Update TTP

modules/signatures/windows/antianalysis_detectfile.py

@@ -11,7 +11,7 @@ class AntiAnalysisDetectFile(Signature):
     categories = ["anti-analysis"]
     authors = ["KillerInstinct"]
     minimum = "2.0"
-    ttp = ["T1063"]
+    ttp = ["T1518_001"]
 
     file_indicators = [
         "[A-Za-z]:\\\\analysis",

modules/signatures/windows/antiav_avast_libs.py

@@ -22,7 +22,7 @@ class AvastDetectLibs(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1063"]
+    ttp = ["T1518_001"]
 
     filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
 

modules/signatures/windows/antiav_bitdefender_libs.py

@@ -22,7 +22,7 @@ class BitdefenderDetectLibs(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1063"]
+    ttp = ["T1518_001"]
 
     filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
 

modules/signatures/windows/antiav_detectfile.py

@@ -15,7 +15,7 @@ class AntiAVDetectFile(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1063"]
+    ttp = ["T1518_001"]
 
     file_indicators = [
         ".*\\\\AVAST\\ Software",

modules/signatures/windows/antiav_detectreg.py

@@ -11,7 +11,7 @@ class AntiAVDetectReg(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1063", "T1012"]
+    ttp = ["T1518_001", "T1012"]
 
     reg_indicators = [
         ".*\\\\Software\\\\(Wow6432Node\\\\)?Avg",

modules/signatures/windows/antiav_servicestop.py

@@ -16,7 +16,7 @@ class AntiAVServiceStop(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1031", "T1089"]
+    ttp = ["T1543_003", "T1562_001"]
     evented = True
 
     def __init__(self, *args, **kwargs):

modules/signatures/windows/antiav_srp.py

@@ -11,7 +11,7 @@ class AntiAVSRP(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1089"]
+    ttp = ["T1562_001"]
 
     regkeys_re = [
         ".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*",

modules/signatures/windows/antisandbox_unhook.py

@@ -22,7 +22,7 @@ class Unhook(Signature):
     categories = ["anti-sandbox"]
     authors = ["nex"]
     minimum = "2.0"
-    ttp = ["T1089"]
+    ttp = ["T1562_001"]
 
     filter_apinames = "__anomaly__",
 

modules/signatures/windows/antivirus_detection_cn.py

@@ -13,7 +13,7 @@ class AVDetectionChinaKey(Signature):
     families = ["china"]
     authors = ["RedSocks"]
     minimum = "2.0"
-    ttp = ["T1063", "T1012"]
+    ttp = ["T1518_001", "T1012"]
 
     indicators = [
         ".*360Safe",

modules/signatures/windows/appinit.py

@@ -11,7 +11,7 @@ class InstallsAppInit(Signature):
     categories = ["persistence"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["T1103"]
+    ttp = ["T1546_010"]
 
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\Appinit_Dlls",

modules/signatures/windows/applocker_bypass.py

@@ -13,7 +13,7 @@ class AppLockerBypass(Signature):
     categories = ["applocker", "bypass"]
     authors = ["FDD", "Cuckoo Technologies"]
     minimum = "2.0.4"
-    ttp = ["T1086", "T1117"]
+    ttp = ["T1059_001", "T1218_010"]
 
     def on_yara(self, category, filepath, match):
         if match.name != "ApplockerBypass":

modules/signatures/windows/bootconfig_modify.py

@@ -22,7 +22,7 @@ class ModifiesBootConfig(Signature):
     categories = ["persistance", "ransomware"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1067"]
+    ttp = ["T1542_003"]
     filter_apinames = "ShellExecuteExW", "CreateProcessInternalW",
 
     def on_call(self, call, process):

modules/signatures/windows/bootkit.py

@@ -13,7 +13,7 @@ class Bootkit(Signature):
     authors = ["Optiv"]
     minimum = "2.0"
     evented = True
-    ttp = ["T1067"]
+    ttp = ["T1542_003"]
     BasicFileInformation = 4
 
     def __init__(self, *args, **kwargs):

modules/signatures/windows/browser_security.py

@@ -22,7 +22,7 @@ class BrowserSecurity(Signature):
     categories = ["browser", "clickfraud", "banker"]
     authors = ["Kevin Ross", "Optiv"]
     minimum = "2.0"
-    ttp = ["T1089"]
+    ttp = ["T1562_001"]
 
