Merge pull request #404 from bartblaze/master

Additions and edits

.github/workflows/python-package.yml

@@ -12,14 +12,14 @@ jobs:
     timeout-minutes: 20
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.11]
 
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -39,15 +39,15 @@ jobs:
     timeout-minutes: 20
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.11]
     if: ${{ github.ref == 'refs/heads/master' }}
 
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python-version }}
 

.github/workflows/update-mitre-files.yml

@@ -11,14 +11,14 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.11]
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         ref: ${{ github.head_ref }}
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@v4
       with:
         python-version: ${{ matrix.python-version }}
     - name: Update mitre files

modules/signatures/windows/asyncrat_mutex.py

@@ -18,7 +18,7 @@
 
 class AsyncRatMutex(Signature):
     name = "asyncrat_mutex"
-    description = "Creates known AsyncRat mutexe"
+    description = "Creates known AsyncRat mutex"
     severity = 3
     categories = ["infostealer", "keylogger", "rat"]
     families = ["AsyncRat"]

modules/signatures/windows/credential_access.py

@@ -38,3 +38,49 @@ def run(self):
                 ret = True
 
         return ret
+
+
+class VaultCmd(Signature):
+    name = "vaultcmd_credentialaccess"
+    description = "Lists credentials using VaultCmd"
+    severity = 3
+    categories = ["credentials", "credential_access"]
+    authors = ["bartblaze"]
+    minimum = "1.3"
+    evented = True
+    ttps = ["T1555"]
+    reference = ["https://attack.mitre.org/techniques/T1555/004/"]
+
+    def run(self):
+        ret = False
+        cmdlines = self.results["behavior"]["summary"]["executed_commands"]
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            if "vaultcmd" in lower and "list" in lower:
+                ret = True
+                self.data.append({"command": cmdline})
+
+        return ret
+
+
+class CredWiz(Signature):
+    name = "credwiz_credentialaccess"
+    description = "Exports credentials using CredWiz"
+    severity = 3
+    categories = ["credentials", "credential_access"]
+    authors = ["bartblaze"]
+    minimum = "1.3"
+    evented = True
+    ttps = ["T1555"]
+    reference = ["https://attack.mitre.org/techniques/T1555/"]
+
+    def run(self):
+        ret = False
+        cmdlines = self.results["behavior"]["summary"]["executed_commands"]
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            if "credwiz" in lower and "keymgr" in lower:
+                ret = True
+                self.data.append({"command": cmdline})
+
+        return ret