RTR_GetExtractedFileContents Stream Files to Disk Example

[modubyk]

Is anyone able to share an example of using the RTR_GetExtractedFileContents method to stream a file's contents to disk without storing the content in memory?

[jshcodes]

I've started researching this question, and have working code for the file download piece.

I'm still working on proving out that the contents of the file are not stored in memory during execution (zipped or not), but figured we could use this code to start the discussion.

Flag

This is the test file I planted as a flag on a host in my test environment.

                  _________-----_____
       _____------           __      ----_
___----             ___------              \
   ----________        ----                 \
               -----__    |             _____)
                    __-                /     \
        _______-----    ___--          \    /)\
  ------_______      ---____            \__/  /
               -----__    \ --    _          /\
                      --__--__     \_____/   \_/\
                              ----|   /          |
                                  |  |___________|
                                  |  | ((_(_)| )_)
       FLAG CAPTURED!             |  \_((_(_)|/(_)
                                  \             (
                                   \_____________)

Testing code

A couple of notes:

• I'm using a local configuration file to store the API credentials for this scenario. This file is in JSON format and contains two values, "falcon_client_id" and "falcon_client_secret".
• I'm using py7zr to extract the archive after executing RTR_GetExtractedFileContents.
• I'm intentionally writing the result of the API request straight to the file, but still need to prove that Python doesn't just throw it in a temporary variable anyway.
• Properly done, this solution should use the cloud_request_id to check the status of the request. I cheated and just wait 5 seconds.
• After executing the code, the file should be saved to a folder called "retrieved" and the associated zip should be removed.

import os
import json
import time
import py7zr
from falconpy import real_time_response as RTR

with open('config.json', 'r') as file_config:
    config = json.loads(file_config.read())

device_id = "DEVICE_ID_WOULD_GO_HERE"
target_file = "/home/ec2-user/flag.txt"
destination_file = "result.zip"
falconRTR = RTR.Real_Time_Response(creds={
    "client_id": config["falcon_client_id"],
    "client_secret": config["falcon_client_secret"]
    }
)

session = falconRTR.RTR_InitSession(body={"device_id": device_id})
if session["body"]["errors"]:
    print(session["body"]["errors"][0]["message"])
else:
    session_id = session["body"]["resources"][0]["session_id"]
    print("Session started")

    result = falconRTR.RTR_ExecuteActiveResponderCommand(body={
        "base_command": "get",
        "command_string": f"get {target_file}",
        "session_id": session_id,
        "device_id": device_id
        }
    )
    print("Get request executed")
    request_id = result["body"]["resources"][0]["cloud_request_id"]
    print(f"Sleeping for 5 seconds to wait on request: {request_id}")
    time.sleep(5)
    files = falconRTR.RTR_ListFiles(parameters={"session_id": session_id})
    print("Searching available files")
    if files["body"]["resources"]:
        for item in files["body"]["resources"]:
            if item["cloud_request_id"] == request_id:
                sha = item["sha256"]
                print(f"Requested file found: {sha}")
        print("Saving requested file archive")
        open(destination_file, "wb").write(
            falconRTR.RTR_GetExtractedFileContents(parameters={
                "session_id": session_id,
                "sha256": sha,
                "filename": target_file
            })
        )
        print("Extracting archive")
        # There are a couple of ways to do this. 
        # This method I'm pretty sure has the archive file in memory, 
        # so if that's an issue we might have to try something else. 
        # The file inside the archive wouldn't be loaded until it's extracted, 
        # but at that point could also be resident as a pointer
        # (or as it's contents depending on how the extraction works).
        archive = py7zr.SevenZipFile(destination_file, mode="r", password="infected")
        archive.extractall(path="./retrieved")
        archive.close()
        print("Cleaning up")
        if os.path.exists(destination_file):
            os.remove(destination_file)
        
    else:
        print("File was not retrieved successfully")

Sample execution

Here's an example of my testing from my local machine:

√ src % python3 GetExtractedFileContents_example.py
Session started
Get request executed
Sleeping for 5 seconds to wait on request: b606d4e7-3a49-REDACTED
Searching available files
Requested file found: 644b12071dc36f243e847b2fb093d88378aREDACTED
Saving requested file archive
Extracting archive
Cleaning up
√ src % cat retrieved/flag.txt

                  _________-----_____
       _____------           __      ----_
___----             ___------              \
   ----________        ----                 \
               -----__    |             _____)
                    __-                /     \
        _______-----    ___--          \    /)\
  ------_______      ---____            \__/  /
               -----__    \ --    _          /\
                      --__--__     \_____/   \_/\
                              ----|   /          |
                                  |  |___________|
                                  |  | ((_(_)| )_)
       FLAG CAPTURED!             |  \_((_(_)|/(_)
                                  \             (
                                   \_____________)

[modubyk]

Thank you Josh! I appreciate the detailed example and quick turnaround. Worked great for me. The only difference in my implementation is the use of 7z tool rather then py7zr. It appears py7zr holds the contents in memory where as 7z will not. Thanks again!

with open(staging_dir + staging_file + ".7z", "wb") as f: 
	f.write(
	falconRTR.RTR_GetExtractedFileContents(parameters={
                "session_id": session_id,
                "sha256": sha,
                "filename": target_file
            })
	)
os.system("7z e -pinfected -so \"{}.7z\" > \"{}\"".format(staging_dir + staging_file, staging_dir + staging_file))
os.remove(staging_dir + staging_file + ".7z")

[jshcodes]

Happy to help. Let us know if there are any more questions! 😎