[plugin_imports] Added the NetWksta* API functions as suspicious.

JusticeRage · Aug 30, 2019 · 4e24e2e · 4e24e2e
1 parent 9c0a367
commit 4e24e2e
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/plugins/plugin_imports.cpp b/plugins/plugin_imports.cpp
@@ -86,6 +86,8 @@ std::string shutdown_functions = "Initiate(System)?Shutdown(Ex)?(A|W)|LockWorkSt
 
 std::string networking_api = "(Un)?EnableRouter|SetAdapterIpAddress|SetIp(Forward|Net|Statistics|TTL).*|SetPerTcp(6)?ConnectionEStats";
 
+std::string netwksta_api = "NetWksta(GetInfo|UserEnum|UserGetInfo)";
+
 // ----------------------------------------------------------------------------
 
 /**
@@ -244,6 +246,7 @@ class ImportsPlugin : public IPlugin
 		check_functions(pe, screenshot_api, SUSPICIOUS, "Can take screenshots", AT_LEAST_TWO, res);
 		check_functions(pe, audio_api, SUSPICIOUS, "Can use the microphone to record audio", AT_LEAST_ONE, res);
 		check_functions(pe, networking_api, SUSPICIOUS, "Modifies the network configuration", AT_LEAST_ONE, res);
+        check_functions(pe, netwksta_api, SUSPICIOUS, "Queries user information on remote machines", AT_LEAST_ONE, res);
 		check_functions(pe, "GetClipboardData", NO_OPINION, "Reads the contents of the clipboard", AT_LEAST_ONE, res);
 		check_functions(pe, "IsUserAnAdmin", NO_OPINION, "Checks if it has admin rights", AT_LEAST_ONE, res);
 		check_functions(pe, "Cert(Add|Open|Register|Remove|Save|Srv|Store).*", SUSPICIOUS, "Interacts with the certificate store", AT_LEAST_ONE, res);