Remap letters in MBC IDs to match v2.0

README.md

@@ -27,7 +27,7 @@ class AntiSandboxSleep(Signature):
     categories = ["anti-sandbox"]
     authors = ["KillerInstinct"]
     minimum = "2.0"
-    ttp = ["M0003.003"]
+    ttp = ["B0003.003"]
     ...
 ```
 

modules/signatures/android/android_reflection_code.py

@@ -11,7 +11,7 @@ class AndroidReflectionCode(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
-    ttp = ["M0032"]
+    ttp = ["B0032"]
 
     def on_complete(self):
         if self.get_apkinfo("static_method_calls").get("is_reflection_code"):

modules/signatures/android/application_aborted_broadcast_receiver.py

@@ -11,7 +11,7 @@ class AndroidAbortBroadcast(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
-    ttp = ["S0006"]
+    ttp = ["F0006"]
 
     def on_complete(self):
         if "abortBroadcast" in self.get_droidmon("events", []):

modules/signatures/android/application_installed_app.py

@@ -11,7 +11,7 @@ class AndroidInstalledApps(Signature):
     categories = ["android"]
     authors = ["Check Point Software Technologies LTD"]
     minimum = "2.0"
-    ttp = ["M0023"]
+    ttp = ["B0023"]
 
     def on_complete(self):
         if "android/app/ApplicationPackageManager->installPackage" in self.get_droidmon():

modules/signatures/cross/js_suspicious.py

@@ -41,7 +41,7 @@ class AntiAnalysisJavascript(Signature):
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
     on_call_dispatch = True
-    ttp = ["M0013", "M0009"]
+    ttp = ["B0013", "B0009"]
 
     filter_apinames = "ActiveXObjectFncObj_Construct", "CImgElement_put_src"
 

modules/signatures/network/dns_cnc.py

@@ -22,7 +22,7 @@ class NetworkDNSTXTLookup(Signature):
     categories = ["dns", "cnc"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["X0011"]
+    ttp = ["C0011"]
 
     whitelist = [
             "google.com",

modules/signatures/network/dns_tld.py

@@ -12,7 +12,7 @@ class Suspicious_TLD(Signature):
     categories = ["tldwatch", "network"]
     authors = ["RedSocks", "Kevin Ross"]
     minimum = "2.0"
-    ttp = ["X0011.004"]
+    ttp = ["C0011.004"]
 
     domains_re = [
         (".*\\.by$", "Belarus domain TLD"),

modules/signatures/network/network_bind.py

@@ -22,7 +22,7 @@ class NetworkBIND(Signature):
     categories = ["bind"]
     authors = ["nex", "Accuvant"]
     minimum = "2.0"
-    ttp = ["X0001.002"]
+    ttp = ["C0001.002"]
 
     filter_apinames = "bind", "listen", "accept"
 

modules/signatures/network/network_cnc_http.py

@@ -27,7 +27,7 @@ class NetworkHTTPPOST(Signature):
     categories = ["http", "cnc"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["X0002.005"]
+    ttp = ["C0002.005"]
 
     filter_analysistypes = set(["file"])
 
@@ -58,7 +58,7 @@ class NetworkCnCHTTP(Signature):
     categories = ["http", "cnc"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["T1071.001", "M0030"]
+    ttp = ["T1071.001", "B0030"]
 
     filter_analysistypes = set(["file"])
 

modules/signatures/network/network_dyndns.py

@@ -12,7 +12,7 @@ class NetworkDynDNS(Signature):
     categories = ["dyndns"]
     authors = ["RedSocks"]
     minimum = "2.0"
-    ttp = ["X0011.003"]
+    ttp = ["C0011.003"]
 
     domains_re = [
         ".*\\.no-ip\\.",

modules/signatures/network/network_http.py

@@ -22,7 +22,7 @@ class NetworkHTTP(Signature):
     categories = ["http"]
     authors = ["nex"]
     minimum = "2.0"
-    ttp = ["X0002.003"]
+    ttp = ["C0002.003"]
 
     host_whitelist = [
         "www.msftncsi.com"

modules/signatures/network/network_icmp.py

@@ -22,7 +22,7 @@ class NetworkICMP(Signature):
     categories = ["icmp"]
     authors = ["David Maciejak"]
     minimum = "2.0"
-    ttp = ["X0014.001"]
+    ttp = ["C0014.001"]
 
     def on_complete(self):
         if self.get_net_icmp():

modules/signatures/network/network_smtp.py

@@ -22,7 +22,7 @@ class NetworkSMTP(Signature):
     categories = ["smtp", "spam"]
     authors = ["nex", "RicoVZ"]
     minimum = "2.0.0"
-    ttp = ["S0012.002"]
+    ttp = ["F0012.002"]
 
     def on_complete(self):
         for s in getattr(self, "get_net_smtp_ex", lambda: [])():

modules/signatures/windows/allocates_rwx.py

@@ -11,7 +11,7 @@ class AllocatesRWX(Signature):
     categories = ["unpacking"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["X0007"]
