# Copyright (C) 2017 Cuckoo Foundation.
# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
# See the file 'docs/LICENSE' for copying permission.
import base64
import re
import shlex

from lib.cuckoo.common.abstracts import Signature
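class PowershellRegAdd(Signature):
    """Flag PowerShell command lines that add registry entries.

    Two detection paths are tried, in order:

    1. Plain text: "powershell" and "reg add" both occur in the
       concatenation of all observed command lines. The lines are joined
       without a separator, so the two strings need not sit on the same
       command line; this is the original, deliberately loose behaviour
       and is kept so the recorded IOC stays in the same format.
    2. Encoded command: for every command line carrying a PowerShell
       ``-e`` / ``-enc`` / ``-EncodedCommand`` style switch, the token after
       the switch is base64-decoded as UTF-16 and the recovered script is
       searched for "reg add".

    Either hit records the matching text as a ``cmd`` IOC via
    ``mark_ioc`` and makes the signature match.
    """
    name = "powershell_reg_add"
    description = "Powershell script adds registry entries"
    severity = 3
    categories = ["script", "powershell"]
    authors = ["FDD", "Cuckoo Technologies"]
    minimum = "2.0.4"
    ttp = ["T1086"]

    # Loose match for the encoded-command switch and its abbreviations
    # (-e, -ec, -enc, -encodedcommand), tolerating cmd.exe ``^`` escape
    # characters between letters. Raw string: ``\-`` is not a valid escape
    # in a normal string literal. Compiled once at class level instead of
    # on every on_complete() call. The character classes are broad enough
    # to also match switches such as ``-ea``; that looseness is inherited
    # from the original logic and kept on purpose, since a false positive
    # here only costs a failed base64 decode.
    encoded_flag_re = re.compile(r"\-[e^]{1,2}[ncodema^]+")

    def on_complete(self):
        """Evaluate the signature once all analysis results are available.

        Returns:
            True when a registry-adding PowerShell command (plain or
            base64-encoded) was seen, False otherwise. The matching command
            line (path 1) or decoded script (path 2) is recorded with
            ``mark_ioc("cmd", ...)`` before returning True.
        """
        # Materialise once: the original called get_command_lines() twice,
        # and it is not visible here whether it returns a list or an
        # iterator, so copying is the safe way to walk it twice.
        command_lines = list(self.get_command_lines())

        # Path 1: plain-text "reg add" inside a PowerShell invocation. The
        # IOC is the joined, lower-cased text, as it always was.
        lower = "".join(command_lines).lower()
        if "powershell" in lower and "reg add" in lower:
            self.mark_ioc("cmd", lower)
            return True

        # Path 2: the script may be hidden behind an encoded-command switch.
        for cmdline in command_lines:
            if not self.encoded_flag_re.search(cmdline.lower()):
                continue
            for script in self._decoded_scripts(cmdline):
                if "reg add" in script.lower():
                    self.mark_ioc("cmd", script)
                    return True
        return False

    def _decoded_scripts(self, cmdline):
        """Yield every script recoverable from *cmdline*'s encoded switches.

        The command line is tokenised and, for each token that looks like
        the encoded-command switch, the following token is base64-decoded
        and interpreted as UTF-16 (the encoding PowerShell expects for an
        encoded command). A switch that is the last token, or a payload
        that is not valid base64 / UTF-16, is skipped: a malformed command
        line is evidence of nothing and must not abort the signature.

        Args:
            cmdline: One raw command line as returned by get_command_lines().
        """
        try:
            args = shlex.split(cmdline)
        except ValueError:
            # Unbalanced quotes. The original let this propagate and crash
            # the whole signature; fall back to whitespace tokenisation so
            # one odd command line cannot hide every other hit.
            args = cmdline.split()

        last_index = len(args) - 1
        for idx, arg in enumerate(args):
            if not self.encoded_flag_re.search(arg.lower()):
                continue
            if idx >= last_index:
                # The switch is the final token; nothing follows to decode.
                continue
            try:
                # b64decode replaces the Python-2-only str.decode("base64")
                # and works on both Python 2 and 3. Python 2's b64decode
                # raises TypeError on bad input; Python 3 raises
                # binascii.Error (a ValueError) and UTF-16 failures raise
                # UnicodeDecodeError (also a ValueError).
                yield base64.b64decode(args[idx + 1]).decode("utf16")
            except (TypeError, ValueError):
                continue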