From edc04b13c0b095ff69473164de25217f0cc412c7 Mon Sep 17 00:00:00 2001 
From: Evert0x Date: Tue, 2 Apr 2019 19:36:25 +0200 Subject: [PATCH 1/2] Adding ttp codes 1/2 --- modules/signatures/windows/antianalysis_detectfile.py | 1 + modules/signatures/windows/antiav_avast_libs.py | 1 + modules/signatures/windows/antiav_bitdefender_libs.py | 1 + modules/signatures/windows/antiav_detectfile.py | 1 + modules/signatures/windows/antiav_detectreg.py | 1 + modules/signatures/windows/antiav_servicestop.py | 1 + modules/signatures/windows/antiav_srp.py | 1 + modules/signatures/windows/antidbg_devices.py | 1 + modules/signatures/windows/antidbg_windows.py | 1 + modules/signatures/windows/antiemu_wine.py | 1 + modules/signatures/windows/antisandbox_clipboard.py | 1 + modules/signatures/windows/antisandbox_cuckoo_files.py | 1 + modules/signatures/windows/antisandbox_fortinet_files.py | 1 + modules/signatures/windows/antisandbox_idletime.py | 1 + modules/signatures/windows/antisandbox_joe_anubis_files.py | 1 + modules/signatures/windows/antisandbox_sunbelt.py | 1 + modules/signatures/windows/antisandbox_sunbelt_files.py | 1 + .../signatures/windows/antisandbox_threattrack_files.py | 1 + modules/signatures/windows/antisandbox_unhook.py | 1 + modules/signatures/windows/antivm_bochs_keys.py | 1 + modules/signatures/windows/antivm_generic_ide.py | 1 + modules/signatures/windows/antivm_generic_scsi.py | 1 + modules/signatures/windows/antivm_generic_services.py | 1 + modules/signatures/windows/antivm_hyperv_keys.py | 3 ++- modules/signatures/windows/antivm_parallels_keys.py | 1 + modules/signatures/windows/antivm_psuedo_device.py | 1 + modules/signatures/windows/antivm_sandboxie.py | 1 + modules/signatures/windows/antivm_vbox_files.py | 1 + modules/signatures/windows/antivm_vbox_keys.py | 1 + modules/signatures/windows/antivm_vbox_window.py | 1 + modules/signatures/windows/antivm_virtualpc_window.py | 1 + modules/signatures/windows/antivm_vmware_files.py | 1 + modules/signatures/windows/antivm_vmware_keys.py | 1 + 
modules/signatures/windows/antivm_vpc_keys.py | 1 + modules/signatures/windows/antivm_xen_keys.py | 1 + modules/signatures/windows/appinit.py | 1 + modules/signatures/windows/applocker_bypass.py | 1 + modules/signatures/windows/bootconfig_modify.py | 2 +- modules/signatures/windows/bootkit.py | 2 +- modules/signatures/windows/browser_security.py | 1 + modules/signatures/windows/bypass_firewall.py | 2 +- modules/signatures/windows/clears_logs.py | 4 ++-- modules/signatures/windows/creates_hidden_file.py | 2 +- modules/signatures/windows/creates_largekey.py | 1 + modules/signatures/windows/creates_null_reg_entry.py | 2 +- modules/signatures/windows/creates_shortcut.py | 2 +- modules/signatures/windows/deletes_executed.py | 1 + modules/signatures/windows/disables_app.py | 1 + modules/signatures/windows/disables_browserwarn.py | 1 + modules/signatures/windows/disables_security.py | 1 + modules/signatures/windows/disables_sysrestore.py | 1 + modules/signatures/windows/disables_wer.py | 1 + modules/signatures/windows/disables_windowsupdate.py | 1 + modules/signatures/windows/dropper.py | 1 + modules/signatures/windows/exec_bitsadmin.py | 1 + modules/signatures/windows/infostealer_bitcoin.py | 1 + .../windows/infostealer_browser_modifications.py | 5 +++++ modules/signatures/windows/infostealer_clipboard.py | 1 + modules/signatures/windows/infostealer_ftp.py | 1 + modules/signatures/windows/infostealer_im.py | 1 + modules/signatures/windows/infostealer_mail.py | 1 + modules/signatures/windows/injection_explorer.py | 1 + modules/signatures/windows/injection_network_traffic.py | 1 + modules/signatures/windows/injection_thread.py | 1 + modules/signatures/windows/javascript_commandline.py | 1 + modules/signatures/windows/locker_cmd.py | 1 + modules/signatures/windows/locker_regedit.py | 1 + modules/signatures/windows/locker_taskmgr.py | 1 + modules/signatures/windows/modifies_certs.py | 1 + modules/signatures/windows/modifies_proxies.py | 4 ++++ 
modules/signatures/windows/modifies_seccenter.py | 1 + modules/signatures/windows/modifies_uac_notify.py | 1 + modules/signatures/windows/modifies_zoneid.py | 1 + modules/signatures/windows/multiple_ua.py | 1 + modules/signatures/windows/network_tor.py | 1 + modules/signatures/windows/network_tor_service.py | 1 + modules/signatures/windows/office.py | 7 +++++++ modules/signatures/windows/office_packager.py | 1 + modules/signatures/windows/packer_entropy.py | 1 + modules/signatures/windows/packer_polymorphic.py | 1 + modules/signatures/windows/packer_upx.py | 1 + modules/signatures/windows/packer_vmprotect.py | 1 + modules/signatures/windows/payload_download.py | 3 +++ modules/signatures/windows/pe_features.py | 2 ++ modules/signatures/windows/persistence_ads.py | 1 + modules/signatures/windows/persistence_autorun.py | 1 + modules/signatures/windows/persistence_bootexecute.py | 1 + .../signatures/windows/persistence_registry_fileless.py | 2 ++ modules/signatures/windows/powershell.py | 7 +++++++ modules/signatures/windows/powershell_reg.py | 1 + modules/signatures/windows/powerworm.py | 1 + modules/signatures/windows/process_interest.py | 2 ++ modules/signatures/windows/process_needed.py | 1 + modules/signatures/windows/ransomware_bcdedit.py | 1 + modules/signatures/windows/reads_user_agent.py | 1 + modules/signatures/windows/recon_programs.py | 2 ++ modules/signatures/windows/self_delete_bat.py | 1 + modules/signatures/windows/spreading_autoruninf.py | 1 + modules/signatures/windows/stealth_hiddenfile.py | 1 + modules/signatures/windows/stealth_hiddenicons.py | 1 + modules/signatures/windows/stealth_hidenotifications.py | 1 + modules/signatures/windows/stealth_systemprocname.py | 1 + modules/signatures/windows/stealth_window.py | 1 + modules/signatures/windows/stops_service.py | 1 + modules/signatures/windows/volatility_sig.py | 5 +++++ modules/signatures/windows/windows_utilities.py | 3 +++ modules/signatures/windows/wmi.py | 4 ++++ 107 files changed, 143 
insertions(+), 9 deletions(-) diff --git a/modules/signatures/windows/antianalysis_detectfile.py b/modules/signatures/windows/antianalysis_detectfile.py index 72987f396..60dadeadd 100644 --- a/modules/signatures/windows/antianalysis_detectfile.py +++ b/modules/signatures/windows/antianalysis_detectfile.py @@ -11,6 +11,7 @@ class AntiAnalysisDetectFile(Signature): categories = ["anti-analysis"] authors = ["KillerInstinct"] minimum = "2.0" + ttp = ["T1063"] file_indicators = [ "[A-Za-z]:\\\\analysis", diff --git a/modules/signatures/windows/antiav_avast_libs.py b/modules/signatures/windows/antiav_avast_libs.py index 1331e956f..3b6427436 100644 --- a/modules/signatures/windows/antiav_avast_libs.py +++ b/modules/signatures/windows/antiav_avast_libs.py @@ -22,6 +22,7 @@ class AvastDetectLibs(Signature): categories = ["anti-av"] authors = ["Optiv"] minimum = "2.0" + ttp = ["T1063"] filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"]) diff --git a/modules/signatures/windows/antiav_bitdefender_libs.py b/modules/signatures/windows/antiav_bitdefender_libs.py index c3f51ae15..3d409d780 100644 --- a/modules/signatures/windows/antiav_bitdefender_libs.py +++ b/modules/signatures/windows/antiav_bitdefender_libs.py @@ -22,6 +22,7 @@ class BitdefenderDetectLibs(Signature): categories = ["anti-av"] authors = ["Optiv"] minimum = "2.0" + ttp = ["T1063"] filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"]) diff --git a/modules/signatures/windows/antiav_detectfile.py b/modules/signatures/windows/antiav_detectfile.py index d74c0d33a..54a6c7fdd 100644 --- a/modules/signatures/windows/antiav_detectfile.py +++ b/modules/signatures/windows/antiav_detectfile.py @@ -15,6 +15,7 @@ class AntiAVDetectFile(Signature): categories = ["anti-av"] authors = ["Optiv"] minimum = "2.0" + ttp = ["T1063"] file_indicators = [ ".*\\\\AVAST\\ Software", diff --git a/modules/signatures/windows/antiav_detectreg.py b/modules/signatures/windows/antiav_detectreg.py index c53405e37..57408f94a 100644 
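Review bot: The `ttp = ["T1063"]` attribute added after `minimum = "2.0"` in AntiAnalysisDetectFile is undocumented, and nothing in this patch shows the `Signature` base class declaring a default for it; since this is patch 1/2, signatures without the attribute will exist at least transiently, so any consumer reading `sig.ttp` directly would raise AttributeError unless the base class already carries `ttp = []` (not visible here, worth confirming). A one-line comment on that base-class default, e.g. `# MITRE ATT&CK technique IDs this signature maps to, as "Txxxx" strings; empty until classified`, would make the contract explicit for every file touched by this patch, so it need not be repeated per signature. It would also help to record which ATT&CK release the IDs were taken from, because technique numbering has been revised since and a reader cannot tell from `"T1063"` alone which catalogue it refers to. The AntiAnalysisDetectFile class header is outside the hunk.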
--- a/modules/signatures/windows/antiav_detectreg.py +++ b/modules/signatures/windows/antiav_detectreg.py @@ -11,6 +11,7 @@ class AntiAVDetectReg(Signature): categories = ["anti-av"] authors = ["Optiv"] minimum = "2.0" + ttp = ["T1063", "T1012"] reg_indicators = [ ".*\\\\Software\\\\(Wow6432Node\\\\)?Avg", diff --git a/modules/signatures/windows/antiav_servicestop.py b/modules/signatures/windows/antiav_servicestop.py index a289f4b31..da1a45695 100644 --- a/modules/signatures/windows/antiav_servicestop.py +++ b/modules/signatures/windows/antiav_servicestop.py @@ -16,6 +16,7 @@ class AntiAVServiceStop(Signature): categories = ["anti-av"] authors = ["Optiv"] minimum = "2.0" + ttp = ["T1031", "T1089"] evented = True def __init__(self, *args, **kwargs): diff --git a/modules/signatures/windows/antiav_srp.py b/modules/signatures/windows/antiav_srp.py index 6e5c3695e..f7256ae57 100644 --- a/modules/signatures/windows/antiav_srp.py +++ b/modules/signatures/windows/antiav_srp.py @@ -11,6 +11,7 @@ class AntiAVSRP(Signature): categories = ["anti-av"] authors = ["Optiv"] minimum = "2.0" + ttp = ["T1089"] regkeys_re = [ ".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*", diff --git a/modules/signatures/windows/antidbg_devices.py b/modules/signatures/windows/antidbg_devices.py index c8618e9e2..567a57290 100644 --- a/modules/signatures/windows/antidbg_devices.py +++ b/modules/signatures/windows/antidbg_devices.py @@ -22,6 +22,7 @@ class AntiDBGDevices(Signature): categories = ["anti-debug"] authors = ["nex"] minimum = "2.0" + ttp = ["T1083", "T1057"] indicators = [ ".*SICE$", diff --git a/modules/signatures/windows/antidbg_windows.py b/modules/signatures/windows/antidbg_windows.py index a4627e0cd..3dbef1548 100644 --- a/modules/signatures/windows/antidbg_windows.py +++ b/modules/signatures/windows/antidbg_windows.py 
@@ -22,6 +22,7 @@ class AntiDBGWindows(Signature): categories = ["anti-debug"] authors = ["nex", "KillerInstinct", "Brad Spengler"] minimum = "2.0" + ttp = ["T1057"] filter_categories = "ui", diff --git a/modules/signatures/windows/antiemu_wine.py b/modules/signatures/windows/antiemu_wine.py index ff4258077..08e55b864 100644 --- a/modules/signatures/windows/antiemu_wine.py +++ b/modules/signatures/windows/antiemu_wine.py @@ -22,6 +22,7 @@ class WineDetect(Signature): categories = ["anti-emulation"] authors = ["nex"] minimum = "2.0" + ttp = ["T1057"] filter_apinames = "LdrGetProcedureAddress", diff --git a/modules/signatures/windows/antisandbox_clipboard.py b/modules/signatures/windows/antisandbox_clipboard.py index 294848edc..00a25d88f 100644 --- a/modules/signatures/windows/antisandbox_clipboard.py +++ b/modules/signatures/windows/antisandbox_clipboard.py @@ -22,6 +22,7 @@ class AntisandboxClipboard(Signature): categories = ["anti-sandbox"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1115"] filter_apinames = set(["GetClipboardData"]) diff --git a/modules/signatures/windows/antisandbox_cuckoo_files.py b/modules/signatures/windows/antisandbox_cuckoo_files.py index cb0ab6afe..c907f7505 100644 --- a/modules/signatures/windows/antisandbox_cuckoo_files.py +++ b/modules/signatures/windows/antisandbox_cuckoo_files.py @@ -22,6 +22,7 @@ class CuckooDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Brad Spengler"] minimum = "2.0" + ttp = ["T1083", "T1057"] file_indicators = [ ".*\\\\agent\\.py$", diff --git a/modules/signatures/windows/antisandbox_fortinet_files.py b/modules/signatures/windows/antisandbox_fortinet_files.py index 041c185c4..bd4c27fa8 100644 --- a/modules/signatures/windows/antisandbox_fortinet_files.py +++ b/modules/signatures/windows/antisandbox_fortinet_files.py 
@@ -22,6 +22,7 @@ class FortinetDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Brad Spengler"] minimum = "2.0" + ttp = ["T1083", "T1057"] files_re = [ "C:\\\\tracer\\\\mdare32_0\\.sys", diff --git a/modules/signatures/windows/antisandbox_idletime.py b/modules/signatures/windows/antisandbox_idletime.py index 963fec101..f0e2421d4 100644 --- a/modules/signatures/windows/antisandbox_idletime.py +++ b/modules/signatures/windows/antisandbox_idletime.py @@ -11,6 +11,7 @@ class AntiSandboxIdleTime(Signature): categories = ["anti-sandbox"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["T1082"] filter_apinames = "NtQuerySystemInformation", diff --git a/modules/signatures/windows/antisandbox_joe_anubis_files.py b/modules/signatures/windows/antisandbox_joe_anubis_files.py index 2b8d08f56..dc77a2c9a 100644 --- a/modules/signatures/windows/antisandbox_joe_anubis_files.py +++ b/modules/signatures/windows/antisandbox_joe_anubis_files.py @@ -22,6 +22,7 @@ class SandboxJoeAnubisDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1083", "T1057"] file_indicators = [ "C:\\\\sample\\.exe", diff --git a/modules/signatures/windows/antisandbox_sunbelt.py b/modules/signatures/windows/antisandbox_sunbelt.py index 348ce92b4..b0050df10 100644 --- a/modules/signatures/windows/antisandbox_sunbelt.py +++ b/modules/signatures/windows/antisandbox_sunbelt.py @@ -11,6 +11,7 @@ class SunBeltSandboxDetect(Signature): categories = ["anti-vm"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["T1083", "T1057"] dlls_re = [ ".*api_log(\\.dll)?$", diff --git a/modules/signatures/windows/antisandbox_sunbelt_files.py b/modules/signatures/windows/antisandbox_sunbelt_files.py index 450a5539c..152b49d5d 100644 --- a/modules/signatures/windows/antisandbox_sunbelt_files.py +++ b/modules/signatures/windows/antisandbox_sunbelt_files.py 
@@ -22,6 +22,7 @@ class SunbeltDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1083", "T1057"] file_indicators = [ ".*\\\\SandboxStarter\\.exe$", diff --git a/modules/signatures/windows/antisandbox_threattrack_files.py b/modules/signatures/windows/antisandbox_threattrack_files.py index 7e3892bbe..d6ec58c80 100644 --- a/modules/signatures/windows/antisandbox_threattrack_files.py +++ b/modules/signatures/windows/antisandbox_threattrack_files.py @@ -22,6 +22,7 @@ class ThreatTrackDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Brad Spengler"] minimum = "2.0" + ttp = ["T1083", "T1057"] files_re = [ "C:\\\\cwsandbox", diff --git a/modules/signatures/windows/antisandbox_unhook.py b/modules/signatures/windows/antisandbox_unhook.py index ab094ba31..4144c5e66 100644 --- a/modules/signatures/windows/antisandbox_unhook.py +++ b/modules/signatures/windows/antisandbox_unhook.py @@ -22,6 +22,7 @@ class Unhook(Signature): categories = ["anti-sandbox"] authors = ["nex"] minimum = "2.0" + ttp = ["T1089"] filter_apinames = "__anomaly__", diff --git a/modules/signatures/windows/antivm_bochs_keys.py b/modules/signatures/windows/antivm_bochs_keys.py index c34f778a4..02153d248 100644 --- a/modules/signatures/windows/antivm_bochs_keys.py +++ b/modules/signatures/windows/antivm_bochs_keys.py @@ -22,6 +22,7 @@ class BochsDetectKeys(Signature): categories = ["anti-vm"] authors = ["Brad Spengler"] minimum = "2.0" + ttp = ["T1057", "T1012"] regkeys_re = [ ".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS_.*", diff --git a/modules/signatures/windows/antivm_generic_ide.py b/modules/signatures/windows/antivm_generic_ide.py index 2bb5edb54..4b8d73a0b 100644 --- a/modules/signatures/windows/antivm_generic_ide.py +++ b/modules/signatures/windows/antivm_generic_ide.py 
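Review bot: `ttp = ["T1057", "T1012"]` on BochsDetectKeys pairs Process Discovery (T1057) with a signature whose only visible indicator is the `regkeys_re` list that follows, which is already covered by T1012 (Query Registry); unless T1057 is meant to stand in for the broader VM-evasion goal, it looks mismatched. The same pairing recurs on antivm_generic_ide, antivm_generic_scsi, antivm_hyperv_keys, antivm_parallels_keys, antivm_vbox_keys, antivm_vmware_keys, antivm_vpc_keys and antivm_xen_keys, and the file-indicator anti-sandbox signatures (antisandbox_cuckoo_files, antisandbox_sunbelt_files, antisandbox_threattrack_files, antivm_vbox_files, antivm_vmware_files) carry T1057 next to T1083 with the same question. If the intent is a deliberate convention, a short comment at the first occurrence, e.g. `# T1057 used as the generic "environment discovery" tag for VM/sandbox checks`, would stop reviewers from flagging it again. The class bodies that would settle this start before and continue after the hunks.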
@@ -22,6 +22,7 @@ class AntiVMIDE(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" + ttp = ["T1057", "T1012"] def on_complete(self): for regkey in self.check_key(pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\IDE", regex=True, all=True): diff --git a/modules/signatures/windows/antivm_generic_scsi.py b/modules/signatures/windows/antivm_generic_scsi.py index 74f6c3299..8894b9fea 100644 --- a/modules/signatures/windows/antivm_generic_scsi.py +++ b/modules/signatures/windows/antivm_generic_scsi.py @@ -22,6 +22,7 @@ class AntiVMSCSI(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" + ttp = ["T1057", "T1012"] regkeys_re = [ ".*\\\\HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port \\d+\\\\Scsi Bus \\d+\\\\Target Id \\d+\\\\Logical Unit Id \\d+\\\\Identifier", diff --git a/modules/signatures/windows/antivm_generic_services.py b/modules/signatures/windows/antivm_generic_services.py index f0c185ddf..30d28d32c 100644 --- a/modules/signatures/windows/antivm_generic_services.py +++ b/modules/signatures/windows/antivm_generic_services.py @@ -22,6 +22,7 @@ class AntiVMServices(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" + ttp = ["T1007"] filter_apinames = "EnumServicesStatusA", "EnumServicesStatusW" diff --git a/modules/signatures/windows/antivm_hyperv_keys.py b/modules/signatures/windows/antivm_hyperv_keys.py index a94640d84..ed32d9953 100644 --- a/modules/signatures/windows/antivm_hyperv_keys.py +++ b/modules/signatures/windows/antivm_hyperv_keys.py @@ -22,7 +22,8 @@ class HyperVDetectKeys(Signature): categories = ["anti-vm"] authors = ["Brad Spengler"] minimum = "2.0" - + ttp = ["T1057", "T1012"] + regkeys_re = [ ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\Hyper_V_Gen_Counter_V1", ] diff --git a/modules/signatures/windows/antivm_parallels_keys.py b/modules/signatures/windows/antivm_parallels_keys.py index c5e436bae..da3a55904 100644 
--- a/modules/signatures/windows/antivm_parallels_keys.py +++ b/modules/signatures/windows/antivm_parallels_keys.py @@ -22,6 +22,7 @@ class ParallelsDetectKeys(Signature): categories = ["anti-vm"] authors = ["Brad Spengler"] minimum = "2.0" + ttp = ["T1057", "T1012"] regkeys_re = [ ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_1AB8&DEV_4000&SUBSYS_04001AB8&REV_00", diff --git a/modules/signatures/windows/antivm_psuedo_device.py b/modules/signatures/windows/antivm_psuedo_device.py index 71db01cdc..eab941247 100644 --- a/modules/signatures/windows/antivm_psuedo_device.py +++ b/modules/signatures/windows/antivm_psuedo_device.py @@ -22,6 +22,7 @@ class AntiVMSharedDevice(Signature): categories = ["anti-vm"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1082"] filter_apinames = "NtCreateFile", diff --git a/modules/signatures/windows/antivm_sandboxie.py b/modules/signatures/windows/antivm_sandboxie.py index 1cbf446d9..83524ad31 100644 --- a/modules/signatures/windows/antivm_sandboxie.py +++ b/modules/signatures/windows/antivm_sandboxie.py @@ -11,6 +11,7 @@ class SandboxieDetect(Signature): categories = ["anti-vm"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["T1057"] mutexes_re = [ ".*Sandboxie_SingleInstanceMutex_Control", diff --git a/modules/signatures/windows/antivm_vbox_files.py b/modules/signatures/windows/antivm_vbox_files.py index 102bd6a37..fe88a5723 100644 --- a/modules/signatures/windows/antivm_vbox_files.py +++ b/modules/signatures/windows/antivm_vbox_files.py @@ -22,6 +22,7 @@ class VBoxDetectFiles(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" + ttp = ["T1083", "T1057"] indicators = [ ".*VBoxDisp\\.dll", diff --git a/modules/signatures/windows/antivm_vbox_keys.py b/modules/signatures/windows/antivm_vbox_keys.py index f24096fe6..f129cb089 100644 --- a/modules/signatures/windows/antivm_vbox_keys.py +++ b/modules/signatures/windows/antivm_vbox_keys.py 
@@ -22,6 +22,7 @@ class VBoxDetectKeys(Signature): categories = ["anti-vm"] authors = ["nex", "Brad Spengler"] minimum = "2.0" + ttp = ["T1057", "T1012"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Oracle\\\\VirtualBox\\ Guest\\ Additions", diff --git a/modules/signatures/windows/antivm_vbox_window.py b/modules/signatures/windows/antivm_vbox_window.py index eee3e9ac4..c52d0d882 100644 --- a/modules/signatures/windows/antivm_vbox_window.py +++ b/modules/signatures/windows/antivm_vbox_window.py @@ -22,6 +22,7 @@ class VBoxDetectWindow(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" + ttp = ["T1057"] filter_categories = "ui", diff --git a/modules/signatures/windows/antivm_virtualpc_window.py b/modules/signatures/windows/antivm_virtualpc_window.py index fdac8246d..f14dfbea8 100644 --- a/modules/signatures/windows/antivm_virtualpc_window.py +++ b/modules/signatures/windows/antivm_virtualpc_window.py @@ -22,6 +22,7 @@ class VirtualPCDetectWindow(Signature): categories = ["anti-vm"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1057"] filter_categories = "ui", diff --git a/modules/signatures/windows/antivm_vmware_files.py b/modules/signatures/windows/antivm_vmware_files.py index 74314b060..7ddad0548 100644 --- a/modules/signatures/windows/antivm_vmware_files.py +++ b/modules/signatures/windows/antivm_vmware_files.py @@ -11,6 +11,7 @@ class VMWareDetectFiles(Signature): categories = ["anti-vm"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["T1083", "T1057"] files_re = [ ".*vmmouse\\.sys", diff --git a/modules/signatures/windows/antivm_vmware_keys.py b/modules/signatures/windows/antivm_vmware_keys.py index 9dc5c06cd..5bfa55f3f 100644 --- a/modules/signatures/windows/antivm_vmware_keys.py +++ b/modules/signatures/windows/antivm_vmware_keys.py 
@@ -21,6 +21,7 @@ class VMWareDetectKeys(Signature): categories = ["anti-vm"] authors = ["Cuckoo Technologies", "Optiv"] minimum = "2.0" + ttp = ["T1057", "T1012"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?VMWare,\\ Inc\..*", diff --git a/modules/signatures/windows/antivm_vpc_keys.py b/modules/signatures/windows/antivm_vpc_keys.py index 5d5da9c14..ab229e84e 100644 --- a/modules/signatures/windows/antivm_vpc_keys.py +++ b/modules/signatures/windows/antivm_vpc_keys.py @@ -22,6 +22,7 @@ class VPCDetectKeys(Signature): categories = ["anti-vm"] authors = ["Optiv"] minimum = "2.0" + ttp = ["T1057", "T1012"] regkeys_re = [ ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00", diff --git a/modules/signatures/windows/antivm_xen_keys.py b/modules/signatures/windows/antivm_xen_keys.py index db6afc74c..548bec659 100644 --- a/modules/signatures/windows/antivm_xen_keys.py +++ b/modules/signatures/windows/antivm_xen_keys.py @@ -22,6 +22,7 @@ class XenDetectKeys(Signature): categories = ["anti-vm"] authors = ["Brad Spengler"] minimum = "2.0" + ttp = ["T1057", "T1012"] regkeys_re = [ ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\XEN0000.*", diff --git a/modules/signatures/windows/appinit.py b/modules/signatures/windows/appinit.py index 3df2916be..df2f6e144 100644 --- a/modules/signatures/windows/appinit.py +++ b/modules/signatures/windows/appinit.py @@ -11,6 +11,7 @@ class InstallsAppInit(Signature): categories = ["persistence"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["T1103"] regkeys_re = [ ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\Appinit_Dlls", diff --git a/modules/signatures/windows/applocker_bypass.py b/modules/signatures/windows/applocker_bypass.py index b03620c1e..fb3ab9873 100644 --- a/modules/signatures/windows/applocker_bypass.py +++ b/modules/signatures/windows/applocker_bypass.py 
@@ -13,6 +13,7 @@ class AppLockerBypass(Signature): categories = ["applocker", "bypass"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0.4" + ttp = ["T1086", "T1117"] def on_yara(self, category, filepath, match): if match.name != "ApplockerBypass": diff --git a/modules/signatures/windows/bootconfig_modify.py b/modules/signatures/windows/bootconfig_modify.py index 4b7f0213b..0316a2fec 100644 --- a/modules/signatures/windows/bootconfig_modify.py +++ b/modules/signatures/windows/bootconfig_modify.py @@ -22,7 +22,7 @@ class ModifiesBootConfig(Signature): categories = ["persistance", "ransomware"] authors = ["Kevin Ross"] minimum = "2.0" - + ttp = ["T1067"] filter_apinames = "ShellExecuteExW", "CreateProcessInternalW", def on_call(self, call, process): diff --git a/modules/signatures/windows/bootkit.py b/modules/signatures/windows/bootkit.py index 559091357..5198de9c1 100644 --- a/modules/signatures/windows/bootkit.py +++ b/modules/signatures/windows/bootkit.py @@ -13,7 +13,7 @@ class Bootkit(Signature): authors = ["Optiv"] minimum = "2.0" evented = True - + ttp = ["T1067"] BasicFileInformation = 4 def __init__(self, *args, **kwargs): diff --git a/modules/signatures/windows/browser_security.py b/modules/signatures/windows/browser_security.py index 37e34779a..8f57f53c4 100644 --- a/modules/signatures/windows/browser_security.py +++ b/modules/signatures/windows/browser_security.py @@ -22,6 +22,7 @@ class BrowserSecurity(Signature): categories = ["browser", "clickfraud", "banker"] authors = ["Kevin Ross", "Optiv"] minimum = "2.0" + ttp = ["T1089"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Privacy\\\\EnableInPrivateMode", diff --git a/modules/signatures/windows/bypass_firewall.py b/modules/signatures/windows/bypass_firewall.py index 0762d6c30..65ab6f150 100644 --- a/modules/signatures/windows/bypass_firewall.py +++ b/modules/signatures/windows/bypass_firewall.py 
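Review bot: The bootconfig_modify hunk replaces the blank line between the metadata block and `filter_apinames` with `ttp = ["T1067"]`, so the visual separator the other signatures keep (compare antivm_hyperv_keys, which adds `ttp` and preserves the blank line) is lost; bypass_firewall, clears_logs (both hunks), creates_hidden_file, creates_null_reg_entry and creates_shortcut do the same. The bootkit hunk additionally places `ttp` after `evented = True` rather than directly after `minimum`, unlike every other file in the patch. Keeping `ttp` immediately after `minimum` and retaining the blank line, i.e. `minimum = "2.0"` / `ttp = ["T1067"]` / an empty line, would make the metadata block uniform across the 107 files and easier to grep. The enclosing classes start before each hunk.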
@@ -24,7 +24,7 @@ class BypassFirewall(Signature): categories = ["bypass"] authors = ["Anderson Tamborim", "nex", "Kevin Ross"] minimum = "2.0" - + ttp = ["T1031"] indicator = ".*\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\.*" def on_complete(self): diff --git a/modules/signatures/windows/clears_logs.py b/modules/signatures/windows/clears_logs.py index 4eda26179..cebbf28a4 100644 --- a/modules/signatures/windows/clears_logs.py +++ b/modules/signatures/windows/clears_logs.py @@ -22,7 +22,7 @@ class ClearsEventLogs(Signature): categories = ["commands", "stealth"] authors = ["Kevin Ross"] minimum = "2.0" - + ttp = ["T1070"] utilities = [ "wevtutil cl", "wevtutil.exe cl" @@ -43,7 +43,7 @@ class ClearPermissionEventLogs(Signature): categories = ["commands", "stealth"] authors = ["Kevin Ross"] minimum = "2.0" - + ttp = ["T1222"] utilities = [ "wevtutil sl", "wevtutil.exe sl" diff --git a/modules/signatures/windows/creates_hidden_file.py b/modules/signatures/windows/creates_hidden_file.py index 11d8f58be..06e19c575 100644 --- a/modules/signatures/windows/creates_hidden_file.py +++ b/modules/signatures/windows/creates_hidden_file.py @@ -12,7 +12,7 @@ class CreatesHiddenFile(Signature): severity = 2 categories = ["stealth"] minimum = "2.0" - + ttp = ["T1158"] filter_apinames = "NtCreateFile", "SetFileAttributesW" def __init__(self, *args, **kwargs): diff --git a/modules/signatures/windows/creates_largekey.py b/modules/signatures/windows/creates_largekey.py index e5f2e7fcb..68c1ca966 100644 --- a/modules/signatures/windows/creates_largekey.py +++ b/modules/signatures/windows/creates_largekey.py @@ -29,6 +29,7 @@ class CreatesLargeKey(Signature): categories = ["stealth"] authors = ["Optiv"] minimum = "2.0" + ttp = ["T1112"] evented = True filter_apinames = set(["NtSetValueKey", "RegSetValueExA", "RegSetValueExW"]) 
diff --git a/modules/signatures/windows/creates_null_reg_entry.py b/modules/signatures/windows/creates_null_reg_entry.py index 135541b23..a196ce7bd 100644 --- a/modules/signatures/windows/creates_null_reg_entry.py +++ b/modules/signatures/windows/creates_null_reg_entry.py @@ -12,7 +12,7 @@ class CreatesNullRegistryEntry(Signature): severity = 2 categories = ["stealth"] minimum = "2.0" - + ttp = ["T1054", "T1112"] filter_apinames = ( "NtSetValueKey", "NtCreateKey", "RegCreateKeyExA", "RegCreateKeyExW", "RegSetValueExA", "RegSetValueExW", diff --git a/modules/signatures/windows/creates_shortcut.py b/modules/signatures/windows/creates_shortcut.py index 4d1e8b9f2..4abd31465 100644 --- a/modules/signatures/windows/creates_shortcut.py +++ b/modules/signatures/windows/creates_shortcut.py @@ -22,7 +22,7 @@ class CreatesShortcut(Signature): categories = ["persistance"] authors = ["Kevin Ross"] minimum = "2.0" - + ttp = ["T1023", "T1204"] files_re = [ ".*\\.lnk$", ] diff --git a/modules/signatures/windows/deletes_executed.py b/modules/signatures/windows/deletes_executed.py index af6b28539..a0778aa38 100644 --- a/modules/signatures/windows/deletes_executed.py +++ b/modules/signatures/windows/deletes_executed.py @@ -22,6 +22,7 @@ class DeletesExecutedFiles(Signature): categories = ["persistence", "stealth"] authors = ["Optiv", "Kevin Ross"] minimum = "2.0" + ttp = ["T1070"] evented = True def on_complete(self): diff --git a/modules/signatures/windows/disables_app.py b/modules/signatures/windows/disables_app.py index bc29f8038..76f5b65f4 100644 --- a/modules/signatures/windows/disables_app.py +++ b/modules/signatures/windows/disables_app.py @@ -11,6 +11,7 @@ class DisablesAppLaunch(Signature): categories = ["stealth"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1112"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun$", 
diff --git a/modules/signatures/windows/disables_browserwarn.py b/modules/signatures/windows/disables_browserwarn.py index 3fb78acea..37da8be58 100644 --- a/modules/signatures/windows/disables_browserwarn.py +++ b/modules/signatures/windows/disables_browserwarn.py @@ -11,6 +11,7 @@ class DisablesBrowserWarn(Signature): categories = ["generic", "banker", "clickfraud"] authors = ["Optiv", "Kevin Ross"] minimum = "2.0" + ttp = ["T1089"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnBadCertRecving", diff --git a/modules/signatures/windows/disables_security.py b/modules/signatures/windows/disables_security.py index 03d4585b6..3c6c5fc8b 100644 --- a/modules/signatures/windows/disables_security.py +++ b/modules/signatures/windows/disables_security.py @@ -11,6 +11,7 @@ class DisablesSecurity(Signature): categories = ["anti-av"] authors = ["Cuckoo Technologies", "Brad Spengler"] minimum = "2.0" + ttp = ["T1089", "T1112"] regkeys_re = [ ("HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA", "attempts to disable user access control"), diff --git a/modules/signatures/windows/disables_sysrestore.py b/modules/signatures/windows/disables_sysrestore.py index 0dbd90510..a5c6d73b9 100644 --- a/modules/signatures/windows/disables_sysrestore.py +++ b/modules/signatures/windows/disables_sysrestore.py @@ -12,6 +12,7 @@ class DisablesSystemRestore(Signature): categories = ["ransomware", "persistance"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1112"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableSR$", diff --git a/modules/signatures/windows/disables_wer.py b/modules/signatures/windows/disables_wer.py index efa9fe4f3..03971c8b8 100644 --- a/modules/signatures/windows/disables_wer.py +++ b/modules/signatures/windows/disables_wer.py 
@@ -11,6 +11,7 @@ class DisablesWER(Signature): categories = ["stealth"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1054", "T1112"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ Error\\ Reporting\\\\Disabled$", diff --git a/modules/signatures/windows/disables_windowsupdate.py b/modules/signatures/windows/disables_windowsupdate.py index ae9c3d271..a1cf74f2e 100644 --- a/modules/signatures/windows/disables_windowsupdate.py +++ b/modules/signatures/windows/disables_windowsupdate.py @@ -11,6 +11,7 @@ class DisablesWindowsUpdate(Signature): categories = ["generic"] authors = ["Optiv"] minimum = "2.0" + ttp = ["T1112"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\(AU\\\\NoAutoUpdate|Auto\\ Update\\\\AUOptions)$", diff --git a/modules/signatures/windows/dropper.py b/modules/signatures/windows/dropper.py index 4a45a3b9f..08e95b6ca 100644 --- a/modules/signatures/windows/dropper.py +++ b/modules/signatures/windows/dropper.py @@ -22,6 +22,7 @@ class Dropper(Signature): categories = ["dropper"] authors = ["Optiv"] minimum = "2.0" + ttp = ["T1129"] def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) diff --git a/modules/signatures/windows/exec_bitsadmin.py b/modules/signatures/windows/exec_bitsadmin.py index 09303a956..718539865 100644 --- a/modules/signatures/windows/exec_bitsadmin.py +++ b/modules/signatures/windows/exec_bitsadmin.py @@ -13,6 +13,7 @@ class ExecBitsAdmin(Signature): categories = ["script", "dropper"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0" + ttp = ["T1197"] def on_complete(self): lower = "".join(self.get_command_lines()).lower() diff --git a/modules/signatures/windows/infostealer_bitcoin.py b/modules/signatures/windows/infostealer_bitcoin.py index ea5d8b4d3..34ab6d93b 100644 --- a/modules/signatures/windows/infostealer_bitcoin.py +++ b/modules/signatures/windows/infostealer_bitcoin.py 
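Review bot: `ttp = ["T1129"]` on Dropper maps the signature to Execution through Module Load, which describes loading of shared modules, while the name and the `__init__` that follows suggest the signature tracks dropped files being executed; the `on_complete` logic that would confirm either reading is outside the hunk, so this may be intentional, but the rationale is not visible. A brief comment next to the attribute stating what behaviour of the signature the technique is meant to capture, e.g. `# T1129: dropped payload is executed via module load`, would let a reader verify the mapping without opening the ATT&CK catalogue. The Dropper class header is outside the hunk.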
@@ -11,6 +11,7 @@ class BitcoinWallet(Signature):
 categories = ["infostealer"]
 authors = ["Kevin Ross", "Optiv"]
 minimum = "2.0"
+ ttp = ["T1005"]
 file_indicators = [
 ".*\\\\wallet\.dat$",
diff --git a/modules/signatures/windows/infostealer_browser_modifications.py b/modules/signatures/windows/infostealer_browser_modifications.py
index 095ad6ec9..5aba70115 100644
--- a/modules/signatures/windows/infostealer_browser_modifications.py
+++ b/modules/signatures/windows/infostealer_browser_modifications.py
@@ -11,6 +11,7 @@ class DisablesSPDYFirefox(Signature):
 categories = ["infostealer", "banker"]
 authors = ["Optiv"]
 minimum = "2.0"
+ ttp = ["T1089"]
 filter_apinames = [
 "NtWriteFile",
@@ -31,6 +32,7 @@ class DisablesSPDYIE(Signature):
 categories = ["infostealer", "banker"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1089"]
 references = ["www.windows-security.org/65bb16b8e4a8cda95159541fcf31fcd7/allow-internet-explorer-to-use-the-spdy3-network-protocol"]
 filter_apinames = [
@@ -57,6 +59,7 @@ class DisablesSPDYChrome(Signature):
 categories = ["infostealer", "banker"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1089"]
 def on_complete(self):
 for cmdline in self.get_command_lines():
@@ -72,6 +75,7 @@ class ModifiesFirefoxConfiguration(Signature):
 categories = ["infostealer", "banker"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1089"]
 filter_apinames = [
 "NtWriteFile",
@@ -94,6 +98,7 @@ class DisablesIEHTTP2(Signature):
 categories = ["infostealer", "banker"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1089"]
 http2keys = [
 "enablehttp2tls",
diff --git a/modules/signatures/windows/infostealer_clipboard.py b/modules/signatures/windows/infostealer_clipboard.py
index d183e7881..22cd4e0e6 100644
--- a/modules/signatures/windows/infostealer_clipboard.py
+++ b/modules/signatures/windows/infostealer_clipboard.py
@@ -22,6 +22,7 @@ class InfoStealerClipboard(Signature):
 categories = ["infostealer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1115"]
 filter_apinames = set(["AddClipboardFormatListener", "SetClipboardViewer"])
diff --git a/modules/signatures/windows/infostealer_ftp.py b/modules/signatures/windows/infostealer_ftp.py
index e03d267f2..aca2dcd60 100644
--- a/modules/signatures/windows/infostealer_ftp.py
+++ b/modules/signatures/windows/infostealer_ftp.py
@@ -22,6 +22,7 @@ class FTPStealer(Signature):
 categories = ["infostealer"]
 authors = ["nex", "RedSocks", "Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1081", "T1003", "T1005"]
 files_re = [
 ".*\\\\CuteFTP\\\\sm\\.dat$",
diff --git a/modules/signatures/windows/infostealer_im.py b/modules/signatures/windows/infostealer_im.py
index 5b4e496e3..bb1c81cbc 100644
--- a/modules/signatures/windows/infostealer_im.py
+++ b/modules/signatures/windows/infostealer_im.py
@@ -11,6 +11,7 @@ class IMStealer(Signature):
 categories = ["infostealer"]
 authors = ["Optiv"]
 minimum = "2.0"
+ ttp = ["T1081", "T1003", "T1005"]
 file_indicators = [
 ".*\\\\AIM\\\\aimx\.bin$",
diff --git a/modules/signatures/windows/infostealer_mail.py b/modules/signatures/windows/infostealer_mail.py
index 108730cdd..f82c48d32 100644
--- a/modules/signatures/windows/infostealer_mail.py
+++ b/modules/signatures/windows/infostealer_mail.py
@@ -11,6 +11,7 @@ class MailStealer(Signature):
 categories = ["infostealer"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1081", "T1003", "T1005"]
 regkeys_re = [
 ".*\\\\Software\\\\(Wow6432Node\\\\)?IncrediMail"
diff --git a/modules/signatures/windows/injection_explorer.py b/modules/signatures/windows/injection_explorer.py
index d3102000a..4a2349ff0 100644
--- a/modules/signatures/windows/injection_explorer.py
+++ b/modules/signatures/windows/injection_explorer.py
@@ -22,6 +22,7 @@ class InjectionExplorer(Signature):
 categories = ["injection"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1055"]
 references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
 filter_apinames = [
diff --git a/modules/signatures/windows/injection_network_traffic.py b/modules/signatures/windows/injection_network_traffic.py
index aebd9f01e..2d99e6b13 100644
--- a/modules/signatures/windows/injection_network_traffic.py
+++ b/modules/signatures/windows/injection_network_traffic.py
@@ -21,6 +21,7 @@ class InjectionNetworkTraffic(Signature):
 categories = ["injection", "cnc", "stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1071"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/injection_thread.py b/modules/signatures/windows/injection_thread.py
index ff1c54574..166184488 100644
--- a/modules/signatures/windows/injection_thread.py
+++ b/modules/signatures/windows/injection_thread.py
@@ -22,6 +22,7 @@ class InjectionCreateRemoteThread(Signature):
 categories = ["injection"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1055"]
 references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
 filter_apinames = [
diff --git a/modules/signatures/windows/javascript_commandline.py b/modules/signatures/windows/javascript_commandline.py
index 900a38e10..442b622e1 100644
--- a/modules/signatures/windows/javascript_commandline.py
+++ b/modules/signatures/windows/javascript_commandline.py
@@ -22,6 +22,7 @@ class JavaScriptCommandline(Signature):
 categories = ["javascript", "persistence", "downloader"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1059"]
 def on_complete(self):
 for cmdline in self.get_command_lines():
diff --git a/modules/signatures/windows/locker_cmd.py b/modules/signatures/windows/locker_cmd.py
index 1abca5f41..0f442a19c 100644
--- a/modules/signatures/windows/locker_cmd.py
+++ b/modules/signatures/windows/locker_cmd.py
@@ -11,6 +11,7 @@ class DisableCmd(Signature):
 categories = ["locker"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1112"]
 indicator = ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion" \
 "\\\\Policies\\\\System\\DisableCmd$"
diff --git a/modules/signatures/windows/locker_regedit.py b/modules/signatures/windows/locker_regedit.py
index e0e9b8cc7..edcdb72a5 100644
--- a/modules/signatures/windows/locker_regedit.py
+++ b/modules/signatures/windows/locker_regedit.py
@@ -22,6 +22,7 @@ class DisableRegedit(Signature):
 categories = ["locker"]
 authors = ["Thomas Birn", "nex"]
 minimum = "2.0"
+ ttp = ["T1112"]
 indicator = ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion" \
 "\\\\Policies\\\\System\\DisableRegistryTools$"
diff --git a/modules/signatures/windows/locker_taskmgr.py b/modules/signatures/windows/locker_taskmgr.py
index 536742733..958600a6f 100644
--- a/modules/signatures/windows/locker_taskmgr.py
+++ b/modules/signatures/windows/locker_taskmgr.py
@@ -22,6 +22,7 @@ class DisableTaskMgr(Signature):
 categories = ["locker"]
 authors = ["Thomas Birn", "nex"]
 minimum = "2.0"
+ ttp = ["T1112"]
 indicator = ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion" \
 "\\\\Policies\\\\System\\\\DisableTaskMgr$"
diff --git a/modules/signatures/windows/modifies_certs.py b/modules/signatures/windows/modifies_certs.py
index 347433b3c..851021b92 100644
--- a/modules/signatures/windows/modifies_certs.py
+++ b/modules/signatures/windows/modifies_certs.py
@@ -22,6 +22,7 @@ class ModifiesCertificates(Signature):
 categories = ["infostealer", "banker"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1112"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\SystemCertificates\\\\.*\\\\Certificates\\\\.*",
diff --git a/modules/signatures/windows/modifies_proxies.py b/modules/signatures/windows/modifies_proxies.py
index 9297316ad..5164ca35c 100644
--- a/modules/signatures/windows/modifies_proxies.py
+++ b/modules/signatures/windows/modifies_proxies.py
@@ -22,6 +22,7 @@ class ModifiesProxyWPAD(Signature):
 categories = ["infostealer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1040"]
 evented = True
 filter_apinames = [
@@ -46,6 +47,7 @@ class ModifiesProxyOverride(Signature):
 categories = ["infostealer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1040"]
 evented = True
 filter_apinames = [
@@ -70,6 +72,7 @@ class ModifiesProxyAutoConfig(Signature):
 categories = ["infostealer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1040"]
 evented = True
 filter_apinames = [
@@ -94,6 +97,7 @@ class DisablesProxy(Signature):
 categories = ["infostealer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1040"]
 evented = True
 filter_apinames = [
diff --git a/modules/signatures/windows/modifies_seccenter.py b/modules/signatures/windows/modifies_seccenter.py
index a0d3639df..8b9d3bd61 100644
--- a/modules/signatures/windows/modifies_seccenter.py
+++ b/modules/signatures/windows/modifies_seccenter.py
@@ -11,6 +11,7 @@ class ModifySecurityCenterWarnings(Signature):
 categories = ["stealth"]
 authors = ["Kevin Ross", "Optiv"]
 minimum = "2.0"
+ ttp = ["T1031", "T1089"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\.*",
diff --git a/modules/signatures/windows/modifies_uac_notify.py b/modules/signatures/windows/modifies_uac_notify.py
index ba01d4bf2..61b12c477 100644
--- a/modules/signatures/windows/modifies_uac_notify.py
+++ b/modules/signatures/windows/modifies_uac_notify.py
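Review bot: `ttp = ["T1040"]` on all four modifies_proxies.py classes tags Network Sniffing, but these signatures fire on proxy-setting changes, not on traffic capture. Elsewhere in this series registry-setting changes are tagged T1112 (Modify Registry), and the intent here is presumably T1090 (Connection Proxy); either would describe ModifiesProxyWPAD, ModifiesProxyOverride, ModifiesProxyAutoConfig and DisablesProxy better than T1040. The ModifySecurityCenterWarnings hunk on this line has a similar mismatch: T1031 is Modify Existing Service, while the signature watches Security Center registry keys. Each class body continues outside its hunk.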
@@ -11,6 +11,7 @@ class ModifiesUACNotify(Signature):
 categories = ["stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1088"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin",
diff --git a/modules/signatures/windows/modifies_zoneid.py b/modules/signatures/windows/modifies_zoneid.py
index e1ccb06e1..d864ee4b7 100644
--- a/modules/signatures/windows/modifies_zoneid.py
+++ b/modules/signatures/windows/modifies_zoneid.py
@@ -23,6 +23,7 @@ class ZoneID(Signature):
 categories = [""]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["T1070", "T1096"]
 filter_apinames = "NtCreateFile", "NtWriteFile"
diff --git a/modules/signatures/windows/multiple_ua.py b/modules/signatures/windows/multiple_ua.py
index e6099b2a8..e1ed47061 100644
--- a/modules/signatures/windows/multiple_ua.py
+++ b/modules/signatures/windows/multiple_ua.py
@@ -23,6 +23,7 @@ class Multiple_UA(Signature):
 authors = ["KillerInstinct"]
 minimum = "2.0"
 evented = True
+ ttp = ["T1071"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/network_tor.py b/modules/signatures/windows/network_tor.py
index 878f15414..a0924b9a1 100644
--- a/modules/signatures/windows/network_tor.py
+++ b/modules/signatures/windows/network_tor.py
@@ -22,6 +22,7 @@ class Tor(Signature):
 categories = ["network", "anonimity", "tor"]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["T1188"]
 filter_apinames = "CreateServiceA", "CreateServiceW"
diff --git a/modules/signatures/windows/network_tor_service.py b/modules/signatures/windows/network_tor_service.py
index 9b18880a4..933537997 100644
--- a/modules/signatures/windows/network_tor_service.py
+++ b/modules/signatures/windows/network_tor_service.py
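Review bot: In the Multiple_UA hunk the new `ttp = ["T1071"]` is placed after `evented = True`, whereas every other hunk in this series puts `ttp` directly after `minimum`; the same placement appears in PersistenceBootexecute (persistence_bootexecute.py), PersistenceRegistryEXE and PersistenceRegistryPowershell (persistence_registry_fileless.py), ProcessInterest (process_interest.py) and ProcessNeeded (process_needed.py). Keeping the metadata attributes in one fixed order (`minimum`, `ttp`, then `evented`) makes the signature headers greppable and easier to audit, so I would move the line up in those six classes. This is only a style point; no behaviour depends on attribute order.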
@@ -22,6 +22,7 @@ class TorHiddenService(Signature):
 categories = ["network", "anonimity", "tor"]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["T1188"]
 indicators = [
 ".*\\\\tor\\\\hidden_service\\\\private_key$",
diff --git a/modules/signatures/windows/office.py b/modules/signatures/windows/office.py
index b0425fe3b..1b0eaab39 100644
--- a/modules/signatures/windows/office.py
+++ b/modules/signatures/windows/office.py
@@ -22,6 +22,7 @@ class OfficeCreateObject(Signature):
 categories = ["vba"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1203"]
 filter_apinames = "vbe6_CreateObject", "vbe6_GetObject"
@@ -74,6 +75,7 @@ class OfficeCountDirectories(Signature):
 categories = ["vba"]
 authors = ["FDD @ Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1203"]
 filter_apinames = "vbe6_Invoke",
@@ -137,6 +139,7 @@ class OfficeHttpRequest(Signature):
 categories = ["vba"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1203", "T1071"]
 filter_apinames = "vbe6_Invoke",
@@ -190,6 +193,7 @@ class OfficeIndirectCall(Signature):
 categories = ["office"]
 authors = ["FDD @ Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1203"]
 patterns = [
 "CallByName[^\r\n;']*",
@@ -260,6 +264,7 @@ class DocumentClose(Signature):
 categories = ["office"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1179"]
 def on_complete(self):
 office = self.get_results("static", {}).get("office", {})
@@ -275,6 +280,7 @@ class DocumentOpen(Signature):
 categories = ["office"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1179"]
 def on_complete(self):
 office = self.get_results("static", {}).get("office", {})
@@ -310,6 +316,7 @@ class OfficeVulnerableGuid(Signature):
 categories = ["office"]
 authors = ["Niels Warnars @ Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1203"]
 bad_guids = {
 "BDD1F04B-858B-11D1-B16A-00C0F0283628": "CVE-2012-0158",
diff --git a/modules/signatures/windows/office_packager.py b/modules/signatures/windows/office_packager.py
index 55cdee373..912eb2149 100644
--- a/modules/signatures/windows/office_packager.py
+++ b/modules/signatures/windows/office_packager.py
@@ -22,6 +22,7 @@ class OfficePackager(Signature):
 categories = ["dropper", "office"]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["T1203"]
 filter_apinames = [
 "CreateProcessInternalW",
diff --git a/modules/signatures/windows/packer_entropy.py b/modules/signatures/windows/packer_entropy.py
index b06338fa9..56de81e3a 100644
--- a/modules/signatures/windows/packer_entropy.py
+++ b/modules/signatures/windows/packer_entropy.py
@@ -22,6 +22,7 @@ class PackerEntropy(Signature):
 categories = ["packer"]
 authors = ["Robby Zeitfuchs", "nex"]
 minimum = "2.0"
+ ttp = ["T1045"]
 references = [
 "http://www.forensickb.com/2013/03/file-entropy-explained.html",
 "http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
diff --git a/modules/signatures/windows/packer_polymorphic.py b/modules/signatures/windows/packer_polymorphic.py
index 866317a9f..36ee92cfe 100644
--- a/modules/signatures/windows/packer_polymorphic.py
+++ b/modules/signatures/windows/packer_polymorphic.py
@@ -20,6 +20,7 @@ class Polymorphic(Signature):
 categories = ["packer"]
 authors = ["lordr"]
 minimum = "2.0"
+ ttp = ["T1045"]
 def on_complete(self):
 if not HAVE_SSDEEP:
diff --git a/modules/signatures/windows/packer_upx.py b/modules/signatures/windows/packer_upx.py
index 50c721c67..34f507f10 100644
--- a/modules/signatures/windows/packer_upx.py
+++ b/modules/signatures/windows/packer_upx.py
@@ -22,6 +22,7 @@ class UPXCompressed(Signature):
 categories = ["packer"]
 authors = ["Michael Boman", "nex"]
 minimum = "2.0"
+ ttp = ["T1045"]
 def on_complete(self):
 for section in self.get_results("static", {}).get("pe_sections", []):
diff --git a/modules/signatures/windows/packer_vmprotect.py b/modules/signatures/windows/packer_vmprotect.py
index 1704f5453..d921a29a5 100644
--- a/modules/signatures/windows/packer_vmprotect.py
+++ b/modules/signatures/windows/packer_vmprotect.py
@@ -22,6 +22,7 @@ class VMPPacked(Signature):
 categories = ["packer"]
 authors = ["Jeremy Hedges"]
 minimum = "2.0"
+ ttp = ["T1045"]
 def on_complete(self):
 for section in self.get_results("static", {}).get("pe_sections", []):
diff --git a/modules/signatures/windows/payload_download.py b/modules/signatures/windows/payload_download.py
index 0a0e6f524..6fe78140f 100644
--- a/modules/signatures/windows/payload_download.py
+++ b/modules/signatures/windows/payload_download.py
@@ -23,6 +23,7 @@ class NetworkDocumentFile(Signature):
 categories = ["exploit", "downloader"]
 authors = ["Kevin Ross", "Will Metcalf"]
 minimum = "2.0"
+ ttp = ["T1071"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
@@ -65,6 +66,7 @@ class NetworkEXE(Signature):
 categories = ["exploit", "downloader"]
 authors = ["Kevin Ross", "Will Metcalf"]
 minimum = "2.0"
+ ttp = ["T1129"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
@@ -105,6 +107,7 @@ class SuspiciousWriteEXE(Signature):
 categories = ["exploit", "downloader", "virus"]
 authors = ["Will Metcalf", "Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1129"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/pe_features.py b/modules/signatures/windows/pe_features.py
index 3918403b1..b0ea13cee 100644
--- a/modules/signatures/windows/pe_features.py
+++ b/modules/signatures/windows/pe_features.py
@@ -13,6 +13,7 @@ class PEFeatures(Signature):
 categories = ["packer"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1045"]
 section_names = [
 ".text", ".rdata", ".data", ".pdata", ".DATA", ".reloc", ".idata",
@@ -44,6 +45,7 @@ class PEIDPacker(Signature):
 categories = ["packer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1045"]
 def on_complete(self):
 if self.get_results("static", {}).get("peid_signatures", []):
diff --git a/modules/signatures/windows/persistence_ads.py b/modules/signatures/windows/persistence_ads.py
index dd52ab476..c668f7d61 100644
--- a/modules/signatures/windows/persistence_ads.py
+++ b/modules/signatures/windows/persistence_ads.py
@@ -27,6 +27,7 @@ class ADS(Signature):
 categories = ["persistence", "ads"]
 authors = ["nex", "Optiv"]
 minimum = "2.0"
+ ttp = ["T1096"]
 def on_complete(self):
 for filepath in self.get_files():
diff --git a/modules/signatures/windows/persistence_autorun.py b/modules/signatures/windows/persistence_autorun.py
index c3d4acfa7..16de51a35 100644
--- a/modules/signatures/windows/persistence_autorun.py
+++ b/modules/signatures/windows/persistence_autorun.py
@@ -31,6 +31,7 @@ class Autorun(Signature):
 categories = ["persistence"]
 authors = ["Michael Boman", "nex", "securitykitten", "Cuckoo Technologies", "Optiv", "KillerInstinct", "Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1060"]
 regkeys_re = [
 ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\.*",
diff --git a/modules/signatures/windows/persistence_bootexecute.py b/modules/signatures/windows/persistence_bootexecute.py
index 66826c3cd..86b6c7582 100644
--- a/modules/signatures/windows/persistence_bootexecute.py
+++ b/modules/signatures/windows/persistence_bootexecute.py
@@ -23,6 +23,7 @@ class PersistenceBootexecute(Signature):
 authors = ["Brad Spengler"]
 minimum = "2.0"
 evented = True
+ ttp = ["T1060"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/persistence_registry_fileless.py b/modules/signatures/windows/persistence_registry_fileless.py
index dafd47d88..cef81c375 100644
--- a/modules/signatures/windows/persistence_registry_fileless.py
+++ b/modules/signatures/windows/persistence_registry_fileless.py
@@ -44,6 +44,7 @@ class PersistenceRegistryEXE(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 evented = True
+ ttp = ["T1112"]
 filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"])
@@ -65,6 +66,7 @@ class PersistenceRegistryPowershell(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 evented = True
+ ttp = ["T1112"]
 filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"])
diff --git a/modules/signatures/windows/powershell.py b/modules/signatures/windows/powershell.py
index 90929107d..ff6aa5858 100644
--- a/modules/signatures/windows/powershell.py
+++ b/modules/signatures/windows/powershell.py
@@ -63,6 +63,7 @@ class AmsiBypass(Signature):
 categories = ["script", "malware", "powershell", "amsi"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
+ ttp = ["T1086", "T1089"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellAMSI":
@@ -98,6 +99,7 @@ class PowershellDdiRc4(Signature):
 categories = ["script", "dropper", "downloader", "malware", "powershell"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
+ ttp = ["T1112", "T1086"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellDdiRc4":
@@ -126,6 +128,7 @@ class PowershellDFSP(Signature):
 categories = ["script", "dropper", "downloader", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
+ ttp = ["T1112", "T1086"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellDFSP":
@@ -175,6 +178,7 @@ class PowershellDownload(Signature):
 categories = ["downloader"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1112", "T1086"]
 filter_apinames = [
 "recv",
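Review bot: `ttp = ["T1112", "T1086"]` on PowershellDdiRc4, PowershellDFSP and PowershellDownload tags Modify Registry, yet nothing visible in these classes touches the registry: two are YARA-match signatures on the script and PowershellDownload filters on `recv`. If the matched script families do write registry values the tag may be right, but then a short comment naming that behaviour would save the next reader the same question; otherwise T1112 should be dropped and, for the downloader, T1105 (Remote File Copy) considered instead. Each class body continues outside its hunk.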
@@ -197,6 +201,7 @@ class PowershellEmpire(Signature):
 categories = ["script", "dropper", "downloader", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
+ ttp = ["T1086"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellEmpire":
@@ -256,6 +261,7 @@ class PowershellCcDns(Signature):
 categories = ["script", "bot", "dns", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
+ ttp = ["T1086", "T1071"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellCcDns":
@@ -275,6 +281,7 @@ class PowershellUnicorn(Signature):
 categories = ["script", "dropper", "downloader", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
+ ttp = ["T1086"]
 def on_yara(self, category, filepath, match):
 if match.name != "UnicornGen":
diff --git a/modules/signatures/windows/powershell_reg.py b/modules/signatures/windows/powershell_reg.py
index 3dc4cf5c4..d1a2bf611 100644
--- a/modules/signatures/windows/powershell_reg.py
+++ b/modules/signatures/windows/powershell_reg.py
@@ -14,6 +14,7 @@ class PowershellRegAdd(Signature):
 categories = ["script", "powershell"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
+ ttp = ["T1086"]
 def on_complete(self):
 lower = "".join(self.get_command_lines()).lower()
diff --git a/modules/signatures/windows/powerworm.py b/modules/signatures/windows/powerworm.py
index 8b7db377b..495379057 100644
--- a/modules/signatures/windows/powerworm.py
+++ b/modules/signatures/windows/powerworm.py
@@ -11,6 +11,7 @@ class Powerworm(Signature):
 categories = ["script", "malware", "powershell", "worm"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
+ ttp = ["T1086"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowerWorm":
diff --git a/modules/signatures/windows/process_interest.py b/modules/signatures/windows/process_interest.py
index 6e681c416..8fd8d2fef 100644
--- a/modules/signatures/windows/process_interest.py
+++ b/modules/signatures/windows/process_interest.py
@@ -23,6 +23,7 @@ class ProcessInterest(Signature):
 authors = ["Optiv", "Kevin Ross"]
 minimum = "2.0"
 evented = True
+ ttp = ["T1057"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
@@ -86,6 +87,7 @@ class InjectionProcessSearch(Signature):
 categories = ["generic"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1057"]
 pids = []
diff --git a/modules/signatures/windows/process_needed.py b/modules/signatures/windows/process_needed.py
index cc5cc9f33..6c02498eb 100644
--- a/modules/signatures/windows/process_needed.py
+++ b/modules/signatures/windows/process_needed.py
@@ -23,6 +23,7 @@ class ProcessNeeded(Signature):
 authors = ["Optiv"]
 minimum = "2.0"
 evented = True
+ ttp = ["T1057"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/ransomware_bcdedit.py b/modules/signatures/windows/ransomware_bcdedit.py
index 14734396a..0c0d269df 100644
--- a/modules/signatures/windows/ransomware_bcdedit.py
+++ b/modules/signatures/windows/ransomware_bcdedit.py
@@ -13,6 +13,7 @@ class RansomwareBcdedit(Signature):
 categories = ["ransomware"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1047"]
 indicator = (
 "bcdedit.*/set.*(bootems|optionsedit|advancedoptions|bootstatuspolicy|recoveryenabled)"
diff --git a/modules/signatures/windows/reads_user_agent.py b/modules/signatures/windows/reads_user_agent.py
index 7dd7b5384..1d0aac0da 100644
--- a/modules/signatures/windows/reads_user_agent.py
+++ b/modules/signatures/windows/reads_user_agent.py
@@ -12,6 +12,7 @@ class ReadsUserAgent(Signature):
 severity = 2
 categories = ["stealth"]
 minimum = "2.0"
+ ttp = ["T1071"]
 filter_apinames = "ObtainUserAgentString", "InternetOpenA", "InternetOpenW"
diff --git a/modules/signatures/windows/recon_programs.py b/modules/signatures/windows/recon_programs.py
index b8959f269..ca1a3fe9b 100644
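Review bot: `ttp = ["T1047"]` on RansomwareBcdedit tags Windows Management Instrumentation, but the signature's `indicator` matches a `bcdedit /set` command line, which is a boot-configuration change rather than a WMI call. The behaviour it detects (disabling recovery/boot-status options) corresponds to Inhibit System Recovery, T1490, if the ATT&CK version the project tracks already has it; failing that, leaving `ttp` empty is better than a technique that will mislead anyone pivoting on it. T1047 is correctly used for the wmi.py classes later in this patch, so this looks like a copy-over.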
--- a/modules/signatures/windows/recon_programs.py
+++ b/modules/signatures/windows/recon_programs.py
@@ -11,6 +11,7 @@ class InstalledApps(Signature):
 categories = ["recon"]
 authors = ["Optiv"]
 minimum = "2.0"
+ ttp = ["T1012", "T1082"]
 filter_apinames = "RegQueryValueExA", "RegQueryValueExW"
@@ -32,6 +33,7 @@ class QueriesInstalledApps(Signature):
 categories = ["recon"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1012"]
 filter_apinames = "RegOpenKeyExA", "RegOpenKeyExW"
diff --git a/modules/signatures/windows/self_delete_bat.py b/modules/signatures/windows/self_delete_bat.py
index 34c8f4432..0ffe40614 100644
--- a/modules/signatures/windows/self_delete_bat.py
+++ b/modules/signatures/windows/self_delete_bat.py
@@ -13,6 +13,7 @@ class SelfDeleteBat(Signature):
 categories = ["trojan"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1070"]
 indicator = (
 "@echo.*off.*"
diff --git a/modules/signatures/windows/spreading_autoruninf.py b/modules/signatures/windows/spreading_autoruninf.py
index c730917a5..90f7524ac 100644
--- a/modules/signatures/windows/spreading_autoruninf.py
+++ b/modules/signatures/windows/spreading_autoruninf.py
@@ -22,6 +22,7 @@ class CreatesAutorunInf(Signature):
 categories = ["spreading"]
 authors = ["Thomas Birn", "nex"]
 minimum = "2.0"
+ ttp = ["T1091"]
 def on_complete(self):
 filepath = self.check_file(pattern=".*\\\\autorun\\.inf$", regex=True)
diff --git a/modules/signatures/windows/stealth_hiddenfile.py b/modules/signatures/windows/stealth_hiddenfile.py
index 1463e1e9a..7596cafc2 100644
--- a/modules/signatures/windows/stealth_hiddenfile.py
+++ b/modules/signatures/windows/stealth_hiddenfile.py
@@ -11,6 +11,7 @@ class StealthHiddenFile(Signature):
 categories = ["stealth"]
 authors = ["Optiv"]
 minimum = "2.0"
+ ttp = ["T1158", "T1054"]
 regkeys_re = [
 ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden$",
diff --git a/modules/signatures/windows/stealth_hiddenicons.py b/modules/signatures/windows/stealth_hiddenicons.py
index a4c7e4381..85a12d3ff 100644
--- a/modules/signatures/windows/stealth_hiddenicons.py
+++ b/modules/signatures/windows/stealth_hiddenicons.py
@@ -22,6 +22,7 @@ class StealthHiddenIcons(Signature):
 categories = ["stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1158", "T1054"]
 regkeys_re = [
 ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideIcons$",
diff --git a/modules/signatures/windows/stealth_hidenotifications.py b/modules/signatures/windows/stealth_hidenotifications.py
index c8fc63102..1476dcd96 100644
--- a/modules/signatures/windows/stealth_hidenotifications.py
+++ b/modules/signatures/windows/stealth_hidenotifications.py
@@ -11,6 +11,7 @@ class StealthHideNotifications(Signature):
 categories = ["stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1054"]
 regkeys_re = [
 ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth$",
diff --git a/modules/signatures/windows/stealth_systemprocname.py b/modules/signatures/windows/stealth_systemprocname.py
index 72b4c029d..96a0d9ad0 100644
--- a/modules/signatures/windows/stealth_systemprocname.py
+++ b/modules/signatures/windows/stealth_systemprocname.py
@@ -22,6 +22,7 @@ class StealthSystemProcName(Signature):
 categories = ["stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1036"]
 filter_apinames = "CreateProcessInternalW", "ShellExecuteExW",
diff --git a/modules/signatures/windows/stealth_window.py b/modules/signatures/windows/stealth_window.py
index 52e8e7e24..245d5c2db 100644
--- a/modules/signatures/windows/stealth_window.py
+++ b/modules/signatures/windows/stealth_window.py
@@ -27,6 +27,7 @@ class Hidden_Window(Signature):
 categories = ["stealth"]
 authors = ["KillerInstinct"]
 minimum = "2.0"
+ ttp = ["T1143"]
 filter_apinames = set(["ShellExecuteExW", "CreateProcessInternalW"])
diff --git a/modules/signatures/windows/stops_service.py b/modules/signatures/windows/stops_service.py
index 0b786f149..ad45eaf64 100644
--- a/modules/signatures/windows/stops_service.py
+++ b/modules/signatures/windows/stops_service.py
@@ -13,6 +13,7 @@ class StopsService(Signature):
 categories = ["anti-av"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1031", "T1089"]
 indicator = (
 "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\services\\\\(.*)\\\\Start"
diff --git a/modules/signatures/windows/volatility_sig.py b/modules/signatures/windows/volatility_sig.py
index 2fe8fcbfb..7e3f77712 100644
--- a/modules/signatures/windows/volatility_sig.py
+++ b/modules/signatures/windows/volatility_sig.py
@@ -11,6 +11,7 @@ class VolMalfind1(Signature):
 categories = ["generic"]
 authors = ["Thorsten Sick"]
 minimum = "2.0"
+ ttp = ["T1055"]
 def on_complete(self):
 pids = set()
@@ -88,6 +89,7 @@ class VolSvcscan1(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
+ ttp = ["T1031"]
 def on_complete(self):
 for row in self.get_volatility("svcscan").get("data", []):
@@ -105,6 +107,7 @@ class VolSvcscan2(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
+ ttp = ["T1031", "T1089"]
 def on_complete(self):
 for row in self.get_volatility("svcscan").get("data", []):
@@ -122,6 +125,7 @@ class VolSvcscan3(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
+ ttp = ["T1031"]
 def on_complete(self):
 for row in self.get_volatility("svcscan").get("data", []):
@@ -154,6 +158,7 @@ class VolHandles1(Signature):
 categories = ["generic"]
 authors = ["Thorsten Sick"]
 minimum = "2.0"
+ ttp = ["T1055"]
 def on_complete(self):
 threads = set()
diff --git a/modules/signatures/windows/windows_utilities.py b/modules/signatures/windows/windows_utilities.py
index 4af13f7da..80645ae0b 100644
--- a/modules/signatures/windows/windows_utilities.py
+++ b/modules/signatures/windows/windows_utilities.py
@@ -150,6 +150,7 @@ class UsesWindowsUtilities(Signature):
 categories = ["commands", "lateral"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1053"]
 references = ["http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"]
 def on_complete(self):
@@ -200,6 +201,7 @@ class AddsUser(Signature):
 categories = ["commands"]
 authors = ["Kevin"]
 minimum = "2.0"
+ ttp = ["T1136"]
 def on_complete(self):
 for cmdline in self.get_command_lines():
@@ -215,6 +217,7 @@ class AddsUserAdmin(Signature):
 categories = ["commands"]
 authors = ["Kevin"]
 minimum = "2.0"
+ ttp = ["T1098"]
 def on_complete(self):
 for cmdline in self.get_command_lines():
diff --git a/modules/signatures/windows/wmi.py b/modules/signatures/windows/wmi.py
index ac3f7e802..72411bd9b 100644
--- a/modules/signatures/windows/wmi.py
+++ b/modules/signatures/windows/wmi.py
@@ -13,6 +13,7 @@ class HasWMI(Signature):
 categories = ["wmi"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1047"]
 blacklist = "(AntivirusProduct|FirewallProduct)"
@@ -32,6 +33,7 @@ class Win32ProcessCreate(Signature):
 categories = ["wmi"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1047"]
 filter_apinames = [
 "IWbemServices_ExecMethod",
@@ -51,6 +53,7 @@ class WMIAntiVM(Signature):
 categories = ["wmi", "anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1047"]
 antivm = [
 "win32_processor",
@@ -98,6 +101,7 @@ class WMIService(Signature):
 categories = ["persistance"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1047"]
 persistance = [
 "win32_service",
From b1031e785f91585b45cf691b95ba2bc2d7973264 Mon Sep 17 00:00:00 2001
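Review bot: `ttp = ["T1053"]` on UsesWindowsUtilities tags Scheduled Task, but the class is a generic catalogue of abused Windows commands (its reference is the JPCERT list) and the matched utility list is outside this hunk; a single technique can only be right for the subset of those commands that schedule tasks. Either tag the broad signature with the technique that covers the whole list (T1059 Command-Line Interface, already used for JavaScriptCommandline in this patch) or leave `ttp` empty here and tag the per-command signatures instead. UsesWindowsUtilities's on_complete body continues outside the hunk.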
From: Evert0x
Date: Tue, 2 Apr 2019 20:01:36 +0200
Subject: [PATCH 2/2] Adding ttp codes 2/2
---
 modules/signatures/windows/antivirus_detection_cn.py | 1 +
 modules/signatures/windows/antivm_generic_cpu.py | 1 +
 modules/signatures/windows/antivm_memory_available.py | 1 +
 modules/signatures/windows/antivm_parallels_window.py | 1 +
 modules/signatures/windows/antivm_vmware_window.py | 1 +
 modules/signatures/windows/creates_exe.py | 2 ++
 modules/signatures/windows/creates_service.py | 1 +
 modules/signatures/windows/dropper.py | 1 +
 modules/signatures/windows/emoves_zoneid_ads.py | 1 +
 modules/signatures/windows/infostealer_browser.py | 1 +
 modules/signatures/windows/martians.py | 1 +
 modules/signatures/windows/office.py | 1 +
 modules/signatures/windows/pe_features.py | 1 +
 modules/signatures/windows/persistence_autorun.py | 2 +-
 modules/signatures/windows/persistence_registry_fileless.py | 1 +
 modules/signatures/windows/powerfun.py | 1 +
 modules/signatures/windows/powershell.py | 4 ++++
 modules/signatures/windows/stealth_hiddenextension.py | 1 +
 modules/signatures/windows/wmi.py | 1 +
 19 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/modules/signatures/windows/antivirus_detection_cn.py b/modules/signatures/windows/antivirus_detection_cn.py
index d5f9dcc6c..72c5d3dce 100644
--- a/modules/signatures/windows/antivirus_detection_cn.py
+++ b/modules/signatures/windows/antivirus_detection_cn.py
@@ -13,6 +13,7 @@ class AVDetectionChinaKey(Signature):
 families = ["china"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["T1063", "T1012"]
 indicators = [
 ".*360Safe",
diff --git a/modules/signatures/windows/antivm_generic_cpu.py b/modules/signatures/windows/antivm_generic_cpu.py
index e9e7d1955..7021f00ec 100644
--- a/modules/signatures/windows/antivm_generic_cpu.py
+++ b/modules/signatures/windows/antivm_generic_cpu.py
@@ -22,6 +22,7 @@ class AntiVMCPU(Signature):
categories = ["anti-vm"]
authors = ["Optiv"]
minimum = "2.0"
+ ttp = ["T1082", "T1012"]
regkeys_re = [
".*\\\\HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\.*\\\\ProcessorNameString",
diff --git a/modules/signatures/windows/antivm_memory_available.py b/modules/signatures/windows/antivm_memory_available.py
index d549ee31c..df9870dd7 100644
--- a/modules/signatures/windows/antivm_memory_available.py
+++ b/modules/signatures/windows/antivm_memory_available.py
@@ -22,6 +22,7 @@ class MemoryAvailable(Signature):
categories = ["anti-vm"]
authors = ["Kevin Ross"]
minimum = "2.0"
+ ttp = ["T1082"]
filter_apinames = [
"GlobalMemoryStatusEx", "GetPhysicallyInstalledSystemMemory",
diff --git a/modules/signatures/windows/antivm_parallels_window.py b/modules/signatures/windows/antivm_parallels_window.py
index f30ca0b3c..ccc3eb10e 100644
--- a/modules/signatures/windows/antivm_parallels_window.py
+++ b/modules/signatures/windows/antivm_parallels_window.py
@@ -22,6 +22,7 @@ class ParallelsDetectWindow(Signature):
categories = ["anti-vm"]
authors = ["Kevin Ross"]
minimum = "2.0"
+ ttp = ["T1057"]
filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_vmware_window.py b/modules/signatures/windows/antivm_vmware_window.py
index 3b7745abd..61115757d 100644
--- a/modules/signatures/windows/antivm_vmware_window.py
+++ b/modules/signatures/windows/antivm_vmware_window.py
@@ -22,6 +22,7 @@ class VMwareDetectWindow(Signature):
categories = ["anti-vm"]
authors = ["Kevin Ross"]
minimum = "2.0"
+ ttp = ["T1057"]
filter_categories = "ui",
diff --git a/modules/signatures/windows/creates_exe.py b/modules/signatures/windows/creates_exe.py
index 91fb51578..3bd0f5a06 100644
--- a/modules/signatures/windows/creates_exe.py
+++ b/modules/signatures/windows/creates_exe.py
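Review bot: T1057 (Process Discovery) does not fit `ParallelsDetectWindow`, whose `filter_categories = "ui",` context shows it keys on window enumeration rather than on listing processes; ATT&CK's technique for inspecting open windows is T1010 (Application Window Discovery), so the added line should read `ttp = ["T1010"]`. The same mismatch is in the `VMwareDetectWindow` hunk of antivm_vmware_window.py on this line. The window titles being matched sit outside both hunks, so confirm neither signature also walks the process list before swapping the tag.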
@@ -16,6 +16,7 @@ class CreatesExe(Signature):
categories = ["generic"]
authors = ["Cuckoo Developers"]
minimum = "2.0"
+ ttp = ["T1129"]
pattern = (
".*\\.(bat|cmd|com|cpl|dll|exe|js|jse|lnk|msi|msh|msh1|msh2|mshxml|"
@@ -36,6 +37,7 @@ class CreatesUserFolderEXE(Signature):
families = ["persistance"]
authors = ["Kevin Ross"]
minimum = "2.0"
+ ttp = ["T1129"]
directories_re = [
"^[a-zA-Z]:\\\\Users\\\\[^\\\\]+\\\\AppData\\\\.*",
diff --git a/modules/signatures/windows/creates_service.py b/modules/signatures/windows/creates_service.py
index 56556353c..1613d01dd 100644
--- a/modules/signatures/windows/creates_service.py
+++ b/modules/signatures/windows/creates_service.py
@@ -11,6 +11,7 @@ class CreatesService(Signature):
categories = ["service", "persistence"]
authors = ["Cuckoo Technologies", "Kevin Ross"]
minimum = "2.0"
+ ttp = ["T1031"]
filter_apinames = [
"CreateServiceA", "CreateServiceW",
diff --git a/modules/signatures/windows/dropper.py b/modules/signatures/windows/dropper.py
index 08e95b6ca..38a2b1ab9 100644
--- a/modules/signatures/windows/dropper.py
+++ b/modules/signatures/windows/dropper.py
@@ -59,6 +59,7 @@ class ExeAppData(Signature):
categories = ["dropper", "persistence"]
authors = ["Kevin Ross"]
minimum = "2.0"
+ ttp = ["T1129"]
def on_complete(self):
for dropped in self.get_results("dropped", []):
diff --git a/modules/signatures/windows/emoves_zoneid_ads.py b/modules/signatures/windows/emoves_zoneid_ads.py
index 72d65ddb7..6931ce2e7 100644
--- a/modules/signatures/windows/emoves_zoneid_ads.py
+++ b/modules/signatures/windows/emoves_zoneid_ads.py
@@ -11,6 +11,7 @@ class RemovesZoneIdADS(Signature):
categories = ["generic"]
authors = ["Optiv"]
minimum = "2.0"
+ ttp = ["T1070", "T1096"]
def on_complete(self):
for deletedfile in self.get_files(actions=["file_deleted"]):
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
index 19d6b82a1..44932732c 100644
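Review bot: T1129 (Execution through Module Load) describes code running via the loader's import or LoadLibrary path, but `CreatesExe` matches file creation against its extension `pattern`, and `CreatesUserFolderEXE` (second hunk of this file) and `ExeAppData` in dropper.py on this line key on where an executable is written — none of them observes a module being loaded, so the tag attributes an execution technique to a write-to-disk observation. If the intent is just "dropped an executable or script", a comment saying so is more honest than a technique ID, e.g. `# no precise ATT&CK technique for writing an executable to disk; revisit when the mapping is refined`; otherwise choose a technique whose definition the signature's evidence actually supports. The matching bodies of all three signatures are outside these hunks.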
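Review bot: `CreatesService` hooks `CreateServiceA`/`CreateServiceW` (visible in its `filter_apinames` context), i.e. registration of a new service, which ATT&CK catalogues as T1050 (New Service); T1031 (Modify Existing Service) covers changing the configuration or binary of a service that already exists, so the added line should be `ttp = ["T1050"]`. The rest of the API list is outside the hunk; if it also covers service-modification calls, keep T1031 alongside T1050 rather than instead of it.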
--- a/modules/signatures/windows/infostealer_browser.py
+++ b/modules/signatures/windows/infostealer_browser.py
@@ -22,6 +22,7 @@ class BrowserStealer(Signature):
categories = ["infostealer"]
authors = ["nex", "Cuckoo Technologies"]
minimum = "2.0"
+ ttp = ["T1081", "T1003", "T1005"]
files_re = [
".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\signons\\.sqlite$",
diff --git a/modules/signatures/windows/martians.py b/modules/signatures/windows/martians.py
index 16140f4cc..a1276ac5f 100644
--- a/modules/signatures/windows/martians.py
+++ b/modules/signatures/windows/martians.py
@@ -82,6 +82,7 @@ class MartianCommandProcess(Signature):
categories = ["martian", "exploit", "dropper"]
authors = ["Cuckoo Technologies", "Will Metcalf", "Kevin Ross"]
minimum = "2.0"
+ ttp = ["T1059"]
whitelist_procs = [
"acrord32.exe",
diff --git a/modules/signatures/windows/office.py b/modules/signatures/windows/office.py
index 1b0eaab39..787489364 100644
--- a/modules/signatures/windows/office.py
+++ b/modules/signatures/windows/office.py
@@ -350,6 +350,7 @@ class OfficeVulnModules(Signature):
categories = ["office"]
authors = ["Niels Warnars @ Cuckoo Technologies"]
minimum = "2.0"
+ ttp = ["T1203"]
bad_modules = {
"ogl.dll": "CVE-2013-3906",
diff --git a/modules/signatures/windows/pe_features.py b/modules/signatures/windows/pe_features.py
index b0ea13cee..083912f83 100644
--- a/modules/signatures/windows/pe_features.py
+++ b/modules/signatures/windows/pe_features.py
@@ -61,6 +61,7 @@ class PEUnknownResourceName(Signature):
categories = ["packer"]
authors = ["Kevin Ross"]
minimum = "2.0"
+ ttp = ["T1045"]
names = [
"RT_ACCELERATOR",
diff --git a/modules/signatures/windows/persistence_autorun.py b/modules/signatures/windows/persistence_autorun.py
index 16de51a35..b4d06c44a 100644
--- a/modules/signatures/windows/persistence_autorun.py
+++ b/modules/signatures/windows/persistence_autorun.py
@@ -31,7 +31,7 @@ class Autorun(Signature):
categories = ["persistence"]
authors = ["Michael Boman", "nex", "securitykitten", "Cuckoo Technologies", "Optiv", "KillerInstinct", "Kevin Ross"]
minimum = "2.0"
- ttp = ["T1060"]
+ ttp = ["T1060", "T1053"]
regkeys_re = [
".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\.*",
diff --git a/modules/signatures/windows/persistence_registry_fileless.py b/modules/signatures/windows/persistence_registry_fileless.py
index cef81c375..9b00fb1c7 100644
--- a/modules/signatures/windows/persistence_registry_fileless.py
+++ b/modules/signatures/windows/persistence_registry_fileless.py
@@ -23,6 +23,7 @@ class PersistenceRegistryJavaScript(Signature):
authors = ["Kevin Ross"]
minimum = "2.0"
evented = True
+ ttp = ["T1112"]
filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"])
diff --git a/modules/signatures/windows/powerfun.py b/modules/signatures/windows/powerfun.py
index 52898ed3b..c65c8b59e 100644
--- a/modules/signatures/windows/powerfun.py
+++ b/modules/signatures/windows/powerfun.py
@@ -11,6 +11,7 @@ class Powerfun(Signature):
categories = ["script", "malware", "injector"]
authors = ["FDD", "Cuckoo Technologies"]
minimum = "2.0.4"
+ ttp = ["T1086"]
def on_yara(self, category, filepath, match):
if match.name != "Powerfun":
diff --git a/modules/signatures/windows/powershell.py b/modules/signatures/windows/powershell.py
index ff6aa5858..f530625c2 100644
--- a/modules/signatures/windows/powershell.py
+++ b/modules/signatures/windows/powershell.py
@@ -81,6 +81,7 @@ class PowershellBitsTransfer(Signature):
categories = ["script", "dropper", "downloader", "malware", "powershell"]
authors = ["FDD", "Cuckoo Technologies"]
minimum = "2.0.4"
+ ttp = ["T1197"]
def on_yara(self, category, filepath, match):
if match.name != "PowershellBitsTransfer":
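Review bot: In the persistence_registry_fileless.py hunk the new `ttp` line sits after `evented = True`, whereas every other hunk in this series places it directly after `minimum`; moving it up keeps the metadata header in one order (`minimum = "2.0"` / `ttp = ["T1112"]` / `evented = True`) so readers and any tooling that scans these headers find it in the same place. T1112 (Modify Registry) also only describes the mechanism — for a signature whose name and `filter_apinames` say it watches registry writes that establish script persistence, the persistence technique is the more useful tag; the key regexes are outside the hunk, so decide from them whether T1060 belongs in the list as well.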
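Review bot: `PowershellBitsTransfer` receives only T1197 (BITS Jobs), while the sibling YARA-driven signatures `Powerfun` (on this line) and `PowershellDI`/`PowershellMeterpreter` (next hunks of this file) are all tagged T1086 (PowerShell); this one also fires on a PowerShell script — `categories` lists "powershell" and the `on_yara` hook keys on a script match — so it should carry both: `ttp = ["T1086", "T1197"]`. Otherwise a report aggregating T1086 across signatures will miss PowerShell activity that happened to use BITS.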
@@ -147,6 +148,7 @@ class PowershellDI(Signature):
categories = ["script", "dropper", "downloader", "malware", "powershell"]
authors = ["FDD", "Cuckoo Technologies"]
minimum = "2.0.4"
+ ttp = ["T1086"]
def on_yara(self, category, filepath, match):
if match.name != "PowershellDI":
@@ -219,6 +221,7 @@ class PowershellMeterpreter(Signature):
categories = ["script", "meterpreter", "powershell", "malware"]
authors = ["FDD", "Cuckoo Technologies"]
minimum = "2.0.4"
+ ttp = ["T1086"]
def on_yara(self, category, filepath, match):
if match.name != "PowershellMeterpreter":
@@ -242,6 +245,7 @@ class PowershellRequest(Signature):
categories = ["downloader"]
authors = ["FDD", "Cuckoo Technologies"]
minimum = "2.0"
+ ttp = ["T1086", "T1071"]
filter_apinames = [
"send",
diff --git a/modules/signatures/windows/stealth_hiddenextension.py b/modules/signatures/windows/stealth_hiddenextension.py
index ea1c1aba6..6bf3f9828 100644
--- a/modules/signatures/windows/stealth_hiddenextension.py
+++ b/modules/signatures/windows/stealth_hiddenextension.py
@@ -22,6 +22,7 @@ class StealthHiddenExtension(Signature):
categories = ["stealth"]
authors = ["Kevin Ross"]
minimum = "2.0"
+ ttp = ["T1158", "T1054"]
regkeys_re = [
".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt$",
diff --git a/modules/signatures/windows/wmi.py b/modules/signatures/windows/wmi.py
index 72411bd9b..95204ae50 100644
--- a/modules/signatures/windows/wmi.py
+++ b/modules/signatures/windows/wmi.py
@@ -81,6 +81,7 @@ class WMIPersistance(Signature):
categories = ["persistance"]
authors = ["Kevin Ross"]
minimum = "2.0"
+ ttp = ["T1047"]
persistance = [
"win32_startupcommand",
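Review bot: T1054 (Indicator Blocking) covers suppressing or redirecting security telemetry, which is not what `StealthHiddenExtension` observes — its `regkeys_re` context targets Explorer's `HideFileExt` value, i.e. hiding file extensions from the user so a disguised executable looks like a document. That is T1158 (Hidden Files and Directories), already listed, and since the observation is a registry write, T1112 (Modify Registry) is the natural second tag: `ttp = ["T1158", "T1112"]`. The remaining regex entries are outside the hunk, so check them before dropping T1054 entirely.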