jsdet_cli/

ioc.rs

/// IOC (Indicator of Compromise) extraction from observations.
///
/// After detonation, the researcher wants:
/// - What C2 URLs were contacted?
/// - What data was exfiltrated?
/// - What decoded payloads were executed?
/// - What credential harvesting infrastructure was set up?
/// - What persistence mechanisms were installed?
///
/// This module extracts all of that from raw observations automatically.
///
use std::collections::HashSet;

use jsdet_core::Observation;

/// Extracted IOCs from a detonation.
#[derive(Debug, Default)]
pub struct IocReport {
    /// C2/exfiltration URLs contacted.
    pub c2_urls: Vec<C2Url>,
    /// Decoded payloads from eval(atob(...)) chains.
    pub decoded_payloads: Vec<DecodedPayload>,
    /// Credential harvesting infrastructure.
    pub credential_forms: Vec<CredentialForm>,
    /// Data exfiltrated (cookies, UA, etc.).
    pub exfiltrated_data: Vec<ExfilData>,
    /// Persistence mechanisms.
    pub persistence: Vec<Persistence>,
    /// Redirect chain.
    pub redirects: Vec<String>,
    /// All external domains referenced.
    pub domains: Vec<String>,
    /// Crypto wallet interactions.
    pub crypto_iocs: Vec<CryptoIoc>,
    /// Clipboard manipulation.
    pub clipboard_iocs: Vec<ClipboardIoc>,
}

#[derive(Debug)]
#[allow(dead_code)]
pub struct CryptoIoc {
    pub chain: String,
    pub method: String,
    pub addresses: Vec<String>,
    pub signing_method: Option<String>,
    pub observation_index: usize,
}

#[derive(Debug)]
#[allow(dead_code)]
pub struct ClipboardIoc {
    pub operation: String,
    pub content: Option<String>,
    pub observation_index: usize,
}

#[derive(Debug)]
#[allow(dead_code)]
pub struct C2Url {
    pub url: String,
    pub method: String,
    pub contains_encoded_data: bool,
    pub observation_index: usize,
}

#[derive(Debug)]
#[allow(dead_code)]
pub struct DecodedPayload {
    pub encoded: String,
    pub decoded: String,
    pub observation_index: usize,
}

#[derive(Debug)]
pub struct CredentialForm {
    pub action_url: String,
    pub fields: Vec<String>,
}

#[derive(Debug)]
pub struct ExfilData {
    pub data_type: String,
    pub encoding: String,
    pub destination: String,
}

#[derive(Debug)]
pub struct Persistence {
    pub mechanism: String,
    pub key: String,
    pub value: String,
}

/// Extract IOCs from observations.
pub fn extract_iocs(observations: &[Observation]) -> IocReport {
    let mut report = IocReport::default();
    let mut seen_urls = HashSet::new();
    let mut seen_domains = HashSet::new();
    let mut current_form_action = String::new();
    let mut current_form_fields = Vec::new();

    for (i, obs) in observations.iter().enumerate() {
        match obs {
            Observation::ApiCall { api, args, .. } => {
                let args_str: Vec<String> = args.iter().map(|a| a.to_string()).collect();
                let first_arg = parse_first_arg(args);

                // C2 URLs from fetch/XHR
                if (api == "fetch" || api.contains("xhr.send"))
                    && let Some(url) = &first_arg
                    && url.starts_with("http")
                    && seen_urls.insert(url.clone())
                {
                    let contains_encoded = url.contains("base64") || has_base64_segments(url);
                    report.c2_urls.push(C2Url {
                        url: url.clone(),
                        method: parse_second_arg(args).unwrap_or_else(|| "GET".into()),
                        contains_encoded_data: contains_encoded,
                        observation_index: i,
                    });
                    if let Some(domain) = extract_domain(url)
                        && seen_domains.insert(domain.clone())
                    {
                        report.domains.push(domain);
                    }

