Merge pull request #485 from kevross33/patch-76

Add signature for Mavinject Lolbin

Author: doomedraven

modules/signatures/windows/windows_utilities.py

@@ -32,11 +32,10 @@ class UsesWindowsUtilitiesScheduler(Signature):
 
     def on_call(self, _, process):
         if process["process_name"].lower() in self.filter_processnames:
+            # ToDo this doesn't apply MITRE map conversion for newer versions
             self.ttps += ["T1053.005"] if process["process_name"].lower() == "schtasks" else ["T1053.002"]  # MITRE v7,8
-            cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-            for cmdline in cmdlines:
-                lower = cmdline.lower()
-                if re.search(process["process_name"].lower(), lower):
+            for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
+                if re.search(process["process_name"].lower(), cmdline.lower()):
                     self.data.append({"command": cmdline})
             return True
         return False
@@ -116,8 +115,7 @@ def run(self):
             r"Internet Explorer",
         ]
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for utility in utilities:
                 if re.search(utility, lower):
@@ -206,8 +204,7 @@ def run(self):
         ]
 
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for utility_regex in utilities:
                 if re.search(utility_regex, lower):
@@ -239,8 +236,7 @@ def run(self):
         ]
 
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for utility in utilities:
                 if utility in lower:
@@ -265,8 +261,7 @@ class SuspiciousPingUse(Signature):
 
     def run(self):
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             if "ping" in lower and ("-n" in lower or "/n" in lower):
                 ret = True
@@ -313,8 +308,7 @@ def run(self):
         ]
 
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             if "wmic" in lower:
                 for argument in self.arguments:
@@ -397,8 +391,7 @@ class SuspiciousCertutilUse(Signature):
 
     def run(self):
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             if "certutil" in lower and ("urlcache" in lower or "encode" in lower or "decode" in lower or "addstore" in lower):
                 ret = True
@@ -468,8 +461,7 @@ class DotNETCSCBuild(Signature):
 
     def run(self):
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             if "csc " in lower or "csc.exe" in lower:
                 ret = True
@@ -545,8 +537,7 @@ def run(self):
         ]
 
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for utility in utilities:
                 if utility in lower:
@@ -574,8 +565,7 @@ def run(self):
         ]
 
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for utility in utilities:
                 if utility in lower:
@@ -604,8 +594,7 @@ def run(self):
         ]
 
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for utility in utilities:
                 if utility in lower:
@@ -635,8 +624,7 @@ def run(self):
         ]
 
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for utility in utilities:
                 if utility in lower:
@@ -658,20 +646,18 @@ class UsesWindowsUtilitiesCurl(Signature):
     mbcs = ["OB0009", "E1203.m06"]
 
     def run(self):
-        utilities = [
+        utilities = (
             "curl ",
             "curl.exe ",
-        ]
+        )
 
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for utility in utilities:
                 if utility in lower:
                     ret = True
                     self.data.append({"command": cmdline})
-
         return ret
 
 
@@ -721,8 +707,7 @@ def run(self):
         ]
 
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for utility in utilities:
                 if utility in lower:
@@ -749,8 +734,7 @@ def run(self):
         ]
 
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for utility in utilities:
                 if utility in lower:
@@ -778,8 +762,7 @@ def run(self):
         ]
 
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for utility in utilities:
                 if utility in lower:
@@ -809,8 +792,7 @@ def run(self):
         ]
 
         ret = False
-        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for utility in utilities:
                 if utility in lower:
@@ -1002,3 +984,23 @@ def on_complete(self):
         if self.detected:
             return True
         return False
+
+class MavInjectLolbin(Signature):
+    name = "mavinject_lolbin"
+    description = "Uses mavinject to inject code"
+    severity = 3
+    categories = ["injection", "anti-av", "lolbin"]
+    authors = ["Kevin Ross"]
+    minimum = "1.3"
+    evented = True
+    ttps = ["T1218.013"]
+
+    def run(self):
+        ret = False
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
+            lower = cmdline.lower()
+            if "mavinject" in lower and ("injectrunning" in lower or "hmodule" in lower):
+                ret = True
+                self.data.append({"command": cmdline})
+
+        return ret