+    ttp = ["C0007"]
 
     filter_apinames = (
         "NtAllocateVirtualMemory", "NtProtectVirtualMemory",

modules/signatures/windows/antianalysis_detectfile.py

@@ -11,7 +11,7 @@ class AntiAnalysisDetectFile(Signature):
     categories = ["anti-analysis"]
     authors = ["KillerInstinct"]
     minimum = "2.0"
-    ttp = ["M0013.008"]
+    ttp = ["B0013.008"]
 
     file_indicators = [
         "[A-Za-z]:\\\\analysis",

modules/signatures/windows/antiav_servicestop.py

@@ -16,7 +16,7 @@ class AntiAVServiceStop(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["S0004"]
+    ttp = ["F0004"]
     evented = True
 
     def __init__(self, *args, **kwargs):

modules/signatures/windows/antiav_srp.py

@@ -11,7 +11,7 @@ class AntiAVSRP(Signature):
     categories = ["anti-av"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["S0004.005", "E1478"]
+    ttp = ["F0004.005", "E1478"]
 
     regkeys_re = [
         ".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*",

modules/signatures/windows/antidbg_debuggercheck.py

@@ -23,7 +23,7 @@ class ChecksDebugger(Signature):
     categories = ["anti-debug"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0001"]
+    ttp = ["B0001"]
 
     filter_apinames = [
         "CheckRemoteDebuggerPresent",
@@ -43,7 +43,7 @@ class ChecksKernelDebugger(Signature):
     categories = ["anti-debug"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0001"]
+    ttp = ["B0001"]
 
     filter_apinames = [
         "SystemKernelDebuggerInformation",

modules/signatures/windows/antidbg_devices.py

@@ -22,7 +22,7 @@ class AntiDBGDevices(Signature):
     categories = ["anti-debug"]
     authors = ["nex"]
     minimum = "2.0"
-    ttp = ["M0001", "M0013"]
+    ttp = ["B0001", "B0013"]
 
     indicators = [
         ".*SICE$",

modules/signatures/windows/antidbg_windows.py

@@ -22,7 +22,7 @@ class AntiDBGWindows(Signature):
     categories = ["anti-debug"]
     authors = ["nex", "KillerInstinct", "Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0013.009", "M0001.004"]
+    ttp = ["B0013.009", "B0001.004"]
 
     filter_categories = "ui",
 

modules/signatures/windows/antiemu_wine.py

@@ -22,7 +22,7 @@ class WineDetect(Signature):
     categories = ["anti-emulation"]
     authors = ["nex"]
     minimum = "2.0"
-    ttp = ["M0004"]
+    ttp = ["B0004"]
 
     filter_apinames = "LdrGetProcedureAddress",
 

modules/signatures/windows/antisandbox_clipboard.py

@@ -22,7 +22,7 @@ class AntisandboxClipboard(Signature):
     categories = ["anti-sandbox"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0007.001"]	
+    ttp = ["B0007.001"]	
 
     filter_apinames = set(["GetClipboardData"])
 

modules/signatures/windows/antisandbox_cuckoo_files.py

@@ -22,7 +22,7 @@ class CuckooDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0007.002"]
+    ttp = ["B0007.002"]
 
     file_indicators = [
         ".*\\\\agent\\.py$",

modules/signatures/windows/antisandbox_file.py

@@ -11,7 +11,7 @@ class AntiSandboxFile(Signature):
     categories = ["anti-sandbox"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0007.002"]
+    ttp = ["B0007.002"]
 
     files_re = [
         "[a-zA-Z]:\\\\sample\\.exe",

modules/signatures/windows/antisandbox_forehwnd.py

@@ -20,7 +20,7 @@ class AntiSandboxForegroundWindow(Signature):
     severity = 2
     categories = ["anti-sandbox"]
     minimum = "2.0"
-    ttp = ["M0007.003"]
+    ttp = ["B0007.003"]
 
     references = [
         "https://www.virusbtn.com/virusbulletin/archive/2015/09/vb201509-custom-packer.dkb",

modules/signatures/windows/antisandbox_fortinet_files.py

@@ -22,7 +22,7 @@ class FortinetDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0007.002"]
+    ttp = ["B0007.002"]
 
     files_re = [
         "C:\\\\tracer\\\\mdare32_0\\.sys",

modules/signatures/windows/antisandbox_idletime.py

@@ -11,7 +11,7 @@ class AntiSandboxIdleTime(Signature):
     categories = ["anti-sandbox"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0007.009"]
+    ttp = ["B0007.009"]
 
     filter_apinames = "NtQuerySystemInformation",
 

modules/signatures/windows/antisandbox_joe_anubis_files.py

@@ -22,7 +22,7 @@ class SandboxJoeAnubisDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0007.002"]
+    ttp = ["B0007.002"]
 
     file_indicators = [
