help, in the wrar section of the script there is reference to passing the password if encrypted.

https://xsoar.pan.dev/docs/reference/scripts/unzip-file , line 125 in the editor.

Re: How to know if a zip file is encrypted in XSOAR

Josep — Tue, 06 Jun 2023 11:35:26 GMT

Thanks for the response.

We are using Graph to get the files in sharepoint. This forces us that when we download the file it can only be placed in the context with the name "File". If we try to use this format within an automation, the output is not valid for processing. This is why you cannot download and use a downloaded file in the same automation, it must first be placed in the context in the XSOAR format and then used in the automation.

Re: How to know if a zip file is encrypted in XSOAR

Josep — Tue, 06 Jun 2023 11:38:35 GMT

Thanks for the reply.

We want to check that the file can carry malware, for this we use a sandbox that only works if the file does not contain a password. This is why we don't want to open the file, just check if it has a password.

Re: How to know if a zip file is encrypted in XSOAR

chrking — Wed, 07 Jun 2023 04:20:55 GMT

It sounds like you could implement your playbook with logic something like this to meet your requirements:

Fetch file from Graph (file entry ID is written to context) -> Conditional task which calls a custom automation, where the custom integration uses the python zipfile (or similar) library to determine if the zip is encrypted, then returns the result

-> (If unencrypted) sends to sandbox / (else) do other custom processing for encrypted zips.