Registry key paths that contain whitespaces are truncated about ioc-finder HOT 5 CLOSED

Thanks for finding and reporting this @Javiery3889 ! I believe I have fixed the problem, but let me know if you find other edge-cases.

from ioc-finder.

Thanks for reporting this @Javiery3889 ! And thank you for looking into the problem; that is really helpful (and most people don't do that)! I'll take a look and will hopefully have a fix soon.

from ioc-finder.

I've pushed an update to fix this issue. Thanks again for reporting! With the new implementation, there is one caveat (which I've noted in the readme):

A registry key path with a space in the final section (the part after the final \) will not be taken as part of the registry key. For example:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\ConsoleIME will be parsed as HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\ConsoleIME

and

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\ConsoleIME foo... will be parsed as HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\ConsoleIME (notice that everything after the space in the last section is removed)

from ioc-finder.

Hi @fhightower just discovered another bug regarding registry keys with multiple whitespaces, the path gets truncated as well shown below on Python 3.6.7.

from ioc_finder import find_iocs
text = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"
iocs = find_iocs(text)
print(iocs['registry_key_paths'])
# output: 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image'

However, I am unsure about the workaround this time, any advice? Thanks.

from ioc-finder.

Good catch. I'll take a look at that.

from ioc-finder.