Update misc.py

CAPESandbox · Oct 31, 2024 · bd09c8d · bd09c8d
1 parent 64cceca
commit bd09c8d
Showing 1 changed file with 113 additions and 2 deletions.
diff --git a/modules/signatures/windows/misc.py b/modules/signatures/windows/misc.py
@@ -257,7 +257,7 @@ def __init__(self, *args, **kwargs):
         self.detected = False
 
     def on_call(self, call, process):
-        if process["process_name"] in ("wscript.exe", "cscript.exe") and call["api"] == "CreateProcessInternalW":
+        if process["process_name"].lower() in ("wscript.exe", "cscript.exe") and call["api"] == "CreateProcessInternalW":
             cmdline = self.get_argument(call, "CommandLine")
             lower = cmdline.lower()
             if (
@@ -268,4 +268,115 @@ def on_call(self, call, process):
                 self.detected = True
 
     def on_complete(self):
-        return self.detected
+        if self.detected:
+            return True
+        return False
+
+class AMSIBypassViaCOMRegistry(Signature):
+    name = "amsi_bypass_via_com_registry"
+    description = "Attempts to disable the Microsoft Antimalware Scan Interface via registry"
+    severity = 3
+    categories = ["evasion"]
+    authors = ["@para0x0dise"]
+    minimum = "0.5"
+    evented = True
+    ttps = ["T1562"]
+    references = [
+        "https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/defense_evasion_amsi_bypass_via_com_registry_modification.toml",
+        "https://blog.sonicwall.com/en-us/2023/03/asyncrat-variant-includes-cryptostealer-capabilites/"
+    ]
+
+    filter_apinames = set(["RegSetValueExA", "RegSetValueExW"])
+
+    def __init__(self, *args, **kwargs):
+        Signature.__init__(self, *args, **kwargs)
+        self.detected = False
+
+    def on_call(self, call, _):
+        if call["api"] in ("RegSetValueExA", "RegSetValueExW"):
+            regKeyPath = self.get_argument(call, "FullName").lower()
+            buf = self.get_argument(call, "Buffer")
+            if "{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\inprocserver" in regKeyPath and buf != "amsi.dll":
+                self.data.append({"Value": buf})
+                self.detected = True
+
+    def on_complete(self):
+        if self.detected:
+            return True
+        return False
+
+class LoadDLLViaControlPanel(Signature):
+    name = "load_dll_via_control_panel"
+    description = "Attempt to load malicious DLL when Control Panel is executed"
+    severity = 3
+    categories = ["evasion", "bypass"]
+    authors = ["@para0x0dise"]
+    minimum = "0.5"
+    evented = True
+    ttps = ["T1218"]
+    references = [
+        "https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/defense_evasion_dll_control_panel_items_registry_modification.toml"
+    ]
+
+    filter_apinames = set(["RegSetValueExA", "RegSetValueExW"])
+
+    def __init__(self, *args, **kwargs):
+        Signature.__init__(self, *args, **kwargs)
+        self.detected = False
+        self.falseProcess = (
+            "svchost.exe", "drvinst.exe", "msiexec.exe"
+        )
+
+    def on_call(self, call, process):
+        if not (process["process_name"].lower in self.falseProcess or
+                "windows\\system32\\driverstore\\filerepository" in process["module_path"].lower):
+
+            if call["api"] in ("RegSetValueExA", "RegSetValueExW"):
+                regKeyPath = self.get_argument(call, "FullName").lower()
+                buf = self.get_argument(call, "Buffer")
+                type = self.get_argument(call, "Type")
+
+                if any(key in regKeyPath for key in ("software\\microsoft\\windows\\currentversion\\control panel\\cpls","software\\microsoft\\windows\\currentversion\\control panel\\cpls\\")) and not buf != '' and not type != '4':
+                    self.data.append({"regkey": regKeyPath})
+                    self.detected = True
+
+    def on_complete(self):
+        if self.detected:
+            return True
+        return False
+
+class DLLHijackingViaWaaSMedicSvcCOMTypeLib(Signature):
+    name = "dll_hijacking_via_waas_medic_svc_com_typelib"
+    description = "Attempts to load malicious DLL via WaaSMedicSvc COM TypeLib"
+    severity = 3
+    categories = ["evasion", "persistence"]
+    authors = ["@para0x0dise"]
+    minimum = "0.5"
+    evented = True
+    ttps = ["T1546"]
+    references = [
+        "https://blog.scrt.ch/2023/03/17/bypassing-ppl-in-userland-again/",
+        "https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/defense_evasion_waasmedicsvc_com_type_lib_hijack.toml"
+
+    ]
+
+    filter_apinames = set(["RegSetValueExA", "RegSetValueExW"])
+
+    def __init__(self, *args, **kwargs):
+        Signature.__init__(self, *args, **kwargs)
+        self.detected = False
+
+    def on_call(self, call, process):
+        if not "\\Windows\\System32\\svchost.exe" in process["module_name"]:
+            if call["api"] in ("RegSetValueExA", "RegSetValueExW"):
+                regKeyPath = self.get_argument(call, "FullName").lower()
+                buf = self.get_argument(call, "Buffer")
+                if ("\\software\\classes\\typelib\\{3ff1aab8-f3d8-11d4-825d-00104b3646c0}\\" in regKeyPath and
+                        buf.endswith(".dll")) and not buf.endswith("WaaSMedicPS.dll"):
+                    self.data.append({"Value": buf})
+                    self.detected = True
+
+    def on_complete(self):
+        if self.detected:
+            return True
+        return False