diff --git a/README.md b/README.md
index 2f8a8677..f154b088 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ class AntiSandboxSleep(Signature):
 categories = ["anti-sandbox"]
 authors = ["KillerInstinct"]
 minimum = "2.0"
- ttp = ["M0003.003"]
+ ttp = ["B0003.003"]
 ...
 ```
diff --git a/modules/signatures/android/android_reflection_code.py b/modules/signatures/android/android_reflection_code.py
index 64c73fb8..c34e013f 100644
--- a/modules/signatures/android/android_reflection_code.py
+++ b/modules/signatures/android/android_reflection_code.py
@@ -11,7 +11,7 @@ class AndroidReflectionCode(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
- ttp = ["M0032"]
+ ttp = ["B0032"]
 def on_complete(self):
 if self.get_apkinfo("static_method_calls").get("is_reflection_code"):
diff --git a/modules/signatures/android/application_aborted_broadcast_receiver.py b/modules/signatures/android/application_aborted_broadcast_receiver.py
index db52dcb4..76c66367 100644
--- a/modules/signatures/android/application_aborted_broadcast_receiver.py
+++ b/modules/signatures/android/application_aborted_broadcast_receiver.py
@@ -11,7 +11,7 @@ class AndroidAbortBroadcast(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
- ttp = ["S0006"]
+ ttp = ["F0006"]
 def on_complete(self):
 if "abortBroadcast" in self.get_droidmon("events", []):
diff --git a/modules/signatures/android/application_installed_app.py b/modules/signatures/android/application_installed_app.py
index efee86b0..e6d136d9 100644
--- a/modules/signatures/android/application_installed_app.py
+++ b/modules/signatures/android/application_installed_app.py
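Review bot: The `+ ttp = ["B0032"]` line retires an identifier that already-stored reports and any consumer keyed on the old value will no longer match, and the diff carries no mapping from the previous `M`/`X`/`S` prefixes to the new `B`/`C`/`F` ones; the same applies to every other `ttp` hunk in this diff. If the reporting or web layer resolves these IDs against a table of names and descriptions (not visible here), that table needs the same update in this commit, otherwise the new values will surface as unknown entries. The README hunk would also benefit from one sentence stating which catalogue and version the `ttp` identifiers follow, e.g. "`ttp` values are identifiers from <catalogue name and version — fill in>", so downstream tooling can validate them.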
@@ -11,7 +11,7 @@ class AndroidInstalledApps(Signature):
 categories = ["android"]
 authors = ["Check Point Software Technologies LTD"]
 minimum = "2.0"
- ttp = ["M0023"]
+ ttp = ["B0023"]
 def on_complete(self):
 if "android/app/ApplicationPackageManager->installPackage" in self.get_droidmon():
diff --git a/modules/signatures/cross/js_suspicious.py b/modules/signatures/cross/js_suspicious.py
index a178c09d..54f79a3e 100644
--- a/modules/signatures/cross/js_suspicious.py
+++ b/modules/signatures/cross/js_suspicious.py
@@ -41,7 +41,7 @@ class AntiAnalysisJavascript(Signature):
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
 on_call_dispatch = True
- ttp = ["M0013", "M0009"]
+ ttp = ["B0013", "B0009"]
 filter_apinames = "ActiveXObjectFncObj_Construct", "CImgElement_put_src"
diff --git a/modules/signatures/network/dns_cnc.py b/modules/signatures/network/dns_cnc.py
index 6ef7b181..5177f69a 100644
--- a/modules/signatures/network/dns_cnc.py
+++ b/modules/signatures/network/dns_cnc.py
@@ -22,7 +22,7 @@ class NetworkDNSTXTLookup(Signature):
 categories = ["dns", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["X0011"]
+ ttp = ["C0011"]
 whitelist = [ "google.com",
diff --git a/modules/signatures/network/dns_tld.py b/modules/signatures/network/dns_tld.py
index fe9d66e3..66844472 100644
--- a/modules/signatures/network/dns_tld.py
+++ b/modules/signatures/network/dns_tld.py
@@ -12,7 +12,7 @@ class Suspicious_TLD(Signature):
 categories = ["tldwatch", "network"]
 authors = ["RedSocks", "Kevin Ross"]
 minimum = "2.0"
- ttp = ["X0011.004"]
+ ttp = ["C0011.004"]
 domains_re = [ (".*\\.by$", "Belarus domain TLD"),
diff --git a/modules/signatures/network/network_bind.py b/modules/signatures/network/network_bind.py
index 2286f4f7..6bf8051a 100644
--- a/modules/signatures/network/network_bind.py
+++ b/modules/signatures/network/network_bind.py
@@ -22,7 +22,7 @@ class NetworkBIND(Signature):
 categories = ["bind"]
 authors = ["nex", "Accuvant"]
 minimum = "2.0"
- ttp = ["X0001.002"]
+ ttp = ["C0001.002"]
 filter_apinames = "bind", "listen", "accept"
diff --git a/modules/signatures/network/network_cnc_http.py b/modules/signatures/network/network_cnc_http.py
index ef489f63..2a26da4d 100644
--- a/modules/signatures/network/network_cnc_http.py
+++ b/modules/signatures/network/network_cnc_http.py
@@ -27,7 +27,7 @@ class NetworkHTTPPOST(Signature):
 categories = ["http", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["X0002.005"]
+ ttp = ["C0002.005"]
 filter_analysistypes = set(["file"])
@@ -58,7 +58,7 @@ class NetworkCnCHTTP(Signature):
 categories = ["http", "cnc"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["T1071.001", "M0030"]
+ ttp = ["T1071.001", "B0030"]
 filter_analysistypes = set(["file"])
diff --git a/modules/signatures/network/network_dyndns.py b/modules/signatures/network/network_dyndns.py
index 0ea61433..5452186d 100644
--- a/modules/signatures/network/network_dyndns.py
+++ b/modules/signatures/network/network_dyndns.py
@@ -12,7 +12,7 @@ class NetworkDynDNS(Signature):
 categories = ["dyndns"]
 authors = ["RedSocks"]
 minimum = "2.0"
- ttp = ["X0011.003"]
+ ttp = ["C0011.003"]
 domains_re = [ ".*\\.no-ip\\.",
diff --git a/modules/signatures/network/network_http.py b/modules/signatures/network/network_http.py
index cb4b92e4..b7f59d74 100644
--- a/modules/signatures/network/network_http.py
+++ b/modules/signatures/network/network_http.py
@@ -22,7 +22,7 @@ class NetworkHTTP(Signature):
 categories = ["http"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["X0002.003"]
+ ttp = ["C0002.003"]
 host_whitelist = [ "www.msftncsi.com"
diff --git a/modules/signatures/network/network_icmp.py b/modules/signatures/network/network_icmp.py
index 45f43576..439bb0b4 100644
--- a/modules/signatures/network/network_icmp.py
+++ b/modules/signatures/network/network_icmp.py
@@ -22,7 +22,7 @@ class NetworkICMP(Signature):
 categories = ["icmp"]
 authors = ["David Maciejak"]
 minimum = "2.0"
- ttp = ["X0014.001"]
+ ttp = ["C0014.001"]
 def on_complete(self):
 if self.get_net_icmp():
diff --git a/modules/signatures/network/network_smtp.py b/modules/signatures/network/network_smtp.py
index d795381a..fbf80960 100644
--- a/modules/signatures/network/network_smtp.py
+++ b/modules/signatures/network/network_smtp.py
@@ -22,7 +22,7 @@ class NetworkSMTP(Signature):
 categories = ["smtp", "spam"]
 authors = ["nex", "RicoVZ"]
 minimum = "2.0.0"
- ttp = ["S0012.002"]
+ ttp = ["F0012.002"]
 def on_complete(self):
 for s in getattr(self, "get_net_smtp_ex", lambda: [])():
diff --git a/modules/signatures/windows/allocates_rwx.py b/modules/signatures/windows/allocates_rwx.py
index 54bcbd41..ffe98cfe 100644
--- a/modules/signatures/windows/allocates_rwx.py
+++ b/modules/signatures/windows/allocates_rwx.py
@@ -11,7 +11,7 @@ class AllocatesRWX(Signature):
 categories = ["unpacking"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["X0007"]
+ ttp = ["C0007"]
 filter_apinames = ( "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
diff --git a/modules/signatures/windows/antianalysis_detectfile.py b/modules/signatures/windows/antianalysis_detectfile.py
index 78ab24ea..8007df19 100644
--- a/modules/signatures/windows/antianalysis_detectfile.py
+++ b/modules/signatures/windows/antianalysis_detectfile.py
@@ -11,7 +11,7 @@ class AntiAnalysisDetectFile(Signature):
 categories = ["anti-analysis"]
 authors = ["KillerInstinct"]
 minimum = "2.0"
- ttp = ["M0013.008"]
+ ttp = ["B0013.008"]
 file_indicators = [ "[A-Za-z]:\\\\analysis",
diff --git a/modules/signatures/windows/antiav_servicestop.py b/modules/signatures/windows/antiav_servicestop.py
index ca1d6dd7..47c106cc 100644
--- a/modules/signatures/windows/antiav_servicestop.py
+++ b/modules/signatures/windows/antiav_servicestop.py
@@ -16,7 +16,7 @@ class AntiAVServiceStop(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["S0004"]
+ ttp = ["F0004"]
 evented = True
 def __init__(self, *args, **kwargs):
diff --git a/modules/signatures/windows/antiav_srp.py b/modules/signatures/windows/antiav_srp.py
index c4e4d219..e728c195 100644
--- a/modules/signatures/windows/antiav_srp.py
+++ b/modules/signatures/windows/antiav_srp.py
@@ -11,7 +11,7 @@ class AntiAVSRP(Signature):
 categories = ["anti-av"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["S0004.005", "E1478"]
+ ttp = ["F0004.005", "E1478"]
 regkeys_re = [ ".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*",
diff --git a/modules/signatures/windows/antidbg_debuggercheck.py b/modules/signatures/windows/antidbg_debuggercheck.py
index 1ce92c4d..ef886d4e 100644
--- a/modules/signatures/windows/antidbg_debuggercheck.py
+++ b/modules/signatures/windows/antidbg_debuggercheck.py
@@ -23,7 +23,7 @@ class ChecksDebugger(Signature):
 categories = ["anti-debug"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0001"]
+ ttp = ["B0001"]
 filter_apinames = [ "CheckRemoteDebuggerPresent",
@@ -43,7 +43,7 @@ class ChecksKernelDebugger(Signature):
 categories = ["anti-debug"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0001"]
+ ttp = ["B0001"]
 filter_apinames = [ "SystemKernelDebuggerInformation",
diff --git a/modules/signatures/windows/antidbg_devices.py b/modules/signatures/windows/antidbg_devices.py
index 1b62a286..e1dd9ea9 100644
--- a/modules/signatures/windows/antidbg_devices.py
+++ b/modules/signatures/windows/antidbg_devices.py
@@ -22,7 +22,7 @@ class AntiDBGDevices(Signature):
 categories = ["anti-debug"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0001", "M0013"]
+ ttp = ["B0001", "B0013"]
 indicators = [ ".*SICE$",
diff --git a/modules/signatures/windows/antidbg_windows.py b/modules/signatures/windows/antidbg_windows.py
index 9b36d1f6..4c093273 100644
--- a/modules/signatures/windows/antidbg_windows.py
+++ b/modules/signatures/windows/antidbg_windows.py
@@ -22,7 +22,7 @@ class AntiDBGWindows(Signature):
 categories = ["anti-debug"]
 authors = ["nex", "KillerInstinct", "Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0013.009", "M0001.004"]
+ ttp = ["B0013.009", "B0001.004"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antiemu_wine.py b/modules/signatures/windows/antiemu_wine.py
index d4818b9e..3bdbe23b 100644
--- a/modules/signatures/windows/antiemu_wine.py
+++ b/modules/signatures/windows/antiemu_wine.py
@@ -22,7 +22,7 @@ class WineDetect(Signature):
 categories = ["anti-emulation"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0004"]
+ ttp = ["B0004"]
 filter_apinames = "LdrGetProcedureAddress",
diff --git a/modules/signatures/windows/antisandbox_clipboard.py b/modules/signatures/windows/antisandbox_clipboard.py
index 02d79975..df1ef6e6 100644
--- a/modules/signatures/windows/antisandbox_clipboard.py
+++ b/modules/signatures/windows/antisandbox_clipboard.py
@@ -22,7 +22,7 @@ class AntisandboxClipboard(Signature):
 categories = ["anti-sandbox"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0007.001"]
+ ttp = ["B0007.001"]
 filter_apinames = set(["GetClipboardData"])
diff --git a/modules/signatures/windows/antisandbox_cuckoo_files.py b/modules/signatures/windows/antisandbox_cuckoo_files.py
index b42d78b1..54a5c157 100644
--- a/modules/signatures/windows/antisandbox_cuckoo_files.py
+++ b/modules/signatures/windows/antisandbox_cuckoo_files.py
@@ -22,7 +22,7 @@ class CuckooDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0007.002"]
+ ttp = ["B0007.002"]
 file_indicators = [ ".*\\\\agent\\.py$",
diff --git a/modules/signatures/windows/antisandbox_file.py b/modules/signatures/windows/antisandbox_file.py
index 9d03412f..d9b36015 100644
--- a/modules/signatures/windows/antisandbox_file.py
+++ b/modules/signatures/windows/antisandbox_file.py
@@ -11,7 +11,7 @@ class AntiSandboxFile(Signature):
 categories = ["anti-sandbox"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0007.002"]
+ ttp = ["B0007.002"]
 files_re = [ "[a-zA-Z]:\\\\sample\\.exe",
diff --git a/modules/signatures/windows/antisandbox_forehwnd.py b/modules/signatures/windows/antisandbox_forehwnd.py
index d87f6da8..1f921d23 100644
--- a/modules/signatures/windows/antisandbox_forehwnd.py
+++ b/modules/signatures/windows/antisandbox_forehwnd.py
@@ -20,7 +20,7 @@ class AntiSandboxForegroundWindow(Signature):
 severity = 2
 categories = ["anti-sandbox"]
 minimum = "2.0"
- ttp = ["M0007.003"]
+ ttp = ["B0007.003"]
 references = [ "https://www.virusbtn.com/virusbulletin/archive/2015/09/vb201509-custom-packer.dkb",
diff --git a/modules/signatures/windows/antisandbox_fortinet_files.py b/modules/signatures/windows/antisandbox_fortinet_files.py
index cbdfcc26..f8054e3e 100644
--- a/modules/signatures/windows/antisandbox_fortinet_files.py
+++ b/modules/signatures/windows/antisandbox_fortinet_files.py
@@ -22,7 +22,7 @@ class FortinetDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0007.002"]
+ ttp = ["B0007.002"]
 files_re = [ "C:\\\\tracer\\\\mdare32_0\\.sys",
diff --git a/modules/signatures/windows/antisandbox_idletime.py b/modules/signatures/windows/antisandbox_idletime.py
index 9f4a3fe5..a99a66f4 100644
--- a/modules/signatures/windows/antisandbox_idletime.py
+++ b/modules/signatures/windows/antisandbox_idletime.py
@@ -11,7 +11,7 @@ class AntiSandboxIdleTime(Signature):
 categories = ["anti-sandbox"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0007.009"]
+ ttp = ["B0007.009"]
 filter_apinames = "NtQuerySystemInformation",
diff --git a/modules/signatures/windows/antisandbox_joe_anubis_files.py b/modules/signatures/windows/antisandbox_joe_anubis_files.py
index cb887c5f..d7420a01 100644
--- a/modules/signatures/windows/antisandbox_joe_anubis_files.py
+++ b/modules/signatures/windows/antisandbox_joe_anubis_files.py
@@ -22,7 +22,7 @@ class SandboxJoeAnubisDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0007.002"]
+ ttp = ["B0007.002"]
 file_indicators = [ "C:\\\\sample\\.exe",
diff --git a/modules/signatures/windows/antisandbox_mouse_hook.py b/modules/signatures/windows/antisandbox_mouse_hook.py
index ea819dc0..9cf78efc 100644
--- a/modules/signatures/windows/antisandbox_mouse_hook.py
+++ b/modules/signatures/windows/antisandbox_mouse_hook.py
@@ -22,7 +22,7 @@ class HookMouse(Signature):
 categories = ["hooking", "anti-sandbox"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0007.003", "S0003.003"]
+ ttp = ["B0007.003", "F0003.003"]
 filter_apinames = "SetWindowsHookExA", "SetWindowsHookExW"
diff --git a/modules/signatures/windows/antisandbox_restart.py b/modules/signatures/windows/antisandbox_restart.py
index 53a33389..00756b96 100644
--- a/modules/signatures/windows/antisandbox_restart.py
+++ b/modules/signatures/windows/antisandbox_restart.py
@@ -12,7 +12,7 @@ class AntiSandboxRestart(Signature):
 categories = ["anti-sandbox"]
 authors = ["Cuckoo Technologies", "Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0003.010"]
+ ttp = ["B0003.010"]
 filter_apinames = ( "InitiateSystemShutdownExW", "InitiateSystemShutdownExA",
diff --git a/modules/signatures/windows/antisandbox_sleep.py b/modules/signatures/windows/antisandbox_sleep.py
index 63c623ac..cc4160f2 100644
--- a/modules/signatures/windows/antisandbox_sleep.py
+++ b/modules/signatures/windows/antisandbox_sleep.py
@@ -22,7 +22,7 @@ class AntiSandboxSleep(Signature):
 categories = ["anti-sandbox"]
 authors = ["KillerInstinct"]
 minimum = "2.0"
- ttp = ["M0003.003"]
+ ttp = ["B0003.003"]
 filter_apinames = "NtDelayExecution",
diff --git a/modules/signatures/windows/antisandbox_sunbelt.py b/modules/signatures/windows/antisandbox_sunbelt.py
index 538011ef..c54afecb 100644
--- a/modules/signatures/windows/antisandbox_sunbelt.py
+++ b/modules/signatures/windows/antisandbox_sunbelt.py
@@ -11,7 +11,7 @@ class SunBeltSandboxDetect(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0007"]
+ ttp = ["B0007"]
 dlls_re = [ ".*api_log(\\.dll)?$",
diff --git a/modules/signatures/windows/antisandbox_sunbelt_files.py b/modules/signatures/windows/antisandbox_sunbelt_files.py
index 2d8e51f3..817398b6 100644
--- a/modules/signatures/windows/antisandbox_sunbelt_files.py
+++ b/modules/signatures/windows/antisandbox_sunbelt_files.py
@@ -22,7 +22,7 @@ class SunbeltDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0007.002"]
+ ttp = ["B0007.002"]
 file_indicators = [ ".*\\\\SandboxStarter\\.exe$",
diff --git a/modules/signatures/windows/antisandbox_threattrack_files.py b/modules/signatures/windows/antisandbox_threattrack_files.py
index 4cc5800d..b6e0a681 100644
--- a/modules/signatures/windows/antisandbox_threattrack_files.py
+++ b/modules/signatures/windows/antisandbox_threattrack_files.py
@@ -22,7 +22,7 @@ class ThreatTrackDetectFiles(Signature):
 categories = ["anti-sandbox"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0007.002"]
+ ttp = ["B0007.002"]
 files_re = [ "C:\\\\cwsandbox",
diff --git a/modules/signatures/windows/antisandbox_unhook.py b/modules/signatures/windows/antisandbox_unhook.py
index d914703b..694daf76 100644
--- a/modules/signatures/windows/antisandbox_unhook.py
+++ b/modules/signatures/windows/antisandbox_unhook.py
@@ -22,7 +22,7 @@ class Unhook(Signature):
 categories = ["anti-sandbox"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0003.008"]
+ ttp = ["B0003.008"]
 filter_apinames = "__anomaly__",
diff --git a/modules/signatures/windows/antivm_bochs_keys.py b/modules/signatures/windows/antivm_bochs_keys.py
index 73a44d19..def6e4db 100644
--- a/modules/signatures/windows/antivm_bochs_keys.py
+++ b/modules/signatures/windows/antivm_bochs_keys.py
@@ -22,7 +22,7 @@ class BochsDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
 regkeys_re = [ ".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS_.*",
diff --git a/modules/signatures/windows/antivm_computername.py b/modules/signatures/windows/antivm_computername.py
index e1873904..90e18f6e 100644
--- a/modules/signatures/windows/antivm_computername.py
+++ b/modules/signatures/windows/antivm_computername.py
@@ -22,7 +22,7 @@ class AntiVMComputernameQuery(Signature):
 categories = ["AntiVM"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009", "T1082"]
+ ttp = ["B0009", "T1082"]
 filter_apinames = [ "GetComputerNameA",
diff --git a/modules/signatures/windows/antivm_disksize.py b/modules/signatures/windows/antivm_disksize.py
index ea8c39d5..95ec5c13 100644
--- a/modules/signatures/windows/antivm_disksize.py
+++ b/modules/signatures/windows/antivm_disksize.py
@@ -22,7 +22,7 @@ class AntiVMDiskSize(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009.015"]
+ ttp = ["B0009.015"]
 evented = True
diff --git a/modules/signatures/windows/antivm_generic_bios.py b/modules/signatures/windows/antivm_generic_bios.py
index 09550c25..9b9e6e8f 100644
--- a/modules/signatures/windows/antivm_generic_bios.py
+++ b/modules/signatures/windows/antivm_generic_bios.py
@@ -22,7 +22,7 @@ class AntiVMBios(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009.024", "M0009.005", "T1012"]
+ ttp = ["B0009.024", "B0009.005", "T1012"]
 regkeys_re = [ ".*SystemBiosVersion",
diff --git a/modules/signatures/windows/antivm_generic_cpu.py b/modules/signatures/windows/antivm_generic_cpu.py
index 81ec5eb7..64e7f402 100644
--- a/modules/signatures/windows/antivm_generic_cpu.py
+++ b/modules/signatures/windows/antivm_generic_cpu.py
@@ -22,7 +22,7 @@ class AntiVMCPU(Signature):
 categories = ["anti-vm"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["M0009.026", "M0009.005", "T1012"]
+ ttp = ["B0009.026", "B0009.005", "T1012"]
 regkeys_re = [ ".*\\\\HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\.*\\\\ProcessorNameString",
diff --git a/modules/signatures/windows/antivm_generic_disk.py b/modules/signatures/windows/antivm_generic_disk.py
index 82e73d27..d5a455db 100644
--- a/modules/signatures/windows/antivm_generic_disk.py
+++ b/modules/signatures/windows/antivm_generic_disk.py
@@ -22,7 +22,7 @@ class DiskInformation(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
 filter_apinames = [ "NtCreateFile",
diff --git a/modules/signatures/windows/antivm_generic_firmware.py b/modules/signatures/windows/antivm_generic_firmware.py
index 36e3a904..b8680d2f 100644
--- a/modules/signatures/windows/antivm_generic_firmware.py
+++ b/modules/signatures/windows/antivm_generic_firmware.py
@@ -11,7 +11,7 @@ class VMFirmware(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0009.023"]
+ ttp = ["B0009.023"]
 filter_apinames = "NtQuerySystemInformation",
diff --git a/modules/signatures/windows/antivm_generic_ide.py b/modules/signatures/windows/antivm_generic_ide.py
index 7a5f6b4b..32997052 100644
--- a/modules/signatures/windows/antivm_generic_ide.py
+++ b/modules/signatures/windows/antivm_generic_ide.py
@@ -22,7 +22,7 @@ class AntiVMIDE(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
 def on_complete(self):
 for regkey in self.check_key(pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\IDE", regex=True, all=True):
diff --git a/modules/signatures/windows/antivm_generic_scsi.py b/modules/signatures/windows/antivm_generic_scsi.py
index c3ec91c9..707ea187 100644
--- a/modules/signatures/windows/antivm_generic_scsi.py
+++ b/modules/signatures/windows/antivm_generic_scsi.py
@@ -22,7 +22,7 @@ class AntiVMSCSI(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
 regkeys_re = [ ".*\\\\HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port \\d+\\\\Scsi Bus \\d+\\\\Target Id \\d+\\\\Logical Unit Id \\d+\\\\Identifier",
diff --git a/modules/signatures/windows/antivm_generic_services.py b/modules/signatures/windows/antivm_generic_services.py
index 500ad1e2..8a54b36f 100644
--- a/modules/signatures/windows/antivm_generic_services.py
+++ b/modules/signatures/windows/antivm_generic_services.py
@@ -22,7 +22,7 @@ class AntiVMServices(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009.006", "T1007"]
+ ttp = ["B0009.006", "T1007"]
 filter_apinames = "EnumServicesStatusA", "EnumServicesStatusW"
diff --git a/modules/signatures/windows/antivm_hyperv_keys.py b/modules/signatures/windows/antivm_hyperv_keys.py
index e0de0afc..6e317fbf 100644
--- a/modules/signatures/windows/antivm_hyperv_keys.py
+++ b/modules/signatures/windows/antivm_hyperv_keys.py
@@ -22,7 +22,7 @@ class HyperVDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
 regkeys_re = [ ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\Hyper_V_Gen_Counter_V1",
diff --git a/modules/signatures/windows/antivm_memory_available.py b/modules/signatures/windows/antivm_memory_available.py
index 93f5ecf7..adc24f2e 100644
--- a/modules/signatures/windows/antivm_memory_available.py
+++ b/modules/signatures/windows/antivm_memory_available.py
@@ -22,7 +22,7 @@ class MemoryAvailable(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009.014"]
+ ttp = ["B0009.014"]
 filter_apinames = [ "GlobalMemoryStatusEx", "GetPhysicallyInstalledSystemMemory",
diff --git a/modules/signatures/windows/antivm_network_adapter.py b/modules/signatures/windows/antivm_network_adapter.py
index 678935a9..c89be794 100644
--- a/modules/signatures/windows/antivm_network_adapter.py
+++ b/modules/signatures/windows/antivm_network_adapter.py
@@ -22,7 +22,7 @@ class NetworkAdapters(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009.023"]
+ ttp = ["B0009.023"]
 filter_apinames = set(["GetAdaptersAddresses"])
diff --git a/modules/signatures/windows/antivm_parallels_keys.py b/modules/signatures/windows/antivm_parallels_keys.py
index 20468262..98d805ed 100644
--- a/modules/signatures/windows/antivm_parallels_keys.py
+++ b/modules/signatures/windows/antivm_parallels_keys.py
@@ -22,7 +22,7 @@ class ParallelsDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
 regkeys_re = [ ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_1AB8&DEV_4000&SUBSYS_04001AB8&REV_00",
diff --git a/modules/signatures/windows/antivm_parallels_window.py b/modules/signatures/windows/antivm_parallels_window.py
index b6846865..2c44a5ee 100644
--- a/modules/signatures/windows/antivm_parallels_window.py
+++ b/modules/signatures/windows/antivm_parallels_window.py
@@ -22,7 +22,7 @@ class ParallelsDetectWindow(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009.009"]
+ ttp = ["B0009.009"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_psuedo_device.py b/modules/signatures/windows/antivm_psuedo_device.py
index e37a602b..7eebfe7b 100644
--- a/modules/signatures/windows/antivm_psuedo_device.py
+++ b/modules/signatures/windows/antivm_psuedo_device.py
@@ -22,7 +22,7 @@ class AntiVMSharedDevice(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["B0009"]
 filter_apinames = "NtCreateFile",
diff --git a/modules/signatures/windows/antivm_sandboxie.py b/modules/signatures/windows/antivm_sandboxie.py
index 6f93b403..f0454bf1 100644
--- a/modules/signatures/windows/antivm_sandboxie.py
+++ b/modules/signatures/windows/antivm_sandboxie.py
@@ -11,7 +11,7 @@ class SandboxieDetect(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["B0009"]
 mutexes_re = [ ".*Sandboxie_SingleInstanceMutex_Control",
diff --git a/modules/signatures/windows/antivm_vbox_acpi.py b/modules/signatures/windows/antivm_vbox_acpi.py
index 0d819de5..e794e75a 100644
--- a/modules/signatures/windows/antivm_vbox_acpi.py
+++ b/modules/signatures/windows/antivm_vbox_acpi.py
@@ -22,7 +22,7 @@ class VBoxDetectACPI(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009.023", "M0009.005", "T1012"]
+ ttp = ["B0009.023", "B0009.005", "T1012"]
 def on_complete(self):
 for regkey in self.check_key("HARDWARE\\\\ACPI\\\\.*vbox_", regex=True, all=True):
diff --git a/modules/signatures/windows/antivm_vbox_devices.py b/modules/signatures/windows/antivm_vbox_devices.py
index 85af8a01..f78b9a6a 100644
--- a/modules/signatures/windows/antivm_vbox_devices.py
+++ b/modules/signatures/windows/antivm_vbox_devices.py
@@ -22,7 +22,7 @@ class VBoxDetectDevices(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["B0009"]
 # TODO Might as well just do a generic ".*VBox.*" regex?
 indicators = [
diff --git a/modules/signatures/windows/antivm_vbox_files.py b/modules/signatures/windows/antivm_vbox_files.py
index fcec7e3a..4a37cd11 100644
--- a/modules/signatures/windows/antivm_vbox_files.py
+++ b/modules/signatures/windows/antivm_vbox_files.py
@@ -22,7 +22,7 @@ class VBoxDetectFiles(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009.001"]
+ ttp = ["B0009.001"]
 indicators = [ ".*VBoxDisp\\.dll",
diff --git a/modules/signatures/windows/antivm_vbox_keys.py b/modules/signatures/windows/antivm_vbox_keys.py
index 7862e844..bf67dce7 100644
--- a/modules/signatures/windows/antivm_vbox_keys.py
+++ b/modules/signatures/windows/antivm_vbox_keys.py
@@ -22,7 +22,7 @@ class VBoxDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["nex", "Brad Spengler"]
 minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
 regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Oracle\\\\VirtualBox\\ Guest\\ Additions",
diff --git a/modules/signatures/windows/antivm_vbox_provname.py b/modules/signatures/windows/antivm_vbox_provname.py
index 16f62e1f..27392d0e 100644
--- a/modules/signatures/windows/antivm_vbox_provname.py
+++ b/modules/signatures/windows/antivm_vbox_provname.py
@@ -22,7 +22,7 @@ class VBoxDetectProvname(Signature):
 categories = ["anti-vm"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["M0009.001"]
+ ttp = ["B0009.001"]
 evented = True
diff --git a/modules/signatures/windows/antivm_vbox_window.py b/modules/signatures/windows/antivm_vbox_window.py
index c5574e27..e499cc79 100644
--- a/modules/signatures/windows/antivm_vbox_window.py
+++ b/modules/signatures/windows/antivm_vbox_window.py
@@ -22,7 +22,7 @@ class VBoxDetectWindow(Signature):
 categories = ["anti-vm"]
 authors = ["nex"]
 minimum = "2.0"
- ttp = ["M0009.009"]
+ ttp = ["B0009.009"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_virtualpc.py b/modules/signatures/windows/antivm_virtualpc.py
index e55c92aa..0b4db21a 100644
--- a/modules/signatures/windows/antivm_virtualpc.py
+++ b/modules/signatures/windows/antivm_virtualpc.py
@@ -11,7 +11,7 @@ class VirtualPCDetect(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["B0009"]
 mutexes_re = [ ".*MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex",
diff --git a/modules/signatures/windows/antivm_virtualpc_magic.py b/modules/signatures/windows/antivm_virtualpc_magic.py
index 4032b03a..fb1af9d1 100644
--- a/modules/signatures/windows/antivm_virtualpc_magic.py
+++ b/modules/signatures/windows/antivm_virtualpc_magic.py
@@ -11,7 +11,7 @@ class VirtualPCIllegalInstruction(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["B0009"]
 filter_apinames = "__exception__",
diff --git a/modules/signatures/windows/antivm_virtualpc_window.py b/modules/signatures/windows/antivm_virtualpc_window.py
index 44002c20..36195f27 100644
--- a/modules/signatures/windows/antivm_virtualpc_window.py
+++ b/modules/signatures/windows/antivm_virtualpc_window.py
@@ -22,7 +22,7 @@ class VirtualPCDetectWindow(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009.009"]
+ ttp = ["B0009.009"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_vmware_files.py b/modules/signatures/windows/antivm_vmware_files.py
index 2d4d9b8e..58b912c5 100644
--- a/modules/signatures/windows/antivm_vmware_files.py
+++ b/modules/signatures/windows/antivm_vmware_files.py
@@ -11,7 +11,7 @@ class VMWareDetectFiles(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0009.001"]
+ ttp = ["B0009.001"]
 files_re = [ ".*vmmouse\\.sys",
diff --git a/modules/signatures/windows/antivm_vmware_in_insn.py b/modules/signatures/windows/antivm_vmware_in_insn.py
index b2cc477d..d1c8cddc 100644
--- a/modules/signatures/windows/antivm_vmware_in_insn.py
+++ b/modules/signatures/windows/antivm_vmware_in_insn.py
@@ -11,7 +11,7 @@ class VMWareInInstruction(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies"]
 minimum = "2.0"
- ttp = ["M0009"]
+ ttp = ["B0009"]
 filter_apinames = "__exception__",
diff --git a/modules/signatures/windows/antivm_vmware_keys.py b/modules/signatures/windows/antivm_vmware_keys.py
index b499a6f2..aebced47 100644
--- a/modules/signatures/windows/antivm_vmware_keys.py
+++ b/modules/signatures/windows/antivm_vmware_keys.py
@@ -21,7 +21,7 @@ class VMWareDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Cuckoo Technologies", "Optiv"]
 minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
 regkeys_re = [ ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?VMWare,\\ Inc\..*",
diff --git a/modules/signatures/windows/antivm_vmware_window.py b/modules/signatures/windows/antivm_vmware_window.py
index 49b4e942..8cd402ec 100644
--- a/modules/signatures/windows/antivm_vmware_window.py
+++ b/modules/signatures/windows/antivm_vmware_window.py
@@ -22,7 +22,7 @@ class VMwareDetectWindow(Signature):
 categories = ["anti-vm"]
 authors = ["Kevin Ross"]
 minimum = "2.0"
- ttp = ["M0009.009"]
+ ttp = ["B0009.009"]
 filter_categories = "ui",
diff --git a/modules/signatures/windows/antivm_vpc_keys.py b/modules/signatures/windows/antivm_vpc_keys.py
index 0b3187e6..a665248e 100644
--- a/modules/signatures/windows/antivm_vpc_keys.py
+++ b/modules/signatures/windows/antivm_vpc_keys.py
@@ -22,7 +22,7 @@ class VPCDetectKeys(Signature):
 categories = ["anti-vm"]
 authors = ["Optiv"]
 minimum = "2.0"
- ttp = ["M0009.005", "T1012"]
+ ttp = ["B0009.005", "T1012"]
 regkeys_re = [ ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00",
diff --git a/modules/signatures/windows/antivm_xen_keys.py b/modules/signatures/windows/antivm_xen_keys.py
index e58bdb88..477b4b95 100644
--- a/modules/signatures/windows/antivm_xen_keys.py
+++ b/modules/signatures/windows/antivm_xen_keys.py
@@ -22,7 +22,7 @@ class XenDetectKeys(Signature):
     categories = ["anti-vm"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0009.005", "T1012"]
+    ttp = ["B0009.005", "T1012"]
     regkeys_re = [
         ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\XEN0000.*",
diff --git a/modules/signatures/windows/bitcoin_opencl.py b/modules/signatures/windows/bitcoin_opencl.py
index da1716e1..c2be1481 100644
--- a/modules/signatures/windows/bitcoin_opencl.py
+++ b/modules/signatures/windows/bitcoin_opencl.py
@@ -22,7 +22,7 @@ class BitcoinOpenCL(Signature):
     categories = ["bitcoin"]
     authors = ["nex"]
     minimum = "2.0"
-    ttp = ["M0018.002"]
+    ttp = ["B0018.002"]
     def on_complete(self):
         filepath = self.check_file(pattern=".*OpenCL\.dll$", regex=True)
diff --git a/modules/signatures/windows/bootconfig_modify.py b/modules/signatures/windows/bootconfig_modify.py
index 2926a2f3..d2a95302 100644
--- a/modules/signatures/windows/bootconfig_modify.py
+++ b/modules/signatures/windows/bootconfig_modify.py
@@ -22,7 +22,7 @@ class ModifiesBootConfig(Signature):
     categories = ["persistance", "ransomware"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["S0013"]
+    ttp = ["F0013"]
     filter_apinames = "ShellExecuteExW", "CreateProcessInternalW",
     def on_call(self, call, process):
diff --git a/modules/signatures/windows/bootkit.py b/modules/signatures/windows/bootkit.py
index 97415916..e2c5f45c 100644
--- a/modules/signatures/windows/bootkit.py
+++ b/modules/signatures/windows/bootkit.py
@@ -13,7 +13,7 @@ class Bootkit(Signature):
     authors = ["Optiv"]
     minimum = "2.0"
     evented = True
-    ttp = ["S0013"]
+    ttp = ["F0013"]
     BasicFileInformation = 4
     def __init__(self, *args, **kwargs):
diff --git a/modules/signatures/windows/bypass_firewall.py b/modules/signatures/windows/bypass_firewall.py
index 2a534fb3..79089712 100644
--- a/modules/signatures/windows/bypass_firewall.py
+++ b/modules/signatures/windows/bypass_firewall.py
@@ -24,7 +24,7 @@ class BypassFirewall(Signature):
     categories = ["bypass"]
     authors = ["Anderson Tamborim", "nex", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["E1478", "S0004"]
+    ttp = ["E1478", "F0004"]
     indicator = ".*\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\.*"
     def on_complete(self):
diff --git a/modules/signatures/windows/creates_doc.py b/modules/signatures/windows/creates_doc.py
index 059ff01d..434ead4e 100644
--- a/modules/signatures/windows/creates_doc.py
+++ b/modules/signatures/windows/creates_doc.py
@@ -11,7 +11,7 @@ class CreatesDocument(Signature):
     categories = ["generic"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["X0016.001"]
+    ttp = ["C0016.001"]
     pattern = ".*\\.(doc|docm|dotm|docx|ppt|pptm|pptx|potm|ppam|ppsm|xls|xlsm|xlsx|pdf)$"
diff --git a/modules/signatures/windows/creates_exe.py b/modules/signatures/windows/creates_exe.py
index 2331cf1f..b1a170b0 100644
--- a/modules/signatures/windows/creates_exe.py
+++ b/modules/signatures/windows/creates_exe.py
@@ -16,7 +16,7 @@ class CreatesExe(Signature):
     categories = ["generic"]
     authors = ["Cuckoo Developers"]
     minimum = "2.0"
-    ttp = ["E1105", "M0023"]
+    ttp = ["E1105", "B0023"]
     pattern = (
         ".*\\.(bat|cmd|com|cpl|dll|exe|js|jse|lnk|msi|msh|msh1|msh2|mshxml|"
@@ -37,7 +37,7 @@ class CreatesUserFolderEXE(Signature):
     families = ["persistance"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["E1105", "M0023"]
+    ttp = ["E1105", "B0023"]
     directories_re = [
         "^[a-zA-Z]:\\\\Users\\\\[^\\\\]+\\\\AppData\\\\.*",
diff --git a/modules/signatures/windows/creates_largekey.py b/modules/signatures/windows/creates_largekey.py
index bd09869e..56e50d3c 100644
--- a/modules/signatures/windows/creates_largekey.py
+++ b/modules/signatures/windows/creates_largekey.py
@@ -29,7 +29,7 @@ class CreatesLargeKey(Signature):
     categories = ["stealth"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["M0040.001", "E1112"]
+    ttp = ["B0040.001", "E1112"]
     evented = True
     filter_apinames = set(["NtSetValueKey", "RegSetValueExA", "RegSetValueExW"])
diff --git a/modules/signatures/windows/creates_null_reg_entry.py b/modules/signatures/windows/creates_null_reg_entry.py
index 4f81aed9..4236e50b 100644
--- a/modules/signatures/windows/creates_null_reg_entry.py
+++ b/modules/signatures/windows/creates_null_reg_entry.py
@@ -12,7 +12,7 @@ class CreatesNullRegistryEntry(Signature):
     severity = 2
     categories = ["stealth"]
     minimum = "2.0"
-    ttp = ["S0006", "E1112"]
+    ttp = ["F0006", "E1112"]
     filter_apinames = (
         "NtSetValueKey", "NtCreateKey", "RegCreateKeyExA", "RegCreateKeyExW", "RegSetValueExA", "RegSetValueExW",
diff --git a/modules/signatures/windows/crypto_apis.py b/modules/signatures/windows/crypto_apis.py
index c25a4e0d..35c0bb21 100644
--- a/modules/signatures/windows/crypto_apis.py
+++ b/modules/signatures/windows/crypto_apis.py
@@ -22,7 +22,7 @@ class CryptGenKey(Signature):
     families = ["generic"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["X0021.003"]
+    ttp = ["C0021.003"]
     filter_apinames = "CryptGenKey", "CryptExportKey",
diff --git a/modules/signatures/windows/deletes_executed.py b/modules/signatures/windows/deletes_executed.py
index 38363471..b69a417c 100644
--- a/modules/signatures/windows/deletes_executed.py
+++ b/modules/signatures/windows/deletes_executed.py
@@ -22,7 +22,7 @@ class DeletesExecutedFiles(Signature):
     categories = ["persistence", "stealth"]
     authors = ["Optiv", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["S0007"]
+    ttp = ["F0007"]
     evented = True
     def on_complete(self):
diff --git a/modules/signatures/windows/disables_browserwarn.py b/modules/signatures/windows/disables_browserwarn.py
index 6315d823..1e8eec4e 100644
--- a/modules/signatures/windows/disables_browserwarn.py
+++ b/modules/signatures/windows/disables_browserwarn.py
@@ -11,7 +11,7 @@ class DisablesBrowserWarn(Signature):
     categories = ["generic", "banker", "clickfraud"]
     authors = ["Optiv", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["S0004", "E1112"]
+    ttp = ["F0004", "E1112"]
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnBadCertRecving",
diff --git a/modules/signatures/windows/disables_security.py b/modules/signatures/windows/disables_security.py
index a839683f..33d5fdb1 100644
--- a/modules/signatures/windows/disables_security.py
+++ b/modules/signatures/windows/disables_security.py
@@ -11,7 +11,7 @@ class DisablesSecurity(Signature):
     categories = ["anti-av"]
     authors = ["Cuckoo Technologies", "Brad Spengler"]
     minimum = "2.0"
-    ttp = ["S0004"]
+    ttp = ["F0004"]
     regkeys_re = [
         ("HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA", "attempts to disable user access control"),
diff --git a/modules/signatures/windows/disables_wer.py b/modules/signatures/windows/disables_wer.py
index d8a0fa63..e7e7c412 100644
--- a/modules/signatures/windows/disables_wer.py
+++ b/modules/signatures/windows/disables_wer.py
@@ -11,7 +11,7 @@ class DisablesWER(Signature):
     categories = ["stealth"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["S0006", "S0004", "E1112"]
+    ttp = ["F0006", "F0004", "E1112"]
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ Error\\ Reporting\\\\Disabled$",
diff --git a/modules/signatures/windows/disables_windowsupdate.py b/modules/signatures/windows/disables_windowsupdate.py
index 34f8b8a4..bdfb2c31 100644
--- a/modules/signatures/windows/disables_windowsupdate.py
+++ b/modules/signatures/windows/disables_windowsupdate.py
@@ -11,7 +11,7 @@ class DisablesWindowsUpdate(Signature):
     categories = ["generic"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["S0004"]
+    ttp = ["F0004"]
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\(AU\\\\NoAutoUpdate|Auto\\ Update\\\\AUOptions)$",
diff --git a/modules/signatures/windows/dns_dyndns_provider.py b/modules/signatures/windows/dns_dyndns_provider.py
index 76cd8f4e..3716418a 100644
--- a/modules/signatures/windows/dns_dyndns_provider.py
+++ b/modules/signatures/windows/dns_dyndns_provider.py
@@ -12,7 +12,7 @@ class dnsserver_dynamic(Signature):
     categories = ["dns"]
     authors = ["RedSocks"]
     minimum = "2.0"
-    ttp = ["X0011.003"]
+    ttp = ["C0011.003"]
     ipaddrs = [
         "221.228.198.216",
diff --git a/modules/signatures/windows/dns_freehosting_domain.py b/modules/signatures/windows/dns_freehosting_domain.py
index 3e41b0ae..90dee248 100644
--- a/modules/signatures/windows/dns_freehosting_domain.py
+++ b/modules/signatures/windows/dns_freehosting_domain.py
@@ -12,7 +12,7 @@ class Dns_Freehosting_Domain(Signature):
     categories = ["freehosting"]
     authors = ["RedSocks"]
     minimum = "2.0"
-    ttp = ["X0011.005"]
+    ttp = ["C0011.005"]
     domains_re = [
         ".*\.yzi\.me",
diff --git a/modules/signatures/windows/driver_load.py b/modules/signatures/windows/driver_load.py
index 2db43a3b..49d13b43 100644
--- a/modules/signatures/windows/driver_load.py
+++ b/modules/signatures/windows/driver_load.py
@@ -22,7 +22,7 @@ class DriverLoad(Signature):
     categories = ["stealth"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["X0023"]
+    ttp = ["C0023"]
     filter_apinames = set(["NtLoadDriver"])
diff --git a/modules/signatures/windows/dropper.py b/modules/signatures/windows/dropper.py
index c8fb4bc4..882a96e1 100644
--- a/modules/signatures/windows/dropper.py
+++ b/modules/signatures/windows/dropper.py
@@ -22,7 +22,7 @@ class Dropper(Signature):
     categories = ["dropper"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["M0023"]
+    ttp = ["B0023"]
     def __init__(self, *args, **kwargs):
         Signature.__init__(self, *args, **kwargs)
@@ -59,7 +59,7 @@ class ExeAppData(Signature):
     categories = ["dropper", "persistence"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0023"]
+    ttp = ["B0023"]
     def on_complete(self):
         for dropped in self.get_results("dropped", []):
diff --git a/modules/signatures/windows/emoves_zoneid_ads.py b/modules/signatures/windows/emoves_zoneid_ads.py
index 9ad29d52..a3644f90 100644
--- a/modules/signatures/windows/emoves_zoneid_ads.py
+++ b/modules/signatures/windows/emoves_zoneid_ads.py
@@ -11,7 +11,7 @@ class RemovesZoneIdADS(Signature):
     categories = ["generic"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["S0007"]
+    ttp = ["F0007"]
     def on_complete(self):
         for deletedfile in self.get_files(actions=["file_deleted"]):
diff --git a/modules/signatures/windows/exec_waitfor.py b/modules/signatures/windows/exec_waitfor.py
index e1f8df8f..bc8224d8 100644
--- a/modules/signatures/windows/exec_waitfor.py
+++ b/modules/signatures/windows/exec_waitfor.py
@@ -13,7 +13,7 @@ class ExecWaitFor(Signature):
     categories = ["script", "bypass"]
     authors = ["FDD", "Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0003.003"]
+    ttp = ["B0003.003"]
     def on_complete(self):
         lower = "".join(self.get_command_lines()).lower()
diff --git a/modules/signatures/windows/exploitation.py b/modules/signatures/windows/exploitation.py
index a78ac9d7..5d63288f 100644
--- a/modules/signatures/windows/exploitation.py
+++ b/modules/signatures/windows/exploitation.py
@@ -11,7 +11,7 @@ class ExploitHeapspray(Signature):
     categories = ["exploit"]
     authors = ["Cuckoo Technologies", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["X0006"]
+    ttp = ["C0006"]
     references = ["https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/"]
     filter_apinames = "NtAllocateVirtualMemory",
@@ -104,7 +104,7 @@ class StackPivot(Signature):
     categories = ["exploit", "rop"]
     authors = ["Optiv", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["X0009"]
+    ttp = ["C0009"]
     filter_apinames = critical_apinames
@@ -142,7 +142,7 @@ class DEPHeapBypass(Signature):
     categories = ["exploit"]
     authors = ["Optiv", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["X0002.002"]
+    ttp = ["C0002.002"]
     filter_apinames = critical_apinames
@@ -180,7 +180,7 @@ class DEPStackBypass(Signature):
     categories = ["exploit"]
     authors = ["Optiv", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["X0002.001"]
+    ttp = ["C0002.001"]
     filter_apinames = critical_apinames
@@ -270,7 +270,7 @@ class StackPivotShellcodeAPIs(Signature):
     categories = ["exploit", "rop", "shellcode"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["X0009", "E1059"]
+    ttp = ["C0009", "E1059"]
     evented = True
@@ -311,7 +311,7 @@ class StackPivotShellcodeCreateProcess(Signature):
     categories = ["exploit", "rop", "shellcode"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["X0009", "X0017.001", "E1059"]
+    ttp = ["C0009", "C0017.001", "E1059"]
     evented = True
diff --git a/modules/signatures/windows/infostealer_keylogger.py b/modules/signatures/windows/infostealer_keylogger.py
index 6421b3fa..9f4c142c 100644
--- a/modules/signatures/windows/infostealer_keylogger.py
+++ b/modules/signatures/windows/infostealer_keylogger.py
@@ -23,7 +23,7 @@ class Keylogger(Signature):
     categories = ["generic"]
     authors = ["Thomas Birn", "nex"]
     minimum = "2.0"
-    ttp = ["S0002.001", "S0003.003"]
+    ttp = ["F0002.001", "F0003.003"]
     filter_apinames = "SetWindowsHookExA", "SetWindowsHookExW"
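Review bot: The mechanical prefix swap in the `DEPHeapBypass` and `DEPStackBypass` hunks leaves two exploitation signatures tagged `C0002.002` and `C0002.001` while, under the same new prefix, the `OfficeHttpRequest` signature in office.py carries `C0002.003`, so a DEP bypass and an HTTP request now share one parent behaviour ID. If the C-series is MBC's micro-behaviour list (the `C0011` DNS and `C0012` SMTP renames elsewhere in this commit suggest it is, and C0002 there is HTTP Communication as far as I recall), the DEP-bypass identifiers are a pre-existing mis-mapping that the rename carries forward rather than fixes. Worth checking those two `ttp` values against the MBC memory/defence-evasion behaviours before merge, or at least leaving a `# TODO: verify against MBC list` next to them so the report output does not silently label exploit behaviour as HTTP traffic. The enclosing classes continue outside these hunks.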
diff --git a/modules/signatures/windows/locates_sniffer.py b/modules/signatures/windows/locates_sniffer.py
index d363337b..62af2a5b 100644
--- a/modules/signatures/windows/locates_sniffer.py
+++ b/modules/signatures/windows/locates_sniffer.py
@@ -10,7 +10,7 @@ class LocatesSniffer(Signature):
     severity = 2
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0013"]
+    ttp = ["B0013"]
     regkeys_re = [
         ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\App\\ Paths\\\\Wireshark.exe",
diff --git a/modules/signatures/windows/maldoc.py b/modules/signatures/windows/maldoc.py
index 99e5ff0c..2322450a 100644
--- a/modules/signatures/windows/maldoc.py
+++ b/modules/signatures/windows/maldoc.py
@@ -11,7 +11,7 @@ class MaliciousDocumentURLs(Signature):
     categories = ["downloader"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0023", "E1059.007", "E1059.005"]
+    ttp = ["B0023", "E1059.007", "E1059.005"]
     filter_apinames = [
         "InternetCrackUrlW",
diff --git a/modules/signatures/windows/memdump_urls.py b/modules/signatures/windows/memdump_urls.py
index bafdc86b..fb53aa5d 100644
--- a/modules/signatures/windows/memdump_urls.py
+++ b/modules/signatures/windows/memdump_urls.py
@@ -77,7 +77,7 @@ class ProcMemDumpIPURLs(Signature):
     categories = ["unpacking", "c2"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0030"]
+    ttp = ["B0030"]
     def on_complete(self):
         ip = re.compile("^(http|https)\:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
diff --git a/modules/signatures/windows/mining.py b/modules/signatures/windows/mining.py
index bf069322..ea760a85 100644
--- a/modules/signatures/windows/mining.py
+++ b/modules/signatures/windows/mining.py
@@ -12,7 +12,7 @@ class miningpool(Signature):
     categories = ["mining"]
     authors = ["RedSocks"]
     minimum = "2.0"
-    ttp = ["M0018.002"]
+    ttp = ["B0018.002"]
     ipaddrs = [
         "144.76.102.176",
diff --git a/modules/signatures/windows/modifies_proxies.py b/modules/signatures/windows/modifies_proxies.py
index 407fb5a9..d5e5659b 100644
--- a/modules/signatures/windows/modifies_proxies.py
+++ b/modules/signatures/windows/modifies_proxies.py
@@ -97,7 +97,7 @@ class DisablesProxy(Signature):
     categories = ["infostealer"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["S0004", "E1112"]
+    ttp = ["F0004", "E1112"]
     evented = True
     filter_apinames = [
diff --git a/modules/signatures/windows/modifies_seccenter.py b/modules/signatures/windows/modifies_seccenter.py
index 0ac48cd9..931ee4ac 100644
--- a/modules/signatures/windows/modifies_seccenter.py
+++ b/modules/signatures/windows/modifies_seccenter.py
@@ -11,7 +11,7 @@ class ModifySecurityCenterWarnings(Signature):
     categories = ["stealth"]
     authors = ["Kevin Ross", "Optiv"]
     minimum = "2.0"
-    ttp = ["S0004", "E1112"]
+    ttp = ["F0004", "E1112"]
     regkeys_re = [
         ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\.*",
diff --git a/modules/signatures/windows/network_rdp_mutex.py b/modules/signatures/windows/network_rdp_mutex.py
index c04fec6e..1d619884 100644
--- a/modules/signatures/windows/network_rdp_mutex.py
+++ b/modules/signatures/windows/network_rdp_mutex.py
@@ -13,7 +13,7 @@ class RdpMutexes(Signature):
     families = ["rdp"]
     authors = ["RedSocks"]
     minimum = "2.0"
-    ttp = ["X0022.001"]
+    ttp = ["C0022.001"]
     mutexes_re = [
         "msrdp*",
diff --git a/modules/signatures/windows/office.py b/modules/signatures/windows/office.py
index 15befa79..15b55694 100644
--- a/modules/signatures/windows/office.py
+++ b/modules/signatures/windows/office.py
@@ -58,7 +58,7 @@ class OfficeCheckProjectName(Signature):
     categories = ["vba"]
     authors = ["FDD", "Cuckoo Sandbox"]
     minimum = "2.0"
-    ttp = ["M0038", "M0007.007"]
+    ttp = ["B0038", "B0007.007"]
     filter_apinames = "vbe6_Invoke",
@@ -76,7 +76,7 @@ class OfficeCountDirectories(Signature):
     categories = ["vba"]
     authors = ["FDD @ Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0007.003", "T1083"]
+    ttp = ["B0007.003", "T1083"]
     filter_apinames = "vbe6_Invoke",
@@ -94,7 +94,7 @@ class OfficeCheckVersion(Signature):
     categories = ["vba"]
     authors = ["FDD", "Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0009.007", "T1518"]
+    ttp = ["B0009.007", "T1518"]
     filter_apinames = "vbe6_Invoke",
@@ -118,7 +118,7 @@ class OfficeCheckWindow(Signature):
     categories = ["vba"]
     authors = ["FDD @ Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0009.020", "T1010"]
+    ttp = ["B0009.020", "T1010"]
     filter_apinames = "vbe6_Invoke",
@@ -142,7 +142,7 @@ class OfficeHttpRequest(Signature):
     categories = ["vba"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["X0002.003"]
+    ttp = ["C0002.003"]
     filter_apinames = "vbe6_Invoke",
@@ -168,7 +168,7 @@ class OfficeRecentFiles(Signature):
     categories = ["vba"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0007.003", "T1083"]
+    ttp = ["B0007.003", "T1083"]
     filter_apinames = "vbe6_Invoke",
@@ -221,7 +221,7 @@ class OfficeCheckName(Signature):
     categories = ["office"]
     authors = ["FDD", "Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0038", "M0007.007", "E1059"]
+    ttp = ["B0038", "B0007.007", "E1059"]
     patterns = [
         "[^\n\r;']*Me.Name[^\n\r;']*",
diff --git a/modules/signatures/windows/packer_entropy.py b/modules/signatures/windows/packer_entropy.py
index b3408ed3..d775f0aa 100644
--- a/modules/signatures/windows/packer_entropy.py
+++ b/modules/signatures/windows/packer_entropy.py
@@ -22,7 +22,7 @@ class PackerEntropy(Signature):
     categories = ["packer"]
     authors = ["Robby Zeitfuchs", "nex"]
     minimum = "2.0"
-    ttp = ["S0001"]
+    ttp = ["F0001"]
     references = [
         "http://www.forensickb.com/2013/03/file-entropy-explained.html",
         "http://virii.es/U/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf",
diff --git a/modules/signatures/windows/packer_polymorphic.py b/modules/signatures/windows/packer_polymorphic.py
index 80e9b238..603fbfa6 100644
--- a/modules/signatures/windows/packer_polymorphic.py
+++ b/modules/signatures/windows/packer_polymorphic.py
@@ -20,7 +20,7 @@ class Polymorphic(Signature):
     categories = ["packer"]
     authors = ["lordr"]
     minimum = "2.0"
-    ttp = ["M0029"]
+    ttp = ["B0029"]
     def on_complete(self):
         if not HAVE_SSDEEP:
diff --git a/modules/signatures/windows/packer_upx.py b/modules/signatures/windows/packer_upx.py
index 69db2d8d..6738d76b 100644
--- a/modules/signatures/windows/packer_upx.py
+++ b/modules/signatures/windows/packer_upx.py
@@ -22,7 +22,7 @@ class UPXCompressed(Signature):
     categories = ["packer"]
     authors = ["Michael Boman", "nex"]
     minimum = "2.0"
-    ttp = ["S0001.008"]
+    ttp = ["F0001.008"]
     def on_complete(self):
         for section in self.get_results("static", {}).get("pe_sections", []):
diff --git a/modules/signatures/windows/packer_vmprotect.py b/modules/signatures/windows/packer_vmprotect.py
index 73e0a186..2c1ca37c 100644
--- a/modules/signatures/windows/packer_vmprotect.py
+++ b/modules/signatures/windows/packer_vmprotect.py
@@ -22,7 +22,7 @@ class VMPPacked(Signature):
     categories = ["packer"]
     authors = ["Jeremy Hedges"]
     minimum = "2.0"
-    ttp = ["S0001.010"]
+    ttp = ["F0001.010"]
     def on_complete(self):
         for section in self.get_results("static", {}).get("pe_sections", []):
diff --git a/modules/signatures/windows/payload_download.py b/modules/signatures/windows/payload_download.py
index fb452cb0..4534d4b7 100644
--- a/modules/signatures/windows/payload_download.py
+++ b/modules/signatures/windows/payload_download.py
@@ -66,7 +66,7 @@ class NetworkEXE(Signature):
     categories = ["exploit", "downloader"]
     authors = ["Kevin Ross", "Will Metcalf"]
     minimum = "2.0"
-    ttp = ["M0023"]
+    ttp = ["B0023"]
     def __init__(self, *args, **kwargs):
         Signature.__init__(self, *args, **kwargs)
@@ -107,7 +107,7 @@ class SuspiciousWriteEXE(Signature):
     categories = ["exploit", "downloader", "virus"]
     authors = ["Will Metcalf", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0023"]
+    ttp = ["B0023"]
     def __init__(self, *args, **kwargs):
         Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/pe_features.py b/modules/signatures/windows/pe_features.py
index c6fddf09..c97a563d 100644
--- a/modules/signatures/windows/pe_features.py
+++ b/modules/signatures/windows/pe_features.py
@@ -13,7 +13,7 @@ class PEFeatures(Signature):
     categories = ["packer"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["S0001"]
+    ttp = ["F0001"]
     section_names = [
         ".text", ".rdata", ".data", ".pdata", ".DATA", ".reloc", ".idata",
@@ -45,7 +45,7 @@ class PEIDPacker(Signature):
     categories = ["packer"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["S0001.002"]
+    ttp = ["F0001.002"]
     def on_complete(self):
         if self.get_results("static", {}).get("peid_signatures", []):
@@ -61,7 +61,7 @@ class PEUnknownResourceName(Signature):
     categories = ["packer"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["S0001"]
+    ttp = ["F0001"]
     names = [
         "RT_ACCELERATOR",
diff --git a/modules/signatures/windows/persistence_autorun.py b/modules/signatures/windows/persistence_autorun.py
index f7ebf7ee..3bada2ae 100644
--- a/modules/signatures/windows/persistence_autorun.py
+++ b/modules/signatures/windows/persistence_autorun.py
@@ -31,7 +31,7 @@ class Autorun(Signature):
     categories = ["persistence"]
     authors = ["Michael Boman", "nex", "securitykitten", "Cuckoo Technologies", "Optiv", "KillerInstinct", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["S0012", "T1543.003", "E1112"]
+    ttp = ["F0012", "T1543.003", "E1112"]
     regkeys_re = [
         ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\.*",
diff --git a/modules/signatures/windows/persistence_bootexecute.py b/modules/signatures/windows/persistence_bootexecute.py
index 9c2f1257..41c782e6 100644
--- a/modules/signatures/windows/persistence_bootexecute.py
+++ b/modules/signatures/windows/persistence_bootexecute.py
@@ -23,7 +23,7 @@ class PersistenceBootexecute(Signature):
     authors = ["Brad Spengler"]
     minimum = "2.0"
     evented = True
-    ttp = ["S0012"]
+    ttp = ["F0012"]
     def __init__(self, *args, **kwargs):
         Signature.__init__(self, *args, **kwargs)
diff --git a/modules/signatures/windows/persistence_registry_fileless.py b/modules/signatures/windows/persistence_registry_fileless.py
index 1864cf5e..e32ce1cf 100644
--- a/modules/signatures/windows/persistence_registry_fileless.py
+++ b/modules/signatures/windows/persistence_registry_fileless.py
@@ -45,7 +45,7 @@ class PersistenceRegistryEXE(Signature):
     authors = ["Kevin Ross"]
     minimum = "2.0"
     evented = True
-    ttp = ["M0040.001", "E1112"]
+    ttp = ["B0040.001", "E1112"]
     filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"])
diff --git a/modules/signatures/windows/powershell.py b/modules/signatures/windows/powershell.py
index 62dbdbdd..397f4290 100644
--- a/modules/signatures/windows/powershell.py
+++ b/modules/signatures/windows/powershell.py
@@ -64,7 +64,7 @@ class AmsiBypass(Signature):
     categories = ["script", "malware", "powershell", "amsi"]
     authors = ["FDD", "Cuckoo Technologies"]
     minimum = "2.0.4"
-    ttp = ["S0004.004", "E1059.001"]
+    ttp = ["F0004.004", "E1059.001"]
     def on_yara(self, category, filepath, match):
         if match.name != "PowershellAMSI":
diff --git a/modules/signatures/windows/protection_rx.py b/modules/signatures/windows/protection_rx.py
index 1c36ef9c..5994ac65 100644
--- a/modules/signatures/windows/protection_rx.py
+++ b/modules/signatures/windows/protection_rx.py
@@ -12,7 +12,7 @@ class MemoryProtectionRX(Signature):
     severity = 2
     categories = ["unpacking"]
     minimum = "2.0"
-    ttp = ["X0008"]
+    ttp = ["C0008"]
     filter_apinames = (
         "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
diff --git a/modules/signatures/windows/ransomware_filemodications.py b/modules/signatures/windows/ransomware_filemodications.py
index ec4f072c..bcb0e304 100644
--- a/modules/signatures/windows/ransomware_filemodications.py
+++ b/modules/signatures/windows/ransomware_filemodications.py
@@ -53,7 +53,7 @@ class RansomwareAppendsExtension(Signature):
     categories = ["ransomware"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["E1486", "X0015.001"]
+    ttp = ["E1486", "C0015.001"]
     filter_apinames = "MoveFileWithProgressW", "MoveFileWithProgressTransactedW"
diff --git a/modules/signatures/windows/ransomware_files.py b/modules/signatures/windows/ransomware_files.py
index dc876738..f02883d5 100644
--- a/modules/signatures/windows/ransomware_files.py
+++ b/modules/signatures/windows/ransomware_files.py
@@ -23,7 +23,7 @@ class RansomwareFiles(Signature):
     categories = ["ransomware"]
     authors = ["KillerInstinct", "Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["E1486", "X0016.002"]
+    ttp = ["E1486", "C0016.002"]
     indicators = [
         (".*\\\\help_decrypt\.html$", ["CryptoWall"]),
diff --git a/modules/signatures/windows/self_delete_bat.py b/modules/signatures/windows/self_delete_bat.py
index 42085bff..09a73c3d 100644
--- a/modules/signatures/windows/self_delete_bat.py
+++ b/modules/signatures/windows/self_delete_bat.py
@@ -13,7 +13,7 @@ class SelfDeleteBat(Signature):
     categories = ["trojan"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["S0007"]
+    ttp = ["F0007"]
     indicator = (
         "@echo.*off.*"
diff --git a/modules/signatures/windows/smtp_gmail.py b/modules/signatures/windows/smtp_gmail.py
index e510f29a..8c98b50a 100644
--- a/modules/signatures/windows/smtp_gmail.py
+++ b/modules/signatures/windows/smtp_gmail.py
@@ -12,7 +12,7 @@ class Smtp_GMail(Signature):
     categories = ["smtp"]
     authors = ["RedSocks"]
     minimum = "2.0"
-    ttp = ["X0012.001"]
+    ttp = ["C0012.001"]
     domains = [
         "smtp.gmail.com",
diff --git a/modules/signatures/windows/smtp_live.py b/modules/signatures/windows/smtp_live.py
index 473caa14..1f06ab85 100644
--- a/modules/signatures/windows/smtp_live.py
+++ b/modules/signatures/windows/smtp_live.py
@@ -12,7 +12,7 @@ class Smtp_Live(Signature):
     categories = ["smtp"]
     authors = ["RedSocks"]
     minimum = "2.0"
-    ttp = ["X0012.001"]
+    ttp = ["C0012.001"]
     domains = [
         "smtp.live.com",
diff --git a/modules/signatures/windows/smtp_mailru.py b/modules/signatures/windows/smtp_mailru.py
index 5a7216b5..c7a61630 100644
--- a/modules/signatures/windows/smtp_mailru.py
+++ b/modules/signatures/windows/smtp_mailru.py
@@ -12,7 +12,7 @@ class Smtp_Mail_Ru(Signature):
     categories = ["smtp"]
     authors = ["RedSocks"]
     minimum = "2.0"
-    ttp = ["X0012.001"]
+    ttp = ["C0012.001"]
     ipaddrs = [
         "94.100.180.160",
diff --git a/modules/signatures/windows/smtp_yahoo.py b/modules/signatures/windows/smtp_yahoo.py
index bf4bdc04..1ea46a4d 100644
--- a/modules/signatures/windows/smtp_yahoo.py
+++ b/modules/signatures/windows/smtp_yahoo.py
@@ -12,7 +12,7 @@ class Smtp_Yahoo(Signature):
     categories = ["smtp"]
     authors = ["RedSocks"]
     minimum = "2.0"
-    ttp = ["X0012.001"]
+    ttp = ["C0012.001"]
     domains = [
         "smtp.mail.yahoo.com",
diff --git a/modules/signatures/windows/sniffer_winpcap.py b/modules/signatures/windows/sniffer_winpcap.py
index a21a01f5..a810c65d 100644
--- a/modules/signatures/windows/sniffer_winpcap.py
+++ b/modules/signatures/windows/sniffer_winpcap.py
@@ -22,7 +22,7 @@ class InstallsWinpcap(Signature):
     categories = ["sniffer"]
     authors = ["Thomas Birn", "nex"]
     minimum = "2.0"
-    ttp = ["M0023", "T1040"]
+    ttp = ["B0023", "T1040"]
     indicators = [
         ".*\\\\packet\\.dll$",
diff --git a/modules/signatures/windows/stealth_hidenotifications.py b/modules/signatures/windows/stealth_hidenotifications.py
index 25c1816c..b4f14b77 100644
--- a/modules/signatures/windows/stealth_hidenotifications.py
+++ b/modules/signatures/windows/stealth_hidenotifications.py
@@ -11,7 +11,7 @@ class StealthHideNotifications(Signature):
     categories = ["stealth"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["S0006", "E1112"]
+    ttp = ["F0006", "E1112"]
     regkeys_re = [
         ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth$",
diff --git a/modules/signatures/windows/suspicious_process.py b/modules/signatures/windows/suspicious_process.py
index d43ed3d0..0d95e45c 100644
--- a/modules/signatures/windows/suspicious_process.py
+++ b/modules/signatures/windows/suspicious_process.py
@@ -11,7 +11,7 @@ class CreatesSuspiciousProcess(Signature):
     categories = ["packer"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["X0017"]
+    ttp = ["C0017"]
     processes = [
         "svchost", "powershell", "regsvr32", "bcdedit", "mshta", "schtasks",
diff --git a/modules/signatures/windows/terminates_process.py b/modules/signatures/windows/terminates_process.py
index 11ca8f38..f7ba812d 100644
--- a/modules/signatures/windows/terminates_process.py
+++ b/modules/signatures/windows/terminates_process.py
@@ -23,7 +23,7 @@ class TerminatesRemoteProcess(Signature):
     authors = ["Kevin Ross"]
     minimum = "2.0"
     evented = True
-    ttp = ["X0018"]
+    ttp = ["C0018"]
     filter_apinames = "NtTerminateProcess",
diff --git a/modules/signatures/windows/volatility_sig.py b/modules/signatures/windows/volatility_sig.py
index b2d5766f..64b94a42 100644
--- a/modules/signatures/windows/volatility_sig.py
+++ b/modules/signatures/windows/volatility_sig.py
@@ -73,7 +73,7 @@ class VolDevicetree1(Signature):
     authors = ["Thorsten Sick"]
     families = ["Zero access"]
     minimum = "2.0"
-    ttp = ["S0010.001"]
+    ttp = ["F0010.001"]
     # http://mnin.blogspot.de/2011/10/zeroaccess-volatility-and-kernel-timers.html
@@ -92,7 +92,7 @@ class VolSvcscan1(Signature):
     authors = ["Thorsten Sick"]
     families = ["Zero access"]
     minimum = "2.0"
-    ttp = ["S0004"]
+    ttp = ["F0004"]
     def on_complete(self):
         for row in self.get_volatility("svcscan").get("data", []):
@@ -110,7 +110,7 @@ class VolSvcscan2(Signature):
     authors = ["Thorsten Sick"]
     families = ["Zero access"]
     minimum = "2.0"
-    ttp = ["S0004"]
+    ttp = ["F0004"]
     def on_complete(self):
         for row in self.get_volatility("svcscan").get("data", []):
@@ -128,7 +128,7 @@ class VolSvcscan3(Signature):
     authors = ["Thorsten Sick"]
     families = ["Zero access"]
     minimum = "2.0"
-    ttp = ["S0004"]
+    ttp = ["F0004"]
     def on_complete(self):
         for row in self.get_volatility("svcscan").get("data", []):
@@ -146,7 +146,7 @@ class VolModscan1(Signature):
     authors = ["Thorsten Sick"]
     families = ["Zero access"]
     minimum = "2.0"
-    ttp = ["S0010"]
+    ttp = ["F0010"]
     def on_complete(self):
         for row in self.get_volatility("modscan").get("data", []):
diff --git a/modules/signatures/windows/wmi.py b/modules/signatures/windows/wmi.py
index 1db5ffdd..bbb75cb3 100644
--- a/modules/signatures/windows/wmi.py
+++ b/modules/signatures/windows/wmi.py
@@ -33,7 +33,7 @@ class Win32ProcessCreate(Signature):
     categories = ["wmi"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["T1047", "X0017.002"]
+    ttp = ["T1047", "C0017.002"]
     filter_apinames = [
         "IWbemServices_ExecMethod",
@@ -53,7 +53,7 @@ class WMIAntiVM(Signature):
     categories = ["wmi", "anti-vm"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0009", "T1047", "T1497"]
+    ttp = ["B0009", "T1047", "T1497"]
     antivm = [
         "win32_processor",