Evolved into an attack vector method, malicious QR codes are seamlessly embedded in emails and documents, deceiving the victim into scanning and reading them.
The above news articles are just a few I have been able to find on the topic.
Well, a good start would be to add the capability to XSOAR to detect and read these QR codes, extract the data and the URL (if available) and do what we always do: enrich and respond.
import cv2
def detect_qrcode_image(path):
img = cv2.imread(path)
detect = cv2.QRCodeDetector()
value, points, straight_qrcode = detect.detectAndDecode(img)
if points is not None:
result = { "Detected" : True, "Value" : str(value)}
else:
result = { "Detected" : False}
return CommandResults(
outputs_prefix="QR.Data",
outputs=result
)
def main():
try:
entry_id = demisto.args().get('entry_id')
file_path = demisto.executeCommand("getFilePath", {
"id": entry_id
})[0].get('Contents').get('path')
return_results(detect_qrcode_image(file_path))
except Exception as ex:
demisto.error(traceback.format_exc()) # print the traceback
return_error(f'Failed to execute qrcodereader. Error: {str(ex)}')
if __name__ in ('__main__', '__builtin__', 'builtins'):
main()
The above code only needs the demisto/opencv container, at the time of writing, the version was 1.0.0.78792.
So now we can simply use this code as automation in our playbooks or playground to extract the value, which will be stored under QR in the context data.
Help other community members know this post is helpful by giving it a thumbs up!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
| Subject | Likes |
|---|---|
| 3 Likes | |
| 2 Likes | |
| 1 Like | |
| 1 Like | |
| 1 Like |
