
Comments (5)

wasbt avatar wasbt commented on July 18, 2024 1

@kevoreilly My suggestion to fix [Accessed credential storage registry keys] firing while analysing a PDF with Adobe Reader is to reduce the severity using

from lib.cuckoo.common.abstracts import Signature

class RegistryCredentialStoreAccess(Signature):
    name = "registry_credential_store_access"
    description = "Accessed credential storage registry keys"
    severity = 3
    categories = ["persistence", "lateral", "credential_dumping"]
    authors = ["Kevin Ross"]
    minimum = "1.3"
    evented = True
    ttps = ["T1003"]  # MITRE v6,7,8
    ttps += ["T1003.002"]  # MITRE v7,8
    mbcs = ["OB0005"]

    def run(self):
        ret = False
        # Regex patterns: the doubled backslash in the source is one literal
        # backslash in the regex, and $ anchors on the key name
        reg_indicators = [
            "HKEY_LOCAL_MACHINE\\\\SAM$",
            "HKEY_LOCAL_MACHINE\\\\SYSTEM$",
        ]

        for indicator in reg_indicators:
            match = self.check_key(pattern=indicator, regex=True)
            if match:
                self.data.append({"regkey": match})
                ret = True
        # Tweak: Adobe Reader touches these keys when opening a PDF, so
        # downgrade the severity when the analysed target is a PDF
        if "PDF" in self.results["target"]["file"].get("type", ""):
            self.severity = 1
        return ret

And I also created a new PDF annotation URL checker, because https://github.com/CAPESandbox/community/blob/master/modules/signatures/all/pdf_annot_urls.py is not working anymore:


from lib.cuckoo.common.abstracts import Signature

class PDF_Annot_URLs_Checker(Signature):
    name = "pdf_annot_urls_checker"
    description = "The PDF contains a Link Annotation"
    severity = 2  # Default severity
    categories = ["static"]
    authors = ["Wassime BATTA"]
    minimum = "0.5"

    filter_analysistypes = set(["file", "static"])

    malicious_tlds_file = "/opt/CAPEv2/data/malicioustlds.txt"

    def __init__(self, *args, **kwargs):
        super(PDF_Annot_URLs_Checker, self).__init__(*args, **kwargs)
        self.malicious_tlds = self.load_malicious_tlds()

    def load_malicious_tlds(self):
        # One TLD per line, each starting with a dot (e.g. ".xyz"); if the
        # file is missing the set stays empty and plain links are still reported
        malicious_tlds = set()
        try:
            with open(self.malicious_tlds_file, "r") as f:
                for line in f:
                    line = line.strip()
                    if line.startswith("."):
                        malicious_tlds.add(line)
        except OSError:
            pass
        return malicious_tlds

    def run(self):
        found_malicious_extension = False
        found_malicious_domain = False
        found_domain_only = False
        suspect = False

        target_file = self.results["target"]["file"]
        if "PDF" in target_file.get("type", ""):
            # .get() so a PDF without parsed annotation data does not raise KeyError
            annot_urls = target_file.get("pdf", {}).get("Annot_URLs", [])
            for entry in annot_urls:
                entry_lower = entry.lower()
                self.data.append({"url": entry})
                # Link targets that look like executables or scripts (mailto: excluded)
                if entry_lower.endswith((".exe", ".php", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".psm1", ".sh")) \
                        and not entry_lower.startswith("mailto:"):
                    found_malicious_extension = True

                if entry_lower.startswith(("http://", "https://")):
                    # Host part is everything between "//" and the next "/"
                    domain_start = entry_lower.find("//") + 2
                    domain_end = entry_lower.find("/", domain_start)
                    if domain_end == -1:
                        domain = entry_lower[domain_start:]
                    else:
                        domain = entry_lower[domain_start:domain_end]

                    for malicious_tld in self.malicious_tlds:
                        if domain.endswith(malicious_tld):
                            found_malicious_domain = True
                            break
                    else:
                        # No malicious TLD matched: record it as a plain link
                        found_domain_only = True

            if found_malicious_domain or found_malicious_extension:
                self.severity = 6
                self.description = "The PDF contains a Malicious Link Annotation"
                suspect = True
            elif found_domain_only:
                self.severity = 2
                self.description = "The PDF contains a Link Annotation"
                suspect = True

        return suspect


And a malicious/suspect TLD list in /opt/CAPEv2/data/malicioustlds.txt:

.link
.cam
.bar
.surf
.xyz
.click
.buzz
.gq
.ga
.rest
.ml
.cc
.cfd
.cyou
.accountant
.ar
.bg
.bid
.biz
.biz.ua
.br
.camera
.cf
.club
.co
.co.ua
.co.in
.co.mz
.co.nz
.com.au
.com.tw
.computer
.cricket
.date
.diet
.download
.email
.es
.faith
.gdn
.global
.guru
.help
.in
.info
.kz
.lol
.loan
.media
.men
.news
.ninja
.nyc
.party
.photography
.pt
.pw
.racing
.reise
.review
.rocks
.ru
.science
.site
.solutions
.space
.stream
.tech
.today
.top
.tr
.trade
.uno
.us
.vn
.webcam
.website
.win
.work
.africa
.autos
.best
.bet
.bio
.boats
.bond
.boston
.boutique
.center
.charity
.christmas
.coupons
.dance
.finance
.fishing
.giving
.hair
.haus
.homes
.icu
.kim
.lat
.llp
.loans
.love
.ltd
.mom
.motorcycles
.name
.okinawa
.promo
.rehab
.rugby
.run
.sale
.sew
.skin
.store
.sz
.tattoo
.tokyo
.voto
.wang
.wf
.yachts
.you

The new script is working well with dynamic and static scans (tested on Win10 with Adobe Reader 9).

from capev2.
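An added stand-alone example (not part of this comment or of CAPE) of the link-annotation classification the signature above performs, going slightly beyond it: the host is taken with urllib.parse so userinfo or a port cannot defeat the TLD match, and the extension check runs on the URL path so a query string cannot hide an executable. SUSPECT_TLDS is a constructed subset of the malicioustlds.txt list.

```python
from urllib.parse import urlsplit

# Constructed subset of malicioustlds.txt; entries keep their leading dot so
# endswith() only matches on a label boundary (".co" does not match ".com").
SUSPECT_TLDS = {".xyz", ".top", ".cc", ".co", ".co.ua", ".click"}

# Same executable/script extensions the signature flags
EXEC_EXTENSIONS = (".exe", ".php", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".ps1", ".psm1", ".sh")


def host_of(url):
    """Lower-cased hostname of an http(s) URL (no userinfo, no port), else None."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    return (parts.hostname or "").lower() or None


def has_suspect_tld(host):
    """True if host ends with one of SUSPECT_TLDS on a label boundary."""
    return any(host.endswith(tld) for tld in SUSPECT_TLDS)


def classify_annotation(url):
    """Map one PDF link annotation to 'malicious', 'link' or 'ignore'."""
    lower = url.strip().lower()
    parts = urlsplit(lower)
    # Extension check on the path only, so "?x=1" after ".exe" is not missed
    if parts.scheme != "mailto" and parts.path.endswith(EXEC_EXTENSIONS):
        return "malicious"
    host = host_of(lower)
    if host is None:
        return "ignore"          # mailto:, javascript:, relative targets...
    if has_suspect_tld(host):
        return "malicious"
    return "link"


def pdf_verdict(annot_urls):
    """Aggregate like the signature: any malicious entry sets severity 6."""
    verdicts = {classify_annotation(u) for u in annot_urls}
    if "malicious" in verdicts:
        return 6, "The PDF contains a Malicious Link Annotation"
    if "link" in verdicts:
        return 2, "The PDF contains a Link Annotation"
    return 0, None
```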

wasbt avatar wasbt commented on July 18, 2024 1

Sometimes the CAPE Suricata alert flags "AKAMAI-AS" as malicious with severity 3. I also suggest adding to the docs that commenting out
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:misc-activity; sid:2027390; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
in suricata.rules will disable this false positive.

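An added helper (not from this thread or from CAPE) that comments out rules by sid in a suricata.rules file, so the rule quoted above can be disabled by sid rather than by hand-editing a long line; the sample rules text is constructed, with the page's sid 2027390 plus a placeholder local rule (sid 1000001) that must stay active.

```python
import re

# Constructed sample: the ET rule quoted above (sid 2027390) and a placeholder
# local rule (sid 1000001) that a disable pass must leave untouched.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:misc-activity; sid:2027390; rev:4;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL placeholder rule"; sid:1000001; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_sid(line):
    """Return the sid of an active rule line; None for comments and non-rules."""
    stripped = line.lstrip()
    if not stripped or stripped.startswith("#"):
        return None
    m = SID_RE.search(stripped)
    return int(m.group(1)) if m else None


def disable_sids(rules_text, sids):
    """Comment out every active rule whose sid is in `sids`; return the new text."""
    out = []
    for line in rules_text.splitlines():
        out.append("#" + line if rule_sid(line) in sids else line)
    return "\n".join(out) + "\n"


def active_sids(rules_text):
    """Set of sids still enabled in rules_text (already-commented rules excluded)."""
    return {s for s in map(rule_sid, rules_text.splitlines()) if s is not None}
```

When rules are managed by suricata-update, listing 2027390 in its disable.conf has the same effect without editing suricata.rules directly.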

doomedraven avatar doomedraven commented on July 18, 2024


kevoreilly avatar kevoreilly commented on July 18, 2024

Which score are you referring to? If it's malscore, this is a legacy cuckoo feature which is not enabled in CAPE by default for exactly this reason.

The difficulty is in how to avoid scoring actions like these but still catch malicious actions that use the same or similar API. I would be interested to hear any proposal to solve this problem - failing that as I mentioned this is exactly why malscore is not enabled by default. My advice would be to disable it.


kevoreilly avatar kevoreilly commented on July 18, 2024

@wasbt thank you for your suggestions - I have created a PR with these changes as I am very keen to welcome contributions. We would however appreciate PRs in future as it saves unnecessary effort.

CAPESandbox/community#430

