Endpoint Protection

  • 1.  Using REST API for getting suspicious files from endpoints

    Posted May 19, 2019 11:31 AM

This is referring to https://www.symantec.com/connect/forums/using-rest-api-getting-suspicious-files-endpoints-need-help


    As per https://apidocs.symantec.com/home/saep#_send_a_suspicious_file_to_symantec_endpoint_protection_manager I was able to issue a "/api/v1/command-queue/files" command successfully which then returned the commandID.

    Based on this ID I found the [BINARY_RESULTS_ID] in the [COMMAND] table with the given [COMMAND_ID] to run the "/api/v1/command-queue/file/{file_id}/content" successfully, too.

After saving the output to a file I was able to open the "archive" and saw two files:

    - binary file
    - metadata.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <MetaFile>
    <File Key="128" OriginalFileName="\\?\C:\Windows\System32\notepad.exe" OriginalFilePath="\\?\C:\Windows\System32" FileName="fa2258b2cc57610861ed1279079e2854cce6768178fe7b3e952a56a990403e66" FileSource="filesystem" FileXORed="true"/>
    </MetaFile>

The only issue I'm facing now is that I'm unsure how to "convert" the binary file back to its original format (.exe).
I guess you would have to remove the XOR encryption.



  • 2.  RE: Using REST API for getting suspicious files from endpoints

    Posted May 19, 2019 12:39 PM


  • 3.  RE: Using REST API for getting suspicious files from endpoints

    Posted Oct 06, 2020 12:03 PM
    Edited by sschaupp Oct 06, 2020 12:17 PM
    The en/decryption key actually is mentioned in the metadata file and is not the key-length: 128 / 0x80
    Wherefore the whole fetch and XOR process can be combined into a single script.

    GetFile_SEPM-API.ps1 -file "c:\windows\notepad.exe" -hash E5D90BEEB6F13F4613C3153DABBD1466F4A062B7252D931F37210907A7F914F7 -machineid 123xyz
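Putting post 1 (the archive holds a binary file plus metadata.xml) and post 3 (the XOR key is the Key attribute, 128 = 0x80) together, here is an added Python example that decodes such an archive offline; it is not code from the thread, from the script named above, or from Symantec. It assumes the downloaded content is a zip, that the one member other than metadata.xml is the XORed binary, and that the FileName attribute is the SHA-256 of the original file (used only as a consistency check); the sample archive is constructed inline.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; it is its own inverse, so it both encodes and decodes."""
    return bytes(b ^ key for b in data)

def decode_archive(archive: bytes) -> dict:
    """Read the key from metadata.xml, undo the XOR on the binary member, verify the hash."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        meta = ET.fromstring(zf.read("metadata.xml")).find("File")
        key = int(meta.get("Key"))            # "128" in the thread, i.e. 0x80
        if not 0 <= key <= 0xFF:
            raise ValueError(f"Key {key} is not a single-byte XOR key")
        blobs = [n for n in zf.namelist() if n != "metadata.xml"]
        if len(blobs) != 1:
            raise ValueError(f"expected one binary member, found {blobs}")
        raw = zf.read(blobs[0])
    content = xor_bytes(raw, key) if meta.get("FileXORed") == "true" else raw
    digest = hashlib.sha256(content).hexdigest()
    return {
        "original_name": meta.get("OriginalFileName"),
        "content": content,
        "sha256": digest,
        # Assumption: FileName holds the SHA-256 of the original (un-XORed) file.
        "hash_matches": digest == (meta.get("FileName") or "").lower(),
    }

# Constructed stand-in for the captured binary (not a real executable).
SAMPLE_PLAIN = b"MZ\x90\x00" + b"constructed stand-in for notepad.exe" * 3
ORIGINAL_PATH = r"\\?\C:\Windows\System32\notepad.exe"

def build_sample_archive(plain: bytes = SAMPLE_PLAIN, key: int = 0x80) -> bytes:
    """Pack a sample the way the thread describes: metadata.xml plus a XORed binary."""
    sha = hashlib.sha256(plain).hexdigest()
    meta = ('<?xml version="1.0" encoding="UTF-8"?>\n<MetaFile>'
            f'<File Key="{key}" OriginalFileName="{ORIGINAL_PATH}" '
            f'FileName="{sha}" FileSource="filesystem" FileXORed="true"/></MetaFile>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("metadata.xml", meta)
        zf.writestr(sha, xor_bytes(plain, key))   # binary member named by its hash
    return buf.getvalue()

if __name__ == "__main__":
    r = decode_archive(build_sample_archive())
    print(r["original_name"], r["sha256"], "hash ok" if r["hash_matches"] else "hash MISMATCH")
```

A mismatch between the recomputed digest and FileName is the first sign that the wrong key or the wrong member was used, so check it before handing the decoded file to analysis tooling.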