Add in Dosfuscation Signature #432

Open
wants to merge 4 commits into
base: master
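--- /dev/null
+++ b/modules/signatures/windows/commandline_anomaly.py
@@ -0,0 +1,112 @@
+# Copyright (C) 2018 Kevin Ross
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from lib.cuckoo.common.abstracts import Signature
+
+class CmdlineCompsecEvasion(Signature):
+name = "cmdline_comspec_evasion"
+description = "Uses the %COMSPEC% environment variable to access the command line interpreter to evade detection"
+severity = 3
+categories = ["commands"]
+authors = ["Kevin Ross"]
+minimum = "2.0"
+references = ["www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf"]
+
+def on_complete(self):
+for cmdline in self.get_command_lines():
+if "%comspec" in cmdline.lower():
+self.mark_ioc("cmdline", cmdline)
+
+return self.has_marks()
+
+class CmdlineChracterObfsucation(Signature):
+name = "cmdline_chracter_obfuscation"
+description = "Appears to use character obfuscation in a command line"
+severity = 3
+categories = ["commands"]
+authors = ["Kevin Ross"]
+minimum = "2.0"
+references = ["www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf"]
+
+def on_complete(self):
+for cmdline in self.get_command_lines():
+if "cmd" in cmdline.lower() and (cmdline.count("^") > 3 or cmdline.count("&") > 6 or cmdline.count("+") > 4 or cmdline.count("\"") > 8 or cmdline.count(";") > 6):
+self.mark_ioc("cmdline", cmdline)
+
+return self.has_marks()
+
+class CmdlineConcatenationObfsucation(Signature):
+name = "cmdline_concatenation_obfuscation"
+description = "Appears to use adjacent environment variables for concatenation reassembly obfuscation in a command line"
+severity = 3
+categories = ["commands"]
+authors = ["Kevin Ross"]
+minimum = "2.0"
+references = ["www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf"]
+
+def on_complete(self):
+for cmdline in self.get_command_lines():
+if "cmd" in cmdline.lower() and re.search('(%[^%]+%){4}', cmdline):
+self.mark_ioc("cmdline", cmdline)
+
+return self.has_marks()
+
+class CmdlineSetObfsucation(Signature):
+name = "cmdline_set_obfuscation"
+description = "Appears to use set to define variables in a command line likely for obfuscation"
+severity = 3
+categories = ["commands"]
+authors = ["Kevin Ross"]
+minimum = "2.0"
+references = ["www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf"]
+
+def on_complete(self):
+for cmdline in self.get_command_lines():
+if "cmd" in cmdline.lower() and cmdline.lower().count("set ") > 2:
+self.mark_ioc("cmdline", cmdline)
+
+return self.has_marks()
+
+class CmdlineSetCallObfsucation(Signature):
+name = "cmdline_setcall_obfuscation"
+description = "Appears to use set and call to define a variable in a command line likely for obfuscation"
+severity = 3
+categories = ["commands"]
+authors = ["Kevin Ross"]
+minimum = "2.0"
+references = ["www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf"]
+
+def on_complete(self):
+for cmdline in self.get_command_lines():
+if "cmd" in cmdline.lower() and "set " in cmdline.lower() and "call " in cmdline.lower():
+self.mark_ioc("cmdline", cmdline)
+
+return self.has_marks()
+
+class CmdlineSetForLoopObfsucation(Signature):
+name = "cmdline_set_forloop_obfuscation"
+description = "Appears to use a for loop in a command line likely for obfuscation"
+severity = 3
+categories = ["commands"]
+authors = ["Kevin Ross"]
+minimum = "2.0"
+references = ["www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf"]
+
+def on_complete(self):
+for cmdline in self.get_command_lines():
+if "cmd" in cmdline.lower() and "set " in cmdline.lower() and "for " in cmdline.lower():
+self.mark_ioc("cmdline", cmdline)
+
+return self.has_marks()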
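Review bot: `re` is never imported in this file — the only import is `from lib.cuckoo.common.abstracts import Signature` — yet `CmdlineConcatenationObfsucation.on_complete` calls `re.search('(%[^%]+%){4}', cmdline)`, so the first command line containing "cmd" that reaches that branch raises `NameError` and the signature can never mark anything; add `import re` above the Signature import and, since the pattern is evaluated inside a loop, hoist it to a module-level `re.compile`. The keyword tests in the set/call/for signatures are bare substring checks (`"set " in cmdline.lower()`, `"for " in ...`, `"call " in ...`), which also fire on `reset `, `offset `, `recall ` and similar tokens, so a word-boundary form such as `re.search(r'\bset\b', cmdline.lower())` would remove those false positives without losing the obfuscation shapes the referenced report describes. The class names and the `cmdline_chracter_obfuscation` signature name carry typos (Compsec, Chracter, Obfsucation); because `name` is the identifier that reports and downstream consumers key on, it is worth correcting before merge rather than after it has been relied upon. Lastly, `%COMSPEC%` is also used by benign batch files and installers, so severity 3 on a bare `"%comspec" in cmdline.lower()` match is likely to be noisy — hedged, since the sample set this runs against is not visible here.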