                    // Check for exfiltrated data in URL
                    if url.contains("cookie") || url.contains("c=") {
                        report.exfiltrated_data.push(ExfilData {
                            data_type: "cookies".into(),
                            encoding: if has_base64_segments(url) {
                                "base64"
                            } else {
                                "plaintext"
                            }
                            .into(),
                            destination: url.clone(),
                        });
                    }
                    if url.contains("ua=") || url.contains("useragent") {
                        report.exfiltrated_data.push(ExfilData {
                            data_type: "user-agent".into(),
                            encoding: if has_base64_segments(url) {
                                "base64"
                            } else {
                                "plaintext"
                            }
                            .into(),
                            destination: url.clone(),
                        });
                    }
                }

                // Taint sink reached — confirmed vulnerability
                if api == "taint_sink_reached"
                    && let Some(sink) = &first_arg
                {
                    report.decoded_payloads.push(DecodedPayload {
                        encoded: format!("TAINT→{sink}"),
                        decoded: format!("User-controlled data reached {sink}()"),
                        observation_index: i,
                    });
                }

                // Decoded payloads from eval
                if (api == "eval" || api == "Function")
                    && let Some(code) = &first_arg
                    && !code.is_empty()
                    && code.len() > 5
                {
                    report.decoded_payloads.push(DecodedPayload {
                        encoded: format!("{api}(...)"),
                        decoded: code.clone(),
                        observation_index: i,
                    });
                }

                // Form action set
                if api.contains("setAttribute") {
                    let attr_name = parse_second_arg(args).unwrap_or_default();
                    let attr_value = parse_third_arg(args).unwrap_or_default();
                    if attr_name == "action" && attr_value.starts_with("http") {
                        current_form_action = attr_value.clone();
                        if let Some(domain) = extract_domain(&attr_value)
                            && seen_domains.insert(domain.clone())
                        {
                            report.domains.push(domain);
                        }
                    }
                    if attr_name == "type" {
                        current_form_fields.push(attr_value.clone());
                    }
                    if attr_name == "name" && !attr_value.is_empty() {
                        // Update the last field with its name
                        if let Some(last) = current_form_fields.last_mut() {
                            *last = format!("{} ({})", last, attr_value);
                        }
                    }
                }

                // Redirect
                if (api.contains("location.href.set")
                    || api.contains("location.assign")
                    || api.contains("location.replace"))
                    && let Some(url) = &first_arg
                    && url.starts_with("http")
                {
                    report.redirects.push(url.clone());
                    if let Some(domain) = extract_domain(url)
                        && seen_domains.insert(domain.clone())
                    {
                        report.domains.push(domain);
                    }
                }

                // Crypto wallet IOCs
                if api == "ethereum.request"
                    || api.starts_with("crypto.sign")
                    || api.starts_with("crypto.send")
                    || api.starts_with("crypto.solana")
                    || api.starts_with("crypto.chain")
                    || api == "solana.connect"
                {
                    let method = first_arg.clone().unwrap_or_default();
                    let chain = if api.contains("solana") {
                        "solana"
                    } else {
                        "ethereum"
                    };
                    let signing = if api.contains("sign") || api.contains("send_transaction") {
                        Some(method.clone())
                    } else {
                        None
                    };

                    // Extract wallet addresses from args
                    let mut addresses = Vec::new();
                    for arg_str in &args_str {
                        // Ethereum addresses: 0x + 40 hex chars
                        for word in arg_str.split(|c: char| !c.is_ascii_alphanumeric() && c != 'x')
                        {
                            if word.starts_with("0x")
                                && word.len() >= 42
                                && word[2..].chars().all(|c| c.is_ascii_hexdigit())
                            {
                                addresses.push(word.to_string());
                            }
                        }
                    }

                    report.crypto_iocs.push(CryptoIoc {
                        chain: chain.into(),
                        method,
                        addresses,
                        signing_method: signing,
                        observation_index: i,
                    });
                }

                // Clipboard IOCs
                if api.starts_with("clipboard.") {
                    let operation = if api.contains("write") {
                        "write"
                    } else {
                        "read"
                    };
                    report.clipboard_iocs.push(ClipboardIoc {
                        operation: operation.into(),
                        content: if operation == "write" {
                            first_arg.clone()
                        } else {
                            None
                        },
                        observation_index: i,
                    });
                }

