Comments (5)
@kevoreilly My suggestion to fix [Accessed credential storage registry keys] while analysing a PDF with Adobe Reader is to reduce the severity using:

from lib.cuckoo.common.abstracts import Signature


class RegistryCredentialStoreAccess(Signature):
    name = "registry_credential_store_access"
    description = "Accessed credential storage registry keys"
    severity = 3
    categories = ["persistence", "lateral", "credential_dumping"]
    authors = ["Kevin Ross"]
    minimum = "1.3"
    evented = True
    ttps = ["T1003"]  # MITRE v6,7,8
    ttps += ["T1003.002"]  # MITRE v7,8
    mbcs = ["OB0005"]

    def run(self):
        ret = False
        reg_indicators = [
            "HKEY_LOCAL_MACHINE\\\\SAM$",
            "HKEY_LOCAL_MACHINE\\\\SYSTEM$",
        ]
        for indicator in reg_indicators:
            match = self.check_key(pattern=indicator, regex=True)
            if match:
                self.data.append({"regkey": match})
                ret = True
        # Tweak: this signature fires during PDF analysis in Adobe Reader, so lower the
        # severity for PDF targets. .get() guards URL tasks, which have no "file" entry.
        if "PDF" in self.results.get("target", {}).get("file", {}).get("type", ""):
            self.severity = 1
        return ret
And I also created a new PDF annot URL checker, because https://github.com/CAPESandbox/community/blob/master/modules/signatures/all/pdf_annot_urls.py is not working anymore:

from lib.cuckoo.common.abstracts import Signature


class PDF_Annot_URLs_Checker(Signature):
    name = "pdf_annot_urls_checker"
    description = "The PDF contains a Link Annotation"
    severity = 2  # Default severity
    categories = ["static"]
    authors = ["Wassime BATTA"]
    minimum = "0.5"
    filter_analysistypes = {"file", "static"}
    malicious_tlds_file = "/opt/CAPEv2/data/malicioustlds.txt"
    # Link targets ending in one of these extensions are treated as malicious
    script_extensions = (".exe", ".php", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".psm1", ".sh")

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.malicious_tlds = self.load_malicious_tlds()

    def load_malicious_tlds(self):
        """Read one ".tld" per line; a missing file yields an empty set instead of breaking signature loading."""
        malicious_tlds = set()
        try:
            with open(self.malicious_tlds_file, "r") as f:
                for line in f:
                    line = line.strip()
                    if line.startswith("."):
                        malicious_tlds.add(line.lower())
        except OSError:
            pass
        return malicious_tlds

    def run(self):
        found_malicious_extension = False
        found_malicious_domain = False
        found_domain_only = False
        suspect = False
        file_info = self.results.get("target", {}).get("file", {})
        if "PDF" in file_info.get("type", ""):
            # .get() guards PDFs for which static parsing produced no "pdf" section
            for entry in file_info.get("pdf", {}).get("Annot_URLs", []):
                entry_lower = entry.lower()
                self.data.append({"url": entry})
                if entry_lower.endswith(self.script_extensions) and not entry_lower.startswith("mailto:"):
                    found_malicious_extension = True
                if entry_lower.startswith(("http://", "https://")):
                    domain_start = entry_lower.find("//") + 2
                    domain_end = entry_lower.find("/", domain_start)
                    if domain_end == -1:
                        domain = entry_lower[domain_start:]
                    else:
                        domain = entry_lower[domain_start:domain_end]
                    for malicious_tld in self.malicious_tlds:
                        if domain.endswith(malicious_tld):
                            found_malicious_domain = True
                            break
                    else:
                        # No malicious TLD matched: record a plain link only
                        found_domain_only = True
        if found_malicious_domain or found_malicious_extension:
            self.severity = 6
            self.description = "The PDF contains a Malicious Link Annotation"
            suspect = True
        elif found_domain_only:
            self.severity = 2
            self.description = "The PDF contains a Link Annotation"
            suspect = True
        return suspect
And a malicious/suspect TLD list in /opt/CAPEv2/data/malicioustlds.txt, one TLD per line:
The new script is working well with dynamic and static scans (tested on Win10 and Adobe Reader 9).
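Added here as a stand-alone example (not code from the issue or from CAPE): an offline harness that mirrors the verdict logic of the PDF_Annot_URLs_Checker above against a constructed results dict, so the signature's behaviour can be checked before it goes into a PR. It extracts hostnames with urllib.parse, so ports, userinfo and query strings do not bypass the TLD and extension checks the way plain string slicing allows; MALICIOUS_TLDS and SAMPLE_RESULTS are constructed stand-ins.

```python
"""Offline harness for the PDF Annot_URLs verdict logic (added example, not CAPE's
code); urllib.parse keeps ports, userinfo and query strings from bypassing the checks."""
from urllib.parse import urlsplit
# Constructed stand-in for /opt/CAPEv2/data/malicioustlds.txt (one ".tld" per line)
MALICIOUS_TLDS = {".xyz", ".top", ".co.ua"}
SCRIPT_EXTS = (".exe", ".php", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".psm1", ".sh")

def split_url(url):
    """urlsplit that returns None instead of raising on malformed input (e.g. bad IPv6)."""
    try:
        return urlsplit(url)
    except ValueError:
        return None

def hostname_of(url):
    """Lowercase hostname of an http(s) URL, minus port and userinfo; None otherwise."""
    parts = split_url(url)
    if parts is None or parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")

def classify_annot_urls(results, tlds=MALICIOUS_TLDS):
    """Mirror the signature's verdict: (severity, description, urls) or None."""
    file_info = results.get("target", {}).get("file", {})  # absent for URL tasks
    if "PDF" not in file_info.get("type", ""):
        return None
    urls, malicious, benign_http = [], False, False
    for url in file_info.get("pdf", {}).get("Annot_URLs", []):
        urls.append(url)
        parts = split_url(url)
        # Extension check on the path only, so "x.exe?dl=1" still matches
        if parts and parts.scheme != "mailto" and parts.path.lower().endswith(SCRIPT_EXTS):
            malicious = True
        host = hostname_of(url)
        if host and any(host.endswith(tld) for tld in tlds):
            malicious = True
        elif host:
            benign_http = True  # http(s) link on a TLD that is not listed
    if malicious:
        return 6, "The PDF contains a Malicious Link Annotation", urls
    if benign_http:
        return 2, "The PDF contains a Link Annotation", urls
    return None

# Constructed results in the shape CAPE's static PDF parser produces for a file task
SAMPLE_RESULTS = {"target": {"file": {"type": "PDF document, version 1.7", "pdf": {"Annot_URLs": [
    "mailto:billing@example.com", "HTTPS://user:pw@Updates.Example.XYZ:8443/view",
    "http://cdn.example.com/doc.pdf"]}}}}
```

Run classify_annot_urls(SAMPLE_RESULTS) to see the second link flagged through the .xyz suffix despite the mixed case, credentials and port in the URL.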
Sometimes the CAPE Suricata alert triggers "AKAMAI-AS" as malicious with severity 3. I suggest also adding to the docs that commenting out
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent"; flow:established,to_server; http.user_agent; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; depth:42; endswith; nocase; fast_pattern; classtype:misc-activity; sid:2027390; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2019_05_28, deployment Perimeter, former_category USER_AGENTS, performance_impact Low, signature_severity Informational, updated_at 2020_09_17;)
in suricata.rules will disable this false positive.
Which score are you referring to? If it's malscore, this is a legacy Cuckoo feature which is not enabled in CAPE by default for exactly this reason.
The difficulty is in how to avoid scoring actions like these but still catch malicious actions that use the same or similar API. I would be interested to hear any proposal to solve this problem; failing that, as I mentioned, this is exactly why malscore is not enabled by default. My advice would be to disable it.
@wasbt thank you for your suggestions - I have created a PR with these changes as I am very keen to welcome contributions. We would however appreciate PRs in future as it saves unnecessary effort.