diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml index a6e7858a..ae364d0e 100644 --- a/.github/workflows/python-package.yml +++ b/.github/workflows/python-package.yml @@ -12,14 +12,14 @@ jobs: timeout-minutes: 20 strategy: matrix: - python-version: [3.8] + python-version: [3.11] steps: - name: Check out repository code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v3 + uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} @@ -39,15 +39,15 @@ jobs: timeout-minutes: 20 strategy: matrix: - python-version: [3.8] + python-version: [3.11] if: ${{ github.ref == 'refs/heads/master' }} steps: - name: Check out repository code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v3 + uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} diff --git a/.github/workflows/update-mitre-files.yml b/.github/workflows/update-mitre-files.yml index feb29ffe..b64206a6 100644 --- a/.github/workflows/update-mitre-files.yml +++ b/.github/workflows/update-mitre-files.yml @@ -11,14 +11,14 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: [3.8] + python-version: [3.11] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: ref: ${{ github.head_ref }} - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v3 + uses: actions/setup-python@v4 with: python-version: ${{ matrix.python-version }} - name: Update mitre files diff --git a/modules/signatures/windows/asyncrat_mutex.py b/modules/signatures/windows/asyncrat_mutex.py index 58dadc8e..fa020fab 100644 --- a/modules/signatures/windows/asyncrat_mutex.py +++ b/modules/signatures/windows/asyncrat_mutex.py 
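Review bot: The bumped `uses: actions/checkout@v4` and `uses: actions/setup-python@v4` lines still reference mutable tags, so each run executes whatever commit the tag currently points to; pinning to a full-length commit SHA with the version kept in a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v4`) makes the CI dependency reproducible and reviewable, and the same applies to the second hunk of this file and to the update-mitre-files.yml hunk. The matrix value `python-version: [3.11]` is an unquoted float that happens to survive here, but a later bump to `3.10` would be read as `3.1`, so `python-version: ["3.11"]` keeps the matrix safe to edit. Both jobs continue outside the hunk.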
@@ -18,7 +18,7 @@ class AsyncRatMutex(Signature):
     name = "asyncrat_mutex"
-    description = "Creates known AsyncRat mutexe"
+    description = "Creates known AsyncRat mutex"
     severity = 3
     categories = ["infostealer", "keylogger", "rat"]
     families = ["AsyncRat"]
diff --git a/modules/signatures/windows/credential_access.py b/modules/signatures/windows/credential_access.py
index 2ca6ec51..29bab6bb 100644
--- a/modules/signatures/windows/credential_access.py
+++ b/modules/signatures/windows/credential_access.py
@@ -38,3 +38,49 @@ def run(self):
                 ret = True
         return ret
+
+
+class VaultCmd(Signature):
+    name = "vaultcmd_credentialaccess"
+    description = "Lists credentials using VaultCmd"
+    severity = 3
+    categories = ["credentials", "credential_access"]
+    authors = ["bartblaze"]
+    minimum = "1.3"
+    evented = True
+    ttps = ["T1555"]
+    reference = ["https://attack.mitre.org/techniques/T1555/004/"]
+
+    def run(self):
+        ret = False
+        cmdlines = self.results["behavior"]["summary"]["executed_commands"]
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            if "vaultcmd" in lower and "list" in lower:
+                ret = True
+                self.data.append({"command": cmdline})
+
+        return ret
+
+
+class CredWiz(Signature):
+    name = "credwiz_credentialaccess"
+    description = "Exports credentials using CredWiz"
+    severity = 3
+    categories = ["credentials", "credential_access"]
+    authors = ["bartblaze"]
+    minimum = "1.3"
+    evented = True
+    ttps = ["T1555"]
+    reference = ["https://attack.mitre.org/techniques/T1555/"]
+
+    def run(self):
+        ret = False
+        cmdlines = self.results["behavior"]["summary"]["executed_commands"]
+        for cmdline in cmdlines:
+            lower = cmdline.lower()
+            if "credwiz" in lower and "keymgr" in lower:
+                ret = True
+                self.data.append({"command": cmdline})
+
+        return ret
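Review bot: Both new `run` methods index `self.results["behavior"]["summary"]["executed_commands"]` directly, so a report whose behavior summary lacks that key (or has no summary at all) raises a KeyError from inside the signature instead of returning False; `cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])` keeps the signature inert on such reports. The two bodies differ only in their pair of keywords, which suggests the loop belongs in one shared helper, and each class would benefit from a one-line comment stating why both tokens must co-occur on the same command line so a later maintainer does not loosen the match. `VaultCmd.reference` points at sub-technique T1555/004 while `ttps` lists only `"T1555"`; if this project's `ttps` field accepts sub-technique identifiers, aligning the two is worth doing, though I cannot confirm that from the hunk. The existing `run` whose tail opens this hunk starts outside it.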