Merge pull request #442 from Evert0x/master

Adding the right TTP's to all the signatures

modules/signatures/windows/antianalysis_detectfile.py

@@ -11,6 +11,7 @@ class AntiAnalysisDetectFile(Signature):
     categories = ["anti-analysis"]
     authors = ["KillerInstinct"]
     minimum = "2.0"
+    ttp = ["T1063"]
 
     file_indicators = [
         "[A-Za-z]:\\\\analysis",

modules/signatures/windows/antiav_avast_libs.py

@@ -22,6 +22,7 @@ class AvastDetectLibs(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
+    ttp = ["T1063"]
 
     filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
 

modules/signatures/windows/antiav_bitdefender_libs.py

@@ -22,6 +22,7 @@ class BitdefenderDetectLibs(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
+    ttp = ["T1063"]
 
     filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
 

modules/signatures/windows/antiav_detectfile.py

@@ -15,6 +15,7 @@ class AntiAVDetectFile(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
+    ttp = ["T1063"]
 
     file_indicators = [
         ".*\\\\AVAST\\ Software",

modules/signatures/windows/antiav_detectreg.py

@@ -11,6 +11,7 @@ class AntiAVDetectReg(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
+    ttp = ["T1063", "T1012"]
 
     reg_indicators = [
         ".*\\\\Software\\\\(Wow6432Node\\\\)?Avg",

modules/signatures/windows/antiav_servicestop.py

@@ -16,6 +16,7 @@ class AntiAVServiceStop(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
+    ttp = ["T1031", "T1089"]
     evented = True
 
     def __init__(self, *args, **kwargs):

modules/signatures/windows/antiav_srp.py

@@ -11,6 +11,7 @@ class AntiAVSRP(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
+    ttp = ["T1089"]
 
     regkeys_re = [
         ".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*",

modules/signatures/windows/antidbg_devices.py

@@ -22,6 +22,7 @@ class AntiDBGDevices(Signature):
     categories = ["anti-debug"]
     authors = ["nex"]
     minimum = "2.0"
+    ttp = ["T1083", "T1057"]
 
     indicators = [
         ".*SICE$",

modules/signatures/windows/antidbg_windows.py

@@ -22,6 +22,7 @@ class AntiDBGWindows(Signature):
     categories = ["anti-debug"]
     authors = ["nex", "KillerInstinct", "Brad Spengler"]
     minimum = "2.0"
+    ttp = ["T1057"]
 
     filter_categories = "ui",
 

modules/signatures/windows/antiemu_wine.py

@@ -22,6 +22,7 @@ class WineDetect(Signature):
     categories = ["anti-emulation"]
     authors = ["nex"]
     minimum = "2.0"
+    ttp = ["T1057"]
 
     filter_apinames = "LdrGetProcedureAddress",
 

modules/signatures/windows/antisandbox_clipboard.py

@@ -22,6 +22,7 @@ class AntisandboxClipboard(Signature):
     categories = ["anti-sandbox"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
+    ttp = ["T1115"]	
 
     filter_apinames = set(["GetClipboardData"])
 

modules/signatures/windows/antisandbox_cuckoo_files.py

@@ -22,6 +22,7 @@ class CuckooDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
+    ttp = ["T1083", "T1057"]
 
     file_indicators = [
         ".*\\\\agent\\.py$",

modules/signatures/windows/antisandbox_fortinet_files.py

@@ -22,6 +22,7 @@ class FortinetDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
+    ttp = ["T1083", "T1057"]
 
     files_re = [
         "C:\\\\tracer\\\\mdare32_0\\.sys",

modules/signatures/windows/antisandbox_idletime.py

@@ -11,6 +11,7 @@ class AntiSandboxIdleTime(Signature):
     categories = ["anti-sandbox"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
+    ttp = ["T1082"]
 
     filter_apinames = "NtQuerySystemInformation",
 

modules/signatures/windows/antisandbox_joe_anubis_files.py

@@ -22,6 +22,7 @@ class SandboxJoeAnubisDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
+    ttp = ["T1083", "T1057"]
 
     file_indicators = [
         "C:\\\\sample\\.exe",

modules/signatures/windows/antisandbox_sunbelt.py

@@ -11,6 +11,7 @@ class SunBeltSandboxDetect(Signature):
     categories = ["anti-vm"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
+    ttp = ["T1083", "T1057"]
 
     dlls_re = [
         ".*api_log(\\.dll)?$",

modules/signatures/windows/antisandbox_sunbelt_files.py

@@ -22,6 +22,7 @@ class SunbeltDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
+    ttp = ["T1083", "T1057"]
 
     file_indicators = [
         ".*\\\\SandboxStarter\\.exe$",

modules/signatures/windows/antisandbox_threattrack_files.py

@@ -22,6 +22,7 @@ class ThreatTrackDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
+    ttp = ["T1083", "T1057"]
 
