From 7ede62fbadda3fcf7379b65bb7b8d4f256558d05 Mon Sep 17 00:00:00 2001 
From: Andrew Sillers
Date: Wed, 11 Mar 2020 15:47:19 -0400
Subject: [PATCH 01/12] Update signatures to use MBC TTPs

---
 .../android/android_dangerous_permissions.py | 1 +
 .../signatures/android/android_dynamic_code.py | 1 +
 modules/signatures/android/android_native_code.py | 1 +
 .../signatures/android/android_reflection_code.py | 1 +
 .../signatures/android/application_deleted_app.py | 1 +
 .../android/application_executed_shell_command.py | 1 +
 .../android/application_installed_app.py | 1 +
 .../android/application_queried_account_info.py | 1 +
 .../android/application_queried_installed_apps.py | 1 +
 .../android/application_queried_phone_number.py | 1 +
 .../application_queried_private_information.py | 1 +
 .../android/application_recording_audio.py | 1 +
 .../application_registered_receiver_runtime.py | 1 +
 .../android/application_sent_sms_messages.py | 1 +
 .../android/application_stopped_processes.py | 1 +
 .../android/application_uses_location.py | 1 +
 .../android/application_using_the_camera.py | 1 +
 modules/signatures/cross/js_suspicious.py | 2 ++
 modules/signatures/darwin/code_injection.py | 1 +
 modules/signatures/darwin/task_for_pid.py | 1 +
 modules/signatures/network/network_cnc_http.py | 1 +
 modules/signatures/network/network_irc.py | 1 +
 modules/signatures/network/p2p_cnc.py | 1 +
 modules/signatures/windows/allocates_rwx.py | 1 +
 .../signatures/windows/antianalysis_detectfile.py | 2 +-
 modules/signatures/windows/antiav_detectfile.py | 2 +-
 modules/signatures/windows/antiav_servicestop.py | 2 +-
 modules/signatures/windows/antiav_srp.py | 2 +-
 .../signatures/windows/antidbg_debuggercheck.py | 2 ++
 modules/signatures/windows/antidbg_devices.py | 2 +-
 modules/signatures/windows/antidbg_windows.py | 2 +-
 modules/signatures/windows/antiemu_wine.py | 2 +-
 .../signatures/windows/antisandbox_clipboard.py | 2 +-
 .../windows/antisandbox_cuckoo_files.py | 2 +-
 modules/signatures/windows/antisandbox_file.py | 1 +
 .../signatures/windows/antisandbox_forehwnd.py | 1 +
 .../windows/antisandbox_fortinet_files.py | 2 +-
 .../signatures/windows/antisandbox_idletime.py | 2 +-
 .../windows/antisandbox_joe_anubis_files.py | 2 +-
 .../signatures/windows/antisandbox_mouse_hook.py | 1 +
 modules/signatures/windows/antisandbox_restart.py | 1 +
 modules/signatures/windows/antisandbox_sleep.py | 1 +
 modules/signatures/windows/antisandbox_sunbelt.py | 2 +-
 .../windows/antisandbox_sunbelt_files.py | 2 +-
 .../windows/antisandbox_threattrack_files.py | 2 +-
 modules/signatures/windows/antisandbox_unhook.py | 2 +-
 modules/signatures/windows/antivm_bochs_keys.py | 4 ++--
 modules/signatures/windows/antivm_computername.py | 1 +
 modules/signatures/windows/antivm_disksize.py | 1 +
 modules/signatures/windows/antivm_generic_bios.py | 1 +
 modules/signatures/windows/antivm_generic_cpu.py | 2 +-
 modules/signatures/windows/antivm_generic_disk.py | 1 +
 .../signatures/windows/antivm_generic_firmware.py | 1 +
 modules/signatures/windows/antivm_generic_ide.py | 2 +-
 modules/signatures/windows/antivm_generic_scsi.py | 2 +-
 .../signatures/windows/antivm_generic_services.py | 2 +-
 modules/signatures/windows/antivm_hyperv_keys.py | 4 ++--
 .../signatures/windows/antivm_memory_available.py | 2 +-
 .../signatures/windows/antivm_network_adapter.py | 1 +
 .../signatures/windows/antivm_parallels_keys.py | 2 +-
 .../signatures/windows/antivm_parallels_window.py | 2 +-
 .../signatures/windows/antivm_psuedo_device.py | 2 +-
 modules/signatures/windows/antivm_sandboxie.py | 2 +-
 modules/signatures/windows/antivm_vbox_acpi.py | 1 +
 modules/signatures/windows/antivm_vbox_devices.py | 1 +
 modules/signatures/windows/antivm_vbox_files.py | 2 +-
 modules/signatures/windows/antivm_vbox_keys.py | 2 +-
 .../signatures/windows/antivm_vbox_provname.py | 1 +
 modules/signatures/windows/antivm_vbox_window.py | 2 +-
 modules/signatures/windows/antivm_virtualpc.py | 1 +
 .../signatures/windows/antivm_virtualpc_magic.py | 1 +
 .../signatures/windows/antivm_virtualpc_window.py | 2 +-
 modules/signatures/windows/antivm_vmware_files.py | 2 +-
 .../signatures/windows/antivm_vmware_in_insn.py | 1 +
 modules/signatures/windows/antivm_vmware_keys.py | 2 +-
 .../signatures/windows/antivm_vmware_window.py | 2 +-
 modules/signatures/windows/antivm_vpc_keys.py | 2 +-
 modules/signatures/windows/antivm_xen_keys.py | 2 +-
 modules/signatures/windows/appinit.py | 2 +-
 modules/signatures/windows/bitcoin_opencl.py | 1 +
 modules/signatures/windows/bootconfig_modify.py | 2 +-
 modules/signatures/windows/bootkit.py | 2 +-
 modules/signatures/windows/browser_bho.py | 1 +
 modules/signatures/windows/browser_startpage.py | 1 +
 modules/signatures/windows/clears_logs.py | 2 +-
 modules/signatures/windows/clickfraud.py | 1 +
 modules/signatures/windows/cloud_dropbox.py | 1 +
 modules/signatures/windows/cloud_google.py | 1 +
 modules/signatures/windows/cloud_mediafire.py | 1 +
 modules/signatures/windows/cloud_mega.py | 1 +
 modules/signatures/windows/cloud_rapidshare.py | 1 +
 modules/signatures/windows/cloud_wetransfer.py | 1 +
 modules/signatures/windows/creates_exe.py | 4 ++--
 modules/signatures/windows/creates_service.py | 2 +-
 modules/signatures/windows/credential_dump.py | 2 ++
 modules/signatures/windows/deletes_executed.py | 2 +-
 modules/signatures/windows/disables_app.py | 2 +-
 .../signatures/windows/disables_browserwarn.py | 2 +-
 modules/signatures/windows/disables_security.py | 2 +-
 modules/signatures/windows/disables_sysrestore.py | 2 +-
 modules/signatures/windows/disables_wer.py | 2 +-
 .../signatures/windows/disables_windowsupdate.py | 2 +-
 modules/signatures/windows/dropper.py | 4 ++--
 modules/signatures/windows/emoves_zoneid_ads.py | 2 +-
 modules/signatures/windows/exec_bitsadmin.py | 2 +-
 modules/signatures/windows/exec_waitfor.py | 1 +
 modules/signatures/windows/exploitation.py | 1 +
 modules/signatures/windows/has_authenticode.py | 1 +
 modules/signatures/windows/im_bittorrent_bleep.py | 1 +
 modules/signatures/windows/im_qq.py | 1 +
 modules/signatures/windows/infostealer_bitcoin.py | 3 ++-
 modules/signatures/windows/infostealer_browser.py | 2 +-
 .../windows/infostealer_browser_modifications.py | 10 +++++-----
 modules/signatures/windows/infostealer_ftp.py | 2 +-
 modules/signatures/windows/infostealer_im.py | 2 +-
 .../signatures/windows/infostealer_keylogger.py | 1 +
 modules/signatures/windows/infostealer_mail.py | 2 +-
 modules/signatures/windows/injection_explorer.py | 2 +-
 .../signatures/windows/injection_memorymodify.py | 1 +
 modules/signatures/windows/injection_runpe.py | 1 +
 modules/signatures/windows/injection_thread.py | 6 ++++--
 .../signatures/windows/injection_writememory.py | 2 ++
 .../signatures/windows/javascript_commandline.py | 2 +-
 modules/signatures/windows/locates_browser.py | 3 ++-
 modules/signatures/windows/locates_sniffer.py | 1 +
 modules/signatures/windows/maldoc.py | 1 +
 modules/signatures/windows/martians.py | 2 +-
 modules/signatures/windows/memdump_urls.py | 1 +
 modules/signatures/windows/mining.py | 1 +
 modules/signatures/windows/modifies_proxies.py | 8 ++++----
 modules/signatures/windows/modifies_seccenter.py | 2 +-
 modules/signatures/windows/modifies_wallpaper.py | 1 +
 .../signatures/windows/network_service_mirc.py | 1 +
 modules/signatures/windows/office.py | 15 +++++++++------
 modules/signatures/windows/packer_entropy.py | 2 +-
 modules/signatures/windows/packer_polymorphic.py | 2 +-
 modules/signatures/windows/packer_upx.py | 2 +-
 modules/signatures/windows/packer_vmprotect.py | 2 +-
 modules/signatures/windows/payload_download.py | 4 ++--
 modules/signatures/windows/pe_features.py | 6 +++---
 modules/signatures/windows/persistence_autorun.py | 2 +-
 .../signatures/windows/persistence_bootexecute.py | 2 +-
 .../windows/persistence_registry_fileless.py | 2 +-
 modules/signatures/windows/powershell.py | 11 ++++++-----
 modules/signatures/windows/powershell_reg.py | 2 +-
 modules/signatures/windows/ransomware_bcdedit.py | 2 +-
 .../windows/ransomware_fileextensions.py | 1 +
 .../windows/ransomware_filemodications.py | 4 ++++
 modules/signatures/windows/ransomware_files.py | 1 +
 modules/signatures/windows/ransomware_message.py | 2 ++
 .../signatures/windows/ransomware_recyclebin.py | 1 +
 .../signatures/windows/ransomware_shadowcopy.py | 1 +
 modules/signatures/windows/ransomware_wbadmin.py | 1 +
 modules/signatures/windows/reads_user_agent.py | 2 +-
 modules/signatures/windows/recon_checkip.py | 1 +
 modules/signatures/windows/recon_fingerprint.py | 1 +
 modules/signatures/windows/recon_programs.py | 4 ++--
 modules/signatures/windows/recon_systeminfo.py | 1 +
 modules/signatures/windows/self_delete_bat.py | 2 +-
 modules/signatures/windows/shellcode.py | 1 +
 modules/signatures/windows/sniffer_winpcap.py | 1 +
 modules/signatures/windows/stealth_childproc.py | 1 +
 .../signatures/windows/stealth_hiddenextension.py | 2 +-
 modules/signatures/windows/stealth_hiddenfile.py | 2 +-
 modules/signatures/windows/stealth_hiddenicons.py | 2 +-
 .../windows/stealth_hidenotifications.py | 2 +-
 modules/signatures/windows/stops_service.py | 2 +-
 modules/signatures/windows/volatility_sig.py | 10 +++++-----
 modules/signatures/windows/wmi.py | 2 +-
 169 files changed, 214 insertions(+), 117 deletions(-)

diff --git a/modules/signatures/android/android_dangerous_permissions.py b/modules/signatures/android/android_dangerous_permissions.py
index 4ac2d2f6e..d734f86dd 100644
--- a/modules/signatures/android/android_dangerous_permissions.py
+++ b/modules/signatures/android/android_dangerous_permissions.py
@@ -11,6 +11,7 @@ class AndroidDangerousPermissions(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["E1478"]
 def on_complete(self):
 manifest = self.get_results("apkinfo", {}).get("manifest", {})
diff --git a/modules/signatures/android/android_dynamic_code.py b/modules/signatures/android/android_dynamic_code.py
index 111ba724f..a6702be03 100644
--- a/modules/signatures/android/android_dynamic_code.py
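Review bot: The new `ttp` attribute mixes identifier namespaces in one list without recording which taxonomy each prefix belongs to — this hunk adds the MBC-style `E1478`, the application_executed_shell_command hunk adds the ATT&CK technique `T1059`, and the network_cnc_http hunk puts `T1071` and `M0030` side by side. Any consumer of `Signature.ttp` that assumes ATT&CK (for example to build a technique link or look up a description for a report) will mishandle the `E`/`M` entries; that consumer is not in this patch, so whether it is prefix-aware cannot be confirmed here. I would document the convention once where the attribute is declared (the Signature base class, outside this patch), e.g. `# ttp: MITRE ATT&CK technique IDs (T…) and Malware Behavior Catalog IDs (E…/M…)`, and have the signature loader reject entries matching neither prefix so a typo in one of these 169 files surfaces at load time rather than as a silently wrong tag in a report.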
+++ b/modules/signatures/android/android_dynamic_code.py
@@ -11,6 +11,7 @@ class AndroidDynamicCode(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["E1129"]
 def on_complete(self):
 if self.get_apkinfo("static_method_calls").get("is_dynamic_code"):
diff --git a/modules/signatures/android/android_native_code.py b/modules/signatures/android/android_native_code.py
index 45ec3d5ae..7d61772a7 100644
--- a/modules/signatures/android/android_native_code.py
+++ b/modules/signatures/android/android_native_code.py
@@ -11,6 +11,7 @@ class AndroidNativeCode(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["E1203"]
 def on_complete(self):
 if self.get_apkinfo("static_method_calls").get("is_native_code"):
diff --git a/modules/signatures/android/android_reflection_code.py b/modules/signatures/android/android_reflection_code.py
index 14df01a04..64c73fb81 100644
--- a/modules/signatures/android/android_reflection_code.py
+++ b/modules/signatures/android/android_reflection_code.py
@@ -11,6 +11,7 @@ class AndroidReflectionCode(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["M0032"]
 def on_complete(self):
 if self.get_apkinfo("static_method_calls").get("is_reflection_code"):
diff --git a/modules/signatures/android/application_deleted_app.py b/modules/signatures/android/application_deleted_app.py
index d1a91460a..febeecc05 100644
--- a/modules/signatures/android/application_deleted_app.py
+++ b/modules/signatures/android/application_deleted_app.py
@@ -11,6 +11,7 @@ class AndroidDeletedApp(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["E1485"]
 def on_complete(self):
 if "android/app/ApplicationPackageManager->deletePackage" in self.get_droidmon():
diff --git a/modules/signatures/android/application_executed_shell_command.py b/modules/signatures/android/application_executed_shell_command.py
index 6775716ef..5cefa78df 100644
--- a/modules/signatures/android/application_executed_shell_command.py
+++ b/modules/signatures/android/application_executed_shell_command.py
@@ -11,6 +11,7 @@ class AndroidShellCommands(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["T1059"]
 def on_complete(self):
 if self.get_droidmon("commands", []):
diff --git a/modules/signatures/android/application_installed_app.py b/modules/signatures/android/application_installed_app.py
index fc19dca96..efee86b0d 100644
--- a/modules/signatures/android/application_installed_app.py
+++ b/modules/signatures/android/application_installed_app.py
@@ -11,6 +11,7 @@ class AndroidInstalledApps(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["M0023"]
 def on_complete(self):
 if "android/app/ApplicationPackageManager->installPackage" in self.get_droidmon():
diff --git a/modules/signatures/android/application_queried_account_info.py b/modules/signatures/android/application_queried_account_info.py
index 00acb7968..0c5fae662 100644
--- a/modules/signatures/android/application_queried_account_info.py
+++ b/modules/signatures/android/application_queried_account_info.py
@@ -11,6 +11,7 @@ class AndroidAccountInfo(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["T1087"]
 def on_complete(self):
 if "getAccounts" in self.get_droidmon("data_leak"):
diff --git a/modules/signatures/android/application_queried_installed_apps.py b/modules/signatures/android/application_queried_installed_apps.py
index 52d58c2a2..1d1b5ab77 100644
--- a/modules/signatures/android/application_queried_installed_apps.py
+++ b/modules/signatures/android/application_queried_installed_apps.py
@@ -11,6 +11,7 @@ class AndroidAppInfo(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["T1518"]
 def on_complete(self):
 if "getInstalledPackages" in self.get_droidmon("data_leak"):
diff --git a/modules/signatures/android/application_queried_phone_number.py b/modules/signatures/android/application_queried_phone_number.py
index 0700c3abe..428a8cb6f 100644
--- a/modules/signatures/android/application_queried_phone_number.py
+++ b/modules/signatures/android/application_queried_phone_number.py
@@ -11,6 +11,7 @@ class AndroidPhoneNumber(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["T1082"]
 def on_complete(self):
 if "getLine1Number" in self.get_droidmon("fingerprint"):
diff --git a/modules/signatures/android/application_queried_private_information.py b/modules/signatures/android/application_queried_private_information.py
index 13302246e..d40138321 100644
--- a/modules/signatures/android/application_queried_private_information.py
+++ b/modules/signatures/android/application_queried_private_information.py
@@ -11,6 +11,7 @@ class AndroidPrivateInfoQuery(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["T1409"]
 def on_complete(self):
 if "ContentResolver_queries" in self.get_droidmon():
diff --git a/modules/signatures/android/application_recording_audio.py b/modules/signatures/android/application_recording_audio.py
index 4f7a4c576..710d76542 100644
--- a/modules/signatures/android/application_recording_audio.py
+++ b/modules/signatures/android/application_recording_audio.py
@@ -11,6 +11,7 @@ class AndroidAudio(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["T1123"]
 def on_complete(self):
 if "mediaRecorder" in self.get_droidmon("events"):
diff --git a/modules/signatures/android/application_registered_receiver_runtime.py b/modules/signatures/android/application_registered_receiver_runtime.py
index 153475e2d..e1e352ec9 100644
--- a/modules/signatures/android/application_registered_receiver_runtime.py
+++ b/modules/signatures/android/application_registered_receiver_runtime.py
@@ -11,6 +11,7 @@ class AndroidRegisteredReceiver(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["E1203"]
 def on_complete(self):
 if "registered_receivers" in self.get_droidmon():
diff --git a/modules/signatures/android/application_sent_sms_messages.py b/modules/signatures/android/application_sent_sms_messages.py
index 09abc6217..ffe5b6d1f 100644
--- a/modules/signatures/android/application_sent_sms_messages.py
+++ b/modules/signatures/android/application_sent_sms_messages.py
@@ -11,6 +11,7 @@ class AndroidSMS(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["E1472"]
 def on_complete(self):
 if "sms" in self.get_droidmon():
diff --git a/modules/signatures/android/application_stopped_processes.py b/modules/signatures/android/application_stopped_processes.py
index b683ec626..4f8bec601 100644
--- a/modules/signatures/android/application_stopped_processes.py
+++ b/modules/signatures/android/application_stopped_processes.py
@@ -11,6 +11,7 @@ class AndroidStopProcess(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["T1489"]
 def on_complete(self):
 if "killed_process" in self.get_droidmon():
diff --git a/modules/signatures/android/application_uses_location.py b/modules/signatures/android/application_uses_location.py
index f42e074c2..24f35735a 100644
--- a/modules/signatures/android/application_uses_location.py
+++ b/modules/signatures/android/application_uses_location.py
@@ -11,6 +11,7 @@ class ApplicationUsesLocation(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["T1430"]
 def on_complete(self):
 if "location" in self.get_droidmon("data_leak"):
diff --git a/modules/signatures/android/application_using_the_camera.py b/modules/signatures/android/application_using_the_camera.py
index 08f6c5b24..1781ea62e 100644
--- a/modules/signatures/android/application_using_the_camera.py
+++ b/modules/signatures/android/application_using_the_camera.py
@@ -11,6 +11,7 @@ class AndroidCamera(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
+ ttp = ["T1429"]
 def on_complete(self):
 if "camera" in self.get_droidmon("events"):
diff --git a/modules/signatures/cross/js_suspicious.py b/modules/signatures/cross/js_suspicious.py
index 4516e28e3..a11a8e5bd 100644
--- a/modules/signatures/cross/js_suspicious.py
+++ b/modules/signatures/cross/js_suspicious.py
@@ -13,6 +13,7 @@ class SuspiciousJavascript(Signature):
 categories = ["unpacking"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1064"]
 filter_apinames = "COleScript_Compile",
@@ -40,6 +41,7 @@ class AntiAnalysisJavascript(Signature):
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
 on_call_dispatch = True
+ ttp = ["M0013", "M0001"]
 filter_apinames = "ActiveXObjectFncObj_Construct", "CImgElement_put_src"
diff --git a/modules/signatures/darwin/code_injection.py b/modules/signatures/darwin/code_injection.py
index 9f7b64977..d6cd6c686 100644
--- a/modules/signatures/darwin/code_injection.py
+++ b/modules/signatures/darwin/code_injection.py
@@ -15,6 +15,7 @@ class DarwinCodeInjection(Signature):
 categories = ["injection"]
 authors = ["rodionovd"]
 minimum = "2.0"
+ ttp = ["E1055"]
 filter_apinames = [ "task_for_pid",
diff --git a/modules/signatures/darwin/task_for_pid.py b/modules/signatures/darwin/task_for_pid.py
index 224d68423..3d5af86b5 100644
--- a/modules/signatures/darwin/task_for_pid.py
+++ b/modules/signatures/darwin/task_for_pid.py
@@ -14,6 +14,7 @@ class TaskForPid(Signature):
 categories = ["injection"]
 authors = ["rodionovd"]
 minimum = "2.0"
+ ttp = ["T1057"]
 filter_apinames = ["task_for_pid"]
diff --git a/modules/signatures/network/network_cnc_http.py b/modules/signatures/network/network_cnc_http.py
index 134f54e8c..a8efcc39a 100644
--- a/modules/signatures/network/network_cnc_http.py
+++ b/modules/signatures/network/network_cnc_http.py
@@ -27,6 +27,7 @@ class NetworkHTTPPOST(Signature):
 categories = ["http", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1071", "M0030"]
 filter_analysistypes = set(["file"])
diff --git a/modules/signatures/network/network_irc.py b/modules/signatures/network/network_irc.py
index e6d0e24bd..b4d8fba68 100644
--- a/modules/signatures/network/network_irc.py
+++ b/modules/signatures/network/network_irc.py
@@ -22,6 +22,7 @@ class NetworkIRC(Signature):
 categories = ["irc"]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["T1102"]
 def on_complete(self):
 if self.get_net_irc():
diff --git a/modules/signatures/network/p2p_cnc.py b/modules/signatures/network/p2p_cnc.py
index 66caf5a3e..75437a8ca 100644
--- a/modules/signatures/network/p2p_cnc.py
+++ b/modules/signatures/network/p2p_cnc.py
@@ -22,6 +22,7 @@ class P2PCnC(Signature):
 categories = ["p2p", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["T1094"]
 filter_analysistypes = set(["file"])
diff --git a/modules/signatures/windows/allocates_rwx.py b/modules/signatures/windows/allocates_rwx.py
index d9a6a255e..84e943082 100644
--- a/modules/signatures/windows/allocates_rwx.py
+++ b/modules/signatures/windows/allocates_rwx.py
@@ -11,6 +11,7 @@ class AllocatesRWX(Signature):
 categories = ["unpacking"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["E1055"]
 filter_apinames = ( "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
diff --git a/modules/signatures/windows/antianalysis_detectfile.py b/modules/signatures/windows/antianalysis_detectfile.py
index 60dadeadd..a1da72c37 100644
--- a/modules/signatures/windows/antianalysis_detectfile.py
+++ b/modules/signatures/windows/antianalysis_detectfile.py
@@ -11,7 +11,7 @@ class AntiAnalysisDetectFile(Signature):
 categories = ["anti-analysis"]
 authors = ["KillerInstinct"]
 minimum = "2.0"
- ttp = ["T1063"]
+ ttp = ["M0013"]
 file_indicators = [ "[A-Za-z]:\\\\analysis",
diff --git a/modules/signatures/windows/antiav_detectfile.py b/modules/signatures/windows/antiav_detectfile.py
index 54a6c7fdd..369a74a0f 100644
--- a/modules/signatures/windows/antiav_detectfile.py
+++ b/modules/signatures/windows/antiav_detectfile.py
@@ -15,7 +15,7 @@ class AntiAVDetectFile(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1063"]
+ ttp = ["T1063", "T1083"]
 file_indicators = [ ".*\\\\AVAST\\ Software",
diff --git a/modules/signatures/windows/antiav_servicestop.py b/modules/signatures/windows/antiav_servicestop.py
index da1a45695..d1787772a 100644
--- a/modules/signatures/windows/antiav_servicestop.py
+++ b/modules/signatures/windows/antiav_servicestop.py
@@ -16,7 +16,7 @@ class AntiAVServiceStop(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1031", "T1089"]
+ ttp = ["E1089"]
 evented = True
 def __init__(self, *args, **kwargs):
diff --git a/modules/signatures/windows/antiav_srp.py b/modules/signatures/windows/antiav_srp.py
index f7256ae57..1720fb2af 100644
--- a/modules/signatures/windows/antiav_srp.py
+++ b/modules/signatures/windows/antiav_srp.py
@@ -11,7 +11,7 @@ class AntiAVSRP(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1089"]
+ ttp = ["E1089", "E1478"]
 regkeys_re = [ ".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*",
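Review bot: This hunk replaces the ATT&CK tag `T1063` with `M0013` outright, while the very next hunk (antiav_detectfile) keeps `T1063` and adds `T1083`, and the antivm_* hunks keep `T1012` beside the new `M0009`. The same drop happens in antiav_servicestop (`T1031` and `T1089` become just `E1089` — `E1089` looks like the MBC form of the same technique, so that part may be intended, but `T1031` gets no replacement) and in antidbg_devices, antisandbox_cuckoo_files, antisandbox_fortinet_files, antisandbox_joe_anubis_files, antisandbox_sunbelt, antisandbox_sunbelt_files and antisandbox_threattrack_files, where `["T1083", "T1057"]` is removed entirely. After this patch some signatures carry both taxonomies and others only MBC, so any report view, filter or detection-coverage matrix keyed on ATT&CK technique IDs silently stops counting the MBC-only signatures. If the intent is to add MBC alongside ATT&CK, the dropped IDs should be retained, e.g. `ttp = ["T1063", "M0013"]` here; if the intent is to replace ATT&CK with MBC, the retained `T…` entries are leftovers and the commit message should state which convention applies.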
diff --git a/modules/signatures/windows/antidbg_debuggercheck.py b/modules/signatures/windows/antidbg_debuggercheck.py
index f7ffdadfd..1ce92c4df 100644
--- a/modules/signatures/windows/antidbg_debuggercheck.py
+++ b/modules/signatures/windows/antidbg_debuggercheck.py
@@ -23,6 +23,7 @@ class ChecksDebugger(Signature):
 categories = ["anti-debug"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["M0001"]
 filter_apinames = [ "CheckRemoteDebuggerPresent",
@@ -42,6 +43,7 @@ class ChecksKernelDebugger(Signature):
 categories = ["anti-debug"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["M0001"]
 filter_apinames = [ "SystemKernelDebuggerInformation",
diff --git a/modules/signatures/windows/antidbg_devices.py b/modules/signatures/windows/antidbg_devices.py
index 567a57290..1b62a286e 100644
--- a/modules/signatures/windows/antidbg_devices.py
+++ b/modules/signatures/windows/antidbg_devices.py
@@ -22,7 +22,7 @@ class AntiDBGDevices(Signature):
 categories = ["anti-debug"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["T1083", "T1057"]
+ ttp = ["M0001", "M0013"]
 indicators = [ ".*SICE$",
diff --git a/modules/signatures/windows/antidbg_windows.py b/modules/signatures/windows/antidbg_windows.py
index 3dbef1548..ef0c34cc2 100644
--- a/modules/signatures/windows/antidbg_windows.py
+++ b/modules/signatures/windows/antidbg_windows.py
@@ -22,7 +22,7 @@ class AntiDBGWindows(Signature):
 categories = ["anti-debug"]
 authors = ["nex", "KillerInstinct", "Brad Spengler"]
 minimum = "2.0"
- ttp = ["T1057"]
+ ttp = ["M0013"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antiemu_wine.py b/modules/signatures/windows/antiemu_wine.py
index 08e55b864..d4818b9e6 100644
--- a/modules/signatures/windows/antiemu_wine.py
+++ b/modules/signatures/windows/antiemu_wine.py
@@ -22,7 +22,7 @@ class WineDetect(Signature):
 categories = ["anti-emulation"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["T1057"]
+ ttp = ["M0004"]
 filter_apinames = "LdrGetProcedureAddress",
diff --git a/modules/signatures/windows/antisandbox_clipboard.py b/modules/signatures/windows/antisandbox_clipboard.py
index 00a25d88f..67d144c18 100644
--- a/modules/signatures/windows/antisandbox_clipboard.py
+++ b/modules/signatures/windows/antisandbox_clipboard.py
@@ -22,7 +22,7 @@ class AntisandboxClipboard(Signature):
 categories = ["anti-sandbox"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1115"]
+ ttp = ["M0007"]
 filter_apinames = set(["GetClipboardData"])
diff --git a/modules/signatures/windows/antisandbox_cuckoo_files.py b/modules/signatures/windows/antisandbox_cuckoo_files.py
index c907f7505..17517192d 100644
--- a/modules/signatures/windows/antisandbox_cuckoo_files.py
+++ b/modules/signatures/windows/antisandbox_cuckoo_files.py
@@ -22,7 +22,7 @@ class CuckooDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["T1083", "T1057"]
+ ttp = ["M0007"]
 file_indicators = [ ".*\\\\agent\\.py$",
diff --git a/modules/signatures/windows/antisandbox_file.py b/modules/signatures/windows/antisandbox_file.py
index 59a7114af..cc1e0cd92 100644
--- a/modules/signatures/windows/antisandbox_file.py
+++ b/modules/signatures/windows/antisandbox_file.py
@@ -11,6 +11,7 @@ class AntiSandboxFile(Signature):
 categories = ["anti-sandbox"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["M0007"]
 files_re = [ "[a-zA-Z]:\\\\sample\\.exe",
diff --git a/modules/signatures/windows/antisandbox_forehwnd.py b/modules/signatures/windows/antisandbox_forehwnd.py
index dd8e1ab2c..037b45c95 100644
--- a/modules/signatures/windows/antisandbox_forehwnd.py
+++ b/modules/signatures/windows/antisandbox_forehwnd.py
@@ -20,6 +20,7 @@ class AntiSandboxForegroundWindow(Signature):
 severity = 2
 categories = ["anti-sandbox"]
 minimum = "2.0"
+ ttp = ["M0007"]
 references = [ "https://www.virusbtn.com/virusbulletin/archive/2015/09/vb201509-custom-packer.dkb",
diff --git a/modules/signatures/windows/antisandbox_fortinet_files.py b/modules/signatures/windows/antisandbox_fortinet_files.py
index bd4c27fa8..f7c8590c4 100644
--- a/modules/signatures/windows/antisandbox_fortinet_files.py
+++ b/modules/signatures/windows/antisandbox_fortinet_files.py
@@ -22,7 +22,7 @@ class FortinetDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["T1083", "T1057"]
+ ttp = ["M0007"]
 files_re = [ "C:\\\\tracer\\\\mdare32_0\\.sys",
diff --git a/modules/signatures/windows/antisandbox_idletime.py b/modules/signatures/windows/antisandbox_idletime.py
index f0e2421d4..80045495b 100644
--- a/modules/signatures/windows/antisandbox_idletime.py
+++ b/modules/signatures/windows/antisandbox_idletime.py
@@ -11,7 +11,7 @@ class AntiSandboxIdleTime(Signature):
 categories = ["anti-sandbox"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1082"]
+ ttp = ["M0003"]
 filter_apinames = "NtQuerySystemInformation",
diff --git a/modules/signatures/windows/antisandbox_joe_anubis_files.py b/modules/signatures/windows/antisandbox_joe_anubis_files.py
index dc77a2c9a..b356382ff 100644
--- a/modules/signatures/windows/antisandbox_joe_anubis_files.py
+++ b/modules/signatures/windows/antisandbox_joe_anubis_files.py
@@ -22,7 +22,7 @@ class SandboxJoeAnubisDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1083", "T1057"]
+ ttp = ["M0007"]
 file_indicators = [ "C:\\\\sample\\.exe",
diff --git a/modules/signatures/windows/antisandbox_mouse_hook.py b/modules/signatures/windows/antisandbox_mouse_hook.py
index 8d5fd0964..2509efcc3 100644
--- a/modules/signatures/windows/antisandbox_mouse_hook.py
+++ b/modules/signatures/windows/antisandbox_mouse_hook.py
@@ -22,6 +22,7 @@ class HookMouse(Signature):
 categories = ["hooking", "anti-sandbox"]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["M0007", "E1179"]
 filter_apinames = "SetWindowsHookExA", "SetWindowsHookExW"
diff --git a/modules/signatures/windows/antisandbox_restart.py b/modules/signatures/windows/antisandbox_restart.py
index cd2f7db43..2a94ce0d3 100644
--- a/modules/signatures/windows/antisandbox_restart.py
+++ b/modules/signatures/windows/antisandbox_restart.py
@@ -12,6 +12,7 @@ class AntiSandboxRestart(Signature):
 categories = ["anti-sandbox"]
 authors = ["Cuckoo Technologies", "Brad Spengler"]
 minimum = "2.0"
+ ttp = ["M0003"]
 filter_apinames = ( "InitiateSystemShutdownExW", "InitiateSystemShutdownExA",
diff --git a/modules/signatures/windows/antisandbox_sleep.py b/modules/signatures/windows/antisandbox_sleep.py
index f7a8d402e..cc5757a8b 100644
--- a/modules/signatures/windows/antisandbox_sleep.py
+++ b/modules/signatures/windows/antisandbox_sleep.py
@@ -22,6 +22,7 @@ class AntiSandboxSleep(Signature):
 categories = ["anti-sandbox"]
 authors = ["KillerInstinct"]
 minimum = "2.0"
+ ttp = ["M0003"]
 filter_apinames = "NtDelayExecution",
diff --git a/modules/signatures/windows/antisandbox_sunbelt.py b/modules/signatures/windows/antisandbox_sunbelt.py
index b0050df10..538011ef7 100644
--- a/modules/signatures/windows/antisandbox_sunbelt.py
+++ b/modules/signatures/windows/antisandbox_sunbelt.py
@@ -11,7 +11,7 @@ class SunBeltSandboxDetect(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1083", "T1057"]
+ ttp = ["M0007"]
 dlls_re = [ ".*api_log(\\.dll)?$",
diff --git a/modules/signatures/windows/antisandbox_sunbelt_files.py b/modules/signatures/windows/antisandbox_sunbelt_files.py
index 152b49d5d..e2af95b57 100644
--- a/modules/signatures/windows/antisandbox_sunbelt_files.py
+++ b/modules/signatures/windows/antisandbox_sunbelt_files.py
@@ -22,7 +22,7 @@ class SunbeltDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1083", "T1057"]
+ ttp = ["M0007"]
 file_indicators = [ ".*\\\\SandboxStarter\\.exe$",
diff --git a/modules/signatures/windows/antisandbox_threattrack_files.py b/modules/signatures/windows/antisandbox_threattrack_files.py
index d6ec58c80..14085d24e 100644
--- a/modules/signatures/windows/antisandbox_threattrack_files.py
+++ b/modules/signatures/windows/antisandbox_threattrack_files.py
@@ -22,7 +22,7 @@ class ThreatTrackDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["T1083", "T1057"]
+ ttp = ["M0007"]
 files_re = [ "C:\\\\cwsandbox",
diff --git a/modules/signatures/windows/antisandbox_unhook.py b/modules/signatures/windows/antisandbox_unhook.py
index 4144c5e66..3dab093ff 100644
--- a/modules/signatures/windows/antisandbox_unhook.py
+++ b/modules/signatures/windows/antisandbox_unhook.py
@@ -22,7 +22,7 @@ class Unhook(Signature):
 categories = ["anti-sandbox"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["T1089"]
+ ttp = ["M0003"]
 filter_apinames = "__anomaly__",
diff --git a/modules/signatures/windows/antivm_bochs_keys.py b/modules/signatures/windows/antivm_bochs_keys.py
index 02153d248..08f7787d2 100644
--- a/modules/signatures/windows/antivm_bochs_keys.py
+++ b/modules/signatures/windows/antivm_bochs_keys.py
@@ -16,13 +16,13 @@ from lib.cuckoo.common.abstracts import Signature
 class BochsDetectKeys(Signature):
- name = "antivm_xen_keys"
+ name = "antivm_bochs_keys"
 description = "Detects Bochs through the presence of a registry key"
 severity = 3
 categories = ["anti-vm"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["T1057", "T1012"]
+ ttp = ["M0009", "T1012"]
 regkeys_re = [ ".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS_.*",
diff --git a/modules/signatures/windows/antivm_computername.py b/modules/signatures/windows/antivm_computername.py
index 269234615..e18739047 100644
--- a/modules/signatures/windows/antivm_computername.py
+++ b/modules/signatures/windows/antivm_computername.py
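Review bot: The antivm_bochs_keys hunk changes the signature's `name` from `antivm_xen_keys` to `antivm_bochs_keys`, which is a behavioral change buried in a patch titled as a TTP update and not mentioned in the subject. The diffstat lists a separate antivm_xen_keys.py, so before this commit two signatures shared the same `name`; any stored results, allowlists or dashboard filters keyed on `antivm_xen_keys` will from now on match only the Xen signature, and historical reports that recorded a Bochs hit under the Xen name cannot be told apart after the fact. I would call this out in the commit message and, if the loader does not already do so, have it fail on duplicate `name` values so the next collision is caught at load time rather than in reporting.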
@@ -22,6 +22,7 @@ class AntiVMComputernameQuery(Signature):
 categories = ["AntiVM"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["M0009", "T1082"]
 filter_apinames = [
 "GetComputerNameA",
diff --git a/modules/signatures/windows/antivm_disksize.py b/modules/signatures/windows/antivm_disksize.py
index b18099327..cccb3dea5 100644
--- a/modules/signatures/windows/antivm_disksize.py
+++ b/modules/signatures/windows/antivm_disksize.py
@@ -23,6 +23,7 @@ class AntiVMDiskSize(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 evented = True
+ ttp = ["M0009"]
 filter_apinames = [
 "GetDiskFreeSpaceA",
diff --git a/modules/signatures/windows/antivm_generic_bios.py b/modules/signatures/windows/antivm_generic_bios.py
index 62a6b2167..a3f836dd1 100644
--- a/modules/signatures/windows/antivm_generic_bios.py
+++ b/modules/signatures/windows/antivm_generic_bios.py
@@ -22,6 +22,7 @@ class AntiVMBios(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["M0009", "T1012"]
 regkeys_re = [
 ".*SystemBiosVersion",
diff --git a/modules/signatures/windows/antivm_generic_cpu.py b/modules/signatures/windows/antivm_generic_cpu.py
index 7021f00ec..6aac61e7c 100644
--- a/modules/signatures/windows/antivm_generic_cpu.py
+++ b/modules/signatures/windows/antivm_generic_cpu.py
@@ -22,7 +22,7 @@ class AntiVMCPU(Signature):
 categories = ["anti-vm"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1082", "T1012"]
+ ttp = ["M0009", "T1012"]
 regkeys_re = [
 ".*\\\\HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\.*\\\\ProcessorNameString",
diff --git a/modules/signatures/windows/antivm_generic_disk.py b/modules/signatures/windows/antivm_generic_disk.py
index 5f134f648..f1a7dca0b 100644
--- a/modules/signatures/windows/antivm_generic_disk.py
+++ b/modules/signatures/windows/antivm_generic_disk.py
@@ -22,6 +22,7 @@ class DiskInformation(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["M0009", "T1012"]
 filter_apinames = [
 "NtCreateFile",
diff --git a/modules/signatures/windows/antivm_generic_firmware.py b/modules/signatures/windows/antivm_generic_firmware.py
index 9ef14e698..044e5420a 100644
--- a/modules/signatures/windows/antivm_generic_firmware.py
+++ b/modules/signatures/windows/antivm_generic_firmware.py
@@ -11,6 +11,7 @@ class VMFirmware(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["M0009"]
 filter_apinames = "NtQuerySystemInformation",
diff --git a/modules/signatures/windows/antivm_generic_ide.py b/modules/signatures/windows/antivm_generic_ide.py
index 4b8d73a0b..243b19ef4 100644
--- a/modules/signatures/windows/antivm_generic_ide.py
+++ b/modules/signatures/windows/antivm_generic_ide.py
@@ -22,7 +22,7 @@ class AntiVMIDE(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["T1057", "T1012"]
+ ttp = ["M0009", "T1012"]
 def on_complete(self):
 for regkey in self.check_key(pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\IDE", regex=True, all=True):
diff --git a/modules/signatures/windows/antivm_generic_scsi.py b/modules/signatures/windows/antivm_generic_scsi.py
index 8894b9fea..a1b37dfb0 100644
--- a/modules/signatures/windows/antivm_generic_scsi.py
+++ b/modules/signatures/windows/antivm_generic_scsi.py
@@ -22,7 +22,7 @@ class AntiVMSCSI(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["T1057", "T1012"]
+ ttp = ["M0009", "T1012"]
 regkeys_re = [
 ".*\\\\HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port \\d+\\\\Scsi Bus \\d+\\\\Target Id \\d+\\\\Logical Unit Id \\d+\\\\Identifier",
diff --git a/modules/signatures/windows/antivm_generic_services.py b/modules/signatures/windows/antivm_generic_services.py
index 30d28d32c..2c4dee4e5 100644
--- a/modules/signatures/windows/antivm_generic_services.py
+++ b/modules/signatures/windows/antivm_generic_services.py
@@ -22,7 +22,7 @@ class AntiVMServices(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["T1007"]
+ ttp = ["M0009", "T1007"]
 filter_apinames = "EnumServicesStatusA", "EnumServicesStatusW"
diff --git a/modules/signatures/windows/antivm_hyperv_keys.py b/modules/signatures/windows/antivm_hyperv_keys.py
index ed32d9953..b849ce101 100644
--- a/modules/signatures/windows/antivm_hyperv_keys.py
+++ b/modules/signatures/windows/antivm_hyperv_keys.py
@@ -22,8 +22,8 @@ class HyperVDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["T1057", "T1012"]
- 
+ ttp = ["M0009", "T1012"]
+ 
 regkeys_re = [
 ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\Hyper_V_Gen_Counter_V1",
 ]
diff --git a/modules/signatures/windows/antivm_memory_available.py b/modules/signatures/windows/antivm_memory_available.py
index df9870dd7..6188d2626 100644
--- a/modules/signatures/windows/antivm_memory_available.py
+++ b/modules/signatures/windows/antivm_memory_available.py
@@ -22,7 +22,7 @@ class MemoryAvailable(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1082"]
+ ttp = ["M0009"]
 filter_apinames = [
 "GlobalMemoryStatusEx", "GetPhysicallyInstalledSystemMemory",
diff --git a/modules/signatures/windows/antivm_network_adapter.py b/modules/signatures/windows/antivm_network_adapter.py
index 5b4520e92..c100741f8 100644
--- a/modules/signatures/windows/antivm_network_adapter.py
+++ b/modules/signatures/windows/antivm_network_adapter.py
@@ -22,6 +22,7 @@ class NetworkAdapters(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["M0009"]
 filter_apinames = set(["GetAdaptersAddresses"])
diff --git a/modules/signatures/windows/antivm_parallels_keys.py b/modules/signatures/windows/antivm_parallels_keys.py
index da3a55904..a999bc23c 100644
--- a/modules/signatures/windows/antivm_parallels_keys.py
+++ b/modules/signatures/windows/antivm_parallels_keys.py
@@ -22,7 +22,7 @@ class ParallelsDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["T1057", "T1012"]
+ ttp = ["M0009", "T1012"]
 regkeys_re = [
 ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_1AB8&DEV_4000&SUBSYS_04001AB8&REV_00",
diff --git a/modules/signatures/windows/antivm_parallels_window.py b/modules/signatures/windows/antivm_parallels_window.py
index ccc3eb10e..bede49429 100644
--- a/modules/signatures/windows/antivm_parallels_window.py
+++ b/modules/signatures/windows/antivm_parallels_window.py
@@ -22,7 +22,7 @@ class ParallelsDetectWindow(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1057"]
+ ttp = ["M0009"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_psuedo_device.py b/modules/signatures/windows/antivm_psuedo_device.py
index eab941247..e37a602b0 100644
--- a/modules/signatures/windows/antivm_psuedo_device.py
+++ b/modules/signatures/windows/antivm_psuedo_device.py
@@ -22,7 +22,7 @@ class AntiVMSharedDevice(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1082"]
+ ttp = ["M0009"]
 filter_apinames = "NtCreateFile",
diff --git a/modules/signatures/windows/antivm_sandboxie.py b/modules/signatures/windows/antivm_sandboxie.py
index 83524ad31..6f93b4032 100644
--- a/modules/signatures/windows/antivm_sandboxie.py
+++ b/modules/signatures/windows/antivm_sandboxie.py
@@ -11,7 +11,7 @@ class SandboxieDetect(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1057"]
+ ttp = ["M0009"]
 mutexes_re = [
 ".*Sandboxie_SingleInstanceMutex_Control",
diff --git a/modules/signatures/windows/antivm_vbox_acpi.py b/modules/signatures/windows/antivm_vbox_acpi.py
index bbf3d4537..537455dec 100644
--- a/modules/signatures/windows/antivm_vbox_acpi.py
+++ b/modules/signatures/windows/antivm_vbox_acpi.py
@@ -22,6 +22,7 @@ class VBoxDetectACPI(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["M0009", "T1012"]
 def on_complete(self):
 for regkey in self.check_key("HARDWARE\\\\ACPI\\\\.*vbox_", regex=True, all=True):
diff --git a/modules/signatures/windows/antivm_vbox_devices.py b/modules/signatures/windows/antivm_vbox_devices.py
index d6243e783..85af8a013 100644
--- a/modules/signatures/windows/antivm_vbox_devices.py
+++ b/modules/signatures/windows/antivm_vbox_devices.py
@@ -22,6 +22,7 @@ class VBoxDetectDevices(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["M0009"]
 # TODO Might as well just do a generic ".*VBox.*" regex?
 indicators = [
diff --git a/modules/signatures/windows/antivm_vbox_files.py b/modules/signatures/windows/antivm_vbox_files.py
index fe88a5723..c6231924d 100644
--- a/modules/signatures/windows/antivm_vbox_files.py
+++ b/modules/signatures/windows/antivm_vbox_files.py
@@ -22,7 +22,7 @@ class VBoxDetectFiles(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["T1083", "T1057"]
+ ttp = ["M0009"]
 indicators = [
 ".*VBoxDisp\\.dll",
diff --git a/modules/signatures/windows/antivm_vbox_keys.py b/modules/signatures/windows/antivm_vbox_keys.py
index f129cb089..1b4ef2924 100644
--- a/modules/signatures/windows/antivm_vbox_keys.py
+++ b/modules/signatures/windows/antivm_vbox_keys.py
@@ -22,7 +22,7 @@ class VBoxDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["nex", "Brad Spengler"]
 minimum = "2.0"
- ttp = ["T1057", "T1012"]
+ ttp = ["M0009", "T1012"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Oracle\\\\VirtualBox\\ Guest\\ Additions",
diff --git a/modules/signatures/windows/antivm_vbox_provname.py b/modules/signatures/windows/antivm_vbox_provname.py
index 88e51a15c..b31c6bedc 100644
--- a/modules/signatures/windows/antivm_vbox_provname.py
+++ b/modules/signatures/windows/antivm_vbox_provname.py
@@ -23,6 +23,7 @@ class VBoxDetectProvname(Signature):
 authors = ["Optiv"]
 minimum = "2.0"
 evented = True
+ ttp = ["M0009"]
 filter_apinames = "WNetGetProviderNameW",
diff --git a/modules/signatures/windows/antivm_vbox_window.py b/modules/signatures/windows/antivm_vbox_window.py
index c52d0d882..916985e17 100644
--- a/modules/signatures/windows/antivm_vbox_window.py
+++ b/modules/signatures/windows/antivm_vbox_window.py
@@ -22,7 +22,7 @@ class VBoxDetectWindow(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["T1057"]
+ ttp = ["M0009"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_virtualpc.py b/modules/signatures/windows/antivm_virtualpc.py
index 86884d3ff..e55c92aa0 100644
--- a/modules/signatures/windows/antivm_virtualpc.py
+++ b/modules/signatures/windows/antivm_virtualpc.py
@@ -11,6 +11,7 @@ class VirtualPCDetect(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["M0009"]
 mutexes_re = [
 ".*MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex",
diff --git a/modules/signatures/windows/antivm_virtualpc_magic.py b/modules/signatures/windows/antivm_virtualpc_magic.py
index b29b0fcc8..4032b03a4 100644
--- a/modules/signatures/windows/antivm_virtualpc_magic.py
+++ b/modules/signatures/windows/antivm_virtualpc_magic.py
@@ -11,6 +11,7 @@ class VirtualPCIllegalInstruction(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["M0009"]
 filter_apinames = "__exception__",
diff --git a/modules/signatures/windows/antivm_virtualpc_window.py b/modules/signatures/windows/antivm_virtualpc_window.py
index f14dfbea8..830df7d5b 100644
--- a/modules/signatures/windows/antivm_virtualpc_window.py
+++ b/modules/signatures/windows/antivm_virtualpc_window.py
@@ -22,7 +22,7 @@ class VirtualPCDetectWindow(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1057"]
+ ttp = ["M0009"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_vmware_files.py b/modules/signatures/windows/antivm_vmware_files.py
index 7ddad0548..e0265899e 100644
--- a/modules/signatures/windows/antivm_vmware_files.py
+++ b/modules/signatures/windows/antivm_vmware_files.py
@@ -11,7 +11,7 @@ class VMWareDetectFiles(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1083", "T1057"]
+ ttp = ["M0009"]
 files_re = [
 ".*vmmouse\\.sys",
diff --git a/modules/signatures/windows/antivm_vmware_in_insn.py b/modules/signatures/windows/antivm_vmware_in_insn.py
index df9ab5ba2..b2cc477da 100644
--- a/modules/signatures/windows/antivm_vmware_in_insn.py
+++ b/modules/signatures/windows/antivm_vmware_in_insn.py
@@ -11,6 +11,7 @@ class VMWareInInstruction(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["M0009"]
 filter_apinames = "__exception__",
diff --git a/modules/signatures/windows/antivm_vmware_keys.py b/modules/signatures/windows/antivm_vmware_keys.py
index 5bfa55f3f..2c03c4a92 100644
--- a/modules/signatures/windows/antivm_vmware_keys.py
+++ b/modules/signatures/windows/antivm_vmware_keys.py
@@ -21,7 +21,7 @@ class VMWareDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies", "Optiv"]
 minimum = "2.0"
- ttp = ["T1057", "T1012"]
+ ttp = ["M0009", "T1012"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?VMWare,\\ Inc\..*",
diff --git a/modules/signatures/windows/antivm_vmware_window.py b/modules/signatures/windows/antivm_vmware_window.py
index 61115757d..98c1a213e 100644
--- a/modules/signatures/windows/antivm_vmware_window.py
+++ b/modules/signatures/windows/antivm_vmware_window.py
@@ -22,7 +22,7 @@ class VMwareDetectWindow(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1057"]
+ ttp = ["M0009"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_vpc_keys.py b/modules/signatures/windows/antivm_vpc_keys.py
index ab229e84e..4f6c7c10b 100644
--- a/modules/signatures/windows/antivm_vpc_keys.py
+++ b/modules/signatures/windows/antivm_vpc_keys.py
@@ -22,7 +22,7 @@ class VPCDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1057", "T1012"]
+ ttp = ["M0009", "T1012"]
 regkeys_re = [
 ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00",
diff --git a/modules/signatures/windows/antivm_xen_keys.py b/modules/signatures/windows/antivm_xen_keys.py
index 548bec659..5a19623d7 100644
--- a/modules/signatures/windows/antivm_xen_keys.py
+++ b/modules/signatures/windows/antivm_xen_keys.py
@@ -22,7 +22,7 @@ class XenDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["T1057", "T1012"]
+ ttp = ["M0009", "T1012"]
 regkeys_re = [
 ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\XEN0000.*",
diff --git a/modules/signatures/windows/appinit.py b/modules/signatures/windows/appinit.py
index df2f6e144..925117789 100644
--- a/modules/signatures/windows/appinit.py
+++ b/modules/signatures/windows/appinit.py
@@ -11,7 +11,7 @@ class InstallsAppInit(Signature):
 categories = ["persistence"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1103"]
+ ttp = ["E1112", "T1103"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\Appinit_Dlls",
diff --git a/modules/signatures/windows/bitcoin_opencl.py b/modules/signatures/windows/bitcoin_opencl.py
index 9c8fc1659..25b276781 100644
--- a/modules/signatures/windows/bitcoin_opencl.py
+++ b/modules/signatures/windows/bitcoin_opencl.py
@@ -22,6 +22,7 @@ class BitcoinOpenCL(Signature):
 categories = ["bitcoin"]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["M0018"]
 def on_complete(self):
 filepath = self.check_file(pattern=".*OpenCL\.dll$", regex=True)
diff --git a/modules/signatures/windows/bootconfig_modify.py b/modules/signatures/windows/bootconfig_modify.py
index 0316a2fec..26de318ce 100644
--- a/modules/signatures/windows/bootconfig_modify.py
+++ b/modules/signatures/windows/bootconfig_modify.py
@@ -22,7 +22,7 @@ class ModifiesBootConfig(Signature):
 categories = ["persistance", "ransomware"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1067"]
+ ttp = ["M0028"]
 filter_apinames = "ShellExecuteExW", "CreateProcessInternalW",
 def on_call(self, call, process):
diff --git a/modules/signatures/windows/bootkit.py b/modules/signatures/windows/bootkit.py
index 5198de9c1..a94856601 100644
--- a/modules/signatures/windows/bootkit.py
+++ b/modules/signatures/windows/bootkit.py
@@ -13,7 +13,7 @@ class Bootkit(Signature):
 authors = ["Optiv"]
 minimum = "2.0"
 evented = True
- ttp = ["T1067"]
+ ttp = ["M0028"]
 BasicFileInformation = 4
 def __init__(self, *args, **kwargs):
diff --git a/modules/signatures/windows/browser_bho.py b/modules/signatures/windows/browser_bho.py
index 618dccf1d..6ba003d85 100644
--- a/modules/signatures/windows/browser_bho.py
+++ b/modules/signatures/windows/browser_bho.py
@@ -11,6 +11,7 @@ class InstallsBHO(Signature):
 categories = ["browser"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1176","E1112"]
 regkeys_re = [
 ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Browser\\ Helper\\ Objects",
diff --git a/modules/signatures/windows/browser_startpage.py b/modules/signatures/windows/browser_startpage.py
index e81e7d7e8..379e6ebab 100644
--- a/modules/signatures/windows/browser_startpage.py
+++ b/modules/signatures/windows/browser_startpage.py
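Review bot: `ttp = ["T1176","E1112"]` in the `browser_bho.py` hunk is the only new list in the patch written without a space after the comma; every other added value uses the `["X", "Y"]` form, so `ttp = ["T1176", "E1112"]` keeps the signature files consistent with each other. The `InstallsBHO` class body continues outside the hunk.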
@@ -22,6 +22,7 @@ class browser_startpage(Signature):
 categories = ["browser", "adware"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["E1478"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Main\\\\Start\\ Page",
diff --git a/modules/signatures/windows/clears_logs.py b/modules/signatures/windows/clears_logs.py
index cebbf28a4..d2f0a0fa9 100644
--- a/modules/signatures/windows/clears_logs.py
+++ b/modules/signatures/windows/clears_logs.py
@@ -43,7 +43,7 @@ class ClearPermissionEventLogs(Signature):
 categories = ["commands", "stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1222"]
+ ttp = ["T1070", "T1222"]
 utilities = [
 "wevtutil sl", "wevtutil.exe sl"
diff --git a/modules/signatures/windows/clickfraud.py b/modules/signatures/windows/clickfraud.py
index 5666b175d..0f6fdcaef 100644
--- a/modules/signatures/windows/clickfraud.py
+++ b/modules/signatures/windows/clickfraud.py
@@ -11,6 +11,7 @@ class ClickfraudCookies(Signature):
 categories = ["clickfraud"]
 authors = ["Optiv"]
 minimum = "2.0"
+ ttp = ["E1472", "E1478"]
 filter_apinames = "InternetSetOptionA"
diff --git a/modules/signatures/windows/cloud_dropbox.py b/modules/signatures/windows/cloud_dropbox.py
index e272730b0..b02bf56f6 100644
--- a/modules/signatures/windows/cloud_dropbox.py
+++ b/modules/signatures/windows/cloud_dropbox.py
@@ -12,6 +12,7 @@ class DropBox(Signature):
 categories = ["cloud"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["T1135", "T1102"]
 domains = [
 "dropbox.com",
diff --git a/modules/signatures/windows/cloud_google.py b/modules/signatures/windows/cloud_google.py
index 74b3ed56a..30648aa9f 100644
--- a/modules/signatures/windows/cloud_google.py
+++ b/modules/signatures/windows/cloud_google.py
@@ -11,6 +11,7 @@ class CloudGoogle(Signature):
 categories = ["cloud"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["T1105", "T1102"]
 domains = [
 "docs.google.com",
diff --git a/modules/signatures/windows/cloud_mediafire.py b/modules/signatures/windows/cloud_mediafire.py
index 658556dfe..d5816a98c 100644
--- a/modules/signatures/windows/cloud_mediafire.py
+++ b/modules/signatures/windows/cloud_mediafire.py
@@ -12,6 +12,7 @@ class cloud_mediafire(Signature):
 categories = ["cloud"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["T1102"]
 ipaddrs = [
 "205.196.120.6",
diff --git a/modules/signatures/windows/cloud_mega.py b/modules/signatures/windows/cloud_mega.py
index 7c06e1dc1..49517825a 100644
--- a/modules/signatures/windows/cloud_mega.py
+++ b/modules/signatures/windows/cloud_mega.py
@@ -12,6 +12,7 @@ class MegaUpload(Signature):
 categories = ["cloud"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["T1135", "T1102"]
 domains = [
 "megaupload.com",
diff --git a/modules/signatures/windows/cloud_rapidshare.py b/modules/signatures/windows/cloud_rapidshare.py
index 6a596e88d..ae6b7e15e 100644
--- a/modules/signatures/windows/cloud_rapidshare.py
+++ b/modules/signatures/windows/cloud_rapidshare.py
@@ -12,6 +12,7 @@ class RapidShare(Signature):
 categories = ["recon"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["T1135", "T1102"]
 domains = [
 "rapidshare.com",
diff --git a/modules/signatures/windows/cloud_wetransfer.py b/modules/signatures/windows/cloud_wetransfer.py
index 6a7709657..76593a190 100644
--- a/modules/signatures/windows/cloud_wetransfer.py
+++ b/modules/signatures/windows/cloud_wetransfer.py
@@ -12,6 +12,7 @@ class cloud_wetransfer(Signature):
 categories = ["cloud"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["T1102"]
 ipaddrs = [
 "176.34.228.190",
diff --git a/modules/signatures/windows/creates_exe.py b/modules/signatures/windows/creates_exe.py
index 3bd0f5a06..4a2780b45 100644
--- a/modules/signatures/windows/creates_exe.py
+++ b/modules/signatures/windows/creates_exe.py
@@ -16,7 +16,7 @@ class CreatesExe(Signature):
 categories = ["generic"]
 authors = ["Cuckoo Developers"]
 minimum = "2.0"
- ttp = ["T1129"]
+ ttp = ["T1105"]
 pattern = (
 ".*\\.(bat|cmd|com|cpl|dll|exe|js|jse|lnk|msi|msh|msh1|msh2|mshxml|"
@@ -37,7 +37,7 @@ class CreatesUserFolderEXE(Signature):
 families = ["persistance"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1129"]
+ ttp = ["T1105"]
 directories_re = [
 "^[a-zA-Z]:\\\\Users\\\\[^\\\\]+\\\\AppData\\\\.*",
diff --git a/modules/signatures/windows/creates_service.py b/modules/signatures/windows/creates_service.py
index 1613d01dd..1c7727f4f 100644
--- a/modules/signatures/windows/creates_service.py
+++ b/modules/signatures/windows/creates_service.py
@@ -11,7 +11,7 @@ class CreatesService(Signature):
 categories = ["service", "persistence"]
 authors = ["Cuckoo Technologies", "Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1031"]
+ ttp = ["T1050"]
 filter_apinames = [
 "CreateServiceA", "CreateServiceW",
diff --git a/modules/signatures/windows/credential_dump.py b/modules/signatures/windows/credential_dump.py
index 5249fb073..de5ffcf90 100644
--- a/modules/signatures/windows/credential_dump.py
+++ b/modules/signatures/windows/credential_dump.py
@@ -24,6 +24,7 @@ class CredentialDumpingLsass(Signature):
 minimum = "2.0"
 evented = True
 references = ["cyberwardog.blogspot.co.uk/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "cyberwardog.blogspot.co.uk/2017/04/chronicles-of-threat-hunter-hunting-for.html"]
+ ttp = ["T1003"]
 lsasspid = []
 lsasshandle = []
@@ -61,6 +62,7 @@ class CredentialDumpingLsassAccess(Signature):
 minimum = "2.0"
 evented = True
 references = ["cyberwardog.blogspot.co.uk/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "cyberwardog.blogspot.co.uk/2017/04/chronicles-of-threat-hunter-hunting-for.html"]
+ ttp = ["T1003"]
 lsasspid = []
 creddump = False
diff --git a/modules/signatures/windows/deletes_executed.py b/modules/signatures/windows/deletes_executed.py
index a0778aa38..e88c5a3ea 100644
--- a/modules/signatures/windows/deletes_executed.py
+++ b/modules/signatures/windows/deletes_executed.py
@@ -22,7 +22,7 @@ class DeletesExecutedFiles(Signature):
 categories = ["persistence", "stealth"]
 authors = ["Optiv", "Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1070"]
+ ttp = ["E1007"]
 evented = True
 def on_complete(self):
diff --git a/modules/signatures/windows/disables_app.py b/modules/signatures/windows/disables_app.py
index 76f5b65f4..4c34b71d1 100644
--- a/modules/signatures/windows/disables_app.py
+++ b/modules/signatures/windows/disables_app.py
@@ -11,7 +11,7 @@ class DisablesAppLaunch(Signature):
 categories = ["stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1112"]
+ ttp = ["E1478", "E1112"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun$",
diff --git a/modules/signatures/windows/disables_browserwarn.py b/modules/signatures/windows/disables_browserwarn.py
index 37da8be58..2cf789e55 100644
--- a/modules/signatures/windows/disables_browserwarn.py
+++ b/modules/signatures/windows/disables_browserwarn.py
@@ -11,7 +11,7 @@ class DisablesBrowserWarn(Signature):
 categories = ["generic", "banker", "clickfraud"]
 authors = ["Optiv", "Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1089"]
+ ttp = ["E1089", "E1112"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnBadCertRecving",
diff --git a/modules/signatures/windows/disables_security.py b/modules/signatures/windows/disables_security.py
index 3c6c5fc8b..52c51ff17 100644
--- a/modules/signatures/windows/disables_security.py
+++ b/modules/signatures/windows/disables_security.py
@@ -11,7 +11,7 @@ class DisablesSecurity(Signature):
 categories = ["anti-av"]
 authors = ["Cuckoo Technologies", "Brad Spengler"]
 minimum = "2.0"
- ttp = ["T1089", "T1112"]
+ ttp = ["E1089"]
 regkeys_re = [
 ("HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA", "attempts to disable user access control"),
diff --git a/modules/signatures/windows/disables_sysrestore.py b/modules/signatures/windows/disables_sysrestore.py
index a5c6d73b9..09f7fcf2b 100644
--- a/modules/signatures/windows/disables_sysrestore.py
+++ b/modules/signatures/windows/disables_sysrestore.py
@@ -12,7 +12,7 @@ class DisablesSystemRestore(Signature):
 categories = ["ransomware", "persistance"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1112"]
+ ttp = ["T1490", "E1112"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableSR$",
diff --git a/modules/signatures/windows/disables_wer.py b/modules/signatures/windows/disables_wer.py
index 03971c8b8..9b29252a7 100644
--- a/modules/signatures/windows/disables_wer.py
+++ b/modules/signatures/windows/disables_wer.py
@@ -11,7 +11,7 @@ class DisablesWER(Signature):
 categories = ["stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1054", "T1112"]
+ ttp = ["E1054", "E1089", "E1112"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ Error\\ Reporting\\\\Disabled$",
diff --git a/modules/signatures/windows/disables_windowsupdate.py b/modules/signatures/windows/disables_windowsupdate.py
index a1cf74f2e..6d148e673 100644
--- a/modules/signatures/windows/disables_windowsupdate.py
+++ b/modules/signatures/windows/disables_windowsupdate.py
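Review bot: `ttp = ["E1089"]` in the `disables_security.py` hunk drops the registry-modification identifier that the old `["T1089", "T1112"]` carried, while the sibling registry-keyed signatures rewritten on this line (`disables_sysrestore.py`, `disables_wer.py`) and `disables_browserwarn.py` just above keep `E1112` next to the behaviour ID; the `disables_windowsupdate.py` hunk on the next line makes the same `T1112` to `E1089` substitution. If the omission is deliberate, a word in the commit description would help; otherwise `ttp = ["E1089", "E1112"]` matches the neighbours. The `DisablesSecurity` class body continues outside the hunk.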
@@ -11,7 +11,7 @@ class DisablesWindowsUpdate(Signature):
 categories = ["generic"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1112"]
+ ttp = ["E1089"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\(AU\\\\NoAutoUpdate|Auto\\ Update\\\\AUOptions)$",
diff --git a/modules/signatures/windows/dropper.py b/modules/signatures/windows/dropper.py
index 38a2b1ab9..9e0093446 100644
--- a/modules/signatures/windows/dropper.py
+++ b/modules/signatures/windows/dropper.py
@@ -22,7 +22,7 @@ class Dropper(Signature):
 categories = ["dropper"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1129"]
+ ttp = ["M0023", "E1105"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
@@ -59,7 +59,7 @@ class ExeAppData(Signature):
 categories = ["dropper", "persistence"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1129"]
+ ttp = ["M0023"]
 def on_complete(self):
 for dropped in self.get_results("dropped", []):
diff --git a/modules/signatures/windows/emoves_zoneid_ads.py b/modules/signatures/windows/emoves_zoneid_ads.py
index 6931ce2e7..2a0b49623 100644
--- a/modules/signatures/windows/emoves_zoneid_ads.py
+++ b/modules/signatures/windows/emoves_zoneid_ads.py
@@ -11,7 +11,7 @@ class RemovesZoneIdADS(Signature):
 categories = ["generic"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1070", "T1096"]
+ ttp = ["E1007"]
 def on_complete(self):
 for deletedfile in self.get_files(actions=["file_deleted"]):
diff --git a/modules/signatures/windows/exec_bitsadmin.py b/modules/signatures/windows/exec_bitsadmin.py
index 718539865..ca257dcce 100644
--- a/modules/signatures/windows/exec_bitsadmin.py
+++ b/modules/signatures/windows/exec_bitsadmin.py
@@ -13,7 +13,7 @@ class ExecBitsAdmin(Signature):
 categories = ["script", "dropper"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1197"]
+ ttp = ["T1197", "E1105"]
 def on_complete(self):
 lower = "".join(self.get_command_lines()).lower()
diff --git a/modules/signatures/windows/exec_waitfor.py b/modules/signatures/windows/exec_waitfor.py
index d68618b57..50c468294 100644
--- a/modules/signatures/windows/exec_waitfor.py
+++ b/modules/signatures/windows/exec_waitfor.py
@@ -13,6 +13,7 @@ class ExecWaitFor(Signature):
 categories = ["script", "bypass"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["M0003"]
 def on_complete(self):
 lower = "".join(self.get_command_lines()).lower()
diff --git a/modules/signatures/windows/exploitation.py b/modules/signatures/windows/exploitation.py
index 376aceec9..568d15a5f 100644
--- a/modules/signatures/windows/exploitation.py
+++ b/modules/signatures/windows/exploitation.py
@@ -214,6 +214,7 @@ class ShellcodeWriteProcessMemory(Signature):
 categories = ["exploit", "shellcode"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["E1055"]
 filter_apinames = critical_apinames
diff --git a/modules/signatures/windows/has_authenticode.py b/modules/signatures/windows/has_authenticode.py
index d0e99c2d2..aa662eb13 100644
--- a/modules/signatures/windows/has_authenticode.py
+++ b/modules/signatures/windows/has_authenticode.py
@@ -8,6 +8,7 @@ class HasAuthenticode(Signature):
 name = "has_authenticode"
 description = "This executable is signed"
 severity = 1
+ ttp = ["T1116"]
 def on_complete(self):
 if self.get_results("static", {}).get("signature"):
diff --git a/modules/signatures/windows/im_bittorrent_bleep.py b/modules/signatures/windows/im_bittorrent_bleep.py
index 473e0e36e..df71ebd24 100644
--- a/modules/signatures/windows/im_bittorrent_bleep.py
+++ b/modules/signatures/windows/im_bittorrent_bleep.py
@@ -12,6 +12,7 @@ class im_btb(Signature):
 categories = ["im"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["T1102"]
 ipaddrs = [
 "23.21.70.220",
diff --git a/modules/signatures/windows/im_qq.py b/modules/signatures/windows/im_qq.py
index f551c068f..d974c8d5c 100644
--- a/modules/signatures/windows/im_qq.py
+++ b/modules/signatures/windows/im_qq.py
@@ -12,6 +12,7 @@ class im_qq(Signature):
 categories = ["im"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["T1102"]
 ipaddrs = [
 "183.60.18.111",
diff --git a/modules/signatures/windows/infostealer_bitcoin.py b/modules/signatures/windows/infostealer_bitcoin.py
index 34ab6d93b..0738982fa 100644
--- a/modules/signatures/windows/infostealer_bitcoin.py
+++ b/modules/signatures/windows/infostealer_bitcoin.py
@@ -11,7 +11,8 @@ class BitcoinWallet(Signature):
 categories = ["infostealer"]
 authors = ["Kevin Ross", "Optiv"]
 minimum = "2.0"
- ttp = ["T1005"]
+ ttp = ["E1409"]
+ 
 file_indicators = [
 ".*\\\\wallet\.dat$",
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
index 44932732c..1d82d05b4 100644
--- a/modules/signatures/windows/infostealer_browser.py
+++ b/modules/signatures/windows/infostealer_browser.py
@@ -22,7 +22,7 @@ class BrowserStealer(Signature):
 categories = ["infostealer"]
 authors = ["nex", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1081", "T1003", "T1005"]
+ ttp = ["T1503", "T1081", "T1003"]
 files_re = [
 ".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\signons\\.sqlite$",
diff --git a/modules/signatures/windows/infostealer_browser_modifications.py b/modules/signatures/windows/infostealer_browser_modifications.py
index 5aba70115..5b924e38b 100644
--- a/modules/signatures/windows/infostealer_browser_modifications.py
+++ b/modules/signatures/windows/infostealer_browser_modifications.py
@@ -11,7 +11,7 @@ class DisablesSPDYFirefox(Signature):
 categories = ["infostealer", "banker"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1089"]
+ ttp = ["E1478"]
 filter_apinames = [
 "NtWriteFile",
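Review bot: `ttp = ["T1503", "T1081", "T1003"]` in the `infostealer_browser.py` hunk orders its ATT&CK IDs differently from the sibling stealers rewritten on the next line (`infostealer_ftp.py`, `infostealer_im.py`), which both use `["T1003", "T1081"]`; `ttp = ["T1003", "T1081", "T1503"]` would keep the lists aligned. The `infostealer_bitcoin.py` hunk on this line also adds a bare `+` line after `ttp = ["E1409"]` (the hunk grows from 7 to 8 lines), which looks like a whitespace-only change unrelated to the TTP update and worth confirming is intentional. Both class bodies continue outside their hunks.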
@@ -32,7 +32,7 @@ class DisablesSPDYIE(Signature): categories = ["infostealer", "banker"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1089"] + ttp = ["E1478"] references = ["www.windows-security.org/65bb16b8e4a8cda95159541fcf31fcd7/allow-internet-explorer-to-use-the-spdy3-network-protocol"] filter_apinames = [ @@ -59,7 +59,7 @@ class DisablesSPDYChrome(Signature): categories = ["infostealer", "banker"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1089"] + ttp = ["E1478"] def on_complete(self): for cmdline in self.get_command_lines(): @@ -75,7 +75,7 @@ class ModifiesFirefoxConfiguration(Signature): categories = ["infostealer", "banker"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1089"] + ttp = ["E1478"] filter_apinames = [ "NtWriteFile", @@ -98,7 +98,7 @@ class DisablesIEHTTP2(Signature): categories = ["infostealer", "banker"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1089"] + ttp = ["E1478", "E1112"] http2keys = [ "enablehttp2tls", diff --git a/modules/signatures/windows/infostealer_ftp.py b/modules/signatures/windows/infostealer_ftp.py index aca2dcd60..72765d196 100644 --- a/modules/signatures/windows/infostealer_ftp.py +++ b/modules/signatures/windows/infostealer_ftp.py @@ -22,7 +22,7 @@ class FTPStealer(Signature): categories = ["infostealer"] authors = ["nex", "RedSocks", "Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1081", "T1003", "T1005"] + ttp = ["T1003", "T1081"] files_re = [ ".*\\\\CuteFTP\\\\sm\\.dat$", diff --git a/modules/signatures/windows/infostealer_im.py b/modules/signatures/windows/infostealer_im.py index bb1c81cbc..24d4b96f3 100644 --- a/modules/signatures/windows/infostealer_im.py +++ b/modules/signatures/windows/infostealer_im.py @@ -11,7 +11,7 @@ class IMStealer(Signature): categories = ["infostealer"] authors = ["Optiv"] minimum = "2.0" - ttp = ["T1081", "T1003", "T1005"] + ttp = ["T1003", "T1081"] file_indicators = [ ".*\\\\AIM\\\\aimx\.bin$", 
diff --git a/modules/signatures/windows/infostealer_keylogger.py b/modules/signatures/windows/infostealer_keylogger.py index 53b784f83..5a38b712a 100644 --- a/modules/signatures/windows/infostealer_keylogger.py +++ b/modules/signatures/windows/infostealer_keylogger.py @@ -23,6 +23,7 @@ class Keylogger(Signature): categories = ["generic"] authors = ["Thomas Birn", "nex"] minimum = "2.0" + ttp = ["T1056", "E1179"] filter_apinames = "SetWindowsHookExA", "SetWindowsHookExW" diff --git a/modules/signatures/windows/infostealer_mail.py b/modules/signatures/windows/infostealer_mail.py index f82c48d32..582eb9ae9 100644 --- a/modules/signatures/windows/infostealer_mail.py +++ b/modules/signatures/windows/infostealer_mail.py @@ -11,7 +11,7 @@ class MailStealer(Signature): categories = ["infostealer"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1081", "T1003", "T1005"] + ttp = ["T1003", "T1081"] regkeys_re = [ ".*\\\\Software\\\\(Wow6432Node\\\\)?IncrediMail" diff --git a/modules/signatures/windows/injection_explorer.py b/modules/signatures/windows/injection_explorer.py index 4a2349ff0..69a51c2d9 100644 --- a/modules/signatures/windows/injection_explorer.py +++ b/modules/signatures/windows/injection_explorer.py @@ -22,7 +22,7 @@ class InjectionExplorer(Signature): categories = ["injection"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1055"] + ttp = ["E1055"] references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"] filter_apinames = [ diff --git a/modules/signatures/windows/injection_memorymodify.py b/modules/signatures/windows/injection_memorymodify.py index 6f2e072e4..eb3202c37 100644 --- a/modules/signatures/windows/injection_memorymodify.py +++ b/modules/signatures/windows/injection_memorymodify.py 
@@ -23,6 +23,7 @@ class InjectionModifiesMemory(Signature): authors = ["Kevin Ross"] minimum = "2.0" references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"] + ttp = ["E1055"] filter_apinames = [ "NtAllocateVirtualMemory", diff --git a/modules/signatures/windows/injection_runpe.py b/modules/signatures/windows/injection_runpe.py index 0c5a56743..3aeacb13f 100644 --- a/modules/signatures/windows/injection_runpe.py +++ b/modules/signatures/windows/injection_runpe.py @@ -26,6 +26,7 @@ class InjectionRunPE(Signature): categories = ["injection"] authors = ["glysbaysb", "Accuvant"] minimum = "2.0" + ttp = ["E1055"] filter_apinames = [ "CreateProcessInternalW", diff --git a/modules/signatures/windows/injection_thread.py b/modules/signatures/windows/injection_thread.py index 166184488..aa438c856 100644 --- a/modules/signatures/windows/injection_thread.py +++ b/modules/signatures/windows/injection_thread.py @@ -22,7 +22,7 @@ class InjectionCreateRemoteThread(Signature): categories = ["injection"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1055"] + ttp = ["E1055"] references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"] filter_apinames = [ @@ -53,6 +53,7 @@ class InjectionQueueApcThread(Signature): authors = ["Kevin Ross"] minimum = "2.0" references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"] + ttp = ["E1055"] filter_apinames = [ "NtQueueApcThread", @@ -79,6 +80,7 @@ class ResumeThread(Signature): authors = ["Kevin Ross"] minimum = "2.0" references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"] + ttp = ["E1055"] filter_apinames = [ "NtResumeThread", 
@@ -105,7 +107,7 @@ class NtSetContextThreadRemote(Signature): authors = ["Kevin Ross"] minimum = "2.0" references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"] - + ttp = ["E1055"] filter_apinames = [ "NtSetContextThread", diff --git a/modules/signatures/windows/injection_writememory.py b/modules/signatures/windows/injection_writememory.py index 79fcaffd3..8c83e13e8 100644 --- a/modules/signatures/windows/injection_writememory.py +++ b/modules/signatures/windows/injection_writememory.py @@ -22,6 +22,7 @@ class InjectionWriteMemory(Signature): categories = ["injection"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["E1055"] filter_apinames = [ "NtWriteVirtualmemory", @@ -55,6 +56,7 @@ class InjectionWriteMemoryEXE(Signature): categories = ["injection", "unpacking"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["E1055"] filter_apinames = [ "NtWriteVirtualmemory", diff --git a/modules/signatures/windows/javascript_commandline.py b/modules/signatures/windows/javascript_commandline.py index 442b622e1..302618c11 100644 --- a/modules/signatures/windows/javascript_commandline.py +++ b/modules/signatures/windows/javascript_commandline.py @@ -22,7 +22,7 @@ class JavaScriptCommandline(Signature): categories = ["javascript", "persistence", "downloader"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1059"] + ttp = ["T1064"] def on_complete(self): for cmdline in self.get_command_lines(): diff --git a/modules/signatures/windows/locates_browser.py b/modules/signatures/windows/locates_browser.py index a71defaec..c0c82bda7 100644 --- a/modules/signatures/windows/locates_browser.py +++ b/modules/signatures/windows/locates_browser.py 
@@ -9,7 +9,8 @@ class LocatesBrowser(Signature): description = "Tries to locate where the browsers are installed" severity = 1 authors = ["Cuckoo Technologies"] - minimum = "2.0" + minimum = "2.0 + ttp = ["T1518"] files_re = [ "C:\\\\Program\\ Files(\\ \\(x86\\))?\\\\Google\\\\Chrome\\\\Application", diff --git a/modules/signatures/windows/locates_sniffer.py b/modules/signatures/windows/locates_sniffer.py index 6871489b3..d363337b1 100644 --- a/modules/signatures/windows/locates_sniffer.py +++ b/modules/signatures/windows/locates_sniffer.py @@ -10,6 +10,7 @@ class LocatesSniffer(Signature): severity = 2 authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["M0013"] regkeys_re = [ ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\App\\ Paths\\\\Wireshark.exe", diff --git a/modules/signatures/windows/maldoc.py b/modules/signatures/windows/maldoc.py index 75fa07017..165c16340 100644 --- a/modules/signatures/windows/maldoc.py +++ b/modules/signatures/windows/maldoc.py @@ -11,6 +11,7 @@ class MaliciousDocumentURLs(Signature): categories = ["downloader"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["M0023", "T1064"] filter_apinames = [ "InternetCrackUrlW", diff --git a/modules/signatures/windows/martians.py b/modules/signatures/windows/martians.py index a1276ac5f..669cf85f1 100644 --- a/modules/signatures/windows/martians.py +++ b/modules/signatures/windows/martians.py @@ -82,7 +82,7 @@ class MartianCommandProcess(Signature): categories = ["martian", "exploit", "dropper"] authors = ["Cuckoo Technologies", "Will Metcalf", "Kevin Ross"] minimum = "2.0" - ttp = ["T1059"] + ttp = ["T1059", "T1064"] whitelist_procs = [ "acrord32.exe", diff --git a/modules/signatures/windows/memdump_urls.py b/modules/signatures/windows/memdump_urls.py index 309d97a60..2100a0209 100644 --- a/modules/signatures/windows/memdump_urls.py +++ b/modules/signatures/windows/memdump_urls.py 
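Review bot: The new line `minimum = "2.0` in locates_browser.py drops the closing quote, so the module no longer parses (unterminated string literal) and LocatesBrowser is never loaded; depending on how the signature loader treats an import error this may affect more than this one signature. The `minimum` line did not need to change at all — only the `ttp` attribute was meant to be added — so it should read `minimum = "2.0"` followed by `ttp = ["T1518"]`. The `files_re` list and the rest of the class continue outside the hunk.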
@@ -16,6 +16,7 @@ class ProcMemDumpURLs(Signature): categories = ["unpacking"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["T1188"] def on_complete(self): for procmem in self.get_results("procmemory", []): diff --git a/modules/signatures/windows/mining.py b/modules/signatures/windows/mining.py index 896394998..2dd4a1441 100644 --- a/modules/signatures/windows/mining.py +++ b/modules/signatures/windows/mining.py @@ -12,6 +12,7 @@ class miningpool(Signature): categories = ["mining"] authors = ["RedSocks"] minimum = "2.0" + ttp = ["M0018"] ipaddrs = [ "144.76.102.176", diff --git a/modules/signatures/windows/modifies_proxies.py b/modules/signatures/windows/modifies_proxies.py index 5164ca35c..b8822fa98 100644 --- a/modules/signatures/windows/modifies_proxies.py +++ b/modules/signatures/windows/modifies_proxies.py @@ -22,7 +22,7 @@ class ModifiesProxyWPAD(Signature): categories = ["infostealer"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1040"] + ttp = ["T1040", "E1112"] evented = True filter_apinames = [ @@ -47,7 +47,7 @@ class ModifiesProxyOverride(Signature): categories = ["infostealer"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1040"] + ttp = ["T1040", "E1112"] evented = True filter_apinames = [ @@ -72,7 +72,7 @@ class ModifiesProxyAutoConfig(Signature): categories = ["infostealer"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1040"] + ttp = ["T1040", "E1112"] evented = True filter_apinames = [ @@ -97,7 +97,7 @@ class DisablesProxy(Signature): categories = ["infostealer"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1040"] + ttp = ["E1089", "E1112"] evented = True filter_apinames = [ diff --git a/modules/signatures/windows/modifies_seccenter.py b/modules/signatures/windows/modifies_seccenter.py index 8b9d3bd61..cfc12c1ad 100644 --- a/modules/signatures/windows/modifies_seccenter.py +++ b/modules/signatures/windows/modifies_seccenter.py 
@@ -11,7 +11,7 @@ class ModifySecurityCenterWarnings(Signature): categories = ["stealth"] authors = ["Kevin Ross", "Optiv"] minimum = "2.0" - ttp = ["T1031", "T1089"] + ttp = ["E1089", "E1112"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\.*", diff --git a/modules/signatures/windows/modifies_wallpaper.py b/modules/signatures/windows/modifies_wallpaper.py index 1bd464274..3c9c469a7 100644 --- a/modules/signatures/windows/modifies_wallpaper.py +++ b/modules/signatures/windows/modifies_wallpaper.py @@ -22,6 +22,7 @@ class ModifiesDesktopWallpaper(Signature): categories = ["ransomware"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["E1478", "E1112"] regkeys_re = [ ".*\\\\Control\\ Panel\\\\Desktop\\\\Wallpaper", diff --git a/modules/signatures/windows/network_service_mirc.py b/modules/signatures/windows/network_service_mirc.py index 4b428935c..af1c6236e 100644 --- a/modules/signatures/windows/network_service_mirc.py +++ b/modules/signatures/windows/network_service_mirc.py @@ -13,6 +13,7 @@ class MircFile(Signature): families = ["mirc"] authors = ["RedSocks"] minimum = "2.0" + ttp = ["T1418"] files_re = [ "C:\\mIRC\\mirc.ini", diff --git a/modules/signatures/windows/office.py b/modules/signatures/windows/office.py index 787489364..2ffb918bb 100644 --- a/modules/signatures/windows/office.py +++ b/modules/signatures/windows/office.py @@ -75,7 +75,7 @@ class OfficeCountDirectories(Signature): categories = ["vba"] authors = ["FDD @ Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1203"] + ttp = ["M0007", "T1083"] filter_apinames = "vbe6_Invoke", @@ -165,6 +165,7 @@ class OfficeRecentFiles(Signature): categories = ["vba"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["M0007", "T1083"] filter_apinames = "vbe6_Invoke", 
@@ -193,7 +194,7 @@ class OfficeIndirectCall(Signature): categories = ["office"] authors = ["FDD @ Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1203"] + ttp = ["T1064"] patterns = [ "CallByName[^\r\n;']*", @@ -240,6 +241,7 @@ class OfficePlatformDetect(Signature): categories = ["office"] authors = ["FDD @ Cuckoo Technologies"] minimum = "2.0" + ttp = ["T1082", "T1064"] patterns = [ "#If\s+(?:Not\s+)?Win32", @@ -264,7 +266,7 @@ class DocumentClose(Signature): categories = ["office"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1179"] + ttp = ["T1064"] def on_complete(self): office = self.get_results("static", {}).get("office", {}) @@ -280,7 +282,7 @@ class DocumentOpen(Signature): categories = ["office"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1179"] + ttp = ["T1064"] def on_complete(self): office = self.get_results("static", {}).get("office", {}) @@ -296,6 +298,7 @@ class OfficeEpsStrings(Signature): categories = ["office"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["E1203"] keywords = [ "longjmp", "NtCreateEvent", "NtProtectVirtualMemory", @@ -316,7 +319,7 @@ class OfficeVulnerableGuid(Signature): categories = ["office"] authors = ["Niels Warnars @ Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1203"] + ttp = ["E1203"] bad_guids = { "BDD1F04B-858B-11D1-B16A-00C0F0283628": "CVE-2012-0158", @@ -350,7 +353,7 @@ class OfficeVulnModules(Signature): categories = ["office"] authors = ["Niels Warnars @ Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1203"] + ttp = ["E1203"] bad_modules = { "ogl.dll": "CVE-2013-3906", diff --git a/modules/signatures/windows/packer_entropy.py b/modules/signatures/windows/packer_entropy.py index 56de81e3a..02a148de5 100644 --- a/modules/signatures/windows/packer_entropy.py +++ b/modules/signatures/windows/packer_entropy.py 
@@ -22,7 +22,7 @@ class PackerEntropy(Signature): categories = ["packer"] authors = ["Robby Zeitfuchs", "nex"] minimum = "2.0" - ttp = ["T1045"] + ttp = ["E1045"] references = [ "http://www.forensickb.com/2013/03/file-entropy-explained.html", "http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf", diff --git a/modules/signatures/windows/packer_polymorphic.py b/modules/signatures/windows/packer_polymorphic.py index 36ee92cfe..80e9b238d 100644 --- a/modules/signatures/windows/packer_polymorphic.py +++ b/modules/signatures/windows/packer_polymorphic.py @@ -20,7 +20,7 @@ class Polymorphic(Signature): categories = ["packer"] authors = ["lordr"] minimum = "2.0" - ttp = ["T1045"] + ttp = ["M0029"] def on_complete(self): if not HAVE_SSDEEP: diff --git a/modules/signatures/windows/packer_upx.py b/modules/signatures/windows/packer_upx.py index 34f507f10..c292f9f46 100644 --- a/modules/signatures/windows/packer_upx.py +++ b/modules/signatures/windows/packer_upx.py @@ -22,7 +22,7 @@ class UPXCompressed(Signature): categories = ["packer"] authors = ["Michael Boman", "nex"] minimum = "2.0" - ttp = ["T1045"] + ttp = ["E1045"] def on_complete(self): for section in self.get_results("static", {}).get("pe_sections", []): diff --git a/modules/signatures/windows/packer_vmprotect.py b/modules/signatures/windows/packer_vmprotect.py index d921a29a5..a1a8ff0de 100644 --- a/modules/signatures/windows/packer_vmprotect.py +++ b/modules/signatures/windows/packer_vmprotect.py @@ -22,7 +22,7 @@ class VMPPacked(Signature): categories = ["packer"] authors = ["Jeremy Hedges"] minimum = "2.0" - ttp = ["T1045"] + ttp = ["E1045"] def on_complete(self): for section in self.get_results("static", {}).get("pe_sections", []): diff --git a/modules/signatures/windows/payload_download.py b/modules/signatures/windows/payload_download.py index 6fe78140f..7bb021e32 100644 --- a/modules/signatures/windows/payload_download.py 
+++ b/modules/signatures/windows/payload_download.py @@ -23,7 +23,7 @@ class NetworkDocumentFile(Signature): categories = ["exploit", "downloader"] authors = ["Kevin Ross", "Will Metcalf"] minimum = "2.0" - ttp = ["T1071"] + ttp = ["M0023"] def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) @@ -107,7 +107,7 @@ class SuspiciousWriteEXE(Signature): categories = ["exploit", "downloader", "virus"] authors = ["Will Metcalf", "Kevin Ross"] minimum = "2.0" - ttp = ["T1129"] + ttp = ["M0023"] def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) diff --git a/modules/signatures/windows/pe_features.py b/modules/signatures/windows/pe_features.py index 083912f83..9321b9d23 100644 --- a/modules/signatures/windows/pe_features.py +++ b/modules/signatures/windows/pe_features.py @@ -13,7 +13,7 @@ class PEFeatures(Signature): categories = ["packer"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1045"] + ttp = ["E1045"] section_names = [ ".text", ".rdata", ".data", ".pdata", ".DATA", ".reloc", ".idata", @@ -45,7 +45,7 @@ class PEIDPacker(Signature): categories = ["packer"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1045"] + ttp = ["E1045"] def on_complete(self): if self.get_results("static", {}).get("peid_signatures", []): @@ -61,7 +61,7 @@ class PEUnknownResourceName(Signature): categories = ["packer"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1045"] + ttp = ["E1045"] names = [ "RT_ACCELERATOR", diff --git a/modules/signatures/windows/persistence_autorun.py b/modules/signatures/windows/persistence_autorun.py index b4d06c44a..bc45fea71 100644 --- a/modules/signatures/windows/persistence_autorun.py +++ b/modules/signatures/windows/persistence_autorun.py 
@@ -31,7 +31,7 @@ class Autorun(Signature): categories = ["persistence"] authors = ["Michael Boman", "nex", "securitykitten", "Cuckoo Technologies", "Optiv", "KillerInstinct", "Kevin Ross"] minimum = "2.0" - ttp = ["T1060", "T1053"] + ttp = ["E1060", "T1050", "E1112"] regkeys_re = [ ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\.*", diff --git a/modules/signatures/windows/persistence_bootexecute.py b/modules/signatures/windows/persistence_bootexecute.py index 86b6c7582..2918d1ba1 100644 --- a/modules/signatures/windows/persistence_bootexecute.py +++ b/modules/signatures/windows/persistence_bootexecute.py @@ -23,7 +23,7 @@ class PersistenceBootexecute(Signature): authors = ["Brad Spengler"] minimum = "2.0" evented = True - ttp = ["T1060"] + ttp = ["E1060"] def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) diff --git a/modules/signatures/windows/persistence_registry_fileless.py b/modules/signatures/windows/persistence_registry_fileless.py index 9b00fb1c7..d01e3f699 100644 --- a/modules/signatures/windows/persistence_registry_fileless.py +++ b/modules/signatures/windows/persistence_registry_fileless.py @@ -23,7 +23,7 @@ class PersistenceRegistryJavaScript(Signature): authors = ["Kevin Ross"] minimum = "2.0" evented = True - ttp = ["T1112"] + ttp = ["E1112"] filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"]) diff --git a/modules/signatures/windows/powershell.py b/modules/signatures/windows/powershell.py index f530625c2..bb28820ca 100644 --- a/modules/signatures/windows/powershell.py +++ b/modules/signatures/windows/powershell.py @@ -13,6 +13,7 @@ class SuspiciousPowershell(Signature): categories = ["script", "dropper", "downloader", "packer"] authors = ["Kevin Ross", "Cuckoo Technologies", "FDD"] minimum = "2.0" + ttp = ["T1086"] def on_complete(self): for cmdline in self.get_command_lines(): 
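Review bot: In persistence_autorun.py the change from `["T1060", "T1053"]` to `["E1060", "T1050", "E1112"]` silently drops T1053 (scheduled task/job) and adds T1050 (new service), which is a change of meaning rather than a catalog migration. Only the Run-key entries of `regkeys_re` are visible in the hunk, so whether this signature still matches scheduled-task or service indicators cannot be told from here; if it does, T1053 should stay alongside T1050, and a short comment on the attribute naming which indicator maps to which id would make the list checkable. The Autorun class continues past the hunk.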
@@ -63,7 +64,7 @@ class AmsiBypass(Signature): categories = ["script", "malware", "powershell", "amsi"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0.4" - ttp = ["T1086", "T1089"] + ttp = ["E1089"] def on_yara(self, category, filepath, match): if match.name != "PowershellAMSI": @@ -100,7 +101,7 @@ class PowershellDdiRc4(Signature): categories = ["script", "dropper", "downloader", "malware", "powershell"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0.4" - ttp = ["T1112", "T1086"] + ttp = ["T1105", "T1086"] def on_yara(self, category, filepath, match): if match.name != "PowershellDdiRc4": @@ -129,7 +130,7 @@ class PowershellDFSP(Signature): categories = ["script", "dropper", "downloader", "malware"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0.4" - ttp = ["T1112", "T1086"] + ttp = ["T1105", "T1086"] def on_yara(self, category, filepath, match): if match.name != "PowershellDFSP": @@ -180,7 +181,7 @@ class PowershellDownload(Signature): categories = ["downloader"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1112", "T1086"] + ttp = ["T1086", "T1105"] filter_apinames = [ "recv", @@ -285,7 +286,7 @@ class PowershellUnicorn(Signature): categories = ["script", "dropper", "downloader", "malware"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0.4" - ttp = ["T1086"] + ttp = ["T1086", "E1055"] def on_yara(self, category, filepath, match): if match.name != "UnicornGen": diff --git a/modules/signatures/windows/powershell_reg.py b/modules/signatures/windows/powershell_reg.py index d1a2bf611..69a6e888a 100644 --- a/modules/signatures/windows/powershell_reg.py +++ b/modules/signatures/windows/powershell_reg.py @@ -14,7 +14,7 @@ class PowershellRegAdd(Signature): categories = ["script", "powershell"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0.4" - ttp = ["T1086"] + ttp = ["E1112", "T1086"] def on_complete(self): lower = "".join(self.get_command_lines()).lower() 
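Review bot: AmsiBypass in powershell.py drops T1086 entirely (`["T1086", "T1089"]` becomes `["E1089"]`), while every other PowerShell signature touched in this file keeps T1086 next to the new id (PowershellDdiRc4, PowershellDFSP, PowershellDownload, PowershellUnicorn). Unless E1089 is meant to subsume the PowerShell tag here, `ttp = ["T1086", "E1089"]` keeps the file consistent; the on_yara body is outside the hunk so the intent cannot be confirmed from the diff.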
diff --git a/modules/signatures/windows/ransomware_bcdedit.py b/modules/signatures/windows/ransomware_bcdedit.py index 0c0d269df..83a45552f 100644 --- a/modules/signatures/windows/ransomware_bcdedit.py +++ b/modules/signatures/windows/ransomware_bcdedit.py @@ -13,7 +13,7 @@ class RansomwareBcdedit(Signature): categories = ["ransomware"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1047"] + ttp = ["T1490"] indicator = ( "bcdedit.*/set.*(bootems|optionsedit|advancedoptions|bootstatuspolicy|recoveryenabled)" diff --git a/modules/signatures/windows/ransomware_fileextensions.py b/modules/signatures/windows/ransomware_fileextensions.py index 3cbf58a82..0ce066557 100644 --- a/modules/signatures/windows/ransomware_fileextensions.py +++ b/modules/signatures/windows/ransomware_fileextensions.py @@ -21,6 +21,7 @@ class RansomwareExtensions(Signature): severity = 3 categories = ["ransomware"] authors = ["Kevin Ross"] + ttp = ["E1486"] indicators = [ (".*\.(?:R5A|R4A)$", ["7ev3n"]), diff --git a/modules/signatures/windows/ransomware_filemodications.py b/modules/signatures/windows/ransomware_filemodications.py index 72aaf4247..9504bd52c 100644 --- a/modules/signatures/windows/ransomware_filemodications.py +++ b/modules/signatures/windows/ransomware_filemodications.py @@ -19,6 +19,7 @@ class RamsomwareFileMoves(Signature): severity = 3 categories = ["ransomware"] minimum = "2.0" + ttp = ["E1486"] filter_apinames = "MoveFileWithProgressW", "MoveFileWithProgressTransactedW" @@ -52,6 +53,7 @@ class RansomwareAppendsExtension(Signature): categories = ["ransomware"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["E1486"] filter_apinames = "MoveFileWithProgressW", "MoveFileWithProgressTransactedW" @@ -87,6 +89,7 @@ class RansomwareDroppedFiles(Signature): categories = ["ransomware"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["E1486"] def on_complete(self): count = 0 
@@ -116,6 +119,7 @@ class RansomwareMassFileDelete(Signature): categories = ["ransomware", "wiper"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1488"] evented = True def on_complete(self): diff --git a/modules/signatures/windows/ransomware_files.py b/modules/signatures/windows/ransomware_files.py index 915cb63e9..9dcbfe5dc 100644 --- a/modules/signatures/windows/ransomware_files.py +++ b/modules/signatures/windows/ransomware_files.py @@ -23,6 +23,7 @@ class RansomwareFiles(Signature): categories = ["ransomware"] authors = ["KillerInstinct", "Cuckoo Technologies"] minimum = "2.0" + ttp = ["E1486"] indicators = [ (".*\\\\help_decrypt\.html$", ["CryptoWall"]), diff --git a/modules/signatures/windows/ransomware_message.py b/modules/signatures/windows/ransomware_message.py index 83e736218..5d09af303 100644 --- a/modules/signatures/windows/ransomware_message.py +++ b/modules/signatures/windows/ransomware_message.py @@ -43,6 +43,7 @@ class RansomwareMessage(Signature): categories = ["ransomware"] authors = ["Kevin Ross"] minimum = "2.0.4" + ttp = ["E1486"] whitelistprocs = [ "iexplore.exe", "firefox.exe", "chrome.exe", "safari.exe", @@ -70,6 +71,7 @@ class RansomwareMessageOCR(Signature): categories = ["ransomware", "ocr"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["E1486"] # NOTE: This requires OCR analysis to be correctly setup. # Enable in processing.conf after following this guide for Ubuntu or diff --git a/modules/signatures/windows/ransomware_recyclebin.py b/modules/signatures/windows/ransomware_recyclebin.py index 7777fac39..d591ec66b 100644 --- a/modules/signatures/windows/ransomware_recyclebin.py +++ b/modules/signatures/windows/ransomware_recyclebin.py @@ -11,6 +11,7 @@ class RansomwareRecyclebin(Signature): categories = ["ransomware"] authors = ["Optiv"] minimum = "2.0" + ttp = ["E1485"] def on_complete(self): for deleted in self.check_file("C:\\\\RECYCLER\\\\.*", actions=["file_deleted"], regex=True, all=True): 
diff --git a/modules/signatures/windows/ransomware_shadowcopy.py b/modules/signatures/windows/ransomware_shadowcopy.py index d5c976ed7..5580e4a98 100644 --- a/modules/signatures/windows/ransomware_shadowcopy.py +++ b/modules/signatures/windows/ransomware_shadowcopy.py @@ -13,6 +13,7 @@ class RansomwareShadowcopy(Signature): categories = ["ransomware"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["T1490"] cmdline_re = ( "wmic.*shadowcopy.*delete.*(/nointeractive)?", diff --git a/modules/signatures/windows/ransomware_wbadmin.py b/modules/signatures/windows/ransomware_wbadmin.py index ac81d06c9..281ba9a08 100644 --- a/modules/signatures/windows/ransomware_wbadmin.py +++ b/modules/signatures/windows/ransomware_wbadmin.py @@ -24,6 +24,7 @@ class RansomwareWbadmin(Signature): categories = ["ransomware"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1490"] cmdline_re = ( "wbadmin.*delete.*", diff --git a/modules/signatures/windows/reads_user_agent.py b/modules/signatures/windows/reads_user_agent.py index 1d0aac0da..9454c2dfd 100644 --- a/modules/signatures/windows/reads_user_agent.py +++ b/modules/signatures/windows/reads_user_agent.py @@ -12,7 +12,7 @@ class ReadsUserAgent(Signature): severity = 2 categories = ["stealth"] minimum = "2.0" - ttp = ["T1071"] + ttp = ["T1518", "T1082"] filter_apinames = "ObtainUserAgentString", "InternetOpenA", "InternetOpenW" diff --git a/modules/signatures/windows/recon_checkip.py b/modules/signatures/windows/recon_checkip.py index 7ab0562ed..426631834 100644 --- a/modules/signatures/windows/recon_checkip.py +++ b/modules/signatures/windows/recon_checkip.py @@ -22,6 +22,7 @@ class CheckIP(Signature): categories = ["recon"] authors = ["nex", "RedSocks"] minimum = "2.0" + ttp = ["T1016"] domains = [ "checkip.dyndns.com", diff --git a/modules/signatures/windows/recon_fingerprint.py b/modules/signatures/windows/recon_fingerprint.py index f0d6e54d7..5749cb936 100644 --- a/modules/signatures/windows/recon_fingerprint.py 
+++ b/modules/signatures/windows/recon_fingerprint.py @@ -22,6 +22,7 @@ class Fingerprint(Signature): categories = ["recon"] authors = ["nex"] minimum = "2.0" + ttp = ["T1082"] indicators = [ ".*\\\\MachineGuid$", diff --git a/modules/signatures/windows/recon_programs.py b/modules/signatures/windows/recon_programs.py index ca1a3fe9b..47625bfc6 100644 --- a/modules/signatures/windows/recon_programs.py +++ b/modules/signatures/windows/recon_programs.py @@ -11,7 +11,7 @@ class InstalledApps(Signature): categories = ["recon"] authors = ["Optiv"] minimum = "2.0" - ttp = ["T1012", "T1082"] + ttp = ["T1518"] filter_apinames = "RegQueryValueExA", "RegQueryValueExW" @@ -33,7 +33,7 @@ class QueriesInstalledApps(Signature): categories = ["recon"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1012"] + ttp = ["T1518"] filter_apinames = "RegOpenKeyExA", "RegOpenKeyExW" diff --git a/modules/signatures/windows/recon_systeminfo.py b/modules/signatures/windows/recon_systeminfo.py index a6e4e4b09..41de5bdab 100644 --- a/modules/signatures/windows/recon_systeminfo.py +++ b/modules/signatures/windows/recon_systeminfo.py @@ -24,6 +24,7 @@ class SystemInfo(Signature): categories = ["recon"] authors = ["nex"] minimum = "2.0" + ttp = ["T1016", "T1082"] def on_complete(self): for cmdline in self.get_command_lines(): diff --git a/modules/signatures/windows/self_delete_bat.py b/modules/signatures/windows/self_delete_bat.py index 0ffe40614..26df29256 100644 --- a/modules/signatures/windows/self_delete_bat.py +++ b/modules/signatures/windows/self_delete_bat.py @@ -13,7 +13,7 @@ class SelfDeleteBat(Signature): categories = ["trojan"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1070"] + ttp = ["E1007"] indicator = ( "@echo.*off.*" diff --git a/modules/signatures/windows/shellcode.py b/modules/signatures/windows/shellcode.py index d11929a0e..088628cf6 100644 --- a/modules/signatures/windows/shellcode.py +++ b/modules/signatures/windows/shellcode.py 
@@ -14,6 +14,7 @@ class MetasploitShellcode(Signature): categories = ["shellcode"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0.4" + ttp = ["E1190"] def init(self): self.family = None diff --git a/modules/signatures/windows/sniffer_winpcap.py b/modules/signatures/windows/sniffer_winpcap.py index 55eb4d20f..a21a01f59 100644 --- a/modules/signatures/windows/sniffer_winpcap.py +++ b/modules/signatures/windows/sniffer_winpcap.py @@ -22,6 +22,7 @@ class InstallsWinpcap(Signature): categories = ["sniffer"] authors = ["Thomas Birn", "nex"] minimum = "2.0" + ttp = ["M0023", "T1040"] indicators = [ ".*\\\\packet\\.dll$", diff --git a/modules/signatures/windows/stealth_childproc.py b/modules/signatures/windows/stealth_childproc.py index 922b1d370..3436c507f 100644 --- a/modules/signatures/windows/stealth_childproc.py +++ b/modules/signatures/windows/stealth_childproc.py @@ -11,6 +11,7 @@ class StealthChildProc(Signature): categories = ["stealth"] authors = ["Optiv"] minimum = "2.0" + ttp = ["T1502"] filter_apinames = [ "NtCreateProcess", diff --git a/modules/signatures/windows/stealth_hiddenextension.py b/modules/signatures/windows/stealth_hiddenextension.py index 6bf3f9828..726a31cb5 100644 --- a/modules/signatures/windows/stealth_hiddenextension.py +++ b/modules/signatures/windows/stealth_hiddenextension.py @@ -22,7 +22,7 @@ class StealthHiddenExtension(Signature): categories = ["stealth"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1158", "T1054"] + ttp = ["E1112", "E1478"] regkeys_re = [ ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt$", diff --git a/modules/signatures/windows/stealth_hiddenfile.py b/modules/signatures/windows/stealth_hiddenfile.py index 7596cafc2..423b715ea 100644 --- a/modules/signatures/windows/stealth_hiddenfile.py +++ b/modules/signatures/windows/stealth_hiddenfile.py 
@@ -11,7 +11,7 @@ class StealthHiddenFile(Signature): categories = ["stealth"] authors = ["Optiv"] minimum = "2.0" - ttp = ["T1158", "T1054"] + ttp = ["E1112", "E1478"] regkeys_re = [ ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden$", diff --git a/modules/signatures/windows/stealth_hiddenicons.py b/modules/signatures/windows/stealth_hiddenicons.py index 85a12d3ff..366aab3cb 100644 --- a/modules/signatures/windows/stealth_hiddenicons.py +++ b/modules/signatures/windows/stealth_hiddenicons.py @@ -22,7 +22,7 @@ class StealthHiddenIcons(Signature): categories = ["stealth"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1158", "T1054"] + ttp = ["E1112", "E1478"] regkeys_re = [ ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideIcons$", diff --git a/modules/signatures/windows/stealth_hidenotifications.py b/modules/signatures/windows/stealth_hidenotifications.py index 1476dcd96..798a4f3e3 100644 --- a/modules/signatures/windows/stealth_hidenotifications.py +++ b/modules/signatures/windows/stealth_hidenotifications.py @@ -11,7 +11,7 @@ class StealthHideNotifications(Signature): categories = ["stealth"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1054"] + ttp = ["E1054", "E1112"] regkeys_re = [ ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth$", diff --git a/modules/signatures/windows/stops_service.py b/modules/signatures/windows/stops_service.py index ad45eaf64..221590087 100644 --- a/modules/signatures/windows/stops_service.py +++ b/modules/signatures/windows/stops_service.py @@ -13,7 +13,7 @@ class StopsService(Signature): categories = ["anti-av"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1031", "T1089"] + ttp = ["T1489", "E1112"] indicator = ( "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\services\\\\(.*)\\\\Start" 
diff --git a/modules/signatures/windows/volatility_sig.py b/modules/signatures/windows/volatility_sig.py index 7e3f77712..5d0a8790a 100644 --- a/modules/signatures/windows/volatility_sig.py +++ b/modules/signatures/windows/volatility_sig.py @@ -11,7 +11,7 @@ class VolMalfind1(Signature): categories = ["generic"] authors = ["Thorsten Sick"] minimum = "2.0" - ttp = ["T1055"] + ttp = ["E1055"] def on_complete(self): pids = set() @@ -89,7 +89,7 @@ class VolSvcscan1(Signature): authors = ["Thorsten Sick"] families = ["Zero access"] minimum = "2.0" - ttp = ["T1031"] + ttp = ["E1089"] def on_complete(self): for row in self.get_volatility("svcscan").get("data", []): @@ -107,7 +107,7 @@ class VolSvcscan2(Signature): authors = ["Thorsten Sick"] families = ["Zero access"] minimum = "2.0" - ttp = ["T1031", "T1089"] + ttp = ["E1089"] def on_complete(self): for row in self.get_volatility("svcscan").get("data", []): @@ -125,7 +125,7 @@ class VolSvcscan3(Signature): authors = ["Thorsten Sick"] families = ["Zero access"] minimum = "2.0" - ttp = ["T1031"] + ttp = ["E1089"] def on_complete(self): for row in self.get_volatility("svcscan").get("data", []): @@ -158,7 +158,7 @@ class VolHandles1(Signature): categories = ["generic"] authors = ["Thorsten Sick"] minimum = "2.0" - ttp = ["T1055"] + ttp = ["E1055"] def on_complete(self): threads = set() diff --git a/modules/signatures/windows/wmi.py b/modules/signatures/windows/wmi.py index 95204ae50..aa90f1120 100644 --- a/modules/signatures/windows/wmi.py +++ b/modules/signatures/windows/wmi.py @@ -53,7 +53,7 @@ class WMIAntiVM(Signature): categories = ["wmi", "anti-vm"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1047"] + ttp = ["M0009", "T1047", "T1497"] antivm = [ "win32_processor", From 63ba322879ebb70cb4e9f1161e00faf0c36f2261 Mon Sep 17 00:00:00 2001 
From: Emmanuelle Vargas-Gonzalez Date: Wed, 15 Apr 2020 15:30:02 -0400 Subject: [PATCH 02/12] Finish update signatures to use MBC TTPs upon second review --- .../android/application_aborted_broadcast_receiver.py | 1 + modules/signatures/cross/html_flash.py | 1 + modules/signatures/cross/js_eval.py | 1 + modules/signatures/cross/js_iframe.py | 1 + modules/signatures/network/network_cnc_http.py | 1 + modules/signatures/network/network_wscript.py | 1 + modules/signatures/windows/allocates_rwx.py | 1 + modules/signatures/windows/antivirus_detection_cn.py | 2 +- modules/signatures/windows/browser_bho.py | 2 +- modules/signatures/windows/browser_security.py | 2 +- modules/signatures/windows/bypass_firewall.py | 2 +- modules/signatures/windows/cloud_dropbox.py | 2 +- modules/signatures/windows/cloud_google.py | 2 +- modules/signatures/windows/cloudflare.py | 1 + modules/signatures/windows/creates_largekey.py | 2 +- modules/signatures/windows/creates_null_reg_entry.py | 2 +- modules/signatures/windows/exploitation.py | 7 +++++++ modules/signatures/windows/injection_network_traffic.py | 2 +- modules/signatures/windows/locates_browser.py | 2 +- modules/signatures/windows/locker_cmd.py | 2 +- modules/signatures/windows/locker_regedit.py | 2 +- modules/signatures/windows/locker_taskmgr.py | 2 +- modules/signatures/windows/memdump_urls.py | 2 ++ modules/signatures/windows/modifies_certs.py | 2 +- modules/signatures/windows/modifies_uac_notify.py | 2 +- modules/signatures/windows/moves_self.py | 1 + modules/signatures/windows/office.py | 4 ++++ modules/signatures/windows/office_packager.py | 2 +- modules/signatures/windows/payload_download.py | 4 ++-- .../signatures/windows/persistence_registry_fileless.py | 4 ++-- modules/signatures/windows/powershell.py | 4 ++-- modules/signatures/windows/privileges.py | 1 + modules/signatures/windows/raises_exception.py | 2 ++ modules/signatures/windows/volatility_sig.py | 4 ++++ modules/signatures/windows/windows_console.py | 1 + 35 files 
changed, 52 insertions(+), 22 deletions(-) diff --git a/modules/signatures/android/application_aborted_broadcast_receiver.py b/modules/signatures/android/application_aborted_broadcast_receiver.py index 679dec597..7859fad90 100644 --- a/modules/signatures/android/application_aborted_broadcast_receiver.py +++ b/modules/signatures/android/application_aborted_broadcast_receiver.py @@ -11,6 +11,7 @@ class AndroidAbortBroadcast(Signature): categories = ["android"] authors = ["Check Point Software Technologies LTD"] minimum = "2.0" + ttp = ["E1054"] def on_complete(self): if "abortBroadcast" in self.get_droidmon("events", []): diff --git a/modules/signatures/cross/html_flash.py b/modules/signatures/cross/html_flash.py index cf86113fb..fe0381b80 100644 --- a/modules/signatures/cross/html_flash.py +++ b/modules/signatures/cross/html_flash.py @@ -17,6 +17,7 @@ class HtmlFlash(Signature): categories = ["exploit"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["E1203"] filter_apinames = "CElement_put_innerHTML", diff --git a/modules/signatures/cross/js_eval.py b/modules/signatures/cross/js_eval.py index 77039eb60..19a38b44b 100644 --- a/modules/signatures/cross/js_eval.py +++ b/modules/signatures/cross/js_eval.py @@ -11,6 +11,7 @@ class EvalJS(Signature): categories = ["unpacking"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["T1064"] filter_apinames = "COleScript_Compile", diff --git a/modules/signatures/cross/js_iframe.py b/modules/signatures/cross/js_iframe.py index 4ef197224..af96aa8c6 100644 --- a/modules/signatures/cross/js_iframe.py +++ b/modules/signatures/cross/js_iframe.py @@ -13,6 +13,7 @@ class JsIframe(Signature): categories = ["obfuscation"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["T1064"] filter_apinames = "CIFrameElement_CreateElement", diff --git a/modules/signatures/network/network_cnc_http.py b/modules/signatures/network/network_cnc_http.py index a8efcc39a..1d9c1f986 100644 
--- a/modules/signatures/network/network_cnc_http.py +++ b/modules/signatures/network/network_cnc_http.py @@ -58,6 +58,7 @@ class NetworkCnCHTTP(Signature): categories = ["http", "cnc"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1071", "M0030"] filter_analysistypes = set(["file"]) diff --git a/modules/signatures/network/network_wscript.py b/modules/signatures/network/network_wscript.py index 66a7fdc96..bb359c49c 100644 --- a/modules/signatures/network/network_wscript.py +++ b/modules/signatures/network/network_wscript.py @@ -22,6 +22,7 @@ class WscriptDownloader(Signature): categories = ["downloader"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1064", "T1105"] filter_apinames = [ "InternetCrackUrlW", diff --git a/modules/signatures/windows/allocates_rwx.py b/modules/signatures/windows/allocates_rwx.py index 84e943082..7a13f9009 100644 --- a/modules/signatures/windows/allocates_rwx.py +++ b/modules/signatures/windows/allocates_rwx.py @@ -35,6 +35,7 @@ class AllocatesExecuteRemoteProccess(Signature): categories = ["injection", "shellcode"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["E1055"] filter_apinames = "NtAllocateVirtualMemory", "NtProtectVirtualMemory" process_handles = ["0xffffffff", "0xffffffffffffffff"] diff --git a/modules/signatures/windows/antivirus_detection_cn.py b/modules/signatures/windows/antivirus_detection_cn.py index 72c5d3dce..bd66ae82f 100644 --- a/modules/signatures/windows/antivirus_detection_cn.py +++ b/modules/signatures/windows/antivirus_detection_cn.py @@ -13,7 +13,7 @@ class AVDetectionChinaKey(Signature): families = ["china"] authors = ["RedSocks"] minimum = "2.0" - ttp = ["T1063", "T1012"] + ttp = ["T1012", "T1063"] indicators = [ ".*360Safe", diff --git a/modules/signatures/windows/browser_bho.py b/modules/signatures/windows/browser_bho.py index 6ba003d85..7c7db0ca9 100644 --- a/modules/signatures/windows/browser_bho.py +++ b/modules/signatures/windows/browser_bho.py 
@@ -11,7 +11,7 @@ class InstallsBHO(Signature): categories = ["browser"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1176","E1112"] + ttp = ["T1176", "E1112"] regkeys_re = [ ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Browser\\ Helper\\ Objects", diff --git a/modules/signatures/windows/browser_security.py b/modules/signatures/windows/browser_security.py index 8f57f53c4..2ec99f9a1 100644 --- a/modules/signatures/windows/browser_security.py +++ b/modules/signatures/windows/browser_security.py @@ -22,7 +22,7 @@ class BrowserSecurity(Signature): categories = ["browser", "clickfraud", "banker"] authors = ["Kevin Ross", "Optiv"] minimum = "2.0" - ttp = ["T1089"] + ttp = ["E1112", "E1478"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Privacy\\\\EnableInPrivateMode", diff --git a/modules/signatures/windows/bypass_firewall.py b/modules/signatures/windows/bypass_firewall.py index 65ab6f150..4d94e9b8b 100644 --- a/modules/signatures/windows/bypass_firewall.py +++ b/modules/signatures/windows/bypass_firewall.py @@ -24,7 +24,7 @@ class BypassFirewall(Signature): categories = ["bypass"] authors = ["Anderson Tamborim", "nex", "Kevin Ross"] minimum = "2.0" - ttp = ["T1031"] + ttp = ["E1089", "E1478"] indicator = ".*\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\.*" def on_complete(self): diff --git a/modules/signatures/windows/cloud_dropbox.py b/modules/signatures/windows/cloud_dropbox.py index b02bf56f6..de3476812 100644 --- a/modules/signatures/windows/cloud_dropbox.py +++ b/modules/signatures/windows/cloud_dropbox.py @@ -12,7 +12,7 @@ class DropBox(Signature): categories = ["cloud"] authors = ["RedSocks"] minimum = "2.0" - ttp = ["T1135", "T1102"] + ttp = ["T1102", "T1135"] domains = [ "dropbox.com", diff --git a/modules/signatures/windows/cloud_google.py b/modules/signatures/windows/cloud_google.py index 30648aa9f..8b30cc346 100644 
--- a/modules/signatures/windows/cloud_google.py +++ b/modules/signatures/windows/cloud_google.py @@ -11,7 +11,7 @@ class CloudGoogle(Signature): categories = ["cloud"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1105", "T1102"] + ttp = ["T1102", "T1105"] domains = [ "docs.google.com", diff --git a/modules/signatures/windows/cloudflare.py b/modules/signatures/windows/cloudflare.py index 9620dcd18..8175c4f54 100644 --- a/modules/signatures/windows/cloudflare.py +++ b/modules/signatures/windows/cloudflare.py @@ -12,6 +12,7 @@ class CloudFlare(Signature): categories = ["Cloudflare"] authors = ["RedSocks"] minimum = "2.0" + ttp = ["T1049"] domains = [ "cloudflare.com", diff --git a/modules/signatures/windows/creates_largekey.py b/modules/signatures/windows/creates_largekey.py index 68c1ca966..aa57705d5 100644 --- a/modules/signatures/windows/creates_largekey.py +++ b/modules/signatures/windows/creates_largekey.py @@ -29,7 +29,7 @@ class CreatesLargeKey(Signature): categories = ["stealth"] authors = ["Optiv"] minimum = "2.0" - ttp = ["T1112"] + ttp = ["M0040", "E1112"] evented = True filter_apinames = set(["NtSetValueKey", "RegSetValueExA", "RegSetValueExW"]) diff --git a/modules/signatures/windows/creates_null_reg_entry.py b/modules/signatures/windows/creates_null_reg_entry.py index a196ce7bd..2834b031a 100644 --- a/modules/signatures/windows/creates_null_reg_entry.py +++ b/modules/signatures/windows/creates_null_reg_entry.py @@ -12,7 +12,7 @@ class CreatesNullRegistryEntry(Signature): severity = 2 categories = ["stealth"] minimum = "2.0" - ttp = ["T1054", "T1112"] + ttp = ["E1054", "E1112"] filter_apinames = ( "NtSetValueKey", "NtCreateKey", "RegCreateKeyExA", "RegCreateKeyExW", "RegSetValueExA", "RegSetValueExW", diff --git a/modules/signatures/windows/exploitation.py b/modules/signatures/windows/exploitation.py index 568d15a5f..1361b8fe6 100644 --- a/modules/signatures/windows/exploitation.py +++ b/modules/signatures/windows/exploitation.py 
@@ -103,6 +103,7 @@ class StackPivot(Signature): categories = ["exploit", "rop"] authors = ["Optiv", "Kevin Ross"] minimum = "2.0" + ttp = ["E1203"] filter_apinames = critical_apinames @@ -266,7 +267,10 @@ class StackPivotShellcodeAPIs(Signature): categories = ["exploit", "rop", "shellcode"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["E1203"] + evented = True + def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) self.ignore = False @@ -304,7 +308,10 @@ class StackPivotShellcodeCreateProcess(Signature): categories = ["exploit", "rop", "shellcode"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["E1203"] + evented = True + def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) self.ignore = False diff --git a/modules/signatures/windows/injection_network_traffic.py b/modules/signatures/windows/injection_network_traffic.py index 2d99e6b13..25e68663c 100644 --- a/modules/signatures/windows/injection_network_traffic.py +++ b/modules/signatures/windows/injection_network_traffic.py @@ -21,7 +21,7 @@ class InjectionNetworkTraffic(Signature): categories = ["injection", "cnc", "stealth"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1071"] + ttp = ["E1055"] def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) diff --git a/modules/signatures/windows/locates_browser.py b/modules/signatures/windows/locates_browser.py index c0c82bda7..4b4f69801 100644 --- a/modules/signatures/windows/locates_browser.py +++ b/modules/signatures/windows/locates_browser.py @@ -9,7 +9,7 @@ class LocatesBrowser(Signature): description = "Tries to locate where the browsers are installed" severity = 1 authors = ["Cuckoo Technologies"] - minimum = "2.0 + minimum = "2.0" ttp = ["T1518"] files_re = [ diff --git a/modules/signatures/windows/locker_cmd.py b/modules/signatures/windows/locker_cmd.py index 0f442a19c..80ef49463 100644 --- a/modules/signatures/windows/locker_cmd.py 
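Review bot: The `@@ -266,7 +267,10 @@` hunk for StackPivotShellcodeAPIs adds `evented = True` in addition to the new `ttp` tag, which appears to be a dispatch/behaviour change rather than a mapping update, and the commit subject ("Finish update signatures to use MBC TTPs") does not mention it; the StackPivotShellcodeCreateProcess hunk right after it does the same. If the flag is required for these classes (both define `__init__` and presumably per-call handlers outside the hunk), say so in the message or a short comment such as `# evented: per-call hooks below need the evented dispatch path`, or move it to a separate commit so this one stays metadata-only. Both class bodies continue past the hunk, so the handlers the flag affects are not visible here.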
+++ b/modules/signatures/windows/locker_cmd.py @@ -11,7 +11,7 @@ class DisableCmd(Signature): categories = ["locker"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1112"] + ttp = ["T1499", "E1112"] indicator = ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion" \ "\\\\Policies\\\\System\\DisableCmd$" diff --git a/modules/signatures/windows/locker_regedit.py b/modules/signatures/windows/locker_regedit.py index edcdb72a5..8190a611f 100644 --- a/modules/signatures/windows/locker_regedit.py +++ b/modules/signatures/windows/locker_regedit.py @@ -22,7 +22,7 @@ class DisableRegedit(Signature): categories = ["locker"] authors = ["Thomas Birn", "nex"] minimum = "2.0" - ttp = ["T1112"] + ttp = ["T1499", "E1112"] indicator = ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion" \ "\\\\Policies\\\\System\\DisableRegistryTools$" diff --git a/modules/signatures/windows/locker_taskmgr.py b/modules/signatures/windows/locker_taskmgr.py index 958600a6f..a2784f54c 100644 --- a/modules/signatures/windows/locker_taskmgr.py +++ b/modules/signatures/windows/locker_taskmgr.py @@ -22,7 +22,7 @@ class DisableTaskMgr(Signature): categories = ["locker"] authors = ["Thomas Birn", "nex"] minimum = "2.0" - ttp = ["T1112"] + ttp = ["T1499", "E1112"] indicator = ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion" \ "\\\\Policies\\\\System\\\\DisableTaskMgr$" diff --git a/modules/signatures/windows/memdump_urls.py b/modules/signatures/windows/memdump_urls.py index 2100a0209..ae8c5cbb9 100644 --- a/modules/signatures/windows/memdump_urls.py +++ b/modules/signatures/windows/memdump_urls.py @@ -32,6 +32,7 @@ class ProcMemDumpTorURLs(Signature): categories = ["unpacking", "ransomware", "c2"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1188"] def on_complete(self): # List based on https://github.com/cuckoosandbox/community/blob/master/modules/signatures/network/network_torgateway.py 
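Review bot: The indicator on the context lines of the locker_cmd.py hunk ends in `"\\\\Policies\\\\System\\DisableCmd$"`, where the single doubled backslash before `D` yields the regex escape `\D` (any non-digit character) followed by `isableCmd`, not a literal backslash; it only matches the real value name because a backslash happens to be a non-digit, and it would equally match `SystemXDisableCmd`. The locker_taskmgr.py hunk in this same patch escapes the separator correctly as `\\\\DisableTaskMgr$`. Suggest `"\\\\Policies\\\\System\\\\DisableCmd$"` so the pattern is explicit rather than accidentally right.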
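Review bot: The locker_regedit.py indicator has the same escaping slip as locker_cmd.py: `"\\\\Policies\\\\System\\DisableRegistryTools$"` compiles to the regex escape `\D` (any non-digit) plus `isableRegistryTools` instead of a literal backslash, so the match on the real `System\DisableRegistryTools` value is coincidental. Since this patch already touches the line above it, changing it to `"\\\\Policies\\\\System\\\\DisableRegistryTools$"` would bring it in line with locker_taskmgr.py's `\\\\DisableTaskMgr$` in the next hunk.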
@@ -77,6 +78,7 @@ class ProcMemDumpIPURLs(Signature): categories = ["unpacking", "c2"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["M0030"] def on_complete(self): ip = re.compile("^(http|https)\:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") diff --git a/modules/signatures/windows/modifies_certs.py b/modules/signatures/windows/modifies_certs.py index 851021b92..9ae332247 100644 --- a/modules/signatures/windows/modifies_certs.py +++ b/modules/signatures/windows/modifies_certs.py @@ -22,7 +22,7 @@ class ModifiesCertificates(Signature): categories = ["infostealer", "banker"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1112"] + ttp = ["T1130", "E1112"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\SystemCertificates\\\\.*\\\\Certificates\\\\.*", diff --git a/modules/signatures/windows/modifies_uac_notify.py b/modules/signatures/windows/modifies_uac_notify.py index 61b12c477..376ab765f 100644 --- a/modules/signatures/windows/modifies_uac_notify.py +++ b/modules/signatures/windows/modifies_uac_notify.py @@ -11,7 +11,7 @@ class ModifiesUACNotify(Signature): categories = ["stealth"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1088"] + ttp = ["T1088", "E1112"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin", diff --git a/modules/signatures/windows/moves_self.py b/modules/signatures/windows/moves_self.py index 067f27cc8..e87329f11 100644 --- a/modules/signatures/windows/moves_self.py +++ b/modules/signatures/windows/moves_self.py @@ -11,6 +11,7 @@ class MovesSelf(Signature): severity = 2 categories = ["stealth"] minimum = "2.0" + ttp = ["E1158"] filter_apinames = ( "MoveFileWithProgressW", "MoveFileWithProgressTransactedW", diff --git a/modules/signatures/windows/office.py b/modules/signatures/windows/office.py index 2ffb918bb..69ad4d464 100644 --- a/modules/signatures/windows/office.py +++ b/modules/signatures/windows/office.py 
@@ -58,6 +58,7 @@ class OfficeCheckProjectName(Signature): categories = ["vba"] authors = ["FDD", "Cuckoo Sandbox"] minimum = "2.0" + ttp = ["M0038", "M0007"] filter_apinames = "vbe6_Invoke", @@ -93,6 +94,7 @@ class OfficeCheckVersion(Signature): categories = ["vba"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0" + ttp = ["M0009", "T1518"] filter_apinames = "vbe6_Invoke", @@ -116,6 +118,7 @@ class OfficeCheckWindow(Signature): categories = ["vba"] authors = ["FDD @ Cuckoo Technologies"] minimum = "2.0" + ttp = ["M0009", "T1010"] filter_apinames = "vbe6_Invoke", @@ -218,6 +221,7 @@ class OfficeCheckName(Signature): categories = ["office"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0" + ttp = ["M0038", "M0007", "T1064"] patterns = [ "[^\n\r;']*Me.Name[^\n\r;']*", diff --git a/modules/signatures/windows/office_packager.py b/modules/signatures/windows/office_packager.py index 912eb2149..6b2d4bf88 100644 --- a/modules/signatures/windows/office_packager.py +++ b/modules/signatures/windows/office_packager.py @@ -22,7 +22,7 @@ class OfficePackager(Signature): categories = ["dropper", "office"] authors = ["nex"] minimum = "2.0" - ttp = ["T1203"] + ttp = ["E1203"] filter_apinames = [ "CreateProcessInternalW", diff --git a/modules/signatures/windows/payload_download.py b/modules/signatures/windows/payload_download.py index 7bb021e32..ec679ee5f 100644 --- a/modules/signatures/windows/payload_download.py +++ b/modules/signatures/windows/payload_download.py @@ -23,7 +23,7 @@ class NetworkDocumentFile(Signature): categories = ["exploit", "downloader"] authors = ["Kevin Ross", "Will Metcalf"] minimum = "2.0" - ttp = ["M0023"] + ttp = ["T1071", "T1105"] def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) 
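Review bot: The `ttp` lists added to OfficeCheckProjectName and OfficeCheckName are `["M0038", "M0007"]` and `["M0038", "M0007", "T1064"]`, which breaks the ascending ordering this same patch imposes elsewhere (antivirus_detection_cn.py, cloud_dropbox.py and cloud_google.py are re-sorted purely to order their IDs). If sorted lists are the intended convention, write `ttp = ["M0007", "M0038"]` and `ttp = ["M0007", "M0038", "T1064"]`; OfficeCheckVersion and OfficeCheckWindow in the adjacent hunks are already in that order.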
@@ -66,7 +66,7 @@ class NetworkEXE(Signature): categories = ["exploit", "downloader"] authors = ["Kevin Ross", "Will Metcalf"] minimum = "2.0" - ttp = ["T1129"] + ttp = ["M0023"] def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) diff --git a/modules/signatures/windows/persistence_registry_fileless.py b/modules/signatures/windows/persistence_registry_fileless.py index d01e3f699..cdd0558a5 100644 --- a/modules/signatures/windows/persistence_registry_fileless.py +++ b/modules/signatures/windows/persistence_registry_fileless.py @@ -45,7 +45,7 @@ class PersistenceRegistryEXE(Signature): authors = ["Kevin Ross"] minimum = "2.0" evented = True - ttp = ["T1112"] + ttp = ["M0040", "E1112"] filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"]) @@ -67,7 +67,7 @@ class PersistenceRegistryPowershell(Signature): authors = ["Kevin Ross"] minimum = "2.0" evented = True - ttp = ["T1112"] + ttp = ["E1112", "T1086"] filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"]) diff --git a/modules/signatures/windows/powershell.py b/modules/signatures/windows/powershell.py index bb28820ca..c9f3053ea 100644 --- a/modules/signatures/windows/powershell.py +++ b/modules/signatures/windows/powershell.py @@ -149,7 +149,7 @@ class PowershellDI(Signature): categories = ["script", "dropper", "downloader", "malware", "powershell"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0.4" - ttp = ["T1086"] + ttp = ["T1086", "T1105"] def on_yara(self, category, filepath, match): if match.name != "PowershellDI": @@ -246,7 +246,7 @@ class PowershellRequest(Signature): categories = ["downloader"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1086", "T1071"] + ttp = ["T1086"] filter_apinames = [ "send", diff --git a/modules/signatures/windows/privileges.py b/modules/signatures/windows/privileges.py index 1c8c8cbe9..933830848 100644 --- a/modules/signatures/windows/privileges.py 
+++ b/modules/signatures/windows/privileges.py @@ -21,6 +21,7 @@ class PrivilegeLUIDCheck(Signature): categories = ["privileges"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1134"] filter_apinames = [ "LookupPrivilegeValueA", diff --git a/modules/signatures/windows/raises_exception.py b/modules/signatures/windows/raises_exception.py index ef44fe8ef..05c98dbbb 100644 --- a/modules/signatures/windows/raises_exception.py +++ b/modules/signatures/windows/raises_exception.py @@ -10,6 +10,7 @@ class RaisesException(Signature): severity = 1 authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["T1082"] filter_apinames = "__exception__", @@ -52,6 +53,7 @@ class ApplicationExceptionCrash(Signature): categories = ["exploit", "crash"] authors = ["Cuckoo Technologies", "Kevin Ross"] minimum = "2.0" + ttp = ["T1082"] filter_apinames = "__exception__", diff --git a/modules/signatures/windows/volatility_sig.py b/modules/signatures/windows/volatility_sig.py index 5d0a8790a..c6f356fa4 100644 --- a/modules/signatures/windows/volatility_sig.py +++ b/modules/signatures/windows/volatility_sig.py @@ -31,6 +31,7 @@ class VolLdrModules1(Signature): categories = ["generic"] authors = ["Thorsten Sick"] minimum = "2.0" + ttp = ["E1055"] # http://mnin.blogspot.de/2011/06/examining-stuxnets-footprint-in-memory.html @@ -53,6 +54,7 @@ class VolLdrModules2(Signature): categories = ["generic"] authors = ["Thorsten Sick"] minimum = "2.0" + ttp = ["E1105"] # http://mnin.blogspot.de/2011/06/examining-stuxnets-footprint-in-memory.html @@ -71,6 +73,7 @@ class VolDevicetree1(Signature): authors = ["Thorsten Sick"] families = ["Zero access"] minimum = "2.0" + ttp = ["E1215"] # http://mnin.blogspot.de/2011/10/zeroaccess-volatility-and-kernel-timers.html @@ -143,6 +146,7 @@ class VolModscan1(Signature): authors = ["Thorsten Sick"] families = ["Zero access"] minimum = "2.0" + ttp = ["E1215"] def on_complete(self): for row in self.get_volatility("modscan").get("data", []): 
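Review bot: Tagging RaisesException with `ttp = ["T1082"]` looks like a mis-mapping: in this same series T1082 is the ID given to the `recon`-category signatures recon_fingerprint.py and recon_systeminfo.py, whereas this signature filters on `__exception__` events and shows no discovery behaviour, and the ApplicationExceptionCrash hunk that follows (categories `exploit`, `crash`) receives the same tag. If the intent is to record exploitation, `E1203` as applied to StackPivot and office_packager.py in this patch would be the consistent choice; if T1082 is deliberate, a short comment such as `# T1082: crashes are used here as a proxy for environment probing` would stop the next mapper from "fixing" it.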
diff --git a/modules/signatures/windows/windows_console.py b/modules/signatures/windows/windows_console.py index 94663455f..c4d061298 100644 --- a/modules/signatures/windows/windows_console.py +++ b/modules/signatures/windows/windows_console.py @@ -22,6 +22,7 @@ class ConsoleOutput(Signature): categories = ["command"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["T1059"] filter_apinames = [ "WriteConsoleA", From f2fc88e5ff2def07fdb8a1d3624557b792b5d321 Mon Sep 17 00:00:00 2001 From: "Beck, Desiree A" Date: Wed, 15 Apr 2020 16:20:51 -0400 Subject: [PATCH 03/12] Update README.md with mapping info --- README.md | 133 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 95 insertions(+), 38 deletions(-) diff --git a/README.md b/README.md index 90eaee17b..881665599 100644 --- a/README.md +++ b/README.md 
@@ -1,50 +1,107 @@ -Community Repository -==================== +# Cuckoo Community Signature-MBC Mappings # -This is an open repository dedicated to **contributions from the commmunity**. -Here you are able to submit the custom modules that you wrote for your Cuckoo -Sandbox setup and that you want to share with the rest of the community. +The MBC team has mapped [Cuckoo community signatures](https://github.com/cuckoosandbox/community) into MBC. Of the 560+ signatures available in the community repository, approximately 275 are appropriate for mapping into MBC (the others are anti-virus related signatures that identify specific threats). -We believe that there's high value and potential in the malware research -community to be more transparent and cooperative and this wants to be an -initiative to support it. +Approximately 140 of the signatures were already mapped into ATT&CK. We added new signatures, possible because MBC includes malware-related behaviors that ATT&CK doesn't. We also revised 80 of the ATT&CK mappings according to MBC's malware-focused content. -We have recently started a [changelog](CHANGELOG.md) with documentation on -recent changes. We expect this to grow overtime! +Below, we explain how these signatures are used. We begin with an example Python signature and then show report output. -How to use it -------------- +Example Cuckoo Signature +------------------------ -You will find that all the directories here share the same structure of our -latest Cuckoo Sandbox release. Potentially you could just download the whole -repository and extract it in Cuckoo's root directory, but we suggest you to -manually take care of copying just the modules you are interested in. +This signature example (antisandbox_sleep.py) was not mapped to an ATT&CK technique. We map it to **Dynamic Analysis Evasion [M0003]** as shown below (see the ttp variable). -Cuckoo also provides an utility to automatically download and install -latest modules. 
You can do so by running the `cuckoo community` command. +```python +from lib.cuckoo.common.abstracts import Signature + +class AntiSandboxSleep(Signature): + name = "antisandbox_sleep" + description = "A process attempted to delay the analysis task." + severity = 2 + categories = ["anti-sandbox"] + authors = ["KillerInstinct"] + minimum = "2.0" + ttp = ["M0003"] + + filter_apinames = "NtDelayExecution", + + whitelist = [ + "dwm.exe", + "adobearm.exe", + "iexplore.exe", + "acrord32.exe", + "winword.exe", + "excel.exe", + ] + + def init(self): + self.sleeps = {} + + def on_call(self, call, process): + procname = process["process_name"] + if procname not in self.sleeps: + self.sleeps[procname] = { + "attempt": 0, + "actual": 0, + } + + milliseconds = call["arguments"]["milliseconds"] + + self.sleeps[procname]["attempt"] += milliseconds -Being a community-driven repository we, as the Cuckoo Sandbox developers, -do not take any responsibility for the validity of the code submitted. -We will try to keep this place in order, but we can't guarantee the -quality of the modules here available and therefore do not provide any -assistance on eventual malfunctions. + if not call["arguments"]["skipped"]: + self.sleeps[procname]["actual"] += milliseconds -Contributing ------------- + def on_complete(self): + for process_name, info in self.sleeps.items(): + if process_name.lower() in self.whitelist: + continue -If you have one or more Signatures you'd like to share, please make a pull -request and we'll take care of it eventually. + if info["attempt"] >= 120000: + attempted = info["attempt"] / 1000 + actual = info["actual"] / 1000 + self.mark(description="%s tried to sleep %s seconds, actually delayed analysis time by %s seconds" % (process_name, attempted, actual)) -Before submitting your request make sure that: -* You take a look at the [community guidelines](https://cuckoo.sh/docs/introduction/community.html) -* Your code is working. 
-* Your code is unique: don't reinvent the wheel and check whether someone already provided a similar solution. -* Your code is relevant to the project and actually adds some value. -* Your code is placed in the correct directory. + if info["attempt"] >= 1200000: + self.severity = 3 -There are many factors that make it easier for us to merge your pull request. -Inclusion of `sample hashes`, before and after results, and tested -environment(s) really help us with evaluating your potential contributions, -and as such make the merge it more quickly. + return self.has_marks() +``` -We take the discretion to approve or reject submissions at our will. +Cuckoo Reports +-------------- + +The signature section of a Cuckoo report specifies associated MBC behavior as shown in the example below (Dynamic Analysis Evasion [M0003] behavior is shown). + +```json +"signatures": [ + { + "families": [], + "description": "A process attempted to delay the analysis task.", + "severity": 1, + "ttp": { + "M0003": { + "short": "Dynamic Analysis Evasion", + "long": "Malware may obstruct dynamic analysis in a sandbox, emulator, or virtual " + } + }, + "markcount": 1, + "references": "...", + "marks": "...", + "name": "antisandbox_sleep" + } +] +``` + +How to Use the Repository +------------------------- + +The open repository is dedicated to contributions from the commmunity. +Users can submit custom modules for sharing with the rest of the community. Please see the [Cuckoo community signatures](https://github.com/cuckoosandbox/community) for more information. + +All the directories here share the same structure as the +latest Cuckoo Sandbox release. While it's possible to download the whole +repository and extract it in Cuckoo's root directory, it is suggested that only the modules of interest are copied. + +Cuckoo also provides an utility to automatically download and install +latest modules. You can do so by running the `cuckoo community` command. \ No newline at end of file 
From 38ce54504ba6066a1376a939d0f40a15138a1a42 Mon Sep 17 00:00:00 2001 From: "Beck, Desiree A" Date: Wed, 15 Apr 2020 16:24:34 -0400 Subject: [PATCH 04/12] update --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 881665599..59f7105d1 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ The MBC team has mapped [Cuckoo community signatures](https://github.com/cuckoos Approximately 140 of the signatures were already mapped into ATT&CK. We added new signatures, possible because MBC includes malware-related behaviors that ATT&CK doesn't. We also revised 80 of the ATT&CK mappings according to MBC's malware-focused content. -Below, we explain how these signatures are used. We begin with an example Python signature and then show report output. +Below, we explain how these signatures are used. We begin with an example Python signature and then show report output. We end with information on how to use the signature repository. Example Cuckoo Signature ------------------------ @@ -96,8 +96,8 @@ The signature section of a Cuckoo report specifies associated MBC behavior as sh How to Use the Repository ------------------------- -The open repository is dedicated to contributions from the commmunity. -Users can submit custom modules for sharing with the rest of the community. Please see the [Cuckoo community signatures](https://github.com/cuckoosandbox/community) for more information. +The [Cuckoo community repository](https://github.com/cuckoosandbox/community) is open and dedicated to contributions from the commmunity. +Users can submit custom modules for sharing with the rest of the community. All the directories here share the same structure as the latest Cuckoo Sandbox release. While it's possible to download the whole From 2edf99e55b3f5b9256ed4b0345fa505f99b2a043 Mon Sep 17 00:00:00 2001 
From: "Beck, Desiree A"
Date: Wed, 15 Apr 2020 16:27:03 -0400
Subject: [PATCH 05/12] Update README.md
---
 README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 59f7105d1..c643b360e 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,10 @@
 # Cuckoo Community Signature-MBC Mappings #
-The MBC team has mapped [Cuckoo community signatures](https://github.com/cuckoosandbox/community) into MBC. Of the 560+ signatures available in the community repository, approximately 275 are appropriate for mapping into MBC (the others are anti-virus related signatures that identify specific threats).
+The MBC team has mapped [Cuckoo community signatures](https://github.com/cuckoosandbox/community) into MBC. Of the 560+ signatures available, approximately 275 are appropriate for mapping into MBC (the others are anti-virus related signatures that identify specific threats).
-Approximately 140 of the signatures were already mapped into ATT&CK. We added new signatures, possible because MBC includes malware-related behaviors that ATT&CK doesn't. We also revised 80 of the ATT&CK mappings according to MBC's malware-focused content.
+Approximately 140 of the signatures were already mapped into ATT&CK. We added new signatures, which was possible because MBC includes malware-related behaviors that ATT&CK doesn't. We also used MBC's malware-focused content to revise 80 of the existing ATT&CK mappings.
-Below, we explain how these signatures are used. We begin with an example Python signature and then show report output. We end with information on how to use the signature repository.
+Below, we explain how these signatures are used. We begin with an example Python signature and then show example Cuckoo report output. We conclude with information on using the signature repository.
 Example Cuckoo Signature
 ------------------------
From f734c7d7452d926a8485e51e1d6718783eb2cf81 Mon Sep 17 00:00:00 2001
From: Emmanuelle Vargas-Gonzalez
Date: Wed, 15 Apr 2020 18:27:04 -0400
Subject: [PATCH 06/12] fix typos while updating ttp fields - update README.md
---
 README.md | 55 +++---------------- .../signatures/network/network_torgateway.py | 1 + modules/signatures/windows/antivm_disksize.py | 3 +- .../windows/antivm_vbox_provname.py | 3 +- .../signatures/windows/applocker_bypass.py | 2 +- .../signatures/windows/browser_security.py | 2 +- modules/signatures/windows/bypass_firewall.py | 2 +- modules/signatures/windows/clears_logs.py | 2 +- modules/signatures/windows/cloud_dropbox.py | 2 +- modules/signatures/windows/cloud_google.py | 2 +- .../signatures/windows/creates_hidden_file.py | 2 +- modules/signatures/windows/volatility_sig.py | 2 +- 12 files changed, 20 insertions(+), 58 deletions(-)
diff --git a/README.md b/README.md
index c643b360e..3da7dba19 100644
--- a/README.md
+++ b/README.md
@@ -22,50 +22,7 @@ class AntiSandboxSleep(Signature):
 authors = ["KillerInstinct"]
 minimum = "2.0"
 ttp = ["M0003"]
-
- filter_apinames = "NtDelayExecution",
-
- whitelist = [
- "dwm.exe",
- "adobearm.exe",
- "iexplore.exe",
- "acrord32.exe",
- "winword.exe",
- "excel.exe",
- ]
-
- def init(self):
- self.sleeps = {}
-
- def on_call(self, call, process):
- procname = process["process_name"]
- if procname not in self.sleeps:
- self.sleeps[procname] = {
- "attempt": 0,
- "actual": 0,
- }
-
- milliseconds = call["arguments"]["milliseconds"]
-
- self.sleeps[procname]["attempt"] += milliseconds
-
- if not call["arguments"]["skipped"]:
- self.sleeps[procname]["actual"] += milliseconds
-
- def on_complete(self):
- for process_name, info in self.sleeps.items():
- if process_name.lower() in self.whitelist:
- continue
-
- if info["attempt"] >= 120000:
- attempted = info["attempt"] / 1000
- actual = info["actual"] / 1000
- self.mark(description="%s tried to sleep %s seconds, actually delayed analysis time by %s seconds" % (process_name, attempted, actual))
-
- if info["attempt"] >= 1200000:
- self.severity = 3
-
- return self.has_marks()
+ ...
 ```
 Cuckoo Reports
@@ -74,8 +31,9 @@ Cuckoo Reports
 The signature section of a Cuckoo report specifies associated MBC behavior as shown in the example below (Dynamic Analysis Evasion [M0003] behavior is shown).
 ```json
-"signatures": [
- {
+{
+ "signatures": [
+ {
 "families": [],
 "description": "A process attempted to delay the analysis task.",
 "severity": 1,
@@ -89,8 +47,9 @@ The signature section of a Cuckoo report specifies associated MBC behavior as sh
 "references": "...",
 "marks": "...",
 "name": "antisandbox_sleep"
- }
-]
+ }
+ ]
+}
 ```
 How to Use the Repository
diff --git a/modules/signatures/network/network_torgateway.py b/modules/signatures/network/network_torgateway.py
index 77bfaf27f..5455d80fd 100644
--- a/modules/signatures/network/network_torgateway.py
+++ b/modules/signatures/network/network_torgateway.py
@@ -22,6 +22,7 @@ class TorGateway(Signature):
 categories = ["network"]
 authors = ["nex", "Optiv"]
 minimum = "2.0"
+ ttp = ["T1188"]
 domains_re = [
 ".*\\.tor2web\\.[a-z]{2,20}$",
diff --git a/modules/signatures/windows/antivm_disksize.py b/modules/signatures/windows/antivm_disksize.py
index cccb3dea5..ab32c02df 100644
--- a/modules/signatures/windows/antivm_disksize.py
+++ b/modules/signatures/windows/antivm_disksize.py
@@ -22,9 +22,10 @@ class AntiVMDiskSize(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- evented = True
 ttp = ["M0009"]
+ evented = True
+
 filter_apinames = [
 "GetDiskFreeSpaceA",
 "GetDiskFreeSpaceW",
diff --git a/modules/signatures/windows/antivm_vbox_provname.py b/modules/signatures/windows/antivm_vbox_provname.py
index b31c6bedc..42b87f794 100644
--- a/modules/signatures/windows/antivm_vbox_provname.py
+++ b/modules/signatures/windows/antivm_vbox_provname.py
@@ -22,9 +22,10 @@ class VBoxDetectProvname(Signature):
 categories = ["anti-vm"]
 authors = ["Optiv"]
 minimum = "2.0"
- evented = True
 ttp = ["M0009"]
+ evented = True
+
 filter_apinames = "WNetGetProviderNameW",
 def on_call(self, call, process):
diff --git a/modules/signatures/windows/applocker_bypass.py b/modules/signatures/windows/applocker_bypass.py
index fb3ab9873..c8a1a8845 100644
--- a/modules/signatures/windows/applocker_bypass.py
+++ b/modules/signatures/windows/applocker_bypass.py
@@ -13,7 +13,7 @@ class AppLockerBypass(Signature):
 categories = ["applocker", "bypass"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086", "T1117"]
+ ttp = ["T1117", "T1086"]
 def on_yara(self, category, filepath, match):
 if match.name != "ApplockerBypass":
diff --git a/modules/signatures/windows/browser_security.py b/modules/signatures/windows/browser_security.py
index 2ec99f9a1..663ed8e0b 100644
--- a/modules/signatures/windows/browser_security.py
+++ b/modules/signatures/windows/browser_security.py
@@ -22,7 +22,7 @@ class BrowserSecurity(Signature):
 categories = ["browser", "clickfraud", "banker"]
 authors = ["Kevin Ross", "Optiv"]
 minimum = "2.0"
- ttp = ["E1112", "E1478"]
+ ttp = ["E1478", "E1112"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Privacy\\\\EnableInPrivateMode",
diff --git a/modules/signatures/windows/bypass_firewall.py b/modules/signatures/windows/bypass_firewall.py
index 4d94e9b8b..281073c56 100644
--- a/modules/signatures/windows/bypass_firewall.py
+++ b/modules/signatures/windows/bypass_firewall.py
@@ -24,7 +24,7 @@ class BypassFirewall(Signature):
 categories = ["bypass"]
 authors = ["Anderson Tamborim", "nex", "Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1089", "E1478"]
+ ttp = ["E1478", "E1089"]
 indicator = ".*\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\.*"
 def on_complete(self):
diff --git a/modules/signatures/windows/clears_logs.py b/modules/signatures/windows/clears_logs.py
index d2f0a0fa9..8943e1f0d 100644
--- a/modules/signatures/windows/clears_logs.py
+++ b/modules/signatures/windows/clears_logs.py
@@ -43,7 +43,7 @@ class ClearPermissionEventLogs(Signature):
 categories = ["commands", "stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1070", "T1222"]
+ ttp = ["T1222", "T1070"]
 utilities = [
 "wevtutil sl", "wevtutil.exe sl"
diff --git a/modules/signatures/windows/cloud_dropbox.py b/modules/signatures/windows/cloud_dropbox.py
index de3476812..b02bf56f6 100644
--- a/modules/signatures/windows/cloud_dropbox.py
+++ b/modules/signatures/windows/cloud_dropbox.py
@@ -12,7 +12,7 @@ class DropBox(Signature):
 categories = ["cloud"]
 authors = ["RedSocks"]
 minimum = "2.0"
- ttp = ["T1102", "T1135"]
+ ttp = ["T1135", "T1102"]
 domains = [
 "dropbox.com",
diff --git a/modules/signatures/windows/cloud_google.py b/modules/signatures/windows/cloud_google.py
index 8b30cc346..30648aa9f 100644
--- a/modules/signatures/windows/cloud_google.py
+++ b/modules/signatures/windows/cloud_google.py
@@ -11,7 +11,7 @@ class CloudGoogle(Signature):
 categories = ["cloud"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1102", "T1105"]
+ ttp = ["T1105", "T1102"]
 domains = [
 "docs.google.com",
diff --git a/modules/signatures/windows/creates_hidden_file.py b/modules/signatures/windows/creates_hidden_file.py
index 06e19c575..27acc6b3b 100644
--- a/modules/signatures/windows/creates_hidden_file.py
+++ b/modules/signatures/windows/creates_hidden_file.py
@@ -12,7 +12,7 @@ class CreatesHiddenFile(Signature):
 severity = 2
 categories = ["stealth"]
 minimum = "2.0"
- ttp = ["T1158"]
+ ttp = ["E1158"]
 filter_apinames = "NtCreateFile", "SetFileAttributesW"
 def __init__(self, *args, **kwargs):
diff --git a/modules/signatures/windows/volatility_sig.py b/modules/signatures/windows/volatility_sig.py
index c6f356fa4..de2e148af 100644
--- a/modules/signatures/windows/volatility_sig.py
+++ b/modules/signatures/windows/volatility_sig.py
@@ -54,7 +54,7 @@ class VolLdrModules2(Signature):
 categories = ["generic"]
 authors = ["Thorsten Sick"]
 minimum = "2.0"
- ttp = ["E1105"]
+ ttp = ["E1055"]
 # http://mnin.blogspot.de/2011/06/examining-stuxnets-footprint-in-memory.html
From f0e7a71fbd4b66a515313aae169cc5d3e2f3c32d Mon Sep 17 00:00:00 2001
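Review bot: The corrected identifiers in the creates_hidden_file.py hunk (`ttp = ["E1158"]`) and the volatility_sig.py hunk (`ttp = ["E1055"]`) are free-form strings that nothing in the series validates, so the mistakes this commit fixes — a wrong prefix letter, transposed digits — will keep slipping in unnoticed and only surface as an empty or wrong `ttp` block in a report. A small test that imports every signature module and checks each `ttp` entry against the shapes used across the series (`M0003`, `M0003.003`, `E1485.m03`, `T1059.007`, `X0011.004`) would catch the format errors at CI time; a constructed example, with `re` imported, is `assert re.match(r"^[A-Z]\d{4}(\.(\d{3}|m\d{2}))?$", tag)` for each `tag` in the class's `ttp`. Each class body continues outside its hunk.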
From: Desiree Beck Date: Wed, 5 Aug 2020 14:30:20 -0400 Subject: [PATCH 07/12] updated mapping for MBC v2.0 --- .../android/android_dynamic_code.py | 2 +- .../application_aborted_broadcast_receiver.py | 2 +- .../android/application_deleted_app.py | 2 +- .../application_executed_shell_command.py | 2 +- modules/signatures/cross/js_eval.py | 2 +- modules/signatures/cross/js_iframe.py | 2 +- modules/signatures/cross/js_suspicious.py | 4 ++-- modules/signatures/network/dns_cnc.py | 1 + modules/signatures/network/dns_tld.py | 1 + modules/signatures/network/network_bind.py | 1 + .../signatures/network/network_cnc_http.py | 4 ++-- modules/signatures/network/network_dyndns.py | 1 + modules/signatures/network/network_http.py | 1 + modules/signatures/network/network_icmp.py | 1 + modules/signatures/network/network_smtp.py | 1 + .../signatures/network/network_torgateway.py | 2 +- modules/signatures/network/network_wscript.py | 2 +- modules/signatures/network/p2p_cnc.py | 2 +- modules/signatures/windows/allocates_rwx.py | 2 +- .../windows/antianalysis_detectfile.py | 2 +- .../signatures/windows/antiav_avast_libs.py | 2 +- .../windows/antiav_bitdefender_libs.py | 2 +- .../signatures/windows/antiav_detectfile.py | 2 +- .../signatures/windows/antiav_detectreg.py | 2 +- .../signatures/windows/antiav_servicestop.py | 2 +- modules/signatures/windows/antiav_srp.py | 2 +- modules/signatures/windows/antidbg_windows.py | 2 +- .../windows/antisandbox_clipboard.py | 2 +- .../windows/antisandbox_cuckoo_files.py | 2 +- .../signatures/windows/antisandbox_file.py | 2 +- .../windows/antisandbox_forehwnd.py | 2 +- .../windows/antisandbox_fortinet_files.py | 2 +- .../windows/antisandbox_idletime.py | 2 +- .../windows/antisandbox_joe_anubis_files.py | 2 +- .../windows/antisandbox_mouse_hook.py | 2 +- .../signatures/windows/antisandbox_restart.py | 2 +- .../signatures/windows/antisandbox_sleep.py | 2 +- .../windows/antisandbox_sunbelt_files.py | 2 +- .../windows/antisandbox_threattrack_files.py | 2 
+- .../signatures/windows/antisandbox_unhook.py | 2 +- .../windows/antivirus_detection_cn.py | 2 +- .../signatures/windows/antivm_bochs_keys.py | 2 +- modules/signatures/windows/antivm_disksize.py | 2 +- .../signatures/windows/antivm_generic_bios.py | 2 +- .../signatures/windows/antivm_generic_cpu.py | 2 +- .../signatures/windows/antivm_generic_disk.py | 2 +- .../windows/antivm_generic_firmware.py | 2 +- .../signatures/windows/antivm_generic_ide.py | 2 +- .../signatures/windows/antivm_generic_scsi.py | 2 +- .../windows/antivm_generic_services.py | 2 +- .../signatures/windows/antivm_hyperv_keys.py | 2 +- .../windows/antivm_memory_available.py | 2 +- .../windows/antivm_network_adapter.py | 2 +- .../windows/antivm_parallels_keys.py | 2 +- .../windows/antivm_parallels_window.py | 2 +- .../signatures/windows/antivm_vbox_acpi.py | 2 +- .../signatures/windows/antivm_vbox_files.py | 2 +- .../signatures/windows/antivm_vbox_keys.py | 2 +- .../windows/antivm_vbox_provname.py | 2 +- .../signatures/windows/antivm_vbox_window.py | 2 +- .../windows/antivm_virtualpc_window.py | 2 +- .../signatures/windows/antivm_vmware_files.py | 2 +- .../signatures/windows/antivm_vmware_keys.py | 2 +- .../windows/antivm_vmware_window.py | 2 +- modules/signatures/windows/antivm_vpc_keys.py | 2 +- modules/signatures/windows/antivm_xen_keys.py | 2 +- modules/signatures/windows/appinit.py | 2 +- .../signatures/windows/applocker_bypass.py | 2 +- modules/signatures/windows/bitcoin_opencl.py | 2 +- .../signatures/windows/bootconfig_modify.py | 2 +- modules/signatures/windows/bootkit.py | 2 +- modules/signatures/windows/bypass_firewall.py | 2 +- modules/signatures/windows/clears_logs.py | 2 +- modules/signatures/windows/cloud_google.py | 2 +- modules/signatures/windows/creates_doc.py | 1 + modules/signatures/windows/creates_exe.py | 4 ++-- .../signatures/windows/creates_hidden_file.py | 2 +- .../signatures/windows/creates_largekey.py | 2 +- .../windows/creates_null_reg_entry.py | 2 +- 
modules/signatures/windows/creates_service.py | 2 +- .../signatures/windows/creates_shortcut.py | 2 +- modules/signatures/windows/credential_dump.py | 4 ++-- modules/signatures/windows/crypto_apis.py | 1 + .../signatures/windows/deletes_executed.py | 2 +- .../windows/disables_browserwarn.py | 2 +- .../signatures/windows/disables_security.py | 2 +- modules/signatures/windows/disables_wer.py | 2 +- .../windows/disables_windowsupdate.py | 2 +- .../signatures/windows/dns_dyndns_provider.py | 1 + .../windows/dns_freehosting_domain.py | 1 + modules/signatures/windows/driver_load.py | 1 + modules/signatures/windows/dropper.py | 2 +- .../signatures/windows/emoves_zoneid_ads.py | 2 +- modules/signatures/windows/exec_waitfor.py | 2 +- modules/signatures/windows/exploitation.py | 9 ++++--- .../signatures/windows/has_authenticode.py | 2 +- .../signatures/windows/infostealer_browser.py | 2 +- modules/signatures/windows/infostealer_ftp.py | 2 +- modules/signatures/windows/infostealer_im.py | 2 +- .../windows/infostealer_keylogger.py | 2 +- .../signatures/windows/infostealer_mail.py | 2 +- .../signatures/windows/injection_explorer.py | 2 +- .../windows/injection_memorymodify.py | 2 +- .../signatures/windows/injection_thread.py | 6 ++--- .../windows/injection_writememory.py | 4 ++-- .../windows/javascript_commandline.py | 2 +- modules/signatures/windows/maldoc.py | 2 +- modules/signatures/windows/martians.py | 2 +- modules/signatures/windows/memdump_urls.py | 3 +-- modules/signatures/windows/mining.py | 2 +- modules/signatures/windows/modifies_certs.py | 2 +- .../signatures/windows/modifies_proxies.py | 2 +- .../signatures/windows/modifies_seccenter.py | 2 +- .../signatures/windows/modifies_uac_notify.py | 2 +- modules/signatures/windows/modifies_zoneid.py | 2 +- modules/signatures/windows/moves_self.py | 2 +- .../signatures/windows/network_rdp_mutex.py | 1 + modules/signatures/windows/network_tor.py | 2 +- .../signatures/windows/network_tor_service.py | 2 +- 
modules/signatures/windows/office.py | 22 ++++++++--------- modules/signatures/windows/packer_entropy.py | 2 +- modules/signatures/windows/packer_upx.py | 2 +- .../signatures/windows/packer_vmprotect.py | 2 +- .../signatures/windows/payload_download.py | 2 +- modules/signatures/windows/pe_features.py | 6 ++--- modules/signatures/windows/persistence_ads.py | 2 +- .../signatures/windows/persistence_autorun.py | 2 +- .../windows/persistence_bootexecute.py | 2 +- .../windows/persistence_registry_fileless.py | 4 ++-- modules/signatures/windows/powerfun.py | 2 +- modules/signatures/windows/powershell.py | 24 +++++++++---------- modules/signatures/windows/powershell_reg.py | 2 +- modules/signatures/windows/powerworm.py | 2 +- modules/signatures/windows/protection_rx.py | 1 + .../windows/ransomware_filemodications.py | 4 ++-- .../signatures/windows/ransomware_files.py | 2 +- .../windows/ransomware_recyclebin.py | 2 +- modules/signatures/windows/self_delete_bat.py | 2 +- modules/signatures/windows/smtp_gmail.py | 1 + modules/signatures/windows/smtp_live.py | 1 + modules/signatures/windows/smtp_mailru.py | 1 + modules/signatures/windows/smtp_yahoo.py | 1 + .../signatures/windows/stealth_childproc.py | 2 +- .../windows/stealth_hidenotifications.py | 2 +- modules/signatures/windows/stealth_window.py | 2 +- .../signatures/windows/suspicious_process.py | 1 + .../signatures/windows/terminates_process.py | 1 + modules/signatures/windows/volatility_sig.py | 10 ++++---- .../signatures/windows/windows_utilities.py | 4 +++- modules/signatures/windows/wmi.py | 2 +- 150 files changed, 193 insertions(+), 169 deletions(-) diff --git a/modules/signatures/android/android_dynamic_code.py b/modules/signatures/android/android_dynamic_code.py index a6702be03..597089036 100644 --- a/modules/signatures/android/android_dynamic_code.py +++ b/modules/signatures/android/android_dynamic_code.py 
@@ -11,7 +11,7 @@ class AndroidDynamicCode(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
- ttp = ["E1129"]
+ ttp = ["T1129"]
 def on_complete(self):
 if self.get_apkinfo("static_method_calls").get("is_dynamic_code"):
diff --git a/modules/signatures/android/application_aborted_broadcast_receiver.py b/modules/signatures/android/application_aborted_broadcast_receiver.py
index 7859fad90..db52dcb49 100644
--- a/modules/signatures/android/application_aborted_broadcast_receiver.py
+++ b/modules/signatures/android/application_aborted_broadcast_receiver.py
@@ -11,7 +11,7 @@ class AndroidAbortBroadcast(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
- ttp = ["E1054"]
+ ttp = ["S0006"]
 def on_complete(self):
 if "abortBroadcast" in self.get_droidmon("events", []):
diff --git a/modules/signatures/android/application_deleted_app.py b/modules/signatures/android/application_deleted_app.py
index febeecc05..e90239683 100644
--- a/modules/signatures/android/application_deleted_app.py
+++ b/modules/signatures/android/application_deleted_app.py
@@ -11,7 +11,7 @@ class AndroidDeletedApp(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
- ttp = ["E1485"]
+ ttp = ["E1485.m03"]
 def on_complete(self):
 if "android/app/ApplicationPackageManager->deletePackage" in self.get_droidmon():
diff --git a/modules/signatures/android/application_executed_shell_command.py b/modules/signatures/android/application_executed_shell_command.py
index 5cefa78df..101c396e3 100644
--- a/modules/signatures/android/application_executed_shell_command.py
+++ b/modules/signatures/android/application_executed_shell_command.py
@@ -11,7 +11,7 @@ class AndroidShellCommands(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
- ttp = ["T1059"]
+ ttp = ["E1059"]
 def on_complete(self):
 if self.get_droidmon("commands", []):
diff --git a/modules/signatures/cross/js_eval.py b/modules/signatures/cross/js_eval.py
index 19a38b44b..87ee8b49a 100644
--- a/modules/signatures/cross/js_eval.py
+++ b/modules/signatures/cross/js_eval.py
@@ -11,7 +11,7 @@ class EvalJS(Signature):
 categories = ["unpacking"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["T1059.007"]
 filter_apinames = "COleScript_Compile",
diff --git a/modules/signatures/cross/js_iframe.py b/modules/signatures/cross/js_iframe.py
index af96aa8c6..29057b476 100644
--- a/modules/signatures/cross/js_iframe.py
+++ b/modules/signatures/cross/js_iframe.py
@@ -13,7 +13,7 @@ class JsIframe(Signature):
 categories = ["obfuscation"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["T1059"]
 filter_apinames = "CIFrameElement_CreateElement",
diff --git a/modules/signatures/cross/js_suspicious.py b/modules/signatures/cross/js_suspicious.py
index a11a8e5bd..a178c09d0 100644
--- a/modules/signatures/cross/js_suspicious.py
+++ b/modules/signatures/cross/js_suspicious.py
@@ -13,7 +13,7 @@ class SuspiciousJavascript(Signature):
 categories = ["unpacking"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["E1059.007"]
 filter_apinames = "COleScript_Compile",
@@ -41,7 +41,7 @@ class AntiAnalysisJavascript(Signature):
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
 on_call_dispatch = True
- ttp = ["M0013", "M0001"]
+ ttp = ["M0013", "M0009"]
 filter_apinames = "ActiveXObjectFncObj_Construct", "CImgElement_put_src"
diff --git a/modules/signatures/network/dns_cnc.py b/modules/signatures/network/dns_cnc.py
index c7b9baba4..6ef7b1816 100644
--- a/modules/signatures/network/dns_cnc.py
+++ b/modules/signatures/network/dns_cnc.py
@@ -22,6 +22,7 @@ class NetworkDNSTXTLookup(Signature):
 categories = ["dns", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["X0011"]
 whitelist = [
 "google.com",
diff --git a/modules/signatures/network/dns_tld.py b/modules/signatures/network/dns_tld.py
index e86cd63ac..fe9d66e30 100644
--- a/modules/signatures/network/dns_tld.py
+++ b/modules/signatures/network/dns_tld.py
@@ -12,6 +12,7 @@ class Suspicious_TLD(Signature):
 categories = ["tldwatch", "network"]
 authors = ["RedSocks", "Kevin Ross"]
 minimum = "2.0"
+ ttp = ["X0011.004"]
 domains_re = [
 (".*\\.by$", "Belarus domain TLD"),
diff --git a/modules/signatures/network/network_bind.py b/modules/signatures/network/network_bind.py
index b326a976a..2286f4f72 100644
--- a/modules/signatures/network/network_bind.py
+++ b/modules/signatures/network/network_bind.py
@@ -22,6 +22,7 @@ class NetworkBIND(Signature):
 categories = ["bind"]
 authors = ["nex", "Accuvant"]
 minimum = "2.0"
+ ttp = ["X0001.002"]
 filter_apinames = "bind", "listen", "accept"
diff --git a/modules/signatures/network/network_cnc_http.py b/modules/signatures/network/network_cnc_http.py
index 1d9c1f986..ef489f636 100644
--- a/modules/signatures/network/network_cnc_http.py
+++ b/modules/signatures/network/network_cnc_http.py
@@ -27,7 +27,7 @@ class NetworkHTTPPOST(Signature):
 categories = ["http", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1071", "M0030"]
+ ttp = ["X0002.005"]
 filter_analysistypes = set(["file"])
@@ -58,7 +58,7 @@ class NetworkCnCHTTP(Signature):
 categories = ["http", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1071", "M0030"]
+ ttp = ["T1071.001", "M0030"]
 filter_analysistypes = set(["file"])
diff --git a/modules/signatures/network/network_dyndns.py b/modules/signatures/network/network_dyndns.py
index 75c450c2c..0ea614336 100644
--- a/modules/signatures/network/network_dyndns.py
+++ b/modules/signatures/network/network_dyndns.py
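Review bot: In the network_cnc_http.py hunks, NetworkHTTPPOST and NetworkCnCHTTP started from the same `ttp = ["T1071", "M0030"]` and now diverge to `["X0002.005"]` and `["T1071.001", "M0030"]`, with M0030 dropped from the first only; both classes carry `categories = ["http", "cnc"]`, so a reader cannot tell from the hunk whether the asymmetry is deliberate. If it is, a one-line comment on the NetworkHTTPPOST line, `ttp = ["X0002.005"]  # intentionally narrower than NetworkCnCHTTP below`, records the decision before the next mapping pass re-aligns the two. Both class bodies continue outside the hunks.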
@@ -12,6 +12,7 @@ class NetworkDynDNS(Signature):
 categories = ["dyndns"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["X0011.003"]
 domains_re = [
 ".*\\.no-ip\\.",
diff --git a/modules/signatures/network/network_http.py b/modules/signatures/network/network_http.py
index c9bcd5bb0..cb4b92e44 100644
--- a/modules/signatures/network/network_http.py
+++ b/modules/signatures/network/network_http.py
@@ -22,6 +22,7 @@ class NetworkHTTP(Signature):
 categories = ["http"]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["X0002.003"]
 host_whitelist = [
 "www.msftncsi.com"
diff --git a/modules/signatures/network/network_icmp.py b/modules/signatures/network/network_icmp.py
index 8df886b5a..45f435768 100644
--- a/modules/signatures/network/network_icmp.py
+++ b/modules/signatures/network/network_icmp.py
@@ -22,6 +22,7 @@ class NetworkICMP(Signature):
 categories = ["icmp"]
 authors = ["David Maciejak"]
 minimum = "2.0"
+ ttp = ["X0014.001"]
 def on_complete(self):
 if self.get_net_icmp():
diff --git a/modules/signatures/network/network_smtp.py b/modules/signatures/network/network_smtp.py
index c42edea74..d795381ad 100644
--- a/modules/signatures/network/network_smtp.py
+++ b/modules/signatures/network/network_smtp.py
@@ -22,6 +22,7 @@ class NetworkSMTP(Signature):
 categories = ["smtp", "spam"]
 authors = ["nex", "RicoVZ"]
 minimum = "2.0.0"
+ ttp = ["S0012.002"]
 def on_complete(self):
 for s in getattr(self, "get_net_smtp_ex", lambda: [])():
diff --git a/modules/signatures/network/network_torgateway.py b/modules/signatures/network/network_torgateway.py
index 5455d80fd..051869351 100644
--- a/modules/signatures/network/network_torgateway.py
+++ b/modules/signatures/network/network_torgateway.py
@@ -22,7 +22,7 @@ class TorGateway(Signature):
 categories = ["network"]
 authors = ["nex", "Optiv"]
 minimum = "2.0"
- ttp = ["T1188"]
+ ttp = ["T1090.003"]
 domains_re = [
 ".*\\.tor2web\\.[a-z]{2,20}$",
diff --git a/modules/signatures/network/network_wscript.py b/modules/signatures/network/network_wscript.py
index bb359c49c..958c1e32b 100644
--- a/modules/signatures/network/network_wscript.py
+++ b/modules/signatures/network/network_wscript.py
@@ -22,7 +22,7 @@ class WscriptDownloader(Signature):
 categories = ["downloader"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1064", "T1105"]
+ ttp = ["T1059", "E1105"]
 filter_apinames = [
 "InternetCrackUrlW",
diff --git a/modules/signatures/network/p2p_cnc.py b/modules/signatures/network/p2p_cnc.py
index 75437a8ca..1d445919b 100644
--- a/modules/signatures/network/p2p_cnc.py
+++ b/modules/signatures/network/p2p_cnc.py
@@ -22,7 +22,7 @@ class P2PCnC(Signature):
 categories = ["p2p", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1094"]
+ ttp = ["T1095"]
 filter_analysistypes = set(["file"])
diff --git a/modules/signatures/windows/allocates_rwx.py b/modules/signatures/windows/allocates_rwx.py
index 7a13f9009..54bcbd414 100644
--- a/modules/signatures/windows/allocates_rwx.py
+++ b/modules/signatures/windows/allocates_rwx.py
@@ -11,7 +11,7 @@ class AllocatesRWX(Signature):
 categories = ["unpacking"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["E1055"]
+ ttp = ["X0007"]
 filter_apinames = (
 "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
diff --git a/modules/signatures/windows/antianalysis_detectfile.py b/modules/signatures/windows/antianalysis_detectfile.py
index a1da72c37..78ab24ea0 100644
--- a/modules/signatures/windows/antianalysis_detectfile.py
+++ b/modules/signatures/windows/antianalysis_detectfile.py
@@ -11,7 +11,7 @@ class AntiAnalysisDetectFile(Signature):
 categories = ["anti-analysis"]
 authors = ["KillerInstinct"]
 minimum = "2.0"
- ttp = ["M0013"]
+ ttp = ["M0013.008"]
 file_indicators = [
 "[A-Za-z]:\\\\analysis",
diff --git a/modules/signatures/windows/antiav_avast_libs.py b/modules/signatures/windows/antiav_avast_libs.py
index 3b6427436..867fc05bb 100644
--- a/modules/signatures/windows/antiav_avast_libs.py
+++ b/modules/signatures/windows/antiav_avast_libs.py
@@ -22,7 +22,7 @@ class AvastDetectLibs(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1063"]
+ ttp = ["T1518.001"]
 filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
diff --git a/modules/signatures/windows/antiav_bitdefender_libs.py b/modules/signatures/windows/antiav_bitdefender_libs.py
index 3d409d780..d383bd4b8 100644
--- a/modules/signatures/windows/antiav_bitdefender_libs.py
+++ b/modules/signatures/windows/antiav_bitdefender_libs.py
@@ -22,7 +22,7 @@ class BitdefenderDetectLibs(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1063"]
+ ttp = ["T1518.001"]
 filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
diff --git a/modules/signatures/windows/antiav_detectfile.py b/modules/signatures/windows/antiav_detectfile.py
index 369a74a0f..2a7df93d8 100644
--- a/modules/signatures/windows/antiav_detectfile.py
+++ b/modules/signatures/windows/antiav_detectfile.py
@@ -15,7 +15,7 @@ class AntiAVDetectFile(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1063", "T1083"]
+ ttp = ["T1518.001", "T1083"]
 file_indicators = [
 ".*\\\\AVAST\\ Software",
diff --git a/modules/signatures/windows/antiav_detectreg.py b/modules/signatures/windows/antiav_detectreg.py
index 57408f94a..51d66a46d 100644
--- a/modules/signatures/windows/antiav_detectreg.py
+++ b/modules/signatures/windows/antiav_detectreg.py
@@ -11,7 +11,7 @@ class AntiAVDetectReg(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1063", "T1012"]
+ ttp = ["T1518.001", "T1012"]
 reg_indicators = [
 ".*\\\\Software\\\\(Wow6432Node\\\\)?Avg",
diff --git a/modules/signatures/windows/antiav_servicestop.py b/modules/signatures/windows/antiav_servicestop.py
index d1787772a..ca1d6dd74 100644
--- a/modules/signatures/windows/antiav_servicestop.py
+++ b/modules/signatures/windows/antiav_servicestop.py
@@ -16,7 +16,7 @@ class AntiAVServiceStop(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["E1089"]
+ ttp = ["S0004"]
 evented = True
 def __init__(self, *args, **kwargs):
diff --git a/modules/signatures/windows/antiav_srp.py b/modules/signatures/windows/antiav_srp.py
index 1720fb2af..c4e4d2198 100644
--- a/modules/signatures/windows/antiav_srp.py
+++ b/modules/signatures/windows/antiav_srp.py
@@ -11,7 +11,7 @@ class AntiAVSRP(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["E1089", "E1478"]
+ ttp = ["S0004.005", "E1478"]
 regkeys_re = [
 ".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*",
diff --git a/modules/signatures/windows/antidbg_windows.py b/modules/signatures/windows/antidbg_windows.py
index ef0c34cc2..9b36d1f6d 100644
--- a/modules/signatures/windows/antidbg_windows.py
+++ b/modules/signatures/windows/antidbg_windows.py
@@ -22,7 +22,7 @@ class AntiDBGWindows(Signature):
 categories = ["anti-debug"]
 authors = ["nex", "KillerInstinct", "Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0013"]
+ ttp = ["M0013.009", "M0001.004"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antisandbox_clipboard.py b/modules/signatures/windows/antisandbox_clipboard.py
index 67d144c18..02d799750 100644
--- a/modules/signatures/wind

ows/antisandbox_clipboard.py
+++ b/modules/signatures/windows/antisandbox_clipboard.py
@@ -22,7 +22,7 @@ class AntisandboxClipboard(Signature):
 categories = ["anti-sandbox"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.001"]
 filter_apinames = set(["GetClipboardData"])
diff --git a/modules/signatures/windows/antisandbox_cuckoo_files.py b/modules/signatures/windows/antisandbox_cuckoo_files.py
index 17517192d..b42d78b15 100644
--- a/modules/signatures/windows/antisandbox_cuckoo_files.py
+++ b/modules/signatures/windows/antisandbox_cuckoo_files.py
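Review bot: In the antiav_srp.py hunk the untouched context line `".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*"` appears to carry five backslashes before `CodeIdentifiers` where every other separator in the pattern uses four; in a non-raw Python string that leaves the regex with a stray `\C` escape, which Python 2's `re` tolerates as a literal `C` but Python 3.7+ rejects with `re.error`, so the signature would fail to load on a Python 3 port. Since the commit already edits this file, bringing the separator in line with its neighbours, `Safer\\\\CodeIdentifiers`, is a one-character fix. This is a pre-existing line and the class body continues outside the hunk; worth confirming against the file itself in case the extra backslash is an artefact of the page.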
@@ -22,7 +22,7 @@ class CuckooDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.002"]
 file_indicators = [
 ".*\\\\agent\\.py$",
diff --git a/modules/signatures/windows/antisandbox_file.py b/modules/signatures/windows/antisandbox_file.py
index cc1e0cd92..9d03412f3 100644
--- a/modules/signatures/windows/antisandbox_file.py
+++ b/modules/signatures/windows/antisandbox_file.py
@@ -11,7 +11,7 @@ class AntiSandboxFile(Signature):
 categories = ["anti-sandbox"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.002"]
 files_re = [
 "[a-zA-Z]:\\\\sample\\.exe",
diff --git a/modules/signatures/windows/antisandbox_forehwnd.py b/modules/signatures/windows/antisandbox_forehwnd.py
index 037b45c95..d87f6da86 100644
--- a/modules/signatures/windows/antisandbox_forehwnd.py
+++ b/modules/signatures/windows/antisandbox_forehwnd.py
@@ -20,7 +20,7 @@ class AntiSandboxForegroundWindow(Signature):
 severity = 2
 categories = ["anti-sandbox"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.003"]
 references = [
 "https://www.virusbtn.com/virusbulletin/archive/2015/09/vb201509-custom-packer.dkb",
diff --git a/modules/signatures/windows/antisandbox_fortinet_files.py b/modules/signatures/windows/antisandbox_fortinet_files.py
index f7c8590c4..cbdfcc266 100644
--- a/modules/signatures/windows/antisandbox_fortinet_files.py
+++ b/modules/signatures/windows/antisandbox_fortinet_files.py
@@ -22,7 +22,7 @@ class FortinetDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.002"]
 files_re = [
 "C:\\\\tracer\\\\mdare32_0\\.sys",
diff --git a/modules/signatures/windows/antisandbox_idletime.py b/modules/signatures/windows/antisandbox_idletime.py
index 80045495b..9f4a3fe57 100644
--- a/modules/signatures/windows/antisandbox_idletime.py
+++ b/modules/signatures/windows/antisandbox_idletime.py
@@ -11,7 +11,7 @@ class AntiSandboxIdleTime(Signature): categories = ["anti-sandbox"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["M0003"] + ttp = ["M0007.009"] filter_apinames = "NtQuerySystemInformation", diff --git a/modules/signatures/windows/antisandbox_joe_anubis_files.py b/modules/signatures/windows/antisandbox_joe_anubis_files.py index b356382ff..cb887c5fe 100644 --- a/modules/signatures/windows/antisandbox_joe_anubis_files.py +++ b/modules/signatures/windows/antisandbox_joe_anubis_files.py @@ -22,7 +22,7 @@ class SandboxJoeAnubisDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0007"] + ttp = ["M0007.002"] file_indicators = [ "C:\\\\sample\\.exe", diff --git a/modules/signatures/windows/antisandbox_mouse_hook.py b/modules/signatures/windows/antisandbox_mouse_hook.py index 2509efcc3..ea819dc0c 100644 --- a/modules/signatures/windows/antisandbox_mouse_hook.py +++ b/modules/signatures/windows/antisandbox_mouse_hook.py @@ -22,7 +22,7 @@ class HookMouse(Signature): categories = ["hooking", "anti-sandbox"] authors = ["nex"] minimum = "2.0" - ttp = ["M0007", "E1179"] + ttp = ["M0007.003", "S0003.003"] filter_apinames = "SetWindowsHookExA", "SetWindowsHookExW" diff --git a/modules/signatures/windows/antisandbox_restart.py b/modules/signatures/windows/antisandbox_restart.py index 2a94ce0d3..53a33389e 100644 --- a/modules/signatures/windows/antisandbox_restart.py +++ b/modules/signatures/windows/antisandbox_restart.py @@ -12,7 +12,7 @@ class AntiSandboxRestart(Signature): categories = ["anti-sandbox"] authors = ["Cuckoo Technologies", "Brad Spengler"] minimum = "2.0" - ttp = ["M0003"] + ttp = ["M0003.010"] filter_apinames = ( "InitiateSystemShutdownExW", "InitiateSystemShutdownExA", diff --git a/modules/signatures/windows/antisandbox_sleep.py b/modules/signatures/windows/antisandbox_sleep.py index cc5757a8b..63c623ac2 100644 --- a/modules/signatures/windows/antisandbox_sleep.py 
+++ b/modules/signatures/windows/antisandbox_sleep.py @@ -22,7 +22,7 @@ class AntiSandboxSleep(Signature): categories = ["anti-sandbox"] authors = ["KillerInstinct"] minimum = "2.0" - ttp = ["M0003"] + ttp = ["M0003.003"] filter_apinames = "NtDelayExecution", diff --git a/modules/signatures/windows/antisandbox_sunbelt_files.py b/modules/signatures/windows/antisandbox_sunbelt_files.py index e2af95b57..2d8e51f3b 100644 --- a/modules/signatures/windows/antisandbox_sunbelt_files.py +++ b/modules/signatures/windows/antisandbox_sunbelt_files.py @@ -22,7 +22,7 @@ class SunbeltDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0007"] + ttp = ["M0007.002"] file_indicators = [ ".*\\\\SandboxStarter\\.exe$", diff --git a/modules/signatures/windows/antisandbox_threattrack_files.py b/modules/signatures/windows/antisandbox_threattrack_files.py index 14085d24e..4cc5800de 100644 --- a/modules/signatures/windows/antisandbox_threattrack_files.py +++ b/modules/signatures/windows/antisandbox_threattrack_files.py @@ -22,7 +22,7 @@ class ThreatTrackDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Brad Spengler"] minimum = "2.0" - ttp = ["M0007"] + ttp = ["M0007.002"] files_re = [ "C:\\\\cwsandbox", diff --git a/modules/signatures/windows/antisandbox_unhook.py b/modules/signatures/windows/antisandbox_unhook.py index 3dab093ff..d914703bc 100644 --- a/modules/signatures/windows/antisandbox_unhook.py +++ b/modules/signatures/windows/antisandbox_unhook.py @@ -22,7 +22,7 @@ class Unhook(Signature): categories = ["anti-sandbox"] authors = ["nex"] minimum = "2.0" - ttp = ["M0003"] + ttp = ["M0003.008"] filter_apinames = "__anomaly__", diff --git a/modules/signatures/windows/antivirus_detection_cn.py b/modules/signatures/windows/antivirus_detection_cn.py index bd66ae82f..cd00fed93 100644 --- a/modules/signatures/windows/antivirus_detection_cn.py +++ b/modules/signatures/windows/antivirus_detection_cn.py 
@@ -13,7 +13,7 @@ class AVDetectionChinaKey(Signature): families = ["china"] authors = ["RedSocks"] minimum = "2.0" - ttp = ["T1012", "T1063"] + ttp = ["T1012", "T1518.001"] indicators = [ ".*360Safe", diff --git a/modules/signatures/windows/antivm_bochs_keys.py b/modules/signatures/windows/antivm_bochs_keys.py index 08f7787d2..73a44d194 100644 --- a/modules/signatures/windows/antivm_bochs_keys.py +++ b/modules/signatures/windows/antivm_bochs_keys.py @@ -22,7 +22,7 @@ class BochsDetectKeys(Signature): categories = ["anti-vm"] authors = ["Brad Spengler"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.005", "T1012"] regkeys_re = [ ".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS_.*", diff --git a/modules/signatures/windows/antivm_disksize.py b/modules/signatures/windows/antivm_disksize.py index ab32c02df..ea8c39d5e 100644 --- a/modules/signatures/windows/antivm_disksize.py +++ b/modules/signatures/windows/antivm_disksize.py @@ -22,7 +22,7 @@ class AntiVMDiskSize(Signature): categories = ["anti-vm"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0009"] + ttp = ["M0009.015"] evented = True diff --git a/modules/signatures/windows/antivm_generic_bios.py b/modules/signatures/windows/antivm_generic_bios.py index a3f836dd1..09550c254 100644 --- a/modules/signatures/windows/antivm_generic_bios.py +++ b/modules/signatures/windows/antivm_generic_bios.py @@ -22,7 +22,7 @@ class AntiVMBios(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.024", "M0009.005", "T1012"] regkeys_re = [ ".*SystemBiosVersion", diff --git a/modules/signatures/windows/antivm_generic_cpu.py b/modules/signatures/windows/antivm_generic_cpu.py index 6aac61e7c..81ec5eb73 100644 --- a/modules/signatures/windows/antivm_generic_cpu.py +++ b/modules/signatures/windows/antivm_generic_cpu.py 
@@ -22,7 +22,7 @@ class AntiVMCPU(Signature): categories = ["anti-vm"] authors = ["Optiv"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.026", "M0009.005", "T1012"] regkeys_re = [ ".*\\\\HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\.*\\\\ProcessorNameString", diff --git a/modules/signatures/windows/antivm_generic_disk.py b/modules/signatures/windows/antivm_generic_disk.py index f1a7dca0b..82e73d277 100644 --- a/modules/signatures/windows/antivm_generic_disk.py +++ b/modules/signatures/windows/antivm_generic_disk.py @@ -22,7 +22,7 @@ class DiskInformation(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.005", "T1012"] filter_apinames = [ "NtCreateFile", diff --git a/modules/signatures/windows/antivm_generic_firmware.py b/modules/signatures/windows/antivm_generic_firmware.py index 044e5420a..36e3a904e 100644 --- a/modules/signatures/windows/antivm_generic_firmware.py +++ b/modules/signatures/windows/antivm_generic_firmware.py @@ -11,7 +11,7 @@ class VMFirmware(Signature): categories = ["anti-vm"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["M0009"] + ttp = ["M0009.023"] filter_apinames = "NtQuerySystemInformation", diff --git a/modules/signatures/windows/antivm_generic_ide.py b/modules/signatures/windows/antivm_generic_ide.py index 243b19ef4..7a5f6b4bb 100644 --- a/modules/signatures/windows/antivm_generic_ide.py +++ b/modules/signatures/windows/antivm_generic_ide.py @@ -22,7 +22,7 @@ class AntiVMIDE(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.005", "T1012"] def on_complete(self): for regkey in self.check_key(pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\IDE", regex=True, all=True): diff --git a/modules/signatures/windows/antivm_generic_scsi.py b/modules/signatures/windows/antivm_generic_scsi.py index a1b37dfb0..c3ec91c90 100644 
--- a/modules/signatures/windows/antivm_generic_scsi.py +++ b/modules/signatures/windows/antivm_generic_scsi.py @@ -22,7 +22,7 @@ class AntiVMSCSI(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.005", "T1012"] regkeys_re = [ ".*\\\\HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port \\d+\\\\Scsi Bus \\d+\\\\Target Id \\d+\\\\Logical Unit Id \\d+\\\\Identifier", diff --git a/modules/signatures/windows/antivm_generic_services.py b/modules/signatures/windows/antivm_generic_services.py index 2c4dee4e5..500ad1e27 100644 --- a/modules/signatures/windows/antivm_generic_services.py +++ b/modules/signatures/windows/antivm_generic_services.py @@ -22,7 +22,7 @@ class AntiVMServices(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" - ttp = ["M0009", "T1007"] + ttp = ["M0009.006", "T1007"] filter_apinames = "EnumServicesStatusA", "EnumServicesStatusW" diff --git a/modules/signatures/windows/antivm_hyperv_keys.py b/modules/signatures/windows/antivm_hyperv_keys.py index b849ce101..e0de0afc5 100644 --- a/modules/signatures/windows/antivm_hyperv_keys.py +++ b/modules/signatures/windows/antivm_hyperv_keys.py @@ -22,7 +22,7 @@ class HyperVDetectKeys(Signature): categories = ["anti-vm"] authors = ["Brad Spengler"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.005", "T1012"] regkeys_re = [ ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\Hyper_V_Gen_Counter_V1", diff --git a/modules/signatures/windows/antivm_memory_available.py b/modules/signatures/windows/antivm_memory_available.py index 6188d2626..93f5ecf7f 100644 --- a/modules/signatures/windows/antivm_memory_available.py +++ b/modules/signatures/windows/antivm_memory_available.py @@ -22,7 +22,7 @@ class MemoryAvailable(Signature): categories = ["anti-vm"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0009"] + ttp = ["M0009.014"] filter_apinames = [ "GlobalMemoryStatusEx", "GetPhysicallyInstalledSystemMemory", 
diff --git a/modules/signatures/windows/antivm_network_adapter.py b/modules/signatures/windows/antivm_network_adapter.py index c100741f8..678935a99 100644 --- a/modules/signatures/windows/antivm_network_adapter.py +++ b/modules/signatures/windows/antivm_network_adapter.py @@ -22,7 +22,7 @@ class NetworkAdapters(Signature): categories = ["anti-vm"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0009"] + ttp = ["M0009.023"] filter_apinames = set(["GetAdaptersAddresses"]) diff --git a/modules/signatures/windows/antivm_parallels_keys.py b/modules/signatures/windows/antivm_parallels_keys.py index a999bc23c..204682622 100644 --- a/modules/signatures/windows/antivm_parallels_keys.py +++ b/modules/signatures/windows/antivm_parallels_keys.py @@ -22,7 +22,7 @@ class ParallelsDetectKeys(Signature): categories = ["anti-vm"] authors = ["Brad Spengler"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.005", "T1012"] regkeys_re = [ ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_1AB8&DEV_4000&SUBSYS_04001AB8&REV_00", diff --git a/modules/signatures/windows/antivm_parallels_window.py b/modules/signatures/windows/antivm_parallels_window.py index bede49429..b6846865e 100644 --- a/modules/signatures/windows/antivm_parallels_window.py +++ b/modules/signatures/windows/antivm_parallels_window.py @@ -22,7 +22,7 @@ class ParallelsDetectWindow(Signature): categories = ["anti-vm"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0009"] + ttp = ["M0009.009"] filter_categories = "ui", diff --git a/modules/signatures/windows/antivm_vbox_acpi.py b/modules/signatures/windows/antivm_vbox_acpi.py index 537455dec..0d819de54 100644 --- a/modules/signatures/windows/antivm_vbox_acpi.py +++ b/modules/signatures/windows/antivm_vbox_acpi.py 
@@ -22,7 +22,7 @@ class VBoxDetectACPI(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.023", "M0009.005", "T1012"] def on_complete(self): for regkey in self.check_key("HARDWARE\\\\ACPI\\\\.*vbox_", regex=True, all=True): diff --git a/modules/signatures/windows/antivm_vbox_files.py b/modules/signatures/windows/antivm_vbox_files.py index c6231924d..fcec7e3a4 100644 --- a/modules/signatures/windows/antivm_vbox_files.py +++ b/modules/signatures/windows/antivm_vbox_files.py @@ -22,7 +22,7 @@ class VBoxDetectFiles(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" - ttp = ["M0009"] + ttp = ["M0009.001"] indicators = [ ".*VBoxDisp\\.dll", diff --git a/modules/signatures/windows/antivm_vbox_keys.py b/modules/signatures/windows/antivm_vbox_keys.py index 1b4ef2924..7862e844f 100644 --- a/modules/signatures/windows/antivm_vbox_keys.py +++ b/modules/signatures/windows/antivm_vbox_keys.py @@ -22,7 +22,7 @@ class VBoxDetectKeys(Signature): categories = ["anti-vm"] authors = ["nex", "Brad Spengler"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.005", "T1012"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Oracle\\\\VirtualBox\\ Guest\\ Additions", diff --git a/modules/signatures/windows/antivm_vbox_provname.py b/modules/signatures/windows/antivm_vbox_provname.py index 42b87f794..16f62e1fa 100644 --- a/modules/signatures/windows/antivm_vbox_provname.py +++ b/modules/signatures/windows/antivm_vbox_provname.py @@ -22,7 +22,7 @@ class VBoxDetectProvname(Signature): categories = ["anti-vm"] authors = ["Optiv"] minimum = "2.0" - ttp = ["M0009"] + ttp = ["M0009.001"] evented = True diff --git a/modules/signatures/windows/antivm_vbox_window.py b/modules/signatures/windows/antivm_vbox_window.py index 916985e17..c5574e27a 100644 --- a/modules/signatures/windows/antivm_vbox_window.py +++ b/modules/signatures/windows/antivm_vbox_window.py 
@@ -22,7 +22,7 @@ class VBoxDetectWindow(Signature): categories = ["anti-vm"] authors = ["nex"] minimum = "2.0" - ttp = ["M0009"] + ttp = ["M0009.009"] filter_categories = "ui", diff --git a/modules/signatures/windows/antivm_virtualpc_window.py b/modules/signatures/windows/antivm_virtualpc_window.py index 830df7d5b..44002c207 100644 --- a/modules/signatures/windows/antivm_virtualpc_window.py +++ b/modules/signatures/windows/antivm_virtualpc_window.py @@ -22,7 +22,7 @@ class VirtualPCDetectWindow(Signature): categories = ["anti-vm"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0009"] + ttp = ["M0009.009"] filter_categories = "ui", diff --git a/modules/signatures/windows/antivm_vmware_files.py b/modules/signatures/windows/antivm_vmware_files.py index e0265899e..2d4d9b8e7 100644 --- a/modules/signatures/windows/antivm_vmware_files.py +++ b/modules/signatures/windows/antivm_vmware_files.py @@ -11,7 +11,7 @@ class VMWareDetectFiles(Signature): categories = ["anti-vm"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["M0009"] + ttp = ["M0009.001"] files_re = [ ".*vmmouse\\.sys", diff --git a/modules/signatures/windows/antivm_vmware_keys.py b/modules/signatures/windows/antivm_vmware_keys.py index 2c03c4a92..b499a6f26 100644 --- a/modules/signatures/windows/antivm_vmware_keys.py +++ b/modules/signatures/windows/antivm_vmware_keys.py @@ -21,7 +21,7 @@ class VMWareDetectKeys(Signature): categories = ["anti-vm"] authors = ["Cuckoo Technologies", "Optiv"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.005", "T1012"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?VMWare,\\ Inc\..*", diff --git a/modules/signatures/windows/antivm_vmware_window.py b/modules/signatures/windows/antivm_vmware_window.py index 98c1a213e..49b4e9423 100644 --- a/modules/signatures/windows/antivm_vmware_window.py +++ b/modules/signatures/windows/antivm_vmware_window.py 
@@ -22,7 +22,7 @@ class VMwareDetectWindow(Signature): categories = ["anti-vm"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0009"] + ttp = ["M0009.009"] filter_categories = "ui", diff --git a/modules/signatures/windows/antivm_vpc_keys.py b/modules/signatures/windows/antivm_vpc_keys.py index 4f6c7c10b..0b3187e6a 100644 --- a/modules/signatures/windows/antivm_vpc_keys.py +++ b/modules/signatures/windows/antivm_vpc_keys.py @@ -22,7 +22,7 @@ class VPCDetectKeys(Signature): categories = ["anti-vm"] authors = ["Optiv"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.005", "T1012"] regkeys_re = [ ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00", diff --git a/modules/signatures/windows/antivm_xen_keys.py b/modules/signatures/windows/antivm_xen_keys.py index 5a19623d7..e58bdb88a 100644 --- a/modules/signatures/windows/antivm_xen_keys.py +++ b/modules/signatures/windows/antivm_xen_keys.py @@ -22,7 +22,7 @@ class XenDetectKeys(Signature): categories = ["anti-vm"] authors = ["Brad Spengler"] minimum = "2.0" - ttp = ["M0009", "T1012"] + ttp = ["M0009.005", "T1012"] regkeys_re = [ ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\XEN0000.*", diff --git a/modules/signatures/windows/appinit.py b/modules/signatures/windows/appinit.py index 925117789..9f1818663 100644 --- a/modules/signatures/windows/appinit.py +++ b/modules/signatures/windows/appinit.py @@ -11,7 +11,7 @@ class InstallsAppInit(Signature): categories = ["persistence"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["E1112", "T1103"] + ttp = ["E1112", "T1546.010"] regkeys_re = [ ".*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\Appinit_Dlls", diff --git a/modules/signatures/windows/applocker_bypass.py b/modules/signatures/windows/applocker_bypass.py index c8a1a8845..d7480ceea 100644 --- a/modules/signatures/windows/applocker_bypass.py 
+++ b/modules/signatures/windows/applocker_bypass.py @@ -13,7 +13,7 @@ class AppLockerBypass(Signature): categories = ["applocker", "bypass"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0.4" - ttp = ["T1117", "T1086"] + ttp = ["T1218.010", "E1059.001"] def on_yara(self, category, filepath, match): if match.name != "ApplockerBypass": diff --git a/modules/signatures/windows/bitcoin_opencl.py b/modules/signatures/windows/bitcoin_opencl.py index 25b276781..da1716e1a 100644 --- a/modules/signatures/windows/bitcoin_opencl.py +++ b/modules/signatures/windows/bitcoin_opencl.py @@ -22,7 +22,7 @@ class BitcoinOpenCL(Signature): categories = ["bitcoin"] authors = ["nex"] minimum = "2.0" - ttp = ["M0018"] + ttp = ["M0018.002"] def on_complete(self): filepath = self.check_file(pattern=".*OpenCL\.dll$", regex=True) diff --git a/modules/signatures/windows/bootconfig_modify.py b/modules/signatures/windows/bootconfig_modify.py index 26de318ce..2926a2f3a 100644 --- a/modules/signatures/windows/bootconfig_modify.py +++ b/modules/signatures/windows/bootconfig_modify.py @@ -22,7 +22,7 @@ class ModifiesBootConfig(Signature): categories = ["persistance", "ransomware"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0028"] + ttp = ["S0013"] filter_apinames = "ShellExecuteExW", "CreateProcessInternalW", def on_call(self, call, process): diff --git a/modules/signatures/windows/bootkit.py b/modules/signatures/windows/bootkit.py index a94856601..97415916c 100644 --- a/modules/signatures/windows/bootkit.py +++ b/modules/signatures/windows/bootkit.py @@ -13,7 +13,7 @@ class Bootkit(Signature): authors = ["Optiv"] minimum = "2.0" evented = True - ttp = ["M0028"] + ttp = ["S0013"] BasicFileInformation = 4 def __init__(self, *args, **kwargs): diff --git a/modules/signatures/windows/bypass_firewall.py b/modules/signatures/windows/bypass_firewall.py index 281073c56..2a534fb33 100644 --- a/modules/signatures/windows/bypass_firewall.py +++ b/modules/signatures/windows/bypass_firewall.py 
@@ -24,7 +24,7 @@ class BypassFirewall(Signature): categories = ["bypass"] authors = ["Anderson Tamborim", "nex", "Kevin Ross"] minimum = "2.0" - ttp = ["E1478", "E1089"] + ttp = ["E1478", "S0004"] indicator = ".*\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\.*" def on_complete(self): diff --git a/modules/signatures/windows/clears_logs.py b/modules/signatures/windows/clears_logs.py index 8943e1f0d..a56509ef1 100644 --- a/modules/signatures/windows/clears_logs.py +++ b/modules/signatures/windows/clears_logs.py @@ -22,7 +22,7 @@ class ClearsEventLogs(Signature): categories = ["commands", "stealth"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1070"] + ttp = ["T1070.001"] utilities = [ "wevtutil cl", "wevtutil.exe cl" diff --git a/modules/signatures/windows/cloud_google.py b/modules/signatures/windows/cloud_google.py index 30648aa9f..0004916b4 100644 --- a/modules/signatures/windows/cloud_google.py +++ b/modules/signatures/windows/cloud_google.py @@ -11,7 +11,7 @@ class CloudGoogle(Signature): categories = ["cloud"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1105", "T1102"] + ttp = ["E1105", "T1102"] domains = [ "docs.google.com", diff --git a/modules/signatures/windows/creates_doc.py b/modules/signatures/windows/creates_doc.py index e08e25b61..059ff01d8 100644 --- a/modules/signatures/windows/creates_doc.py +++ b/modules/signatures/windows/creates_doc.py @@ -11,6 +11,7 @@ class CreatesDocument(Signature): categories = ["generic"] authors = ["Cuckoo Technologies"] minimum = "2.0" + ttp = ["X0016.001"] pattern = ".*\\.(doc|docm|dotm|docx|ppt|pptm|pptx|potm|ppam|ppsm|xls|xlsm|xlsx|pdf)$" diff --git a/modules/signatures/windows/creates_exe.py b/modules/signatures/windows/creates_exe.py index 4a2780b45..2331cf1fa 100644 --- a/modules/signatures/windows/creates_exe.py +++ b/modules/signatures/windows/creates_exe.py 
@@ -16,7 +16,7 @@ class CreatesExe(Signature): categories = ["generic"] authors = ["Cuckoo Developers"] minimum = "2.0" - ttp = ["T1105"] + ttp = ["E1105", "M0023"] pattern = ( ".*\\.(bat|cmd|com|cpl|dll|exe|js|jse|lnk|msi|msh|msh1|msh2|mshxml|" @@ -37,7 +37,7 @@ class CreatesUserFolderEXE(Signature): families = ["persistance"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1105"] + ttp = ["E1105", "M0023"] directories_re = [ "^[a-zA-Z]:\\\\Users\\\\[^\\\\]+\\\\AppData\\\\.*", diff --git a/modules/signatures/windows/creates_hidden_file.py b/modules/signatures/windows/creates_hidden_file.py index 27acc6b3b..d0c990b93 100644 --- a/modules/signatures/windows/creates_hidden_file.py +++ b/modules/signatures/windows/creates_hidden_file.py @@ -12,7 +12,7 @@ class CreatesHiddenFile(Signature): severity = 2 categories = ["stealth"] minimum = "2.0" - ttp = ["E1158"] + ttp = ["T1564.001"] filter_apinames = "NtCreateFile", "SetFileAttributesW" def __init__(self, *args, **kwargs): diff --git a/modules/signatures/windows/creates_largekey.py b/modules/signatures/windows/creates_largekey.py index aa57705d5..bd09869e0 100644 --- a/modules/signatures/windows/creates_largekey.py +++ b/modules/signatures/windows/creates_largekey.py @@ -29,7 +29,7 @@ class CreatesLargeKey(Signature): categories = ["stealth"] authors = ["Optiv"] minimum = "2.0" - ttp = ["M0040", "E1112"] + ttp = ["M0040.001", "E1112"] evented = True filter_apinames = set(["NtSetValueKey", "RegSetValueExA", "RegSetValueExW"]) diff --git a/modules/signatures/windows/creates_null_reg_entry.py b/modules/signatures/windows/creates_null_reg_entry.py index 2834b031a..4f81aed98 100644 --- a/modules/signatures/windows/creates_null_reg_entry.py +++ b/modules/signatures/windows/creates_null_reg_entry.py 
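Review bot: `ttp = ["E1105", "M0023"]` (CreatesExe and CreatesUserFolderEXE) adds `E1105` alongside `M0023`, while the dropper.py hunk on L104 does the reverse and drops `E1105` from `["M0023", "E1105"]`; after this commit two signatures describing the same observable (a new executable written to disk) disagree on whether E1105 applies. If the intent is that E1105 means transfer from outside and M0023 means writing the payload, then `ttp = ["M0023"]` here matches dropper.py; if both are meant, dropper.py should keep E1105. Either way a short comment on the chosen line would stop the next re-mapping from flipping it again. A similar policy question applies to creates_hidden_file in this same line, where the MBC id `E1158` is replaced by the ATT&CK id `T1564.001` rather than kept alongside it as other hunks do.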
@@ -12,7 +12,7 @@ class CreatesNullRegistryEntry(Signature): severity = 2 categories = ["stealth"] minimum = "2.0" - ttp = ["E1054", "E1112"] + ttp = ["S0006", "E1112"] filter_apinames = ( "NtSetValueKey", "NtCreateKey", "RegCreateKeyExA", "RegCreateKeyExW", "RegSetValueExA", "RegSetValueExW", diff --git a/modules/signatures/windows/creates_service.py b/modules/signatures/windows/creates_service.py index 1c7727f4f..e35826793 100644 --- a/modules/signatures/windows/creates_service.py +++ b/modules/signatures/windows/creates_service.py @@ -11,7 +11,7 @@ class CreatesService(Signature): categories = ["service", "persistence"] authors = ["Cuckoo Technologies", "Kevin Ross"] minimum = "2.0" - ttp = ["T1050"] + ttp = ["T1543.003"] filter_apinames = [ "CreateServiceA", "CreateServiceW", diff --git a/modules/signatures/windows/creates_shortcut.py b/modules/signatures/windows/creates_shortcut.py index 4abd31465..dbaef9f3d 100644 --- a/modules/signatures/windows/creates_shortcut.py +++ b/modules/signatures/windows/creates_shortcut.py @@ -22,7 +22,7 @@ class CreatesShortcut(Signature): categories = ["persistance"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1023", "T1204"] + ttp = ["T1547.009", "T1204"] files_re = [ ".*\\.lnk$", ] diff --git a/modules/signatures/windows/credential_dump.py b/modules/signatures/windows/credential_dump.py index de5ffcf90..df2f8ef28 100644 --- a/modules/signatures/windows/credential_dump.py +++ b/modules/signatures/windows/credential_dump.py @@ -24,7 +24,7 @@ class CredentialDumpingLsass(Signature): minimum = "2.0" evented = True references = ["cyberwardog.blogspot.co.uk/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "cyberwardog.blogspot.co.uk/2017/04/chronicles-of-threat-hunter-hunting-for.html"] - ttp = ["T1003"] + ttp = ["T1003.001"] lsasspid = [] lsasshandle = [] 
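Review bot: In creates_shortcut `ttp = ["T1547.009", "T1204"]` refines the first id to a sub-technique but leaves `T1204` at parent level, and the same pattern recurs with `T1003` in infostealer_browser/ftp/im/mail (L106-L107) even though credential_dump in this line is refined to `T1003.001`. If the shortcut signature is meant to capture the user launching the dropped file, `ttp = ["T1547.009", "T1204.002"]` would be the consistent choice; if parent level is deliberate because the signature cannot distinguish sub-techniques, a one-line comment such as `# T1204 kept at parent level: .lnk creation alone does not identify the sub-technique` makes that explicit. I am inferring intent from the other hunks, so confirm against the mapping you used.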
@@ -62,7 +62,7 @@ class CredentialDumpingLsassAccess(Signature): minimum = "2.0" evented = True references = ["cyberwardog.blogspot.co.uk/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "cyberwardog.blogspot.co.uk/2017/04/chronicles-of-threat-hunter-hunting-for.html"] - ttp = ["T1003"] + ttp = ["T1003.001"] lsasspid = [] creddump = False diff --git a/modules/signatures/windows/crypto_apis.py b/modules/signatures/windows/crypto_apis.py index b27868b7f..c25a4e0da 100644 --- a/modules/signatures/windows/crypto_apis.py +++ b/modules/signatures/windows/crypto_apis.py @@ -22,6 +22,7 @@ class CryptGenKey(Signature): families = ["generic"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["X0021.003"] filter_apinames = "CryptGenKey", "CryptExportKey", diff --git a/modules/signatures/windows/deletes_executed.py b/modules/signatures/windows/deletes_executed.py index e88c5a3ea..383634713 100644 --- a/modules/signatures/windows/deletes_executed.py +++ b/modules/signatures/windows/deletes_executed.py @@ -22,7 +22,7 @@ class DeletesExecutedFiles(Signature): categories = ["persistence", "stealth"] authors = ["Optiv", "Kevin Ross"] minimum = "2.0" - ttp = ["E1007"] + ttp = ["S0007"] evented = True def on_complete(self): diff --git a/modules/signatures/windows/disables_browserwarn.py b/modules/signatures/windows/disables_browserwarn.py index 2cf789e55..6315d8233 100644 --- a/modules/signatures/windows/disables_browserwarn.py +++ b/modules/signatures/windows/disables_browserwarn.py @@ -11,7 +11,7 @@ class DisablesBrowserWarn(Signature): categories = ["generic", "banker", "clickfraud"] authors = ["Optiv", "Kevin Ross"] minimum = "2.0" - ttp = ["E1089", "E1112"] + ttp = ["S0004", "E1112"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnBadCertRecving", diff --git a/modules/signatures/windows/disables_security.py b/modules/signatures/windows/disables_security.py index 52c51ff17..a839683f3 100644 
--- a/modules/signatures/windows/disables_security.py +++ b/modules/signatures/windows/disables_security.py @@ -11,7 +11,7 @@ class DisablesSecurity(Signature): categories = ["anti-av"] authors = ["Cuckoo Technologies", "Brad Spengler"] minimum = "2.0" - ttp = ["E1089"] + ttp = ["S0004"] regkeys_re = [ ("HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA", "attempts to disable user access control"), diff --git a/modules/signatures/windows/disables_wer.py b/modules/signatures/windows/disables_wer.py index 9b29252a7..d8a0fa636 100644 --- a/modules/signatures/windows/disables_wer.py +++ b/modules/signatures/windows/disables_wer.py @@ -11,7 +11,7 @@ class DisablesWER(Signature): categories = ["stealth"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["E1054", "E1089", "E1112"] + ttp = ["S0006", "S0004", "E1112"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ Error\\ Reporting\\\\Disabled$", diff --git a/modules/signatures/windows/disables_windowsupdate.py b/modules/signatures/windows/disables_windowsupdate.py index 6d148e673..34f8b8a41 100644 --- a/modules/signatures/windows/disables_windowsupdate.py +++ b/modules/signatures/windows/disables_windowsupdate.py @@ -11,7 +11,7 @@ class DisablesWindowsUpdate(Signature): categories = ["generic"] authors = ["Optiv"] minimum = "2.0" - ttp = ["E1089"] + ttp = ["S0004"] regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\(AU\\\\NoAutoUpdate|Auto\\ Update\\\\AUOptions)$", diff --git a/modules/signatures/windows/dns_dyndns_provider.py b/modules/signatures/windows/dns_dyndns_provider.py index 86f1feac9..76cd8f4ee 100644 --- a/modules/signatures/windows/dns_dyndns_provider.py +++ b/modules/signatures/windows/dns_dyndns_provider.py 
@@ -12,6 +12,7 @@ class dnsserver_dynamic(Signature): categories = ["dns"] authors = ["RedSocks"] minimum = "2.0" + ttp = ["X0011.003"] ipaddrs = [ "221.228.198.216", diff --git a/modules/signatures/windows/dns_freehosting_domain.py b/modules/signatures/windows/dns_freehosting_domain.py index ace449d7d..3e41b0aeb 100644 --- a/modules/signatures/windows/dns_freehosting_domain.py +++ b/modules/signatures/windows/dns_freehosting_domain.py @@ -12,6 +12,7 @@ class Dns_Freehosting_Domain(Signature): categories = ["freehosting"] authors = ["RedSocks"] minimum = "2.0" + ttp = ["X0011.005"] domains_re = [ ".*\.yzi\.me", diff --git a/modules/signatures/windows/driver_load.py b/modules/signatures/windows/driver_load.py index 282c1b7ec..2db43a3b4 100644 --- a/modules/signatures/windows/driver_load.py +++ b/modules/signatures/windows/driver_load.py @@ -22,6 +22,7 @@ class DriverLoad(Signature): categories = ["stealth"] authors = ["Optiv"] minimum = "2.0" + ttp = ["X0023"] filter_apinames = set(["NtLoadDriver"]) diff --git a/modules/signatures/windows/dropper.py b/modules/signatures/windows/dropper.py index 9e0093446..c8fb4bc48 100644 --- a/modules/signatures/windows/dropper.py +++ b/modules/signatures/windows/dropper.py @@ -22,7 +22,7 @@ class Dropper(Signature): categories = ["dropper"] authors = ["Optiv"] minimum = "2.0" - ttp = ["M0023", "E1105"] + ttp = ["M0023"] def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) diff --git a/modules/signatures/windows/emoves_zoneid_ads.py b/modules/signatures/windows/emoves_zoneid_ads.py index 2a0b49623..9ad29d52b 100644 --- a/modules/signatures/windows/emoves_zoneid_ads.py +++ b/modules/signatures/windows/emoves_zoneid_ads.py @@ -11,7 +11,7 @@ class RemovesZoneIdADS(Signature): categories = ["generic"] authors = ["Optiv"] minimum = "2.0" - ttp = ["E1007"] + ttp = ["S0007"] def on_complete(self): for deletedfile in self.get_files(actions=["file_deleted"]): 
diff --git a/modules/signatures/windows/exec_waitfor.py b/modules/signatures/windows/exec_waitfor.py index 50c468294..e1f8df8fb 100644 --- a/modules/signatures/windows/exec_waitfor.py +++ b/modules/signatures/windows/exec_waitfor.py @@ -13,7 +13,7 @@ class ExecWaitFor(Signature): categories = ["script", "bypass"] authors = ["FDD", "Cuckoo Technologies"] minimum = "2.0" - ttp = ["M0003"] + ttp = ["M0003.003"] def on_complete(self): lower = "".join(self.get_command_lines()).lower() diff --git a/modules/signatures/windows/exploitation.py b/modules/signatures/windows/exploitation.py index 1361b8fe6..a78ac9d7e 100644 --- a/modules/signatures/windows/exploitation.py +++ b/modules/signatures/windows/exploitation.py @@ -11,6 +11,7 @@ class ExploitHeapspray(Signature): categories = ["exploit"] authors = ["Cuckoo Technologies", "Kevin Ross"] minimum = "2.0" + ttp = ["X0006"] references = ["https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/"] filter_apinames = "NtAllocateVirtualMemory", @@ -103,7 +104,7 @@ class StackPivot(Signature): categories = ["exploit", "rop"] authors = ["Optiv", "Kevin Ross"] minimum = "2.0" - ttp = ["E1203"] + ttp = ["X0009"] filter_apinames = critical_apinames @@ -141,6 +142,7 @@ class DEPHeapBypass(Signature): categories = ["exploit"] authors = ["Optiv", "Kevin Ross"] minimum = "2.0" + ttp = ["X0002.002"] filter_apinames = critical_apinames @@ -178,6 +180,7 @@ class DEPStackBypass(Signature): categories = ["exploit"] authors = ["Optiv", "Kevin Ross"] minimum = "2.0" + ttp = ["X0002.001"] filter_apinames = critical_apinames @@ -267,7 +270,7 @@ class StackPivotShellcodeAPIs(Signature): categories = ["exploit", "rop", "shellcode"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["E1203"] + ttp = ["X0009", "E1059"] evented = True 
@@ -308,7 +311,7 @@ class StackPivotShellcodeCreateProcess(Signature):
 categories = ["exploit", "rop", "shellcode"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1203"]
+ ttp = ["X0009", "X0017.001", "E1059"]
 evented = True
diff --git a/modules/signatures/windows/has_authenticode.py b/modules/signatures/windows/has_authenticode.py
index aa662eb13..c01adad3c 100644
--- a/modules/signatures/windows/has_authenticode.py
+++ b/modules/signatures/windows/has_authenticode.py
@@ -8,7 +8,7 @@ class HasAuthenticode(Signature):
 name = "has_authenticode"
 description = "This executable is signed"
 severity = 1
- ttp = ["T1116"]
+ ttp = ["T1553.002"]
 def on_complete(self):
 if self.get_results("static", {}).get("signature"):
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
index 1d82d05b4..ff3c20806 100644
--- a/modules/signatures/windows/infostealer_browser.py
+++ b/modules/signatures/windows/infostealer_browser.py
@@ -22,7 +22,7 @@ class BrowserStealer(Signature):
 categories = ["infostealer"]
 authors = ["nex", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1503", "T1081", "T1003"]
+ ttp = ["T1555.003", "T1552.001", "T1003"]
 files_re = [
 ".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\signons\\.sqlite$",
diff --git a/modules/signatures/windows/infostealer_ftp.py b/modules/signatures/windows/infostealer_ftp.py
index 72765d196..4c468ddd6 100644
--- a/modules/signatures/windows/infostealer_ftp.py
+++ b/modules/signatures/windows/infostealer_ftp.py
@@ -22,7 +22,7 @@ class FTPStealer(Signature):
 categories = ["infostealer"]
 authors = ["nex", "RedSocks", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1003", "T1081"]
+ ttp = ["T1003", "T1552.001"]
 files_re = [
 ".*\\\\CuteFTP\\\\sm\\.dat$",
diff --git a/modules/signatures/windows/infostealer_im.py b/modules/signatures/windows/infostealer_im.py
index 24d4b96f3..6a2c25c44 100644
--- a/modules/signatures/windows/infostealer_im.py
+++ b/modules/signatures/windows/infostealer_im.py
@@ -11,7 +11,7 @@ class IMStealer(Signature):
 categories = ["infostealer"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1003", "T1081"]
+ ttp = ["T1003", "T1552.001"]
 file_indicators = [
 ".*\\\\AIM\\\\aimx\.bin$",
diff --git a/modules/signatures/windows/infostealer_keylogger.py b/modules/signatures/windows/infostealer_keylogger.py
index 5a38b712a..6421b3fa3 100644
--- a/modules/signatures/windows/infostealer_keylogger.py
+++ b/modules/signatures/windows/infostealer_keylogger.py
@@ -23,7 +23,7 @@ class Keylogger(Signature):
 categories = ["generic"]
 authors = ["Thomas Birn", "nex"]
 minimum = "2.0"
- ttp = ["T1056", "E1179"]
+ ttp = ["S0002.001", "S0003.003"]
 filter_apinames = "SetWindowsHookExA", "SetWindowsHookExW"
diff --git a/modules/signatures/windows/infostealer_mail.py b/modules/signatures/windows/infostealer_mail.py
index 582eb9ae9..14af1b4b2 100644
--- a/modules/signatures/windows/infostealer_mail.py
+++ b/modules/signatures/windows/infostealer_mail.py
@@ -11,7 +11,7 @@ class MailStealer(Signature):
 categories = ["infostealer"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1003", "T1081"]
+ ttp = ["T1003", "T1552.001"]
 regkeys_re = [
 ".*\\\\Software\\\\(Wow6432Node\\\\)?IncrediMail"
diff --git a/modules/signatures/windows/injection_explorer.py b/modules/signatures/windows/injection_explorer.py
index 69a51c2d9..e869ea1c7 100644
--- a/modules/signatures/windows/injection_explorer.py
+++ b/modules/signatures/windows/injection_explorer.py
@@ -22,7 +22,7 @@ class InjectionExplorer(Signature):
 categories = ["injection"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1055"]
+ ttp = ["E1055.011"]
 references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
 filter_apinames = [
diff --git a/modules/signatures/windows/injection_memorymodify.py b/modules/signatures/windows/injection_memorymodify.py
index eb3202c37..f9e08653e 100644
--- a/modules/signatures/windows/injection_memorymodify.py
+++ b/modules/signatures/windows/injection_memorymodify.py
@@ -23,7 +23,7 @@ class InjectionModifiesMemory(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
- ttp = ["E1055"]
+ ttp = ["E1055.009"]
 filter_apinames = [
 "NtAllocateVirtualMemory",
diff --git a/modules/signatures/windows/injection_thread.py b/modules/signatures/windows/injection_thread.py
index aa438c856..cfd96fe1c 100644
--- a/modules/signatures/windows/injection_thread.py
+++ b/modules/signatures/windows/injection_thread.py
@@ -22,7 +22,7 @@ class InjectionCreateRemoteThread(Signature):
 categories = ["injection"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1055"]
+ ttp = ["E1055.001"]
 references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
 filter_apinames = [
@@ -53,7 +53,7 @@ class InjectionQueueApcThread(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
- ttp = ["E1055"]
+ ttp = ["E1055.004"]
 filter_apinames = [
 "NtQueueApcThread",
@@ -107,7 +107,7 @@ class NtSetContextThreadRemote(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
- ttp = ["E1055"]
+ ttp = ["E1055.003"]
 filter_apinames = [
 "NtSetContextThread",
diff --git a/modules/signatures/windows/injection_writememory.py b/modules/signatures/windows/injection_writememory.py
index 8c83e13e8..08db6ba25 100644
--- a/modules/signatures/windows/injection_writememory.py
+++ b/modules/signatures/windows/injection_writememory.py
@@ -22,7 +22,7 @@ class InjectionWriteMemory(Signature):
 categories = ["injection"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1055"]
+ ttp = ["E1055.012"]
 filter_apinames = [
 "NtWriteVirtualmemory",
@@ -56,7 +56,7 @@ class InjectionWriteMemoryEXE(Signature):
 categories = ["injection", "unpacking"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1055"]
+ ttp = ["E1055.012"]
 filter_apinames = [
 "NtWriteVirtualmemory",
diff --git a/modules/signatures/windows/javascript_commandline.py b/modules/signatures/windows/javascript_commandline.py
index 302618c11..8e50fd553 100644
--- a/modules/signatures/windows/javascript_commandline.py
+++ b/modules/signatures/windows/javascript_commandline.py
@@ -22,7 +22,7 @@ class JavaScriptCommandline(Signature):
 categories = ["javascript", "persistence", "downloader"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["E1059.007"]
 def on_complete(self):
 for cmdline in self.get_command_lines():
diff --git a/modules/signatures/windows/maldoc.py b/modules/signatures/windows/maldoc.py
index 165c16340..99e5ff0c5 100644
--- a/modules/signatures/windows/maldoc.py
+++ b/modules/signatures/windows/maldoc.py
@@ -11,7 +11,7 @@ class MaliciousDocumentURLs(Signature):
 categories = ["downloader"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0023", "T1064"]
+ ttp = ["M0023", "E1059.007", "E1059.005"]
 filter_apinames = [
 "InternetCrackUrlW",
diff --git a/modules/signatures/windows/martians.py b/modules/signatures/windows/martians.py
index 669cf85f1..a1276ac5f 100644
--- a/modules/signatures/windows/martians.py
+++ b/modules/signatures/windows/martians.py
@@ -82,7 +82,7 @@ class MartianCommandProcess(Signature):
 categories = ["martian", "exploit", "dropper"]
 authors = ["Cuckoo Technologies", "Will Metcalf", "Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1059", "T1064"]
+ ttp = ["T1059"]
 whitelist_procs = [
 "acrord32.exe",
diff --git a/modules/signatures/windows/memdump_urls.py b/modules/signatures/windows/memdump_urls.py
index ae8c5cbb9..bafdc86bb 100644
--- a/modules/signatures/windows/memdump_urls.py
+++ b/modules/signatures/windows/memdump_urls.py
@@ -16,7 +16,6 @@ class ProcMemDumpURLs(Signature):
 categories = ["unpacking"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1188"]
 def on_complete(self):
 for procmem in self.get_results("procmemory", []):
@@ -32,7 +31,7 @@ class ProcMemDumpTorURLs(Signature):
 categories = ["unpacking", "ransomware", "c2"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1188"]
+ ttp = ["T1090.003"]
 def on_complete(self):
 # List based on https://github.com/cuckoosandbox/community/blob/master/modules/signatures/network/network_torgateway.py
diff --git a/modules/signatures/windows/mining.py b/modules/signatures/windows/mining.py
index 2dd4a1441..bf069322c 100644
--- a/modules/signatures/windows/mining.py
+++ b/modules/signatures/windows/mining.py
@@ -12,7 +12,7 @@ class miningpool(Signature):
 categories = ["mining"]
 authors = ["RedSocks"]
 minimum = "2.0"
- ttp = ["M0018"]
+ ttp = ["M0018.002"]
 ipaddrs = [
 "144.76.102.176",
diff --git a/modules/signatures/windows/modifies_certs.py b/modules/signatures/windows/modifies_certs.py
index 9ae332247..74660e7c1 100644
--- a/modules/signatures/windows/modifies_certs.py
+++ b/modules/signatures/windows/modifies_certs.py
@@ -22,7 +22,7 @@ class ModifiesCertificates(Signature):
 categories = ["infostealer", "banker"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1130", "E1112"]
+ ttp = ["T1553.004", "E1112"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\SystemCertificates\\\\.*\\\\Certificates\\\\.*",
diff --git a/modules/signatures/windows/modifies_proxies.py b/modules/signatures/windows/modifies_proxies.py
index b8822fa98..407fb5a9c 100644
--- a/modules/signatures/windows/modifies_proxies.py
+++ b/modules/signatures/windows/modifies_proxies.py
@@ -97,7 +97,7 @@ class DisablesProxy(Signature):
 categories = ["infostealer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1089", "E1112"]
+ ttp = ["S0004", "E1112"]
 evented = True
 filter_apinames = [
diff --git a/modules/signatures/windows/modifies_seccenter.py b/modules/signatures/windows/modifies_seccenter.py
index cfc12c1ad..0ac48cd93 100644
--- a/modules/signatures/windows/modifies_seccenter.py
+++ b/modules/signatures/windows/modifies_seccenter.py
@@ -11,7 +11,7 @@ class ModifySecurityCenterWarnings(Signature):
 categories = ["stealth"]
 authors = ["Kevin Ross", "Optiv"]
 minimum = "2.0"
- ttp = ["E1089", "E1112"]
+ ttp = ["S0004", "E1112"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\.*",
diff --git a/modules/signatures/windows/modifies_uac_notify.py b/modules/signatures/windows/modifies_uac_notify.py
index 376ab765f..b7e5d3bed 100644
--- a/modules/signatures/windows/modifies_uac_notify.py
+++ b/modules/signatures/windows/modifies_uac_notify.py
@@ -11,7 +11,7 @@ class ModifiesUACNotify(Signature):
 categories = ["stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1088", "E1112"]
+ ttp = ["T1548.002", "E1112"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin",
diff --git a/modules/signatures/windows/modifies_zoneid.py b/modules/signatures/windows/modifies_zoneid.py
index d864ee4b7..e55dc608d 100644
--- a/modules/signatures/windows/modifies_zoneid.py
+++ b/modules/signatures/windows/modifies_zoneid.py
@@ -23,7 +23,7 @@ class ZoneID(Signature):
 categories = [""]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["T1070", "T1096"]
+ ttp = ["T1070", "T1564.004"]
 filter_apinames = "NtCreateFile", "NtWriteFile"
diff --git a/modules/signatures/windows/moves_self.py b/modules/signatures/windows/moves_self.py
index e87329f11..8b12fc62f 100644
--- a/modules/signatures/windows/moves_self.py
+++ b/modules/signatures/windows/moves_self.py
@@ -11,7 +11,7 @@ class MovesSelf(Signature):
 severity = 2
 categories = ["stealth"]
 minimum = "2.0"
- ttp = ["E1158"]
+ ttp = ["E1564.001"]
 filter_apinames = (
 "MoveFileWithProgressW", "MoveFileWithProgressTransactedW",
diff --git a/modules/signatures/windows/network_rdp_mutex.py b/modules/signatures/windows/network_rdp_mutex.py
index aac4c0cf1..c04fec6e2 100644
--- a/modules/signatures/windows/network_rdp_mutex.py
+++ b/modules/signatures/windows/network_rdp_mutex.py
@@ -13,6 +13,7 @@ class RdpMutexes(Signature):
 families = ["rdp"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["X0022.001"]
 mutexes_re = [
 "msrdp*",
diff --git a/modules/signatures/windows/network_tor.py b/modules/signatures/windows/network_tor.py
index a0924b9a1..3261f19c9 100644
--- a/modules/signatures/windows/network_tor.py
+++ b/modules/signatures/windows/network_tor.py
@@ -22,7 +22,7 @@ class Tor(Signature):
 categories = ["network", "anonimity", "tor"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["T1188"]
+ ttp = ["T1090.003"]
 filter_apinames = "CreateServiceA", "CreateServiceW"
diff --git a/modules/signatures/windows/network_tor_service.py b/modules/signatures/windows/network_tor_service.py
index 933537997..a1cb4c940 100644
--- a/modules/signatures/windows/network_tor_service.py
+++ b/modules/signatures/windows/network_tor_service.py
@@ -22,7 +22,7 @@ class TorHiddenService(Signature):
 categories = ["network", "anonimity", "tor"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["T1188"]
+ ttp = ["T1090.003"]
 indicators = [
 ".*\\\\tor\\\\hidden_service\\\\private_key$",
diff --git a/modules/signatures/windows/office.py b/modules/signatures/windows/office.py
index 69ad4d464..15befa790 100644
--- a/modules/signatures/windows/office.py
+++ b/modules/signatures/windows/office.py
@@ -58,7 +58,7 @@ class OfficeCheckProjectName(Signature):
 categories = ["vba"]
 authors = ["FDD", "Cuckoo Sandbox"]
 minimum = "2.0"
- ttp = ["M0038", "M0007"]
+ ttp = ["M0038", "M0007.007"]
 filter_apinames = "vbe6_Invoke",
@@ -76,7 +76,7 @@ class OfficeCountDirectories(Signature):
 categories = ["vba"]
 authors = ["FDD @ Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0007", "T1083"]
+ ttp = ["M0007.003", "T1083"]
 filter_apinames = "vbe6_Invoke",
@@ -94,7 +94,7 @@ class OfficeCheckVersion(Signature):
 categories = ["vba"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0009", "T1518"]
+ ttp = ["M0009.007", "T1518"]
 filter_apinames = "vbe6_Invoke",
@@ -118,7 +118,7 @@ class OfficeCheckWindow(Signature):
 categories = ["vba"]
 authors = ["FDD @ Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0009", "T1010"]
+ ttp = ["M0009.020", "T1010"]
 filter_apinames = "vbe6_Invoke",
@@ -142,7 +142,7 @@ class OfficeHttpRequest(Signature):
 categories = ["vba"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1203", "T1071"]
+ ttp = ["X0002.003"]
 filter_apinames = "vbe6_Invoke",
@@ -168,7 +168,7 @@ class OfficeRecentFiles(Signature):
 categories = ["vba"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0007", "T1083"]
+ ttp = ["M0007.003", "T1083"]
 filter_apinames = "vbe6_Invoke",
@@ -197,7 +197,7 @@ class OfficeIndirectCall(Signature):
 categories = ["office"]
 authors = ["FDD @ Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["E1059"]
 patterns = [
 "CallByName[^\r\n;']*",
@@ -221,7 +221,7 @@ class OfficeCheckName(Signature):
 categories = ["office"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0038", "M0007", "T1064"]
+ ttp = ["M0038", "M0007.007", "E1059"]
 patterns = [
 "[^\n\r;']*Me.Name[^\n\r;']*",
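Review bot: OfficeHttpRequest replaces both `T1203` and `T1071` with the single `X0002.003`, dropping the application-layer-protocol tag, whereas NetworkDocumentFile in payload_download.py keeps `T1071` next to its new id and PowershellCcDns keeps `T1071.004`; if the HTTP request is still meant to be reported as application-layer C2 traffic, `ttp = ["X0002.003", "T1071"]` would keep this signature in line with those. If the drop is deliberate because `X0002.003` is taken to cover the network side, a one-line comment on the attribute would save the next reader the cross-file comparison. The OfficeHttpRequest class body continues outside the hunk.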
@@ -245,7 +245,7 @@ class OfficePlatformDetect(Signature):
 categories = ["office"]
 authors = ["FDD @ Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1082", "T1064"]
+ ttp = ["T1082", "E1059"]
 patterns = [
 "#If\s+(?:Not\s+)?Win32",
@@ -270,7 +270,7 @@ class DocumentClose(Signature):
 categories = ["office"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["E1059"]
 def on_complete(self):
 office = self.get_results("static", {}).get("office", {})
@@ -286,7 +286,7 @@ class DocumentOpen(Signature):
 categories = ["office"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["E1059"]
 def on_complete(self):
 office = self.get_results("static", {}).get("office", {})
diff --git a/modules/signatures/windows/packer_entropy.py b/modules/signatures/windows/packer_entropy.py
index 02a148de5..b3408ed30 100644
--- a/modules/signatures/windows/packer_entropy.py
+++ b/modules/signatures/windows/packer_entropy.py
@@ -22,7 +22,7 @@ class PackerEntropy(Signature):
 categories = ["packer"]
 authors = ["Robby Zeitfuchs", "nex"]
 minimum = "2.0"
- ttp = ["E1045"]
+ ttp = ["S0001"]
 references = [
 "http://www.forensickb.com/2013/03/file-entropy-explained.html",
 "http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
diff --git a/modules/signatures/windows/packer_upx.py b/modules/signatures/windows/packer_upx.py
index c292f9f46..69db2d8d7 100644
--- a/modules/signatures/windows/packer_upx.py
+++ b/modules/signatures/windows/packer_upx.py
@@ -22,7 +22,7 @@ class UPXCompressed(Signature):
 categories = ["packer"]
 authors = ["Michael Boman", "nex"]
 minimum = "2.0"
- ttp = ["E1045"]
+ ttp = ["S0001.008"]
 def on_complete(self):
 for section in self.get_results("static", {}).get("pe_sections", []):
diff --git a/modules/signatures/windows/packer_vmprotect.py b/modules/signatures/windows/packer_vmprotect.py
index a1a8ff0de..73e0a1867 100644
--- a/modules/signatures/windows/packer_vmprotect.py
+++ b/modules/signatures/windows/packer_vmprotect.py
@@ -22,7 +22,7 @@ class VMPPacked(Signature):
 categories = ["packer"]
 authors = ["Jeremy Hedges"]
 minimum = "2.0"
- ttp = ["E1045"]
+ ttp = ["S0001.010"]
 def on_complete(self):
 for section in self.get_results("static", {}).get("pe_sections", []):
diff --git a/modules/signatures/windows/payload_download.py b/modules/signatures/windows/payload_download.py
index ec679ee5f..fb452cb04 100644
--- a/modules/signatures/windows/payload_download.py
+++ b/modules/signatures/windows/payload_download.py
@@ -23,7 +23,7 @@ class NetworkDocumentFile(Signature):
 categories = ["exploit", "downloader"]
 authors = ["Kevin Ross", "Will Metcalf"]
 minimum = "2.0"
- ttp = ["T1071", "T1105"]
+ ttp = ["T1071", "E1105"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/pe_features.py b/modules/signatures/windows/pe_features.py
index 9321b9d23..c6fddf090 100644
--- a/modules/signatures/windows/pe_features.py
+++ b/modules/signatures/windows/pe_features.py
@@ -13,7 +13,7 @@ class PEFeatures(Signature):
 categories = ["packer"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["E1045"]
+ ttp = ["S0001"]
 section_names = [
 ".text", ".rdata", ".data", ".pdata", ".DATA", ".reloc", ".idata",
@@ -45,7 +45,7 @@ class PEIDPacker(Signature):
 categories = ["packer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1045"]
+ ttp = ["S0001.002"]
 def on_complete(self):
 if self.get_results("static", {}).get("peid_signatures", []):
@@ -61,7 +61,7 @@ class PEUnknownResourceName(Signature):
 categories = ["packer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1045"]
+ ttp = ["S0001"]
 names = [
 "RT_ACCELERATOR",
diff --git a/modules/signatures/windows/persistence_ads.py b/modules/signatures/windows/persistence_ads.py
index c668f7d61..b60c65f09 100644
--- a/modules/signatures/windows/persistence_ads.py
+++ b/modules/signatures/windows/persistence_ads.py
@@ -27,7 +27,7 @@ class ADS(Signature):
 categories = ["persistence", "ads"]
 authors = ["nex", "Optiv"]
 minimum = "2.0"
- ttp = ["T1096"]
+ ttp = ["T1564.004"]
 def on_complete(self):
 for filepath in self.get_files():
diff --git a/modules/signatures/windows/persistence_autorun.py b/modules/signatures/windows/persistence_autorun.py
index bc45fea71..f7ebf7ee1 100644
--- a/modules/signatures/windows/persistence_autorun.py
+++ b/modules/signatures/windows/persistence_autorun.py
@@ -31,7 +31,7 @@ class Autorun(Signature):
 categories = ["persistence"]
 authors = ["Michael Boman", "nex", "securitykitten", "Cuckoo Technologies", "Optiv", "KillerInstinct", "Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1060", "T1050", "E1112"]
+ ttp = ["S0012", "T1543.003", "E1112"]
 regkeys_re = [
 ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\.*",
diff --git a/modules/signatures/windows/persistence_bootexecute.py b/modules/signatures/windows/persistence_bootexecute.py
index 2918d1ba1..9c2f12571 100644
--- a/modules/signatures/windows/persistence_bootexecute.py
+++ b/modules/signatures/windows/persistence_bootexecute.py
@@ -23,7 +23,7 @@ class PersistenceBootexecute(Signature):
 authors = ["Brad Spengler"]
 minimum = "2.0"
 evented = True
- ttp = ["E1060"]
+ ttp = ["S0012"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/persistence_registry_fileless.py b/modules/signatures/windows/persistence_registry_fileless.py
index cdd0558a5..1864cf5e3 100644
--- a/modules/signatures/windows/persistence_registry_fileless.py
+++ b/modules/signatures/windows/persistence_registry_fileless.py
@@ -45,7 +45,7 @@ class PersistenceRegistryEXE(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 evented = True
- ttp = ["M0040", "E1112"]
+ ttp = ["M0040.001", "E1112"]
 filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"])
@@ -67,7 +67,7 @@ class PersistenceRegistryPowershell(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 evented = True
- ttp = ["E1112", "T1086"]
+ ttp = ["E1112", "E1059.001"]
 filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"])
diff --git a/modules/signatures/windows/powerfun.py b/modules/signatures/windows/powerfun.py
index c65c8b59e..7b7d05925 100644
--- a/modules/signatures/windows/powerfun.py
+++ b/modules/signatures/windows/powerfun.py
@@ -11,7 +11,7 @@ class Powerfun(Signature):
 categories = ["script", "malware", "injector"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086"]
+ ttp = ["E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "Powerfun":
diff --git a/modules/signatures/windows/powershell.py b/modules/signatures/windows/powershell.py
index c9f3053ea..62dbdbdd8 100644
--- a/modules/signatures/windows/powershell.py
+++ b/modules/signatures/windows/powershell.py
@@ -13,7 +13,7 @@ class SuspiciousPowershell(Signature):
 categories = ["script", "dropper", "downloader", "packer"]
 authors = ["Kevin Ross", "Cuckoo Technologies", "FDD"]
 minimum = "2.0"
- ttp = ["T1086"]
+ ttp = ["E1059.001"]
 def on_complete(self):
 for cmdline in self.get_command_lines():
@@ -64,7 +64,7 @@ class AmsiBypass(Signature):
 categories = ["script", "malware", "powershell", "amsi"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["E1089"]
+ ttp = ["S0004.004", "E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellAMSI":
@@ -82,7 +82,7 @@ class PowershellBitsTransfer(Signature):
 categories = ["script", "dropper", "downloader", "malware", "powershell"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1197"]
+ ttp = ["E1059.001", "T1197"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellBitsTransfer":
@@ -101,7 +101,7 @@ class PowershellDdiRc4(Signature):
 categories = ["script", "dropper", "downloader", "malware", "powershell"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1105", "T1086"]
+ ttp = ["E1105", "E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellDdiRc4":
@@ -130,7 +130,7 @@ class PowershellDFSP(Signature):
 categories = ["script", "dropper", "downloader", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1105", "T1086"]
+ ttp = ["E1105", "E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellDFSP":
@@ -149,7 +149,7 @@ class PowershellDI(Signature):
 categories = ["script", "dropper", "downloader", "malware", "powershell"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086", "T1105"]
+ ttp = ["E1059.001", "E1105"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellDI":
@@ -181,7 +181,7 @@ class PowershellDownload(Signature):
 categories = ["downloader"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1086", "T1105"]
+ ttp = ["E1059.001", "E1105"]
 filter_apinames = [
 "recv",
@@ -204,7 +204,7 @@ class PowershellEmpire(Signature):
 categories = ["script", "dropper", "downloader", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086"]
+ ttp = ["E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellEmpire":
@@ -222,7 +222,7 @@ class PowershellMeterpreter(Signature):
 categories = ["script", "meterpreter", "powershell", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086"]
+ ttp = ["E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellMeterpreter":
@@ -246,7 +246,7 @@ class PowershellRequest(Signature):
 categories = ["downloader"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1086"]
+ ttp = ["E1059.001"]
 filter_apinames = [
 "send",
@@ -266,7 +266,7 @@ class PowershellCcDns(Signature):
 categories = ["script", "bot", "dns", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086", "T1071"]
+ ttp = ["E1059.001", "T1071.004"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellCcDns":
@@ -286,7 +286,7 @@ class PowershellUnicorn(Signature):
 categories = ["script", "dropper", "downloader", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086", "E1055"]
+ ttp = ["E1059.001", "E1055"]
 def on_yara(self, category, filepath, match):
 if match.name != "UnicornGen":
diff --git a/modules/signatures/windows/powershell_reg.py b/modules/signatures/windows/powershell_reg.py
index 69a6e888a..befdc84ca 100644
--- a/modules/signatures/windows/powershell_reg.py
+++ b/modules/signatures/windows/powershell_reg.py
@@ -14,7 +14,7 @@ class PowershellRegAdd(Signature):
 categories = ["script", "powershell"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["E1112", "T1086"]
+ ttp = ["E1112", "E1059.001"]
 def on_complete(self):
 lower = "".join(self.get_command_lines()).lower()
diff --git a/modules/signatures/windows/powerworm.py b/modules/signatures/windows/powerworm.py
index 495379057..5a5968788 100644
--- a/modules/signatures/windows/powerworm.py
+++ b/modules/signatures/windows/powerworm.py
@@ -11,7 +11,7 @@ class Powerworm(Signature):
 categories = ["script", "malware", "powershell", "worm"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086"]
+ ttp = ["E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowerWorm":
diff --git a/modules/signatures/windows/protection_rx.py b/modules/signatures/windows/protection_rx.py
index a19bfdf4e..1c36ef9c6 100644
--- a/modules/signatures/windows/protection_rx.py
+++ b/modules/signatures/windows/protection_rx.py
@@ -12,6 +12,7 @@ class MemoryProtectionRX(Signature):
 severity = 2
 categories = ["unpacking"]
 minimum = "2.0"
+ ttp = ["X0008"]
 filter_apinames = (
 "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
diff --git a/modules/signatures/windows/ransomware_filemodications.py b/modules/signatures/windows/ransomware_filemodications.py
index 9504bd52c..ec4f072c7 100644
--- a/modules/signatures/windows/ransomware_filemodications.py
+++ b/modules/signatures/windows/ransomware_filemodications.py
@@ -53,7 +53,7 @@ class RansomwareAppendsExtension(Signature):
 categories = ["ransomware"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1486"]
+ ttp = ["E1486", "X0015.001"]
 filter_apinames = "MoveFileWithProgressW", "MoveFileWithProgressTransactedW"
@@ -119,7 +119,7 @@ class RansomwareMassFileDelete(Signature):
 categories = ["ransomware", "wiper"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1488"]
+ ttp = ["T1561.001"]
 evented = True
 def on_complete(self):
diff --git a/modules/signatures/windows/ransomware_files.py b/modules/signatures/windows/ransomware_files.py
index 9dcbfe5dc..dc876738c 100644
--- a/modules/signatures/windows/ransomware_files.py
+++ b/modules/signatures/windows/ransomware_files.py
@@ -23,7 +23,7 @@ class RansomwareFiles(Signature):
 categories = ["ransomware"]
 authors = ["KillerInstinct", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["E1486"]
+ ttp = ["E1486", "X0016.002"]
 indicators = [
 (".*\\\\help_decrypt\.html$", ["CryptoWall"]),
diff --git a/modules/signatures/windows/ransomware_recyclebin.py b/modules/signatures/windows/ransomware_recyclebin.py
index d591ec66b..1d1ee69ab 100644
--- a/modules/signatures/windows/ransomware_recyclebin.py
+++ b/modules/signatures/windows/ransomware_recyclebin.py
@@ -11,7 +11,7 @@ class RansomwareRecyclebin(Signature):
 categories = ["ransomware"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["E1485"]
+ ttp = ["E1485.m02"]
 def on_complete(self):
 for deleted in self.check_file("C:\\\\RECYCLER\\\\.*", actions=["file_deleted"], regex=True, all=True):
diff --git a/modules/signatures/windows/self_delete_bat.py b/modules/signatures/windows/self_delete_bat.py
index 26df29256..42085bff1 100644
--- a/modules/signatures/windows/self_delete_bat.py
+++ b/modules/signatures/windows/self_delete_bat.py
@@ -13,7 +13,7 @@ class SelfDeleteBat(Signature):
 categories = ["trojan"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["E1007"]
+ ttp = ["S0007"]
 indicator = (
 "@echo.*off.*"
diff --git a/modules/signatures/windows/smtp_gmail.py b/modules/signatures/windows/smtp_gmail.py
index c3057c6df..e510f29a6 100644
--- a/modules/signatures/windows/smtp_gmail.py
+++ b/modules/signatures/windows/smtp_gmail.py
@@ -12,6 +12,7 @@ class Smtp_GMail(Signature):
 categories = ["smtp"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["X0012.001"]
 domains = [
 "smtp.gmail.com",
diff --git a/modules/signatures/windows/smtp_live.py b/modules/signatures/windows/smtp_live.py
index ac650e4ea..473caa144 100644
--- a/modules/signatures/windows/smtp_live.py
+++ b/modules/signatures/windows/smtp_live.py
@@ -12,6 +12,7 @@ class Smtp_Live(Signature):
 categories = ["smtp"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["X0012.001"]
 domains = [
 "smtp.live.com",
diff --git a/modules/signatures/windows/smtp_mailru.py b/modules/signatures/windows/smtp_mailru.py
index 5256779c0..5a7216b5a 100644
--- a/modules/signatures/windows/smtp_mailru.py
+++ b/modules/signatures/windows/smtp_mailru.py
@@ -12,6 +12,7 @@ class Smtp_Mail_Ru(Signature):
 categories = ["smtp"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["X0012.001"]
 ipaddrs = [
 "94.100.180.160",
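Review bot: `E1485.m02` introduces a letter-prefixed method index, while every other sub-id in this commit is purely numeric (`E1055.012`, `T1090.003`, `S0001.008`); the same `.mNN` form appears as `E1203.m05` / `E1203.m06` in the windows_utilities.py hunks further down. If anything downstream parses or links `ttp` values (a report renderer or an ATT&CK/MBC lookup), it should be confirmed to accept this form rather than assuming a numeric suffix, and a short comment on the attribute noting that `.mNN` is a method id would spare readers the question. The on_complete body continues outside the hunk.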
diff --git a/modules/signatures/windows/smtp_yahoo.py b/modules/signatures/windows/smtp_yahoo.py
index 42d7c6744..bf4bdc048 100644
--- a/modules/signatures/windows/smtp_yahoo.py
+++ b/modules/signatures/windows/smtp_yahoo.py
@@ -12,6 +12,7 @@ class Smtp_Yahoo(Signature):
 categories = ["smtp"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["X0012.001"]
 domains = [
 "smtp.mail.yahoo.com",
diff --git a/modules/signatures/windows/stealth_childproc.py b/modules/signatures/windows/stealth_childproc.py
index 3436c507f..8f39923a5 100644
--- a/modules/signatures/windows/stealth_childproc.py
+++ b/modules/signatures/windows/stealth_childproc.py
@@ -11,7 +11,7 @@ class StealthChildProc(Signature):
 categories = ["stealth"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1502"]
+ ttp = ["T1134.004"]
 filter_apinames = [
 "NtCreateProcess",
diff --git a/modules/signatures/windows/stealth_hidenotifications.py b/modules/signatures/windows/stealth_hidenotifications.py
index 798a4f3e3..25c1816c8 100644
--- a/modules/signatures/windows/stealth_hidenotifications.py
+++ b/modules/signatures/windows/stealth_hidenotifications.py
@@ -11,7 +11,7 @@ class StealthHideNotifications(Signature):
 categories = ["stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1054", "E1112"]
+ ttp = ["S0006", "E1112"]
 regkeys_re = [
 ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth$",
diff --git a/modules/signatures/windows/stealth_window.py b/modules/signatures/windows/stealth_window.py
index 245d5c2db..f8c3ad301 100644
--- a/modules/signatures/windows/stealth_window.py
+++ b/modules/signatures/windows/stealth_window.py
@@ -27,7 +27,7 @@ class Hidden_Window(Signature):
 categories = ["stealth"]
 authors = ["KillerInstinct"]
 minimum = "2.0"
- ttp = ["T1143"]
+ ttp = ["T1564.003"]
 filter_apinames = set(["ShellExecuteExW", "CreateProcessInternalW"])
diff --git a/modules/signatures/windows/suspicious_process.py b/modules/signatures/windows/suspicious_process.py
index 5f82af85a..d43ed3d0b 100644
--- a/modules/signatures/windows/suspicious_process.py
+++ b/modules/signatures/windows/suspicious_process.py
@@ -11,6 +11,7 @@ class CreatesSuspiciousProcess(Signature):
 categories = ["packer"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["X0017"]
 processes = [
 "svchost", "powershell", "regsvr32", "bcdedit", "mshta", "schtasks",
diff --git a/modules/signatures/windows/terminates_process.py b/modules/signatures/windows/terminates_process.py
index e3006d1b4..11ca8f38e 100644
--- a/modules/signatures/windows/terminates_process.py
+++ b/modules/signatures/windows/terminates_process.py
@@ -23,6 +23,7 @@ class TerminatesRemoteProcess(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 evented = True
+ ttp = ["X0018"]
 filter_apinames = "NtTerminateProcess",
diff --git a/modules/signatures/windows/volatility_sig.py b/modules/signatures/windows/volatility_sig.py
index de2e148af..b2d5766fe 100644
--- a/modules/signatures/windows/volatility_sig.py
+++ b/modules/signatures/windows/volatility_sig.py
@@ -73,7 +73,7 @@ class VolDevicetree1(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["E1215"]
+ ttp = ["S0010.001"]
 # http://mnin.blogspot.de/2011/10/zeroaccess-volatility-and-kernel-timers.html
@@ -92,7 +92,7 @@ class VolSvcscan1(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["E1089"]
+ ttp = ["S0004"]
 def on_complete(self):
 for row in self.get_volatility("svcscan").get("data", []):
@@ -110,7 +110,7 @@ class VolSvcscan2(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["E1089"]
+ ttp = ["S0004"]
 def on_complete(self):
 for row in self.get_volatility("svcscan").get("data", []):
@@ -128,7 +128,7 @@ class VolSvcscan3(Signature): authors = ["Thorsten Sick"] families = ["Zero access"] minimum = "2.0" - ttp = ["E1089"] + ttp = ["S0004"] def on_complete(self): for row in self.get_volatility("svcscan").get("data", []): @@ -146,7 +146,7 @@ class VolModscan1(Signature): authors = ["Thorsten Sick"] families = ["Zero access"] minimum = "2.0" - ttp = ["E1215"] + ttp = ["S0010"] def on_complete(self): for row in self.get_volatility("modscan").get("data", []): diff --git a/modules/signatures/windows/windows_utilities.py b/modules/signatures/windows/windows_utilities.py index 80645ae0b..cc8360122 100644 --- a/modules/signatures/windows/windows_utilities.py +++ b/modules/signatures/windows/windows_utilities.py @@ -150,7 +150,7 @@ class UsesWindowsUtilities(Signature): categories = ["commands", "lateral"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1053"] + ttp = ["E1203.m06"] references = ["http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"] def on_complete(self): @@ -168,6 +168,7 @@ class SuspiciousCommandTools(Signature): categories = ["commands", "lateral"] authors = ["Kevin Ross"] minimum = "2.0" + ttp = ["E1203.m06"] def on_complete(self): for cmdline in self.get_command_lines(): @@ -185,6 +186,7 @@ class SysInternalsToolsUsage(Signature): authors = ["Kevin Ross"] minimum = "2.0" references = ["docs.microsoft.com/en-us/sysinternals/downloads/"] + ttp = ["E1203.m05"] def on_complete(self): for cmdline in self.get_command_lines(): diff --git a/modules/signatures/windows/wmi.py b/modules/signatures/windows/wmi.py index aa90f1120..1db5ffdde 100644 --- a/modules/signatures/windows/wmi.py +++ b/modules/signatures/windows/wmi.py @@ -33,7 +33,7 @@ class Win32ProcessCreate(Signature): categories = ["wmi"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["T1047"] + ttp = ["T1047", "X0017.002"] filter_apinames = [ "IWbemServices_ExecMethod", 
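Review bot: The UsesWindowsUtilities hunk replaces `T1053` with `E1203.m06` rather than extending it, so the ATT&CK scheduled-task tag is dropped from reports, while the wmi.py hunk on the same line keeps `T1047` next to its MBC ID (`ttp = ["T1047", "X0017.002"]`) — two hunks in one commit follow different policies for the same kind of change. If the intent is the "revise and/or extend" described in the README, keep the ATT&CK ID: `ttp = ["T1053", "E1203.m06"]`; if it was deliberately dropped because the signature is broader than schtasks (its JPCERT reference is about Windows commands in general), say so on the line, e.g. `# T1053 dropped: signature covers more than scheduled tasks`. Note that the lowercase `.m06` method suffix is untouched by the later M->B letter remap, which is correct but easy to misread given that remap is described only by letter. The on_complete bodies of these classes continue outside the hunks.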
From fcdf6b713ff02839d252b14e39679c18f0e0b7d9 Mon Sep 17 00:00:00 2001 From: Desiree Beck Date: Fri, 7 Aug 2020 14:59:29 -0400 Subject: [PATCH 08/12] Update README.md --- README.md | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 3da7dba19..60f040554 100644 --- a/README.md +++ b/README.md 
@@ -1,15 +1,21 @@ # Cuckoo Community Signature-MBC Mappings # -The MBC team has mapped [Cuckoo community signatures](https://github.com/cuckoosandbox/community) into MBC. Of the 560+ signatures available, approximately 275 are appropriate for mapping into MBC (the others are anti-virus related signatures that identify specific threats). +The MBC team has mapped [Cuckoo community signatures](https://github.com/cuckoosandbox/community) into MBC. Of the 565 signatures available, 313 were mapped into MBC (the others are anti-virus related signatures that identify specific threats). Prior to this MBC-oriented mapping, 165 of the signatures were mapped into ATT&CK. We added new signatures, which was possible because MBC includes malware-related behaviors that ATT&CK doesn't. We also used MBC's malware-focused content to revise and/or extend the existing ATT&CK mappings. -Approximately 140 of the signatures were already mapped into ATT&CK. We added new signatures, which was possible because MBC includes malware-related behaviors that ATT&CK doesn't. We also used MBC's malware-focused content to revise 80 of the existing ATT&CK mappings. +|Description|Number| +|-----------|------| +|New mappings|148| +|Updated mappings|83| +|Extended mappings|21| +|Unchanged mappings|61| +|**TOTAL MAPPINGS**|**313**| Below, we explain how these signatures are used. We begin with an example Python signature and then show example Cuckoo report output. We conclude with information on using the signature repository. Example Cuckoo Signature ------------------------ -This signature example (antisandbox_sleep.py) was not mapped to an ATT&CK technique. We map it to **Dynamic Analysis Evasion [M0003]** as shown below (see the ttp variable). +This signature example (antisandbox_sleep.py) was not mapped to an ATT&CK technique. We map it to **Dynamic Analysis Evasion::Delayed Execution [M0003.003]** as shown below (see the ttp variable). ```python from lib.cuckoo.common.abstracts import Signature 
@@ -21,14 +27,14 @@ class AntiSandboxSleep(Signature): categories = ["anti-sandbox"] authors = ["KillerInstinct"] minimum = "2.0" - ttp = ["M0003"] + ttp = ["M0003.003"] ... ``` Cuckoo Reports -------------- -The signature section of a Cuckoo report specifies associated MBC behavior as shown in the example below (Dynamic Analysis Evasion [M0003] behavior is shown). +The signature section of a Cuckoo report specifies associated MBC behavior as shown in the example below (Dynamic Analysis Evasion [M0003.003] behavior is shown). ```json { @@ -38,7 +44,7 @@ The signature section of a Cuckoo report specifies associated MBC behavior as sh "description": "A process attempted to delay the analysis task.", "severity": 1, "ttp": { - "M0003": { + "M0003.003": { "short": "Dynamic Analysis Evasion", "long": "Malware may obstruct dynamic analysis in a sandbox, emulator, or virtual " } @@ -63,4 +69,4 @@ latest Cuckoo Sandbox release. While it's possible to download the whole repository and extract it in Cuckoo's root directory, it is suggested that only the modules of interest are copied. Cuckoo also provides an utility to automatically download and install -latest modules. You can do so by running the `cuckoo community` command. \ No newline at end of file +latest modules. You can do so by running the `cuckoo community` command. From 9ef29f5e817545621096a64d728266aa23de7ca5 Mon Sep 17 00:00:00 2001 From: Desiree Beck Date: Fri, 7 Aug 2020 15:00:51 -0400 Subject: [PATCH 09/12] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 60f040554..2f8a86776 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # Cuckoo Community Signature-MBC Mappings # -The MBC team has mapped [Cuckoo community signatures](https://github.com/cuckoosandbox/community) into MBC. Of the 565 signatures available, 313 were mapped into MBC (the others are anti-virus related signatures that identify specific threats). Prior to this MBC-oriented mapping, 165 of the signatures were mapped into ATT&CK. We added new signatures, which was possible because MBC includes malware-related behaviors that ATT&CK doesn't. We also used MBC's malware-focused content to revise and/or extend the existing ATT&CK mappings. +The MBC team has mapped [Cuckoo community signatures](https://github.com/cuckoosandbox/community) into MBC. Of the 565 signatures available, 313 have been mapped into MBC (the others are anti-virus related signatures that identify specific threats). Prior to this MBC-oriented mapping, 165 of the signatures were mapped into ATT&CK. We added new signatures, which was possible because MBC includes malware-related behaviors that ATT&CK doesn't. We also used MBC's malware-focused content to revise and/or extend the existing ATT&CK mappings. |Description|Number| |-----------|------| From a7f58f1044089edc1de835f62910ebe3266dc816 Mon Sep 17 00:00:00 2001 
From: Emmanuelle Vargas-Gonzalez Date: Thu, 13 Aug 2020 13:39:58 -0400 Subject: [PATCH 10/12] Remap letters in MBC IDs to match v2.0 M -> B X -> C S -> F --- README.md | 2 +- .../signatures/android/android_reflection_code.py | 2 +- .../application_aborted_broadcast_receiver.py | 2 +- .../android/application_installed_app.py | 2 +- modules/signatures/cross/js_suspicious.py | 2 +- modules/signatures/network/dns_cnc.py | 2 +- modules/signatures/network/dns_tld.py | 2 +- modules/signatures/network/network_bind.py | 2 +- modules/signatures/network/network_cnc_http.py | 4 ++-- modules/signatures/network/network_dyndns.py | 2 +- modules/signatures/network/network_http.py | 2 +- modules/signatures/network/network_icmp.py | 2 +- modules/signatures/network/network_smtp.py | 2 +- modules/signatures/windows/allocates_rwx.py | 2 +- .../signatures/windows/antianalysis_detectfile.py | 2 +- modules/signatures/windows/antiav_servicestop.py | 2 +- modules/signatures/windows/antiav_srp.py | 2 +- .../signatures/windows/antidbg_debuggercheck.py | 4 ++-- modules/signatures/windows/antidbg_devices.py | 2 +- modules/signatures/windows/antidbg_windows.py | 2 +- modules/signatures/windows/antiemu_wine.py | 2 +- .../signatures/windows/antisandbox_clipboard.py | 2 +- .../signatures/windows/antisandbox_cuckoo_files.py | 2 +- modules/signatures/windows/antisandbox_file.py | 2 +- modules/signatures/windows/antisandbox_forehwnd.py | 2 +- .../windows/antisandbox_fortinet_files.py | 2 +- modules/signatures/windows/antisandbox_idletime.py | 2 +- .../windows/antisandbox_joe_anubis_files.py | 2 +- .../signatures/windows/antisandbox_mouse_hook.py | 2 +- modules/signatures/windows/antisandbox_restart.py | 2 +- modules/signatures/windows/antisandbox_sleep.py | 2 +- modules/signatures/windows/antisandbox_sunbelt.py | 2 +- .../windows/antisandbox_sunbelt_files.py | 2 +- .../windows/antisandbox_threattrack_files.py | 2 +- modules/signatures/windows/antisandbox_unhook.py | 2 +- 
modules/signatures/windows/antivm_bochs_keys.py | 2 +- modules/signatures/windows/antivm_computername.py | 2 +- modules/signatures/windows/antivm_disksize.py | 2 +- modules/signatures/windows/antivm_generic_bios.py | 2 +- modules/signatures/windows/antivm_generic_cpu.py | 2 +- modules/signatures/windows/antivm_generic_disk.py | 2 +- .../signatures/windows/antivm_generic_firmware.py | 2 +- modules/signatures/windows/antivm_generic_ide.py | 2 +- modules/signatures/windows/antivm_generic_scsi.py | 2 +- .../signatures/windows/antivm_generic_services.py | 2 +- modules/signatures/windows/antivm_hyperv_keys.py | 2 +- .../signatures/windows/antivm_memory_available.py | 2 +- .../signatures/windows/antivm_network_adapter.py | 2 +- .../signatures/windows/antivm_parallels_keys.py | 2 +- .../signatures/windows/antivm_parallels_window.py | 2 +- modules/signatures/windows/antivm_psuedo_device.py | 2 +- modules/signatures/windows/antivm_sandboxie.py | 2 +- modules/signatures/windows/antivm_vbox_acpi.py | 2 +- modules/signatures/windows/antivm_vbox_devices.py | 2 +- modules/signatures/windows/antivm_vbox_files.py | 2 +- modules/signatures/windows/antivm_vbox_keys.py | 2 +- modules/signatures/windows/antivm_vbox_provname.py | 2 +- modules/signatures/windows/antivm_vbox_window.py | 2 +- modules/signatures/windows/antivm_virtualpc.py | 2 +- .../signatures/windows/antivm_virtualpc_magic.py | 2 +- .../signatures/windows/antivm_virtualpc_window.py | 2 +- modules/signatures/windows/antivm_vmware_files.py | 2 +- .../signatures/windows/antivm_vmware_in_insn.py | 2 +- modules/signatures/windows/antivm_vmware_keys.py | 2 +- modules/signatures/windows/antivm_vmware_window.py | 2 +- modules/signatures/windows/antivm_vpc_keys.py | 2 +- modules/signatures/windows/antivm_xen_keys.py | 2 +- modules/signatures/windows/bitcoin_opencl.py | 2 +- modules/signatures/windows/bootconfig_modify.py | 2 +- modules/signatures/windows/bootkit.py | 2 +- modules/signatures/windows/bypass_firewall.py | 2 +- 
modules/signatures/windows/creates_doc.py | 2 +- modules/signatures/windows/creates_exe.py | 4 ++-- modules/signatures/windows/creates_largekey.py | 2 +- .../signatures/windows/creates_null_reg_entry.py | 2 +- modules/signatures/windows/crypto_apis.py | 2 +- modules/signatures/windows/deletes_executed.py | 2 +- modules/signatures/windows/disables_browserwarn.py | 2 +- modules/signatures/windows/disables_security.py | 2 +- modules/signatures/windows/disables_wer.py | 2 +- .../signatures/windows/disables_windowsupdate.py | 2 +- modules/signatures/windows/dns_dyndns_provider.py | 2 +- .../signatures/windows/dns_freehosting_domain.py | 2 +- modules/signatures/windows/driver_load.py | 2 +- modules/signatures/windows/dropper.py | 4 ++-- modules/signatures/windows/emoves_zoneid_ads.py | 2 +- modules/signatures/windows/exec_waitfor.py | 2 +- modules/signatures/windows/exploitation.py | 12 ++++++------ .../signatures/windows/infostealer_keylogger.py | 2 +- modules/signatures/windows/locates_sniffer.py | 2 +- modules/signatures/windows/maldoc.py | 2 +- modules/signatures/windows/memdump_urls.py | 2 +- modules/signatures/windows/mining.py | 2 +- modules/signatures/windows/modifies_proxies.py | 2 +- modules/signatures/windows/modifies_seccenter.py | 2 +- modules/signatures/windows/network_rdp_mutex.py | 2 +- modules/signatures/windows/office.py | 14 +++++++------- modules/signatures/windows/packer_entropy.py | 2 +- modules/signatures/windows/packer_polymorphic.py | 2 +- modules/signatures/windows/packer_upx.py | 2 +- modules/signatures/windows/packer_vmprotect.py | 2 +- modules/signatures/windows/payload_download.py | 4 ++-- modules/signatures/windows/pe_features.py | 6 +++--- modules/signatures/windows/persistence_autorun.py | 2 +- .../signatures/windows/persistence_bootexecute.py | 2 +- .../windows/persistence_registry_fileless.py | 2 +- modules/signatures/windows/powershell.py | 2 +- modules/signatures/windows/protection_rx.py | 2 +- 
.../windows/ransomware_filemodications.py | 2 +- modules/signatures/windows/ransomware_files.py | 2 +- modules/signatures/windows/self_delete_bat.py | 2 +- modules/signatures/windows/smtp_gmail.py | 2 +- modules/signatures/windows/smtp_live.py | 2 +- modules/signatures/windows/smtp_mailru.py | 2 +- modules/signatures/windows/smtp_yahoo.py | 2 +- modules/signatures/windows/sniffer_winpcap.py | 2 +- .../windows/stealth_hidenotifications.py | 2 +- modules/signatures/windows/suspicious_process.py | 2 +- modules/signatures/windows/terminates_process.py | 2 +- modules/signatures/windows/volatility_sig.py | 10 +++++----- modules/signatures/windows/wmi.py | 4 ++-- 121 files changed, 144 insertions(+), 144 deletions(-) diff --git a/README.md b/README.md index 2f8a86776..f154b0889 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ class AntiSandboxSleep(Signature): categories = ["anti-sandbox"] authors = ["KillerInstinct"] minimum = "2.0" - ttp = ["M0003.003"] + ttp = ["B0003.003"] ... ``` diff --git a/modules/signatures/android/android_reflection_code.py b/modules/signatures/android/android_reflection_code.py index 64c73fb81..c34e013f3 100644 --- a/modules/signatures/android/android_reflection_code.py +++ b/modules/signatures/android/android_reflection_code.py @@ -11,7 +11,7 @@ class AndroidReflectionCode(Signature): categories = ["android"] authors = ["Check Point Software Technologies LTD"] minimum = "2.0" - ttp = ["M0032"] + ttp = ["B0032"] def on_complete(self): if self.get_apkinfo("static_method_calls").get("is_reflection_code"): diff --git a/modules/signatures/android/application_aborted_broadcast_receiver.py b/modules/signatures/android/application_aborted_broadcast_receiver.py index db52dcb49..76c663673 100644 --- a/modules/signatures/android/application_aborted_broadcast_receiver.py +++ b/modules/signatures/android/application_aborted_broadcast_receiver.py 
@@ -11,7 +11,7 @@ class AndroidAbortBroadcast(Signature): categories = ["android"] authors = ["Check Point Software Technologies LTD"] minimum = "2.0" - ttp = ["S0006"] + ttp = ["F0006"] def on_complete(self): if "abortBroadcast" in self.get_droidmon("events", []): diff --git a/modules/signatures/android/application_installed_app.py b/modules/signatures/android/application_installed_app.py index efee86b0d..e6d136d91 100644 --- a/modules/signatures/android/application_installed_app.py +++ b/modules/signatures/android/application_installed_app.py @@ -11,7 +11,7 @@ class AndroidInstalledApps(Signature): categories = ["android"] authors = ["Check Point Software Technologies LTD"] minimum = "2.0" - ttp = ["M0023"] + ttp = ["B0023"] def on_complete(self): if "android/app/ApplicationPackageManager->installPackage" in self.get_droidmon(): diff --git a/modules/signatures/cross/js_suspicious.py b/modules/signatures/cross/js_suspicious.py index a178c09d0..54f79a3e7 100644 --- a/modules/signatures/cross/js_suspicious.py +++ b/modules/signatures/cross/js_suspicious.py @@ -41,7 +41,7 @@ class AntiAnalysisJavascript(Signature): authors = ["Cuckoo Technologies"] minimum = "2.0" on_call_dispatch = True - ttp = ["M0013", "M0009"] + ttp = ["B0013", "B0009"] filter_apinames = "ActiveXObjectFncObj_Construct", "CImgElement_put_src" diff --git a/modules/signatures/network/dns_cnc.py b/modules/signatures/network/dns_cnc.py index 6ef7b1816..5177f69a9 100644 --- a/modules/signatures/network/dns_cnc.py +++ b/modules/signatures/network/dns_cnc.py @@ -22,7 +22,7 @@ class NetworkDNSTXTLookup(Signature): categories = ["dns", "cnc"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["X0011"] + ttp = ["C0011"] whitelist = [ "google.com", diff --git a/modules/signatures/network/dns_tld.py b/modules/signatures/network/dns_tld.py index fe9d66e30..668444722 100644 --- a/modules/signatures/network/dns_tld.py +++ b/modules/signatures/network/dns_tld.py 
@@ -12,7 +12,7 @@ class Suspicious_TLD(Signature): categories = ["tldwatch", "network"] authors = ["RedSocks", "Kevin Ross"] minimum = "2.0" - ttp = ["X0011.004"] + ttp = ["C0011.004"] domains_re = [ (".*\\.by$", "Belarus domain TLD"), diff --git a/modules/signatures/network/network_bind.py b/modules/signatures/network/network_bind.py index 2286f4f72..6bf8051a1 100644 --- a/modules/signatures/network/network_bind.py +++ b/modules/signatures/network/network_bind.py @@ -22,7 +22,7 @@ class NetworkBIND(Signature): categories = ["bind"] authors = ["nex", "Accuvant"] minimum = "2.0" - ttp = ["X0001.002"] + ttp = ["C0001.002"] filter_apinames = "bind", "listen", "accept" diff --git a/modules/signatures/network/network_cnc_http.py b/modules/signatures/network/network_cnc_http.py index ef489f636..2a26da4d2 100644 --- a/modules/signatures/network/network_cnc_http.py +++ b/modules/signatures/network/network_cnc_http.py @@ -27,7 +27,7 @@ class NetworkHTTPPOST(Signature): categories = ["http", "cnc"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["X0002.005"] + ttp = ["C0002.005"] filter_analysistypes = set(["file"]) @@ -58,7 +58,7 @@ class NetworkCnCHTTP(Signature): categories = ["http", "cnc"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["T1071.001", "M0030"] + ttp = ["T1071.001", "B0030"] filter_analysistypes = set(["file"]) diff --git a/modules/signatures/network/network_dyndns.py b/modules/signatures/network/network_dyndns.py index 0ea614336..5452186da 100644 --- a/modules/signatures/network/network_dyndns.py +++ b/modules/signatures/network/network_dyndns.py @@ -12,7 +12,7 @@ class NetworkDynDNS(Signature): categories = ["dyndns"] authors = ["RedSocks"] minimum = "2.0" - ttp = ["X0011.003"] + ttp = ["C0011.003"] domains_re = [ ".*\\.no-ip\\.", diff --git a/modules/signatures/network/network_http.py b/modules/signatures/network/network_http.py index cb4b92e44..b7f59d74c 100644 --- a/modules/signatures/network/network_http.py 
+++ b/modules/signatures/network/network_http.py @@ -22,7 +22,7 @@ class NetworkHTTP(Signature): categories = ["http"] authors = ["nex"] minimum = "2.0" - ttp = ["X0002.003"] + ttp = ["C0002.003"] host_whitelist = [ "www.msftncsi.com" diff --git a/modules/signatures/network/network_icmp.py b/modules/signatures/network/network_icmp.py index 45f435768..439bb0b40 100644 --- a/modules/signatures/network/network_icmp.py +++ b/modules/signatures/network/network_icmp.py @@ -22,7 +22,7 @@ class NetworkICMP(Signature): categories = ["icmp"] authors = ["David Maciejak"] minimum = "2.0" - ttp = ["X0014.001"] + ttp = ["C0014.001"] def on_complete(self): if self.get_net_icmp(): diff --git a/modules/signatures/network/network_smtp.py b/modules/signatures/network/network_smtp.py index d795381ad..fbf809600 100644 --- a/modules/signatures/network/network_smtp.py +++ b/modules/signatures/network/network_smtp.py @@ -22,7 +22,7 @@ class NetworkSMTP(Signature): categories = ["smtp", "spam"] authors = ["nex", "RicoVZ"] minimum = "2.0.0" - ttp = ["S0012.002"] + ttp = ["F0012.002"] def on_complete(self): for s in getattr(self, "get_net_smtp_ex", lambda: [])(): diff --git a/modules/signatures/windows/allocates_rwx.py b/modules/signatures/windows/allocates_rwx.py index 54bcbd414..ffe98cfe3 100644 --- a/modules/signatures/windows/allocates_rwx.py +++ b/modules/signatures/windows/allocates_rwx.py @@ -11,7 +11,7 @@ class AllocatesRWX(Signature): categories = ["unpacking"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["X0007"] + ttp = ["C0007"] filter_apinames = ( "NtAllocateVirtualMemory", "NtProtectVirtualMemory", diff --git a/modules/signatures/windows/antianalysis_detectfile.py b/modules/signatures/windows/antianalysis_detectfile.py index 78ab24ea0..8007df19d 100644 --- a/modules/signatures/windows/antianalysis_detectfile.py +++ b/modules/signatures/windows/antianalysis_detectfile.py 
@@ -11,7 +11,7 @@ class AntiAnalysisDetectFile(Signature): categories = ["anti-analysis"] authors = ["KillerInstinct"] minimum = "2.0" - ttp = ["M0013.008"] + ttp = ["B0013.008"] file_indicators = [ "[A-Za-z]:\\\\analysis", diff --git a/modules/signatures/windows/antiav_servicestop.py b/modules/signatures/windows/antiav_servicestop.py index ca1d6dd74..47c106cc6 100644 --- a/modules/signatures/windows/antiav_servicestop.py +++ b/modules/signatures/windows/antiav_servicestop.py @@ -16,7 +16,7 @@ class AntiAVServiceStop(Signature): categories = ["anti-av"] authors = ["Optiv"] minimum = "2.0" - ttp = ["S0004"] + ttp = ["F0004"] evented = True def __init__(self, *args, **kwargs): diff --git a/modules/signatures/windows/antiav_srp.py b/modules/signatures/windows/antiav_srp.py index c4e4d2198..e728c195e 100644 --- a/modules/signatures/windows/antiav_srp.py +++ b/modules/signatures/windows/antiav_srp.py @@ -11,7 +11,7 @@ class AntiAVSRP(Signature): categories = ["anti-av"] authors = ["Optiv"] minimum = "2.0" - ttp = ["S0004.005", "E1478"] + ttp = ["F0004.005", "E1478"] regkeys_re = [ ".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*", diff --git a/modules/signatures/windows/antidbg_debuggercheck.py b/modules/signatures/windows/antidbg_debuggercheck.py index 1ce92c4df..ef886d4ed 100644 --- a/modules/signatures/windows/antidbg_debuggercheck.py +++ b/modules/signatures/windows/antidbg_debuggercheck.py @@ -23,7 +23,7 @@ class ChecksDebugger(Signature): categories = ["anti-debug"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0001"] + ttp = ["B0001"] filter_apinames = [ "CheckRemoteDebuggerPresent", @@ -43,7 +43,7 @@ class ChecksKernelDebugger(Signature): categories = ["anti-debug"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0001"] + ttp = ["B0001"] filter_apinames = [ "SystemKernelDebuggerInformation", 
diff --git a/modules/signatures/windows/antidbg_devices.py b/modules/signatures/windows/antidbg_devices.py index 1b62a286e..e1dd9ea93 100644 --- a/modules/signatures/windows/antidbg_devices.py +++ b/modules/signatures/windows/antidbg_devices.py @@ -22,7 +22,7 @@ class AntiDBGDevices(Signature): categories = ["anti-debug"] authors = ["nex"] minimum = "2.0" - ttp = ["M0001", "M0013"] + ttp = ["B0001", "B0013"] indicators = [ ".*SICE$", diff --git a/modules/signatures/windows/antidbg_windows.py b/modules/signatures/windows/antidbg_windows.py index 9b36d1f6d..4c0932739 100644 --- a/modules/signatures/windows/antidbg_windows.py +++ b/modules/signatures/windows/antidbg_windows.py @@ -22,7 +22,7 @@ class AntiDBGWindows(Signature): categories = ["anti-debug"] authors = ["nex", "KillerInstinct", "Brad Spengler"] minimum = "2.0" - ttp = ["M0013.009", "M0001.004"] + ttp = ["B0013.009", "B0001.004"] filter_categories = "ui", diff --git a/modules/signatures/windows/antiemu_wine.py b/modules/signatures/windows/antiemu_wine.py index d4818b9e6..3bdbe23b3 100644 --- a/modules/signatures/windows/antiemu_wine.py +++ b/modules/signatures/windows/antiemu_wine.py @@ -22,7 +22,7 @@ class WineDetect(Signature): categories = ["anti-emulation"] authors = ["nex"] minimum = "2.0" - ttp = ["M0004"] + ttp = ["B0004"] filter_apinames = "LdrGetProcedureAddress", diff --git a/modules/signatures/windows/antisandbox_clipboard.py b/modules/signatures/windows/antisandbox_clipboard.py index 02d799750..df1ef6e66 100644 --- a/modules/signatures/windows/antisandbox_clipboard.py +++ b/modules/signatures/windows/antisandbox_clipboard.py @@ -22,7 +22,7 @@ class AntisandboxClipboard(Signature): categories = ["anti-sandbox"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0007.001"] + ttp = ["B0007.001"] filter_apinames = set(["GetClipboardData"]) diff --git a/modules/signatures/windows/antisandbox_cuckoo_files.py b/modules/signatures/windows/antisandbox_cuckoo_files.py index b42d78b15..54a5c1570 100644 
--- a/modules/signatures/windows/antisandbox_cuckoo_files.py +++ b/modules/signatures/windows/antisandbox_cuckoo_files.py @@ -22,7 +22,7 @@ class CuckooDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Brad Spengler"] minimum = "2.0" - ttp = ["M0007.002"] + ttp = ["B0007.002"] file_indicators = [ ".*\\\\agent\\.py$", diff --git a/modules/signatures/windows/antisandbox_file.py b/modules/signatures/windows/antisandbox_file.py index 9d03412f3..d9b360159 100644 --- a/modules/signatures/windows/antisandbox_file.py +++ b/modules/signatures/windows/antisandbox_file.py @@ -11,7 +11,7 @@ class AntiSandboxFile(Signature): categories = ["anti-sandbox"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["M0007.002"] + ttp = ["B0007.002"] files_re = [ "[a-zA-Z]:\\\\sample\\.exe", diff --git a/modules/signatures/windows/antisandbox_forehwnd.py b/modules/signatures/windows/antisandbox_forehwnd.py index d87f6da86..1f921d234 100644 --- a/modules/signatures/windows/antisandbox_forehwnd.py +++ b/modules/signatures/windows/antisandbox_forehwnd.py @@ -20,7 +20,7 @@ class AntiSandboxForegroundWindow(Signature): severity = 2 categories = ["anti-sandbox"] minimum = "2.0" - ttp = ["M0007.003"] + ttp = ["B0007.003"] references = [ "https://www.virusbtn.com/virusbulletin/archive/2015/09/vb201509-custom-packer.dkb", diff --git a/modules/signatures/windows/antisandbox_fortinet_files.py b/modules/signatures/windows/antisandbox_fortinet_files.py index cbdfcc266..f8054e3ed 100644 --- a/modules/signatures/windows/antisandbox_fortinet_files.py +++ b/modules/signatures/windows/antisandbox_fortinet_files.py @@ -22,7 +22,7 @@ class FortinetDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Brad Spengler"] minimum = "2.0" - ttp = ["M0007.002"] + ttp = ["B0007.002"] files_re = [ "C:\\\\tracer\\\\mdare32_0\\.sys", diff --git a/modules/signatures/windows/antisandbox_idletime.py b/modules/signatures/windows/antisandbox_idletime.py index 9f4a3fe57..a99a66f4b 100644 
--- a/modules/signatures/windows/antisandbox_idletime.py +++ b/modules/signatures/windows/antisandbox_idletime.py @@ -11,7 +11,7 @@ class AntiSandboxIdleTime(Signature): categories = ["anti-sandbox"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["M0007.009"] + ttp = ["B0007.009"] filter_apinames = "NtQuerySystemInformation", diff --git a/modules/signatures/windows/antisandbox_joe_anubis_files.py b/modules/signatures/windows/antisandbox_joe_anubis_files.py index cb887c5fe..d7420a012 100644 --- a/modules/signatures/windows/antisandbox_joe_anubis_files.py +++ b/modules/signatures/windows/antisandbox_joe_anubis_files.py @@ -22,7 +22,7 @@ class SandboxJoeAnubisDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0007.002"] + ttp = ["B0007.002"] file_indicators = [ "C:\\\\sample\\.exe", diff --git a/modules/signatures/windows/antisandbox_mouse_hook.py b/modules/signatures/windows/antisandbox_mouse_hook.py index ea819dc0c..9cf78efc0 100644 --- a/modules/signatures/windows/antisandbox_mouse_hook.py +++ b/modules/signatures/windows/antisandbox_mouse_hook.py @@ -22,7 +22,7 @@ class HookMouse(Signature): categories = ["hooking", "anti-sandbox"] authors = ["nex"] minimum = "2.0" - ttp = ["M0007.003", "S0003.003"] + ttp = ["B0007.003", "F0003.003"] filter_apinames = "SetWindowsHookExA", "SetWindowsHookExW" diff --git a/modules/signatures/windows/antisandbox_restart.py b/modules/signatures/windows/antisandbox_restart.py index 53a33389e..00756b96a 100644 --- a/modules/signatures/windows/antisandbox_restart.py +++ b/modules/signatures/windows/antisandbox_restart.py @@ -12,7 +12,7 @@ class AntiSandboxRestart(Signature): categories = ["anti-sandbox"] authors = ["Cuckoo Technologies", "Brad Spengler"] minimum = "2.0" - ttp = ["M0003.010"] + ttp = ["B0003.010"] filter_apinames = ( "InitiateSystemShutdownExW", "InitiateSystemShutdownExA", 
diff --git a/modules/signatures/windows/antisandbox_sleep.py b/modules/signatures/windows/antisandbox_sleep.py index 63c623ac2..cc4160f2c 100644 --- a/modules/signatures/windows/antisandbox_sleep.py +++ b/modules/signatures/windows/antisandbox_sleep.py @@ -22,7 +22,7 @@ class AntiSandboxSleep(Signature): categories = ["anti-sandbox"] authors = ["KillerInstinct"] minimum = "2.0" - ttp = ["M0003.003"] + ttp = ["B0003.003"] filter_apinames = "NtDelayExecution", diff --git a/modules/signatures/windows/antisandbox_sunbelt.py b/modules/signatures/windows/antisandbox_sunbelt.py index 538011ef7..c54afecb1 100644 --- a/modules/signatures/windows/antisandbox_sunbelt.py +++ b/modules/signatures/windows/antisandbox_sunbelt.py @@ -11,7 +11,7 @@ class SunBeltSandboxDetect(Signature): categories = ["anti-vm"] authors = ["Cuckoo Technologies"] minimum = "2.0" - ttp = ["M0007"] + ttp = ["B0007"] dlls_re = [ ".*api_log(\\.dll)?$", diff --git a/modules/signatures/windows/antisandbox_sunbelt_files.py b/modules/signatures/windows/antisandbox_sunbelt_files.py index 2d8e51f3b..817398b65 100644 --- a/modules/signatures/windows/antisandbox_sunbelt_files.py +++ b/modules/signatures/windows/antisandbox_sunbelt_files.py @@ -22,7 +22,7 @@ class SunbeltDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0007.002"] + ttp = ["B0007.002"] file_indicators = [ ".*\\\\SandboxStarter\\.exe$", diff --git a/modules/signatures/windows/antisandbox_threattrack_files.py b/modules/signatures/windows/antisandbox_threattrack_files.py index 4cc5800de..b6e0a6813 100644 --- a/modules/signatures/windows/antisandbox_threattrack_files.py +++ b/modules/signatures/windows/antisandbox_threattrack_files.py @@ -22,7 +22,7 @@ class ThreatTrackDetectFiles(Signature): categories = ["anti-sandbox"] authors = ["Brad Spengler"] minimum = "2.0" - ttp = ["M0007.002"] + ttp = ["B0007.002"] files_re = [ "C:\\\\cwsandbox", 
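Review bot: After this remap antisandbox_sleep.py emits `B0003.003`, but the README's JSON report example (the `"ttp": { "M0003.003": {` block introduced in patch 08) is not updated by this commit — its README diffstat is `2 +-` and the only README hunk touches the Python snippet — so the documented report output no longer matches what the signature produces. Change the example key to `"B0003.003"` in the same commit, and check whether the `short` value shown there ("Dynamic Analysis Evasion") should be the sub-behaviour name, since the README prose describes the mapping as "Dynamic Analysis Evasion::Delayed Execution". The signature bodies continue outside the hunks.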
diff --git a/modules/signatures/windows/antisandbox_unhook.py b/modules/signatures/windows/antisandbox_unhook.py index d914703bc..694daf767 100644 --- a/modules/signatures/windows/antisandbox_unhook.py +++ b/modules/signatures/windows/antisandbox_unhook.py @@ -22,7 +22,7 @@ class Unhook(Signature): categories = ["anti-sandbox"] authors = ["nex"] minimum = "2.0" - ttp = ["M0003.008"] + ttp = ["B0003.008"] filter_apinames = "__anomaly__", diff --git a/modules/signatures/windows/antivm_bochs_keys.py b/modules/signatures/windows/antivm_bochs_keys.py index 73a44d194..def6e4dbd 100644 --- a/modules/signatures/windows/antivm_bochs_keys.py +++ b/modules/signatures/windows/antivm_bochs_keys.py @@ -22,7 +22,7 @@ class BochsDetectKeys(Signature): categories = ["anti-vm"] authors = ["Brad Spengler"] minimum = "2.0" - ttp = ["M0009.005", "T1012"] + ttp = ["B0009.005", "T1012"] regkeys_re = [ ".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS_.*", diff --git a/modules/signatures/windows/antivm_computername.py b/modules/signatures/windows/antivm_computername.py index e18739047..90e18f6e6 100644 --- a/modules/signatures/windows/antivm_computername.py +++ b/modules/signatures/windows/antivm_computername.py @@ -22,7 +22,7 @@ class AntiVMComputernameQuery(Signature): categories = ["AntiVM"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0009", "T1082"] + ttp = ["B0009", "T1082"] filter_apinames = [ "GetComputerNameA", diff --git a/modules/signatures/windows/antivm_disksize.py b/modules/signatures/windows/antivm_disksize.py index ea8c39d5e..95ec5c13f 100644 --- a/modules/signatures/windows/antivm_disksize.py +++ b/modules/signatures/windows/antivm_disksize.py @@ -22,7 +22,7 @@ class AntiVMDiskSize(Signature): categories = ["anti-vm"] authors = ["Kevin Ross"] minimum = "2.0" - ttp = ["M0009.015"] + ttp = ["B0009.015"] evented = True diff --git a/modules/signatures/windows/antivm_generic_bios.py b/modules/signatures/windows/antivm_generic_bios.py index 09550c254..9b9e6e8f1 100644 
--- a/modules/signatures/windows/antivm_generic_bios.py
+++ b/modules/signatures/windows/antivm_generic_bios.py
@@ -22,7 +22,7 @@ class AntiVMBios(Signature):
categories = ["anti-vm"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["M0009.024", "M0009.005", "T1012"]
+ ttp = ["B0009.024", "B0009.005", "T1012"]
regkeys_re = [
".*SystemBiosVersion",
diff --git a/modules/signatures/windows/antivm_generic_cpu.py b/modules/signatures/windows/antivm_generic_cpu.py
index 81ec5eb73..64e7f4027 100644
--- a/modules/signatures/windows/antivm_generic_cpu.py
+++ b/modules/signatures/windows/antivm_generic_cpu.py
@@ -22,7 +22,7 @@ class AntiVMCPU(Signature):
categories = ["anti-vm"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["M0009.026", "M0009.005", "T1012"]
+ ttp = ["B0009.026", "B0009.005", "T1012"]
regkeys_re = [
".*\\\\HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\.*\\\\ProcessorNameString",
diff --git a/modules/signatures/windows/antivm_generic_disk.py b/modules/signatures/windows/antivm_generic_disk.py
index 82e73d277..d5a455db2 100644
--- a/modules/signatures/windows/antivm_generic_disk.py
+++ b/modules/signatures/windows/antivm_generic_disk.py
@@ -22,7 +22,7 @@ class DiskInformation(Signature):
categories = ["anti-vm"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
filter_apinames = [
"NtCreateFile",
diff --git a/modules/signatures/windows/antivm_generic_firmware.py b/modules/signatures/windows/antivm_generic_firmware.py
index 36e3a904e..b8680d2f6 100644
--- a/modules/signatures/windows/antivm_generic_firmware.py
+++ b/modules/signatures/windows/antivm_generic_firmware.py
@@ -11,7 +11,7 @@ class VMFirmware(Signature):
categories = ["anti-vm"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0009.023"]
+ ttp = ["B0009.023"]
filter_apinames = "NtQuerySystemInformation",
diff --git a/modules/signatures/windows/antivm_generic_ide.py b/modules/signatures/windows/antivm_generic_ide.py
index 7a5f6b4bb..329970525 100644
--- a/modules/signatures/windows/antivm_generic_ide.py
+++ b/modules/signatures/windows/antivm_generic_ide.py
@@ -22,7 +22,7 @@ class AntiVMIDE(Signature):
categories = ["anti-vm"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
def on_complete(self):
for regkey in self.check_key(pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\IDE", regex=True, all=True):
diff --git a/modules/signatures/windows/antivm_generic_scsi.py b/modules/signatures/windows/antivm_generic_scsi.py
index c3ec91c90..707ea187e 100644
--- a/modules/signatures/windows/antivm_generic_scsi.py
+++ b/modules/signatures/windows/antivm_generic_scsi.py
@@ -22,7 +22,7 @@ class AntiVMSCSI(Signature):
categories = ["anti-vm"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
regkeys_re = [
".*\\\\HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port \\d+\\\\Scsi Bus \\d+\\\\Target Id \\d+\\\\Logical Unit Id \\d+\\\\Identifier",
diff --git a/modules/signatures/windows/antivm_generic_services.py b/modules/signatures/windows/antivm_generic_services.py
index 500ad1e27..8a54b36f4 100644
--- a/modules/signatures/windows/antivm_generic_services.py
+++ b/modules/signatures/windows/antivm_generic_services.py
@@ -22,7 +22,7 @@ class AntiVMServices(Signature):
categories = ["anti-vm"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["M0009.006", "T1007"]
+ ttp = ["B0009.006", "T1007"]
filter_apinames = "EnumServicesStatusA", "EnumServicesStatusW"
diff --git a/modules/signatures/windows/antivm_hyperv_keys.py b/modules/signatures/windows/antivm_hyperv_keys.py
index e0de0afc5..6e317fbff 100644
--- a/modules/signatures/windows/antivm_hyperv_keys.py
+++ b/modules/signatures/windows/antivm_hyperv_keys.py
@@ -22,7 +22,7 @@ class HyperVDetectKeys(Signature):
categories = ["anti-vm"]
authors = ["Brad Spengler"]
minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
regkeys_re = [
".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\Hyper_V_Gen_Counter_V1",
diff --git a/modules/signatures/windows/antivm_memory_available.py b/modules/signatures/windows/antivm_memory_available.py
index 93f5ecf7f..adc24f2e4 100644
--- a/modules/signatures/windows/antivm_memory_available.py
+++ b/modules/signatures/windows/antivm_memory_available.py
@@ -22,7 +22,7 @@ class MemoryAvailable(Signature):
categories = ["anti-vm"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["M0009.014"]
+ ttp = ["B0009.014"]
filter_apinames = [
"GlobalMemoryStatusEx", "GetPhysicallyInstalledSystemMemory",
diff --git a/modules/signatures/windows/antivm_network_adapter.py b/modules/signatures/windows/antivm_network_adapter.py
index 678935a99..c89be7945 100644
--- a/modules/signatures/windows/antivm_network_adapter.py
+++ b/modules/signatures/windows/antivm_network_adapter.py
@@ -22,7 +22,7 @@ class NetworkAdapters(Signature):
categories = ["anti-vm"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["M0009.023"]
+ ttp = ["B0009.023"]
filter_apinames = set(["GetAdaptersAddresses"])
diff --git a/modules/signatures/windows/antivm_parallels_keys.py b/modules/signatures/windows/antivm_parallels_keys.py
index 204682622..98d805ed5 100644
--- a/modules/signatures/windows/antivm_parallels_keys.py
+++ b/modules/signatures/windows/antivm_parallels_keys.py
@@ -22,7 +22,7 @@ class ParallelsDetectKeys(Signature):
categories = ["anti-vm"]
authors = ["Brad Spengler"]
minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
regkeys_re = [
".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_1AB8&DEV_4000&SUBSYS_04001AB8&REV_00",
diff --git a/modules/signatures/windows/antivm_parallels_window.py b/modules/signatures/windows/antivm_parallels_window.py
index b6846865e..2c44a5ee8 100644
--- a/modules/signatures/windows/antivm_parallels_window.py
+++ b/modules/signatures/windows/antivm_parallels_window.py
@@ -22,7 +22,7 @@ class ParallelsDetectWindow(Signature):
categories = ["anti-vm"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["M0009.009"]
+ ttp = ["B0009.009"]
filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_psuedo_device.py b/modules/signatures/windows/antivm_psuedo_device.py
index e37a602b0..7eebfe7b6 100644
--- a/modules/signatures/windows/antivm_psuedo_device.py
+++ b/modules/signatures/windows/antivm_psuedo_device.py
@@ -22,7 +22,7 @@ class AntiVMSharedDevice(Signature):
categories = ["anti-vm"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["B0009"]
filter_apinames = "NtCreateFile",
diff --git a/modules/signatures/windows/antivm_sandboxie.py b/modules/signatures/windows/antivm_sandboxie.py
index 6f93b4032..f0454bf12 100644
--- a/modules/signatures/windows/antivm_sandboxie.py
+++ b/modules/signatures/windows/antivm_sandboxie.py
@@ -11,7 +11,7 @@ class SandboxieDetect(Signature):
categories = ["anti-vm"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["B0009"]
mutexes_re = [
".*Sandboxie_SingleInstanceMutex_Control",
diff --git a/modules/signatures/windows/antivm_vbox_acpi.py b/modules/signatures/windows/antivm_vbox_acpi.py
index 0d819de54..e794e75a6 100644
--- a/modules/signatures/windows/antivm_vbox_acpi.py
+++ b/modules/signatures/windows/antivm_vbox_acpi.py
@@ -22,7 +22,7 @@ class VBoxDetectACPI(Signature):
categories = ["anti-vm"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["M0009.023", "M0009.005", "T1012"]
+ ttp = ["B0009.023", "B0009.005", "T1012"]
def on_complete(self):
for regkey in self.check_key("HARDWARE\\\\ACPI\\\\.*vbox_", regex=True, all=True):
diff --git a/modules/signatures/windows/antivm_vbox_devices.py b/modules/signatures/windows/antivm_vbox_devices.py
index 85af8a013..f78b9a6af 100644
--- a/modules/signatures/windows/antivm_vbox_devices.py
+++ b/modules/signatures/windows/antivm_vbox_devices.py
@@ -22,7 +22,7 @@ class VBoxDetectDevices(Signature):
categories = ["anti-vm"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["B0009"]
# TODO Might as well just do a generic ".*VBox.*" regex?
indicators = [
diff --git a/modules/signatures/windows/antivm_vbox_files.py b/modules/signatures/windows/antivm_vbox_files.py
index fcec7e3a4..4a37cd11f 100644
--- a/modules/signatures/windows/antivm_vbox_files.py
+++ b/modules/signatures/windows/antivm_vbox_files.py
@@ -22,7 +22,7 @@ class VBoxDetectFiles(Signature):
categories = ["anti-vm"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["M0009.001"]
+ ttp = ["B0009.001"]
indicators = [
".*VBoxDisp\\.dll",
diff --git a/modules/signatures/windows/antivm_vbox_keys.py b/modules/signatures/windows/antivm_vbox_keys.py
index 7862e844f..bf67dce75 100644
--- a/modules/signatures/windows/antivm_vbox_keys.py
+++ b/modules/signatures/windows/antivm_vbox_keys.py
@@ -22,7 +22,7 @@ class VBoxDetectKeys(Signature):
categories = ["anti-vm"]
authors = ["nex", "Brad Spengler"]
minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
regkeys_re = [
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Oracle\\\\VirtualBox\\ Guest\\ Additions",
diff --git a/modules/signatures/windows/antivm_vbox_provname.py b/modules/signatures/windows/antivm_vbox_provname.py
index 16f62e1fa..27392d0ef 100644
--- a/modules/signatures/windows/antivm_vbox_provname.py
+++ b/modules/signatures/windows/antivm_vbox_provname.py
@@ -22,7 +22,7 @@ class VBoxDetectProvname(Signature):
categories = ["anti-vm"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["M0009.001"]
+ ttp = ["B0009.001"]
evented = True
diff --git a/modules/signatures/windows/antivm_vbox_window.py b/modules/signatures/windows/antivm_vbox_window.py
index c5574e27a..e499cc79f 100644
--- a/modules/signatures/windows/antivm_vbox_window.py
+++ b/modules/signatures/windows/antivm_vbox_window.py
@@ -22,7 +22,7 @@ class VBoxDetectWindow(Signature):
categories = ["anti-vm"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["M0009.009"]
+ ttp = ["B0009.009"]
filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_virtualpc.py b/modules/signatures/windows/antivm_virtualpc.py
index e55c92aa0..0b4db21a0 100644
--- a/modules/signatures/windows/antivm_virtualpc.py
+++ b/modules/signatures/windows/antivm_virtualpc.py
@@ -11,7 +11,7 @@ class VirtualPCDetect(Signature):
categories = ["anti-vm"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["B0009"]
mutexes_re = [
".*MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex",
diff --git a/modules/signatures/windows/antivm_virtualpc_magic.py b/modules/signatures/windows/antivm_virtualpc_magic.py
index 4032b03a4..fb1af9d11 100644
--- a/modules/signatures/windows/antivm_virtualpc_magic.py
+++ b/modules/signatures/windows/antivm_virtualpc_magic.py
@@ -11,7 +11,7 @@ class VirtualPCIllegalInstruction(Signature):
categories = ["anti-vm"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["B0009"]
filter_apinames = "__exception__",
diff --git a/modules/signatures/windows/antivm_virtualpc_window.py b/modules/signatures/windows/antivm_virtualpc_window.py
index 44002c207..36195f278 100644
--- a/modules/signatures/windows/antivm_virtualpc_window.py
+++ b/modules/signatures/windows/antivm_virtualpc_window.py
@@ -22,7 +22,7 @@ class VirtualPCDetectWindow(Signature):
categories = ["anti-vm"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["M0009.009"]
+ ttp = ["B0009.009"]
filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_vmware_files.py b/modules/signatures/windows/antivm_vmware_files.py
index 2d4d9b8e7..58b912c5b 100644
--- a/modules/signatures/windows/antivm_vmware_files.py
+++ b/modules/signatures/windows/antivm_vmware_files.py
@@ -11,7 +11,7 @@ class VMWareDetectFiles(Signature):
categories = ["anti-vm"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0009.001"]
+ ttp = ["B0009.001"]
files_re = [
".*vmmouse\\.sys",
diff --git a/modules/signatures/windows/antivm_vmware_in_insn.py b/modules/signatures/windows/antivm_vmware_in_insn.py
index b2cc477da..d1c8cddc8 100644
--- a/modules/signatures/windows/antivm_vmware_in_insn.py
+++ b/modules/signatures/windows/antivm_vmware_in_insn.py
@@ -11,7 +11,7 @@ class VMWareInInstruction(Signature):
categories = ["anti-vm"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["B0009"]
filter_apinames = "__exception__",
diff --git a/modules/signatures/windows/antivm_vmware_keys.py b/modules/signatures/windows/antivm_vmware_keys.py
index b499a6f26..aebced475 100644
--- a/modules/signatures/windows/antivm_vmware_keys.py
+++ b/modules/signatures/windows/antivm_vmware_keys.py
@@ -21,7 +21,7 @@ class VMWareDetectKeys(Signature):
categories = ["anti-vm"]
authors = ["Cuckoo Technologies", "Optiv"]
minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
regkeys_re = [
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?VMWare,\\ Inc\..*",
diff --git a/modules/signatures/windows/antivm_vmware_window.py b/modules/signatures/windows/antivm_vmware_window.py
index 49b4e9423..8cd402ec2 100644
--- a/modules/signatures/windows/antivm_vmware_window.py
+++ b/modules/signatures/windows/antivm_vmware_window.py
@@ -22,7 +22,7 @@ class VMwareDetectWindow(Signature):
categories = ["anti-vm"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["M0009.009"]
+ ttp = ["B0009.009"]
filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_vpc_keys.py b/modules/signatures/windows/antivm_vpc_keys.py
index 0b3187e6a..a665248ed 100644
--- a/modules/signatures/windows/antivm_vpc_keys.py
+++ b/modules/signatures/windows/antivm_vpc_keys.py
@@ -22,7 +22,7 @@ class VPCDetectKeys(Signature):
categories = ["anti-vm"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
regkeys_re = [
".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00",
diff --git a/modules/signatures/windows/antivm_xen_keys.py b/modules/signatures/windows/antivm_xen_keys.py
index e58bdb88a..477b4b958 100644
--- a/modules/signatures/windows/antivm_xen_keys.py
+++ b/modules/signatures/windows/antivm_xen_keys.py
@@ -22,7 +22,7 @@ class XenDetectKeys(Signature):
categories = ["anti-vm"]
authors = ["Brad Spengler"]
minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
regkeys_re = [
".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\XEN0000.*",
diff --git a/modules/signatures/windows/bitcoin_opencl.py b/modules/signatures/windows/bitcoin_opencl.py
index da1716e1a..c2be14818 100644
--- a/modules/signatures/windows/bitcoin_opencl.py
+++ b/modules/signatures/windows/bitcoin_opencl.py
@@ -22,7 +22,7 @@ class BitcoinOpenCL(Signature):
categories = ["bitcoin"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["M0018.002"]
+ ttp = ["B0018.002"]
def on_complete(self):
filepath = self.check_file(pattern=".*OpenCL\.dll$", regex=True)
diff --git a/modules/signatures/windows/bootconfig_modify.py b/modules/signatures/windows/bootconfig_modify.py
index 2926a2f3a..d2a953028 100644
--- a/modules/signatures/windows/bootconfig_modify.py
+++ b/modules/signatures/windows/bootconfig_modify.py
@@ -22,7 +22,7 @@ class ModifiesBootConfig(Signature):
categories = ["persistance", "ransomware"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["S0013"]
+ ttp = ["F0013"]
filter_apinames = "ShellExecuteExW", "CreateProcessInternalW",
def on_call(self, call, process):
diff --git a/modules/signatures/windows/bootkit.py b/modules/signatures/windows/bootkit.py
index 97415916c..e2c5f45c3 100644
--- a/modules/signatures/windows/bootkit.py
+++ b/modules/signatures/windows/bootkit.py
@@ -13,7 +13,7 @@ class Bootkit(Signature):
authors = ["Optiv"]
minimum = "2.0"
evented = True
- ttp = ["S0013"]
+ ttp = ["F0013"]
BasicFileInformation = 4
def __init__(self, *args, **kwargs):
diff --git a/modules/signatures/windows/bypass_firewall.py b/modules/signatures/windows/bypass_firewall.py
index 2a534fb33..790897123 100644
--- a/modules/signatures/windows/bypass_firewall.py
+++ b/modules/signatures/windows/bypass_firewall.py
@@ -24,7 +24,7 @@ class BypassFirewall(Signature):
categories = ["bypass"]
authors = ["Anderson Tamborim", "nex", "Kevin Ross"]
minimum = "2.0"
- ttp = ["E1478", "S0004"]
+ ttp = ["E1478", "F0004"]
indicator = ".*\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\.*"
def on_complete(self):
diff --git a/modules/signatures/windows/creates_doc.py b/modules/signatures/windows/creates_doc.py
index 059ff01d8..434ead4e1 100644
--- a/modules/signatures/windows/creates_doc.py
+++ b/modules/signatures/windows/creates_doc.py
@@ -11,7 +11,7 @@ class CreatesDocument(Signature):
categories = ["generic"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["X0016.001"]
+ ttp = ["C0016.001"]
pattern = ".*\\.(doc|docm|dotm|docx|ppt|pptm|pptx|potm|ppam|ppsm|xls|xlsm|xlsx|pdf)$"
diff --git a/modules/signatures/windows/creates_exe.py b/modules/signatures/windows/creates_exe.py
index 2331cf1fa..b1a170b0a 100644
--- a/modules/signatures/windows/creates_exe.py
+++ b/modules/signatures/windows/creates_exe.py
@@ -16,7 +16,7 @@ class CreatesExe(Signature):
categories = ["generic"]
authors = ["Cuckoo Developers"]
minimum = "2.0"
- ttp = ["E1105", "M0023"]
+ ttp = ["E1105", "B0023"]
pattern = (
".*\\.(bat|cmd|com|cpl|dll|exe|js|jse|lnk|msi|msh|msh1|msh2|mshxml|"
@@ -37,7 +37,7 @@ class CreatesUserFolderEXE(Signature):
families = ["persistance"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["E1105", "M0023"]
+ ttp = ["E1105", "B0023"]
directories_re = [
"^[a-zA-Z]:\\\\Users\\\\[^\\\\]+\\\\AppData\\\\.*",
diff --git a/modules/signatures/windows/creates_largekey.py b/modules/signatures/windows/creates_largekey.py
index bd09869e0..56e50d3c2 100644
--- a/modules/signatures/windows/creates_largekey.py
+++ b/modules/signatures/windows/creates_largekey.py
@@ -29,7 +29,7 @@ class CreatesLargeKey(Signature):
categories = ["stealth"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["M0040.001", "E1112"]
+ ttp = ["B0040.001", "E1112"]
evented = True
filter_apinames = set(["NtSetValueKey", "RegSetValueExA", "RegSetValueExW"])
diff --git a/modules/signatures/windows/creates_null_reg_entry.py b/modules/signatures/windows/creates_null_reg_entry.py
index 4f81aed98..4236e50b5 100644
--- a/modules/signatures/windows/creates_null_reg_entry.py
+++ b/modules/signatures/windows/creates_null_reg_entry.py
@@ -12,7 +12,7 @@ class CreatesNullRegistryEntry(Signature):
severity = 2
categories = ["stealth"]
minimum = "2.0"
- ttp = ["S0006", "E1112"]
+ ttp = ["F0006", "E1112"]
filter_apinames = (
"NtSetValueKey", "NtCreateKey", "RegCreateKeyExA", "RegCreateKeyExW", "RegSetValueExA", "RegSetValueExW",
diff --git a/modules/signatures/windows/crypto_apis.py b/modules/signatures/windows/crypto_apis.py
index c25a4e0da..35c0bb21d 100644
--- a/modules/signatures/windows/crypto_apis.py
+++ b/modules/signatures/windows/crypto_apis.py
@@ -22,7 +22,7 @@ class CryptGenKey(Signature):
families = ["generic"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["X0021.003"]
+ ttp = ["C0021.003"]
filter_apinames = "CryptGenKey", "CryptExportKey",
diff --git a/modules/signatures/windows/deletes_executed.py b/modules/signatures/windows/deletes_executed.py
index 383634713..b69a417cb 100644
--- a/modules/signatures/windows/deletes_executed.py
+++ b/modules/signatures/windows/deletes_executed.py
@@ -22,7 +22,7 @@ class DeletesExecutedFiles(Signature):
categories = ["persistence", "stealth"]
authors = ["Optiv", "Kevin Ross"]
minimum = "2.0"
- ttp = ["S0007"]
+ ttp = ["F0007"]
evented = True
def on_complete(self):
diff --git a/modules/signatures/windows/disables_browserwarn.py b/modules/signatures/windows/disables_browserwarn.py
index 6315d8233..1e8eec4eb 100644
--- a/modules/signatures/windows/disables_browserwarn.py
+++ b/modules/signatures/windows/disables_browserwarn.py
@@ -11,7 +11,7 @@ class DisablesBrowserWarn(Signature):
categories = ["generic", "banker", "clickfraud"]
authors = ["Optiv", "Kevin Ross"]
minimum = "2.0"
- ttp = ["S0004", "E1112"]
+ ttp = ["F0004", "E1112"]
regkeys_re = [
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnBadCertRecving",
diff --git a/modules/signatures/windows/disables_security.py b/modules/signatures/windows/disables_security.py
index a839683f3..33d5fdb18 100644
--- a/modules/signatures/windows/disables_security.py
+++ b/modules/signatures/windows/disables_security.py
@@ -11,7 +11,7 @@ class DisablesSecurity(Signature):
categories = ["anti-av"]
authors = ["Cuckoo Technologies", "Brad Spengler"]
minimum = "2.0"
- ttp = ["S0004"]
+ ttp = ["F0004"]
regkeys_re = [
("HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA", "attempts to disable user access control"),
diff --git a/modules/signatures/windows/disables_wer.py b/modules/signatures/windows/disables_wer.py
index d8a0fa636..e7e7c4123 100644
--- a/modules/signatures/windows/disables_wer.py
+++ b/modules/signatures/windows/disables_wer.py
@@ -11,7 +11,7 @@ class DisablesWER(Signature):
categories = ["stealth"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["S0006", "S0004", "E1112"]
+ ttp = ["F0006", "F0004", "E1112"]
regkeys_re = [
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ Error\\ Reporting\\\\Disabled$",
diff --git a/modules/signatures/windows/disables_windowsupdate.py b/modules/signatures/windows/disables_windowsupdate.py
index 34f8b8a41..bdfb2c316 100644
--- a/modules/signatures/windows/disables_windowsupdate.py
+++ b/modules/signatures/windows/disables_windowsupdate.py
@@ -11,7 +11,7 @@ class DisablesWindowsUpdate(Signature):
categories = ["generic"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["S0004"]
+ ttp = ["F0004"]
regkeys_re = [
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\(AU\\\\NoAutoUpdate|Auto\\ Update\\\\AUOptions)$",
diff --git a/modules/signatures/windows/dns_dyndns_provider.py b/modules/signatures/windows/dns_dyndns_provider.py
index 76cd8f4ee..3716418a0 100644
--- a/modules/signatures/windows/dns_dyndns_provider.py
+++ b/modules/signatures/windows/dns_dyndns_provider.py
@@ -12,7 +12,7 @@ class dnsserver_dynamic(Signature):
categories = ["dns"]
authors = ["RedSocks"]
minimum = "2.0"
- ttp = ["X0011.003"]
+ ttp = ["C0011.003"]
ipaddrs = [
"221.228.198.216",
diff --git a/modules/signatures/windows/dns_freehosting_domain.py b/modules/signatures/windows/dns_freehosting_domain.py
index 3e41b0aeb..90dee2488 100644
--- a/modules/signatures/windows/dns_freehosting_domain.py
+++ b/modules/signatures/windows/dns_freehosting_domain.py
@@ -12,7 +12,7 @@ class Dns_Freehosting_Domain(Signature):
categories = ["freehosting"]
authors = ["RedSocks"]
minimum = "2.0"
- ttp = ["X0011.005"]
+ ttp = ["C0011.005"]
domains_re = [
".*\.yzi\.me",
diff --git a/modules/signatures/windows/driver_load.py b/modules/signatures/windows/driver_load.py
index 2db43a3b4..49d13b43d 100644
--- a/modules/signatures/windows/driver_load.py
+++ b/modules/signatures/windows/driver_load.py
@@ -22,7 +22,7 @@ class DriverLoad(Signature):
categories = ["stealth"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["X0023"]
+ ttp = ["C0023"]
filter_apinames = set(["NtLoadDriver"])
diff --git a/modules/signatures/windows/dropper.py b/modules/signatures/windows/dropper.py
index c8fb4bc48..882a96e14 100644
--- a/modules/signatures/windows/dropper.py
+++ b/modules/signatures/windows/dropper.py
@@ -22,7 +22,7 @@ class Dropper(Signature):
categories = ["dropper"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["M0023"]
+ ttp = ["B0023"]
def __init__(self, *args, **kwargs):
Signature.__init__(self, *args, **kwargs)
@@ -59,7 +59,7 @@ class ExeAppData(Signature):
categories = ["dropper", "persistence"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["M0023"]
+ ttp = ["B0023"]
def on_complete(self):
for dropped in self.get_results("dropped", []):
diff --git a/modules/signatures/windows/emoves_zoneid_ads.py b/modules/signatures/windows/emoves_zoneid_ads.py
index 9ad29d52b..a3644f90c 100644
--- a/modules/signatures/windows/emoves_zoneid_ads.py
+++ b/modules/signatures/windows/emoves_zoneid_ads.py
@@ -11,7 +11,7 @@ class RemovesZoneIdADS(Signature):
categories = ["generic"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["S0007"]
+ ttp = ["F0007"]
def on_complete(self):
for deletedfile in self.get_files(actions=["file_deleted"]):
diff --git a/modules/signatures/windows/exec_waitfor.py b/modules/signatures/windows/exec_waitfor.py
index e1f8df8fb..bc8224d80 100644
--- a/modules/signatures/windows/exec_waitfor.py
+++ b/modules/signatures/windows/exec_waitfor.py
@@ -13,7 +13,7 @@ class ExecWaitFor(Signature):
categories = ["script", "bypass"]
authors = ["FDD", "Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0003.003"]
+ ttp = ["B0003.003"]
def on_complete(self):
lower = "".join(self.get_command_lines()).lower()
diff --git a/modules/signatures/windows/exploitation.py b/modules/signatures/windows/exploitation.py
index a78ac9d7e..5d63288f3 100644
--- a/modules/signatures/windows/exploitation.py
+++ b/modules/signatures/windows/exploitation.py
@@ -11,7 +11,7 @@ class ExploitHeapspray(Signature):
categories = ["exploit"]
authors = ["Cuckoo Technologies", "Kevin Ross"]
minimum = "2.0"
- ttp = ["X0006"]
+ ttp = ["C0006"]
references = ["https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/"]
filter_apinames = "NtAllocateVirtualMemory",
@@ -104,7 +104,7 @@ class StackPivot(Signature):
categories = ["exploit", "rop"]
authors = ["Optiv", "Kevin Ross"]
minimum = "2.0"
- ttp = ["X0009"]
+ ttp = ["C0009"]
filter_apinames = critical_apinames
@@ -142,7 +142,7 @@ class DEPHeapBypass(Signature):
categories = ["exploit"]
authors = ["Optiv", "Kevin Ross"]
minimum = "2.0"
- ttp = ["X0002.002"]
+ ttp = ["C0002.002"]
filter_apinames = critical_apinames
@@ -180,7 +180,7 @@ class DEPStackBypass(Signature):
categories = ["exploit"]
authors = ["Optiv", "Kevin Ross"]
minimum = "2.0"
- ttp = ["X0002.001"]
+ ttp = ["C0002.001"]
filter_apinames = critical_apinames
@@ -270,7 +270,7 @@ class StackPivotShellcodeAPIs(Signature):
categories = ["exploit", "rop", "shellcode"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["X0009", "E1059"]
+ ttp = ["C0009", "E1059"]
evented = True
@@ -311,7 +311,7 @@ class StackPivotShellcodeCreateProcess(Signature):
categories = ["exploit", "rop", "shellcode"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["X0009", "X0017.001", "E1059"]
+ ttp = ["C0009", "C0017.001", "E1059"]
evented = True
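Review bot: After the prefix swap, the DEP-bypass signatures here carry `C0002.002` (DEPHeapBypass) and `C0002.001` (DEPStackBypass), while the office.py hunk in the same commit maps OfficeHttpRequest to `C0002.003`; two unrelated behaviour families now sit under the same parent ID, which suggests one side was already mis-mapped before the rename and the mechanical M/S/X to B/F/C swap carried the error forward. Confirm against the MBC entry for C0002 which family belongs there and re-map the other before merging, since downstream MBC-keyed reporting will otherwise conflate exploit mitigations with HTTP activity. Nothing in this hunk is inferred beyond the IDs shown; the class bodies run outside the hunk.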
diff --git a/modules/signatures/windows/infostealer_keylogger.py b/modules/signatures/windows/infostealer_keylogger.py
index 6421b3fa3..9f4c142c4 100644
--- a/modules/signatures/windows/infostealer_keylogger.py
+++ b/modules/signatures/windows/infostealer_keylogger.py
@@ -23,7 +23,7 @@ class Keylogger(Signature):
categories = ["generic"]
authors = ["Thomas Birn", "nex"]
minimum = "2.0"
- ttp = ["S0002.001", "S0003.003"]
+ ttp = ["F0002.001", "F0003.003"]
filter_apinames = "SetWindowsHookExA", "SetWindowsHookExW"
diff --git a/modules/signatures/windows/locates_sniffer.py b/modules/signatures/windows/locates_sniffer.py
index d363337b1..62af2a5be 100644
--- a/modules/signatures/windows/locates_sniffer.py
+++ b/modules/signatures/windows/locates_sniffer.py
@@ -10,7 +10,7 @@ class LocatesSniffer(Signature):
severity = 2
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0013"]
+ ttp = ["B0013"]
regkeys_re = [
".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\App\\ Paths\\\\Wireshark.exe",
diff --git a/modules/signatures/windows/maldoc.py b/modules/signatures/windows/maldoc.py
index 99e5ff0c5..2322450a1 100644
--- a/modules/signatures/windows/maldoc.py
+++ b/modules/signatures/windows/maldoc.py
@@ -11,7 +11,7 @@ class MaliciousDocumentURLs(Signature):
categories = ["downloader"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0023", "E1059.007", "E1059.005"]
+ ttp = ["B0023", "E1059.007", "E1059.005"]
filter_apinames = [
"InternetCrackUrlW",
diff --git a/modules/signatures/windows/memdump_urls.py b/modules/signatures/windows/memdump_urls.py
index bafdc86bb..fb53aa5dc 100644
--- a/modules/signatures/windows/memdump_urls.py
+++ b/modules/signatures/windows/memdump_urls.py
@@ -77,7 +77,7 @@ class ProcMemDumpIPURLs(Signature):
categories = ["unpacking", "c2"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["M0030"]
+ ttp = ["B0030"]
def on_complete(self):
ip = re.compile("^(http|https)\:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
diff --git a/modules/signatures/windows/mining.py b/modules/signatures/windows/mining.py
index bf069322c..ea760a854 100644
--- a/modules/signatures/windows/mining.py
+++ b/modules/signatures/windows/mining.py
@@ -12,7 +12,7 @@ class miningpool(Signature):
categories = ["mining"]
authors = ["RedSocks"]
minimum = "2.0"
- ttp = ["M0018.002"]
+ ttp = ["B0018.002"]
ipaddrs = [
"144.76.102.176",
diff --git a/modules/signatures/windows/modifies_proxies.py b/modules/signatures/windows/modifies_proxies.py
index 407fb5a9c..d5e5659ba 100644
--- a/modules/signatures/windows/modifies_proxies.py
+++ b/modules/signatures/windows/modifies_proxies.py
@@ -97,7 +97,7 @@ class DisablesProxy(Signature):
categories = ["infostealer"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["S0004", "E1112"]
+ ttp = ["F0004", "E1112"]
evented = True
filter_apinames = [
diff --git a/modules/signatures/windows/modifies_seccenter.py b/modules/signatures/windows/modifies_seccenter.py
index 0ac48cd93..931ee4acf 100644
--- a/modules/signatures/windows/modifies_seccenter.py
+++ b/modules/signatures/windows/modifies_seccenter.py
@@ -11,7 +11,7 @@ class ModifySecurityCenterWarnings(Signature):
categories = ["stealth"]
authors = ["Kevin Ross", "Optiv"]
minimum = "2.0"
- ttp = ["S0004", "E1112"]
+ ttp = ["F0004", "E1112"]
regkeys_re = [
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\.*",
diff --git a/modules/signatures/windows/network_rdp_mutex.py b/modules/signatures/windows/network_rdp_mutex.py
index c04fec6e2..1d6198840 100644
--- a/modules/signatures/windows/network_rdp_mutex.py
+++ b/modules/signatures/windows/network_rdp_mutex.py
@@ -13,7 +13,7 @@ class RdpMutexes(Signature):
 families = ["rdp"]
 authors = ["RedSocks"]
 minimum = "2.0"
- ttp = ["X0022.001"]
+ ttp = ["C0022.001"]
 mutexes_re = [
 "msrdp*",
diff --git a/modules/signatures/windows/office.py b/modules/signatures/windows/office.py
index 15befa790..15b556948 100644
--- a/modules/signatures/windows/office.py
+++ b/modules/signatures/windows/office.py
@@ -58,7 +58,7 @@ class OfficeCheckProjectName(Signature):
 categories = ["vba"]
 authors = ["FDD", "Cuckoo Sandbox"]
 minimum = "2.0"
- ttp = ["M0038", "M0007.007"]
+ ttp = ["B0038", "B0007.007"]
 filter_apinames = "vbe6_Invoke",
@@ -76,7 +76,7 @@ class OfficeCountDirectories(Signature):
 categories = ["vba"]
 authors = ["FDD @ Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0007.003", "T1083"]
+ ttp = ["B0007.003", "T1083"]
 filter_apinames = "vbe6_Invoke",
@@ -94,7 +94,7 @@ class OfficeCheckVersion(Signature):
 categories = ["vba"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0009.007", "T1518"]
+ ttp = ["B0009.007", "T1518"]
 filter_apinames = "vbe6_Invoke",
@@ -118,7 +118,7 @@ class OfficeCheckWindow(Signature):
 categories = ["vba"]
 authors = ["FDD @ Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0009.020", "T1010"]
+ ttp = ["B0009.020", "T1010"]
 filter_apinames = "vbe6_Invoke",
@@ -142,7 +142,7 @@ class OfficeHttpRequest(Signature):
 categories = ["vba"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["X0002.003"]
+ ttp = ["C0002.003"]
 filter_apinames = "vbe6_Invoke",
@@ -168,7 +168,7 @@ class OfficeRecentFiles(Signature):
 categories = ["vba"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0007.003", "T1083"]
+ ttp = ["B0007.003", "T1083"]
 filter_apinames = "vbe6_Invoke",
@@ -221,7 +221,7 @@ class OfficeCheckName(Signature):
 categories = ["office"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0038", "M0007.007", "E1059"]
+ ttp = ["B0038", "B0007.007", "E1059"]
 patterns = [
 "[^\n\r;']*Me.Name[^\n\r;']*",
diff --git a/modules/signatures/windows/packer_entropy.py b/modules/signatures/windows/packer_entropy.py
index b3408ed30..d775f0aa3 100644
--- a/modules/signatures/windows/packer_entropy.py
+++ b/modules/signatures/windows/packer_entropy.py
@@ -22,7 +22,7 @@ class PackerEntropy(Signature):
 categories = ["packer"]
 authors = ["Robby Zeitfuchs", "nex"]
 minimum = "2.0"
- ttp = ["S0001"]
+ ttp = ["F0001"]
 references = [
 "http://www.forensickb.com/2013/03/file-entropy-explained.html",
 "http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
diff --git a/modules/signatures/windows/packer_polymorphic.py b/modules/signatures/windows/packer_polymorphic.py
index 80e9b238d..603fbfa68 100644
--- a/modules/signatures/windows/packer_polymorphic.py
+++ b/modules/signatures/windows/packer_polymorphic.py
@@ -20,7 +20,7 @@ class Polymorphic(Signature):
 categories = ["packer"]
 authors = ["lordr"]
 minimum = "2.0"
- ttp = ["M0029"]
+ ttp = ["B0029"]
 def on_complete(self):
 if not HAVE_SSDEEP:
diff --git a/modules/signatures/windows/packer_upx.py b/modules/signatures/windows/packer_upx.py
index 69db2d8d7..6738d76b4 100644
--- a/modules/signatures/windows/packer_upx.py
+++ b/modules/signatures/windows/packer_upx.py
@@ -22,7 +22,7 @@ class UPXCompressed(Signature):
 categories = ["packer"]
 authors = ["Michael Boman", "nex"]
 minimum = "2.0"
- ttp = ["S0001.008"]
+ ttp = ["F0001.008"]
 def on_complete(self):
 for section in self.get_results("static", {}).get("pe_sections", []):
diff --git a/modules/signatures/windows/packer_vmprotect.py b/modules/signatures/windows/packer_vmprotect.py
index 73e0a1867..2c1ca37c4 100644
--- a/modules/signatures/windows/packer_vmprotect.py
+++ b/modules/signatures/windows/packer_vmprotect.py
@@ -22,7 +22,7 @@ class VMPPacked(Signature):
 categories = ["packer"]
 authors = ["Jeremy Hedges"]
 minimum = "2.0"
- ttp = ["S0001.010"]
+ ttp = ["F0001.010"]
 def on_complete(self):
 for section in self.get_results("static", {}).get("pe_sections", []):
diff --git a/modules/signatures/windows/payload_download.py b/modules/signatures/windows/payload_download.py
index fb452cb04..4534d4b73 100644
--- a/modules/signatures/windows/payload_download.py
+++ b/modules/signatures/windows/payload_download.py
@@ -66,7 +66,7 @@ class NetworkEXE(Signature):
 categories = ["exploit", "downloader"]
 authors = ["Kevin Ross", "Will Metcalf"]
 minimum = "2.0"
- ttp = ["M0023"]
+ ttp = ["B0023"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
@@ -107,7 +107,7 @@ class SuspiciousWriteEXE(Signature):
 categories = ["exploit", "downloader", "virus"]
 authors = ["Will Metcalf", "Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0023"]
+ ttp = ["B0023"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/pe_features.py b/modules/signatures/windows/pe_features.py
index c6fddf090..c97a563d9 100644
--- a/modules/signatures/windows/pe_features.py
+++ b/modules/signatures/windows/pe_features.py
@@ -13,7 +13,7 @@ class PEFeatures(Signature):
 categories = ["packer"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["S0001"]
+ ttp = ["F0001"]
 section_names = [
 ".text", ".rdata", ".data", ".pdata", ".DATA", ".reloc", ".idata",
@@ -45,7 +45,7 @@ class PEIDPacker(Signature):
 categories = ["packer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["S0001.002"]
+ ttp = ["F0001.002"]
 def on_complete(self):
 if self.get_results("static", {}).get("peid_signatures", []):
@@ -61,7 +61,7 @@ class PEUnknownResourceName(Signature):
 categories = ["packer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["S0001"]
+ ttp = ["F0001"]
 names = [
 "RT_ACCELERATOR",
diff --git a/modules/signatures/windows/persistence_autorun.py b/modules/signatures/windows/persistence_autorun.py
index f7ebf7ee1..3bada2aed 100644
--- a/modules/signatures/windows/persistence_autorun.py
+++ b/modules/signatures/windows/persistence_autorun.py
@@ -31,7 +31,7 @@ class Autorun(Signature):
 categories = ["persistence"]
 authors = ["Michael Boman", "nex", "securitykitten", "Cuckoo Technologies", "Optiv", "KillerInstinct", "Kevin Ross"]
 minimum = "2.0"
- ttp = ["S0012", "T1543.003", "E1112"]
+ ttp = ["F0012", "T1543.003", "E1112"]
 regkeys_re = [
 ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\.*",
diff --git a/modules/signatures/windows/persistence_bootexecute.py b/modules/signatures/windows/persistence_bootexecute.py
index 9c2f12571..41c782e60 100644
--- a/modules/signatures/windows/persistence_bootexecute.py
+++ b/modules/signatures/windows/persistence_bootexecute.py
@@ -23,7 +23,7 @@ class PersistenceBootexecute(Signature):
 authors = ["Brad Spengler"]
 minimum = "2.0"
 evented = True
- ttp = ["S0012"]
+ ttp = ["F0012"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/persistence_registry_fileless.py b/modules/signatures/windows/persistence_registry_fileless.py
index 1864cf5e3..e32ce1cfd 100644
--- a/modules/signatures/windows/persistence_registry_fileless.py
+++ b/modules/signatures/windows/persistence_registry_fileless.py
@@ -45,7 +45,7 @@ class PersistenceRegistryEXE(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 evented = True
- ttp = ["M0040.001", "E1112"]
+ ttp = ["B0040.001", "E1112"]
 filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"])
diff --git a/modules/signatures/windows/powershell.py b/modules/signatures/windows/powershell.py
index 62dbdbdd8..397f42902 100644
--- a/modules/signatures/windows/powershell.py
+++ b/modules/signatures/windows/powershell.py
@@ -64,7 +64,7 @@ class AmsiBypass(Signature):
 categories = ["script", "malware", "powershell", "amsi"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["S0004.004", "E1059.001"]
+ ttp = ["F0004.004", "E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellAMSI":
diff --git a/modules/signatures/windows/protection_rx.py b/modules/signatures/windows/protection_rx.py
index 1c36ef9c6..5994ac658 100644
--- a/modules/signatures/windows/protection_rx.py
+++ b/modules/signatures/windows/protection_rx.py
@@ -12,7 +12,7 @@ class MemoryProtectionRX(Signature):
 severity = 2
 categories = ["unpacking"]
 minimum = "2.0"
- ttp = ["X0008"]
+ ttp = ["C0008"]
 filter_apinames = (
 "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
diff --git a/modules/signatures/windows/ransomware_filemodications.py b/modules/signatures/windows/ransomware_filemodications.py
index ec4f072c7..bcb0e304e 100644
--- a/modules/signatures/windows/ransomware_filemodications.py
+++ b/modules/signatures/windows/ransomware_filemodications.py
@@ -53,7 +53,7 @@ class RansomwareAppendsExtension(Signature):
 categories = ["ransomware"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1486", "X0015.001"]
+ ttp = ["E1486", "C0015.001"]
 filter_apinames = "MoveFileWithProgressW", "MoveFileWithProgressTransactedW"
diff --git a/modules/signatures/windows/ransomware_files.py b/modules/signatures/windows/ransomware_files.py
index dc876738c..f02883d5d 100644
--- a/modules/signatures/windows/ransomware_files.py
+++ b/modules/signatures/windows/ransomware_files.py
@@ -23,7 +23,7 @@ class RansomwareFiles(Signature):
 categories = ["ransomware"]
 authors = ["KillerInstinct", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["E1486", "X0016.002"]
+ ttp = ["E1486", "C0016.002"]
 indicators = [
 (".*\\\\help_decrypt\.html$", ["CryptoWall"]),
diff --git a/modules/signatures/windows/self_delete_bat.py b/modules/signatures/windows/self_delete_bat.py
index 42085bff1..09a73c3d0 100644
--- a/modules/signatures/windows/self_delete_bat.py
+++ b/modules/signatures/windows/self_delete_bat.py
@@ -13,7 +13,7 @@ class SelfDeleteBat(Signature):
 categories = ["trojan"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["S0007"]
+ ttp = ["F0007"]
 indicator = (
 "@echo.*off.*"
diff --git a/modules/signatures/windows/smtp_gmail.py b/modules/signatures/windows/smtp_gmail.py
index e510f29a6..8c98b50a9 100644
--- a/modules/signatures/windows/smtp_gmail.py
+++ b/modules/signatures/windows/smtp_gmail.py
@@ -12,7 +12,7 @@ class Smtp_GMail(Signature):
 categories = ["smtp"]
 authors = ["RedSocks"]
 minimum = "2.0"
- ttp = ["X0012.001"]
+ ttp = ["C0012.001"]
 domains = [
 "smtp.gmail.com",
diff --git a/modules/signatures/windows/smtp_live.py b/modules/signatures/windows/smtp_live.py
index 473caa144..1f06ab85a 100644
--- a/modules/signatures/windows/smtp_live.py
+++ b/modules/signatures/windows/smtp_live.py
@@ -12,7 +12,7 @@ class Smtp_Live(Signature):
 categories = ["smtp"]
 authors = ["RedSocks"]
 minimum = "2.0"
- ttp = ["X0012.001"]
+ ttp = ["C0012.001"]
 domains = [
 "smtp.live.com",
diff --git a/modules/signatures/windows/smtp_mailru.py b/modules/signatures/windows/smtp_mailru.py
index 5a7216b5a..c7a616303 100644
--- a/modules/signatures/windows/smtp_mailru.py
+++ b/modules/signatures/windows/smtp_mailru.py
@@ -12,7 +12,7 @@ class Smtp_Mail_Ru(Signature):
 categories = ["smtp"]
 authors = ["RedSocks"]
 minimum = "2.0"
- ttp = ["X0012.001"]
+ ttp = ["C0012.001"]
 ipaddrs = [
 "94.100.180.160",
diff --git a/modules/signatures/windows/smtp_yahoo.py b/modules/signatures/windows/smtp_yahoo.py
index bf4bdc048..1ea46a4d5 100644
--- a/modules/signatures/windows/smtp_yahoo.py
+++ b/modules/signatures/windows/smtp_yahoo.py
@@ -12,7 +12,7 @@ class Smtp_Yahoo(Signature):
 categories = ["smtp"]
 authors = ["RedSocks"]
 minimum = "2.0"
- ttp = ["X0012.001"]
+ ttp = ["C0012.001"]
 domains = [
 "smtp.mail.yahoo.com",
diff --git a/modules/signatures/windows/sniffer_winpcap.py b/modules/signatures/windows/sniffer_winpcap.py
index a21a01f59..a810c65d6 100644
--- a/modules/signatures/windows/sniffer_winpcap.py
+++ b/modules/signatures/windows/sniffer_winpcap.py
@@ -22,7 +22,7 @@ class InstallsWinpcap(Signature):
 categories = ["sniffer"]
 authors = ["Thomas Birn", "nex"]
 minimum = "2.0"
- ttp = ["M0023", "T1040"]
+ ttp = ["B0023", "T1040"]
 indicators = [
 ".*\\\\packet\\.dll$",
diff --git a/modules/signatures/windows/stealth_hidenotifications.py b/modules/signatures/windows/stealth_hidenotifications.py
index 25c1816c8..b4f14b776 100644
--- a/modules/signatures/windows/stealth_hidenotifications.py
+++ b/modules/signatures/windows/stealth_hidenotifications.py
@@ -11,7 +11,7 @@ class StealthHideNotifications(Signature):
 categories = ["stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["S0006", "E1112"]
+ ttp = ["F0006", "E1112"]
 regkeys_re = [
 ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth$",
diff --git a/modules/signatures/windows/suspicious_process.py b/modules/signatures/windows/suspicious_process.py
index d43ed3d0b..0d95e45cd 100644
--- a/modules/signatures/windows/suspicious_process.py
+++ b/modules/signatures/windows/suspicious_process.py
@@ -11,7 +11,7 @@ class CreatesSuspiciousProcess(Signature):
 categories = ["packer"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["X0017"]
+ ttp = ["C0017"]
 processes = [
 "svchost", "powershell", "regsvr32", "bcdedit", "mshta", "schtasks",
diff --git a/modules/signatures/windows/terminates_process.py b/modules/signatures/windows/terminates_process.py
index 11ca8f38e..f7ba812d6 100644
--- a/modules/signatures/windows/terminates_process.py
+++ b/modules/signatures/windows/terminates_process.py
@@ -23,7 +23,7 @@ class TerminatesRemoteProcess(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 evented = True
- ttp = ["X0018"]
+ ttp = ["C0018"]
 filter_apinames = "NtTerminateProcess",
diff --git a/modules/signatures/windows/volatility_sig.py b/modules/signatures/windows/volatility_sig.py
index b2d5766fe..64b94a424 100644
--- a/modules/signatures/windows/volatility_sig.py
+++ b/modules/signatures/windows/volatility_sig.py
@@ -73,7 +73,7 @@ class VolDevicetree1(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["S0010.001"]
+ ttp = ["F0010.001"]
 # http://mnin.blogspot.de/2011/10/zeroaccess-volatility-and-kernel-timers.html
@@ -92,7 +92,7 @@ class VolSvcscan1(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["S0004"]
+ ttp = ["F0004"]
 def on_complete(self):
 for row in self.get_volatility("svcscan").get("data", []):
@@ -110,7 +110,7 @@ class VolSvcscan2(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["S0004"]
+ ttp = ["F0004"]
 def on_complete(self):
 for row in self.get_volatility("svcscan").get("data", []):
@@ -128,7 +128,7 @@ class VolSvcscan3(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["S0004"]
+ ttp = ["F0004"]
 def on_complete(self):
 for row in self.get_volatility("svcscan").get("data", []):
@@ -146,7 +146,7 @@ class VolModscan1(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["S0010"]
+ ttp = ["F0010"]
 def on_complete(self):
 for row in self.get_volatility("modscan").get("data", []):
diff --git a/modules/signatures/windows/wmi.py b/modules/signatures/windows/wmi.py
index 1db5ffdde..bbb75cb35 100644
--- a/modules/signatures/windows/wmi.py
+++ b/modules/signatures/windows/wmi.py
@@ -33,7 +33,7 @@ class Win32ProcessCreate(Signature):
 categories = ["wmi"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1047", "X0017.002"]
+ ttp = ["T1047", "C0017.002"]
 filter_apinames = [
 "IWbemServices_ExecMethod",
@@ -53,7 +53,7 @@ class WMIAntiVM(Signature):
 categories = ["wmi", "anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009", "T1047", "T1497"]
+ ttp = ["B0009", "T1047", "T1497"]
 antivm = [
 "win32_processor",
From badbc4b2b12f75479e035299fa815d0ca7cf3216 Mon Sep 17 00:00:00 2001
From: Emmanuelle Vargas-Gonzalez
Date: Thu, 13 Aug 2020 14:35:44 -0400
Subject: [PATCH 11/12] Update README.md
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index f154b0889..5d8a0a317 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ Below, we explain how these signatures are used. We begin with an example Python
 Example Cuckoo Signature
 ------------------------
-This signature example (antisandbox_sleep.py) was not mapped to an ATT&CK technique. We map it to **Dynamic Analysis Evasion::Delayed Execution [M0003.003]** as shown below (see the ttp variable).
+This signature example (antisandbox_sleep.py) was not mapped to an ATT&CK technique. We map it to **Dynamic Analysis Evasion::Delayed Execution [B0003.003]** as shown below (see the ttp variable).
 ```python
 from lib.cuckoo.common.abstracts import Signature
@@ -34,7 +34,7 @@ class AntiSandboxSleep(Signature):
 Cuckoo Reports
 --------------
-The signature section of a Cuckoo report specifies associated MBC behavior as shown in the example below (Dynamic Analysis Evasion [M0003.003] behavior is shown).
+The signature section of a Cuckoo report specifies associated MBC behavior as shown in the example below (Dynamic Analysis Evasion [B0003.003] behavior is shown).
 ```json
 {
@@ -44,7 +44,7 @@ The signature section of a Cuckoo report specifies associated MBC behavior as sh
 "description": "A process attempted to delay the analysis task.",
 "severity": 1,
 "ttp": {
- "M0003.003": {
+ "B0003.003": {
 "short": "Dynamic Analysis Evasion",
 "long": "Malware may obstruct dynamic analysis in a sandbox, emulator, or virtual "
 }
From 4478ea96aa1ab67e42d12e92446ffc491efba35a Mon Sep 17 00:00:00 2001
From: Desiree Beck
Date: Mon, 21 Sep 2020 14:47:12 -0400
Subject: [PATCH 12/12] Update exploitation.py wrong ID for two mappings.
---
 modules/signatures/windows/exploitation.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/signatures/windows/exploitation.py b/modules/signatures/windows/exploitation.py
index 5d63288f3..a0a23f23c 100644
--- a/modules/signatures/windows/exploitation.py
+++ b/modules/signatures/windows/exploitation.py
@@ -142,7 +142,7 @@ class DEPHeapBypass(Signature):
 categories = ["exploit"]
 authors = ["Optiv", "Kevin Ross"]
 minimum = "2.0"
- ttp = ["C0002.002"]
+ ttp = ["C0008.002"]
 filter_apinames = critical_apinames
@@ -180,7 +180,7 @@ class DEPStackBypass(Signature):
 categories = ["exploit"]
 authors = ["Optiv", "Kevin Ross"]
 minimum = "2.0"
- ttp = ["C0002.001"]
+ ttp = ["C0008.001"]
 filter_apinames = critical_apinames
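Review bot: The corrected `ttp = ["C0008.002"]` on DEPHeapBypass, and `C0008.001` on DEPStackBypass in the second hunk, now line up with protection_rx.py's MemoryProtectionRX, which this same series maps to `C0008`, whereas the old `C0002` prefix is what office.py's OfficeHttpRequest carries, so the previous value pointed at an unrelated micro-behavior. Nothing in exploitation.py records which MBC behavior the ID denotes, which is plausibly why the wrong prefix survived the bulk M→B / S→F / X→C rewrite in the earlier patch of this series. A trailing comment naming the behavior next to each ID, e.g. `ttp = ["C0008.002"]  # MBC <BEHAVIOR NAME PLACEHOLDER>::<SUB-TECHNIQUE PLACEHOLDER>`, would let a reviewer check the mapping without the catalog open; the same applies to the other ttp lists in this series. Both enclosing classes start outside their hunks.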