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Privacy\\\\EnableInPrivateMode",

modules/signatures/windows/bypass_firewall.py

@@ -24,7 +24,7 @@ class BypassFirewall(Signature):
     categories = ["bypass"]
     authors = ["Anderson Tamborim", "nex", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1031"]
+    ttp = ["T1543_003"]
     indicator = ".*\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\.*"
 
     def on_complete(self):

modules/signatures/windows/creates_hidden_file.py

@@ -12,7 +12,7 @@ class CreatesHiddenFile(Signature):
     severity = 2
     categories = ["stealth"]
     minimum = "2.0"
-    ttp = ["T1158"]
+    ttp = ["T1564_001"]
     filter_apinames = "NtCreateFile", "SetFileAttributesW"
 
     def __init__(self, *args, **kwargs):

modules/signatures/windows/creates_null_reg_entry.py

@@ -12,7 +12,7 @@ class CreatesNullRegistryEntry(Signature):
     severity = 2
     categories = ["stealth"]
     minimum = "2.0"
-    ttp = ["T1054", "T1112"]
+    ttp = ["T1562_006", "T1112"]
     filter_apinames = (
         "NtSetValueKey", "NtCreateKey", "RegCreateKeyExA",
         "RegCreateKeyExW", "RegSetValueExA", "RegSetValueExW",

modules/signatures/windows/creates_service.py

@@ -11,7 +11,7 @@ class CreatesService(Signature):
     categories = ["service", "persistence"]
     authors = ["Cuckoo Technologies", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1031"]
+    ttp = ["T1543_003"]
 
     filter_apinames = [
         "CreateServiceA", "CreateServiceW",

modules/signatures/windows/disables_browserwarn.py

@@ -11,7 +11,7 @@ class DisablesBrowserWarn(Signature):
     categories = ["generic", "banker", "clickfraud"]
     authors = ["Optiv", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1089"]
+    ttp = ["T1562_001"]
 
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnBadCertRecving",

modules/signatures/windows/disables_security.py

@@ -11,7 +11,7 @@ class DisablesSecurity(Signature):
     categories = ["anti-av"]
     authors = ["Cuckoo Technologies", "Brad Spengler"]
     minimum = "2.0"
-    ttp = ["T1089", "T1112"]
+    ttp = ["T1562_001", "T1112"]
 
     regkeys_re = [
         ("HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA", "attempts to disable user access control"),

modules/signatures/windows/disables_wer.py

@@ -11,7 +11,7 @@ class DisablesWER(Signature):
     categories = ["stealth"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1054", "T1112"]
+    ttp = ["T1562_006", "T1112"]
 
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ Error\\ Reporting\\\\Disabled$",

modules/signatures/windows/emoves_zoneid_ads.py

@@ -11,7 +11,7 @@ class RemovesZoneIdADS(Signature):
     categories = ["generic"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1070", "T1096"]
+    ttp = ["T1070", "T1564_004"]
 
     def on_complete(self):
         for deletedfile in self.get_files(actions=["file_deleted"]):

modules/signatures/windows/generic_metrics.py

@@ -0,0 +1,48 @@
+# Copyright (C) 2010-2013 Claudio Guarnieri.
+# Copyright (C) 2014-2016 Cuckoo Foundation.
+# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
+# See the file 'docs/LICENSE' for copying permission.
+
+from cuckoo.common.abstracts import Signature
+
+class SystemMetrics(Signature):
+    name = "generic_metrics"
+    description = "Uses GetSystemMetrics"
+    severity = 2
+    categories = ["generic"]
+    authors = ["Cuckoo Developers"]
+    minimum = "2.0"
+
+    # Evented signatures can specify filters that reduce the amount of
+    # API calls that are streamed in. One can filter Process name, API
+    # name/identifier and category.
+    filter_processnames = ()
+    filter_apinames = "GetSystemMetrics",
+    filter_categories = ()
+
+    # This is a signature template. It should be used as a skeleton for
+    # creating custom signatures, therefore is disabled by default.
+    # The on_call function is used in "evented" signatures.
+    # These use a more efficient way of processing logged API calls.
+    enabled = False
+
+    def stop(self):
+        # In the stop method one can implement any cleanup code and
+        #  decide one last time if this signature matches or not.
+        #  Return True in case it matches.
+        return False
+
+    # This method will be called for every logged API call by the loop
+    # in the RunSignatures plugin. The return value determines the "state"
+    # of this signature. True means the signature matched and False means
+    # it can't match anymore. Both of which stop streaming in API calls.
+    # Returning None keeps the signature active and will continue.
+    def on_call(self, call, pid, tid):
+        # This check would in reality not be needed as we already make use
+        # of filter_apinames above.
+        if call["api"] == "GetSystemMetrics":
+            # Signature matched, return True.
+            return True
+
+        # continue
+        return None

modules/signatures/windows/infostealer_browser.py

@@ -22,7 +22,7 @@ class BrowserStealer(Signature):
     categories = ["infostealer"]
     authors = ["nex", "Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["T1081", "T1003", "T1005"]
+    ttp = ["T1552_001", "T1003", "T1005"]
 
     files_re = [
         ".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\signons\\.sqlite$",

modules/signatures/windows/infostealer_browser_modifications.py

@@ -11,7 +11,7 @@ class DisablesSPDYFirefox(Signature):
     categories = ["infostealer", "banker"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1089"]
+    ttp = ["T1562_001"]
 
