TAP Remediation Workflow For Advanced Threat URLs

hayden_redd · March 2, 2021, 4:17pm

so on the other side of the fence, they are sending URLs that are hidden in other … URLs… Here is an example

hxxps://www.google.com/url?blah=blah&url=hxxps://www.evil.com/ (hxxps added so it would show this full url string)

When I run this through the Extract plugin to grab 2 urls it only gets 1. I want to scan both URLs in my workflow.

A lot of times this first URL leads to the second URL and the second URL leads to another site…

joey_mcadams · March 2, 2021, 5:15pm

Phew…that one is tricky. Extract It is doing the right thing because that is indeed one URL.

You could do string split on HTTP and see if more than 2 results come back. If so, manually extract the 2nd result.

hayden_redd · March 2, 2021, 5:24pm

yea that actually works. The array.[2] comes out with evil.com using delimiter as =