From 7c26fff85610b2037be4472033c91ed33b866e70 Mon Sep 17 00:00:00 2001 From: car062636 <64392464+car062636@users.noreply.github.com> Date: Wed, 29 Apr 2020 15:25:57 +0800 Subject: [PATCH] Add signature for reg.exe called from command shell MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit What did you create/change? I have added a new signature for windows, this signature is based on https://car.mitre.org/analytics/CAR-2013-03-001/ which is an Analytic, it will be triggered when the built-in utility reg.exe is called from the command shell. According to CAR, I completed a signature code which can traverse the processtree by DFS to capture the reg.exe call from command shell event.  What is the goal of this addition/change? I want to integrate the analytics of Cyber Analytics Repository into the Cuckoo report, but the analytics are based on the sensor like Sysmon, so I should map the event recorded by these sensors to the cuckoo report. Did you test your addition/change? I have verified this signature by the following method. First, I created a Windows application that adds a registry key by calling reg.exe from the command shell and downloaded Sysmon to record its event log. Secondly, by observing the event log manually, I confirmed that my windows application can trigger the analytic CAR-2013-03-001. After getting the cuckoo report of this application, I found that the processtree in the report indicates this analytic should have been triggered during the execution of the application. I also tested my signature on the malware sample (MD5: b5d77d9e5a93848aaf59cd6115e54732), which queries the registry.   Thirdly, I submitted these samples again; the new Cuckoo report shows that my signature captures this event correctly. --- .../windows/regexe_call_from_cmd.py | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 modules/signatures/windows/regexe_call_from_cmd.py 
diff --git a/modules/signatures/windows/regexe_call_from_cmd.py b/modules/signatures/windows/regexe_call_from_cmd.py
new file mode 100644
index 000000000..01a4aa057
--- /dev/null
+++ b/modules/signatures/windows/regexe_call_from_cmd.py
@@ -0,0 +1,40 @@
+# Copyright (C) 2016 Cuckoo Foundation.
+# This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
+# See the file 'docs/LICENSE' for copying permission.
+
+from lib.cuckoo.common.abstracts import Signature
+
+class RegCallfromCMD(Signature):
+
+    name = "reg_called_from_cmd"
+    description = "Reg.exe called from Command Shell"
+    severity = 3
+    categories = ["analytic"]
+    authors = ["ZW"]
+    minimum = "2.0"
+    reference = ["https://car.mitre.org/analytics/CAR-2013-03-001/"]
+    ttp = [""]
+
+    def on_complete(self):
+
+        for process in self.get_results("behavior", {}).get("processtree", []):
+            stack = [process]
+            traversed_path = []
+
+            while stack:
+                process_visit = stack.pop()
+
+                if process_visit["process_name"] == "reg.exe":
+                    for visited_process_find_parent in traversed_path:
+                        if process_visit["ppid"] == visited_process_find_parent["pid"] and visited_process_find_parent["process_name"] == "cmd.exe":
+                            for visited_process_find_GP in traversed_path:
+                                if visited_process_find_parent["ppid"] == visited_process_find_GP["pid"] and visited_process_find_GP["process_name"] != "explorer.exe":
+                                    self.mark(marked_process = process)
+
+                                    return self.has_marks()
+
+                traversed_path.append(process_visit)
+                stack.extend(process_visit['children'])
+
+
+
\ No newline at end of file
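Review bot: The `process_name` comparisons against `"reg.exe"`, `"cmd.exe"` and `"explorer.exe"` in `on_complete` are case-sensitive, so a sample that spawns `REG.EXE` or `Reg.exe` would slip past the signature if the monitor reports the image name as the guest spelled it; compare with `process_visit["process_name"].lower() == "reg.exe"` and do the same for the parent and grandparent checks. The mark records `marked_process=process`, the root of the subtree being walked, rather than the matching node, so the report points an analyst at the wrong process — `self.mark(marked_process=process_visit)` (optionally alongside the `cmd.exe` parent) is what the referenced CAR analytic describes. Because the grandparent test only consults nodes already in `traversed_path`, a tree whose root is the `cmd.exe` itself (presumably the case when a batch script is the submitted sample) has no grandparent entry and never fires, even though that parent is certainly not `explorer.exe`; treating a missing grandparent as "not explorer.exe" would close the gap. `ttp = [""]` emits an empty technique entry; fill it with the ATT&CK IDs listed on the referenced CAR page or drop the attribute. Note also that `traversed_path` accumulates every visited node rather than the ancestor chain, so the pid/ppid join can associate `reg.exe` with the wrong `cmd.exe` if the guest reuses a PID during the run.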