     files_re = [
         "C:\\\\cwsandbox",

modules/signatures/windows/antisandbox_unhook.py

@@ -22,6 +22,7 @@ class Unhook(Signature):
     categories = ["anti-sandbox"]
     authors = ["nex"]
     minimum = "2.0"
+    ttp = ["T1089"]
 
     filter_apinames = "__anomaly__",
 

modules/signatures/windows/antivirus_detection_cn.py

@@ -13,6 +13,7 @@ class AVDetectionChinaKey(Signature):
     families = ["china"]
     authors = ["RedSocks"]
     minimum = "2.0"
+    ttp = ["T1063", "T1012"]
 
     indicators = [
         ".*360Safe",

modules/signatures/windows/antivm_bochs_keys.py

@@ -22,6 +22,7 @@ class BochsDetectKeys(Signature):
     categories = ["anti-vm"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
+    ttp = ["T1057", "T1012"]
 
     regkeys_re = [
         ".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS_.*",

modules/signatures/windows/antivm_generic_cpu.py

@@ -22,6 +22,7 @@ class AntiVMCPU(Signature):
     categories = ["anti-vm"]
     authors = ["Optiv"]
     minimum = "2.0"
+    ttp = ["T1082", "T1012"]
 
     regkeys_re = [
         ".*\\\\HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\.*\\\\ProcessorNameString",

modules/signatures/windows/antivm_generic_ide.py

@@ -22,6 +22,7 @@ class AntiVMIDE(Signature):
     categories = ["anti-vm"]
     authors = ["nex"]
     minimum = "2.0"
+    ttp = ["T1057", "T1012"]
 
     def on_complete(self):
         for regkey in self.check_key(pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\IDE", regex=True, all=True):

modules/signatures/windows/antivm_generic_scsi.py

@@ -22,6 +22,7 @@ class AntiVMSCSI(Signature):
     categories = ["anti-vm"]
     authors = ["nex"]
     minimum = "2.0"
+    ttp = ["T1057", "T1012"]
 
     regkeys_re = [
         ".*\\\\HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port \\d+\\\\Scsi Bus \\d+\\\\Target Id \\d+\\\\Logical Unit Id \\d+\\\\Identifier",

modules/signatures/windows/antivm_generic_services.py

@@ -22,6 +22,7 @@ class AntiVMServices(Signature):
     categories = ["anti-vm"]
     authors = ["nex"]
     minimum = "2.0"
+    ttp = ["T1007"]
 
     filter_apinames = "EnumServicesStatusA", "EnumServicesStatusW"
 

modules/signatures/windows/antivm_hyperv_keys.py

@@ -22,7 +22,8 @@ class HyperVDetectKeys(Signature):
     categories = ["anti-vm"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
-
+    ttp = ["T1057", "T1012"]
+
     regkeys_re = [
         ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\Hyper_V_Gen_Counter_V1",
     ]

modules/signatures/windows/antivm_memory_available.py

@@ -22,6 +22,7 @@ class MemoryAvailable(Signature):
     categories = ["anti-vm"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
+    ttp = ["T1082"]
 
     filter_apinames = [
         "GlobalMemoryStatusEx", "GetPhysicallyInstalledSystemMemory",

modules/signatures/windows/antivm_parallels_keys.py

@@ -22,6 +22,7 @@ class ParallelsDetectKeys(Signature):
     categories = ["anti-vm"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
+    ttp = ["T1057", "T1012"]
 
     regkeys_re = [
         ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_1AB8&DEV_4000&SUBSYS_04001AB8&REV_00",

modules/signatures/windows/antivm_parallels_window.py

@@ -22,6 +22,7 @@ class ParallelsDetectWindow(Signature):
     categories = ["anti-vm"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
+    ttp = ["T1057"]
 
     filter_categories = "ui",
 

modules/signatures/windows/antivm_psuedo_device.py

@@ -22,6 +22,7 @@ class AntiVMSharedDevice(Signature):
     categories = ["anti-vm"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
+    ttp = ["T1082"]
 
     filter_apinames = "NtCreateFile",
 

modules/signatures/windows/antivm_sandboxie.py

@@ -11,6 +11,7 @@ class SandboxieDetect(Signature):
     categories = ["anti-vm"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
+    ttp = ["T1057"]
 
     mutexes_re = [
         ".*Sandboxie_SingleInstanceMutex_Control",

modules/signatures/windows/antivm_vbox_files.py

@@ -22,6 +22,7 @@ class VBoxDetectFiles(Signature):
     categories = ["anti-vm"]
     authors = ["nex"]
     minimum = "2.0"
+    ttp = ["T1083", "T1057"]
 
     indicators = [
         ".*VBoxDisp\\.dll",

modules/signatures/windows/antivm_vbox_keys.py

@@ -22,6 +22,7 @@ class VBoxDetectKeys(Signature):
     categories = ["anti-vm"]
     authors = ["nex", "Brad Spengler"]
     minimum = "2.0"
+    ttp = ["T1057", "T1012"]
 