         "C:\\\\sample\\.exe",

modules/signatures/windows/antisandbox_mouse_hook.py

@@ -22,7 +22,7 @@ class HookMouse(Signature):
     categories = ["hooking", "anti-sandbox"]
     authors = ["nex"]
     minimum = "2.0"
-    ttp = ["M0007.003", "S0003.003"]
+    ttp = ["B0007.003", "F0003.003"]
 
     filter_apinames = "SetWindowsHookExA", "SetWindowsHookExW"
 

modules/signatures/windows/antisandbox_restart.py

@@ -12,7 +12,7 @@ class AntiSandboxRestart(Signature):
     categories = ["anti-sandbox"]
     authors = ["Cuckoo Technologies", "Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0003.010"]
+    ttp = ["B0003.010"]
 
     filter_apinames = (
         "InitiateSystemShutdownExW", "InitiateSystemShutdownExA",

modules/signatures/windows/antisandbox_sleep.py

@@ -22,7 +22,7 @@ class AntiSandboxSleep(Signature):
     categories = ["anti-sandbox"]
     authors = ["KillerInstinct"]
     minimum = "2.0"
-    ttp = ["M0003.003"]
+    ttp = ["B0003.003"]
 
     filter_apinames = "NtDelayExecution",
 

modules/signatures/windows/antisandbox_sunbelt.py

@@ -11,7 +11,7 @@ class SunBeltSandboxDetect(Signature):
     categories = ["anti-vm"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0007"]
+    ttp = ["B0007"]
 
     dlls_re = [
         ".*api_log(\\.dll)?$",

modules/signatures/windows/antisandbox_sunbelt_files.py

@@ -22,7 +22,7 @@ class SunbeltDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0007.002"]
+    ttp = ["B0007.002"]
 
     file_indicators = [
         ".*\\\\SandboxStarter\\.exe$",

modules/signatures/windows/antisandbox_threattrack_files.py

@@ -22,7 +22,7 @@ class ThreatTrackDetectFiles(Signature):
     categories = ["anti-sandbox"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0007.002"]
+    ttp = ["B0007.002"]
 
     files_re = [
         "C:\\\\cwsandbox",

modules/signatures/windows/antisandbox_unhook.py

@@ -22,7 +22,7 @@ class Unhook(Signature):
     categories = ["anti-sandbox"]
     authors = ["nex"]
     minimum = "2.0"
-    ttp = ["M0003.008"]
+    ttp = ["B0003.008"]
 
     filter_apinames = "__anomaly__",
 

modules/signatures/windows/antivm_bochs_keys.py

@@ -22,7 +22,7 @@ class BochsDetectKeys(Signature):
     categories = ["anti-vm"]
     authors = ["Brad Spengler"]
     minimum = "2.0"
-    ttp = ["M0009.005", "T1012"]
+    ttp = ["B0009.005", "T1012"]
 
     regkeys_re = [
         ".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS_.*",

modules/signatures/windows/antivm_computername.py

@@ -22,7 +22,7 @@ class AntiVMComputernameQuery(Signature):
     categories = ["AntiVM"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0009", "T1082"]
+    ttp = ["B0009", "T1082"]
 
     filter_apinames = [
         "GetComputerNameA",

modules/signatures/windows/antivm_disksize.py

@@ -22,7 +22,7 @@ class AntiVMDiskSize(Signature):
     categories = ["anti-vm"]
     authors = ["Kevin Ross"]
     minimum = "2.0"
-    ttp = ["M0009.015"]
+    ttp = ["B0009.015"]
 
     evented = True
 

modules/signatures/windows/antivm_generic_bios.py

@@ -22,7 +22,7 @@ class AntiVMBios(Signature):
     categories = ["anti-vm"]
     authors = ["nex"]
     minimum = "2.0"
-    ttp = ["M0009.024", "M0009.005", "T1012"]
+    ttp = ["B0009.024", "B0009.005", "T1012"]
 
     regkeys_re = [
         ".*SystemBiosVersion",

modules/signatures/windows/antivm_generic_cpu.py

@@ -22,7 +22,7 @@ class AntiVMCPU(Signature):
     categories = ["anti-vm"]
     authors = ["Optiv"]
     minimum = "2.0"
-    ttp = ["M0009.026", "M0009.005", "T1012"]
+    ttp = ["B0009.026", "B0009.005", "T1012"]
 
     regkeys_re = [
         ".*\\\\HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\.*\\\\ProcessorNameString",

modules/signatures/windows/antivm_generic_disk.py

@@ -22,7 +22,7 @@ class DiskInformation(Signature):
     categories = ["anti-vm"]
     authors = ["nex"]
     minimum = "2.0"
-    ttp = ["M0009.005", "T1012"]
+    ttp = ["B0009.005", "T1012"]
 
     filter_apinames = [
         "NtCreateFile",

modules/signatures/windows/antivm_generic_firmware.py

@@ -11,7 +11,7 @@ class VMFirmware(Signature):
     categories = ["anti-vm"]
     authors = ["Cuckoo Technologies"]
     minimum = "2.0"
-    ttp = ["M0009.023"]
+    ttp = ["B0009.023"]
 
     filter_apinames = "NtQuerySystemInformation",