                // localStorage/sessionStorage persistence
                if api.contains("Storage.setItem") || api.contains("storage.set") {
                    let key = first_arg.unwrap_or_default();
                    let value = parse_second_arg(args).unwrap_or_default();
                    report.persistence.push(Persistence {
                        mechanism: if api.contains("local") {
                            "localStorage"
                        } else {
                            "sessionStorage"
                        }
                        .into(),
                        key,
                        value,
                    });
                }
            }

            Observation::NetworkRequest { url, method, .. } => {
                if seen_urls.insert(url.clone()) {
                    report.c2_urls.push(C2Url {
                        url: url.clone(),
                        method: method.clone(),
                        contains_encoded_data: has_base64_segments(url),
                        observation_index: i,
                    });
                }
            }

            _ => {}
        }
    }

    // Finalize credential form if we collected fields
    if !current_form_action.is_empty() || !current_form_fields.is_empty() {
        report.credential_forms.push(CredentialForm {
            action_url: current_form_action,
            fields: current_form_fields,
        });
    }

    report
}

impl IocReport {
    /// Format as a structured terminal report.
    pub fn format_text(&self) -> String {
        let mut out = String::new();
        let bold = "\x1b[1m";
        let red = "\x1b[91m";
        let yellow = "\x1b[33m";
        let cyan = "\x1b[36m";
        let dim = "\x1b[2m";
        let reset = "\x1b[0m";

        if self.is_empty() {
            return format!("{dim}No IOCs extracted.{reset}\n");
        }

        out.push_str(&format!("\n{bold}IOCs Extracted:{reset}\n"));

        if !self.c2_urls.is_empty() {
            out.push_str(&format!("  {red}{bold}C2/Exfiltration URLs:{reset}\n"));
            for c2 in &self.c2_urls {
                let encoded_marker = if c2.contains_encoded_data {
                    " [encoded data]"
                } else {
                    ""
                };
                out.push_str(&format!(
                    "    {red}{} {}{encoded_marker}{reset}\n",
                    c2.method, c2.url
                ));
            }
            out.push('\n');
        }

        if !self.decoded_payloads.is_empty() {
            out.push_str(&format!("  {yellow}{bold}Decoded Payloads:{reset}\n"));
            for payload in &self.decoded_payloads {
                let preview = if payload.decoded.len() > 120 {
                    format!("{}...", &payload.decoded[..120])
                } else {
                    payload.decoded.clone()
                };
                out.push_str(&format!(
                    "    {yellow}{} → {preview}{reset}\n",
                    payload.encoded
                ));
            }
            out.push('\n');
        }

        if !self.credential_forms.is_empty() {
            out.push_str(&format!("  {red}{bold}Credential Harvesting:{reset}\n"));
            for form in &self.credential_forms {
                if !form.action_url.is_empty() {
                    out.push_str(&format!(
                        "    {red}Form action: {}{reset}\n",
                        form.action_url
                    ));
                }
                for field in &form.fields {
                    out.push_str(&format!("    {red}Field: {field}{reset}\n"));
                }
            }
            out.push('\n');
        }

        if !self.exfiltrated_data.is_empty() {
            out.push_str(&format!("  {yellow}{bold}Exfiltrated Data:{reset}\n"));
            for exfil in &self.exfiltrated_data {
                out.push_str(&format!(
                    "    {yellow}{} ({}) → {}{reset}\n",
                    exfil.data_type,
                    exfil.encoding,
                    if exfil.destination.len() > 80 {
                        format!("{}...", &exfil.destination[..80])
                    } else {
                        exfil.destination.clone()
                    }
                ));
            }
            out.push('\n');
        }

        if !self.persistence.is_empty() {
            out.push_str(&format!("  {cyan}{bold}Persistence:{reset}\n"));
            for p in &self.persistence {
                out.push_str(&format!(
                    "    {cyan}{}.{} = {}{reset}\n",
                    p.mechanism, p.key, p.value
                ));
            }
            out.push('\n');
        }

