From 89096b37b62b7c77656a85c76033555c6fb403e7 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Tue, 31 Jul 2018 13:06:42 +0100
Subject: [PATCH 1/4] Add in Dosfuscation Signature
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
---
 .../signatures/windows/commandline_anomaly.py | 80 +++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 modules/signatures/windows/commandline_anomaly.py
diff --git a/modules/signatures/windows/commandline_anomaly.py b/modules/signatures/windows/commandline_anomaly.py
new file mode 100644
index 000000000..7805baa96
--- /dev/null
+++ b/modules/signatures/windows/commandline_anomaly.py
@@ -0,0 +1,80 @@
+# Copyright (C) 2018 Kevin Ross
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from lib.cuckoo.common.abstracts import Signature
+
+class CmdlineCompsecEvasion(Signature):
+ name = "cmdline_comspec_evasion"
+ description = "Uses the %COMSPEC% environment variable to access the command line interpreter to evade detection"
+ severity = 3
+ categories = ["commands"]
+ authors = ["Kevin Ross"]
+ minimum = "2.0"
+ references = ["www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf"]
+
+ def on_complete(self):
+ for cmdline in self.get_command_lines():
+ if "%comspec" in cmdline.lower():
+ self.mark_ioc("cmdline", cmdline)
+
+ return self.has_marks()
+
+class CmdlineChracterObfsucation(Signature):
+ name = "cmdline_chracter_obfuscation"
+ description = "Appears to use character obfuscation in a command line"
+ severity = 3
+ categories = ["commands"]
+ authors = ["Kevin Ross"]
+ minimum = "2.0"
+ references = ["www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf"]
+
+ def on_complete(self):
+ for cmdline in self.get_command_lines():
+ if "cmd" in cmdline.lower() and (cmdline.count("^") > 3 or cmdline.count("&") > 6):
+ self.mark_ioc("cmdline", cmdline)
+
+ return self.has_marks()
+
+class CmdlineConcatenationObfsucation(Signature):
+ name = "cmdline_concatenation_obfuscation"
+ description = "Appears to use adjacent environment variables for concatenation reassembly obfuscation in a command line"
+ severity = 3
+ categories = ["commands"]
+ authors = ["Kevin Ross"]
+ minimum = "2.0"
+ references = ["www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf"]
+
+ def on_complete(self):
+ for cmdline in self.get_command_lines():
+ if "cmd" in cmdline.lower() and re.search('(%[^%]+%){4}', cmdline):
+ self.mark_ioc("cmdline", cmdline)
+
+ return self.has_marks()
+
+class CmdlineSetObfsucation(Signature):
+ name = "cmdline_set_obfuscation"
+ description = "Appears to use multiple set variables in command line likely for obfsucation"
+ severity = 3
+ categories = ["commands"]
+ authors = ["Kevin Ross"]
+ minimum = "2.0"
+ references = ["www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf"]
+
+ def on_complete(self):
+ for cmdline in self.get_command_lines():
+ if "cmd" in cmdline.lower() and cmdline.lower().count("set ") > 2:
+ self.mark_ioc("cmdline", cmdline)
+
+ return self.has_marks()
From 0f409525c0d39d3af332493c7402e2dfb8e8573a Mon Sep 17 00:00:00 2001
From: kevross33
Date: Tue, 31 Jul 2018 13:41:52 +0100
Subject: [PATCH 2/4] Update commandline_anomaly.py
---
 modules/signatures/windows/commandline_anomaly.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/signatures/windows/commandline_anomaly.py b/modules/signatures/windows/commandline_anomaly.py
index 7805baa96..509fcaca9 100644
--- a/modules/signatures/windows/commandline_anomaly.py
+++ b/modules/signatures/windows/commandline_anomaly.py
@@ -65,7 +65,7 @@ def on_complete(self):
 class CmdlineSetObfsucation(Signature):
 name = "cmdline_set_obfuscation"
- description = "Appears to use multiple set variables in command line likely for obfsucation"
+ description = "Appears to use set to define variables in command line likely for obfsucation"
 severity = 3
 categories = ["commands"]
 authors = ["Kevin Ross"]
From 5f3886814e532c15d109f4ab9321629cb4670fb0 Mon Sep 17 00:00:00 2001
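Review bot: `CmdlineConcatenationObfsucation.on_complete` calls `re.search('(%[^%]+%){4}', cmdline)`, but the only import the new file carries is `from lib.cuckoo.common.abstracts import Signature`, so the first command line containing "cmd" raises `NameError: name 're' is not defined` instead of marking anything, and none of the later patches in this series adds the import either. Add `import re` above the Signature import. The class and `name` attributes also carry typos (`CmdlineChracterObfsucation`, `cmdline_chracter_obfuscation`, the `Obfsucation` suffix on three classes); since `name` is the identifier that reports and downstream consumers key on, it is cheaper to fix before it ships than after. The `%comspec` signature fires on any command line that references the variable, which benign installers and scripts also do, so a severity of 3, the same as the obfuscation signatures, looks high; that is a tuning judgement the hunk itself cannot settle.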
From: kevross33
Date: Tue, 31 Jul 2018 14:09:10 +0100
Subject: [PATCH 3/4] Update commandline_anomaly.py
---
 modules/signatures/windows/commandline_anomaly.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/signatures/windows/commandline_anomaly.py b/modules/signatures/windows/commandline_anomaly.py
index 509fcaca9..6501beab3 100644
--- a/modules/signatures/windows/commandline_anomaly.py
+++ b/modules/signatures/windows/commandline_anomaly.py
@@ -42,7 +42,7 @@ class CmdlineChracterObfsucation(Signature):
 def on_complete(self):
 for cmdline in self.get_command_lines():
- if "cmd" in cmdline.lower() and (cmdline.count("^") > 3 or cmdline.count("&") > 6):
+ if "cmd" in cmdline.lower() and (cmdline.count("^") > 3 or cmdline.count("&") > 6 or cmdline.count("+") > 4 or cmdline.count("\"") > 8):
 self.mark_ioc("cmdline", cmdline)
 return self.has_marks()
From 7c67d1dd7a4c24fc617be015fd1842d3f73bac7c Mon Sep 17 00:00:00 2001
From: kevross33
Date: Wed, 1 Aug 2018 15:13:30 +0100
Subject: [PATCH 4/4] Add in some more sigs
---
 .../signatures/windows/commandline_anomaly.py | 36 +++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/modules/signatures/windows/commandline_anomaly.py b/modules/signatures/windows/commandline_anomaly.py
index 6501beab3..a22453a3f 100644
--- a/modules/signatures/windows/commandline_anomaly.py
+++ b/modules/signatures/windows/commandline_anomaly.py
@@ -42,7 +42,7 @@ class CmdlineChracterObfsucation(Signature):
 def on_complete(self):
 for cmdline in self.get_command_lines():
- if "cmd" in cmdline.lower() and (cmdline.count("^") > 3 or cmdline.count("&") > 6 or cmdline.count("+") > 4 or cmdline.count("\"") > 8):
+ if "cmd" in cmdline.lower() and (cmdline.count("^") > 3 or cmdline.count("&") > 6 or cmdline.count("+") > 4 or cmdline.count("\"") > 8 or cmdline.count(";") > 6):
 self.mark_ioc("cmdline", cmdline)
 return self.has_marks()
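Review bot: The rewritten `if` in `CmdlineChracterObfsucation.on_complete` now strings five `count()` thresholds (`^` > 3, `&` > 6, `+` > 4, `"` > 8 and, after the following `@@ -42,7` hunk in PATCH 4/4, `;` > 6) onto one line with nothing saying where the numbers come from, and each patch in the series edits that line in place; this note covers both hunks. Keep the thresholds in one class-level tuple with a comment and test them with `any()`, as below (shown in its PATCH 4/4 form), so the next tuning change is a one-entry edit rather than a rewrite of the condition. The `"cmd" in cmdline.lower()` prefilter is a plain substring test, so any path or argument that merely contains `cmd` passes it; presumably it is meant as a cheap cmd.exe check, which is worth stating in a comment. The enclosing class header is outside the hunk.
```python
    # (character, count above which the command line is marked); these are the
    # thresholds from the original condition, kept in one tunable place
    CHAR_THRESHOLDS = (("^", 3), ("&", 6), ("+", 4), ('"', 8), (";", 6))

    def on_complete(self):
        for cmdline in self.get_command_lines():
            # substring prefilter: intended as a cheap "involves cmd.exe" check
            if "cmd" not in cmdline.lower():
                continue
            if any(cmdline.count(char) > limit for char, limit in self.CHAR_THRESHOLDS):
                self.mark_ioc("cmdline", cmdline)
        # … unchanged: return self.has_marks() …
```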
@@ -65,7 +65,7 @@ def on_complete(self):
 class CmdlineSetObfsucation(Signature):
 name = "cmdline_set_obfuscation"
- description = "Appears to use set to define variables in command line likely for obfsucation"
+ description = "Appears to use set to define variables in a command line likely for obfuscation"
 severity = 3
 categories = ["commands"]
 authors = ["Kevin Ross"]
@@ -78,3 +78,35 @@ def on_complete(self):
 self.mark_ioc("cmdline", cmdline)
 return self.has_marks()
+
+class CmdlineSetCallObfsucation(Signature):
+ name = "cmdline_setcall_obfuscation"
+ description = "Appears to use set and call to define a variable in a command line likely for obfuscation"
+ severity = 3
+ categories = ["commands"]
+ authors = ["Kevin Ross"]
+ minimum = "2.0"
+ references = ["www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf"]
+
+ def on_complete(self):
+ for cmdline in self.get_command_lines():
+ if "cmd" in cmdline.lower() and "set " in cmdline.lower() and "call " in cmdline.lower():
+ self.mark_ioc("cmdline", cmdline)
+
+ return self.has_marks()
+
+class CmdlineSetForLoopObfsucation(Signature):
+ name = "cmdline_set_forloop_obfuscation"
+ description = "Appears to use a for loop in a command line likely for obfuscation"
+ severity = 3
+ categories = ["commands"]
+ authors = ["Kevin Ross"]
+ minimum = "2.0"
+ references = ["www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf"]
+
+ def on_complete(self):
+ for cmdline in self.get_command_lines():
+ if "cmd" in cmdline.lower() and "set " in cmdline.lower() and "for " in cmdline.lower():
+ self.mark_ioc("cmdline", cmdline)
+
+ return self.has_marks()
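Review bot: `CmdlineSetForLoopObfsucation` is described as "Appears to use a for loop in a command line" but its condition also requires `"set "`, so either the description or the condition is wrong, and both new `on_complete` bodies call `cmdline.lower()` three times per iteration where one binding would do: `lowered = cmdline.lower()` followed by `if "cmd" in lowered and "set " in lowered and "for " in lowered:` (and the `"call "` form for the sibling class). The `"set "`, `"call "` and `"for "` tests are plain substring matches, so they also hit those sequences inside longer words or quoted arguments; word-boundary matching would need `re`, which no hunk in this series imports. A command line that satisfies either new signature will often also satisfy `CmdlineSetObfsucation` (three or more `set `), so the three will tend to fire together on one line, and a comment on the intended distinction between them would help whoever tunes severities later. The `Obfsucation` typo is carried into both new class names.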