Py3 12 deprecations #448
Py3 12 deprecations #448
Conversation
| ".*\\\\Microsoft\\ Security\\ Client", | ||
| ".*\\\\System32\\\\drivers\\\\kl1\\.sys$", | ||
| ".*\\\\System32\\\\drivers\\\\(tm((actmon|comm)\\.|e(vtmgr\\.|ext\\.)|(nciesc|tdi)\\.)|TMEBC32\\.)sys$", | ||
| r".*\\AVAST\\ Software", |
There was a problem hiding this comment.
This should be
r".*\\AVAST\ Software",
right? (Changing \\\\ to \\ and also changing \\ to \ )
If so that also applies to many of the other changes in this PR.
| r"Browsers\\Autofills\\Autofills_Google\.txt", | ||
| r"Browsers\\Downloads\\Downloads_Google\.txt", | ||
| r"Browsers\\History\\History_Google\.txt", | ||
| r"Browsers\\Passwords\\Passwords_Edge\.txt", |
There was a problem hiding this comment.
Possibly these do not need the backslash before the .txt suffix. But I could be wrong
| r".*\\FlashFXP\\.*\\Quick\.dat$", | ||
| r".*\\FileZilla\\sitemanager\.xml$", | ||
| r".*\\FileZilla\\recentservers\.xml$", | ||
| r".*\\FTPRush\\RushSite\.xml$", |
There was a problem hiding this comment.
Here also it seems to me the backslash before the period may not be needed
There was a problem hiding this comment.
Here also it seems to me the backslash before the period may not be needed
Although I am having second thoughts about that
| r".*\\Skype\\.*\\config\.xml$", | ||
| r".*\\Tencent\\ Files\\.*\\QQ\\Registry\.db$", | ||
| r".*\\Trillian\\users\\global\\accounts\.ini$", | ||
| r".*\\Xfire\\XfireUser\.ini$", |
There was a problem hiding this comment.
Also here, do we need the backslash before .ini or .txt etc ?
There was a problem hiding this comment.
Also here, do we need the backslash before
.inior.txtetc ?
Probably we do need it here I think now
| ] | ||
| indicators = ( | ||
| r"HKEY_CURRENT_USER\\\\Software\\\\Medusa", | ||
| r"HKEY_CURRENT_USER\\\\Software\\\\Medusa\\\\.*", |
There was a problem hiding this comment.
I think these two should be
r"HKEY_CURRENT_USER\\Software\\Medusa",
r"HKEY_CURRENT_USER\\Software\\Medusa\\.*",
| @@ -66,7 +66,7 @@ def __init__(self, *args, **kwargs): | |||
| def on_call(self, call, process): | |||
| if call["api"] == "RegSetValueExA": | |||
| key = self.get_argument(call, "FullName").lower() | |||
| if ".*\\software\\classes\\exefile\\shell\\open\\command.*" in key: | |||
| if r".*\\software\classes\\exefile\\shell\\open\\command.*" in key: | |||
There was a problem hiding this comment.
This doesn't look like a regular expression, just is being used with in - so it should be if r"\software\classes\exefile\shell\open\command" in key: - right?
| @@ -60,7 +60,7 @@ class WebShellFiles(Signature): | |||
| ttps += ["T1505.003"] # MITRE v7,8 | |||
|
|
|||
| def run(self): | |||
| indicators = [".*\\\\inetpub\\\\wwwroot\\\\.*", ".*\\\\System32\\\\inetsrv\\\\.*"] | |||
| indicators = [r".*\inetpub\wwwroot\.*", ".*\System32\inetsrv\.*"] | |||
There was a problem hiding this comment.
should say
indicators = (r".*\\inetpub\\wwwroot\\.*", r".*\\System32\\inetsrv\\.*")
| @@ -83,7 +83,7 @@ class OWAWebShellFiles(Signature): | |||
|
|
|||
| def run(self): | |||
| indicators = [ | |||
| "C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V[0-9]{2}\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\.*", | |||
| r"C:\\Program Files\Microsoft\Exchange Server\V[0-9]{2}\FrontEnd\HttpProxy\owa\.*", | |||
There was a problem hiding this comment.
I believe this should say
r"C:\\Program Files\\Microsoft\\Exchange Server\\V[0-9]{2}\\FrontEnd\\HttpProxy\\owa\\.*"
| re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\InstallUtil\.exe", re.IGNORECASE), | ||
| re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\mscorsvw\.exe", re.IGNORECASE), | ||
| re.compile(r"[A-Z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\CasPol\.exe", re.IGNORECASE), | ||
| re.compile(r"[A-Z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\MSBuild\.exe", re.IGNORECASE), |
There was a problem hiding this comment.
It looks like you maybe got rid of too many \\\\ on this MSBuild line
| @@ -132,8 +132,8 @@ def run(self): | |||
| return ret | |||
|
|
|||
|
|
|||
| GENERIC_CMD = '"c:\\windows\\system32\\cmd.exe" /c start /wait "" ' | |||
| SUBSEQUENT_GENERIC_CMD = "c:\\windows\\system32\\cmd.exe /k " | |||
| GENERIC_CMD = r'"c:\\windows\system32\cmd.exe" /c start /wait "" ' | |||
There was a problem hiding this comment.
The GENERIC_CMD ought to start with c:\windows I imagine
No description provided.