        if !self.redirects.is_empty() {
            out.push_str(&format!("  {yellow}{bold}Redirects:{reset}\n"));
            for r in &self.redirects {
                out.push_str(&format!("    {yellow}→ {r}{reset}\n"));
            }
            out.push('\n');
        }

        if !self.crypto_iocs.is_empty() {
            out.push_str(&format!("  {red}{bold}Crypto Wallet IOCs:{reset}\n"));
            for ioc in &self.crypto_iocs {
                let signing = ioc.signing_method.as_deref().unwrap_or("—");
                out.push_str(&format!(
                    "    {red}[{}] {}: signing={signing}{reset}\n",
                    ioc.chain, ioc.method
                ));
                for addr in &ioc.addresses {
                    out.push_str(&format!("      {red}Address: {addr}{reset}\n"));
                }
            }
            out.push('\n');
        }

        if !self.clipboard_iocs.is_empty() {
            out.push_str(&format!("  {yellow}{bold}Clipboard IOCs:{reset}\n"));
            for ioc in &self.clipboard_iocs {
                let content = ioc.content.as_deref().unwrap_or("(read)");
                out.push_str(&format!(
                    "    {yellow}{}: {content}{reset}\n",
                    ioc.operation
                ));
            }
            out.push('\n');
        }

        if !self.domains.is_empty() {
            out.push_str(&format!(
                "  {dim}Domains: {}{reset}\n",
                self.domains.join(", ")
            ));
        }

        out
    }

    pub fn is_empty(&self) -> bool {
        self.c2_urls.is_empty()
            && self.decoded_payloads.is_empty()
            && self.credential_forms.is_empty()
            && self.exfiltrated_data.is_empty()
            && self.persistence.is_empty()
            && self.redirects.is_empty()
            && self.crypto_iocs.is_empty()
            && self.clipboard_iocs.is_empty()
    }
}

fn parse_first_arg(args: &[jsdet_core::observation::Value]) -> Option<String> {
    args.first().and_then(|v| match v {
        jsdet_core::observation::Value::String(s, _) => {
            if s.starts_with('[') {
                serde_json::from_str::<Vec<String>>(s)
                    .ok()
                    .and_then(|arr| arr.into_iter().next())
            } else {
                Some(s.clone())
            }
        }
        _ => Some(v.to_string()),
    })
}

fn parse_second_arg(args: &[jsdet_core::observation::Value]) -> Option<String> {
    args.first().and_then(|v| match v {
        jsdet_core::observation::Value::String(s, _) if s.starts_with('[') => {
            serde_json::from_str::<Vec<String>>(s)
                .ok()
                .and_then(|arr| arr.into_iter().nth(1))
        }
        _ => args.get(1).map(|v| v.to_string()),
    })
}

fn parse_third_arg(args: &[jsdet_core::observation::Value]) -> Option<String> {
    args.first().and_then(|v| match v {
        jsdet_core::observation::Value::String(s, _) if s.starts_with('[') => {
            serde_json::from_str::<Vec<String>>(s)
                .ok()
                .and_then(|arr| arr.into_iter().nth(2))
        }
        _ => args.get(2).map(|v| v.to_string()),
    })
}

fn extract_domain(url: &str) -> Option<String> {
    let after_scheme = url.split("://").nth(1)?;
    let host = after_scheme.split('/').next()?;
    let host = host.split(':').next()?;
    if host.is_empty() || host == "127.0.0.1" || host == "localhost" {
        None
    } else {
        Some(host.to_string())
    }
}

fn has_base64_segments(url: &str) -> bool {
    // Check for long base64-like segments in URL parameters
    if let Some(query) = url.split('?').nth(1) {
        for param in query.split('&') {
            if let Some(value) = param.split('=').nth(1)
                && value.len() > 20
                && value
                    .chars()
                    .all(|c| c.is_ascii_alphanumeric() || c == '+' || c == '/' || c == '=')
            {
                return true;
            }
        }
    }
    false
}