diff --git a/modules/signatures/android/android_dynamic_code.py b/modules/signatures/android/android_dynamic_code.py
index a6702be03..597089036 100644
--- a/modules/signatures/android/android_dynamic_code.py
+++ b/modules/signatures/android/android_dynamic_code.py
@@ -11,7 +11,7 @@ class AndroidDynamicCode(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
- ttp = ["E1129"]
+ ttp = ["T1129"]
 def on_complete(self):
 if self.get_apkinfo("static_method_calls").get("is_dynamic_code"):
diff --git a/modules/signatures/android/application_aborted_broadcast_receiver.py b/modules/signatures/android/application_aborted_broadcast_receiver.py
index 7859fad90..db52dcb49 100644
--- a/modules/signatures/android/application_aborted_broadcast_receiver.py
+++ b/modules/signatures/android/application_aborted_broadcast_receiver.py
@@ -11,7 +11,7 @@ class AndroidAbortBroadcast(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
- ttp = ["E1054"]
+ ttp = ["S0006"]
 def on_complete(self):
 if "abortBroadcast" in self.get_droidmon("events", []):
diff --git a/modules/signatures/android/application_deleted_app.py b/modules/signatures/android/application_deleted_app.py
index febeecc05..e90239683 100644
--- a/modules/signatures/android/application_deleted_app.py
+++ b/modules/signatures/android/application_deleted_app.py
@@ -11,7 +11,7 @@ class AndroidDeletedApp(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
- ttp = ["E1485"]
+ ttp = ["E1485.m03"]
 def on_complete(self):
 if "android/app/ApplicationPackageManager->deletePackage" in self.get_droidmon():
diff --git a/modules/signatures/android/application_executed_shell_command.py b/modules/signatures/android/application_executed_shell_command.py
index 5cefa78df..101c396e3 100644
--- a/modules/signatures/android/application_executed_shell_command.py
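Review bot: `S0006` replaces an `E`-prefixed id with one from a prefix that, in ATT&CK, denotes Software entries rather than techniques, so a report layer that builds reference links or validates `ttp` values by prefix may resolve it to an unrelated entry or reject it; the same applies to `S0004`, `S0004.005`, `S0003.003`, `S0012.002` and `S0013` in antiav_servicestop.py, antiav_srp.py, antisandbox_mouse_hook.py, network_smtp.py, bootconfig_modify.py and bootkit.py, and to the `X`-prefixed ids added in the network/ signatures and allocates_rwx.py. Whether these come from a project-local taxonomy cannot be told from the hunks. A comment on the first such line, e.g. `# S*/X* ids: <project taxonomy — placeholder>, not ATT&CK/MBC`, would keep the next reader from treating them as typos.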
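Review bot: `E1485.m03` is the only id in this commit whose sub-id is letter-prefixed; every other one uses a three-digit numeric suffix (`T1059.007`, `M0007.002`). Anything downstream that validates or splits `ttp` values with a digits-only pattern would reject or truncate this entry, which is worth checking against the consumer. If the MBC method form is intended, `ttp = ["E1485.m03"]  # MBC method id (.mNN), not an ATT&CK sub-technique` records the distinction.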
+++ b/modules/signatures/android/application_executed_shell_command.py
@@ -11,7 +11,7 @@ class AndroidShellCommands(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
- ttp = ["T1059"]
+ ttp = ["E1059"]
 def on_complete(self):
 if self.get_droidmon("commands", []):
diff --git a/modules/signatures/cross/js_eval.py b/modules/signatures/cross/js_eval.py
index 19a38b44b..87ee8b49a 100644
--- a/modules/signatures/cross/js_eval.py
+++ b/modules/signatures/cross/js_eval.py
@@ -11,7 +11,7 @@ class EvalJS(Signature):
 categories = ["unpacking"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["T1059.007"]
 filter_apinames = "COleScript_Compile",
diff --git a/modules/signatures/cross/js_iframe.py b/modules/signatures/cross/js_iframe.py
index af96aa8c6..29057b476 100644
--- a/modules/signatures/cross/js_iframe.py
+++ b/modules/signatures/cross/js_iframe.py
@@ -13,7 +13,7 @@ class JsIframe(Signature):
 categories = ["obfuscation"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["T1059"]
 filter_apinames = "CIFrameElement_CreateElement",
diff --git a/modules/signatures/cross/js_suspicious.py b/modules/signatures/cross/js_suspicious.py
index a11a8e5bd..a178c09d0 100644
--- a/modules/signatures/cross/js_suspicious.py
+++ b/modules/signatures/cross/js_suspicious.py
@@ -13,7 +13,7 @@ class SuspiciousJavascript(Signature):
 categories = ["unpacking"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["E1059.007"]
 filter_apinames = "COleScript_Compile",
@@ -41,7 +41,7 @@ class AntiAnalysisJavascript(Signature):
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
 on_call_dispatch = True
- ttp = ["M0013", "M0001"]
+ ttp = ["M0013", "M0009"]
 filter_apinames = "ActiveXObjectFncObj_Construct", "CImgElement_put_src"
diff --git a/modules/signatures/network/dns_cnc.py b/modules/signatures/network/dns_cnc.py
index c7b9baba4..6ef7b1816 100644
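Review bot: `T1059` is changed to `E1059` here, while the same commit maps js_iframe.py and network_wscript.py to `T1059` and js_eval.py to `T1059.007` but js_suspicious.py to `E1059.007`, so one technique is now tagged under two prefixes depending on the file. The mix also occurs inside single lists, `["T1059", "E1105"]` in network_wscript.py and `["T1218.010", "E1059.001"]` in applocker_bypass.py. Any grouping, counting or lookup keyed on the id string will treat these as different techniques, so one prefix per technique should be settled on; which one the project intends cannot be told from the hunks.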
--- a/modules/signatures/network/dns_cnc.py
+++ b/modules/signatures/network/dns_cnc.py
@@ -22,6 +22,7 @@ class NetworkDNSTXTLookup(Signature):
 categories = ["dns", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["X0011"]
 whitelist = [
 "google.com",
diff --git a/modules/signatures/network/dns_tld.py b/modules/signatures/network/dns_tld.py
index e86cd63ac..fe9d66e30 100644
--- a/modules/signatures/network/dns_tld.py
+++ b/modules/signatures/network/dns_tld.py
@@ -12,6 +12,7 @@ class Suspicious_TLD(Signature):
 categories = ["tldwatch", "network"]
 authors = ["RedSocks", "Kevin Ross"]
 minimum = "2.0"
+ ttp = ["X0011.004"]
 domains_re = [
 (".*\\.by$", "Belarus domain TLD"),
diff --git a/modules/signatures/network/network_bind.py b/modules/signatures/network/network_bind.py
index b326a976a..2286f4f72 100644
--- a/modules/signatures/network/network_bind.py
+++ b/modules/signatures/network/network_bind.py
@@ -22,6 +22,7 @@ class NetworkBIND(Signature):
 categories = ["bind"]
 authors = ["nex", "Accuvant"]
 minimum = "2.0"
+ ttp = ["X0001.002"]
 filter_apinames = "bind", "listen", "accept"
diff --git a/modules/signatures/network/network_cnc_http.py b/modules/signatures/network/network_cnc_http.py
index 1d9c1f986..ef489f636 100644
--- a/modules/signatures/network/network_cnc_http.py
+++ b/modules/signatures/network/network_cnc_http.py
@@ -27,7 +27,7 @@ class NetworkHTTPPOST(Signature):
 categories = ["http", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1071", "M0030"]
+ ttp = ["X0002.005"]
 filter_analysistypes = set(["file"])
@@ -58,7 +58,7 @@ class NetworkCnCHTTP(Signature):
 categories = ["http", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1071", "M0030"]
+ ttp = ["T1071.001", "M0030"]
 filter_analysistypes = set(["file"])
diff --git a/modules/signatures/network/network_dyndns.py b/modules/signatures/network/network_dyndns.py
index 75c450c2c..0ea614336 100644
--- a/modules/signatures/network/network_dyndns.py
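Review bot: NetworkHTTPPOST drops both `T1071` and `M0030` in favour of `X0002.005` alone, while NetworkCnCHTTP in the second hunk of the same file keeps `M0030` and refines `T1071` to `T1071.001`; the two signatures cover the same HTTP C2 traffic, so a sample that only trips the POST signature now carries no ATT&CK tag at all. If the drop is deliberate the line should say so, e.g. `ttp = ["X0002.005"]  # ATT&CK tag carried by NetworkCnCHTTP`; otherwise `ttp = ["T1071.001", "M0030", "X0002.005"]` keeps the previous mapping. allocates_rwx.py makes the same trade, replacing `E1055` outright with `X0007`.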
+++ b/modules/signatures/network/network_dyndns.py
@@ -12,6 +12,7 @@ class NetworkDynDNS(Signature):
 categories = ["dyndns"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["X0011.003"]
 domains_re = [
 ".*\\.no-ip\\.",
diff --git a/modules/signatures/network/network_http.py b/modules/signatures/network/network_http.py
index c9bcd5bb0..cb4b92e44 100644
--- a/modules/signatures/network/network_http.py
+++ b/modules/signatures/network/network_http.py
@@ -22,6 +22,7 @@ class NetworkHTTP(Signature):
 categories = ["http"]
 authors = ["nex"]
 minimum = "2.0"
+ ttp = ["X0002.003"]
 host_whitelist = [
 "www.msftncsi.com"
diff --git a/modules/signatures/network/network_icmp.py b/modules/signatures/network/network_icmp.py
index 8df886b5a..45f435768 100644
--- a/modules/signatures/network/network_icmp.py
+++ b/modules/signatures/network/network_icmp.py
@@ -22,6 +22,7 @@ class NetworkICMP(Signature):
 categories = ["icmp"]
 authors = ["David Maciejak"]
 minimum = "2.0"
+ ttp = ["X0014.001"]
 def on_complete(self):
 if self.get_net_icmp():
diff --git a/modules/signatures/network/network_smtp.py b/modules/signatures/network/network_smtp.py
index c42edea74..d795381ad 100644
--- a/modules/signatures/network/network_smtp.py
+++ b/modules/signatures/network/network_smtp.py
@@ -22,6 +22,7 @@ class NetworkSMTP(Signature):
 categories = ["smtp", "spam"]
 authors = ["nex", "RicoVZ"]
 minimum = "2.0.0"
+ ttp = ["S0012.002"]
 def on_complete(self):
 for s in getattr(self, "get_net_smtp_ex", lambda: [])():
diff --git a/modules/signatures/network/network_torgateway.py b/modules/signatures/network/network_torgateway.py
index 5455d80fd..051869351 100644
--- a/modules/signatures/network/network_torgateway.py
+++ b/modules/signatures/network/network_torgateway.py
@@ -22,7 +22,7 @@ class TorGateway(Signature):
 categories = ["network"]
 authors = ["nex", "Optiv"]
 minimum = "2.0"
- ttp = ["T1188"]
+ ttp = ["T1090.003"]
 domains_re = [
 ".*\\.tor2web\\.[a-z]{2,20}$",
diff --git a/modules/signatures/network/network_wscript.py b/modules/signatures/network/network_wscript.py
index bb359c49c..958c1e32b 100644
--- a/modules/signatures/network/network_wscript.py
+++ b/modules/signatures/network/network_wscript.py
@@ -22,7 +22,7 @@ class WscriptDownloader(Signature):
 categories = ["downloader"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1064", "T1105"]
+ ttp = ["T1059", "E1105"]
 filter_apinames = [
 "InternetCrackUrlW",
diff --git a/modules/signatures/network/p2p_cnc.py b/modules/signatures/network/p2p_cnc.py
index 75437a8ca..1d445919b 100644
--- a/modules/signatures/network/p2p_cnc.py
+++ b/modules/signatures/network/p2p_cnc.py
@@ -22,7 +22,7 @@ class P2PCnC(Signature):
 categories = ["p2p", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1094"]
+ ttp = ["T1095"]
 filter_analysistypes = set(["file"])
diff --git a/modules/signatures/windows/allocates_rwx.py b/modules/signatures/windows/allocates_rwx.py
index 7a13f9009..54bcbd414 100644
--- a/modules/signatures/windows/allocates_rwx.py
+++ b/modules/signatures/windows/allocates_rwx.py
@@ -11,7 +11,7 @@ class AllocatesRWX(Signature):
 categories = ["unpacking"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["E1055"]
+ ttp = ["X0007"]
 filter_apinames = (
 "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
diff --git a/modules/signatures/windows/antianalysis_detectfile.py b/modules/signatures/windows/antianalysis_detectfile.py
index a1da72c37..78ab24ea0 100644
--- a/modules/signatures/windows/antianalysis_detectfile.py
+++ b/modules/signatures/windows/antianalysis_detectfile.py
@@ -11,7 +11,7 @@ class AntiAnalysisDetectFile(Signature):
 categories = ["anti-analysis"]
 authors = ["KillerInstinct"]
 minimum = "2.0"
- ttp = ["M0013"]
+ ttp = ["M0013.008"]
 file_indicators = [
 "[A-Za-z]:\\\\analysis",
diff --git a/modules/signatures/windows/antiav_avast_libs.py b/modules/signatures/windows/antiav_avast_libs.py
index 3b6427436..867fc05bb 100644
--- a/modules/signatures/windows/antiav_avast_libs.py
+++ b/modules/signatures/windows/antiav_avast_libs.py
@@ -22,7 +22,7 @@ class AvastDetectLibs(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1063"]
+ ttp = ["T1518.001"]
 filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
diff --git a/modules/signatures/windows/antiav_bitdefender_libs.py b/modules/signatures/windows/antiav_bitdefender_libs.py
index 3d409d780..d383bd4b8 100644
--- a/modules/signatures/windows/antiav_bitdefender_libs.py
+++ b/modules/signatures/windows/antiav_bitdefender_libs.py
@@ -22,7 +22,7 @@ class BitdefenderDetectLibs(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1063"]
+ ttp = ["T1518.001"]
 filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
diff --git a/modules/signatures/windows/antiav_detectfile.py b/modules/signatures/windows/antiav_detectfile.py
index 369a74a0f..2a7df93d8 100644
--- a/modules/signatures/windows/antiav_detectfile.py
+++ b/modules/signatures/windows/antiav_detectfile.py
@@ -15,7 +15,7 @@ class AntiAVDetectFile(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1063", "T1083"]
+ ttp = ["T1518.001", "T1083"]
 file_indicators = [
 ".*\\\\AVAST\\ Software",
diff --git a/modules/signatures/windows/antiav_detectreg.py b/modules/signatures/windows/antiav_detectreg.py
index 57408f94a..51d66a46d 100644
--- a/modules/signatures/windows/antiav_detectreg.py
+++ b/modules/signatures/windows/antiav_detectreg.py
@@ -11,7 +11,7 @@ class AntiAVDetectReg(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1063", "T1012"]
+ ttp = ["T1518.001", "T1012"]
 reg_indicators = [
 ".*\\\\Software\\\\(Wow6432Node\\\\)?Avg",
diff --git a/modules/signatures/windows/antiav_servicestop.py b/modules/signatures/windows/antiav_servicestop.py
index d1787772a..ca1d6dd74 100644
--- a/modules/signatures/windows/antiav_servicestop.py
+++ b/modules/signatures/windows/antiav_servicestop.py
@@ -16,7 +16,7 @@ class AntiAVServiceStop(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["E1089"]
+ ttp = ["S0004"]
 evented = True
 def __init__(self, *args, **kwargs):
diff --git a/modules/signatures/windows/antiav_srp.py b/modules/signatures/windows/antiav_srp.py
index 1720fb2af..c4e4d2198 100644
--- a/modules/signatures/windows/antiav_srp.py
+++ b/modules/signatures/windows/antiav_srp.py
@@ -11,7 +11,7 @@ class AntiAVSRP(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["E1089", "E1478"]
+ ttp = ["S0004.005", "E1478"]
 regkeys_re = [
 ".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*",
diff --git a/modules/signatures/windows/antidbg_windows.py b/modules/signatures/windows/antidbg_windows.py
index ef0c34cc2..9b36d1f6d 100644
--- a/modules/signatures/windows/antidbg_windows.py
+++ b/modules/signatures/windows/antidbg_windows.py
@@ -22,7 +22,7 @@ class AntiDBGWindows(Signature):
 categories = ["anti-debug"]
 authors = ["nex", "KillerInstinct", "Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0013"]
+ ttp = ["M0013.009", "M0001.004"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antisandbox_clipboard.py b/modules/signatures/windows/antisandbox_clipboard.py
index 67d144c18..02d799750 100644
--- a/modules/signatures/windows/antisandbox_clipboard.py
+++ b/modules/signatures/windows/antisandbox_clipboard.py
@@ -22,7 +22,7 @@ class AntisandboxClipboard(Signature):
 categories = ["anti-sandbox"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.001"]
 filter_apinames = set(["GetClipboardData"])
diff --git a/modules/signatures/windows/antisandbox_cuckoo_files.py b/modules/signatures/windows/antisandbox_cuckoo_files.py
index 17517192d..b42d78b15 100644
--- a/modules/signatures/windows/antisandbox_cuckoo_files.py
+++ b/modules/signatures/windows/antisandbox_cuckoo_files.py
@@ -22,7 +22,7 @@ class CuckooDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.002"]
 file_indicators = [
 ".*\\\\agent\\.py$",
diff --git a/modules/signatures/windows/antisandbox_file.py b/modules/signatures/windows/antisandbox_file.py
index cc1e0cd92..9d03412f3 100644
--- a/modules/signatures/windows/antisandbox_file.py
+++ b/modules/signatures/windows/antisandbox_file.py
@@ -11,7 +11,7 @@ class AntiSandboxFile(Signature):
 categories = ["anti-sandbox"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.002"]
 files_re = [
 "[a-zA-Z]:\\\\sample\\.exe",
diff --git a/modules/signatures/windows/antisandbox_forehwnd.py b/modules/signatures/windows/antisandbox_forehwnd.py
index 037b45c95..d87f6da86 100644
--- a/modules/signatures/windows/antisandbox_forehwnd.py
+++ b/modules/signatures/windows/antisandbox_forehwnd.py
@@ -20,7 +20,7 @@ class AntiSandboxForegroundWindow(Signature):
 severity = 2
 categories = ["anti-sandbox"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.003"]
 references = [
 "https://www.virusbtn.com/virusbulletin/archive/2015/09/vb201509-custom-packer.dkb",
diff --git a/modules/signatures/windows/antisandbox_fortinet_files.py b/modules/signatures/windows/antisandbox_fortinet_files.py
index f7c8590c4..cbdfcc266 100644
--- a/modules/signatures/windows/antisandbox_fortinet_files.py
+++ b/modules/signatures/windows/antisandbox_fortinet_files.py
@@ -22,7 +22,7 @@ class FortinetDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.002"]
 files_re = [
 "C:\\\\tracer\\\\mdare32_0\\.sys",
diff --git a/modules/signatures/windows/antisandbox_idletime.py b/modules/signatures/windows/antisandbox_idletime.py
index 80045495b..9f4a3fe57 100644
--- a/modules/signatures/windows/antisandbox_idletime.py
+++ b/modules/signatures/windows/antisandbox_idletime.py
@@ -11,7 +11,7 @@ class AntiSandboxIdleTime(Signature):
 categories = ["anti-sandbox"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0003"]
+ ttp = ["M0007.009"]
 filter_apinames = "NtQuerySystemInformation",
diff --git a/modules/signatures/windows/antisandbox_joe_anubis_files.py b/modules/signatures/windows/antisandbox_joe_anubis_files.py
index b356382ff..cb887c5fe 100644
--- a/modules/signatures/windows/antisandbox_joe_anubis_files.py
+++ b/modules/signatures/windows/antisandbox_joe_anubis_files.py
@@ -22,7 +22,7 @@ class SandboxJoeAnubisDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.002"]
 file_indicators = [
 "C:\\\\sample\\.exe",
diff --git a/modules/signatures/windows/antisandbox_mouse_hook.py b/modules/signatures/windows/antisandbox_mouse_hook.py
index 2509efcc3..ea819dc0c 100644
--- a/modules/signatures/windows/antisandbox_mouse_hook.py
+++ b/modules/signatures/windows/antisandbox_mouse_hook.py
@@ -22,7 +22,7 @@ class HookMouse(Signature):
 categories = ["hooking", "anti-sandbox"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0007", "E1179"]
+ ttp = ["M0007.003", "S0003.003"]
 filter_apinames = "SetWindowsHookExA", "SetWindowsHookExW"
diff --git a/modules/signatures/windows/antisandbox_restart.py b/modules/signatures/windows/antisandbox_restart.py
index 2a94ce0d3..53a33389e 100644
--- a/modules/signatures/windows/antisandbox_restart.py
+++ b/modules/signatures/windows/antisandbox_restart.py
@@ -12,7 +12,7 @@ class AntiSandboxRestart(Signature):
 categories = ["anti-sandbox"]
 authors = ["Cuckoo Technologies", "Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0003"]
+ ttp = ["M0003.010"]
 filter_apinames = (
 "InitiateSystemShutdownExW", "InitiateSystemShutdownExA",
diff --git a/modules/signatures/windows/antisandbox_sleep.py b/modules/signatures/windows/antisandbox_sleep.py
index cc5757a8b..63c623ac2 100644
--- a/modules/signatures/windows/antisandbox_sleep.py
+++ b/modules/signatures/windows/antisandbox_sleep.py
@@ -22,7 +22,7 @@ class AntiSandboxSleep(Signature):
 categories = ["anti-sandbox"]
 authors = ["KillerInstinct"]
 minimum = "2.0"
- ttp = ["M0003"]
+ ttp = ["M0003.003"]
 filter_apinames = "NtDelayExecution",
diff --git a/modules/signatures/windows/antisandbox_sunbelt_files.py b/modules/signatures/windows/antisandbox_sunbelt_files.py
index e2af95b57..2d8e51f3b 100644
--- a/modules/signatures/windows/antisandbox_sunbelt_files.py
+++ b/modules/signatures/windows/antisandbox_sunbelt_files.py
@@ -22,7 +22,7 @@ class SunbeltDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.002"]
 file_indicators = [
 ".*\\\\SandboxStarter\\.exe$",
diff --git a/modules/signatures/windows/antisandbox_threattrack_files.py b/modules/signatures/windows/antisandbox_threattrack_files.py
index 14085d24e..4cc5800de 100644
--- a/modules/signatures/windows/antisandbox_threattrack_files.py
+++ b/modules/signatures/windows/antisandbox_threattrack_files.py
@@ -22,7 +22,7 @@ class ThreatTrackDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["M0007.002"]
 files_re = [
 "C:\\\\cwsandbox",
diff --git a/modules/signatures/windows/antisandbox_unhook.py b/modules/signatures/windows/antisandbox_unhook.py
index 3dab093ff..d914703bc 100644
--- a/modules/signatures/windows/antisandbox_unhook.py
+++ b/modules/signatures/windows/antisandbox_unhook.py
@@ -22,7 +22,7 @@ class Unhook(Signature):
 categories = ["anti-sandbox"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0003"]
+ ttp = ["M0003.008"]
 filter_apinames = "__anomaly__",
diff --git a/modules/signatures/windows/antivirus_detection_cn.py b/modules/signatures/windows/antivirus_detection_cn.py
index bd66ae82f..cd00fed93 100644
--- a/modules/signatures/windows/antivirus_detection_cn.py
+++ b/modules/signatures/windows/antivirus_detection_cn.py
@@ -13,7 +13,7 @@ class AVDetectionChinaKey(Signature):
 families = ["china"]
 authors = ["RedSocks"]
 minimum = "2.0"
- ttp = ["T1012", "T1063"]
+ ttp = ["T1012", "T1518.001"]
 indicators = [
 ".*360Safe",
diff --git a/modules/signatures/windows/antivm_bochs_keys.py b/modules/signatures/windows/antivm_bochs_keys.py
index 08f7787d2..73a44d194 100644
--- a/modules/signatures/windows/antivm_bochs_keys.py
+++ b/modules/signatures/windows/antivm_bochs_keys.py
@@ -22,7 +22,7 @@ class BochsDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.005", "T1012"]
 regkeys_re = [
 ".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS_.*",
diff --git a/modules/signatures/windows/antivm_disksize.py b/modules/signatures/windows/antivm_disksize.py
index ab32c02df..ea8c39d5e 100644
--- a/modules/signatures/windows/antivm_disksize.py
+++ b/modules/signatures/windows/antivm_disksize.py
@@ -22,7 +22,7 @@ class AntiVMDiskSize(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["M0009.015"]
 evented = True
diff --git a/modules/signatures/windows/antivm_generic_bios.py b/modules/signatures/windows/antivm_generic_bios.py
index a3f836dd1..09550c254 100644
--- a/modules/signatures/windows/antivm_generic_bios.py
+++ b/modules/signatures/windows/antivm_generic_bios.py
@@ -22,7 +22,7 @@ class AntiVMBios(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.024", "M0009.005", "T1012"]
 regkeys_re = [
 ".*SystemBiosVersion",
diff --git a/modules/signatures/windows/antivm_generic_cpu.py b/modules/signatures/windows/antivm_generic_cpu.py
index 6aac61e7c..81ec5eb73 100644
--- a/modules/signatures/windows/antivm_generic_cpu.py
+++ b/modules/signatures/windows/antivm_generic_cpu.py
@@ -22,7 +22,7 @@ class AntiVMCPU(Signature):
 categories = ["anti-vm"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.026", "M0009.005", "T1012"]
 regkeys_re = [
 ".*\\\\HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\.*\\\\ProcessorNameString",
diff --git a/modules/signatures/windows/antivm_generic_disk.py b/modules/signatures/windows/antivm_generic_disk.py
index f1a7dca0b..82e73d277 100644
--- a/modules/signatures/windows/antivm_generic_disk.py
+++ b/modules/signatures/windows/antivm_generic_disk.py
@@ -22,7 +22,7 @@ class DiskInformation(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.005", "T1012"]
 filter_apinames = [
 "NtCreateFile",
diff --git a/modules/signatures/windows/antivm_generic_firmware.py b/modules/signatures/windows/antivm_generic_firmware.py
index 044e5420a..36e3a904e 100644
--- a/modules/signatures/windows/antivm_generic_firmware.py
+++ b/modules/signatures/windows/antivm_generic_firmware.py
@@ -11,7 +11,7 @@ class VMFirmware(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["M0009.023"]
 filter_apinames = "NtQuerySystemInformation",
diff --git a/modules/signatures/windows/antivm_generic_ide.py b/modules/signatures/windows/antivm_generic_ide.py
index 243b19ef4..7a5f6b4bb 100644
--- a/modules/signatures/windows/antivm_generic_ide.py
+++ b/modules/signatures/windows/antivm_generic_ide.py
@@ -22,7 +22,7 @@ class AntiVMIDE(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.005", "T1012"]
 def on_complete(self):
 for regkey in self.check_key(pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\IDE", regex=True, all=True):
diff --git a/modules/signatures/windows/antivm_generic_scsi.py b/modules/signatures/windows/antivm_generic_scsi.py
index a1b37dfb0..c3ec91c90 100644
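Review bot: DiskInformation keeps `T1012` and takes `M0009.005`, the same pair every registry-key signature in this commit receives (antivm_bochs_keys.py, antivm_hyperv_keys.py, antivm_generic_ide.py and the others), yet its visible filter is `filter_apinames = [ "NtCreateFile", …`, a file-access hook rather than a registry query. If the check is file based, `T1012` looks like a leftover and the sub-id should follow the file-based signatures, which this commit gives `M0009.001` in antivm_vbox_files.py and antivm_vmware_files.py. The rest of the class is outside the hunk, so this needs confirming against its callback body before changing the line.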
--- a/modules/signatures/windows/antivm_generic_scsi.py
+++ b/modules/signatures/windows/antivm_generic_scsi.py
@@ -22,7 +22,7 @@ class AntiVMSCSI(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.005", "T1012"]
 regkeys_re = [
 ".*\\\\HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port \\d+\\\\Scsi Bus \\d+\\\\Target Id \\d+\\\\Logical Unit Id \\d+\\\\Identifier",
diff --git a/modules/signatures/windows/antivm_generic_services.py b/modules/signatures/windows/antivm_generic_services.py
index 2c4dee4e5..500ad1e27 100644
--- a/modules/signatures/windows/antivm_generic_services.py
+++ b/modules/signatures/windows/antivm_generic_services.py
@@ -22,7 +22,7 @@ class AntiVMServices(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009", "T1007"]
+ ttp = ["M0009.006", "T1007"]
 filter_apinames = "EnumServicesStatusA", "EnumServicesStatusW"
diff --git a/modules/signatures/windows/antivm_hyperv_keys.py b/modules/signatures/windows/antivm_hyperv_keys.py
index b849ce101..e0de0afc5 100644
--- a/modules/signatures/windows/antivm_hyperv_keys.py
+++ b/modules/signatures/windows/antivm_hyperv_keys.py
@@ -22,7 +22,7 @@ class HyperVDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.005", "T1012"]
 regkeys_re = [
 ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\Hyper_V_Gen_Counter_V1",
diff --git a/modules/signatures/windows/antivm_memory_available.py b/modules/signatures/windows/antivm_memory_available.py
index 6188d2626..93f5ecf7f 100644
--- a/modules/signatures/windows/antivm_memory_available.py
+++ b/modules/signatures/windows/antivm_memory_available.py
@@ -22,7 +22,7 @@ class MemoryAvailable(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["M0009.014"]
 filter_apinames = [
 "GlobalMemoryStatusEx", "GetPhysicallyInstalledSystemMemory",
diff --git a/modules/signatures/windows/antivm_network_adapter.py b/modules/signatures/windows/antivm_network_adapter.py
index c100741f8..678935a99 100644
--- a/modules/signatures/windows/antivm_network_adapter.py
+++ b/modules/signatures/windows/antivm_network_adapter.py
@@ -22,7 +22,7 @@ class NetworkAdapters(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["M0009.023"]
 filter_apinames = set(["GetAdaptersAddresses"])
diff --git a/modules/signatures/windows/antivm_parallels_keys.py b/modules/signatures/windows/antivm_parallels_keys.py
index a999bc23c..204682622 100644
--- a/modules/signatures/windows/antivm_parallels_keys.py
+++ b/modules/signatures/windows/antivm_parallels_keys.py
@@ -22,7 +22,7 @@ class ParallelsDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.005", "T1012"]
 regkeys_re = [
 ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_1AB8&DEV_4000&SUBSYS_04001AB8&REV_00",
diff --git a/modules/signatures/windows/antivm_parallels_window.py b/modules/signatures/windows/antivm_parallels_window.py
index bede49429..b6846865e 100644
--- a/modules/signatures/windows/antivm_parallels_window.py
+++ b/modules/signatures/windows/antivm_parallels_window.py
@@ -22,7 +22,7 @@ class ParallelsDetectWindow(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["M0009.009"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_vbox_acpi.py b/modules/signatures/windows/antivm_vbox_acpi.py
index 537455dec..0d819de54 100644
--- a/modules/signatures/windows/antivm_vbox_acpi.py
+++ b/modules/signatures/windows/antivm_vbox_acpi.py
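Review bot: `M0009.023` is assigned here to a signature hooking `GetAdaptersAddresses`, and the same sub-id goes to VMFirmware (`NtQuerySystemInformation`) in antivm_generic_firmware.py and to VBoxDetectACPI (ACPI registry keys) in antivm_vbox_acpi.py, three quite different probes. Whether one sub-id is meant to cover firmware tables, ACPI keys and adapter enumeration cannot be told from the hunks; if the taxonomy has a separate entry for adapter/MAC-based checks this signature should use it. A short trailing comment naming what `.023` stands for, e.g. `ttp = ["M0009.023"]  # <taxonomy label — placeholder>`, would make the choice reviewable.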
@@ -22,7 +22,7 @@ class VBoxDetectACPI(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.023", "M0009.005", "T1012"]
 def on_complete(self):
 for regkey in self.check_key("HARDWARE\\\\ACPI\\\\.*vbox_", regex=True, all=True):
diff --git a/modules/signatures/windows/antivm_vbox_files.py b/modules/signatures/windows/antivm_vbox_files.py
index c6231924d..fcec7e3a4 100644
--- a/modules/signatures/windows/antivm_vbox_files.py
+++ b/modules/signatures/windows/antivm_vbox_files.py
@@ -22,7 +22,7 @@ class VBoxDetectFiles(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["M0009.001"]
 indicators = [
 ".*VBoxDisp\\.dll",
diff --git a/modules/signatures/windows/antivm_vbox_keys.py b/modules/signatures/windows/antivm_vbox_keys.py
index 1b4ef2924..7862e844f 100644
--- a/modules/signatures/windows/antivm_vbox_keys.py
+++ b/modules/signatures/windows/antivm_vbox_keys.py
@@ -22,7 +22,7 @@ class VBoxDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["nex", "Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.005", "T1012"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Oracle\\\\VirtualBox\\ Guest\\ Additions",
diff --git a/modules/signatures/windows/antivm_vbox_provname.py b/modules/signatures/windows/antivm_vbox_provname.py
index 42b87f794..16f62e1fa 100644
--- a/modules/signatures/windows/antivm_vbox_provname.py
+++ b/modules/signatures/windows/antivm_vbox_provname.py
@@ -22,7 +22,7 @@ class VBoxDetectProvname(Signature):
 categories = ["anti-vm"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["M0009.001"]
 evented = True
diff --git a/modules/signatures/windows/antivm_vbox_window.py b/modules/signatures/windows/antivm_vbox_window.py
index 916985e17..c5574e27a 100644
--- a/modules/signatures/windows/antivm_vbox_window.py
+++ b/modules/signatures/windows/antivm_vbox_window.py
@@ -22,7 +22,7 @@ class VBoxDetectWindow(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["M0009.009"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_virtualpc_window.py b/modules/signatures/windows/antivm_virtualpc_window.py
index 830df7d5b..44002c207 100644
--- a/modules/signatures/windows/antivm_virtualpc_window.py
+++ b/modules/signatures/windows/antivm_virtualpc_window.py
@@ -22,7 +22,7 @@ class VirtualPCDetectWindow(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["M0009.009"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_vmware_files.py b/modules/signatures/windows/antivm_vmware_files.py
index e0265899e..2d4d9b8e7 100644
--- a/modules/signatures/windows/antivm_vmware_files.py
+++ b/modules/signatures/windows/antivm_vmware_files.py
@@ -11,7 +11,7 @@ class VMWareDetectFiles(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["M0009.001"]
 files_re = [
 ".*vmmouse\\.sys",
diff --git a/modules/signatures/windows/antivm_vmware_keys.py b/modules/signatures/windows/antivm_vmware_keys.py
index 2c03c4a92..b499a6f26 100644
--- a/modules/signatures/windows/antivm_vmware_keys.py
+++ b/modules/signatures/windows/antivm_vmware_keys.py
@@ -21,7 +21,7 @@ class VMWareDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies", "Optiv"]
 minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.005", "T1012"]
 regkeys_re = [
 ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?VMWare,\\ Inc\..*",
diff --git a/modules/signatures/windows/antivm_vmware_window.py b/modules/signatures/windows/antivm_vmware_window.py
index 98c1a213e..49b4e9423 100644
--- a/modules/signatures/windows/antivm_vmware_window.py
+++ b/modules/signatures/windows/antivm_vmware_window.py
@@ -22,7 +22,7 @@ class VMwareDetectWindow(Signature):
categories = ["anti-vm"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["M0009.009"]
filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_vpc_keys.py b/modules/signatures/windows/antivm_vpc_keys.py
index 4f6c7c10b..0b3187e6a 100644
--- a/modules/signatures/windows/antivm_vpc_keys.py
+++ b/modules/signatures/windows/antivm_vpc_keys.py
@@ -22,7 +22,7 @@ class VPCDetectKeys(Signature):
categories = ["anti-vm"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.005", "T1012"]
regkeys_re = [
".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00",
diff --git a/modules/signatures/windows/antivm_xen_keys.py b/modules/signatures/windows/antivm_xen_keys.py
index 5a19623d7..e58bdb88a 100644
--- a/modules/signatures/windows/antivm_xen_keys.py
+++ b/modules/signatures/windows/antivm_xen_keys.py
@@ -22,7 +22,7 @@ class XenDetectKeys(Signature):
categories = ["anti-vm"]
authors = ["Brad Spengler"]
minimum = "2.0"
- ttp = ["M0009", "T1012"]
+ ttp = ["M0009.005", "T1012"]
regkeys_re = [
".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\XEN0000.*",
diff --git a/modules/signatures/windows/appinit.py b/modules/signatures/windows/appinit.py
index 925117789..9f1818663 100644
--- a/modules/signatures/windows/appinit.py
+++ b/modules/signatures/windows/appinit.py
@@ -11,7 +11,7 @@ class InstallsAppInit(Signature):
categories = ["persistence"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["E1112", "T1103"]
+ ttp = ["E1112", "T1546.010"]
regkeys_re = [
".*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\Appinit_Dlls",
diff --git a/modules/signatures/windows/applocker_bypass.py b/modules/signatures/windows/applocker_bypass.py
index c8a1a8845..d7480ceea 100644
--- a/modules/signatures/windows/applocker_bypass.py
+++ b/modules/signatures/windows/applocker_bypass.py
@@ -13,7 +13,7 @@ class AppLockerBypass(Signature):
categories = ["applocker", "bypass"]
authors = ["FDD", "Cuckoo Technologies"]
minimum = "2.0.4"
- ttp = ["T1117", "T1086"]
+ ttp = ["T1218.010", "E1059.001"]
def on_yara(self, category, filepath, match):
if match.name != "ApplockerBypass":
diff --git a/modules/signatures/windows/bitcoin_opencl.py b/modules/signatures/windows/bitcoin_opencl.py
index 25b276781..da1716e1a 100644
--- a/modules/signatures/windows/bitcoin_opencl.py
+++ b/modules/signatures/windows/bitcoin_opencl.py
@@ -22,7 +22,7 @@ class BitcoinOpenCL(Signature):
categories = ["bitcoin"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["M0018"]
+ ttp = ["M0018.002"]
def on_complete(self):
filepath = self.check_file(pattern=".*OpenCL\.dll$", regex=True)
diff --git a/modules/signatures/windows/bootconfig_modify.py b/modules/signatures/windows/bootconfig_modify.py
index 26de318ce..2926a2f3a 100644
--- a/modules/signatures/windows/bootconfig_modify.py
+++ b/modules/signatures/windows/bootconfig_modify.py
@@ -22,7 +22,7 @@ class ModifiesBootConfig(Signature):
categories = ["persistance", "ransomware"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["M0028"]
+ ttp = ["S0013"]
filter_apinames = "ShellExecuteExW", "CreateProcessInternalW",
def on_call(self, call, process):
diff --git a/modules/signatures/windows/bootkit.py b/modules/signatures/windows/bootkit.py
index a94856601..97415916c 100644
--- a/modules/signatures/windows/bootkit.py
+++ b/modules/signatures/windows/bootkit.py
@@ -13,7 +13,7 @@ class Bootkit(Signature):
authors = ["Optiv"]
minimum = "2.0"
evented = True
- ttp = ["M0028"]
+ ttp = ["S0013"]
BasicFileInformation = 4
def __init__(self, *args, **kwargs):
diff --git a/modules/signatures/windows/bypass_firewall.py b/modules/signatures/windows/bypass_firewall.py
index 281073c56..2a534fb33 100644
--- a/modules/signatures/windows/bypass_firewall.py
+++ b/modules/signatures/windows/bypass_firewall.py
@@ -24,7 +24,7 @@ class BypassFirewall(Signature):
categories = ["bypass"]
authors = ["Anderson Tamborim", "nex", "Kevin Ross"]
minimum = "2.0"
- ttp = ["E1478", "E1089"]
+ ttp = ["E1478", "S0004"]
indicator = ".*\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\.*"
def on_complete(self):
diff --git a/modules/signatures/windows/clears_logs.py b/modules/signatures/windows/clears_logs.py
index 8943e1f0d..a56509ef1 100644
--- a/modules/signatures/windows/clears_logs.py
+++ b/modules/signatures/windows/clears_logs.py
@@ -22,7 +22,7 @@ class ClearsEventLogs(Signature):
categories = ["commands", "stealth"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["T1070"]
+ ttp = ["T1070.001"]
utilities = [
"wevtutil cl", "wevtutil.exe cl"
diff --git a/modules/signatures/windows/cloud_google.py b/modules/signatures/windows/cloud_google.py
index 30648aa9f..0004916b4 100644
--- a/modules/signatures/windows/cloud_google.py
+++ b/modules/signatures/windows/cloud_google.py
@@ -11,7 +11,7 @@ class CloudGoogle(Signature):
categories = ["cloud"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["T1105", "T1102"]
+ ttp = ["E1105", "T1102"]
domains = [
"docs.google.com",
diff --git a/modules/signatures/windows/creates_doc.py b/modules/signatures/windows/creates_doc.py
index e08e25b61..059ff01d8 100644
--- a/modules/signatures/windows/creates_doc.py
+++ b/modules/signatures/windows/creates_doc.py
@@ -11,6 +11,7 @@ class CreatesDocument(Signature):
categories = ["generic"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
+ ttp = ["X0016.001"]
pattern = ".*\\.(doc|docm|dotm|docx|ppt|pptm|pptx|potm|ppam|ppsm|xls|xlsm|xlsx|pdf)$"
diff --git a/modules/signatures/windows/creates_exe.py b/modules/signatures/windows/creates_exe.py
index 4a2780b45..2331cf1fa 100644
--- a/modules/signatures/windows/creates_exe.py
+++ b/modules/signatures/windows/creates_exe.py
@@ -16,7 +16,7 @@ class CreatesExe(Signature):
categories = ["generic"]
authors = ["Cuckoo Developers"]
minimum = "2.0"
- ttp = ["T1105"]
+ ttp = ["E1105", "M0023"]
pattern = (
".*\\.(bat|cmd|com|cpl|dll|exe|js|jse|lnk|msi|msh|msh1|msh2|mshxml|"
@@ -37,7 +37,7 @@ class CreatesUserFolderEXE(Signature):
families = ["persistance"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["T1105"]
+ ttp = ["E1105", "M0023"]
directories_re = [
"^[a-zA-Z]:\\\\Users\\\\[^\\\\]+\\\\AppData\\\\.*",
diff --git a/modules/signatures/windows/creates_hidden_file.py b/modules/signatures/windows/creates_hidden_file.py
index 27acc6b3b..d0c990b93 100644
--- a/modules/signatures/windows/creates_hidden_file.py
+++ b/modules/signatures/windows/creates_hidden_file.py
@@ -12,7 +12,7 @@ class CreatesHiddenFile(Signature):
severity = 2
categories = ["stealth"]
minimum = "2.0"
- ttp = ["E1158"]
+ ttp = ["T1564.001"]
filter_apinames = "NtCreateFile", "SetFileAttributesW"
def __init__(self, *args, **kwargs):
diff --git a/modules/signatures/windows/creates_largekey.py b/modules/signatures/windows/creates_largekey.py
index aa57705d5..bd09869e0 100644
--- a/modules/signatures/windows/creates_largekey.py
+++ b/modules/signatures/windows/creates_largekey.py
@@ -29,7 +29,7 @@ class CreatesLargeKey(Signature):
categories = ["stealth"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["M0040", "E1112"]
+ ttp = ["M0040.001", "E1112"]
evented = True
filter_apinames = set(["NtSetValueKey", "RegSetValueExA", "RegSetValueExW"])
diff --git a/modules/signatures/windows/creates_null_reg_entry.py b/modules/signatures/windows/creates_null_reg_entry.py
index 2834b031a..4f81aed98 100644
--- a/modules/signatures/windows/creates_null_reg_entry.py
+++ b/modules/signatures/windows/creates_null_reg_entry.py
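Review bot: The creates_hidden_file.py hunk maps `E1158` to `T1564.001`, while the moves_self.py hunk later in this change maps the same old id `E1158` to `E1564.001`; one of the two prefixes looks like a typo. If the E-prefixed ids are the catalogue's ATT&CK-derived form and T ids are plain ATT&CK, pick one form for both signatures so that the same behaviour (hiding a file or its move) does not surface as two different tags in reports and downstream TTP lookups. The class bodies of CreatesHiddenFile and MovesSelf continue outside their hunks.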
@@ -12,7 +12,7 @@ class CreatesNullRegistryEntry(Signature):
severity = 2
categories = ["stealth"]
minimum = "2.0"
- ttp = ["E1054", "E1112"]
+ ttp = ["S0006", "E1112"]
filter_apinames = (
"NtSetValueKey", "NtCreateKey", "RegCreateKeyExA", "RegCreateKeyExW", "RegSetValueExA", "RegSetValueExW",
diff --git a/modules/signatures/windows/creates_service.py b/modules/signatures/windows/creates_service.py
index 1c7727f4f..e35826793 100644
--- a/modules/signatures/windows/creates_service.py
+++ b/modules/signatures/windows/creates_service.py
@@ -11,7 +11,7 @@ class CreatesService(Signature):
categories = ["service", "persistence"]
authors = ["Cuckoo Technologies", "Kevin Ross"]
minimum = "2.0"
- ttp = ["T1050"]
+ ttp = ["T1543.003"]
filter_apinames = [
"CreateServiceA", "CreateServiceW",
diff --git a/modules/signatures/windows/creates_shortcut.py b/modules/signatures/windows/creates_shortcut.py
index 4abd31465..dbaef9f3d 100644
--- a/modules/signatures/windows/creates_shortcut.py
+++ b/modules/signatures/windows/creates_shortcut.py
@@ -22,7 +22,7 @@ class CreatesShortcut(Signature):
categories = ["persistance"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["T1023", "T1204"]
+ ttp = ["T1547.009", "T1204"]
files_re = [
".*\\.lnk$", ]
diff --git a/modules/signatures/windows/credential_dump.py b/modules/signatures/windows/credential_dump.py
index de5ffcf90..df2f8ef28 100644
--- a/modules/signatures/windows/credential_dump.py
+++ b/modules/signatures/windows/credential_dump.py
@@ -24,7 +24,7 @@ class CredentialDumpingLsass(Signature):
minimum = "2.0"
evented = True
references = ["cyberwardog.blogspot.co.uk/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "cyberwardog.blogspot.co.uk/2017/04/chronicles-of-threat-hunter-hunting-for.html"]
- ttp = ["T1003"]
+ ttp = ["T1003.001"]
lsasspid = []
lsasshandle = []
@@ -62,7 +62,7 @@ class CredentialDumpingLsassAccess(Signature):
minimum = "2.0"
evented = True
references = ["cyberwardog.blogspot.co.uk/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "cyberwardog.blogspot.co.uk/2017/04/chronicles-of-threat-hunter-hunting-for.html"]
- ttp = ["T1003"]
+ ttp = ["T1003.001"]
lsasspid = []
creddump = False
diff --git a/modules/signatures/windows/crypto_apis.py b/modules/signatures/windows/crypto_apis.py
index b27868b7f..c25a4e0da 100644
--- a/modules/signatures/windows/crypto_apis.py
+++ b/modules/signatures/windows/crypto_apis.py
@@ -22,6 +22,7 @@ class CryptGenKey(Signature):
families = ["generic"]
authors = ["Kevin Ross"]
minimum = "2.0"
+ ttp = ["X0021.003"]
filter_apinames = "CryptGenKey", "CryptExportKey",
diff --git a/modules/signatures/windows/deletes_executed.py b/modules/signatures/windows/deletes_executed.py
index e88c5a3ea..383634713 100644
--- a/modules/signatures/windows/deletes_executed.py
+++ b/modules/signatures/windows/deletes_executed.py
@@ -22,7 +22,7 @@ class DeletesExecutedFiles(Signature):
categories = ["persistence", "stealth"]
authors = ["Optiv", "Kevin Ross"]
minimum = "2.0"
- ttp = ["E1007"]
+ ttp = ["S0007"]
evented = True
def on_complete(self):
diff --git a/modules/signatures/windows/disables_browserwarn.py b/modules/signatures/windows/disables_browserwarn.py
index 2cf789e55..6315d8233 100644
--- a/modules/signatures/windows/disables_browserwarn.py
+++ b/modules/signatures/windows/disables_browserwarn.py
@@ -11,7 +11,7 @@ class DisablesBrowserWarn(Signature):
categories = ["generic", "banker", "clickfraud"]
authors = ["Optiv", "Kevin Ross"]
minimum = "2.0"
- ttp = ["E1089", "E1112"]
+ ttp = ["S0004", "E1112"]
regkeys_re = [
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnBadCertRecving",
diff --git a/modules/signatures/windows/disables_security.py b/modules/signatures/windows/disables_security.py
index 52c51ff17..a839683f3 100644
--- a/modules/signatures/windows/disables_security.py
+++ b/modules/signatures/windows/disables_security.py
@@ -11,7 +11,7 @@ class DisablesSecurity(Signature):
categories = ["anti-av"]
authors = ["Cuckoo Technologies", "Brad Spengler"]
minimum = "2.0"
- ttp = ["E1089"]
+ ttp = ["S0004"]
regkeys_re = [
("HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA", "attempts to disable user access control"),
diff --git a/modules/signatures/windows/disables_wer.py b/modules/signatures/windows/disables_wer.py
index 9b29252a7..d8a0fa636 100644
--- a/modules/signatures/windows/disables_wer.py
+++ b/modules/signatures/windows/disables_wer.py
@@ -11,7 +11,7 @@ class DisablesWER(Signature):
categories = ["stealth"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["E1054", "E1089", "E1112"]
+ ttp = ["S0006", "S0004", "E1112"]
regkeys_re = [
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ Error\\ Reporting\\\\Disabled$",
diff --git a/modules/signatures/windows/disables_windowsupdate.py b/modules/signatures/windows/disables_windowsupdate.py
index 6d148e673..34f8b8a41 100644
--- a/modules/signatures/windows/disables_windowsupdate.py
+++ b/modules/signatures/windows/disables_windowsupdate.py
@@ -11,7 +11,7 @@ class DisablesWindowsUpdate(Signature):
categories = ["generic"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["E1089"]
+ ttp = ["S0004"]
regkeys_re = [
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\(AU\\\\NoAutoUpdate|Auto\\ Update\\\\AUOptions)$",
diff --git a/modules/signatures/windows/dns_dyndns_provider.py b/modules/signatures/windows/dns_dyndns_provider.py
index 86f1feac9..76cd8f4ee 100644
--- a/modules/signatures/windows/dns_dyndns_provider.py
+++ b/modules/signatures/windows/dns_dyndns_provider.py
@@ -12,6 +12,7 @@ class dnsserver_dynamic(Signature):
categories = ["dns"]
authors = ["RedSocks"]
minimum = "2.0"
+ ttp = ["X0011.003"]
ipaddrs = [
"221.228.198.216",
diff --git a/modules/signatures/windows/dns_freehosting_domain.py b/modules/signatures/windows/dns_freehosting_domain.py
index ace449d7d..3e41b0aeb 100644
--- a/modules/signatures/windows/dns_freehosting_domain.py
+++ b/modules/signatures/windows/dns_freehosting_domain.py
@@ -12,6 +12,7 @@ class Dns_Freehosting_Domain(Signature):
categories = ["freehosting"]
authors = ["RedSocks"]
minimum = "2.0"
+ ttp = ["X0011.005"]
domains_re = [
".*\.yzi\.me",
diff --git a/modules/signatures/windows/driver_load.py b/modules/signatures/windows/driver_load.py
index 282c1b7ec..2db43a3b4 100644
--- a/modules/signatures/windows/driver_load.py
+++ b/modules/signatures/windows/driver_load.py
@@ -22,6 +22,7 @@ class DriverLoad(Signature):
categories = ["stealth"]
authors = ["Optiv"]
minimum = "2.0"
+ ttp = ["X0023"]
filter_apinames = set(["NtLoadDriver"])
diff --git a/modules/signatures/windows/dropper.py b/modules/signatures/windows/dropper.py
index 9e0093446..c8fb4bc48 100644
--- a/modules/signatures/windows/dropper.py
+++ b/modules/signatures/windows/dropper.py
@@ -22,7 +22,7 @@ class Dropper(Signature):
categories = ["dropper"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["M0023", "E1105"]
+ ttp = ["M0023"]
def __init__(self, *args, **kwargs):
Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/emoves_zoneid_ads.py b/modules/signatures/windows/emoves_zoneid_ads.py
index 2a0b49623..9ad29d52b 100644
--- a/modules/signatures/windows/emoves_zoneid_ads.py
+++ b/modules/signatures/windows/emoves_zoneid_ads.py
@@ -11,7 +11,7 @@ class RemovesZoneIdADS(Signature):
categories = ["generic"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["E1007"]
+ ttp = ["S0007"]
def on_complete(self):
for deletedfile in self.get_files(actions=["file_deleted"]):
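Review bot: The dropper.py hunk removes `E1105` from Dropper, leaving `ttp = ["M0023"]`, while CreatesExe and CreatesUserFolderEXE in creates_exe.py gain `["E1105", "M0023"]` in the same change, so the dedicated dropper signature now carries a strict subset of the tags of the generic file-creation ones. If Dropper fires on files that are written and then executed, E1105 still looks applicable and its removal reads as an inadvertent divergence rather than a remapping; confirm the intent, or add a one-line comment (`# E1105 intentionally omitted: covered by creates_exe signatures`) if it is deliberate. Dropper's `__init__` continues outside the hunk.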
diff --git a/modules/signatures/windows/exec_waitfor.py b/modules/signatures/windows/exec_waitfor.py
index 50c468294..e1f8df8fb 100644
--- a/modules/signatures/windows/exec_waitfor.py
+++ b/modules/signatures/windows/exec_waitfor.py
@@ -13,7 +13,7 @@ class ExecWaitFor(Signature):
categories = ["script", "bypass"]
authors = ["FDD", "Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0003"]
+ ttp = ["M0003.003"]
def on_complete(self):
lower = "".join(self.get_command_lines()).lower()
diff --git a/modules/signatures/windows/exploitation.py b/modules/signatures/windows/exploitation.py
index 1361b8fe6..a78ac9d7e 100644
--- a/modules/signatures/windows/exploitation.py
+++ b/modules/signatures/windows/exploitation.py
@@ -11,6 +11,7 @@ class ExploitHeapspray(Signature):
categories = ["exploit"]
authors = ["Cuckoo Technologies", "Kevin Ross"]
minimum = "2.0"
+ ttp = ["X0006"]
references = ["https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/"]
filter_apinames = "NtAllocateVirtualMemory",
@@ -103,7 +104,7 @@ class StackPivot(Signature):
categories = ["exploit", "rop"]
authors = ["Optiv", "Kevin Ross"]
minimum = "2.0"
- ttp = ["E1203"]
+ ttp = ["X0009"]
filter_apinames = critical_apinames
@@ -141,6 +142,7 @@ class DEPHeapBypass(Signature):
categories = ["exploit"]
authors = ["Optiv", "Kevin Ross"]
minimum = "2.0"
+ ttp = ["X0002.002"]
filter_apinames = critical_apinames
@@ -178,6 +180,7 @@ class DEPStackBypass(Signature):
categories = ["exploit"]
authors = ["Optiv", "Kevin Ross"]
minimum = "2.0"
+ ttp = ["X0002.001"]
filter_apinames = critical_apinames
@@ -267,7 +270,7 @@ class StackPivotShellcodeAPIs(Signature):
categories = ["exploit", "rop", "shellcode"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["E1203"]
+ ttp = ["X0009", "E1059"]
evented = True
@@ -308,7 +311,7 @@ class StackPivotShellcodeCreateProcess(Signature):
categories = ["exploit", "rop", "shellcode"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["E1203"]
+ ttp = ["X0009", "X0017.001", "E1059"]
evented = True
diff --git a/modules/signatures/windows/has_authenticode.py b/modules/signatures/windows/has_authenticode.py
index aa662eb13..c01adad3c 100644
--- a/modules/signatures/windows/has_authenticode.py
+++ b/modules/signatures/windows/has_authenticode.py
@@ -8,7 +8,7 @@ class HasAuthenticode(Signature):
name = "has_authenticode"
description = "This executable is signed"
severity = 1
- ttp = ["T1116"]
+ ttp = ["T1553.002"]
def on_complete(self):
if self.get_results("static", {}).get("signature"):
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py
index 1d82d05b4..ff3c20806 100644
--- a/modules/signatures/windows/infostealer_browser.py
+++ b/modules/signatures/windows/infostealer_browser.py
@@ -22,7 +22,7 @@ class BrowserStealer(Signature):
categories = ["infostealer"]
authors = ["nex", "Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["T1503", "T1081", "T1003"]
+ ttp = ["T1555.003", "T1552.001", "T1003"]
files_re = [
".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\signons\\.sqlite$",
diff --git a/modules/signatures/windows/infostealer_ftp.py b/modules/signatures/windows/infostealer_ftp.py
index 72765d196..4c468ddd6 100644
--- a/modules/signatures/windows/infostealer_ftp.py
+++ b/modules/signatures/windows/infostealer_ftp.py
@@ -22,7 +22,7 @@ class FTPStealer(Signature):
categories = ["infostealer"]
authors = ["nex", "RedSocks", "Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["T1003", "T1081"]
+ ttp = ["T1003", "T1552.001"]
files_re = [
".*\\\\CuteFTP\\\\sm\\.dat$",
diff --git a/modules/signatures/windows/infostealer_im.py b/modules/signatures/windows/infostealer_im.py
index 24d4b96f3..6a2c25c44 100644
--- a/modules/signatures/windows/infostealer_im.py
+++ b/modules/signatures/windows/infostealer_im.py
@@ -11,7 +11,7 @@ class IMStealer(Signature):
categories = ["infostealer"]
authors = ["Optiv"]
minimum = "2.0"
- ttp = ["T1003", "T1081"]
+ ttp = ["T1003", "T1552.001"]
file_indicators = [
".*\\\\AIM\\\\aimx\.bin$",
diff --git a/modules/signatures/windows/infostealer_keylogger.py b/modules/signatures/windows/infostealer_keylogger.py
index 5a38b712a..6421b3fa3 100644
--- a/modules/signatures/windows/infostealer_keylogger.py
+++ b/modules/signatures/windows/infostealer_keylogger.py
@@ -23,7 +23,7 @@ class Keylogger(Signature):
categories = ["generic"]
authors = ["Thomas Birn", "nex"]
minimum = "2.0"
- ttp = ["T1056", "E1179"]
+ ttp = ["S0002.001", "S0003.003"]
filter_apinames = "SetWindowsHookExA", "SetWindowsHookExW"
diff --git a/modules/signatures/windows/infostealer_mail.py b/modules/signatures/windows/infostealer_mail.py
index 582eb9ae9..14af1b4b2 100644
--- a/modules/signatures/windows/infostealer_mail.py
+++ b/modules/signatures/windows/infostealer_mail.py
@@ -11,7 +11,7 @@ class MailStealer(Signature):
categories = ["infostealer"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["T1003", "T1081"]
+ ttp = ["T1003", "T1552.001"]
regkeys_re = [
".*\\\\Software\\\\(Wow6432Node\\\\)?IncrediMail"
diff --git a/modules/signatures/windows/injection_explorer.py b/modules/signatures/windows/injection_explorer.py
index 69a51c2d9..e869ea1c7 100644
--- a/modules/signatures/windows/injection_explorer.py
+++ b/modules/signatures/windows/injection_explorer.py
@@ -22,7 +22,7 @@ class InjectionExplorer(Signature):
categories = ["injection"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["E1055"]
+ ttp = ["E1055.011"]
references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
filter_apinames = [
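Review bot: The infostealer_keylogger.py hunk replaces `["T1056", "E1179"]` with `["S0002.001", "S0003.003"]`, which removes the only ATT&CK-namespaced tag from the Keylogger signature; the other stealer hunks in this change keep `T1003` next to their remapped ids (`["T1003", "T1552.001"]`). If the ATT&CK mapping is still meant to be reported for keylogging, keep a T entry here as well, e.g. `ttp = ["S0002.001", "S0003.003", "T1056.001"]`. The Keylogger class body continues outside the hunk.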
diff --git a/modules/signatures/windows/injection_memorymodify.py b/modules/signatures/windows/injection_memorymodify.py
index eb3202c37..f9e08653e 100644
--- a/modules/signatures/windows/injection_memorymodify.py
+++ b/modules/signatures/windows/injection_memorymodify.py
@@ -23,7 +23,7 @@ class InjectionModifiesMemory(Signature):
authors = ["Kevin Ross"]
minimum = "2.0"
references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
- ttp = ["E1055"]
+ ttp = ["E1055.009"]
filter_apinames = [
"NtAllocateVirtualMemory",
diff --git a/modules/signatures/windows/injection_thread.py b/modules/signatures/windows/injection_thread.py
index aa438c856..cfd96fe1c 100644
--- a/modules/signatures/windows/injection_thread.py
+++ b/modules/signatures/windows/injection_thread.py
@@ -22,7 +22,7 @@ class InjectionCreateRemoteThread(Signature):
categories = ["injection"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["E1055"]
+ ttp = ["E1055.001"]
references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
filter_apinames = [
@@ -53,7 +53,7 @@ class InjectionQueueApcThread(Signature):
authors = ["Kevin Ross"]
minimum = "2.0"
references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
- ttp = ["E1055"]
+ ttp = ["E1055.004"]
filter_apinames = [
"NtQueueApcThread",
@@ -107,7 +107,7 @@ class NtSetContextThreadRemote(Signature):
authors = ["Kevin Ross"]
minimum = "2.0"
references = ["www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process"]
- ttp = ["E1055"]
+ ttp = ["E1055.003"]
filter_apinames = [
"NtSetContextThread",
diff --git a/modules/signatures/windows/injection_writememory.py b/modules/signatures/windows/injection_writememory.py
index 8c83e13e8..08db6ba25 100644
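Review bot: The injection_memorymodify.py hunk tags InjectionModifiesMemory with `E1055.009`; if these E ids mirror ATT&CK's T1055 sub-technique numbering, `.009` is the Linux-only "Proc Memory" variant, which does not describe a Windows signature keyed on `NtAllocateVirtualMemory`. The neighbouring hunks (`E1055.001`, `E1055.003`, `E1055.004`) do appear to line up with the Windows sub-techniques, so this one looks like a mis-pick worth checking against the catalogue the ids are taken from. The filter_apinames list and the class body continue outside the hunk.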
--- a/modules/signatures/windows/injection_writememory.py
+++ b/modules/signatures/windows/injection_writememory.py
@@ -22,7 +22,7 @@ class InjectionWriteMemory(Signature):
categories = ["injection"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["E1055"]
+ ttp = ["E1055.012"]
filter_apinames = [
"NtWriteVirtualmemory",
@@ -56,7 +56,7 @@ class InjectionWriteMemoryEXE(Signature):
categories = ["injection", "unpacking"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["E1055"]
+ ttp = ["E1055.012"]
filter_apinames = [
"NtWriteVirtualmemory",
diff --git a/modules/signatures/windows/javascript_commandline.py b/modules/signatures/windows/javascript_commandline.py
index 302618c11..8e50fd553 100644
--- a/modules/signatures/windows/javascript_commandline.py
+++ b/modules/signatures/windows/javascript_commandline.py
@@ -22,7 +22,7 @@ class JavaScriptCommandline(Signature):
categories = ["javascript", "persistence", "downloader"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["E1059.007"]
def on_complete(self):
for cmdline in self.get_command_lines():
diff --git a/modules/signatures/windows/maldoc.py b/modules/signatures/windows/maldoc.py
index 165c16340..99e5ff0c5 100644
--- a/modules/signatures/windows/maldoc.py
+++ b/modules/signatures/windows/maldoc.py
@@ -11,7 +11,7 @@ class MaliciousDocumentURLs(Signature):
categories = ["downloader"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0023", "T1064"]
+ ttp = ["M0023", "E1059.007", "E1059.005"]
filter_apinames = [
"InternetCrackUrlW",
diff --git a/modules/signatures/windows/martians.py b/modules/signatures/windows/martians.py
index 669cf85f1..a1276ac5f 100644
--- a/modules/signatures/windows/martians.py
+++ b/modules/signatures/windows/martians.py
@@ -82,7 +82,7 @@ class MartianCommandProcess(Signature):
categories = ["martian", "exploit", "dropper"]
authors = ["Cuckoo Technologies", "Will Metcalf", "Kevin Ross"]
minimum = "2.0"
- ttp = ["T1059", "T1064"]
+ ttp = ["T1059"]
whitelist_procs = [
"acrord32.exe",
diff --git a/modules/signatures/windows/memdump_urls.py b/modules/signatures/windows/memdump_urls.py
index ae8c5cbb9..bafdc86bb 100644
--- a/modules/signatures/windows/memdump_urls.py
+++ b/modules/signatures/windows/memdump_urls.py
@@ -16,7 +16,6 @@ class ProcMemDumpURLs(Signature):
categories = ["unpacking"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["T1188"]
def on_complete(self):
for procmem in self.get_results("procmemory", []):
@@ -32,7 +31,7 @@ class ProcMemDumpTorURLs(Signature):
categories = ["unpacking", "ransomware", "c2"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["T1188"]
+ ttp = ["T1090.003"]
def on_complete(self):
# List based on https://github.com/cuckoosandbox/community/blob/master/modules/signatures/network/network_torgateway.py
diff --git a/modules/signatures/windows/mining.py b/modules/signatures/windows/mining.py
index 2dd4a1441..bf069322c 100644
--- a/modules/signatures/windows/mining.py
+++ b/modules/signatures/windows/mining.py
@@ -12,7 +12,7 @@ class miningpool(Signature):
categories = ["mining"]
authors = ["RedSocks"]
minimum = "2.0"
- ttp = ["M0018"]
+ ttp = ["M0018.002"]
ipaddrs = [
"144.76.102.176",
diff --git a/modules/signatures/windows/modifies_certs.py b/modules/signatures/windows/modifies_certs.py
index 9ae332247..74660e7c1 100644
--- a/modules/signatures/windows/modifies_certs.py
+++ b/modules/signatures/windows/modifies_certs.py
@@ -22,7 +22,7 @@ class ModifiesCertificates(Signature):
categories = ["infostealer", "banker"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["T1130", "E1112"]
+ ttp = ["T1553.004", "E1112"]
regkeys_re = [
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\SystemCertificates\\\\.*\\\\Certificates\\\\.*",
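Review bot: The memdump_urls.py hunk deletes the `ttp` attribute from ProcMemDumpURLs outright instead of remapping it, while its sibling ProcMemDumpTorURLs in the next hunk is re-tagged to `T1090.003`. Other signatures in this change previously had no `ttp` at all (creates_doc.py, driver_load.py), so absence is presumably tolerated by the base class, but a one-line comment such as `# no TTP: plain URL extraction from memory, not proxy/C2 use` would stop the next maintainer from re-adding the stale tag. `on_complete` continues outside the hunk.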
diff --git a/modules/signatures/windows/modifies_proxies.py b/modules/signatures/windows/modifies_proxies.py
index b8822fa98..407fb5a9c 100644
--- a/modules/signatures/windows/modifies_proxies.py
+++ b/modules/signatures/windows/modifies_proxies.py
@@ -97,7 +97,7 @@ class DisablesProxy(Signature):
categories = ["infostealer"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["E1089", "E1112"]
+ ttp = ["S0004", "E1112"]
evented = True
filter_apinames = [
diff --git a/modules/signatures/windows/modifies_seccenter.py b/modules/signatures/windows/modifies_seccenter.py
index cfc12c1ad..0ac48cd93 100644
--- a/modules/signatures/windows/modifies_seccenter.py
+++ b/modules/signatures/windows/modifies_seccenter.py
@@ -11,7 +11,7 @@ class ModifySecurityCenterWarnings(Signature):
categories = ["stealth"]
authors = ["Kevin Ross", "Optiv"]
minimum = "2.0"
- ttp = ["E1089", "E1112"]
+ ttp = ["S0004", "E1112"]
regkeys_re = [
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\.*",
diff --git a/modules/signatures/windows/modifies_uac_notify.py b/modules/signatures/windows/modifies_uac_notify.py
index 376ab765f..b7e5d3bed 100644
--- a/modules/signatures/windows/modifies_uac_notify.py
+++ b/modules/signatures/windows/modifies_uac_notify.py
@@ -11,7 +11,7 @@ class ModifiesUACNotify(Signature):
categories = ["stealth"]
authors = ["Kevin Ross"]
minimum = "2.0"
- ttp = ["T1088", "E1112"]
+ ttp = ["T1548.002", "E1112"]
regkeys_re = [
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin",
diff --git a/modules/signatures/windows/modifies_zoneid.py b/modules/signatures/windows/modifies_zoneid.py
index d864ee4b7..e55dc608d 100644
--- a/modules/signatures/windows/modifies_zoneid.py
+++ b/modules/signatures/windows/modifies_zoneid.py
@@ -23,7 +23,7 @@ class ZoneID(Signature):
categories = [""]
authors = ["nex"]
minimum = "2.0"
- ttp = ["T1070", "T1096"]
+ ttp = ["T1070", "T1564.004"]
filter_apinames = "NtCreateFile", "NtWriteFile"
diff --git a/modules/signatures/windows/moves_self.py b/modules/signatures/windows/moves_self.py
index e87329f11..8b12fc62f 100644
--- a/modules/signatures/windows/moves_self.py
+++ b/modules/signatures/windows/moves_self.py
@@ -11,7 +11,7 @@ class MovesSelf(Signature):
severity = 2
categories = ["stealth"]
minimum = "2.0"
- ttp = ["E1158"]
+ ttp = ["E1564.001"]
filter_apinames = (
"MoveFileWithProgressW", "MoveFileWithProgressTransactedW",
diff --git a/modules/signatures/windows/network_rdp_mutex.py b/modules/signatures/windows/network_rdp_mutex.py
index aac4c0cf1..c04fec6e2 100644
--- a/modules/signatures/windows/network_rdp_mutex.py
+++ b/modules/signatures/windows/network_rdp_mutex.py
@@ -13,6 +13,7 @@ class RdpMutexes(Signature):
families = ["rdp"]
authors = ["RedSocks"]
minimum = "2.0"
+ ttp = ["X0022.001"]
mutexes_re = [
"msrdp*",
diff --git a/modules/signatures/windows/network_tor.py b/modules/signatures/windows/network_tor.py
index a0924b9a1..3261f19c9 100644
--- a/modules/signatures/windows/network_tor.py
+++ b/modules/signatures/windows/network_tor.py
@@ -22,7 +22,7 @@ class Tor(Signature):
categories = ["network", "anonimity", "tor"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["T1188"]
+ ttp = ["T1090.003"]
filter_apinames = "CreateServiceA", "CreateServiceW"
diff --git a/modules/signatures/windows/network_tor_service.py b/modules/signatures/windows/network_tor_service.py
index 933537997..a1cb4c940 100644
--- a/modules/signatures/windows/network_tor_service.py
+++ b/modules/signatures/windows/network_tor_service.py
@@ -22,7 +22,7 @@ class TorHiddenService(Signature):
categories = ["network", "anonimity", "tor"]
authors = ["nex"]
minimum = "2.0"
- ttp = ["T1188"]
+ ttp = ["T1090.003"]
indicators = [
".*\\\\tor\\\\hidden_service\\\\private_key$",
diff --git a/modules/signatures/windows/office.py b/modules/signatures/windows/office.py
index 69ad4d464..15befa790 100644
--- a/modules/signatures/windows/office.py
+++ b/modules/signatures/windows/office.py
@@ -58,7 +58,7 @@ class OfficeCheckProjectName(Signature):
categories = ["vba"]
authors = ["FDD", "Cuckoo Sandbox"]
minimum = "2.0"
- ttp = ["M0038", "M0007"]
+ ttp = ["M0038", "M0007.007"]
filter_apinames = "vbe6_Invoke",
@@ -76,7 +76,7 @@ class OfficeCountDirectories(Signature):
categories = ["vba"]
authors = ["FDD @ Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0007", "T1083"]
+ ttp = ["M0007.003", "T1083"]
filter_apinames = "vbe6_Invoke",
@@ -94,7 +94,7 @@ class OfficeCheckVersion(Signature):
categories = ["vba"]
authors = ["FDD", "Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0009", "T1518"]
+ ttp = ["M0009.007", "T1518"]
filter_apinames = "vbe6_Invoke",
@@ -118,7 +118,7 @@ class OfficeCheckWindow(Signature):
categories = ["vba"]
authors = ["FDD @ Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0009", "T1010"]
+ ttp = ["M0009.020", "T1010"]
filter_apinames = "vbe6_Invoke",
@@ -142,7 +142,7 @@ class OfficeHttpRequest(Signature):
categories = ["vba"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["T1203", "T1071"]
+ ttp = ["X0002.003"]
filter_apinames = "vbe6_Invoke",
@@ -168,7 +168,7 @@ class OfficeRecentFiles(Signature):
categories = ["vba"]
authors = ["Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0007", "T1083"]
+ ttp = ["M0007.003", "T1083"]
filter_apinames = "vbe6_Invoke",
@@ -197,7 +197,7 @@ class OfficeIndirectCall(Signature):
categories = ["office"]
authors = ["FDD @ Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["E1059"]
patterns = [
"CallByName[^\r\n;']*",
@@ -221,7 +221,7 @@ class OfficeCheckName(Signature):
categories = ["office"]
authors = ["FDD", "Cuckoo Technologies"]
minimum = "2.0"
- ttp = ["M0038", "M0007", "T1064"]
+ ttp = ["M0038", "M0007.007", "E1059"]
patterns = [
"[^\n\r;']*Me.Name[^\n\r;']*",
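Review bot: The OfficeHttpRequest hunk replaces `["T1203", "T1071"]` with `["X0002.003"]`, dropping the T1071 network tag entirely, whereas every other office.py hunk keeps its ATT&CK T id beside the new catalogue id (`["M0007.003", "T1083"]`, `["M0009.020", "T1010"]`). If a VBA-issued HTTP request is still meant to be reported as application-layer download or C2 activity, keep `T1071` (or the `T1071.001` web-protocols sub-technique) alongside `X0002.003`. The OfficeHttpRequest class body continues outside the hunk.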
@@ -245,7 +245,7 @@ class OfficePlatformDetect(Signature):
 categories = ["office"]
 authors = ["FDD @ Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1082", "T1064"]
+ ttp = ["T1082", "E1059"]
 patterns = [
 "#If\s+(?:Not\s+)?Win32",
@@ -270,7 +270,7 @@ class DocumentClose(Signature):
 categories = ["office"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["E1059"]
 def on_complete(self):
 office = self.get_results("static", {}).get("office", {})
@@ -286,7 +286,7 @@ class DocumentOpen(Signature):
 categories = ["office"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1064"]
+ ttp = ["E1059"]
 def on_complete(self):
 office = self.get_results("static", {}).get("office", {})
diff --git a/modules/signatures/windows/packer_entropy.py b/modules/signatures/windows/packer_entropy.py
index 02a148de5..b3408ed30 100644
--- a/modules/signatures/windows/packer_entropy.py
+++ b/modules/signatures/windows/packer_entropy.py
@@ -22,7 +22,7 @@ class PackerEntropy(Signature):
 categories = ["packer"]
 authors = ["Robby Zeitfuchs", "nex"]
 minimum = "2.0"
- ttp = ["E1045"]
+ ttp = ["S0001"]
 references = [
 "http://www.forensickb.com/2013/03/file-entropy-explained.html",
 "http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
diff --git a/modules/signatures/windows/packer_upx.py b/modules/signatures/windows/packer_upx.py
index c292f9f46..69db2d8d7 100644
--- a/modules/signatures/windows/packer_upx.py
+++ b/modules/signatures/windows/packer_upx.py
@@ -22,7 +22,7 @@ class UPXCompressed(Signature):
 categories = ["packer"]
 authors = ["Michael Boman", "nex"]
 minimum = "2.0"
- ttp = ["E1045"]
+ ttp = ["S0001.008"]
 def on_complete(self):
 for section in self.get_results("static", {}).get("pe_sections", []):
diff --git a/modules/signatures/windows/packer_vmprotect.py b/modules/signatures/windows/packer_vmprotect.py
index a1a8ff0de..73e0a1867 100644
--- a/modules/signatures/windows/packer_vmprotect.py
+++ b/modules/signatures/windows/packer_vmprotect.py
@@ -22,7 +22,7 @@ class VMPPacked(Signature):
 categories = ["packer"]
 authors = ["Jeremy Hedges"]
 minimum = "2.0"
- ttp = ["E1045"]
+ ttp = ["S0001.010"]
 def on_complete(self):
 for section in self.get_results("static", {}).get("pe_sections", []):
diff --git a/modules/signatures/windows/payload_download.py b/modules/signatures/windows/payload_download.py
index ec679ee5f..fb452cb04 100644
--- a/modules/signatures/windows/payload_download.py
+++ b/modules/signatures/windows/payload_download.py
@@ -23,7 +23,7 @@ class NetworkDocumentFile(Signature):
 categories = ["exploit", "downloader"]
 authors = ["Kevin Ross", "Will Metcalf"]
 minimum = "2.0"
- ttp = ["T1071", "T1105"]
+ ttp = ["T1071", "E1105"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/pe_features.py b/modules/signatures/windows/pe_features.py
index 9321b9d23..c6fddf090 100644
--- a/modules/signatures/windows/pe_features.py
+++ b/modules/signatures/windows/pe_features.py
@@ -13,7 +13,7 @@ class PEFeatures(Signature):
 categories = ["packer"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["E1045"]
+ ttp = ["S0001"]
 section_names = [
 ".text", ".rdata", ".data", ".pdata", ".DATA", ".reloc", ".idata",
@@ -45,7 +45,7 @@ class PEIDPacker(Signature):
 categories = ["packer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1045"]
+ ttp = ["S0001.002"]
 def on_complete(self):
 if self.get_results("static", {}).get("peid_signatures", []):
@@ -61,7 +61,7 @@ class PEUnknownResourceName(Signature):
 categories = ["packer"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1045"]
+ ttp = ["S0001"]
 names = [
 "RT_ACCELERATOR",
diff --git a/modules/signatures/windows/persistence_ads.py b/modules/signatures/windows/persistence_ads.py
index c668f7d61..b60c65f09 100644
--- a/modules/signatures/windows/persistence_ads.py
+++ b/modules/signatures/windows/persistence_ads.py
@@ -27,7 +27,7 @@ class ADS(Signature):
 categories = ["persistence", "ads"]
 authors = ["nex", "Optiv"]
 minimum = "2.0"
- ttp = ["T1096"]
+ ttp = ["T1564.004"]
 def on_complete(self):
 for filepath in self.get_files():
diff --git a/modules/signatures/windows/persistence_autorun.py b/modules/signatures/windows/persistence_autorun.py
index bc45fea71..f7ebf7ee1 100644
--- a/modules/signatures/windows/persistence_autorun.py
+++ b/modules/signatures/windows/persistence_autorun.py
@@ -31,7 +31,7 @@ class Autorun(Signature):
 categories = ["persistence"]
 authors = ["Michael Boman", "nex", "securitykitten", "Cuckoo Technologies", "Optiv", "KillerInstinct", "Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1060", "T1050", "E1112"]
+ ttp = ["S0012", "T1543.003", "E1112"]
 regkeys_re = [
 ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\.*",
diff --git a/modules/signatures/windows/persistence_bootexecute.py b/modules/signatures/windows/persistence_bootexecute.py
index 2918d1ba1..9c2f12571 100644
--- a/modules/signatures/windows/persistence_bootexecute.py
+++ b/modules/signatures/windows/persistence_bootexecute.py
@@ -23,7 +23,7 @@ class PersistenceBootexecute(Signature):
 authors = ["Brad Spengler"]
 minimum = "2.0"
 evented = True
- ttp = ["E1060"]
+ ttp = ["S0012"]
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/persistence_registry_fileless.py b/modules/signatures/windows/persistence_registry_fileless.py
index cdd0558a5..1864cf5e3 100644
--- a/modules/signatures/windows/persistence_registry_fileless.py
+++ b/modules/signatures/windows/persistence_registry_fileless.py
@@ -45,7 +45,7 @@ class PersistenceRegistryEXE(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 evented = True
- ttp = ["M0040", "E1112"]
+ ttp = ["M0040.001", "E1112"]
 filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"])
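Review bot: In the Autorun hunk the new `T1543.003` (Create or Modify System Process: Windows Service) only replaces the old `T1050`; the old `E1060` (Registry Run Keys / Startup Folder) became `S0012`, so the ATT&CK side of the Run-key match is gone, and the one `regkeys_re` pattern visible here, `...CurrentVersion\\Run\\...`, is exactly `T1547.001`. I would keep both: `ttp = ["S0012", "T1547.001", "T1543.003", "E1112"]`, unless the remainder of `regkeys_re`, which continues outside the hunk, contains no services keys, in which case `T1543.003` should go instead. The class body continues past the hunk.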
@@ -67,7 +67,7 @@ class PersistenceRegistryPowershell(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 evented = True
- ttp = ["E1112", "T1086"]
+ ttp = ["E1112", "E1059.001"]
 filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"])
diff --git a/modules/signatures/windows/powerfun.py b/modules/signatures/windows/powerfun.py
index c65c8b59e..7b7d05925 100644
--- a/modules/signatures/windows/powerfun.py
+++ b/modules/signatures/windows/powerfun.py
@@ -11,7 +11,7 @@ class Powerfun(Signature):
 categories = ["script", "malware", "injector"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086"]
+ ttp = ["E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "Powerfun":
diff --git a/modules/signatures/windows/powershell.py b/modules/signatures/windows/powershell.py
index c9f3053ea..62dbdbdd8 100644
--- a/modules/signatures/windows/powershell.py
+++ b/modules/signatures/windows/powershell.py
@@ -13,7 +13,7 @@ class SuspiciousPowershell(Signature):
 categories = ["script", "dropper", "downloader", "packer"]
 authors = ["Kevin Ross", "Cuckoo Technologies", "FDD"]
 minimum = "2.0"
- ttp = ["T1086"]
+ ttp = ["E1059.001"]
 def on_complete(self):
 for cmdline in self.get_command_lines():
@@ -64,7 +64,7 @@ class AmsiBypass(Signature):
 categories = ["script", "malware", "powershell", "amsi"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["E1089"]
+ ttp = ["S0004.004", "E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellAMSI":
@@ -82,7 +82,7 @@ class PowershellBitsTransfer(Signature):
 categories = ["script", "dropper", "downloader", "malware", "powershell"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1197"]
+ ttp = ["E1059.001", "T1197"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellBitsTransfer":
@@ -101,7 +101,7 @@ class PowershellDdiRc4(Signature):
 categories = ["script", "dropper", "downloader", "malware", "powershell"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1105", "T1086"]
+ ttp = ["E1105", "E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellDdiRc4":
@@ -130,7 +130,7 @@ class PowershellDFSP(Signature):
 categories = ["script", "dropper", "downloader", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1105", "T1086"]
+ ttp = ["E1105", "E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellDFSP":
@@ -149,7 +149,7 @@ class PowershellDI(Signature):
 categories = ["script", "dropper", "downloader", "malware", "powershell"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086", "T1105"]
+ ttp = ["E1059.001", "E1105"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellDI":
@@ -181,7 +181,7 @@ class PowershellDownload(Signature):
 categories = ["downloader"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1086", "T1105"]
+ ttp = ["E1059.001", "E1105"]
 filter_apinames = [
 "recv",
@@ -204,7 +204,7 @@ class PowershellEmpire(Signature):
 categories = ["script", "dropper", "downloader", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086"]
+ ttp = ["E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellEmpire":
@@ -222,7 +222,7 @@ class PowershellMeterpreter(Signature):
 categories = ["script", "meterpreter", "powershell", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086"]
+ ttp = ["E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellMeterpreter":
@@ -246,7 +246,7 @@ class PowershellRequest(Signature):
 categories = ["downloader"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1086"]
+ ttp = ["E1059.001"]
 filter_apinames = [
 "send",
@@ -266,7 +266,7 @@ class PowershellCcDns(Signature):
 categories = ["script", "bot", "dns", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086", "T1071"]
+ ttp = ["E1059.001", "T1071.004"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowershellCcDns":
@@ -286,7 +286,7 @@ class PowershellUnicorn(Signature):
 categories = ["script", "dropper", "downloader", "malware"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086", "E1055"]
+ ttp = ["E1059.001", "E1055"]
 def on_yara(self, category, filepath, match):
 if match.name != "UnicornGen":
diff --git a/modules/signatures/windows/powershell_reg.py b/modules/signatures/windows/powershell_reg.py
index 69a6e888a..befdc84ca 100644
--- a/modules/signatures/windows/powershell_reg.py
+++ b/modules/signatures/windows/powershell_reg.py
@@ -14,7 +14,7 @@ class PowershellRegAdd(Signature):
 categories = ["script", "powershell"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["E1112", "T1086"]
+ ttp = ["E1112", "E1059.001"]
 def on_complete(self):
 lower = "".join(self.get_command_lines()).lower()
diff --git a/modules/signatures/windows/powerworm.py b/modules/signatures/windows/powerworm.py
index 495379057..5a5968788 100644
--- a/modules/signatures/windows/powerworm.py
+++ b/modules/signatures/windows/powerworm.py
@@ -11,7 +11,7 @@ class Powerworm(Signature):
 categories = ["script", "malware", "powershell", "worm"]
 authors = ["FDD", "Cuckoo Technologies"]
 minimum = "2.0.4"
- ttp = ["T1086"]
+ ttp = ["E1059.001"]
 def on_yara(self, category, filepath, match):
 if match.name != "PowerWorm":
diff --git a/modules/signatures/windows/protection_rx.py b/modules/signatures/windows/protection_rx.py
index a19bfdf4e..1c36ef9c6 100644
--- a/modules/signatures/windows/protection_rx.py
+++ b/modules/signatures/windows/protection_rx.py
@@ -12,6 +12,7 @@ class MemoryProtectionRX(Signature):
 severity = 2
 categories = ["unpacking"]
 minimum = "2.0"
+ ttp = ["X0008"]
 filter_apinames = (
 "NtAllocateVirtualMemory",
 "NtProtectVirtualMemory",
diff --git a/modules/signatures/windows/ransomware_filemodications.py b/modules/signatures/windows/ransomware_filemodications.py
index 9504bd52c..ec4f072c7 100644
--- a/modules/signatures/windows/ransomware_filemodications.py
+++ b/modules/signatures/windows/ransomware_filemodications.py
@@ -53,7 +53,7 @@ class RansomwareAppendsExtension(Signature):
 categories = ["ransomware"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1486"]
+ ttp = ["E1486", "X0015.001"]
 filter_apinames = "MoveFileWithProgressW", "MoveFileWithProgressTransactedW"
@@ -119,7 +119,7 @@ class RansomwareMassFileDelete(Signature):
 categories = ["ransomware", "wiper"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1488"]
+ ttp = ["T1561.001"]
 evented = True
 def on_complete(self):
diff --git a/modules/signatures/windows/ransomware_files.py b/modules/signatures/windows/ransomware_files.py
index 9dcbfe5dc..dc876738c 100644
--- a/modules/signatures/windows/ransomware_files.py
+++ b/modules/signatures/windows/ransomware_files.py
@@ -23,7 +23,7 @@ class RansomwareFiles(Signature):
 categories = ["ransomware"]
 authors = ["KillerInstinct", "Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["E1486"]
+ ttp = ["E1486", "X0016.002"]
 indicators = [
 (".*\\\\help_decrypt\.html$", ["CryptoWall"]),
diff --git a/modules/signatures/windows/ransomware_recyclebin.py b/modules/signatures/windows/ransomware_recyclebin.py
index d591ec66b..1d1ee69ab 100644
--- a/modules/signatures/windows/ransomware_recyclebin.py
+++ b/modules/signatures/windows/ransomware_recyclebin.py
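Review bot: `X0008` on MemoryProtectionRX is the first of several new `X`-prefixed ids in this commit (`X0002.003`, `X0012.001`, `X0015.001`, `X0016.002`, `X0017`, `X0018`), and nothing in the visible diff adds them to whatever table resolves `ttp` values to names, so they will presumably render as bare ids until that table is updated in the same change. The numbers line up with MBC micro-behaviors as far as I recall (C0008 Change Memory Protection, C0012 SMTP Communication, C0017 Create Process, C0018 Terminate Process), so unless `X` is a deliberate project-local prefix in the same way the pre-existing `M` ids are, this looks like a `C` that should be corrected before merge; please confirm against the mapping file. The class body continues past the hunk.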
@@ -11,7 +11,7 @@ class RansomwareRecyclebin(Signature):
 categories = ["ransomware"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["E1485"]
+ ttp = ["E1485.m02"]
 def on_complete(self):
 for deleted in self.check_file("C:\\\\RECYCLER\\\\.*", actions=["file_deleted"], regex=True, all=True):
diff --git a/modules/signatures/windows/self_delete_bat.py b/modules/signatures/windows/self_delete_bat.py
index 26df29256..42085bff1 100644
--- a/modules/signatures/windows/self_delete_bat.py
+++ b/modules/signatures/windows/self_delete_bat.py
@@ -13,7 +13,7 @@ class SelfDeleteBat(Signature):
 categories = ["trojan"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["E1007"]
+ ttp = ["S0007"]
 indicator = (
 "@echo.*off.*"
diff --git a/modules/signatures/windows/smtp_gmail.py b/modules/signatures/windows/smtp_gmail.py
index c3057c6df..e510f29a6 100644
--- a/modules/signatures/windows/smtp_gmail.py
+++ b/modules/signatures/windows/smtp_gmail.py
@@ -12,6 +12,7 @@ class Smtp_GMail(Signature):
 categories = ["smtp"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["X0012.001"]
 domains = [
 "smtp.gmail.com",
diff --git a/modules/signatures/windows/smtp_live.py b/modules/signatures/windows/smtp_live.py
index ac650e4ea..473caa144 100644
--- a/modules/signatures/windows/smtp_live.py
+++ b/modules/signatures/windows/smtp_live.py
@@ -12,6 +12,7 @@ class Smtp_Live(Signature):
 categories = ["smtp"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["X0012.001"]
 domains = [
 "smtp.live.com",
diff --git a/modules/signatures/windows/smtp_mailru.py b/modules/signatures/windows/smtp_mailru.py
index 5256779c0..5a7216b5a 100644
--- a/modules/signatures/windows/smtp_mailru.py
+++ b/modules/signatures/windows/smtp_mailru.py
@@ -12,6 +12,7 @@ class Smtp_Mail_Ru(Signature):
 categories = ["smtp"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["X0012.001"]
 ipaddrs = [
 "94.100.180.160",
diff --git a/modules/signatures/windows/smtp_yahoo.py b/modules/signatures/windows/smtp_yahoo.py
index 42d7c6744..bf4bdc048 100644
--- a/modules/signatures/windows/smtp_yahoo.py
+++ b/modules/signatures/windows/smtp_yahoo.py
@@ -12,6 +12,7 @@ class Smtp_Yahoo(Signature):
 categories = ["smtp"]
 authors = ["RedSocks"]
 minimum = "2.0"
+ ttp = ["X0012.001"]
 domains = [
 "smtp.mail.yahoo.com",
diff --git a/modules/signatures/windows/stealth_childproc.py b/modules/signatures/windows/stealth_childproc.py
index 3436c507f..8f39923a5 100644
--- a/modules/signatures/windows/stealth_childproc.py
+++ b/modules/signatures/windows/stealth_childproc.py
@@ -11,7 +11,7 @@ class StealthChildProc(Signature):
 categories = ["stealth"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["T1502"]
+ ttp = ["T1134.004"]
 filter_apinames = [
 "NtCreateProcess",
diff --git a/modules/signatures/windows/stealth_hidenotifications.py b/modules/signatures/windows/stealth_hidenotifications.py
index 798a4f3e3..25c1816c8 100644
--- a/modules/signatures/windows/stealth_hidenotifications.py
+++ b/modules/signatures/windows/stealth_hidenotifications.py
@@ -11,7 +11,7 @@ class StealthHideNotifications(Signature):
 categories = ["stealth"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["E1054", "E1112"]
+ ttp = ["S0006", "E1112"]
 regkeys_re = [
 ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth$",
diff --git a/modules/signatures/windows/stealth_window.py b/modules/signatures/windows/stealth_window.py
index 245d5c2db..f8c3ad301 100644
--- a/modules/signatures/windows/stealth_window.py
+++ b/modules/signatures/windows/stealth_window.py
@@ -27,7 +27,7 @@ class Hidden_Window(Signature):
 categories = ["stealth"]
 authors = ["KillerInstinct"]
 minimum = "2.0"
- ttp = ["T1143"]
+ ttp = ["T1564.003"]
 filter_apinames = set(["ShellExecuteExW", "CreateProcessInternalW"])
diff --git a/modules/signatures/windows/suspicious_process.py b/modules/signatures/windows/suspicious_process.py
index 5f82af85a..d43ed3d0b 100644
--- a/modules/signatures/windows/suspicious_process.py
+++ b/modules/signatures/windows/suspicious_process.py
@@ -11,6 +11,7 @@ class CreatesSuspiciousProcess(Signature):
 categories = ["packer"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
+ ttp = ["X0017"]
 processes = [
 "svchost", "powershell", "regsvr32", "bcdedit", "mshta", "schtasks",
diff --git a/modules/signatures/windows/terminates_process.py b/modules/signatures/windows/terminates_process.py
index e3006d1b4..11ca8f38e 100644
--- a/modules/signatures/windows/terminates_process.py
+++ b/modules/signatures/windows/terminates_process.py
@@ -23,6 +23,7 @@ class TerminatesRemoteProcess(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 evented = True
+ ttp = ["X0018"]
 filter_apinames = "NtTerminateProcess",
diff --git a/modules/signatures/windows/volatility_sig.py b/modules/signatures/windows/volatility_sig.py
index de2e148af..b2d5766fe 100644
--- a/modules/signatures/windows/volatility_sig.py
+++ b/modules/signatures/windows/volatility_sig.py
@@ -73,7 +73,7 @@ class VolDevicetree1(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["E1215"]
+ ttp = ["S0010.001"]
 # http://mnin.blogspot.de/2011/10/zeroaccess-volatility-and-kernel-timers.html
@@ -92,7 +92,7 @@ class VolSvcscan1(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["E1089"]
+ ttp = ["S0004"]
 def on_complete(self):
 for row in self.get_volatility("svcscan").get("data", []):
@@ -110,7 +110,7 @@ class VolSvcscan2(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["E1089"]
+ ttp = ["S0004"]
 def on_complete(self):
 for row in self.get_volatility("svcscan").get("data", []):
@@ -128,7 +128,7 @@ class VolSvcscan3(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["E1089"]
+ ttp = ["S0004"]
 def on_complete(self):
 for row in self.get_volatility("svcscan").get("data", []):
@@ -146,7 +146,7 @@ class VolModscan1(Signature):
 authors = ["Thorsten Sick"]
 families = ["Zero access"]
 minimum = "2.0"
- ttp = ["E1215"]
+ ttp = ["S0010"]
 def on_complete(self):
 for row in self.get_volatility("modscan").get("data", []):
diff --git a/modules/signatures/windows/windows_utilities.py b/modules/signatures/windows/windows_utilities.py
index 80645ae0b..cc8360122 100644
--- a/modules/signatures/windows/windows_utilities.py
+++ b/modules/signatures/windows/windows_utilities.py
@@ -150,7 +150,7 @@ class UsesWindowsUtilities(Signature):
 categories = ["commands", "lateral"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1053"]
+ ttp = ["E1203.m06"]
 references = ["http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html"]
 def on_complete(self):
@@ -168,6 +168,7 @@ class SuspiciousCommandTools(Signature):
 categories = ["commands", "lateral"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
+ ttp = ["E1203.m06"]
 def on_complete(self):
 for cmdline in self.get_command_lines():
@@ -185,6 +186,7 @@ class SysInternalsToolsUsage(Signature):
 authors = ["Kevin Ross"]
 minimum = "2.0"
 references = ["docs.microsoft.com/en-us/sysinternals/downloads/"]
+ ttp = ["E1203.m05"]
 def on_complete(self):
 for cmdline in self.get_command_lines():
diff --git a/modules/signatures/windows/wmi.py b/modules/signatures/windows/wmi.py
index aa90f1120..1db5ffdde 100644
--- a/modules/signatures/windows/wmi.py
+++ b/modules/signatures/windows/wmi.py
@@ -33,7 +33,7 @@ class Win32ProcessCreate(Signature):
 categories = ["wmi"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["T1047"]
+ ttp = ["T1047", "X0017.002"]
 filter_apinames = [
 "IWbemServices_ExecMethod",
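Review bot: `E1203.m06` replacing `T1053` on UsesWindowsUtilities (and added to SuspiciousCommandTools) reads as the MBC form of ATT&CK T1203, Exploitation for Client Execution, which is not what the hunk's own reference link describes (built-in Windows commands abused after compromise); if the intent is living-off-the-land utility abuse I would expect `T1059.003` or `T1218`, plus `T1053.005` where the matched commands include `schtasks`/`at`, and the command list that decides this is outside the hunk. Please confirm what `E1203.m06` resolves to in the project's mapping table before merging, and if it does not cover scheduled tasks, keep the successor of the dropped id: `ttp = ["E1203.m06", "T1053.005"]`.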
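Review bot: In the SysInternalsToolsUsage hunk the new `ttp = ["E1203.m05"]` is inserted after `references`, while `UsesWindowsUtilities` two hunks up, and every other signature touched by this commit, lists `ttp` directly after `minimum` and before `references`. For consistency and grep-ability I would move the line up so the attribute order reads `minimum = "2.0"`, `ttp = ["E1203.m05"]`, `references = [...]`.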