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Oracle\\\\VirtualBox\\ Guest\\ Additions",

modules/signatures/windows/antivm_vbox_window.py

@@ -22,6 +22,7 @@ class VBoxDetectWindow(Signature):
     categories = ["anti-vm"]
     authors = ["nex"]
     minimum = "2.0"
+    ttp = ["T1057"]
 
     filter_categories = "ui",
 

modules/signatures/windows/antivm_virtualpc_window.py

@@ -22,6 +22,7 @@ class VirtualPCDetectWindow(Signature):
     categories = ["anti-vm"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
+    ttp = ["T1057"]
 
     filter_categories = "ui",
 

modules/signatures/windows/antivm_vmware_files.py

@@ -11,6 +11,7 @@ class VMWareDetectFiles(Signature):
     categories = ["anti-vm"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
+    ttp = ["T1083", "T1057"]
 
     files_re = [
         ".*vmmouse\\.sys",

modules/signatures/windows/antivm_vmware_keys.py

@@ -21,6 +21,7 @@ class VMWareDetectKeys(Signature):
     categories = ["anti-vm"]
     authors = ["Cuckoo Technologies", "Optiv"]
     minimum = "2.0"
+    ttp = ["T1057", "T1012"]
 
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?VMWare,\\ Inc\..*",

modules/signatures/windows/antivm_vmware_window.py

@@ -22,6 +22,7 @@ class VMwareDetectWindow(Signature):
     categories = ["anti-vm"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
+    ttp = ["T1057"]
 
     filter_categories = "ui",
 

modules/signatures/windows/antivm_vpc_keys.py

@@ -22,6 +22,7 @@ class VPCDetectKeys(Signature):
     categories = ["anti-vm"]
     authors = ["Optiv"]
     minimum = "2.0"
+    ttp = ["T1057", "T1012"]
 
     regkeys_re = [
         ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00",

modules/signatures/windows/antivm_xen_keys.py

@@ -22,6 +22,7 @@ class XenDetectKeys(Signature):
     categories = ["anti-vm"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
+    ttp = ["T1057", "T1012"]
 
     regkeys_re = [
         ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\XEN0000.*",

modules/signatures/windows/appinit.py

@@ -11,6 +11,7 @@ class InstallsAppInit(Signature):
     categories = ["persistence"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
+    ttp = ["T1103"]
 
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\Appinit_Dlls",

modules/signatures/windows/applocker_bypass.py

@@ -13,6 +13,7 @@ class AppLockerBypass(Signature):
     categories = ["applocker", "bypass"]
     authors = ["FDD", "Cuckoo Technologies"]
     minimum = "2.0.4"
+    ttp = ["T1086", "T1117"]
 
     def on_yara(self, category, filepath, match):
         if match.name != "ApplockerBypass":

modules/signatures/windows/bootconfig_modify.py

@@ -22,7 +22,7 @@ class ModifiesBootConfig(Signature):
     categories = ["persistance", "ransomware"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-
+    ttp = ["T1067"]
     filter_apinames = "ShellExecuteExW", "CreateProcessInternalW",
 
     def on_call(self, call, process):

modules/signatures/windows/bootkit.py

@@ -13,7 +13,7 @@ class Bootkit(Signature):
     authors = ["Optiv"]
     minimum = "2.0"
     evented = True
-
+    ttp = ["T1067"]
     BasicFileInformation = 4
 
     def __init__(self, *args, **kwargs):

modules/signatures/windows/browser_security.py

@@ -22,6 +22,7 @@ class BrowserSecurity(Signature):
     categories = ["browser", "clickfraud", "banker"]
     authors = ["Kevin Ross", "Optiv"]
     minimum = "2.0"
+    ttp = ["T1089"]
 
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Privacy\\\\EnableInPrivateMode",

modules/signatures/windows/bypass_firewall.py

@@ -24,7 +24,7 @@ class BypassFirewall(Signature):
     categories = ["bypass"]
     authors = ["Anderson Tamborim", "nex", "Kevin Ross"]
     minimum = "2.0"
-
+    ttp = ["T1031"]
     indicator = ".*\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\.*"
 
     def on_complete(self):

modules/signatures/windows/clears_logs.py

@@ -22,7 +22,7 @@ class ClearsEventLogs(Signature):
     categories = ["commands", "stealth"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-
+    ttp = ["T1070"]
     utilities = [
         "wevtutil cl",
         "wevtutil.exe cl"
@@ -43,7 +43,7 @@ class ClearPermissionEventLogs(Signature):
     categories = ["commands", "stealth"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-
+    ttp = ["T1222"]
     utilities = [
         "wevtutil sl",
         "wevtutil.exe sl"