updated mapping for MBC v2.0

modules/signatures/android/android_dynamic_code.py

@@ -11,7 +11,7 @@ class AndroidDynamicCode(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
-    ttp = ["E1129"]
+    ttp = ["T1129"]
 
     def on_complete(self):
         if self.get_apkinfo("static_method_calls").get("is_dynamic_code"):

modules/signatures/android/application_aborted_broadcast_receiver.py

@@ -11,7 +11,7 @@ class AndroidAbortBroadcast(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
-    ttp = ["E1054"]
+    ttp = ["S0006"]
 
     def on_complete(self):
         if "abortBroadcast" in self.get_droidmon("events", []):

modules/signatures/android/application_deleted_app.py

@@ -11,7 +11,7 @@ class AndroidDeletedApp(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
-    ttp = ["E1485"]
+    ttp = ["E1485.m03"]
 
     def on_complete(self):
         if "android/app/ApplicationPackageManager->deletePackage" in self.get_droidmon():

modules/signatures/android/application_executed_shell_command.py

@@ -11,7 +11,7 @@ class AndroidShellCommands(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
-    ttp = ["T1059"]
+    ttp = ["E1059"]
 
     def on_complete(self):
         if self.get_droidmon("commands", []):

modules/signatures/cross/js_eval.py

@@ -11,7 +11,7 @@ class EvalJS(Signature):
     categories = ["unpacking"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["T1064"]
+    ttp = ["T1059.007"]
 
     filter_apinames = "COleScript_Compile",
 

modules/signatures/cross/js_iframe.py

@@ -13,7 +13,7 @@ class JsIframe(Signature):
     categories = ["obfuscation"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["T1064"]
+    ttp = ["T1059"]
 
     filter_apinames = "CIFrameElement_CreateElement",
 

modules/signatures/cross/js_suspicious.py

@@ -13,7 +13,7 @@ class SuspiciousJavascript(Signature):
     categories = ["unpacking"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["T1064"]
+    ttp = ["E1059.007"]
 
     filter_apinames = "COleScript_Compile",
 
@@ -41,7 +41,7 @@ class AntiAnalysisJavascript(Signature):
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
     on_call_dispatch = True
-    ttp = ["M0013", "M0001"]
+    ttp = ["M0013", "M0009"]
 
     filter_apinames = "ActiveXObjectFncObj_Construct", "CImgElement_put_src"
 

modules/signatures/network/dns_cnc.py

@@ -22,6 +22,7 @@ class NetworkDNSTXTLookup(Signature):
     categories = ["dns", "cnc"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
+    ttp = ["X0011"]
 
     whitelist = [
             "google.com",

modules/signatures/network/dns_tld.py

@@ -12,6 +12,7 @@ class Suspicious_TLD(Signature):
     categories = ["tldwatch", "network"]
     authors = ["RedSocks", "Kevin Ross"]
     minimum = "2.0"
+    ttp = ["X0011.004"]
 
     domains_re = [
         (".*\\.by$", "Belarus domain TLD"),

modules/signatures/network/network_bind.py

@@ -22,6 +22,7 @@ class NetworkBIND(Signature):
     categories = ["bind"]
     authors = ["nex", "Accuvant"]
     minimum = "2.0"
+    ttp = ["X0001.002"]
 
     filter_apinames = "bind", "listen", "accept"
 

modules/signatures/network/network_cnc_http.py

@@ -27,7 +27,7 @@ class NetworkHTTPPOST(Signature):
     categories = ["http", "cnc"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1071", "M0030"]
+    ttp = ["X0002.005"]
 
     filter_analysistypes = set(["file"])
 
@@ -58,7 +58,7 @@ class NetworkCnCHTTP(Signature):
     categories = ["http", "cnc"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1071", "M0030"]
+    ttp = ["T1071.001", "M0030"]
 
     filter_analysistypes = set(["file"])
 

modules/signatures/network/network_dyndns.py

@@ -12,6 +12,7 @@ class NetworkDynDNS(Signature):
     categories = ["dyndns"]
     authors = ["RedSocks"]
     minimum = "2.0"
+    ttp = ["X0011.003"]
 
     domains_re = [
         ".*\\.no-ip\\.",

modules/signatures/network/network_http.py

@@ -22,6 +22,7 @@ class NetworkHTTP(Signature):
     categories = ["http"]
     authors = ["nex"]
     minimum = "2.0"
+    ttp = ["X0002.003"]
 
     host_whitelist = [
         "www.msftncsi.com"

modules/signatures/network/network_icmp.py

@@ -22,6 +22,7 @@ class NetworkICMP(Signature):
     categories = ["icmp"]
     authors = ["David Maciejak"]
     minimum = "2.0"
+    ttp = ["X0014.001"]
 
