Merge pull request #194 from CybercentreCanada/update/quickscope-sigs
Additional behaviour combinations in PS1Profiler
cccs-kevin committed Dec 12, 2023
2 parents 3c1dcbd + 979995c commit 3fc3346
Showing 14 changed files with 516 additions and 56 deletions.
Expand Up @@ -168,7 +168,7 @@
},
{
"auto_collapse": false,
"body": "Marks: Net.WebClient, DownloadString",
"body": "Marks: WebClient, DownloadString",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 2063,
"score": 2173,
"sections": [
{
"auto_collapse": false,
Expand Down Expand Up @@ -262,6 +262,54 @@
"title_text": "Signature: Sleeps",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: EncodedCommand",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 100,
"score_map": {
"Obfuscation": 100
},
"signatures": {
"Obfuscation": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Obfuscation",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: -ExecutionPolicy",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 10,
"score_map": {
"Evasion": 10
},
"signatures": {
"Evasion": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Evasion",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": [
Expand Down Expand Up @@ -784,6 +832,20 @@
"Sleeps"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Obfuscation"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Evasion"
]
},
{
"attack_ids": [],
"heur_id": 3,
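Review bot: The new signature entries at L45-L49, L69-L73, L93-L98 and L100-L105 all keep `"attack_ids": []`, although EncodedCommand-based obfuscation and an `-ExecutionPolicy` override correspond to well-known ATT&CK techniques (T1027 and T1059.001 respectively). If the PS1Profiler signature definitions can carry attack IDs, populating them there would hand consumers of these heuristics the mapping for free, and this fixture would then simply be regenerated. The expected total at L29-L30 rises by exactly the 100 + 10 of the two added sections, so the fixture arithmetic itself is consistent. The same empty `attack_ids` pattern recurs in the equivalent entries of the later files in this commit.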
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 1331,
"score": 1441,
"sections": [
{
"auto_collapse": false,
Expand Down Expand Up @@ -223,7 +223,31 @@
},
{
"auto_collapse": false,
"body": "Marks: [System.Convert]::FromBase64String(",
"body": "Marks: Text.Encoding, System.Convert",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 100,
"score_map": {
"Obfuscation": 100
},
"signatures": {
"Obfuscation": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Obfuscation",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: FromBase64String(",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
Expand Down Expand Up @@ -317,6 +341,30 @@
"title_text": "Signature: Imports BitsTransfer",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: env:APPDATA",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 10,
"score_map": {
"Filesystem": 10
},
"signatures": {
"Filesystem": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Filesystem",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: Downloader, Imports BitsTransfer, Deobfuscation, Compression, Sleeps",
Expand Down Expand Up @@ -408,6 +456,13 @@
"Sleeps"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Obfuscation"
]
},
{
"attack_ids": [],
"heur_id": 3,
Expand Down Expand Up @@ -436,6 +491,13 @@
"Imports BitsTransfer"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Filesystem"
]
},
{
"attack_ids": [],
"heur_id": 3,
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 541,
"score": 641,
"sections": [
{
"auto_collapse": false,
Expand Down Expand Up @@ -38,7 +38,7 @@
},
{
"auto_collapse": false,
"body": "Marks: wget",
"body": "Marks: TCPClient, wget, Net.Sockets, AcceptTcpClient",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
Expand Down Expand Up @@ -108,6 +108,30 @@
"title_text": "Signature: Hidden Window",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: Text.Encoding",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 100,
"score_map": {
"Obfuscation": 100
},
"signatures": {
"Obfuscation": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Obfuscation",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: gwmi",
Expand Down Expand Up @@ -199,6 +223,13 @@
"Hidden Window"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Obfuscation"
]
},
{
"attack_ids": [],
"heur_id": 3,
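Review bot: The added Obfuscation section at L235-L258 is triggered by `Marks: Text.Encoding` on its own yet contributes the full 100 points (L246), the same weight the other files assign to combinations such as `Text.Encoding, System.Convert` (L125) or `FromBase64String(` (L149). A bare `[Text.Encoding]` reference is routine in benign administrative scripts, so a 100-point hit on that token alone looks prone to false positives; the matching rule lives in the signature definitions rather than in this fixture, so it is worth confirming that the rule requires more than the class name before accepting this expected output. The total at L217-L218 (541 to 641) matches the single added section, so the expected-score bookkeeping is consistent.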
@@ -1,7 +1,7 @@
{
"extra": {
"drop_file": false,
"score": 151,
"score": 261,
"sections": [
{
"auto_collapse": false,
Expand Down Expand Up @@ -66,7 +66,7 @@
},
{
"auto_collapse": false,
"body": "Marks: Convert, FromBase64String, Text.Encoding, Compression.CompressionMode]::Decompress, IO.Compression.DeflateStream, IO.MemoryStream",
"body": "Marks: Convert, FromBase64String, Text.Encoding, Compression.CompressionMode, IO.Compression.DeflateStream, IO.MemoryStream",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
Expand All @@ -90,7 +90,31 @@
},
{
"auto_collapse": false,
"body": "Marks: [Convert]::FromBase64String(",
"body": "Marks: Text.Encoding, System.Convert",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 100,
"score_map": {
"Obfuscation": 100
},
"signatures": {
"Obfuscation": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Obfuscation",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: FromBase64String(",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
Expand Down Expand Up @@ -160,6 +184,30 @@
"title_text": "Signature: Byte Usage",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": "Marks: IO.File",
"body_config": {},
"body_format": "TEXT",
"classification": "TLP:C",
"depth": 1,
"heuristic": {
"attack_ids": [],
"frequency": 1,
"heur_id": 3,
"score": 10,
"score_map": {
"Filesystem": 10
},
"signatures": {
"Filesystem": 1
}
},
"promote_to": null,
"tags": {},
"title_text": "Signature: Filesystem",
"zeroize_on_tag_safe": false
},
{
"auto_collapse": false,
"body": [
Expand Down Expand Up @@ -264,6 +312,13 @@
"Compression"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Obfuscation"
]
},
{
"attack_ids": [],
"heur_id": 3,
Expand All @@ -284,6 +339,13 @@
"signatures": [
"Byte Usage"
]
},
{
"attack_ids": [],
"heur_id": 3,
"signatures": [
"Filesystem"
]
}
],
"tags": {
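Review bot: After this change the file holds two adjacent encoding-related sections, `Marks: Text.Encoding, System.Convert` at L300-L320 (scored 100 as Obfuscation, L309) and `Marks: FromBase64String(` at L322-L327 (whose title lies outside the hunk), on top of the existing section at L290-L291 that already lists Convert, FromBase64String and Text.Encoding; the same Base64 indicators in one script therefore appear to be counted more than once in the total at L281-L282. If that stacking is intended, the signature documentation should state that Obfuscation sub-signatures are scored independently; if not, the overlapping marks are probably better merged into one rule. The mark at L291 also drops the `]::Decompress` suffix that L290 carried, which suggests the matching pattern was narrowed to the class name and deserves a line in the PR description.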
