Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update beacon sig with extra APIs #140

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update beacon sig with extra APIs #140

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 36 additions & 5 deletions modules/signatures/recon_beacon.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,35 +17,59 @@

class Recon_Beacon(Signature):
name = "recon_beacon"
description = "A process sent information about the computer to a remote location."
description = "A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations."
weight = 2
severity = 3
categories = ["network", "recon"]
authors = ["KillerInstinct"]
authors = ["KillerInstinct", "Kevin Ross"]
minimum = "1.3"
evented = True

def __init__(self, *args, **kwargs):
Signature.__init__(self, *args, **kwargs)
self.proclogs = dict()
self.proclogs_obf = dict()

filter_apinames = set(["HttpSendRequestA", "HttpOpenRequestA"])
filter_apinames = set(["HttpSendRequestA","HttpSendRequestW","HttpOpenRequestA","HttpOpenRequestW","InternetCrackUrlA","InternetCrackUrlW","WSASend","CryptHashData"])

def on_call(self, call, process):
if call["api"] == "HttpSendRequestA":
# Checks for sending data over network
if call["api"] == "HttpSendRequestA" or call["api"] == "HttpSendRequestW":
buf = self.get_argument(call, "PostData")
if buf:
if process["process_name"] not in self.proclogs:
self.proclogs[process["process_name"]] = set()
self.proclogs[process["process_name"]].add(buf)

elif call["api"] == "HttpOpenRequestA":
elif call["api"] == "HttpOpenRequestA" or call["api"] == "HttpOpenRequestW":
buf = self.get_argument(call, "Path")
if buf:
if process["process_name"] not in self.proclogs:
self.proclogs[process["process_name"]] = set()
self.proclogs[process["process_name"]].add(buf)

elif call["api"] == "InternetCrackUrlA" or call["api"] == "InternetCrackUrlW":
buf = self.get_argument(call, "Url")
if buf:
if process["process_name"] not in self.proclogs:
self.proclogs[process["process_name"]] = set()
self.proclogs[process["process_name"]].add(buf)

elif call["api"] == "WSASend":
buf = self.get_argument(call, "Buffer")
if buf:
if process["process_name"] not in self.proclogs:
self.proclogs[process["process_name"]] = set()
self.proclogs[process["process_name"]].add(buf)

# Data preperation likely prior to sending over network in obfsucated form
elif call["api"] == "CryptHashData":
buf = self.get_argument(call, "Buffer")
if buf:
if process["process_name"] not in self.proclogs_obf:
self.proclogs_obf[process["process_name"]] = set()
self.proclogs_obf[process["process_name"]].add(buf)

def on_complete(self):
ret = False
# should perhaps check for any observed username, not just that of the initial process
Expand All @@ -64,4 +88,11 @@ def on_complete(self):
self.data.append({"Beacon": proc + ": " + beacon})
ret = True

if self.proclogs_obf and cname and uname:
for proc in self.proclogs_obf:
for beacon in self.proclogs_obf[proc]:
if cname in beacon.lower() or uname in beacon.lower():
self.data.append({"Data Being Obfuscated": proc + ": " + beacon})
ret = True

return ret