     def on_complete(self):
         if self.get_net_icmp():

modules/signatures/network/network_smtp.py

@@ -22,6 +22,7 @@ class NetworkSMTP(Signature):
     categories = ["smtp", "spam"]
     authors = ["nex", "RicoVZ"]
     minimum = "2.0.0"
+    ttp = ["S0012.002"]
 
     def on_complete(self):
         for s in getattr(self, "get_net_smtp_ex", lambda: [])():

modules/signatures/network/network_torgateway.py

@@ -22,7 +22,7 @@ class TorGateway(Signature):
     categories = ["network"]
     authors = ["nex", "Optiv"]
     minimum = "2.0"
-    ttp = ["T1188"]
+    ttp = ["T1090.003"]
 
     domains_re = [
         ".*\\.tor2web\\.[a-z]{2,20}$",

modules/signatures/network/network_wscript.py

@@ -22,7 +22,7 @@ class WscriptDownloader(Signature):
     categories = ["downloader"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1064", "T1105"]
+    ttp = ["T1059", "E1105"]
 
     filter_apinames = [
         "InternetCrackUrlW",

modules/signatures/network/p2p_cnc.py

@@ -22,7 +22,7 @@ class P2PCnC(Signature):
     categories = ["p2p", "cnc"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1094"]
+    ttp = ["T1095"]
 
     filter_analysistypes = set(["file"])
 

modules/signatures/windows/allocates_rwx.py

@@ -11,7 +11,7 @@ class AllocatesRWX(Signature):
     categories = ["unpacking"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["E1055"]
+    ttp = ["X0007"]
 
     filter_apinames = (
         "NtAllocateVirtualMemory", "NtProtectVirtualMemory",

modules/signatures/windows/antianalysis_detectfile.py

@@ -11,7 +11,7 @@ class AntiAnalysisDetectFile(Signature):
     categories = ["anti-analysis"]
     authors = ["KillerInstinct"]
     minimum = "2.0"
-    ttp = ["M0013"]
+    ttp = ["M0013.008"]
 
     file_indicators = [
         "[A-Za-z]:\\\\analysis",

modules/signatures/windows/antiav_avast_libs.py

@@ -22,7 +22,7 @@ class AvastDetectLibs(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1063"]
+    ttp = ["T1518.001"]
 
     filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
 

modules/signatures/windows/antiav_bitdefender_libs.py

@@ -22,7 +22,7 @@ class BitdefenderDetectLibs(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1063"]
+    ttp = ["T1518.001"]
 
     filter_apinames = set(["LdrLoadDll", "LdrGetDllHandle"])
 

modules/signatures/windows/antiav_detectfile.py

@@ -15,7 +15,7 @@ class AntiAVDetectFile(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1063", "T1083"]
+    ttp = ["T1518.001", "T1083"]
 
     file_indicators = [
         ".*\\\\AVAST\\ Software",

modules/signatures/windows/antiav_detectreg.py

@@ -11,7 +11,7 @@ class AntiAVDetectReg(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["T1063", "T1012"]
+    ttp = ["T1518.001", "T1012"]
 
     reg_indicators = [
         ".*\\\\Software\\\\(Wow6432Node\\\\)?Avg",

modules/signatures/windows/antiav_servicestop.py

@@ -16,7 +16,7 @@ class AntiAVServiceStop(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["E1089"]
+    ttp = ["S0004"]
     evented = True
 
     def __init__(self, *args, **kwargs):

modules/signatures/windows/antiav_srp.py

@@ -11,7 +11,7 @@ class AntiAVSRP(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["E1089", "E1478"]
+    ttp = ["S0004.005", "E1478"]
 
     regkeys_re = [
         ".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*",

modules/signatures/windows/antidbg_windows.py

@@ -22,7 +22,7 @@ class AntiDBGWindows(Signature):
     categories = ["anti-debug"]
     authors = ["nex", "KillerInstinct", "Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0013"]
+    ttp = ["M0013.009", "M0001.004"]
 
     filter_categories = "ui",
 

modules/signatures/windows/antisandbox_clipboard.py

@@ -22,7 +22,7 @@ class AntisandboxClipboard(Signature):
     categories = ["anti-sandbox"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0007"]	
+    ttp = ["M0007.001"]	
 
     filter_apinames = set(["GetClipboardData"])
 

modules/signatures/windows/antisandbox_cuckoo_files.py

@@ -22,7 +22,7 @@ class CuckooDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0007"]
+    ttp = ["M0007.002"]
 
