Convert BYTE to STRING

Hi All,

Is it possible to convert BYTE to a STRING in YARA-L?

Getting error: Validating intermediate representation: expect type [string], got type bytes for "Factory(e.udm.principal.process.commmand_line)

Use case: convert input hex string to base64 and base64 to readable format.

1 ACCEPTED SOLUTION

Based on the screenshot and what you are looking to do, I'm not sure if you need to do that.

The process.command_line field is a string, so even if there is hex within it, you would need to break it out into a placeholder variable before running any conversions on it. Below is a blog where I use base64 decode with encoded PowerShell, but I also use re.regex in this example to extract the base64 and then decode it.

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-The-Replacements/ba-p/72...

 


@jstoner Thanks for the links. The below approach works if anything that is hex needs to be converted to a readable format or used in a filter condition.

Example

Input string => "E4B88AE6B5B72BE4B8ADE59C8B"
Expected output string => "%E4%B8%8A%E6%B5%B7%2B%E4%B8%AD%E5%9C%8B"

$command_line = strings.url_decode(re.replace($e.principal.process.command_line, /(..)/, /%\1/))

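The transformation from the reply above, reproduced offline in Python so a rule author can check what the placeholder will hold before writing the filter. This is an added example, not code from the thread or from Google SecOps. The function names, the 4-byte minimum run length and the sample command line are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: only runs of at least 4 whole hex bytes are treated as encoded data.
HEX_RUN = re.compile(r"\b(?:[0-9A-Fa-f]{2}){4,}\b")

def percent_encode_pairs(text):
    """Step from the thread: put '%' in front of every two characters."""
    return re.sub(r"(..)", r"%\1", text)

def decode_like_thread(text):
    """Pair-prefix, then URL-decode. Correct only when text is pure hex."""
    return unquote(percent_encode_pairs(text), errors="replace")

def decode_hex_runs(text):
    """Decode only the hex runs inside a longer string and leave the
    rest untouched; a run that is not valid UTF-8 is kept as-is."""
    def _decode(match):
        try:
            return bytes.fromhex(match.group(0)).decode("utf-8")
        except UnicodeDecodeError:
            return match.group(0)
    return HEX_RUN.sub(_decode, text)

HEX_INPUT = "E4B88AE6B5B72BE4B8ADE59C8B"              # input string from the thread
SAMPLE_CMD = "tool.exe --name " + HEX_INPUT           # constructed command line

if __name__ == "__main__":
    print(percent_encode_pairs(HEX_INPUT))   # intermediate form shown in the thread
    print(decode_like_thread(HEX_INPUT))     # readable text
    # On a full command line, non-hex pairs also get a '%' prefix and survive
    # URL-decoding as literal junk, so the value no longer matches a clean filter.
    print(decode_like_thread(SAMPLE_CMD))
    print(decode_hex_runs(SAMPLE_CMD))       # only the hex run is decoded
```

When the hex is embedded in a longer command line, extract it into its own placeholder first, as the accepted solution suggests, and apply the pair-prefix step only to that extracted value.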