TAP Remediation Workflow For Advanced Threat URLs

So on the other side of the fence, they are sending URLs that are hidden in other … URLs… Here is an example:

hxxps://www.google.com/url?blah=blah&url=hxxps://www.evil.com/ (hxxps added so it would show this full url string)

When I run this through the Extract plugin to grab 2 URLs, it only gets 1. I want to scan both URLs in my workflow.

A lot of times this first URL leads to the second URL and the second URL leads to another site…

Phew…that one is tricky. Extract It is doing the right thing because that is indeed one URL.

You could do string split on HTTP and see if more than 2 results come back. If so, manually extract the 2nd result.


Yea, that actually works. The array.[2] comes out with evil.com using delimiter as =
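
An alternative to splitting on a delimiter, added here as an example that is not part of the thread or of any plugin: parse the query string and collect every parameter value that is itself a URL, following nesting and percent-encoding so each hop can be scanned. The function name `nested_urls` and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

SCHEMES = ("http://", "https://")


def nested_urls(url, max_depth=5):
    """Return `url` followed by every http(s) URL embedded in its query
    parameter values or fragment, outermost first, without duplicates."""
    found = []
    queue = [(url, 0)]
    while queue:
        current, depth = queue.pop(0)
        if current in found:
            continue
        found.append(current)
        if depth >= max_depth:
            # Stop unwrapping; bounds the work on deliberately deep nesting.
            continue
        parts = urlsplit(current)
        # parse_qsl percent-decodes each value once, so an encoded inner URL
        # (https%3A%2F%2F...) is recovered just like an unencoded one.
        candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        candidates.append(unquote(parts.fragment))
        for value in candidates:
            value = value.strip()
            if value.lower().startswith(SCHEMES):
                queue.append((value, depth + 1))
    return found


if __name__ == "__main__":
    # Constructed samples: the thread's example with hxxps written as https,
    # and a doubly wrapped, percent-encoded redirect chain.
    samples = [
        "https://www.google.com/url?blah=blah&url=https://www.evil.com/",
        "https://redirect.example/out?u=https%3A%2F%2Fhop.example%2Fgo"
        "%3Fnext%3Dhttps%253A%252F%252Ffinal.example%252F",
    ]
    for sample in samples:
        for hop in nested_urls(sample):
            print(hop)
```

An unencoded inner URL that carries its own `&` parameters is ambiguous: everything after the first `&` parses as a parameter of the outer URL, so only the part before it is recovered.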