     file_indicators = [
         ".*\\\\agent\\.py$",

modules/signatures/windows/antisandbox_file.py

@@ -11,7 +11,7 @@ class AntiSandboxFile(Signature):
     categories = ["anti-sandbox"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0007"]
+    ttp = ["M0007.002"]
 
     files_re = [
         "[a-zA-Z]:\\\\sample\\.exe",

modules/signatures/windows/antisandbox_forehwnd.py

@@ -20,7 +20,7 @@ class AntiSandboxForegroundWindow(Signature):
     severity = 2
     categories = ["anti-sandbox"]
     minimum = "2.0"
-    ttp = ["M0007"]
+    ttp = ["M0007.003"]
 
     references = [
         "https://www.virusbtn.com/virusbulletin/archive/2015/09/vb201509-custom-packer.dkb",

modules/signatures/windows/antisandbox_fortinet_files.py

@@ -22,7 +22,7 @@ class FortinetDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0007"]
+    ttp = ["M0007.002"]
 
     files_re = [
         "C:\\\\tracer\\\\mdare32_0\\.sys",

modules/signatures/windows/antisandbox_idletime.py

@@ -11,7 +11,7 @@ class AntiSandboxIdleTime(Signature):
     categories = ["anti-sandbox"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0003"]
+    ttp = ["M0007.009"]
 
     filter_apinames = "NtQuerySystemInformation",
 

modules/signatures/windows/antisandbox_joe_anubis_files.py

@@ -22,7 +22,7 @@ class SandboxJoeAnubisDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0007"]
+    ttp = ["M0007.002"]
 
     file_indicators = [
         "C:\\\\sample\\.exe",

modules/signatures/windows/antisandbox_mouse_hook.py

@@ -22,7 +22,7 @@ class HookMouse(Signature):
     categories = ["hooking", "anti-sandbox"]
     authors = ["nex"]
     minimum = "2.0"
-    ttp = ["M0007", "E1179"]
+    ttp = ["M0007.003", "S0003.003"]
 
     filter_apinames = "SetWindowsHookExA", "SetWindowsHookExW"
 

modules/signatures/windows/antisandbox_restart.py

@@ -12,7 +12,7 @@ class AntiSandboxRestart(Signature):
     categories = ["anti-sandbox"]
     authors = ["Cuckoo Technologies", "Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0003"]
+    ttp = ["M0003.010"]
 
     filter_apinames = (
         "InitiateSystemShutdownExW", "InitiateSystemShutdownExA",

modules/signatures/windows/antisandbox_sleep.py

@@ -22,7 +22,7 @@ class AntiSandboxSleep(Signature):
     categories = ["anti-sandbox"]
     authors = ["KillerInstinct"]
     minimum = "2.0"
-    ttp = ["M0003"]
+    ttp = ["M0003.003"]
 
     filter_apinames = "NtDelayExecution",
 

modules/signatures/windows/antisandbox_sunbelt_files.py

@@ -22,7 +22,7 @@ class SunbeltDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0007"]
+    ttp = ["M0007.002"]
 
     file_indicators = [
         ".*\\\\SandboxStarter\\.exe$",

modules/signatures/windows/antisandbox_threattrack_files.py

@@ -22,7 +22,7 @@ class ThreatTrackDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0007"]
+    ttp = ["M0007.002"]
 
     files_re = [
         "C:\\\\cwsandbox",

modules/signatures/windows/antisandbox_unhook.py

@@ -22,7 +22,7 @@ class Unhook(Signature):
     categories = ["anti-sandbox"]
     authors = ["nex"]
     minimum = "2.0"
-    ttp = ["M0003"]
+    ttp = ["M0003.008"]
 
     filter_apinames = "__anomaly__",
 

modules/signatures/windows/antivirus_detection_cn.py

@@ -13,7 +13,7 @@ class AVDetectionChinaKey(Signature):
     families = ["china"]
     authors = ["RedSocks"]
     minimum = "2.0"
-    ttp = ["T1012", "T1063"]
+    ttp = ["T1012", "T1518.001"]
 
     indicators = [
         ".*360Safe",

modules/signatures/windows/antivm_bochs_keys.py

@@ -22,7 +22,7 @@ class BochsDetectKeys(Signature):
     categories = ["anti-vm"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0009", "T1012"]
+    ttp = ["M0009.005", "T1012"]
 
     regkeys_re = [
         ".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS_.*",

modules/signatures/windows/antivm_disksize.py

@@ -22,7 +22,7 @@ class AntiVMDiskSize(Signature):
     categories = ["anti-vm"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0009"]
+    ttp = ["M0009.015"]
 
     evented = True