diff --git a/tests/results/1954ce6974e8203214c9eb20c2d73bd765e8d5599b9a02b3656845a50f61a634/result.json b/tests/results/1954ce6974e8203214c9eb20c2d73bd765e8d5599b9a02b3656845a50f61a634/result.json index cefb249..80c05cf 100644 --- a/tests/results/1954ce6974e8203214c9eb20c2d73bd765e8d5599b9a02b3656845a50f61a634/result.json +++ b/tests/results/1954ce6974e8203214c9eb20c2d73bd765e8d5599b9a02b3656845a50f61a634/result.json @@ -168,7 +168,7 @@ }, { "auto_collapse": false, - "body": "Marks: Net.WebClient, DownloadString", + "body": "Marks: WebClient, DownloadString", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/35867e49e1c048ad00c9f40c10ec62a2c5e81c3b9b25511ea70fa44501fbe57e/result.json b/tests/results/35867e49e1c048ad00c9f40c10ec62a2c5e81c3b9b25511ea70fa44501fbe57e/result.json index 611511d..6f795c9 100644 --- a/tests/results/35867e49e1c048ad00c9f40c10ec62a2c5e81c3b9b25511ea70fa44501fbe57e/result.json +++ b/tests/results/35867e49e1c048ad00c9f40c10ec62a2c5e81c3b9b25511ea70fa44501fbe57e/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 2063, + "score": 2173, "sections": [ { "auto_collapse": false, 
@@ -262,6 +262,54 @@ "title_text": "Signature: Sleeps", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "Marks: EncodedCommand", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 100, + "score_map": { + "Obfuscation": 100 + }, + "signatures": { + "Obfuscation": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Obfuscation", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "Marks: -ExecutionPolicy", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "Evasion": 10 + }, + "signatures": { + "Evasion": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Evasion", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -784,6 +832,20 @@ "Sleeps" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Obfuscation" + ] + }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Evasion" + ] + }, { "attack_ids": [], "heur_id": 3, diff --git a/tests/results/6db756ef33294db47957b8351d4419dbff3fa7aa508259f419b669eef017fe09/result.json b/tests/results/6db756ef33294db47957b8351d4419dbff3fa7aa508259f419b669eef017fe09/result.json index 2237326..caad24b 100644 --- a/tests/results/6db756ef33294db47957b8351d4419dbff3fa7aa508259f419b669eef017fe09/result.json +++ b/tests/results/6db756ef33294db47957b8351d4419dbff3fa7aa508259f419b669eef017fe09/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1331, + "score": 1441, "sections": [ { "auto_collapse": false, 
@@ -223,7 +223,31 @@ }, { "auto_collapse": false, - "body": "Marks: [System.Convert]::FromBase64String(", + "body": "Marks: Text.Encoding, System.Convert", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 100, + "score_map": { + "Obfuscation": 100 + }, + "signatures": { + "Obfuscation": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Obfuscation", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "Marks: FromBase64String(", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -317,6 +341,30 @@ "title_text": "Signature: Imports BitsTransfer", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "Marks: env:APPDATA", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "Filesystem": 10 + }, + "signatures": { + "Filesystem": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Filesystem", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "Marks: Downloader, Imports BitsTransfer, Deobfuscation, Compression, Sleeps", @@ -408,6 +456,13 @@ "Sleeps" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Obfuscation" + ] + }, { "attack_ids": [], "heur_id": 3, @@ -436,6 +491,13 @@ "Imports BitsTransfer" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Filesystem" + ] + }, { "attack_ids": [], "heur_id": 3, diff --git a/tests/results/74a47198fefa10a8ebb88a8b130259e56a5a9fc4302089ac73009742ba5c98dc/result.json b/tests/results/74a47198fefa10a8ebb88a8b130259e56a5a9fc4302089ac73009742ba5c98dc/result.json index 8828a05..efa11c8 100644 --- a/tests/results/74a47198fefa10a8ebb88a8b130259e56a5a9fc4302089ac73009742ba5c98dc/result.json 
+++ b/tests/results/74a47198fefa10a8ebb88a8b130259e56a5a9fc4302089ac73009742ba5c98dc/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 541, + "score": 641, "sections": [ { "auto_collapse": false, @@ -38,7 +38,7 @@ }, { "auto_collapse": false, - "body": "Marks: wget", + "body": "Marks: TCPClient, wget, Net.Sockets, AcceptTcpClient", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -108,6 +108,30 @@ "title_text": "Signature: Hidden Window", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "Marks: Text.Encoding", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 100, + "score_map": { + "Obfuscation": 100 + }, + "signatures": { + "Obfuscation": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Obfuscation", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "Marks: gwmi", @@ -199,6 +223,13 @@ "Hidden Window" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Obfuscation" + ] + }, { "attack_ids": [], "heur_id": 3, diff --git a/tests/results/786d3f381553f08829ac453963596c2e71c4ad9ea25bb6f097c918fc4ff9d8fb/result.json b/tests/results/786d3f381553f08829ac453963596c2e71c4ad9ea25bb6f097c918fc4ff9d8fb/result.json index 9c4c1c7..520788c 100644 --- a/tests/results/786d3f381553f08829ac453963596c2e71c4ad9ea25bb6f097c918fc4ff9d8fb/result.json +++ b/tests/results/786d3f381553f08829ac453963596c2e71c4ad9ea25bb6f097c918fc4ff9d8fb/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 151, + "score": 261, "sections": [ { "auto_collapse": false, 
@@ -66,7 +66,7 @@ }, { "auto_collapse": false, - "body": "Marks: Convert, FromBase64String, Text.Encoding, Compression.CompressionMode]::Decompress, IO.Compression.DeflateStream, IO.MemoryStream", + "body": "Marks: Convert, FromBase64String, Text.Encoding, Compression.CompressionMode, IO.Compression.DeflateStream, IO.MemoryStream", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -90,7 +90,31 @@ }, { "auto_collapse": false, - "body": "Marks: [Convert]::FromBase64String(", + "body": "Marks: Text.Encoding, System.Convert", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 100, + "score_map": { + "Obfuscation": 100 + }, + "signatures": { + "Obfuscation": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Obfuscation", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "Marks: FromBase64String(", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -160,6 +184,30 @@ "title_text": "Signature: Byte Usage", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "Marks: IO.File", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "Filesystem": 10 + }, + "signatures": { + "Filesystem": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Filesystem", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": [ @@ -264,6 +312,13 @@ "Compression" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Obfuscation" + ] + }, { "attack_ids": [], "heur_id": 3, @@ -284,6 +339,13 @@ "signatures": [ "Byte Usage" ] + }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Filesystem" + ] } ], "tags": { 
diff --git a/tests/results/8a14efe45843057c5d7a8ec7258c3bb6757a7b8ce5831c98873e0242041b8de8/result.json b/tests/results/8a14efe45843057c5d7a8ec7258c3bb6757a7b8ce5831c98873e0242041b8de8/result.json index 6369808..4640639 100644 --- a/tests/results/8a14efe45843057c5d7a8ec7258c3bb6757a7b8ce5831c98873e0242041b8de8/result.json +++ b/tests/results/8a14efe45843057c5d7a8ec7258c3bb6757a7b8ce5831c98873e0242041b8de8/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 140, + "score": 150, "sections": [ { "auto_collapse": false, @@ -157,6 +157,30 @@ "tags": {}, "title_text": "Signature: Byte Usage", "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "Marks: env:APPDATA, Remove-Item, New-Item, IO.File", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "Filesystem": 10 + }, + "signatures": { + "Filesystem": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Filesystem", + "zeroize_on_tag_safe": false } ] }, @@ -222,6 +246,13 @@ "signatures": [ "Byte Usage" ] + }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Filesystem" + ] } ], "tags": { diff --git a/tests/results/8dcad766215c455f6c70f5e78ebb1776e5e436775cbb7f66f1d5d4ccd217e03a/result.json b/tests/results/8dcad766215c455f6c70f5e78ebb1776e5e436775cbb7f66f1d5d4ccd217e03a/result.json index 6ba19f7..92e7e9b 100644 --- a/tests/results/8dcad766215c455f6c70f5e78ebb1776e5e436775cbb7f66f1d5d4ccd217e03a/result.json +++ b/tests/results/8dcad766215c455f6c70f5e78ebb1776e5e436775cbb7f66f1d5d4ccd217e03a/result.json @@ -166,7 +166,7 @@ }, { "auto_collapse": false, - "body": "Marks: Net.WebClient, DownloadFile", + "body": "Marks: WebClient, DownloadFile, host", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
diff --git a/tests/results/8f17242fd8a6ffbdda9969e09c04ae54f499ef9768693e29068f41bc54ea4bcd/result.json b/tests/results/8f17242fd8a6ffbdda9969e09c04ae54f499ef9768693e29068f41bc54ea4bcd/result.json index 97eebf2..7756d47 100644 --- a/tests/results/8f17242fd8a6ffbdda9969e09c04ae54f499ef9768693e29068f41bc54ea4bcd/result.json +++ b/tests/results/8f17242fd8a6ffbdda9969e09c04ae54f499ef9768693e29068f41bc54ea4bcd/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 230, + "score": 240, "sections": [ { "auto_collapse": false, @@ -90,7 +90,7 @@ }, { "auto_collapse": false, - "body": "Marks: [Convert]::FromBase64String(", + "body": "Marks: FromBase64String(", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -135,6 +135,30 @@ "tags": {}, "title_text": "Signature: Byte Usage", "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "Marks: IO.File", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "Filesystem": 10 + }, + "signatures": { + "Filesystem": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Filesystem", + "zeroize_on_tag_safe": false } ] }, @@ -183,6 +207,13 @@ "signatures": [ "Byte Usage" ] + }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Filesystem" + ] } ], "tags": {}, diff --git a/tests/results/958ed6efd9131c1207df57aeae8b5e0635d135e53d51bbf3d2c3ea1e770d6a97/result.json b/tests/results/958ed6efd9131c1207df57aeae8b5e0635d135e53d51bbf3d2c3ea1e770d6a97/result.json index 2a7a8e8..ecf4561 100644 --- a/tests/results/958ed6efd9131c1207df57aeae8b5e0635d135e53d51bbf3d2c3ea1e770d6a97/result.json +++ b/tests/results/958ed6efd9131c1207df57aeae8b5e0635d135e53d51bbf3d2c3ea1e770d6a97/result.json 
@@ -187,7 +187,7 @@ }, { "auto_collapse": false, - "body": "Marks: Net.WebClient, DownloadFile", + "body": "Marks: WebClient, DownloadFile", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", diff --git a/tests/results/c4cf9f8de6d0be53e5ba263fe8eeb33c199a21f70004d83e06bbded76dc5f322/result.json b/tests/results/c4cf9f8de6d0be53e5ba263fe8eeb33c199a21f70004d83e06bbded76dc5f322/result.json index 1597a7e..083cf20 100644 --- a/tests/results/c4cf9f8de6d0be53e5ba263fe8eeb33c199a21f70004d83e06bbded76dc5f322/result.json +++ b/tests/results/c4cf9f8de6d0be53e5ba263fe8eeb33c199a21f70004d83e06bbded76dc5f322/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 861, + "score": 871, "sections": [ { "auto_collapse": false, @@ -105,7 +105,7 @@ }, { "auto_collapse": false, - "body": "Marks: [System.Convert]::FromBase64String(", + "body": "Marks: Text.Encoding, System.Convert", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -114,22 +114,22 @@ "attack_ids": [], "frequency": 1, "heur_id": 3, - "score": 10, + "score": 100, "score_map": { - "Deobfuscation": 10 + "Obfuscation": 100 }, "signatures": { - "Deobfuscation": 1 + "Obfuscation": 1 } }, "promote_to": null, "tags": {}, - "title_text": "Signature: Deobfuscation", + "title_text": "Signature: Obfuscation", "zeroize_on_tag_safe": false }, { "auto_collapse": false, - "body": null, + "body": "Marks: FromBase64String(", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -140,15 +140,15 @@ "heur_id": 3, "score": 10, "score_map": { - "One Liner": 10 + "Deobfuscation": 10 }, "signatures": { - "One Liner": 1 + "Deobfuscation": 1 } }, "promote_to": null, "tags": {}, - "title_text": "Signature: One Liner", + "title_text": "Signature: Deobfuscation", "zeroize_on_tag_safe": false }, { 
@@ -162,17 +162,17 @@ "attack_ids": [], "frequency": 1, "heur_id": 3, - "score": 100, + "score": 10, "score_map": { - "Obfuscation:Char Frequency": 100 + "One Liner": 10 }, "signatures": { - "Obfuscation:Char Frequency": 1 + "One Liner": 1 } }, "promote_to": null, "tags": {}, - "title_text": "Signature: Obfuscation:Char Frequency", + "title_text": "Signature: One Liner", "zeroize_on_tag_safe": false }, { @@ -307,6 +307,30 @@ "tags": {}, "title_text": "Signature: Byte Usage", "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "Marks: IO.File", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "Filesystem": 10 + }, + "signatures": { + "Filesystem": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Filesystem", + "zeroize_on_tag_safe": false } ] }, @@ -352,21 +376,21 @@ "attack_ids": [], "heur_id": 3, "signatures": [ - "Deobfuscation" + "Obfuscation" ] }, { "attack_ids": [], "heur_id": 3, "signatures": [ - "One Liner" + "Deobfuscation" ] }, { "attack_ids": [], "heur_id": 3, "signatures": [ - "Obfuscation:Char Frequency" + "One Liner" ] }, { @@ -404,6 +428,13 @@ "Byte Usage" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Filesystem" + ] + }, { "attack_ids": [], "heur_id": 5, diff --git a/tests/results/c538472cd9af46f9f72ec09194aecada626acfde0506e07e3a872a6e95a8f0a2/result.json b/tests/results/c538472cd9af46f9f72ec09194aecada626acfde0506e07e3a872a6e95a8f0a2/result.json index 8c40a8e..7bfe0c2 100644 --- a/tests/results/c538472cd9af46f9f72ec09194aecada626acfde0506e07e3a872a6e95a8f0a2/result.json +++ b/tests/results/c538472cd9af46f9f72ec09194aecada626acfde0506e07e3a872a6e95a8f0a2/result.json 
@@ -110,7 +110,7 @@ }, { "auto_collapse": false, - "body": "Marks: [Convert]::FromBase64String(", + "body": "Marks: Text.Encoding, UTF8.GetString", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -119,22 +119,22 @@ "attack_ids": [], "frequency": 1, "heur_id": 3, - "score": 10, + "score": 100, "score_map": { - "Deobfuscation": 10 + "Obfuscation": 100 }, "signatures": { - "Deobfuscation": 1 + "Obfuscation": 1 } }, "promote_to": null, "tags": {}, - "title_text": "Signature: Deobfuscation", + "title_text": "Signature: Obfuscation", "zeroize_on_tag_safe": false }, { "auto_collapse": false, - "body": null, + "body": "Marks: FromBase64String(", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -143,17 +143,17 @@ "attack_ids": [], "frequency": 1, "heur_id": 3, - "score": 100, + "score": 10, "score_map": { - "Obfuscation:Char Frequency": 100 + "Deobfuscation": 10 }, "signatures": { - "Obfuscation:Char Frequency": 1 + "Deobfuscation": 1 } }, "promote_to": null, "tags": {}, - "title_text": "Signature: Obfuscation:Char Frequency", + "title_text": "Signature: Deobfuscation", "zeroize_on_tag_safe": false } ] @@ -199,14 +199,14 @@ "attack_ids": [], "heur_id": 3, "signatures": [ - "Deobfuscation" + "Obfuscation" ] }, { "attack_ids": [], "heur_id": 3, "signatures": [ - "Obfuscation:Char Frequency" + "Deobfuscation" ] }, { diff --git a/tests/results/e1c40d86c558a003a1971480fac4cefc663efb5cddd9ac91104acc54e9150293/result.json b/tests/results/e1c40d86c558a003a1971480fac4cefc663efb5cddd9ac91104acc54e9150293/result.json index b64ba33..03241aa 100644 --- a/tests/results/e1c40d86c558a003a1971480fac4cefc663efb5cddd9ac91104acc54e9150293/result.json +++ b/tests/results/e1c40d86c558a003a1971480fac4cefc663efb5cddd9ac91104acc54e9150293/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1221, + "score": 1231, "sections": [ { "auto_collapse": false, 
@@ -99,7 +99,7 @@ }, { "auto_collapse": false, - "body": "Marks: -bxor", + "body": "Marks: -bxor, System.Convert", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -123,7 +123,7 @@ }, { "auto_collapse": false, - "body": "Marks: [System.Convert]::FromBase64String(", + "body": "Marks: FromBase64String(", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -168,6 +168,30 @@ "tags": {}, "title_text": "Signature: Byte Usage", "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "Marks: Microsoft.Win32.UnsafeNativeMethods, Start-Job", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "Evasion": 10 + }, + "signatures": { + "Evasion": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Evasion", + "zeroize_on_tag_safe": false } ] }, @@ -239,6 +263,13 @@ "Byte Usage" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Evasion" + ] + }, { "attack_ids": [], "heur_id": 5, diff --git a/tests/results/f18a802525cde21f142da5ddd2b83c27dff4e4fdf6468ada2bf0b194fb477030/result.json b/tests/results/f18a802525cde21f142da5ddd2b83c27dff4e4fdf6468ada2bf0b194fb477030/result.json index faa482b..733aadd 100644 --- a/tests/results/f18a802525cde21f142da5ddd2b83c27dff4e4fdf6468ada2bf0b194fb477030/result.json +++ b/tests/results/f18a802525cde21f142da5ddd2b83c27dff4e4fdf6468ada2bf0b194fb477030/result.json @@ -1,7 +1,7 @@ { "extra": { "drop_file": false, - "score": 1572, + "score": 1682, "sections": [ { "auto_collapse": false, @@ -190,7 +190,7 @@ }, { "auto_collapse": false, - "body": "Marks: Net.WebClient, DownloadFile", + "body": "Marks: WebClient, DownloadFile", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", 
@@ -286,7 +286,31 @@ }, { "auto_collapse": false, - "body": "Marks: [Convert]::FromBase64String(", + "body": "Marks: Text.Encoding", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 100, + "score_map": { + "Obfuscation": 100 + }, + "signatures": { + "Obfuscation": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Obfuscation", + "zeroize_on_tag_safe": false + }, + { + "auto_collapse": false, + "body": "Marks: FromBase64String(", "body_config": {}, "body_format": "TEXT", "classification": "TLP:C", @@ -332,6 +356,30 @@ "title_text": "Signature: One Liner", "zeroize_on_tag_safe": false }, + { + "auto_collapse": false, + "body": "Marks: -ExecutionPolicy", + "body_config": {}, + "body_format": "TEXT", + "classification": "TLP:C", + "depth": 1, + "heuristic": { + "attack_ids": [], + "frequency": 1, + "heur_id": 3, + "score": 10, + "score_map": { + "Evasion": 10 + }, + "signatures": { + "Evasion": 1 + } + }, + "promote_to": null, + "tags": {}, + "title_text": "Signature: Evasion", + "zeroize_on_tag_safe": false + }, { "auto_collapse": false, "body": "Marks: Downloader, One Liner, Hidden Window, Persistence", @@ -471,6 +519,13 @@ "Persistence" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Obfuscation" + ] + }, { "attack_ids": [], "heur_id": 3, @@ -485,6 +540,13 @@ "One Liner" ] }, + { + "attack_ids": [], + "heur_id": 3, + "signatures": [ + "Evasion" + ] + }, { "attack_ids": [], "heur_id": 3, diff --git a/tools/ps1_profiler.py b/tools/ps1_profiler.py index dca5a38..9c3d4aa 100644 --- a/tools/ps1_profiler.py +++ b/tools/ps1_profiler.py 
@@ -116,6 +116,8 @@ def score_behaviours(behaviour_tags: Dict[str, Any]) -> Tuple[float, str, Dict[s
 "Ping": 1.0,
 "Mshta": 1.0,
 "Imports BitsTransfer": 1.0,
+ "Evasion": 1.0,
+ "Filesystem": 1.0,
 # Benign
 # Behaviours which are generally only seen in Benign scripts - subtracts from score.
 "Script Logging": -1.0,
@@ -335,7 +337,7 @@ def profile_behaviours(behaviour_tags: Dict[str, any], original_data, alternativ
 ["Get-Random -count 16", "Win32_NetworkAdapterConfiguration", "whoami", "POST"],
 ["Get-Random -Minimum", "System.Buffer]::BlockCopy", "GetResponseStream()", "POST"],
 ["*.vbs", "*.lnk", "DllOpen", "DllCall"],
- ["start-process -WindowStyle hidden -FilePath taskkill.exe -ArgumentList"],
+ ["start-process", "-WindowStyle", "hidden", "-FilePath", "taskkill.exe", "-ArgumentList"],
 ["$xorkey", "xordData"],
 ["powershell_payloads"],
 ["attackcode"],
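Review bot: Splitting the taskkill signature into six independent tokens on the `+` line of the second hunk loses the adjacency the old single string enforced; whether an inner list needs all of its terms or any one of them is not visible here, but in either reading a script that uses `Start-Process -WindowStyle Hidden` in one place and mentions `taskkill.exe` somewhere else now fires. `start-process`, `-WindowStyle`, `hidden`, `-FilePath` and `-ArgumentList` are routine in benign scripts, so the precision of this entry now rests on `taskkill.exe` alone. If the goal was to tolerate variable spacing or quoting between the arguments, a two-token form such as `["-WindowStyle hidden", "taskkill.exe"]` keeps most of the original specificity. The enclosing list starts before this hunk, so its name and intended strictness are not visible here.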
@@ -359,21 +361,28 @@ def profile_behaviours(behaviour_tags: Dict[str, any], original_data, alternativ
 ]
 
 behaviour_col["Downloader"] = [
- ["Net.WebClient"],
+ # Supported by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L35
+ ["WebClient"],
+ # Supported by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L35
 ["DownloadFile"],
 ["DownloadString"],
 ["DownloadData"],
 ["WebProxy", "Net.CredentialCache"],
+ # Supported by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L35
 ["Start-BitsTransfer"],
 ["bitsadmin"],
- ["Sockets.TCPClient", "GetStream"],
+ # Supported by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L35
+ ["TCPClient"],
 ["$env:LocalAppData"],
+ # Supported by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L35
 ["Invoke-WebRequest"],
+ # Supported by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L35
 ["Net.WebRequest"],
 ["wget"],
 # ["Get-Content"],
 ["send", "open", "responseBody"],
- ["HttpWebRequest", "GetResponse"],
+ # Supported by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L35
+ ["HttpWebRequest"],
 ["InternetExplorer.Application", "Navigate"],
 ["Excel.Workbooks.Open('http"],
 ["Notepad", "SendKeys", "ForEach-Object", "Clipboard", "http"],
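Review bot: `["TCPClient"]` and `["HttpWebRequest"]` replace the two-term entries `["Sockets.TCPClient", "GetStream"]` and `["HttpWebRequest", "GetResponse"]`, and `["WebClient"]` drops the `Net.` qualifier, so the Downloader behaviour now fires on a bare type reference with no send or receive call; that is a recall-over-precision trade that should be recorded next to the entry, not only by the upstream link. On style, the identical `# Supported by <url>#L35` comment appears seven times inside this one list and again in the later hunks of this file; one comment above the list naming the source once, with a short per-entry tag such as `# Qu1cksc0pe L35`, carries the same provenance without burying the patterns. The `-bxor` entry in the Obfuscation hunk and the `Compression.CompressionMode` entry in the Compression hunk have the same repeated-comment issue.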
@@ -381,6 +390,19 @@ def profile_behaviours(behaviour_tags: Dict[str, any], original_data, alternativ
 ["iwr", "-outf"],
 # https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_operators?view=powershell-7.3
 [". ", "mshta.exe", "http"],
+ # Inspired by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L35
+ ["MSXML2.XMLH"],
+ ["Net.Sockets"],
+ ["Reverse TCP"],
+ ["GetSystemWebProxy"],
+ ["host"],
+ ["user-agent"],
+ ["Mozilla/4.0"],
+ ["PowerShellTcp"],
+ ["IPAddress"],
+ ["AcceptTcpClient"],
+ ["Invoke-RestMethod"],
+ ["-Uri"],
 ]
 
 behaviour_col["Starts Process"] = [
@@ -392,6 +414,12 @@ def profile_behaviours(behaviour_tags: Dict[str, any], original_data, alternativ
 ["WScript.Shell", "ActiveXObject", "run"],
 ["START", "$ENV:APPDATA", "exe", "http"],
 ["START", "rundll32"],
+ # Inspired by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Modules/powershell_analyzer.py#L77
+ ["regsvr32 ", "C://", ".dll"],
+ ["regsvr32 ", "C:\\", ".dll"],
+ ["start ", ".exe)"],
+ ["CMD ", "/C ", "powershell"],
+ ["powershell ", "-exec ", "bypass ", "-c"],
 ]
 
 behaviour_col["Starts RunDll"] = [["START", "rundll32"]]
@@ -417,7 +445,8 @@ def profile_behaviours(behaviour_tags: Dict[str, any], original_data, alternativ
 behaviour_col["Compression"] = [
 ["Convert", "FromBase64String", "Text.Encoding"],
 ["IO.Compression.GzipStream"],
- ["Compression.CompressionMode]::Decompress"],
+ # Supported by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L2
+ ["Compression.CompressionMode"],
 ["IO.Compression.DeflateStream"],
 ["IO.MemoryStream"],
 ]
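Review bot: Several of the new single-token Downloader entries in the first hunk are generic substrings of ordinary script text: `["host"]` hits `Write-Host`, `$Host` and `localhost`, and `["-Uri"]`, `["IPAddress"]`, `["user-agent"]` and `["Invoke-RestMethod"]` are routine in administrative scripts, yet each now counts as a download indicator at the Downloader weight. The updated fixture for `8dcad766…` on this page already shows `host` appended to a `WebClient, DownloadFile` mark, which indicates the comparison is a plain substring test rather than a word match. The same weakness applies to the single tokens added to Obfuscation in the `-453,16` hunk and to Evasion/Filesystem in the `-590,6` hunk. I would drop `["host"]` and `["-Uri"]` (the latter only appears alongside `Invoke-WebRequest`/`Invoke-RestMethod`, which are already listed) and tie the rest to a network type, e.g. `["IPAddress", "Net.Sockets"]`.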
@@ -430,6 +459,7 @@ def profile_behaviours(behaviour_tags: Dict[str, any], original_data, alternativ
 ]
 
 behaviour_col["Custom Web Fields"] = [
+ # Supported by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L35
 ["Headers.Add"],
 ["SessionKey", "SessiodID"],
 ["Method", "ContentType", "UserAgent", "WebRequest]::create"],
@@ -453,16 +483,25 @@ def profile_behaviours(behaviour_tags: Dict[str, any], original_data, alternativ
 
 behaviour_col["Obfuscation"] = [
 ["-Join", "[int]", "-as", "[char]"],
+ # Supported by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L2
 ["-bxor"],
 ["PtrToStringAnsi"],
 ["[-1..-"],
 ["[array]::Reverse"],
 ["$ENV:COMSPEC\\..\\"],
+ # Inspired by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L2
+ ["Text.Encoding"],
+ ["UTF8.GetString"],
+ ["System.Convert"],
+ ["EncodedCommand"],
+ # Inspired by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L35
+ ["Text.AsciiEncoding"],
 ]
 
 behaviour_col["Deobfuscation"] = [
- ["[Convert]::FromBase64String("],
- ["[System.Convert]::FromBase64String("],
+ # Supported/inspired by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L2
+ ["FromBase64String("],
+ ["FromHEXString("],
 ]
 
 behaviour_col["Crypto"] = [
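Review bot: `["Text.Encoding"]`, `["UTF8.GetString"]` and `["System.Convert"]` in the Obfuscation list of the second hunk make one ordinary base64-decode expression score as Obfuscation, Deobfuscation (`FromBase64String(`) and Compression (`["Convert", "FromBase64String", "Text.Encoding"]`) at the same time; the `786d3f38…` fixture on this page shows exactly that triple hit, with the score rising by 110, 100 of it from the new Obfuscation section for tokens the other two lists already counted. Since the fixtures' `score_map` gives Obfuscation 100 against Deobfuscation's 10, these encoding-API tokens either belong under a lower-weighted behaviour name or should be left to the existing Deobfuscation/Compression entries, with `EncodedCommand` kept as the one genuinely obfuscation-specific addition. Separately, `["FromHEXString("]` only matches the real `Convert.FromHexString(` if the mark comparison is case-insensitive; if it is not, the entry should read `["FromHexString("]`. A one-line comment on the list stating whether matching is case-insensitive would settle this for future additions.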
@@ -590,6 +629,24 @@ def profile_behaviours(behaviour_tags: Dict[str, any], original_data, alternativ
 
 behaviour_col["Imports BitsTransfer"] = [["Import-Module", "BitsTransfer"]]
 
+ # Inspired by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L15
+ behaviour_col["Evasion"] = [
+ ["Microsoft.Win32.UnsafeNativeMethods"],
+ ["Start-Job"],
+ ["-EP Bypass"],
+ ["-ExecutionPolicy"],
+ ]
+
+ # Inspired by https://github.com/CYB3RMX/Qu1cksc0pe/blob/086db196d2de289f0784ae4d8ee03f34bf10354b/Systems/Windows/powershell_code_patterns.json#L24
+ behaviour_col["Filesystem"] = [
+ ["env:APPDATA"],
+ ["Remove-Item"],
+ ["expand-archive"],
+ ["New-Item"],
+ ["WriteAllText"],
+ ["IO.File"],
+ ]
+
 # Behavioural Combos combine a base grouping of behaviours to help raise the score of files without a lot of complexity.
 # Take care in adding to this list and use a minimum length of 3 behaviours (or 2 really good ones!).
 # Instances where FP hits occur have been commented out
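Review bot: `["-ExecutionPolicy"]` in the new Evasion list is a substring of the `Set-ExecutionPolicy` and `Get-ExecutionPolicy` cmdlets, so a script that merely reads or sets policy, as installers commonly do, is tagged as evasion at the `"Evasion": 1.0` weight added in the `score_behaviours` hunk; two of the three fixtures on this page that gain an Evasion section (`35867e49…`, `f18a8025…`) are triggered by this token alone. Restricting it to the values that actually weaken policy, `["-ExecutionPolicy Bypass"]` and `["-ExecutionPolicy Unrestricted"]`, keeps the intent of the neighbouring `-EP Bypass` entry without the cmdlet collision. `["Start-Job"]` is a general-purpose cmdlet rather than an evasion technique and needs a comment saying why it is listed here. `["expand-archive"]` has the same case-sensitivity question as the cmdlet's usual `Expand-Archive` spelling, and `New-Item`/`Remove-Item` in Filesystem will match most scripts, which is acceptable at weight 10 only if that is a deliberate informational signal.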