     filter_apinames = [
         "NtWriteFile",
@@ -32,7 +32,7 @@ class DisablesSPDYIE(Signature):
     categories = ["infostealer", "banker"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1089"]
+    ttp = ["T1562_001"]
     references = ["www.windows-security.org/65bb16b8e4a8cda95159541fcf31fcd7/allow-internet-explorer-to-use-the-spdy3-network-protocol"]
 
     filter_apinames = [
@@ -59,7 +59,7 @@ class DisablesSPDYChrome(Signature):
     categories = ["infostealer", "banker"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1089"]
+    ttp = ["T1562_001"]
 
     def on_complete(self):
         for cmdline in self.get_command_lines():
@@ -75,7 +75,7 @@ class ModifiesFirefoxConfiguration(Signature):
     categories = ["infostealer", "banker"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1089"]
+    ttp = ["T1562_001"]
 
     filter_apinames = [
         "NtWriteFile",
@@ -98,7 +98,7 @@ class DisablesIEHTTP2(Signature):
     categories = ["infostealer", "banker"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1089"]
+    ttp = ["T1562_001"]
 
     http2keys = [
         "enablehttp2tls",

modules/signatures/windows/infostealer_ftp.py

@@ -22,7 +22,7 @@ class FTPStealer(Signature):
     categories = ["infostealer"]
     authors = ["nex", "RedSocks", "Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["T1081", "T1003", "T1005"]
+    ttp = ["T1552_001", "T1003", "T1005"]
 
     files_re = [
         ".*\\\\CuteFTP\\\\sm\\.dat$",

modules/signatures/windows/infostealer_im.py

@@ -11,7 +11,7 @@ class IMStealer(Signature):
     categories = ["infostealer"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1081", "T1003", "T1005"]
+    ttp = ["T1552_001", "T1003", "T1005"]
 
     file_indicators = [
          ".*\\\\AIM\\\\aimx\.bin$",

modules/signatures/windows/infostealer_mail.py

@@ -11,7 +11,7 @@ class MailStealer(Signature):
     categories = ["infostealer"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["T1081", "T1003", "T1005"]
+    ttp = ["T1552_001", "T1003", "T1005"]
 
     regkeys_re = [
         ".*\\\\Software\\\\(Wow6432Node\\\\)?IncrediMail"

modules/signatures/windows/injection_explorer.py

@@ -22,7 +22,7 @@ class InjectionExplorer(Signature):
     categories = ["injection"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1055"]
+    ttp = ["T1055_011"]
     references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
 
     filter_apinames = [

modules/signatures/windows/injection_thread.py

@@ -22,7 +22,7 @@ class InjectionCreateRemoteThread(Signature):
     categories = ["injection"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1055"]
+    ttp = ["T1055_005"]
     references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
 
     filter_apinames = [

modules/signatures/windows/javascript_commandline.py

@@ -22,7 +22,7 @@ class JavaScriptCommandline(Signature):
     categories = ["javascript", "persistence", "downloader"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1059"]
+    ttp = ["T1059_007"]
 
     def on_complete(self):
         for cmdline in self.get_command_lines():

modules/signatures/windows/martians.py

@@ -82,7 +82,7 @@ class MartianCommandProcess(Signature):
     categories = ["martian", "exploit", "dropper"]
     authors = ["Cuckoo Technologies", "Will Metcalf", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1059"]
+    ttp = ["T1059_001","T1059_003"]
 
     safelist_procs = [
         "acrord32.exe",

modules/signatures/windows/modifies_seccenter.py

@@ -11,7 +11,7 @@ class ModifySecurityCenterWarnings(Signature):
     categories = ["stealth"]
     authors = ["Kevin Ross", "Optiv"]
     minimum = "2.0"
-    ttp = ["T1031", "T1089"]
+    ttp = ["T1543_003", "T1562_001"]
 
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\.*",

modules/signatures/windows/modifies_uac_notify.py

@@ -11,7 +11,7 @@ class ModifiesUACNotify(Signature):
     categories = ["stealth"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1088"]
+    ttp = ["T1548_002"]
 
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin",

modules/signatures/windows/modifies_zoneid.py

@@ -23,7 +23,7 @@ class ZoneID(Signature):
     categories = [""]
     authors = ["nex"]
     minimum = "2.0"
-    ttp = ["T1070", "T1096"]
+    ttp = ["T1070", "T1564_004"]
 
     filter_apinames = "NtCreateFile", "NtWriteFile"
 

modules/signatures/windows/multiple_ua.py

@@ -23,7 +23,7 @@ class Multiple_UA(Signature):
     authors = ["KillerInstinct"]
     minimum = "2.0"
     evented = True
-    ttp = ["T1071"]
+    ttp = ["T1071_001"]
 
     def __init__(self, *args, **kwargs):
         Signature.__init__(self, *args, **kwargs)