From 06ba2d22288149cfc38a5b4d251df0da1fb147e5 Mon Sep 17 00:00:00 2001 
From: doomedraven Date: Sat, 28 Sep 2024 17:10:41 +0200 Subject: [PATCH 1/6] sync --- modules/signatures/all/banker_zeus_p2p.py | 2 +- .../signatures/deprecated/locker_taskmgr.py | 2 +- modules/signatures/deprecated/shifu_apis.py | 10 +- modules/signatures/deprecated/vawtrak_apis.py | 2 +- modules/signatures/loader_alien.py | 6 +- .../signatures/windows/accesses_netlogon.py | 4 +- .../windows/accesses_public_folder.py | 3 +- modules/signatures/windows/accesses_sysvol.py | 4 +- .../windows/antianalysis_detectfile.py | 74 ++--- .../windows/antianalysis_detectreg.py | 22 +- modules/signatures/windows/antiav_bypass.py | 2 +- .../signatures/windows/antiav_detectfile.py | 106 +++---- .../signatures/windows/antiav_detectreg.py | 106 +++---- modules/signatures/windows/antiav_srp.py | 2 +- .../signatures/windows/antidebug_windows.py | 2 +- .../signatures/windows/antiemu_windefend.py | 8 +- .../windows/antisandbox_cuckoo_files.py | 4 +- .../windows/antisandbox_fortinet_files.py | 6 +- .../windows/antisandbox_joe_anubis_files.py | 4 +- .../windows/antisandbox_sunbelt_files.py | 4 +- .../windows/antisandbox_threattrack_files.py | 6 +- .../signatures/windows/antivm_bochs_keys.py | 2 +- .../signatures/windows/antivm_generic_bios.py | 4 +- .../windows/antivm_generic_diskreg.py | 6 +- .../windows/antivm_generic_system.py | 2 +- .../signatures/windows/antivm_hyperv_keys.py | 2 +- .../windows/antivm_parallels_keys.py | 6 +- .../signatures/windows/antivm_vbox_files.py | 42 +-- .../signatures/windows/antivm_vbox_keys.py | 12 +- .../signatures/windows/antivm_vmware_files.py | 12 +- .../signatures/windows/antivm_vmware_keys.py | 8 +- .../signatures/windows/antivm_vpc_files.py | 4 +- modules/signatures/windows/antivm_vpc_keys.py | 4 +- modules/signatures/windows/antivm_xen_keys.py | 6 +- modules/signatures/windows/backdoor_gulpix.py | 2 +- .../windows/backdoor_ketrican_regkeys.py | 6 +- modules/signatures/windows/banker_cridex.py | 2 +- modules/signatures/windows/banker_geodo.py | 8 +- 
modules/signatures/windows/bootkit.py | 8 +- modules/signatures/windows/browser_addon.py | 10 +- modules/signatures/windows/browser_bho.py | 2 +- modules/signatures/windows/browser_proxy.py | 20 +- .../signatures/windows/browser_security.py | 26 +- .../signatures/windows/browser_startpage.py | 2 +- modules/signatures/windows/browser_tabs.py | 2 +- modules/signatures/windows/bypass_firewall.py | 2 +- modules/signatures/windows/bypass_uac.py | 16 +- modules/signatures/windows/carberp_mutex.py | 2 +- modules/signatures/windows/clears_logs.py | 6 +- .../windows/collects_systeminfo_cmd.py | 18 +- .../signatures/windows/credential_access.py | 2 +- .../signatures/windows/credential_dumping.py | 22 +- .../signatures/windows/darkcomet_regkeys.py | 10 +- modules/signatures/windows/datop_loader.py | 2 +- modules/signatures/windows/disables_app.py | 2 +- .../windows/disables_app_autotermination.py | 4 +- .../windows/disables_appv_virtualization.py | 6 +- .../signatures/windows/disables_backups.py | 26 +- .../windows/disables_browserwarn.py | 22 +- .../windows/disables_context_menus.py | 8 +- .../windows/disables_cpl_display.py | 4 +- .../signatures/windows/disables_crashdumps.py | 4 +- .../windows/disables_event_logging.py | 4 +- .../windows/disables_folder_options.py | 4 +- .../windows/disables_notificationcenter.py | 4 +- .../windows/disables_power_options.py | 18 +- .../windows/disables_restore_default_state.py | 4 +- .../windows/disables_run_command.py | 4 +- .../signatures/windows/disables_security.py | 30 +- .../windows/disables_smartscreen.py | 10 +- .../windows/disables_startmenu_search.py | 10 +- .../signatures/windows/disables_sysrestore.py | 10 +- modules/signatures/windows/disables_uac.py | 2 +- modules/signatures/windows/disables_wer.py | 2 +- .../windows/disables_windefender.py | 28 +- .../disables_windows_file_protection.py | 8 +- .../windows/disables_windowsupdate.py | 2 +- .../signatures/windows/downloader_cabby.py | 2 +- 
.../signatures/windows/downloader_guloader.py | 10 +- modules/signatures/windows/exploit_spooler.py | 4 +- .../windows/forces_mappeddrives_uac.py | 6 +- .../windows/hides_recyclebin_icon.py | 6 +- .../windows/infostealer_apocalypse.py | 10 +- .../signatures/windows/infostealer_arkei.py | 4 +- .../signatures/windows/infostealer_bitcoin.py | 76 ++--- .../signatures/windows/infostealer_browser.py | 52 ++-- .../signatures/windows/infostealer_cookies.py | 26 +- .../windows/infostealer_cryptbot.py | 16 +- .../signatures/windows/infostealer_echelon.py | 28 +- modules/signatures/windows/infostealer_ftp.py | 72 ++--- modules/signatures/windows/infostealer_im.py | 54 ++-- .../signatures/windows/infostealer_mail.py | 39 ++- .../windows/infostealer_masslogger.py | 24 +- .../windows/infostealer_poullight.py | 14 +- .../signatures/windows/infostealer_qulab.py | 12 +- modules/signatures/windows/martians_ie.py | 22 +- modules/signatures/windows/martians_office.py | 46 +-- modules/signatures/windows/mimics_filetime.py | 6 +- modules/signatures/windows/modifies_certs.py | 2 +- .../windows/modifies_dotnetclr_knobs.py | 4 +- .../signatures/windows/modifies_hostsfile.py | 2 +- modules/signatures/windows/modifies_oem.py | 10 +- .../signatures/windows/modifies_seccenter.py | 10 +- .../signatures/windows/modifies_uac_notify.py | 10 +- .../signatures/windows/modifies_wallpaper.py | 8 +- .../windows/network_dns_suspicious.py | 24 +- modules/signatures/windows/network_tor.py | 18 +- .../signatures/windows/network_tor_service.py | 2 +- .../signatures/windows/office_dll_loading.py | 9 +- .../windows/office_macro_settings.py | 8 +- modules/signatures/windows/office_security.py | 8 +- .../windows/packer_armadillo_regkey.py | 2 +- .../signatures/windows/persistence_autorun.py | 76 ++--- .../windows/persistence_bootexecute.py | 2 +- .../signatures/windows/persistence_ifeo.py | 12 +- .../windows/persistence_remotedesktop.py | 14 +- .../signatures/windows/persistence_shim.py | 12 +- 
.../signatures/windows/prevents_safeboot.py | 4 +- .../windows/ransomware_dmalocker.py | 2 +- .../signatures/windows/ransomware_files.py | 270 +++++++++--------- .../signatures/windows/ransomware_gandcrab.py | 2 +- .../windows/ransomware_medusalocker.py | 8 +- .../signatures/windows/ransomware_nemty.py | 2 +- .../signatures/windows/ransomware_radamant.py | 6 +- .../windows/ransomware_recyclebin.py | 2 +- .../windows/ransomware_revil_mutex.py | 36 +-- modules/signatures/windows/rat_blackremote.py | 6 +- modules/signatures/windows/rat_karagany.py | 14 +- modules/signatures/windows/rat_limerat.py | 12 +- modules/signatures/windows/rat_lodarat.py | 2 +- modules/signatures/windows/rat_modi.py | 24 +- modules/signatures/windows/rat_nanocore.py | 16 +- .../signatures/windows/rat_njrat_regkeys.py | 8 +- modules/signatures/windows/rat_oblique.py | 10 +- modules/signatures/windows/rat_pcclient.py | 8 +- modules/signatures/windows/rat_spynet.py | 4 +- modules/signatures/windows/rat_warzone.py | 12 +- modules/signatures/windows/rat_xpert.py | 6 +- .../signatures/windows/recon_fingerprint.py | 14 +- .../signatures/windows/recyclebin_access.py | 2 +- modules/signatures/windows/remcos.py | 8 +- modules/signatures/windows/remote_desktop.py | 2 +- .../windows/removes_networking_icon.py | 2 +- .../windows/removes_pinned_programs.py | 8 +- .../windows/removes_sec_maintain_icon.py | 2 +- .../windows/removes_startmenu_defaults.py | 12 +- .../windows/removes_username_startmenu.py | 2 +- .../signatures/windows/rootkit_spicyhotpot.py | 8 +- modules/signatures/windows/sniffer_winpcap.py | 2 +- .../windows/spreading_autoruninf.py | 2 +- .../windows/stealth_hiddenextension.py | 2 +- .../signatures/windows/stealth_hiddenreg.py | 10 +- .../windows/stealth_hidenotifications.py | 4 +- .../signatures/windows/stealth_webhistory.py | 6 +- modules/signatures/windows/sysinternals.py | 4 +- modules/signatures/windows/tampers_etw.py | 12 +- modules/signatures/windows/tampers_lsa.py | 2 +- 
.../windows/tampers_powershell_logging.py | 2 +- modules/signatures/windows/targeted_flame.py | 2 +- .../windows/territorial_disputes_sigs.py | 46 +-- modules/signatures/windows/trickbot_files.py | 5 +- modules/signatures/windows/trickbot_mutex.py | 2 +- modules/signatures/windows/trojan_ursnif.py | 14 +- modules/signatures/windows/virus_neshta.py | 2 +- modules/signatures/windows/webshell.py | 4 +- .../windows/whitelisting_bypass_dev_utils.py | 30 +- .../signatures/windows/windows_utilities.py | 6 +- modules/signatures/windows/wiper.py | 2 +- 168 files changed, 1129 insertions(+), 1179 deletions(-) diff --git a/modules/signatures/all/banker_zeus_p2p.py b/modules/signatures/all/banker_zeus_p2p.py index 6103d1dc..9ec71a42 100644 --- a/modules/signatures/all/banker_zeus_p2p.py +++ b/modules/signatures/all/banker_zeus_p2p.py @@ -38,7 +38,7 @@ class ZeusP2P(Signature): def run(self): # Check zeus synchronization-mutex. count = 0 - mutexes = self.check_mutex("^(Global|Local)\\\\\{[A-Z0-9]{8}-([A-Z0-9]{4}-){3}[A-Z0-9]{12}\}", regex=True, all=True) + mutexes = self.check_mutex(r"^(Global|Local)\\\{[A-Z0-9]{8}-([A-Z0-9]{4}-){3}[A-Z0-9]{12}\}", regex=True, all=True) if mutexes: count += len(mutexes) diff --git a/modules/signatures/deprecated/locker_taskmgr.py b/modules/signatures/deprecated/locker_taskmgr.py index 2f9ce62e..70ee61cc 100644 --- a/modules/signatures/deprecated/locker_taskmgr.py +++ b/modules/signatures/deprecated/locker_taskmgr.py @@ -31,7 +31,7 @@ class DisableTaskMgr(Signature): def run(self): if self.check_write_key( - pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskMgr$", + pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr$", regex=True, ): return True diff --git a/modules/signatures/deprecated/shifu_apis.py b/modules/signatures/deprecated/shifu_apis.py index e053d464..aeb62625 100644 
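Review bot: The converted locker_taskmgr pattern still carries the pre-existing doubled separator before `Microsoft` — `(Wow6432Node\\)?\\Microsoft` — so the regex demands two backslashes between `SOFTWARE` (or `Wow6432Node`) and `Microsoft` and cannot match a real registry path with or without the Wow6432Node segment. The optional group already supplies its own trailing separator, as the other signatures in this series do, so the extra `\\` should go: `pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr$",`. The file lives under `deprecated/`, so this only matters if the signature is still loaded; the `run` method continues outside the hunk.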
--- a/modules/signatures/deprecated/shifu_apis.py
+++ b/modules/signatures/deprecated/shifu_apis.py
@@ -68,10 +68,10 @@ def on_call(self, call, process):
 def on_complete(self):
 file_iocs = [
- "^[A-Za-z]:\\\\sample\\\\pos.exe$",
- "^[A-Za-z]:\\\\ProgramData\\\\ELBA5\\\\ELBA_data$",
- "^[A-Za-z]:\\\\analysis$",
- "^[A-Za-z]:\\\\tmp\\\\debug.txt$",
+ r"^[A-Za-z]:\\sample\\pos.exe$",
+ r"^[A-Za-z]:\\ProgramData\\ELBA5\\ELBA_data$",
+ r"^[A-Za-z]:\\analysis$",
+ r"^[A-Za-z]:\\tmp\\debug.txt$",
 ]
 for ioc in file_iocs:
 if self.check_file(pattern=ioc, regex=True):
@@ -79,7 +79,7 @@ def on_complete(self):
 self.malscore += 1
 mutex_iocs = [
- "^(Global|Local)\\\\\{[0-9a-f]{20}\}$",
+ r"^(Global|Local)\\\{[0-9a-f]{20}\}$",
 "^[0-9a-f]{16}$",
 ]
 for ioc in mutex_iocs:
diff --git a/modules/signatures/deprecated/vawtrak_apis.py b/modules/signatures/deprecated/vawtrak_apis.py
index a8cb7f20..1b6252db 100644
--- a/modules/signatures/deprecated/vawtrak_apis.py
+++ b/modules/signatures/deprecated/vawtrak_apis.py
@@ -15,7 +15,7 @@ try:
 import re2 as re
-except:
+except ImportError:
 import re
 from lib.cuckoo.common.abstracts import Signature
diff --git a/modules/signatures/loader_alien.py b/modules/signatures/loader_alien.py
index 9e7687c8..3527c74a 100644
--- a/modules/signatures/loader_alien.py
+++ b/modules/signatures/loader_alien.py
@@ -30,10 +30,10 @@ class AlienLoaderAPIs(Signature):
 # the downloaded payload in a new process after a sleeping time.
 ttps = [
 # Defense Evasion
- "T1497.003", # Virtualization/Sandbox Evasion – Time Based Evasion
- "T1564" # Hide Artefacts – Hidden Window
+ "T1497.003", # Virtualization/Sandbox Evasion - Time Based Evasion
+ "T1564" # Hide Artefacts - Hidden Window
 # Command and Control
- "T1071.001", # Application Layer Protocol – Web Protocols
+ "T1071.001", # Application Layer Protocol - Web Protocols
 ]
 evented = True
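Review bot: `"T1564" # Hide Artefacts - Hidden Window` in loader_alien.py still has no trailing comma, so implicit string concatenation folds it into the next element and `ttps` ends up as `["T1497.003", "T1564T1071.001"]` — the hunk only swaps the dash in the comment and leaves the defect in place. Add the comma: `"T1564",  # Hide Artefacts - Hidden Window`. The Hidden Window sub-technique is presumably `T1564.003` rather than the parent `T1564`; worth confirming against the ATT&CK entry while touching the line. The `AlienLoaderAPIs` class body continues outside the hunk.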
diff --git a/modules/signatures/windows/accesses_netlogon.py b/modules/signatures/windows/accesses_netlogon.py
index 899a714e..730a99b7 100644
--- a/modules/signatures/windows/accesses_netlogon.py
+++ b/modules/signatures/windows/accesses_netlogon.py
@@ -31,7 +31,7 @@ class AccessesMailslot(Signature):
 def run(self):
 indicators = [
- "\\\\MAILSLOT\\\\NET\\\\NETLOGON$",
+ r"\\MAILSLOT\\NET\\NETLOGON$",
 ]
 for indicator in indicators:
@@ -57,7 +57,7 @@ class AccessesNetlogonRegkey(Signature):
 references = ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f"]
 def run(self):
- indicators = ["HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\Netlogon\\\\.*"]
+ indicators = [r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\.*"]
 for indicator in indicators:
 match = self.check_key(pattern=indicator, regex=True)
diff --git a/modules/signatures/windows/accesses_public_folder.py b/modules/signatures/windows/accesses_public_folder.py
index 6a0d49d9..98ed127f 100644
--- a/modules/signatures/windows/accesses_public_folder.py
+++ b/modules/signatures/windows/accesses_public_folder.py
@@ -26,9 +26,8 @@ class AccessesPublicFolder(Signature):
 evented = True
 def run(self):
- file_indicator = "C:\\\\Users\\\\Public\\\\.*"
 found = False
- file_match = self.check_file(pattern=file_indicator, regex=True, all=True)
+ file_match = self.check_file(pattern=r"C:\\Users\\Public\\.*", regex=True, all=True)
 if file_match:
 for match in file_match:
 self.data.append({"file": match})
diff --git a/modules/signatures/windows/accesses_sysvol.py b/modules/signatures/windows/accesses_sysvol.py
index ceccc17a..b831c6bc 100644
--- a/modules/signatures/windows/accesses_sysvol.py
+++ b/modules/signatures/windows/accesses_sysvol.py
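Review bot: The inlined pattern in accesses_public_folder.py hard-codes the `C:` drive and has no `^` anchor, while the file signatures elsewhere in this commit (shifu_apis, antianalysis_detectfile, the Fortinet sandbox checks) use `^[A-Za-z]:` so a sample dropping into `D:\Users\Public` is still caught. Assuming `check_file` searches the path rather than requiring a full match, which the `^`-anchored entries in the other files suggest, the line would read `file_match = self.check_file(pattern=r"^[A-Za-z]:\\Users\\Public\\.*", regex=True, all=True)`. The `run` method continues outside the hunk.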
@@ -30,7 +30,7 @@ class AccessesSysvol(Signature):
 mbcs += ["OC0001", "C0051"] # micro-behaviour
 def run(self):
- indicators = [".*\\\\Windows\\\\SYSVOL\\\\.*", "\\\\sysvol\\\\.*\\\\policies\\\\.*", "\\\\sysvol\\\\.*\\\\scripts\\\\.*"]
+ indicators = [r".*\\Windows\\SYSVOL\\.*", r"\\sysvol\\.*\\policies\\.*", r"\\sysvol\\.*\\scripts\\.*"]
 for indicator in indicators:
 match = self.check_file(pattern=indicator, regex=True)
@@ -53,7 +53,7 @@ class WritesSysvol(Signature):
 mbcs = ["OC0001", "C0052"] # micro-behaviour
 def run(self):
- indicators = [".*\\\\Windows\\\\SYSVOL\\\\.*", "\\\\sysvol\\\\.*\\\\policies\\\\.*", "\\\\sysvol\\\\.*\\\\scripts\\\\.*"]
+ indicators = [r".*\\Windows\\SYSVOL\\.*", r"\\sysvol\\.*\\policies\\.*", r"\\sysvol\\.*\\scripts\\.*"]
 for indicator in indicators:
 match = self.check_write_file(pattern=indicator, regex=True)
diff --git a/modules/signatures/windows/antianalysis_detectfile.py b/modules/signatures/windows/antianalysis_detectfile.py
index 4f13d75d..063777eb 100644
--- a/modules/signatures/windows/antianalysis_detectfile.py
+++ b/modules/signatures/windows/antianalysis_detectfile.py
@@ -21,43 +21,43 @@ class AntiAnalysisDetectFile(Signature): def run(self): file_indicators = [ - "^[A-Za-z]:\\\\analysis", - "^[A-Za-z]:\\\\iDEFENSE", - "^[A-Za-z]:\\\\stuff\\\\odbg110", - "^[A-Za-z]:\\\\gnu\\bin", - "^[A-Za-z]:\\\\Virus\\ Analysis", - "^[A-Za-z]:\\\\popupkiller\.exe$", - "^[A-Za-z]:\\\\tools\\\\execute\.exe$", - "^[A-Za-z]:\\\\MDS\\\\WinDump\.exe$", - "^[A-Za-z]:\\\\MDS\\\\WinDump\.exe$", - "^[A-Za-z]:\\\\guest_tools\\\\start\.bat$", - "^[A-Za-z]:\\\\tools\\\\aswsnx", - "^[A-Za-z]:\\\\tools\\\\decodezeus", - "^[A-Za-z]:\\\\tool\\\\malmon", - "^[A-Za-z]:\\\\sandcastle\\\\tools", - "^[A-Za-z]:\\\\tsl\\\\raptorclient\.exe$", - "^[A-Za-z]:\\\\kit\\\\procexp\.exe$", - "^[A-Za-z]:\\\\winap\\\\ckmon\.pyw$", - "^[A-Za-z]:\\\\vmremote\\\\vmremoteguest\.exe$", - "^[A-Za-z]:\\\\Program\\ Files(\\ \(x86\))?\\\\Fiddler", - "^[A-Za-z]:\\\\ComboFix", - "^[A-Za-z]:\\\\Program\\ Files(\\ \(x86\))?\\\\FFDec", - "^[A-Za-z]:\\\\Program\\ Files(\\ \(x86\))?\\\\Wireshark", - "^[A-Za-z]:\\\\bin\\\\AHookMonitor\.dll$", - "^[A-Za-z]:\\\\bin\\\\hookanaapp\.exe$", - "^[A-Za-z]:\\\\bsa\\\\log_api", - "^[A-Za-z]:\\\\AVCTestSuite\\\\AVCTestSuite\.exe$", - "^[A-Za-z]:\\\\ipf\\\\BDCore_U\.dll$", - "^[A-Za-z]:\\\\Kit\\\\procexp\.exe$", - "^[A-Za-z]:\\\\manual\\\\grabme\.exe$", - "^[A-Za-z]:\\\\manual\\\\SilipTCPIP\.exe$", - "^[A-Za-z]:\\\\MWS\\\\bin\\\\agent", - "^[A-Za-z]:\\\\original\\\\AutoRepGui", - "^[A-Za-z]:\\\\totalcmd\\\\gfiles", - "^[A-Za-z]:\\\\tracer\\\\FortiTracer\.exe$", - "^[A-Za-z]:\\\\tracer\\\\mdare32_0\.sys$", - "^[A-Za-z]:\\\\plugins\\\\(import|process)\\\\.*\.dll$", - "^[A-Za-z]:\\\\sandbox_svc", + r"^[A-Za-z]:\\analysis", + r"^[A-Za-z]:\\iDEFENSE", + r"^[A-Za-z]:\\stuff\\odbg110", + r"^[A-Za-z]:\\gnu\\bin", + r"^[A-Za-z]:\\Virus\\ Analysis", + r"^[A-Za-z]:\\popupkiller\.exe$", + r"^[A-Za-z]:\\tools\\execute\.exe$", + r"^[A-Za-z]:\\MDS\\WinDump\.exe$", + r"^[A-Za-z]:\\MDS\\WinDump\.exe$", + r"^[A-Za-z]:\\guest_tools\\start\.bat$", + 
r"^[A-Za-z]:\\tools\\aswsnx", + r"^[A-Za-z]:\\tools\\decodezeus", + r"^[A-Za-z]:\\tool\\malmon", + r"^[A-Za-z]:\\sandcastle\\tools", + r"^[A-Za-z]:\\tsl\\raptorclient\.exe$", + r"^[A-Za-z]:\\kit\\procexp\.exe$", + r"^[A-Za-z]:\\winap\\ckmon\.pyw$", + r"^[A-Za-z]:\\vmremote\\vmremoteguest\.exe$", + r"^[A-Za-z]:\\Program\\ Files(\\ \(x86\))?\\Fiddler", + r"^[A-Za-z]:\\ComboFix", + r"^[A-Za-z]:\\Program\\ Files(\\ \(x86\))?\\FFDec", + r"^[A-Za-z]:\\Program\\ Files(\\ \(x86\))?\\Wireshark", + r"^[A-Za-z]:\\bin\\AHookMonitor\.dll$", + r"^[A-Za-z]:\\bin\\hookanaapp\.exe$", + r"^[A-Za-z]:\\bsa\\log_api", + r"^[A-Za-z]:\\AVCTestSuite\\AVCTestSuite\.exe$", + r"^[A-Za-z]:\\ipf\\BDCore_U\.dll$", + r"^[A-Za-z]:\\Kit\\procexp\.exe$", + r"^[A-Za-z]:\\manual\\grabme\.exe$", + r"^[A-Za-z]:\\manual\\SilipTCPIP\.exe$", + r"^[A-Za-z]:\\MWS\\bin\\agent", + r"^[A-Za-z]:\\original\\AutoRepGui", + r"^[A-Za-z]:\\totalcmd\\gfiles", + r"^[A-Za-z]:\\tracer\\FortiTracer\.exe$", + r"^[A-Za-z]:\\tracer\\mdare32_0\.sys$", + r"^[A-Za-z]:\\plugins\\(import|process)\\.*\.dll$", + r"^[A-Za-z]:\\sandbox_svc", ] ret = False for indicator in file_indicators: diff --git a/modules/signatures/windows/antianalysis_detectreg.py b/modules/signatures/windows/antianalysis_detectreg.py index 2731f0c1..2813a407 100644 --- a/modules/signatures/windows/antianalysis_detectreg.py +++ b/modules/signatures/windows/antianalysis_detectreg.py 
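Review bot: The raw-string conversion silently changes the meaning of every `\\ ` in this list: in the old normal strings `\\ ` reached the regex engine as `\ ` (an escaped space), but inside `r"..."` it is a literal backslash followed by a space, so `r"^[A-Za-z]:\\Virus\\ Analysis"` and the three `Program\\ Files(\\ \(x86\))?` entries now require a backslash before the space and no longer match `C:\Program Files\Wireshark` or `C:\Program Files (x86)\Fiddler`. Those four entries should use a plain space (or `\ `) as below. Separately, `MDS\\WinDump\.exe$` is listed twice and `kit\\procexp\.exe$` / `Kit\\procexp\.exe$` differ only in case, which is harmless but worth collapsing. The `run` method begins outside the hunk.
```python
file_indicators = [
    # … unchanged: entries that contain no space …
    r"^[A-Za-z]:\\Virus Analysis",
    r"^[A-Za-z]:\\Program Files( \(x86\))?\\Fiddler",
    r"^[A-Za-z]:\\Program Files( \(x86\))?\\FFDec",
    r"^[A-Za-z]:\\Program Files( \(x86\))?\\Wireshark",
    # … unchanged: remaining entries …
]
```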
@@ -21,17 +21,17 @@ class AntiAnalysisDetectReg(Signature): def run(self): reg_indicators = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\App\\ Paths\\\\Wireshark\.exe$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\Wireshark$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\App\\ Paths\\\\Fiddler\.exe$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\App\\ Paths\\\\Fiddler2\.exe$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\Fiddler2$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Fiddler2$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\SOFTWARE\\\\IEInspectorSoft.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\IEHTTPAnalyzer\.HTTPAnalyzerAddon$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\IEHTTPAnalyzerStd\.HTTPAnalyzerStandAlone$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\Charles\.AMF\.Document$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?XK72\\ Ltd\\ folder$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\App\\ Paths\\Wireshark\.exe$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\Wireshark$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\App\\ Paths\\Fiddler\.exe$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\App\\ Paths\\Fiddler2\.exe$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fiddler2$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Fiddler2$", + r".*\\Software\\(Wow6432Node\\)?Classes\\SOFTWARE\\IEInspectorSoft.*", + r".*\\Software\\(Wow6432Node\\)?Classes\\IEHTTPAnalyzer\.HTTPAnalyzerAddon$", + r".*\\Software\\(Wow6432Node\\)?Classes\\IEHTTPAnalyzerStd\.HTTPAnalyzerStandAlone$", + r".*\\Software\\(Wow6432Node\\)?Classes\\Charles\.AMF\.Document$", + 
r".*\\Software\\(Wow6432Node\\)?XK72\\ Ltd\\ folder$", ] found = False for indicator in reg_indicators: diff --git a/modules/signatures/windows/antiav_bypass.py b/modules/signatures/windows/antiav_bypass.py index a7185474..6cb838bf 100644 --- a/modules/signatures/windows/antiav_bypass.py +++ b/modules/signatures/windows/antiav_bypass.py @@ -35,7 +35,7 @@ class ModifiesAttachmentManager(Signature): def run(self): reg_indicators = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\SaveZoneInformation$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments\\SaveZoneInformation$", ] for indicator in reg_indicators: diff --git a/modules/signatures/windows/antiav_detectfile.py b/modules/signatures/windows/antiav_detectfile.py index 18d7601a..2948e08d 100644 --- a/modules/signatures/windows/antiav_detectfile.py +++ b/modules/signatures/windows/antiav_detectfile.py 
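Review bot: The same raw-string regression hits the registry list: `App\\ Paths` in the three `App Paths` entries and `XK72\\ Ltd\\ folder` used to reach the regex as `App\ Paths` (escaped space) but now mean backslash-then-space, so none of the Wireshark/Fiddler `App Paths` keys will match after this commit. The four affected entries need a plain space; the remaining entries in the hunk contain no space and are converted correctly. The `run` method begins outside the hunk.
```python
reg_indicators = [
    r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\App Paths\\Wireshark\.exe$",
    # … unchanged: Uninstall\\Wireshark …
    r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\App Paths\\Fiddler\.exe$",
    r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\App Paths\\Fiddler2\.exe$",
    # … unchanged: Uninstall\\Fiddler2, Fiddler2, IEInspectorSoft, IEHTTPAnalyzer*, Charles …
    r".*\\Software\\(Wow6432Node\\)?XK72 Ltd folder$",
]
```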
@@ -21,59 +21,59 @@ class AntiAVDetectFile(Signature): def run(self): file_indicators = ( - ".*\\\\AVAST\\ Software", - ".*\\\\Avira\\ GmbH", - ".*\\\\Avira", - ".*\\\\Kaspersky\\ Lab", - ".*\\\\Kaspersky\\ Lab\\ Setup\\ Files", - ".*\\\\DrWeb", - ".*\\\\Norton\\ AntiVirus", - ".*\\\\Norton\\ (Security with Backup|Internet Security)\\\\", - ".*\\\\ESET", - ".*\\\\Agnitum", - ".*\\\\Panda\\ Security", - ".*\\\\McAfee", - ".*\\\\McAfee\.com", - ".*\\\\Trend\\ Micro", - ".*\\\\BitDefender", - ".*\\\\ArcaBit", - ".*\\\\Online\\ Solutions", - ".*\\\\AnVir\\ Task\\ Manager", - ".*\\\\Alwil\\ Software", - ".*\\\\Symantec$", - ".*\\\\AVG", - ".*\\\\Xore", - ".*\\\\Symantec\\ Shared", - ".*\\\\a-squared\\ Anti-Malware", - ".*\\\\a-squared\\ HiJackFree", - ".*\\\\avg8", - ".*\\\\Doctor\\ Web", - ".*\\\\f-secure", - ".*\\\\F-Secure\\ Internet\\ Security", - ".*\\\\G\\ DATA", - ".*\\\\P\\ Tools", - ".*\\\\P\\ Tools\\ Internet\\ Security", - ".*\\\\K7\\ Computing", - ".*\\\\Vba32", - ".*\\\\Sunbelt\\ Software", - ".*\\\\FRISK\\ Software", - ".*\\\\Security\\ Task\\ Manager", - ".*\\\\Zillya\\ Antivirus", - ".*\\\\Spyware\\ Terminator", - ".*\\\\Lavasoft", - ".*\\\\BlockPost", - ".*\\\\DefenseWall\\ HIPS", - ".*\\\\DefenseWall", - ".*\\\\Microsoft\\ Antimalware", - ".*\\\\Microsoft\\ Security\\ Essentials", - ".*\\\\Sandboxie", - ".*\\\\Positive\\ Technologies", - ".*\\\\UAenter", - ".*\\\\Malwarebytes", - ".*\\\\Malwarebytes'\\ Anti-Malware", - ".*\\\\Microsoft\\ Security\\ Client", - ".*\\\\System32\\\\drivers\\\\kl1\\.sys$", - ".*\\\\System32\\\\drivers\\\\(tm((actmon|comm)\\.|e(vtmgr\\.|ext\\.)|(nciesc|tdi)\\.)|TMEBC32\\.)sys$", + r".*\\AVAST\\ Software", + r".*\\Avira\\ GmbH", + r".*\\Avira", + r".*\\Kaspersky\\ Lab", + r".*\\Kaspersky\\ Lab\\ Setup\\ Files", + r".*\\DrWeb", + r".*\\Norton\\ AntiVirus", + r".*\\Norton\\ (Security with Backup|Internet Security)\\", + r".*\\ESET", + r".*\\Agnitum", + r".*\\Panda\\ Security", + r".*\\McAfee", + r".*\\McAfee\.com", + 
r".*\\Trend\\ Micro", + r".*\\BitDefender", + r".*\\ArcaBit", + r".*\\Online\\ Solutions", + r".*\\AnVir\\ Task\\ Manager", + r".*\\Alwil\\ Software", + r".*\\Symantec$", + r".*\\AVG", + r".*\\Xore", + r".*\\Symantec\\ Shared", + r".*\\a-squared\\ Anti-Malware", + r".*\\a-squared\\ HiJackFree", + r".*\\avg8", + r".*\\Doctor\\ Web", + r".*\\f-secure", + r".*\\F-Secure\\ Internet\\ Security", + r".*\\G\\ DATA", + r".*\\P\\ Tools", + r".*\\P\\ Tools\\ Internet\\ Security", + r".*\\K7\\ Computing", + r".*\\Vba32", + r".*\\Sunbelt\\ Software", + r".*\\FRISK\\ Software", + r".*\\Security\\ Task\\ Manager", + r".*\\Zillya\\ Antivirus", + r".*\\Spyware\\ Terminator", + r".*\\Lavasoft", + r".*\\BlockPost", + r".*\\DefenseWall\\ HIPS", + r".*\\DefenseWall", + r".*\\Microsoft\\ Antimalware", + r".*\\Microsoft\\ Security\\ Essentials", + r".*\\Sandboxie", + r".*\\Positive\\ Technologies", + r".*\\UAenter", + r".*\\Malwarebytes", + r".*\\Malwarebytes'\\ Anti-Malware", + r".*\\Microsoft\\ Security\\ Client", + r".*\\System32\\drivers\\kl1\\.sys$", + r".*\\System32\\drivers\\(tm((actmon|comm)\\.|e(vtmgr\\.|ext\\.)|(nciesc|tdi)\\.)|TMEBC32\\.)sys$", ) found = False for indicator in file_indicators: diff --git a/modules/signatures/windows/antiav_detectreg.py b/modules/signatures/windows/antiav_detectreg.py index caa8ff5b..6d37381a 100644 --- a/modules/signatures/windows/antiav_detectreg.py +++ b/modules/signatures/windows/antiav_detectreg.py 
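Review bot: Almost every entry in this tuple is broken by the conversion: `\\ ` in a normal string was an escaped space, but in a raw string it is a literal backslash plus a space, so `r".*\\AVAST\\ Software"` now needs `\AVAST\ Software` on disk and no longer matches `C:\Program Files\AVAST Software`; the same applies to every vendor name with a space (Avira GmbH, Kaspersky Lab, Norton AntiVirus, Trend Micro, Microsoft Security Essentials, Malwarebytes' Anti-Malware, …). The two driver entries regress the same way: `kl1\\.sys$` was `kl1\.sys$` (escaped dot) and is now backslash-then-any-char, as are the `\\.` groups in the Trend Micro line. Only the entries with no space and no `\\.` (`DrWeb`, `ESET`, `Agnitum`, `McAfee`, `AVG`, `Xore`, `avg8`, `f-secure`, `Vba32`, `Lavasoft`, `BlockPost`, `Sandboxie`, `UAenter`, `Symantec$`, `McAfee\.com`) are unaffected. The `run` method begins outside the hunk.
```python
file_indicators = (
    r".*\\AVAST Software",
    r".*\\Avira GmbH",
    r".*\\Kaspersky Lab",
    r".*\\Kaspersky Lab Setup Files",
    r".*\\Norton AntiVirus",
    r".*\\Norton (Security with Backup|Internet Security)\\",
    # … every other entry that had `\\ `: replace `\\ ` with a plain space …
    r".*\\System32\\drivers\\kl1\.sys$",
    r".*\\System32\\drivers\\(tm((actmon|comm)\.|e(vtmgr\.|ext\.)|(nciesc|tdi)\.)|TMEBC32\.)sys$",
)
```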
@@ -21,59 +21,59 @@ class AntiAVDetectReg(Signature): def run(self): reg_indicators = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Avg$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?AVAST\\ Software\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Avira$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Bitdefender$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?BitDefender\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Coranti$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Data\\ Fellows\\\\F-Secure$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Doctor\\ Web$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?ESET$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?ESET\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?G\\ Data$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Symantec$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?KasperskyLab\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?McAfee\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?McAfee\.com\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Microsoft\\ Antimalware$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Network\\ Associates\\\\TVD$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Panda\\ Software$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?rising$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Softed\\\\ViGUARD$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Sophos$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Sophos\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?TrendMicro.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?VBA32$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Zone\\ Labs\\\\ZoneAlarm$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\App\\ Paths\\\\mbam.exe$", - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\services\\\\Avg.*", - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\services\\\\AVP.*", - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\services\\\\avast!\\ Antivirus.*", - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\services\\\\RsMgrSvc.*", - 
".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\services\\\\fshoster.*", - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\services\\\\cmdvirth.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\AVG_UI$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\AVP$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\mcui_exe$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\mcpltui_exe$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Bdagent$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Trend\\ Micro\\ Titanium$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Trend\\ Micro\\ Client\\ Framework$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\avast$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\MSC$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\BullGuard$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Sophos\\ AutoUpdate\\ Monitor$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\SpIDerAgent$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\APVXDWIN$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\WRSVC$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\emsisoft\\ anti-malware$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ISTray$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\G\\ Data\\ AntiVirus\\ Tray.*", - 
".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ZoneAlarm$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Bkav$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\V3\\ Application$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Baidu\\ Antivirus$", + r".*\\Software\\(Wow6432Node\\)?Avg$", + r".*\\Software\\(Wow6432Node\\)?AVAST\\ Software\\.*", + r".*\\Software\\(Wow6432Node\\)?Avira$", + r".*\\Software\\(Wow6432Node\\)?Bitdefender$", + r".*\\Software\\(Wow6432Node\\)?BitDefender\\.*", + r".*\\Software\\(Wow6432Node\\)?Coranti$", + r".*\\Software\\(Wow6432Node\\)?Data\\ Fellows\\F-Secure$", + r".*\\Software\\(Wow6432Node\\)?Doctor\\ Web$", + r".*\\Software\\(Wow6432Node\\)?ESET$", + r".*\\Software\\(Wow6432Node\\)?ESET\\.*", + r".*\\Software\\(Wow6432Node\\)?G\\ Data$", + r".*\\Software\\(Wow6432Node\\)?Symantec$", + r".*\\Software\\(Wow6432Node\\)?KasperskyLab\\.*", + r".*\\Software\\(Wow6432Node\\)?McAfee\\.*", + r".*\\Software\\(Wow6432Node\\)?McAfee\.com\\.*", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Microsoft\\ Antimalware$", + r".*\\Software\\(Wow6432Node\\)?Network\\ Associates\\TVD$", + r".*\\Software\\(Wow6432Node\\)?Panda\\ Software$", + r".*\\Software\\(Wow6432Node\\)?rising$", + r".*\\Software\\(Wow6432Node\\)?Softed\\ViGUARD$", + r".*\\Software\\(Wow6432Node\\)?Sophos$", + r".*\\Software\\(Wow6432Node\\)?Sophos\\.*", + r".*\\Software\\(Wow6432Node\\)?TrendMicro.*", + r".*\\Software\\(Wow6432Node\\)?VBA32$", + r".*\\Software\\(Wow6432Node\\)?Zone\\ Labs\\ZoneAlarm$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\App\\ Paths\\mbam.exe$", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\services\\Avg.*", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\services\\AVP.*", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\services\\avast!\\ Antivirus.*", + 
r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\services\\RsMgrSvc.*", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\services\\fshoster.*", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\services\\cmdvirth.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\AVG_UI$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\AVP$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\mcui_exe$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\mcpltui_exe$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\Bdagent$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\Trend\\ Micro\\ Titanium$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\Trend\\ Micro\\ Client\\ Framework$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\avast$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\MSC$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\BullGuard$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\Sophos\\ AutoUpdate\\ Monitor$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\SpIDerAgent$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\APVXDWIN$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\WRSVC$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\emsisoft\\ anti-malware$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\ISTray$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\G\\ Data\\ AntiVirus\\ Tray.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\ZoneAlarm$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\Bkav$", + 
r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\V3\\ Application$",
+ r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\Baidu\\ Antivirus$",
 ]
 found = False
 for indicator in reg_indicators:
diff --git a/modules/signatures/windows/antiav_srp.py b/modules/signatures/windows/antiav_srp.py
index bdebf69e..5384ad81 100644
--- a/modules/signatures/windows/antiav_srp.py
+++ b/modules/signatures/windows/antiav_srp.py
@@ -21,7 +21,7 @@ class AntiAVSRP(Signature):
 def run(self):
 match_key = self.check_write_key(
- ".*\\\\Policies\\\\Microsoft\\\\Windows\\\\Safer\\\\CodeIdentifiers\\\\0\\\\Paths\\\\.*", regex=True, all=True
+ r".*\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths\\.*", regex=True, all=True
 )
 if match_key:
 for match in match_key:
diff --git a/modules/signatures/windows/antidebug_windows.py b/modules/signatures/windows/antidebug_windows.py
index 0596e455..b92b47b5 100644
--- a/modules/signatures/windows/antidebug_windows.py
+++ b/modules/signatures/windows/antidebug_windows.py
@@ -58,7 +58,7 @@ def on_call(self, call, process):
 "C:\\Program Files\\Wireshark\\dumpcap.exe",
 "C:\\wireshark\\dumpcap.exe",
 "C:\\SandCastle\\tools\\FakeServer.exe",
- "C:\\\\Python27\\\\python.exe",
+ r"C:\\Python27\\python.exe",
 "start.bat - C:\Manual\auto.bat",
 "Fortinet Sunbox",
 "PEiD v0.95",
diff --git a/modules/signatures/windows/antiemu_windefend.py b/modules/signatures/windows/antiemu_windefend.py
index cd98a784..eefb5228 100644
--- a/modules/signatures/windows/antiemu_windefend.py
+++ b/modules/signatures/windows/antiemu_windefend.py
@@ -31,10 +31,10 @@ class AntiEmuWinDefend(Signature):
 def run(self):
 indicators = [
- "C:\\\\aaa_TouchMeNot_.txt$",
- "C:\\\\Mirc\\\\mirc.ini$",
- "C:\\\\Mirc\\\\script.ini$",
- "C:\\\\Windows\\\\msdfmap.ini$",
+ r"C:\\aaa_TouchMeNot_.txt$",
+ r"C:\\Mirc\\mirc.ini$",
+ r"C:\\Mirc\\script.ini$",
+ r"C:\\Windows\\msdfmap.ini$",
 ]
 for indicator in indicators:
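Review bot: The new `r"C:\\Python27\\python.exe"` entry in the antidebug_windows hunk preserves the double-backslash value of the old literal, so it still differs from its neighbours in the same list (`"C:\\Program Files\\Wireshark\\dumpcap.exe"` holds single backslashes); if these strings are compared as plain substrings rather than regexes, this entry can never match a real path and should presumably be `"C:\\Python27\\python.exe"` without the prefix. The adjacent context line `"start.bat - C:\Manual\auto.bat"` also contains `\a`, which Python turns into a BEL character, and would want the same raw-string treatment. `on_call` continues outside the hunk.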
diff --git a/modules/signatures/windows/antisandbox_cuckoo_files.py b/modules/signatures/windows/antisandbox_cuckoo_files.py
index 2d6dbcb6..daf8e743 100644
--- a/modules/signatures/windows/antisandbox_cuckoo_files.py
+++ b/modules/signatures/windows/antisandbox_cuckoo_files.py
@@ -29,8 +29,8 @@ class CuckooDetectFiles(Signature):
 def run(self):
 indicators = [
- "C:\\\\agent\\\\agent\.pyw$",
- "C:\\\\cuckoo\\\\dll$",
+ r"C:\\agent\\agent\.pyw$",
+ r"C:\\cuckoo\\dll$",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/antisandbox_fortinet_files.py b/modules/signatures/windows/antisandbox_fortinet_files.py
index 47304dcf..f9590a09 100644
--- a/modules/signatures/windows/antisandbox_fortinet_files.py
+++ b/modules/signatures/windows/antisandbox_fortinet_files.py
@@ -29,9 +29,9 @@ class FortinetDetectFiles(Signature):
 def run(self):
 indicators = [
- "^C:\\\\tracer\\\\mdare32_0\.sys$",
- "^C:\\\\tracer\\\\fortitracer\.exe$",
- "^C:\\\\manual\\\\sunbox\.exe$",
+ r"^C:\\tracer\\mdare32_0\.sys$",
+ r"^C:\\tracer\\fortitracer\.exe$",
+ r"^C:\\manual\\sunbox\.exe$",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/antisandbox_joe_anubis_files.py b/modules/signatures/windows/antisandbox_joe_anubis_files.py
index 94b08840..5cb5eb3b 100644
--- a/modules/signatures/windows/antisandbox_joe_anubis_files.py
+++ b/modules/signatures/windows/antisandbox_joe_anubis_files.py
@@ -29,8 +29,8 @@ class SandboxJoeAnubisDetectFiles(Signature):
 def run(self):
 indicators = [
- "C\:\\\\sample\.exe$",
- "C\:\\\\InsideTm\\\\.*",
+ r"C\:\\sample\.exe$",
+ r"C\:\\InsideTm\\.*",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/antisandbox_sunbelt_files.py b/modules/signatures/windows/antisandbox_sunbelt_files.py
index 165e81fa..90852fad 100644
--- a/modules/signatures/windows/antisandbox_sunbelt_files.py
+++ b/modules/signatures/windows/antisandbox_sunbelt_files.py
@@ -29,8 +29,8 @@ class SunbeltDetectFiles(Signature):
 def run(self):
 indicators = [
- ".*\\\\SandboxStarter\.exe$",
- "^C\:\\\\analysis\\\\.*",
+ r".*\\SandboxStarter\.exe$",
+ r"^C\:\\analysis\\.*",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/antisandbox_threattrack_files.py b/modules/signatures/windows/antisandbox_threattrack_files.py
index 26e6f33e..cee86aa1 100644
--- a/modules/signatures/windows/antisandbox_threattrack_files.py
+++ b/modules/signatures/windows/antisandbox_threattrack_files.py
@@ -29,9 +29,9 @@ class ThreatTrackDetectFiles(Signature):
 def run(self):
 indicators = [
- "^C:\\\\cwsandbox",
- "^C:\\\\gfisandbox",
- "^C:\\\\sandbox\\\\starter\.exe$",
+ r"^C:\\cwsandbox",
+ r"^C:\\gfisandbox",
+ r"^C:\\sandbox\\starter\.exe$",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/antivm_bochs_keys.py b/modules/signatures/windows/antivm_bochs_keys.py
index 22b1c3b4..e038f546 100644
--- a/modules/signatures/windows/antivm_bochs_keys.py
+++ b/modules/signatures/windows/antivm_bochs_keys.py
@@ -30,7 +30,7 @@ class BochsDetectKeys(Signature):
 def run(self):
 indicators = [
- ".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS_.*",
+ r".*\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\BOCHS_.*",
 ]
 for indicator in indicators:
 if self.check_key(pattern=indicator, regex=True):
diff --git a/modules/signatures/windows/antivm_generic_bios.py b/modules/signatures/windows/antivm_generic_bios.py
index fe650f4b..1d746357 100644
--- a/modules/signatures/windows/antivm_generic_bios.py
+++ b/modules/signatures/windows/antivm_generic_bios.py
@@ -30,8 +30,6 @@ class AntiVMBios(Signature): mbcs += ["OC0008", "C0036", "C0036.005"] # micro-behaviour def run(self): - if self.check_read_key( - pattern=".*\\\\HARDWARE\\\\DESCRIPTION\\\\System\\\\(SystemBiosVersion|VideoBiosVersion)$", regex=True - ): + if self.check_read_key(pattern=r".*\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", regex=True): return True return False diff --git a/modules/signatures/windows/antivm_generic_diskreg.py b/modules/signatures/windows/antivm_generic_diskreg.py index c86b8ed8..e58a14f4 100644 --- a/modules/signatures/windows/antivm_generic_diskreg.py +++ b/modules/signatures/windows/antivm_generic_diskreg.py @@ -32,9 +32,9 @@ class AntiVMDiskReg(Signature): def run(self): indicators = [ - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\IDE$", - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Services\\\\Disk\\\\Enum\\\\.*", - ".*\\\\HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi\ Port\ 0\\\\Scsi\ Bus\ 0\\\\Target\ Id\ 0\\\\Logical\ Unit\ Id\ 0$", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\IDE$", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\Disk\\Enum\\.*", + r".*\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi\ Port\ 0\\Scsi\ Bus\ 0\\Target\ Id\ 0\\Logical\ Unit\ Id\ 0$", ] for indicator in indicators: if self.check_key(pattern=indicator, regex=True): diff --git a/modules/signatures/windows/antivm_generic_system.py b/modules/signatures/windows/antivm_generic_system.py index cba852de..4b85f750 100644 --- a/modules/signatures/windows/antivm_generic_system.py +++ b/modules/signatures/windows/antivm_generic_system.py @@ -55,7 +55,7 @@ def on_call(self, call, process): else: match = self.check_argument_call( call, - pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\SystemInformation\\\\SystemManufacturer$", + pattern=r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\SystemInformation\\SystemManufacturer$", category="registry", regex=True, ) 
diff --git a/modules/signatures/windows/antivm_hyperv_keys.py b/modules/signatures/windows/antivm_hyperv_keys.py
index 6ce7ba8e..ad872f2c 100644
--- a/modules/signatures/windows/antivm_hyperv_keys.py
+++ b/modules/signatures/windows/antivm_hyperv_keys.py
@@ -31,7 +31,7 @@ class HyperVDetectKeys(Signature):
 def run(self):
 indicators = [
- ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\Hyper_V_Gen_Counter_V1$",
+ r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\ACPI\\Hyper_V_Gen_Counter_V1$",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/antivm_parallels_keys.py b/modules/signatures/windows/antivm_parallels_keys.py
index bb751ebf..03e0fd77 100644
--- a/modules/signatures/windows/antivm_parallels_keys.py
+++ b/modules/signatures/windows/antivm_parallels_keys.py
@@ -31,9 +31,9 @@ class ParallelsDetectKeys(Signature):
 def run(self):
 indicators = [
- ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_1AB8&DEV_4000&SUBSYS_04001AB8&REV_00$",
- ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_1AB8&DEV_4005&SUBSYS_04001AB8&REV_00$",
- ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_1AB8&DEV_4006&SUBSYS_04061AB8&REV_00$",
+ r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\PCI\\VEN_1AB8&DEV_4000&SUBSYS_04001AB8&REV_00$",
+ r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\PCI\\VEN_1AB8&DEV_4005&SUBSYS_04001AB8&REV_00$",
+ r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\PCI\\VEN_1AB8&DEV_4006&SUBSYS_04061AB8&REV_00$",
 ]
 for indicator in indicators:
 if self.check_key(pattern=indicator, regex=True):
diff --git a/modules/signatures/windows/antivm_vbox_files.py b/modules/signatures/windows/antivm_vbox_files.py
index 186f38cc..ddbe5aa7 100644
--- a/modules/signatures/windows/antivm_vbox_files.py
+++ b/modules/signatures/windows/antivm_vbox_files.py
@@ -29,27 +29,27 @@ class VBoxDetectFiles(Signature): def run(self): file_indicators = [ - ".*\\\\VBoxDisp\.dll$", - ".*\\\\VBoxHook\.dll$", - ".*\\\\VBoxMRXNP\.dll$", - ".*\\\\VBoxOGL\.dll$", - ".*\\\\VBoxOGLarrayspu\.dll$", - ".*\\\\VBoxOGLcrutil\.dll$", - ".*\\\\VBoxOGLerrorspu\.dll$", - ".*\\\\VBoxOGLfeedbackspu\.dll$", - ".*\\\\VBoxOGLpackspu\.dll$", - ".*\\\\VBoxOGLpassthroughspu\.dll$", - ".*\\\\VBoxSF\.sys$", - ".*\\\\VBoxControl\.exe$", - ".*\\\\VBoxService\.exe$", - ".*\\\\VBoxTray\.exe$", - ".*\\\\VBoxDrvInst\.exe$", - ".*\\\\VBoxWHQLFake\.exe$", - ".*\\\\VBoxGuest\.[a-zA-Z]{3}$", - ".*\\\\VBoxMouse\.[a-zA-Z]{3}$", - ".*\\\\VBoxVideo\.[a-zA-Z]{3}$", - ".*\\\\VirtualBox\\ Guest\\ Additions\\\\.+\\.(exe|dll)$", - ".*\\\\drivers\\\\vboxdrv\\.sys$", + r".*\\VBoxDisp\.dll$", + r".*\\VBoxHook\.dll$", + r".*\\VBoxMRXNP\.dll$", + r".*\\VBoxOGL\.dll$", + r".*\\VBoxOGLarrayspu\.dll$", + r".*\\VBoxOGLcrutil\.dll$", + r".*\\VBoxOGLerrorspu\.dll$", + r".*\\VBoxOGLfeedbackspu\.dll$", + r".*\\VBoxOGLpackspu\.dll$", + r".*\\VBoxOGLpassthroughspu\.dll$", + r".*\\VBoxSF\.sys$", + r".*\\VBoxControl\.exe$", + r".*\\VBoxService\.exe$", + r".*\\VBoxTray\.exe$", + r".*\\VBoxDrvInst\.exe$", + r".*\\VBoxWHQLFake\.exe$", + r".*\\VBoxGuest\.[a-zA-Z]{3}$", + r".*\\VBoxMouse\.[a-zA-Z]{3}$", + r".*\\VBoxVideo\.[a-zA-Z]{3}$", + r".*\\VirtualBox\\ Guest\\ Additions\\.+\\.(exe|dll)$", + r".*\\drivers\\vboxdrv\\.sys$", ] found = False for indicator in file_indicators: diff --git a/modules/signatures/windows/antivm_vbox_keys.py b/modules/signatures/windows/antivm_vbox_keys.py index 41415584..b9a8f908 100644 --- a/modules/signatures/windows/antivm_vbox_keys.py +++ b/modules/signatures/windows/antivm_vbox_keys.py 
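Review bot: Two escape forms change meaning under the new `r` prefix in this hunk: in a non-raw literal `\\ ` and `\\.` produced the regex escapes `\ ` and `\.` (a literal space, a literal dot), but in a raw literal they read as `\\` followed by a space or any character, so `r".*\\VirtualBox\\ Guest\\ Additions\\.+\\.(exe|dll)$"` now demands a backslash before each space and before the extension, and `r".*\\drivers\\vboxdrv\\.sys$"` no longer matches `vboxdrv.sys`. Only path separators (`\\\\` → `\\`) survive the mechanical conversion unchanged; the escaped-space and escaped-dot forms need one backslash fewer, e.g. `r".*\\VirtualBox Guest Additions\\.+\.(exe|dll)$"` and `r".*\\drivers\\vboxdrv\.sys$"`. The same `\\ ` regression is in every converted pattern containing a space: antivm_vbox_keys, antivm_vmware_files, antivm_vmware_keys, banker_geodo, browser_addon, browser_bho, browser_proxy, browser_security and browser_startpage below, and the antiav_detectreg hunk above. A small test that compiles each converted pattern and matches it against the path or key it is meant to catch would have caught this and would guard the remaining files in the series.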
@@ -30,12 +30,12 @@ class VBoxDetectKeys(Signature): def run(self): indicators = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Oracle\\\\VirtualBox\\ Guest\\ Additions$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall\\\\Oracle\\ VM\\ VirtualBox\\ Guest\\ Additions$", - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00$", - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00$", - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\VirtualDeviceDrivers$", - ".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\VBOX__.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Oracle\\VirtualBox\\ Guest\\ Additions$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall\\Oracle\\ VM\\ VirtualBox\\ Guest\\ Additions$", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\PCI\\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00$", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\PCI\\VEN_80EE&DEV_CAFE&SUBSYS_00000000&REV_00$", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\VirtualDeviceDrivers$", + r".*\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__.*", ] for indicator in indicators: if self.check_key(pattern=indicator, regex=True): diff --git a/modules/signatures/windows/antivm_vmware_files.py b/modules/signatures/windows/antivm_vmware_files.py index f5f8d532..ea8c78f3 100644 --- a/modules/signatures/windows/antivm_vmware_files.py +++ b/modules/signatures/windows/antivm_vmware_files.py 
@@ -29,12 +29,12 @@ class VMwareDetectFiles(Signature): def run(self): indicators = [ - ".*\\\\drivers\\\\vmmouse\.sys$", - ".*\\\\drivers\\\\vmhgfs\.sys$", - ".*\\\\vmguestlib\.dll$", - ".*\\\\VMware\\ Tools\\\\TPAutoConnSvc\.exe$", - ".*\\\\VMware\\ Tools\\\\TPAutoConnSvc\.exe\.dll$", - ".*\\\\Program\\ Files(\\ \(x86\))?\\\\VMware\\\\VMware\\ Tools.*", + r".*\\drivers\\vmmouse\.sys$", + r".*\\drivers\\vmhgfs\.sys$", + r".*\\vmguestlib\.dll$", + r".*\\VMware\\ Tools\\TPAutoConnSvc\.exe$", + r".*\\VMware\\ Tools\\TPAutoConnSvc\.exe\.dll$", + r".*\\Program\\ Files(\\ \(x86\))?\\VMware\\VMware\\ Tools.*", ] for indicator in indicators: diff --git a/modules/signatures/windows/antivm_vmware_keys.py b/modules/signatures/windows/antivm_vmware_keys.py index feff0451..51950174 100644 --- a/modules/signatures/windows/antivm_vmware_keys.py +++ b/modules/signatures/windows/antivm_vmware_keys.py @@ -30,10 +30,10 @@ class VMwareDetectKeys(Signature): def run(self): indicators = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?VMWare,\\ Inc\..*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Clients\\\\StartMenuInternet\\\\VMWAREHOSTOPEN.EXE$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?\\\\Microsoft\\\\ESENT\\\\Process\\\\vmtoolsd$", - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\CriticalDeviceDatabase\\\\root#vmwvmcihostdev$", + r".*\\SOFTWARE\\(Wow6432Node\\)?VMWare,\\ Inc\..*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Clients\\StartMenuInternet\\VMWAREHOSTOPEN.EXE$", + r".*\\SOFTWARE\\(Wow6432Node\\)?\\Microsoft\\ESENT\\Process\\vmtoolsd$", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\CriticalDeviceDatabase\\root#vmwvmcihostdev$", ] for indicator in indicators: diff --git a/modules/signatures/windows/antivm_vpc_files.py b/modules/signatures/windows/antivm_vpc_files.py index bfc587d3..275ddd63 100644 --- a/modules/signatures/windows/antivm_vpc_files.py +++ b/modules/signatures/windows/antivm_vpc_files.py 
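Review bot: The third pattern in the antivm_vmware_keys hunk, `r".*\\SOFTWARE\\(Wow6432Node\\)?\\Microsoft\\ESENT\\Process\\vmtoolsd$"`, carries a doubled separator: after the optional `Wow6432Node\\` group comes another `\\`, so the regex requires two consecutive backslashes between `SOFTWARE` and `Microsoft` and cannot match a real key path. The defect was already in the removed line and is carried over verbatim by the rewrite. Dropping the extra separator gives `r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\ESENT\\Process\\vmtoolsd$"`, the form the other entries in the list use.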
@@ -29,8 +29,8 @@ class VPCDetectFiles(Signature):
 def run(self):
 indicators = [
- ".*\\\\drivers\\\\vpc-s3\.sys$",
- ".*\\\\drivers\\\\vpcubus\.sys$",
+ r".*\\drivers\\vpc-s3\.sys$",
+ r".*\\drivers\\vpcubus\.sys$",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/antivm_vpc_keys.py b/modules/signatures/windows/antivm_vpc_keys.py
index 48c128d6..8d7dbc45 100644
--- a/modules/signatures/windows/antivm_vpc_keys.py
+++ b/modules/signatures/windows/antivm_vpc_keys.py
@@ -30,8 +30,8 @@ class VPCDetectKeys(Signature):
 def run(self):
 indicators = [
- ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\PCI\\\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00$",
- ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Services\\\\vpc-s3$",
+ r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\PCI\\VEN_5333&DEV_8811&SUBSYS_00000000&REV_00$",
+ r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\vpc-s3$",
 ]
 for indicator in indicators:
 if self.check_key(pattern=indicator, regex=True):
diff --git a/modules/signatures/windows/antivm_xen_keys.py b/modules/signatures/windows/antivm_xen_keys.py
index 06fdd860..316b44d0 100644
--- a/modules/signatures/windows/antivm_xen_keys.py
+++ b/modules/signatures/windows/antivm_xen_keys.py
@@ -30,9 +30,9 @@ class XenDetectKeys(Signature):
 def run(self):
 indicators = [
- ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\ACPI\\\\XEN0000.*",
- ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\XEN.*",
- ".*\\\\HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\Xen.*",
+ r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\ACPI\\XEN0000.*",
+ r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Enum\\XEN.*",
+ r".*\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\Xen.*",
 ]
 for indicator in indicators:
 if self.check_key(pattern=indicator, regex=True):
diff --git a/modules/signatures/windows/backdoor_gulpix.py b/modules/signatures/windows/backdoor_gulpix.py
index 49f963e2..62e871b5 100644
--- a/modules/signatures/windows/backdoor_gulpix.py
+++ b/modules/signatures/windows/backdoor_gulpix.py
@@ -38,7 +38,7 @@ def run(self):
 return True
 indicators = [
- ".*\\\\AppData\\\\Roaming\\\\NvSmartMax\.(dat|dll)",
+ r".*\\AppData\\Roaming\\NvSmartMax\.(dat|dll)",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/backdoor_ketrican_regkeys.py b/modules/signatures/windows/backdoor_ketrican_regkeys.py
index 869de6ee..f221eeb2 100644
--- a/modules/signatures/windows/backdoor_ketrican_regkeys.py
+++ b/modules/signatures/windows/backdoor_ketrican_regkeys.py
@@ -29,9 +29,9 @@ class KetricanRegkeys(Signature):
 def run(self):
 score = 0
 indicators = [
- ".*\\\\Software\\\\Microsoft\\\\Internet\ Explorer\\\\Main\\\\Check_Associations",
- ".*\\\\Software\\\\Microsoft\\\\Internet\ Explorer\\\\Main\\\\DisableFirstRunCustomize",
- ".*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\ Settings\\\\ZoneMap\\\\IE[Hh]arden",
+ r".*\\Software\\Microsoft\\Internet\ Explorer\\Main\\Check_Associations",
+ r".*\\Software\\Microsoft\\Internet\ Explorer\\Main\\DisableFirstRunCustomize",
+ r".*\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet\ Settings\\ZoneMap\\IE[Hh]arden",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/banker_cridex.py b/modules/signatures/windows/banker_cridex.py
index db7a71a3..f67298e9 100644
--- a/modules/signatures/windows/banker_cridex.py
+++ b/modules/signatures/windows/banker_cridex.py
@@ -38,7 +38,7 @@ def run(self):
 indicators = [".*Local.QM.*", ".*Local.XM.*"]
 match_file = self.check_file(pattern=".*\\\KB[0-9]{8}\.exe", regex=True)
- match_batch_file = self.check_file(pattern=".*\\\\Temp\\\\\S{4}\.tmp\.bat", regex=True)
+ match_batch_file = self.check_file(pattern=r".*\\Temp\\\S{4}\.tmp\.bat", regex=True)
 if match_file and match_batch_file:
 self.data.append({"file": match_file})
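Review bot: The `match_file` line directly above the changed one in the banker_cridex hunk, `pattern=".*\\\KB[0-9]{8}\.exe"`, is left as a non-raw literal containing the unknown escapes `\K` and `\.`, which Python currently keeps verbatim but reports as a SyntaxWarning from 3.12 onward; the equivalent raw form is `pattern=r".*\\KB[0-9]{8}\.exe"`. The same half-converted state appears in the clears_logs hunk further down, where `".*\.etl$"`, `".*\.evt$"` and `".*\.evtx$"` sit next to the newly raw path patterns in one list. `run` continues outside the hunk.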
diff --git a/modules/signatures/windows/banker_geodo.py b/modules/signatures/windows/banker_geodo.py index e45e367c..fdbb137e 100644 --- a/modules/signatures/windows/banker_geodo.py +++ b/modules/signatures/windows/banker_geodo.py @@ -20,18 +20,18 @@ class Geodo(Signature): def run(self): match_file = self.check_file( - pattern=".*\\\\Application\\ Data\\\\Microsoft\\\\[a-z]{3}(api32|audio|bios|boot|cap32|common|config|crypt|edit32|error|mgr32|serial|setup|share|sock|system|update|video|windows)\.exe$", + pattern=r".*\\Application\\ Data\\Microsoft\\[a-z]{3}(api32|audio|bios|boot|cap32|common|config|crypt|edit32|error|mgr32|serial|setup|share|sock|system|update|video|windows)\.exe$", regex=True, all=True, ) - match_batch_file = self.check_file(pattern=".*\\\\Application\\ Data\\\\\d{1,10}\.bat$", regex=True, all=True) + match_batch_file = self.check_file(pattern=r".*\\Application\\ Data\\\d{1,10}\.bat$", regex=True, all=True) match_runkey = self.check_key( - pattern=".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\[a-z]{3}(api32|audio|bios|boot|cap32|common|config|crypt|edit32|error|mgr32|serial|setup|share|sock|system|update|video|windows)\.exe$", + pattern=r".*\\Microsoft\\Windows\\CurrentVersion\\Run\\[a-z]{3}(api32|audio|bios|boot|cap32|common|config|crypt|edit32|error|mgr32|serial|setup|share|sock|system|update|video|windows)\.exe$", regex=True, all=True, ) match_otherkey = self.check_key( - pattern=".*\\\\Microsoft\\\\Office\\\\Common\\\\(?P[A-F0-9]+)\\\\(?P=hex)(CS|PS|SS|RS)", regex=True, all=True + pattern=r".*\\Microsoft\\Office\\Common\\(?P[A-F0-9]+)\\(?P=hex)(CS|PS|SS|RS)", regex=True, all=True ) match_mutex = self.check_mutex(pattern="^[A-F0-9]{1,8}(I|M|RM)$", regex=True, all=True) if match_file: diff --git a/modules/signatures/windows/bootkit.py b/modules/signatures/windows/bootkit.py index ed16b775..004ea356 100644 --- a/modules/signatures/windows/bootkit.py +++ b/modules/signatures/windows/bootkit.py 
@@ -99,7 +99,7 @@ class DirectHDDAccess(Signature):
 def run(self):
 ret = False
- match = self.check_write_file(pattern="^\\\\Device\\\\HarddiskVolume.*", regex=True)
+ match = self.check_write_file(pattern=r"^\\Device\\HarddiskVolume.*", regex=True)
 if match:
 self.data.append({"file": match})
 ret = True
@@ -122,7 +122,7 @@ class AccessesPrimaryPartition(Signature):
 def run(self):
 ret = False
- match = self.check_write_file(pattern="^\\\\Device\\\\HarddiskVolume0\\\\DR0$", regex=True)
+ match = self.check_write_file(pattern="^\\Device\\HarddiskVolume0\\DR0$", regex=True)
 if match:
 self.data.append({"file": match})
 ret = True
@@ -145,7 +145,7 @@ class PhysicalDriveAccess(Signature):
 def run(self):
 ret = False
- matches = self.check_write_file(pattern="^\\\\\?\?\\\\PhysicalDrive.*", regex=True, all=True)
+ matches = self.check_write_file(pattern=r"^\\\?\?\\PhysicalDrive.*", regex=True, all=True)
 if matches:
 for match in matches:
 self.data.append({"physical drive write attempt": match})
@@ -170,7 +170,7 @@ class EnumeratesPhysicalDrives(Signature):
 def run(self):
 enumerateddrives = 0
 ret = False
- matches = self.check_file(pattern="^\\\\\?\?\\\\PhysicalDrive.*", regex=True, all=True)
+ matches = self.check_file(pattern=r"^\\\?\?\\PhysicalDrive.*", regex=True, all=True)
 if matches:
 for match in matches:
 self.data.append({"physical drive access": match})
diff --git a/modules/signatures/windows/browser_addon.py b/modules/signatures/windows/browser_addon.py
index c7118e89..1fe884f2 100644
--- a/modules/signatures/windows/browser_addon.py
+++ b/modules/signatures/windows/browser_addon.py
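Review bot: The `AccessesPrimaryPartition` line is the one pattern in bootkit.py that lost its backslashes without gaining the `r` prefix: `"^\\Device\\HarddiskVolume0\\DR0$"` evaluates to the regex `^\Device\HarddiskVolume0\DR0$`, where `\D` is the non-digit class and `\H` is an unknown escape that `re` has rejected at compile time since Python 3.7, so this signature will raise instead of matching. The other three hunks in the file (`DirectHDDAccess`, `PhysicalDriveAccess`, `EnumeratesPhysicalDrives`) are converted correctly. Change the line to `match = self.check_write_file(pattern=r"^\\Device\\HarddiskVolume0\\DR0$", regex=True)`.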
@@ -34,13 +34,13 @@ class BrowserAddon(Signature): def run(self): reg_indicators = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Toolbar\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Mozilla\\\\Firefox\\\\Extensions\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?MozillaPlugins\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Google\\\\Chrome\\\\Extensions\\\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet\\ Explorer\\Toolbar\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Mozilla\\Firefox\\Extensions\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?MozillaPlugins\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Google\\Chrome\\Extensions\\.*", ] whitelist = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Toolbar\\\\Locked$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet\\ Explorer\\Toolbar\\Locked$", ] found = False for indicator in reg_indicators: diff --git a/modules/signatures/windows/browser_bho.py b/modules/signatures/windows/browser_bho.py index aeb1e75c..aa1d3bcd 100644 --- a/modules/signatures/windows/browser_bho.py +++ b/modules/signatures/windows/browser_bho.py @@ -29,7 +29,7 @@ class BrowserHelperObject(Signature): def run(self): if self.check_write_key( - pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Browser\\ Helper\\ Objects\\\\.*", + pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser\\ Helper\\ Objects\\.*", regex=True, ): return True diff --git a/modules/signatures/windows/browser_proxy.py b/modules/signatures/windows/browser_proxy.py index f8ce530a..55b63a3f 100644 --- a/modules/signatures/windows/browser_proxy.py +++ b/modules/signatures/windows/browser_proxy.py 
@@ -49,18 +49,18 @@ def __init__(self, *args, **kwargs): "ai.exe", ] self.indicators = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\ProxyEnable$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\ProxyServer$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\ZoneMap\\\\ProxyBypass$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\ProxyOverride$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\Wpad\\\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\ProxyEnable$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\ProxyServer$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\ZoneMap\\ProxyBypass$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\ProxyOverride$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\Wpad\\.*", ] self.whitelist = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\Wpad\\\\WpadLastNetwork$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\Wpad\\\\[^\\\\]*\\\\WpadDecisionReason$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\Wpad\\\\[^\\\\]*\\\\WpadDecisionTime$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\Wpad\\\\[^\\\\]*\\\\WpadDecision$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\Wpad\\\\[^\\\\]*\\\\WpadNetworkName$", + 
r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\Wpad\\WpadLastNetwork$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\Wpad\\[^\\]*\\WpadDecisionReason$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\Wpad\\[^\\]*\\WpadDecisionTime$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\Wpad\\[^\\]*\\WpadDecision$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\Wpad\\[^\\]*\\WpadNetworkName$", ] def on_call(self, call, process): diff --git a/modules/signatures/windows/browser_security.py b/modules/signatures/windows/browser_security.py index 4279264b..77d5f6b9 100644 --- a/modules/signatures/windows/browser_security.py +++ b/modules/signatures/windows/browser_security.py 
@@ -34,19 +34,19 @@ def run(self): safelist = ["zoom.exe"] - reg_indicators = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Privacy\\\\EnableInPrivateMode$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\PhishingFilter\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\Zones\\\\[0-4]\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\ZoneMap\\\\Domains\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\ZoneMap\\\\EscDomains\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\ZoneMap\\\\EscRanges\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\ZoneMap\\\\IEHarden$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\CertificateRevocation$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Main\\\\NoUpdateCheck$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Security\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Main\\\\FeatureControl\\\\.*", - ] + reg_indicators = ( + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet\\ Explorer\\Privacy\\EnableInPrivateMode$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet\\ Explorer\\PhishingFilter\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\Zones\\[0-4]\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\ZoneMap\\Domains\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\ZoneMap\\EscDomains\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ 
Settings\\ZoneMap\\EscRanges\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\ZoneMap\\IEHarden$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\CertificateRevocation$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet\\ Explorer\\Main\\NoUpdateCheck$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet\\ Explorer\\Security\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet\\ Explorer\\Main\\FeatureControl\\.*", + ) for indicator in reg_indicators: regkeys = self.check_write_key(pattern=indicator, regex=True, all=True) diff --git a/modules/signatures/windows/browser_startpage.py b/modules/signatures/windows/browser_startpage.py index b750e99a..c644b8d4 100644 --- a/modules/signatures/windows/browser_startpage.py +++ b/modules/signatures/windows/browser_startpage.py @@ -29,7 +29,7 @@ class browser_startpage(Signature): def run(self): if self.check_write_key( - pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Main\\\\Start\\ Page$", regex=True + pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet\\ Explorer\\Main\\Start\\ Page$", regex=True ): return True diff --git a/modules/signatures/windows/browser_tabs.py b/modules/signatures/windows/browser_tabs.py index fa4a9a7a..bd00e1eb 100644 --- a/modules/signatures/windows/browser_tabs.py +++ b/modules/signatures/windows/browser_tabs.py @@ -53,7 +53,7 @@ class IEDisablesProcessPerTab(Signature): def run(self): indicators = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet Explorer\\\\Main\\\\TabProcGrowth$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Internet Explorer\\Main\\TabProcGrowth$", ] for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/bypass_firewall.py b/modules/signatures/windows/bypass_firewall.py index 23fe14bb..5cea7e4d 100644 
--- a/modules/signatures/windows/bypass_firewall.py
+++ b/modules/signatures/windows/bypass_firewall.py
@@ -33,6 +33,6 @@ class BypassFirewall(Signature):
 def run(self):
 return self.check_key(
- pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\.*",
+ pattern=r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\.*",
 regex=True,
 )
diff --git a/modules/signatures/windows/bypass_uac.py b/modules/signatures/windows/bypass_uac.py
index ba40b998..47959376 100644
--- a/modules/signatures/windows/bypass_uac.py
+++ b/modules/signatures/windows/bypass_uac.py
@@ -90,9 +90,7 @@ def run(self):
 regkey = False
 ret = False
- keys = [
- ".*\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute$",
- ]
+ keys = (r".*\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute$",)
 for check in keys:
 match = self.check_write_key(pattern=check, regex=True)
@@ -182,7 +180,7 @@ class UACBypassFodhelper(Signature):
 def run(self):
 ret = False
- reg_indicators = ["HKEY_CURRENT_USER\\\\Software\\\\Classes\\\\ms-settings\\\\shell \\\\open\\\\command\\\\*."]
+ reg_indicators = (r"HKEY_CURRENT_USER\\Software\\Classes\\ms-settings\\shell \\open\\command\\*.",)
 for indicator in reg_indicators:
 match = self.check_write_key(pattern=indicator, regex=True)
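Review bot: The rewritten `reg_indicators` tuple in the `UACBypassFodhelper` hunk keeps two oddities of the old literal that look unintended: `ms-settings\\shell \\open` has a space between `shell` and the next separator, and the tail `command\\*.` makes the backslash optional (`\\*`) and then consumes one arbitrary character, unlike the `\\.*` tail every other key pattern in this commit uses. As written the regex only matches a key path that literally contains `shell \open`, so the check presumably never fires; if that is not deliberate, `r"HKEY_CURRENT_USER\\Software\\Classes\\ms-settings\\shell\\open\\command\\.*"` is the form consistent with the surrounding signatures. `run` continues outside the hunk.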
@@ -205,11 +203,11 @@ class UACBypassCMSTPCOM(Signature): def run(self): # CMSTPLUA, CMLUAUTIL, Connection Manager LUA Host Object - indicators = [ - ".*\\\\Windows\\\\(SysWOW64|System32)\\\\DllHost\.exe.*\/Processid:(\{)?3E5FC7F9-9A51-4367-9063-A120244FBEC7(\})?", - ".*\\\\Windows\\\\(SysWOW64|System32)\\\\DllHost\.exe.*\/Processid:(\{)?3E000D72-A845-4CD9-BD83-80C07C3B881F(\})?", - ".*\\\\Windows\\\\(SysWOW64|System32)\\\\DllHost\.exe.*\/Processid:(\{)?BA126F01-2166-11D1-B1D0-00805FC1270E(\})?", - ] + indicators = ( + r".*\\Windows\\(SysWOW64|System32)\\DllHost\.exe.*\/Processid:(\{)?3E5FC7F9-9A51-4367-9063-A120244FBEC7(\})?", + r".*\\Windows\\(SysWOW64|System32)\\DllHost\.exe.*\/Processid:(\{)?3E000D72-A845-4CD9-BD83-80C07C3B881F(\})?", + r".*\\Windows\\(SysWOW64|System32)\\DllHost\.exe.*\/Processid:(\{)?BA126F01-2166-11D1-B1D0-00805FC1270E(\})?", + ) for indicator in indicators: match = self.check_executed_command(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/carberp_mutex.py b/modules/signatures/windows/carberp_mutex.py index 6538d145..c4f578b6 100644 --- a/modules/signatures/windows/carberp_mutex.py +++ b/modules/signatures/windows/carberp_mutex.py @@ -28,7 +28,7 @@ class CarberpMutexes(Signature): mbcs = ["OC0003", "C0042"] # micro-behaviour def run(self): - if self.check_mutex(pattern="^(Global\\\\)?(UAC|INS|BD)NTFS\d+$", regex=True): + if self.check_mutex(pattern=r"^(Global\\)?(UAC|INS|BD)NTFS\d+$", regex=True): return True return False diff --git a/modules/signatures/windows/clears_logs.py b/modules/signatures/windows/clears_logs.py index 736d74ae..e92b958f 100644 --- a/modules/signatures/windows/clears_logs.py +++ b/modules/signatures/windows/clears_logs.py 
@@ -33,9 +33,9 @@ class ClearsLogs(Signature): def run(self): file_indicators = [ - ".*\\\\Windows\\\\Logs.*", - ".*\\\\inetpub\\\\logs\\\\LogFiles.*", - ".*\\\\Windows\\\\System32\\\\Winevt.*", + r".*\\Windows\\Logs.*", + r".*\\inetpub\\logs\\LogFiles.*", + r".*\\Windows\\System32\\Winevt.*", ".*\.etl$", ".*\.evt$", ".*\.evtx$", diff --git a/modules/signatures/windows/collects_systeminfo_cmd.py b/modules/signatures/windows/collects_systeminfo_cmd.py index e98b6390..2855a3d8 100644 --- a/modules/signatures/windows/collects_systeminfo_cmd.py +++ b/modules/signatures/windows/collects_systeminfo_cmd.py @@ -29,9 +29,9 @@ class SystemInfoDiscoveryCMD(Signature): def on_complete(self): indicators = [ - "([A-Za-z]:\\\\Windows\\\\System32\\\\)?hostname(.exe)?.*", - "([A-Za-z]:\\\\Windows\\\\System32\\\\)?systeminfo(.exe)?.*", - "([A-Za-z]:\\\\Windows\\\\System32\\\\)?net(.exe)?\sconfig(Server|Workstation)", + r"([A-Za-z]:\\Windows\\System32\\)?hostname(.exe)?.*", + r"([A-Za-z]:\\Windows\\System32\\)?systeminfo(.exe)?.*", + r"([A-Za-z]:\\Windows\\System32\\)?net(.exe)?\sconfig(Server|Workstation)", ] for indicator in indicators: @@ -56,7 +56,7 @@ class SystemUserDiscoveryCMD(Signature): def on_complete(self): indicators = [ - "([A-Za-z]:\\\\Windows\\\\System32\\\\)?whoami(.exe)?.*", + r"([A-Za-z]:\\Windows\\System32\\)?whoami(.exe)?.*", ] for indicator in indicators: 
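Review bot: In the ClearsLogs hunk the raw-string conversion stops after the three path patterns, leaving `".*\.etl$"`, `".*\.evt$"` and `".*\.evtx$"` as ordinary strings whose `\.` is an invalid escape sequence (a DeprecationWarning now, a SyntaxWarning from Python 3.12). For consistency with the rest of the commit they should become `r".*\.etl$"`, `r".*\.evt$"` and `r".*\.evtx$"`. The indicators list and run() continue past the end of the hunk.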
@@ -107,11 +107,11 @@ class SystemNetworkDiscoveryCMD(Signature): def on_complete(self): indicators = [ - "([A-Za-z]:\\\\Windows\\\\System32\\\\)?route(.exe)?.*", - '.*netsh(")?\swlan\sshow\s(profile|networks).*', - "([A-Za-z]:\\\\Windows\\\\System32\\\\)?ipconfig(.exe)?.*", - "([A-Za-z]:\\\\Windows\\\\System32\\\\)?nltest(.exe)?.*", - ".*net\sview.*", + r"([A-Za-z]:\\Windows\\System32\\)?route(.exe)?.*", + r'.*netsh(")?\swlan\sshow\s(profile|networks).*', + r"([A-Za-z]:\\Windows\\System32\\)?ipconfig(.exe)?.*", + r"([A-Za-z]:\\Windows\\System32\\)?nltest(.exe)?.*", + r".*net\sview.*", ] for indicator in indicators: diff --git a/modules/signatures/windows/credential_access.py b/modules/signatures/windows/credential_access.py index 29bab6bb..1007f689 100644 --- a/modules/signatures/windows/credential_access.py +++ b/modules/signatures/windows/credential_access.py @@ -29,7 +29,7 @@ class EnablesWDigest(Signature): def run(self): ret = False - reg_indicators = [".*\\\\Control\\\\SecurityProviders\\\\Wdigest\\\\UseLogonCredential$"] + reg_indicators = [r".*\\Control\\SecurityProviders\\Wdigest\\UseLogonCredential$"] for indicator in reg_indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/credential_dumping.py b/modules/signatures/windows/credential_dumping.py index db1d397b..54c43c0e 100644 --- a/modules/signatures/windows/credential_dumping.py +++ b/modules/signatures/windows/credential_dumping.py @@ -118,10 +118,10 @@ class RegistryCredentialStoreAccess(Signature): def run(self): ret = False - reg_indicators = [ - "HKEY_LOCAL_MACHINE\\\\SAM$", - "HKEY_LOCAL_MACHINE\\\\SYSTEM$", - ] + reg_indicators = ( + r"HKEY_LOCAL_MACHINE\\SAM$", + r"HKEY_LOCAL_MACHINE\\SYSTEM$", + ) for indicator in reg_indicators: match = self.check_key(pattern=indicator, regex=True) 
@@ -148,7 +148,7 @@ class RegistryLSASecretsAccess(Signature):
 def run(self):
 indicators = [
- "HKEY_LOCAL_MACHINE\\\\SECURITY\\\\Policy\\\\Secrets$",
+ r"HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets$",
 ]
 for indicator in indicators:
@@ -174,9 +174,9 @@ class FileCredentialStoreAccess(Signature):
 def run(self):
 indicators = [
- ".*\\\\Windows\\\\repair\\\\sam",
- ".*\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\SAM",
- ".*\\\\Windows\\\\system32\\\\config\\\\SAM",
+ r".*\\Windows\\repair\\sam",
+ r".*\\Windows\\System32\\config\\RegBack\\SAM",
+ r".*\\Windows\\system32\\config\\SAM",
 ]
 for indicator in indicators:
@@ -202,9 +202,9 @@ class FileCredentialStoreWrite(Signature):
 def run(self):
 indicators = [
- ".*\\\\Windows\\\\repair\\\\sam",
- ".*\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\SAM",
- ".*\\\\Windows\\\\system32\\\\config\\\\SAM",
+ r".*\\Windows\\repair\\sam",
+ r".*\\Windows\\System32\\config\\RegBack\\SAM",
+ r".*\\Windows\\system32\\config\\SAM",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/darkcomet_regkeys.py b/modules/signatures/windows/darkcomet_regkeys.py
index eee50f39..db8c074d 100644
--- a/modules/signatures/windows/darkcomet_regkeys.py
+++ b/modules/signatures/windows/darkcomet_regkeys.py
@@ -28,11 +28,11 @@ class DarkCometRegkeys(Signature):
 def run(self):
 dc_keys = False
- indicators = [
- ".*\\\\Software\\\\DC3_FEXEC$",
- ".*\\\\Software\\\\DC3_FEXEC\\\\.*",
- ".*\\\\Software\\\\DC2_USERS$",
- ]
+ indicators = (
+ r".*\\\\Software\\\\DC3_FEXEC$",
+ r".*\\\\Software\\\\DC3_FEXEC\\\\.*",
+ r".*\\\\Software\\\\DC2_USERS$",
+ )
 for indicator in indicators:
 match = self.check_key(pattern=indicator, regex=True)
 if match:
diff --git a/modules/signatures/windows/datop_loader.py b/modules/signatures/windows/datop_loader.py
index f5fb8934..f26ecbe7 100644
--- a/modules/signatures/windows/datop_loader.py
+++ b/modules/signatures/windows/datop_loader.py
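Review bot: The three DarkCometRegkeys patterns keep four backslashes after the `r` prefix is added, so each `\\\\` in a raw string is now a regex for two literal backslashes and check_key will silently stop matching any real `\Software\DC3_FEXEC` path — a detection regression rather than a no-op refactor. Every other hunk halves the escapes when it switches to raw strings; these should read `r".*\\Software\\DC3_FEXEC$"`, `r".*\\Software\\DC3_FEXEC\\.*"` and `r".*\\Software\\DC2_USERS$"`. The same over-escaping is in the DisablesSmartScreen hunk of disables_smartscreen.py (`r".*\\\\Windows\\\\CurrentVersion\\\\explorer\\\\SmartScreenEnabled$"` and its two siblings). A fixture that replays a recorded key write through each converted signature would catch this class of silent loss across the commit.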
@@ -27,7 +27,7 @@ class DatopLoader(Signature): evented = True def run(self): - indicators = ["[A-Z]:\\\\Datop\\\\.*"] + indicators = (r"[A-Z]:\\Datop\\.*",) for indicator in indicators: match = self.check_write_file(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_app.py b/modules/signatures/windows/disables_app.py index 3e5b52af..05ad960b 100644 --- a/modules/signatures/windows/disables_app.py +++ b/modules/signatures/windows/disables_app.py @@ -20,7 +20,7 @@ class DisablesAppLaunch(Signature): def run(self): if self.check_write_key( - pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun$", + pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun$", regex=True, ): return True diff --git a/modules/signatures/windows/disables_app_autotermination.py b/modules/signatures/windows/disables_app_autotermination.py index eda87e3a..c9e686d8 100644 --- a/modules/signatures/windows/disables_app_autotermination.py +++ b/modules/signatures/windows/disables_app_autotermination.py @@ -29,9 +29,7 @@ class DisablesAutomaticAppTermination(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\AllowBlockingAppsAtShutdown", - ] + indicators = (r"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System\\AllowBlockingAppsAtShutdown",) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_appv_virtualization.py b/modules/signatures/windows/disables_appv_virtualization.py index ea4bfbe4..e4c3a8ff 100644 --- a/modules/signatures/windows/disables_appv_virtualization.py +++ b/modules/signatures/windows/disables_appv_virtualization.py 
@@ -29,9 +29,9 @@ class DisablesAppVirtualiztion(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\AppV\\\\Client\\\\Virtualization\\\\EnableDynamicVirtualization", - ] + indicators = ( + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\AppV\\Client\\Virtualization\\EnableDynamicVirtualization", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_backups.py b/modules/signatures/windows/disables_backups.py index 8776d3c1..66efa16d 100644 --- a/modules/signatures/windows/disables_backups.py +++ b/modules/signatures/windows/disables_backups.py 
@@ -29,19 +29,19 @@ class DisablesBackups(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - ".*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Backup\\\\Client\\\\DisableBackupToDisk", - ".*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Backup\\\\Client\\\\DisableBackupToNetwork", - ".*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Backup\\\\Client\\\\DisableBackupToOptical", - ".*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Backup\\\\Client\\\\DisableBackupLauncher", - ".*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Backup\\\\Client\\\\DisableRestoreUI", - ".*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Backup\\\\Client\\\\DisableBackupUI", - ".*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Backup\\\\Client\\\\DisableSystemBackupUI", - ".*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Backup\\\\Client\\\\NoBackupToDisk", - ".*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Backup\\\\Client\\\\NoBackupToNetwork", - ".*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Backup\\\\Client\\\\NoBackupToOptical", - ".*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Backup\\\\Client\\\\NoRunNowBackup", - ] + indicators = ( + r".*\\Software\\Policies\\Microsoft\\Windows\\Backup\\Client\\DisableBackupToDisk", + r".*\\Software\\Policies\\Microsoft\\Windows\\Backup\\Client\\DisableBackupToNetwork", + r".*\\Software\\Policies\\Microsoft\\Windows\\Backup\\Client\\DisableBackupToOptical", + r".*\\Software\\Policies\\Microsoft\\Windows\\Backup\\Client\\DisableBackupLauncher", + r".*\\Software\\Policies\\Microsoft\\Windows\\Backup\\Client\\DisableRestoreUI", + r".*\\Software\\Policies\\Microsoft\\Windows\\Backup\\Client\\DisableBackupUI", + r".*\\Software\\Policies\\Microsoft\\Windows\\Backup\\Client\\DisableSystemBackupUI", + r".*\\Software\\Policies\\Microsoft\\Windows\\Backup\\Client\\NoBackupToDisk", + 
r".*\\Software\\Policies\\Microsoft\\Windows\\Backup\\Client\\NoBackupToNetwork", + r".*\\Software\\Policies\\Microsoft\\Windows\\Backup\\Client\\NoBackupToOptical", + r".*\\Software\\Policies\\Microsoft\\Windows\\Backup\\Client\\NoRunNowBackup", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_browserwarn.py b/modules/signatures/windows/disables_browserwarn.py index 48611014..3e47dbfd 100644 --- a/modules/signatures/windows/disables_browserwarn.py +++ b/modules/signatures/windows/disables_browserwarn.py 
@@ -19,17 +19,17 @@ class DisablesBrowserWarn(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnBadCertRecving$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnBadCertSending$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnHTTPSToHTTPRedirect$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnZoneCrossing$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\WarnOnPostRedirect$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet\\ Settings\\\\IEHardenIENoWarn$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Main\\\\NoProtectedModeBanner$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Main\\\\IE9RunOncePerInstallCompleted$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Internet\\ Explorer\\\\Main\\\\IE9TourShown$", - ] + indicators = ( + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\WarnOnBadCertRecving$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\WarnOnBadCertSending$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\WarnOnHTTPSToHTTPRedirect$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\WarnOnZoneCrossing$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\WarnOnPostRedirect$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Internet\\ Settings\\IEHardenIENoWarn$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet\\ 
Explorer\\Main\\NoProtectedModeBanner$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet\\ Explorer\\Main\\IE9RunOncePerInstallCompleted$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Internet\\ Explorer\\Main\\IE9TourShown$", + ) found_match = False for indicator in indicators: key_match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_context_menus.py b/modules/signatures/windows/disables_context_menus.py index a2dc3c48..4988406c 100644 --- a/modules/signatures/windows/disables_context_menus.py +++ b/modules/signatures/windows/disables_context_menus.py @@ -29,10 +29,10 @@ class DisablesContextMenus(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoTrayContextMenu", - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisableContextMenusInStart", - ] + indicators = ( + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoTrayContextMenu", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisableContextMenusInStart", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_cpl_display.py b/modules/signatures/windows/disables_cpl_display.py index ccc6448d..1d849dcb 100644 --- a/modules/signatures/windows/disables_cpl_display.py +++ b/modules/signatures/windows/disables_cpl_display.py 
@@ -29,9 +29,7 @@ class DisablesCPLDisplay(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\NoDispCPL", - ] + indicators = (r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoDispCPL",) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_crashdumps.py b/modules/signatures/windows/disables_crashdumps.py index a7ecdaf4..446d6a2d 100644 --- a/modules/signatures/windows/disables_crashdumps.py +++ b/modules/signatures/windows/disables_crashdumps.py @@ -30,9 +30,7 @@ class DisablesCrashdumps(Signature): def run(self): ret = False - keys = [ - ".*\\\\SYSTEM\\\\(Wow6432Node\\\\)?ControlSet001\\\\Control\\\\CrashControl\\\\CrashDumpEnabled$", - ] + keys = (r".*\\SYSTEM\\(Wow6432Node\\)?ControlSet001\\Control\\CrashControl\\CrashDumpEnabled$",) for check in keys: match = self.check_write_key(pattern=check, regex=True) diff --git a/modules/signatures/windows/disables_event_logging.py b/modules/signatures/windows/disables_event_logging.py index 7b19a798..3bfc8c35 100644 --- a/modules/signatures/windows/disables_event_logging.py +++ b/modules/signatures/windows/disables_event_logging.py @@ -30,9 +30,7 @@ class DisablesEventLogging(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - ".*\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\EventLog-.*", - ] + indicators = (r".*\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\EventLog-.*",) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_folder_options.py b/modules/signatures/windows/disables_folder_options.py index 8712063d..c9003e2d 100644 --- a/modules/signatures/windows/disables_folder_options.py 
+++ b/modules/signatures/windows/disables_folder_options.py @@ -28,9 +28,7 @@ class DisableFolderOptions(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFolderOptions$", - ] + indicators = (r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions$",) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_notificationcenter.py b/modules/signatures/windows/disables_notificationcenter.py index 8813fc1b..ec063162 100644 --- a/modules/signatures/windows/disables_notificationcenter.py +++ b/modules/signatures/windows/disables_notificationcenter.py @@ -30,9 +30,7 @@ class DisablesNotificationCenter(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - ".*\\\\Explorer\\\\DisableNotificationCenter$", - ] + indicators = (r".*\\Explorer\\DisableNotificationCenter$",) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_power_options.py b/modules/signatures/windows/disables_power_options.py index ba780e66..fdfd22a0 100644 --- a/modules/signatures/windows/disables_power_options.py +++ b/modules/signatures/windows/disables_power_options.py 
@@ -29,15 +29,15 @@ class DisablesPowerOptions(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose", - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\StartMenuLogOff", - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\NoClose", - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword", - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation", - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\NoLogoff", - "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Power\\\\CsEnabled", - ] + indicators = ( + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\StartMenuLogOff", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoClose", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableChangePassword", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoLogoff", + r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Power\\CsEnabled", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_restore_default_state.py b/modules/signatures/windows/disables_restore_default_state.py index f6ac7fdd..4d644b3d 100644 --- a/modules/signatures/windows/disables_restore_default_state.py 
+++ b/modules/signatures/windows/disables_restore_default_state.py @@ -29,9 +29,7 @@ class DisablesRestoreDefaultState(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\WinRE\\\\DisableSetup", - ] + indicators = (r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRE\\DisableSetup",) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_run_command.py b/modules/signatures/windows/disables_run_command.py index 77f014b8..2f4ba7ba 100644 --- a/modules/signatures/windows/disables_run_command.py +++ b/modules/signatures/windows/disables_run_command.py @@ -30,9 +30,7 @@ class DisableRunCommand(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun.*", - ] + indicators = (r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun.*",) for indicator in indicators: reg_match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_security.py b/modules/signatures/windows/disables_security.py index 8b002977..88a4f343 100644 --- a/modules/signatures/windows/disables_security.py +++ b/modules/signatures/windows/disables_security.py 
@@ -20,60 +20,60 @@ def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) self.regkeys_re = [ ( - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA", + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA", "attempts to disable user access control", ), ( - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\AntiVirusOverride", + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Security\\ Center\\AntiVirusOverride", "attempts to disable antivirus notifications", ), ( - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\AntiVirusDisableNotify", + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Security\\ Center\\AntiVirusDisableNotify", "attempts to disable antivirus notifications", ), ( - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\FirewallDisableNotify", + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Security\\ Center\\FirewallDisableNotify", "attempts to disable firewall notifications", ), ( - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\FirewallOverride", + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Security\\ Center\\FirewallOverride", "attempts to disable firewall notifications", ), ( - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\UpdatesDisableNotify", + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Security\\ Center\\UpdatesDisableNotify", "attempts to disable windows update notifications", ), ( - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\UacDisableNotify", + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Security\\ Center\\UacDisableNotify", "disables user access control notifications", 
), ( - "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\StandardProfile\\\\EnableFirewall", + r"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\EnableFirewall", "attempts to disable windows firewall", ), ( - "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\StandardProfile\\\\DoNotAllowExceptions", + r"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DoNotAllowExceptions", "attempts to disable firewall exceptions", ), ( - "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\StandardProfile\\\\DisableNotifications", + r"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\DisableNotifications", "attempts to disable firewall notifications", ), - (".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Windows\\ Defender\\\\.*", "attempts to disable windows defender"), + (r".*\\SOFTWARE\\(Wow6432Node\\)?Windows\\ Defender\\.*", "attempts to disable windows defender"), ( - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\ Defender\\\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Policies\\Microsoft\\Windows\\ Defender\\.*", "attempts to modify windows defender policies", ), ( - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\services\\\\WinDefend\\\\.*", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\services\\WinDefend\\.*", "attempts to disable windows defender", ), ( - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Notifications\\\\Settings\\\\Windows\\.Defender\\.SecurityCenter\\\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Notifications\\Settings\\Windows\\.Defender\\.SecurityCenter\\.*", "attempts to modify windows defender 
notifications", ), ( - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\\\System\\\\EnableSmartScreen", + r".*\\SOFTWARE\\(Wow6432Node\\)?Policies\\Microsoft\\Windows\\System\\EnableSmartScreen", "attempts to modify windows system-level smart-screen", ), ] diff --git a/modules/signatures/windows/disables_smartscreen.py b/modules/signatures/windows/disables_smartscreen.py index d4ce6c0e..3c64670a 100644 --- a/modules/signatures/windows/disables_smartscreen.py +++ b/modules/signatures/windows/disables_smartscreen.py @@ -32,11 +32,11 @@ class DisablesSmartScreen(Signature): def run(self): re_match = False cmd_match = False - indicators = [ - ".*\\\\Windows\\\\CurrentVersion\\\\explorer\\\\SmartScreenEnabled$", - ".*\\\\Windows\\\\CurrentVersion\\\\AppHost\\\\SmartScreenEnabled$", - ".*\\\\MicrosoftEdge\\\\PhishingFilter$", - ] + indicators = ( + r".*\\\\Windows\\\\CurrentVersion\\\\explorer\\\\SmartScreenEnabled$", + r".*\\\\Windows\\\\CurrentVersion\\\\AppHost\\\\SmartScreenEnabled$", + r".*\\\\MicrosoftEdge\\\\PhishingFilter$", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_startmenu_search.py b/modules/signatures/windows/disables_startmenu_search.py index 8f63431f..1883f14f 100644 --- a/modules/signatures/windows/disables_startmenu_search.py +++ b/modules/signatures/windows/disables_startmenu_search.py 
@@ -29,11 +29,11 @@ class DisablesStartMenuSearch(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSearchFilesInStartMenu", - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSearchProgramsInStartMenu", - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoStartMenuMorePrograms", - ] + indicators = ( + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSearchFilesInStartMenu", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSearchProgramsInStartMenu", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoStartMenuMorePrograms", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/disables_sysrestore.py b/modules/signatures/windows/disables_sysrestore.py index 50b6cff8..f0336538 100644 --- a/modules/signatures/windows/disables_sysrestore.py +++ b/modules/signatures/windows/disables_sysrestore.py 
@@ -17,11 +17,11 @@ class DisablesSystemRestore(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - keys = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\SystemRestore\\\\DisableSR$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\ NT\\\\SystemRestore\\\\DisableSR$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\ NT\\\\SystemRestore\\\\DisableConfig$", - ] + keys = ( + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\ NT\\CurrentVersion\\SystemRestore\\DisableSR$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Policies\\Microsoft\\Windows\\ NT\\SystemRestore\\DisableSR$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Policies\\Microsoft\\Windows\\ NT\\SystemRestore\\DisableConfig$", + ) for check in keys: if self.check_write_key(pattern=check, regex=True): return True diff --git a/modules/signatures/windows/disables_uac.py b/modules/signatures/windows/disables_uac.py index 9588943c..b48d254f 100644 --- a/modules/signatures/windows/disables_uac.py +++ b/modules/signatures/windows/disables_uac.py @@ -20,7 +20,7 @@ class DisablesUAC(Signature): def run(self): if self.check_write_key( - pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA$", + pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", regex=True, ): return True diff --git a/modules/signatures/windows/disables_wer.py b/modules/signatures/windows/disables_wer.py index 3b2ce487..e61eeeae 100644 --- a/modules/signatures/windows/disables_wer.py +++ b/modules/signatures/windows/disables_wer.py 
@@ -20,7 +20,7 @@ class DisablesWER(Signature): def run(self): if self.check_write_key( - pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ Error\\ Reporting\\\\Disabled$", + pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\Windows\\ Error\\ Reporting\\Disabled$", regex=True, ): return True diff --git a/modules/signatures/windows/disables_windefender.py b/modules/signatures/windows/disables_windefender.py index 15e1676d..e29d6ab4 100644 --- a/modules/signatures/windows/disables_windefender.py +++ b/modules/signatures/windows/disables_windefender.py @@ -21,11 +21,11 @@ class DisablesWindowsDefender(Signature): def run(self): ret = False - keys = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Windows\\ Defender\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\ Defender\\\\.*", - ".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\services\\\\WinDefend\\\\.*", - ] + keys = ( + r".*\\SOFTWARE\\(Wow6432Node\\)?Windows\\ Defender\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Policies\\Microsoft\\Windows\\ Defender\\.*", + r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\services\\WinDefend\\.*", + ) cmds = [ "disableantispyware", 
@@ -122,12 +122,12 @@ class RemovesWindowsDefenderContextMenu(Signature):
 mbcs += ["OC0008", "C0036"] # micro-behaviour
 def run(self):
- indicators = [
- "HKEY_CLASSES_ROOT\\\\\*\\\\shellex\\\\ContextMenuHandlers\\\\EPP$",
- "HKEY_CLASSES_ROOT\\\\Directory\\\\shellex\\\\ContextMenuHandlers\\\\EPP$",
- "HKEY_CLASSES_ROOT\\\\Drive\\\\shellex\\\\ContextMenuHandlers\\\\EPP$",
- ]
- pat = re.compile(".*\\\\shellex\\\\contextmenuhandlers\\\\epp")
+ indicators = (
+ r"HKEY_CLASSES_ROOT\\\*\\shellex\\ContextMenuHandlers\\EPP$",
+ r"HKEY_CLASSES_ROOT\\Directory\\shellex\\ContextMenuHandlers\\EPP$",
+ r"HKEY_CLASSES_ROOT\\Drive\\shellex\\ContextMenuHandlers\\EPP$",
+ )
+ pat = re.compile(".*\\shellex\\contextmenuhandlers\\epp")
 for indicator in indicators:
 match = self.check_write_key(pattern=indicator, regex=True)
@@ -158,10 +158,8 @@ class DisablesWindowsDefenderLogging(Signature):
 mbcs += ["OC0008", "C0036"] # micro-behaviour
 def run(self):
- indicators = [
- ".*\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\Defender(Api|Audit)Logger",
- ]
- pat = re.compile(".*\\\\system\\\\currentcontrolset\\\\control\\\\wmi\\\\autologger\\\\defender(api|audit)logger")
+ indicators = (r".*\\System\\CurrentControlSet\\Control\\WMI\\Autologger\\Defender(Api|Audit)Logger",)
+ pat = re.compile(r".*\\system\\currentcontrolset\\control\\wmi\\autologger\\defender(api|audit)logger")
 for indicator in indicators:
 match = self.check_write_key(pattern=indicator, regex=True)
diff --git a/modules/signatures/windows/disables_windows_file_protection.py b/modules/signatures/windows/disables_windows_file_protection.py
index ebf93b42..42d59f2b 100644
--- a/modules/signatures/windows/disables_windows_file_protection.py
+++ b/modules/signatures/windows/disables_windows_file_protection.py
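Review bot: In RemovesWindowsDefenderContextMenu.run the backslashes in `pat = re.compile(".*\\shellex\\contextmenuhandlers\\epp")` were halved without adding the `r` prefix, so the regex engine receives `\s`, `\c` and `\e`; on Python 3.7+ `\c` and `\e` are bad escapes and `re.compile` raises `re.error` the moment the signature runs, while the `indicators` tuple right above it was converted correctly. The line should read `pat = re.compile(r".*\\shellex\\contextmenuhandlers\\epp")`. The DisablesWindowsDefenderLogging hunk below does carry the raw prefix on its `pat`, so this is an inconsistency within the same commit; the remainder of run() is outside the hunk.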
@@ -28,10 +28,10 @@ class DisablesWindowsFileProtection(Signature): def run(self): ret = False - keys = [ - ".*\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\SFCDisable$", - ".*\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\SFCScan$", - ] + keys = ( + r".*\\Microsoft\\Windows\\ NT\\CurrentVersion\\Winlogon\\SFCDisable$", + r".*\\Microsoft\\Windows\\ NT\\CurrentVersion\\Winlogon\\SFCScan$", + ) for check in keys: match = self.check_write_key(pattern=check, regex=True) diff --git a/modules/signatures/windows/disables_windowsupdate.py b/modules/signatures/windows/disables_windowsupdate.py index 2c88262c..67aafb3b 100644 --- a/modules/signatures/windows/disables_windowsupdate.py +++ b/modules/signatures/windows/disables_windowsupdate.py @@ -18,7 +18,7 @@ class DisablesWindowsUpdate(Signature): def run(self): if self.check_write_key( - pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\(AU\\\\NoAutoUpdate|Auto\\ Update\\\\AUOptions)$", + pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Policies\\Microsoft\\Windows\\WindowsUpdate\\(AU\\NoAutoUpdate|Auto\\ Update\\AUOptions)$", regex=True, ): return True diff --git a/modules/signatures/windows/downloader_cabby.py b/modules/signatures/windows/downloader_cabby.py index 834ee97f..83b5b854 100644 --- a/modules/signatures/windows/downloader_cabby.py +++ b/modules/signatures/windows/downloader_cabby.py @@ -37,7 +37,7 @@ def run(self): else: return False - match_cab_file = self.check_file(pattern=".*\\\\Temp\\\\temp_cab_[0-9]*\.cab", regex=True) + match_cab_file = self.check_file(pattern=r".*\\Temp\\temp_cab_[0-9]*\.cab", regex=True) if match_cab_file: self.data.append({"cab_file": match_cab_file}) diff --git a/modules/signatures/windows/downloader_guloader.py b/modules/signatures/windows/downloader_guloader.py index 2f13eff7..3e1268dc 100644 --- a/modules/signatures/windows/downloader_guloader.py +++ b/modules/signatures/windows/downloader_guloader.py 
@@ -38,11 +38,11 @@ class GuLoaderAPIs(Signature): def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) self.regpattern = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors" - self.filepatterns = [ - "^[A-Z]:\\\\ProgramData\\\\qemu-ga\\\\qga.state$", - "^[A-Z]:\\\\Program\sFiles(\s\(x86\))?\\\\Qemu-ga\\\\qemu-ga.exe$", - "^[A-Z]:\\\\Program\sFiles(\s\(x86\))?\\\\qga\\\\qga.exe$", - ] + self.filepatterns = ( + r"^[A-Z]:\\ProgramData\\qemu-ga\\qga.state$", + r"^[A-Z]:\\Program\sFiles(\s\(x86\))?\\Qemu-ga\\qemu-ga.exe$", + r"^[A-Z]:\\Program\sFiles(\s\(x86\))?\\qga\\qga.exe$", + ) self.uapattern = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" self.useragent = str() self.regmatch = False diff --git a/modules/signatures/windows/exploit_spooler.py b/modules/signatures/windows/exploit_spooler.py index 63785dd7..9a482b16 100644 --- a/modules/signatures/windows/exploit_spooler.py +++ b/modules/signatures/windows/exploit_spooler.py @@ -52,9 +52,7 @@ class SpoolerAccess(Signature): minimum = "0.5" def run(self): - indicators = [ - ".*\\\\Windows\\\\System32\\\\spool\\\\.*", - ] + indicators = (r".*\\Windows\\System32\\spool\\.*",) for indicator in indicators: match = self.check_write_file(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/forces_mappeddrives_uac.py b/modules/signatures/windows/forces_mappeddrives_uac.py index 519010d1..b1f21b44 100644 --- a/modules/signatures/windows/forces_mappeddrives_uac.py +++ b/modules/signatures/windows/forces_mappeddrives_uac.py 
@@ -26,9 +26,9 @@ class MappedDrivesUAC(Signature): mbcs = ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections$", - ] + indicators = ( + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections$", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/hides_recyclebin_icon.py b/modules/signatures/windows/hides_recyclebin_icon.py index 8e21f7a3..6a7b9120 100644 --- a/modules/signatures/windows/hides_recyclebin_icon.py +++ b/modules/signatures/windows/hides_recyclebin_icon.py @@ -29,9 +29,9 @@ class HidesRecycleBinIcon(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\NonEnum\\\\\{645FF040-5081-101B-9F08-00AA002F954E\}", - ] + indicators = ( + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\\{645FF040-5081-101B-9F08-00AA002F954E\}", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/infostealer_apocalypse.py b/modules/signatures/windows/infostealer_apocalypse.py index 2b459306..da512aba 100644 --- a/modules/signatures/windows/infostealer_apocalypse.py +++ b/modules/signatures/windows/infostealer_apocalypse.py 
@@ -33,11 +33,11 @@ class ApocalypseStealerFileBehavior(Signature): def run(self): score = 0 - file_indicators = [ - ".*\\\\AppData\\\\Local\\\\Temp\\\\browser(Passwords|Cookies|CreditCards)$", - ".*\\\\AppData\\\\Roaming\\\\(Google|Firefox)\\\\(Passwords|Cookies)\.txt$", - ".*\\\\AppData\\\\Roaming\\\\Clipboard.txt$", - ] + file_indicators = ( + r".*\\AppData\\Local\\Temp\\browser(Passwords|Cookies|CreditCards)$", + r".*\\AppData\\Roaming\\(Google|Firefox)\\(Passwords|Cookies)\.txt$", + r".*\\AppData\\Roaming\\Clipboard.txt$", + ) for indicator in file_indicators: match = self.check_write_file(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/infostealer_arkei.py b/modules/signatures/windows/infostealer_arkei.py index cd9a7127..2d83d5e0 100644 --- a/modules/signatures/windows/infostealer_arkei.py +++ b/modules/signatures/windows/infostealer_arkei.py @@ -27,9 +27,7 @@ class ArkeiFiles(Signature): mbcs = ["OC0001", "C0016", "C0046"] # micro-behaviour def run(self): - indicators = [ - ".*\\\\ProgramData\\\\Arkei-.*", - ] + indicators = (r".*\\ProgramData\\Arkei-.*",) for indicator in indicators: match = self.check_file(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/infostealer_bitcoin.py b/modules/signatures/windows/infostealer_bitcoin.py index 7b65f2a0..dfc3bdfa 100644 --- a/modules/signatures/windows/infostealer_bitcoin.py +++ b/modules/signatures/windows/infostealer_bitcoin.py 
@@ -16,44 +16,44 @@ class BitcoinWallet(Signature): mbcs = ["OB0003", "B0028", "B0028.001"] def run(self): - indicators = [ - ".*\\\\wallet\.dat$", - ".*\\\\Bitcoin\\\\.*", - ".*\\\\Electrum\\\\.*", - ".*\\\\MultiBit\\\\.*", - ".*\\\\Litecoin\\\\.*", - ".*\\\\Namecoin\\\\.*", - ".*\\\\Terracoin\\\\.*", - ".*\\\\PPCoin\\\\.*", - ".*\\\\Primecoin\\\\.*", - ".*\\\\Feathercoin\\\\.*", - ".*\\\\Novacoin\\\\.*", - ".*\\\\Freicoin\\\\.*", - ".*\\\\Devcoin\\\\.*", - ".*\\\\Franko\\\\.*", - ".*\\\\ProtoShares\\\\.*", - ".*\\\\Megacoin\\\\.*", - ".*\\\\Quarkcoin\\\\.*", - ".*\\\\Worldcoin\\\\.*", - ".*\\\\Infinitecoin\\\\.*", - ".*\\\\Ixcoin\\\\.*", - ".*\\\\Anoncoin\\\\.*", - ".*\\\\BBQcoin\\\\.*", - ".*\\\\Digitalcoin\\\\.*", - ".*\\\\Mincoin\\\\.*", - ".*\\\\GoldCoin\\ \(GLD\)\\\\.*", - ".*\\\\Yacoin\\\\.*", - ".*\\\\Zetacoin\\\\.*", - ".*\\\\Fastcoin\\\\.*", - ".*\\\\I0coin\\\\.*", - ".*\\\\Tagcoin\\\\.*", - ".*\\\\Bytecoin\\\\.*", - ".*\\\\Florincoin\\\\.*", - ".*\\\\Phoenixcoin\\\\.*", - ".*\\\\Luckycoin\\\\.*", - ".*\\\\Craftcoin\\\\.*", - ".*\\\\Junkcoin\\\\.*", - ] + indicators = ( + r".*\\wallet\.dat$", + r".*\\Bitcoin\\.*", + r".*\\Electrum\\.*", + r".*\\MultiBit\\.*", + r".*\\Litecoin\\.*", + r".*\\Namecoin\\.*", + r".*\\Terracoin\\.*", + r".*\\PPCoin\\.*", + r".*\\Primecoin\\.*", + r".*\\Feathercoin\\.*", + r".*\\Novacoin\\.*", + r".*\\Freicoin\\.*", + r".*\\Devcoin\\.*", + r".*\\Franko\\.*", + r".*\\ProtoShares\\.*", + r".*\\Megacoin\\.*", + r".*\\Quarkcoin\\.*", + r".*\\Worldcoin\\.*", + r".*\\Infinitecoin\\.*", + r".*\\Ixcoin\\.*", + r".*\\Anoncoin\\.*", + r".*\\BBQcoin\\.*", + r".*\\Digitalcoin\\.*", + r".*\\Mincoin\\.*", + r".*\\GoldCoin\\ \(GLD\)\\.*", + r".*\\Yacoin\\.*", + r".*\\Zetacoin\\.*", + r".*\\Fastcoin\\.*", + r".*\\I0coin\\.*", + r".*\\Tagcoin\\.*", + r".*\\Bytecoin\\.*", + r".*\\Florincoin\\.*", + r".*\\Phoenixcoin\\.*", + r".*\\Luckycoin\\.*", + r".*\\Craftcoin\\.*", + r".*\\Junkcoin\\.*", + ) found_match = False for indicator in indicators: 
diff --git a/modules/signatures/windows/infostealer_browser.py b/modules/signatures/windows/infostealer_browser.py index fbec0509..cbc10ad9 100644 --- a/modules/signatures/windows/infostealer_browser.py +++ b/modules/signatures/windows/infostealer_browser.py 
@@ -42,32 +42,32 @@ def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) self.filematches = set() self.saw_stealer = False - self.indicators = [ - re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\signons\.sqlite$", re.I), - re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\secmod\.db$", re.I), - re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\cert8\.db$", re.I), - re.compile(".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\.default\\\\key3\.db$", re.I), - re.compile(".*\\\\History\\\\History\.IE5\\\\index\.dat$", re.I), - re.compile(".*\\\\Cookies\\\\.*", re.I), - re.compile(".*\\\\Temporary\\ Internet\\ Files\\\\Content\.IE5\\\\index\.dat$", re.I), - re.compile(".*\\\\Application\\ Data\\\\Google\\\\Chrome\\\\.*", re.I), - re.compile(".*\\\\Local\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\.*", re.I), - re.compile(".*\\\\Application\\ Data\\\\Mozilla\\\\Firefox\\\\.*", re.I), - re.compile(".*\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\.*", re.I), - re.compile(".*\\\\Application\\ Data\\\\Opera\\\\.*", re.I), - re.compile(".*\\\\AppData\\\\Roaming\\\\Opera\\\\Opera\\\\.*", re.I), - re.compile(".*\\\\Application\\ Data\\\\Chromium\\\\.*", re.I), - re.compile(".*\\\\AppData\\\\Local\\\\Chromium\\\\.*", re.I), - re.compile(".*\\\\Application\\ Data\\\\ChromePlus\\\\.*", re.I), - re.compile(".*\\\\AppData\\\\Local\\\\MapleStudio\\\\ChromePlus\\\\.*", re.I), - re.compile(".*\\\\Application\\ Data\\\\Nichrome\\\\.*", re.I), - re.compile(".*\\\\Application\\ Data\\\\Bromium\\\\.*", re.I), - re.compile(".*\\\\Application\\ Data\\\\RockMelt\\\\.*", re.I), - re.compile(".*\\\\Application\\ Data\\\\Flock\\\\.*", re.I), - re.compile(".*\\\\AppData\\\\Local\\\\Flock\\\\.*", re.I), - re.compile(".*\\\\Application\\ Data\\\\Comodo\\\\Dragon\\\\.*", re.I), - re.compile(".*\\\\AppData\\\\Local\\\\Comodo\\\\Dragon\\\\.*", re.I), - ] + self.indicators = ( + 
re.compile(r".*\\Mozilla\\Firefox\\Profiles\\.*\\.default\\signons\.sqlite$", re.I), + re.compile(r".*\\Mozilla\\Firefox\\Profiles\\.*\\.default\\secmod\.db$", re.I), + re.compile(r".*\\Mozilla\\Firefox\\Profiles\\.*\\.default\\cert8\.db$", re.I), + re.compile(r".*\\Mozilla\\Firefox\\Profiles\\.*\\.default\\key3\.db$", re.I), + re.compile(r".*\\History\\History\.IE5\\index\.dat$", re.I), + re.compile(r".*\\Cookies\\.*", re.I), + re.compile(r".*\\Temporary\\ Internet\\ Files\\Content\.IE5\\index\.dat$", re.I), + re.compile(r".*\\Application\\ Data\\Google\\Chrome\\.*", re.I), + re.compile(r".*\\Local\\Google\\Chrome\\User\\ Data\\Default\\.*", re.I), + re.compile(r".*\\Application\\ Data\\Mozilla\\Firefox\\.*", re.I), + re.compile(r".*\\AppData\\Roaming\\Mozilla\\Firefox\\.*", re.I), + re.compile(r".*\\Application\\ Data\\Opera\\.*", re.I), + re.compile(r".*\\AppData\\Roaming\\Opera\\Opera\\.*", re.I), + re.compile(r".*\\Application\\ Data\\Chromium\\.*", re.I), + re.compile(r".*\\AppData\\Local\\Chromium\\.*", re.I), + re.compile(r".*\\Application\\ Data\\ChromePlus\\.*", re.I), + re.compile(r".*\\AppData\\Local\\MapleStudio\\ChromePlus\\.*", re.I), + re.compile(r".*\\Application\\ Data\\Nichrome\\.*", re.I), + re.compile(r".*\\Application\\ Data\\Bromium\\.*", re.I), + re.compile(r".*\\Application\\ Data\\RockMelt\\.*", re.I), + re.compile(r".*\\Application\\ Data\\Flock\\.*", re.I), + re.compile(r".*\\AppData\\Local\\Flock\\.*", re.I), + re.compile(r".*\\Application\\ Data\\Comodo\\Dragon\\.*", re.I), + re.compile(r".*\\AppData\\Local\\Comodo\\Dragon\\.*", re.I), + ) def on_call(self, call, process): # If the current process appears to be a browser, continue. diff --git a/modules/signatures/windows/infostealer_cookies.py b/modules/signatures/windows/infostealer_cookies.py index ffcdb7bb..2ef74b42 100644 --- a/modules/signatures/windows/infostealer_cookies.py +++ b/modules/signatures/windows/infostealer_cookies.py 
@@ -31,19 +31,19 @@ class CookiesStealer(Signature): def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) self.data = [] - self.indicators = [ - ".*\\\\Chromium\\\\User Data\\\\.*\\\\Cookies$", - ".*\\\\Google\\\\Chrome\\\\User Data\\\\.*\\\\Cookies$", - ".*\\\\Microsoft\\\\Windows\\\\INetCookies$", - ".*\\\\Packages\\\\.*\\\\AC\\\\.*\\\\MicrosoftEdge\\\\Cookies$", - ".*\\\\UCBrowser\\\\User Data_i18n\\\\.*\\\\Cookies.9$", - ".*\\\\Yandex\\\\YandexBrowser\\\\User Data\\\\.*\\\\Cookies$", - ".*\\\\Apple Computer\\\\Safari\\\\Cookies\\\\Cookies.binarycookies$", - ".*\\\\Microsoft\\\\Windows\\\\Cookies$", - ".*\\\\Mozilla\\\\Firefox\\\\Profiles\\\\.*\\\\cookies.sqlite$", - ".*\\\\Opera Software\\\\Opera Stable\\\\Cookies$", - ".*\\\\Brave-Browser\\\\User Data\\\\.*\\\\Cookies$", - ] + self.indicators = ( + r".*\\Chromium\\User Data\\.*\\Cookies$", + r".*\\Google\\Chrome\\User Data\\.*\\Cookies$", + r".*\\Microsoft\\Windows\\INetCookies$", + r".*\\Packages\\.*\\AC\\.*\\MicrosoftEdge\\Cookies$", + r".*\\UCBrowser\\User Data_i18n\\.*\\Cookies.9$", + r".*\\Yandex\\YandexBrowser\\User Data\\.*\\Cookies$", + r".*\\Apple Computer\\Safari\\Cookies\\Cookies.binarycookies$", + r".*\\Microsoft\\Windows\\Cookies$", + r".*\\Mozilla\\Firefox\\Profiles\\.*\\cookies.sqlite$", + r".*\\Opera Software\\Opera Stable\\Cookies$", + r".*\\Brave-Browser\\User Data\\.*\\Cookies$", + ) self.safe_indicators = [ "chrome.exe", "firefox.exe", diff --git a/modules/signatures/windows/infostealer_cryptbot.py b/modules/signatures/windows/infostealer_cryptbot.py index bec654b4..9d9aa09e 100644 --- a/modules/signatures/windows/infostealer_cryptbot.py +++ b/modules/signatures/windows/infostealer_cryptbot.py 
@@ -28,14 +28,14 @@ class CryptBotFiles(Signature): def run(self): score = 0 - indicators = [ - ".*AppData\\\\Local\\\\Temp\\\\.*\\\\(_Files|files_)\\\\_AllForms_list\.txt$", - ".*AppData\\\\Local\\\\Temp\\\\.*\\\\(_Files|files_)\\\\_Screen_Desktop\.jpeg$", - ".*AppData\\\\Local\\\\Temp\\\\.*\\\\(_Files|files_)\\\\_Information\.txt$", - ".*AppData\\\\Local\\\\Temp\\\\.*\\\\(_Files|files_)\\\\screenshot\.jpg$", - ".*AppData\\\\Local\\\\Temp\\\\.*\\\\(_Files|files_)\\\\system_info\.txt$", - ".*AppData\\\\Local\\\\Temp\\\\.*\\\\(_Files|files_)\\\\forms\.txt$", - ] + indicators = ( + r".*AppData\\Local\\Temp\\.*\\(_Files|files_)\\_AllForms_list\.txt$", + r".*AppData\\Local\\Temp\\.*\\(_Files|files_)\\_Screen_Desktop\.jpeg$", + r".*AppData\\Local\\Temp\\.*\\(_Files|files_)\\_Information\.txt$", + r".*AppData\\Local\\Temp\\.*\\(_Files|files_)\\screenshot\.jpg$", + r".*AppData\\Local\\Temp\\.*\\(_Files|files_)\\system_info\.txt$", + r".*AppData\\Local\\Temp\\.*\\(_Files|files_)\\forms\.txt$", + ) for indicator in indicators: match = self.check_write_file(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/infostealer_echelon.py b/modules/signatures/windows/infostealer_echelon.py index 9b95639a..72acfb5e 100644 --- a/modules/signatures/windows/infostealer_echelon.py +++ b/modules/signatures/windows/infostealer_echelon.py 
@@ -33,20 +33,20 @@ class EchelonFiles(Signature): def run(self): score = 0 - fpath = ".*\\\\AppData\\\\Roaming\\\\.*\\\\" - flist = [ - "Processes\.txt", - "Computer\.txt", - "Clipboard\.txt", - "Screenshot\.jpeg", - "Browsers\\\\Cards\\\\Cards_Google\.txt", - "Browsers\\\\Cookies\\\\Cookies_Google\.txt", - "Browsers\\\\Passwords\\\\Passwords_Google\.txt", - "Browsers\\\\Autofills\\\\Autofills_Google\.txt", - "Browsers\\\\Downloads\\\\Downloads_Google\.txt", - "Browsers\\\\History\\\\History_Google\.txt", - "Browsers\\\\Passwords\\\\Passwords_Edge\.txt", - ] + fpath = r".*\\AppData\\Roaming\\.*\\" + flist = ( + r"Processes\.txt", + r"Computer\.txt", + r"Clipboard\.txt", + r"Screenshot\.jpeg", + r"Browsers\\Cards\\Cards_Google\.txt", + r"Browsers\\Cookies\\Cookies_Google\.txt", + r"Browsers\\Passwords\\Passwords_Google\.txt", + r"Browsers\\Autofills\\Autofills_Google\.txt", + r"Browsers\\Downloads\\Downloads_Google\.txt", + r"Browsers\\History\\History_Google\.txt", + r"Browsers\\Passwords\\Passwords_Edge\.txt", + ) for lfile in flist: indicator = fpath + lfile diff --git a/modules/signatures/windows/infostealer_ftp.py b/modules/signatures/windows/infostealer_ftp.py index f4200893..aba72d7f 100644 --- a/modules/signatures/windows/infostealer_ftp.py +++ b/modules/signatures/windows/infostealer_ftp.py 
@@ -30,44 +30,44 @@ class FTPStealer(Signature): def run(self): file_indicators = [ - ".*\\\\CuteFTP\\\\sm\.dat$", - ".*\\\\FlashFXP\\\\.*\\\\Sites\.dat$", - ".*\\\\FlashFXP\\\\.*\\\\Quick\.dat$", - ".*\\\\FileZilla\\\\sitemanager\.xml$", - ".*\\\\FileZilla\\\\recentservers\.xml$", - ".*\\\\FTPRush\\\\RushSite\.xml$", - ".*\\\\VanDyke\\\\Config\\\\Sessions\\\\.*", - ".*\\\\Far\\ Manager\\\\.*", - ".*\\\\FTP\\ Explorer\\\\.*", - ".*\\\\FTP\\ Commander.*", - ".*\\\\SmartFTP\\\\.*", - ".*\\\\TurboFTP\\\\.*", - ".*\\\\FTPRush\\\\.*", - ".*\\\\LeapFTP\\\\.*", - ".*\\\\FTPGetter\\\\.*", - ".*\\\\ALFTP\\\\.*", - ".*\\\\Ipswitch\\\\WS_FTP\\\\.*", - ".*\\\\cftp\\\\ftplist.txt$", + r".*\\CuteFTP\\sm\.dat$", + r".*\\FlashFXP\\.*\\Sites\.dat$", + r".*\\FlashFXP\\.*\\Quick\.dat$", + r".*\\FileZilla\\sitemanager\.xml$", + r".*\\FileZilla\\recentservers\.xml$", + r".*\\FTPRush\\RushSite\.xml$", + r".*\\VanDyke\\Config\\Sessions\\.*", + r".*\\Far\\ Manager\\.*", + r".*\\FTP\\ Explorer\\.*", + r".*\\FTP\\ Commander.*", + r".*\\SmartFTP\\.*", + r".*\\TurboFTP\\.*", + r".*\\FTPRush\\.*", + r".*\\LeapFTP\\.*", + r".*\\FTPGetter\\.*", + r".*\\ALFTP\\.*", + r".*\\Ipswitch\\WS_FTP\\.*", + r".*\\cftp\\ftplist.txt$", ] registry_indicators = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Far.*\\\\Hosts$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Far.*\\\\FTPHost$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?GlobalSCAPE\\\\CuteFTP.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Ghisler\\\\Windows Commander.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Ghisler\\\\Total Commander.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?BPFTP\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?FileZilla.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?TurboFTP.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Sota\\\\FFFTP.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?FTPWare\\\\CoreFTP\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?FTP\\ Explorer\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?FTPClient\\\\.*", - 
".*\\\\Software\\\\(Wow6432Node\\\\)?LinasFTP\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Robo-FTP.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?MAS-Soft\\\\FTPInfo\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?SoftX\.org\\\\FTPClient\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?NCH\\ Software\\\\CoreFTP\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?BulletProof Software\\\\BulletProof FTP Client.*", + r".*\\Software\\(Wow6432Node\\)?Far.*\\Hosts$", + r".*\\Software\\(Wow6432Node\\)?Far.*\\FTPHost$", + r".*\\Software\\(Wow6432Node\\)?GlobalSCAPE\\CuteFTP.*", + r".*\\Software\\(Wow6432Node\\)?Ghisler\\Windows Commander.*", + r".*\\Software\\(Wow6432Node\\)?Ghisler\\Total Commander.*", + r".*\\Software\\(Wow6432Node\\)?BPFTP\\.*", + r".*\\Software\\(Wow6432Node\\)?FileZilla.*", + r".*\\Software\\(Wow6432Node\\)?TurboFTP.*", + r".*\\Software\\(Wow6432Node\\)?Sota\\FFFTP.*", + r".*\\Software\\(Wow6432Node\\)?FTPWare\\CoreFTP\\.*", + r".*\\Software\\(Wow6432Node\\)?FTP\\ Explorer\\.*", + r".*\\Software\\(Wow6432Node\\)?FTPClient\\.*", + r".*\\Software\\(Wow6432Node\\)?LinasFTP\\.*", + r".*\\Software\\(Wow6432Node\\)?Robo-FTP.*", + r".*\\Software\\(Wow6432Node\\)?MAS-Soft\\FTPInfo\\.*", + r".*\\Software\\(Wow6432Node\\)?SoftX\.org\\FTPClient\\.*", + r".*\\Software\\(Wow6432Node\\)?NCH\\ Software\\CoreFTP\\.*", + r".*\\Software\\(Wow6432Node\\)?BulletProof Software\\BulletProof FTP Client.*", ] found_stealer = False for indicator in file_indicators: diff --git a/modules/signatures/windows/infostealer_im.py b/modules/signatures/windows/infostealer_im.py index 5b0068b1..6930c8e1 100644 --- a/modules/signatures/windows/infostealer_im.py +++ b/modules/signatures/windows/infostealer_im.py 
@@ -18,33 +18,33 @@ class IMStealer(Signature): mbcs = ["OB0003", "OB0005"] def run(self): - file_indicators = [ - ".*\\\\AIM\\\\aimx\.bin$", - ".*\\\\Digsby\\\\loginfo\.yaml$", - ".*\\\\Digsby\\\\Digsby\.dat$", - ".*\\\\Meebo\\\\MeeboAccounts\.txt$", - ".*\\\\Miranda\\\\.*\.dat$", - ".*\\\\MySpace\\\\IM\\\\users\.txt$", - ".*\\\\\.purple\\\\Accounts\.xml$", - ".*\\\\Application\\ Data\\\\Miranda\\\\.*", - ".*\\\\AppData\\\\Roaming\\\\Miranda\\\\.*", - ".*\\\\Skype\\\\.*\\\\config\.xml$", - ".*\\\\Tencent\\ Files\\\\.*\\\\QQ\\\\Registry\.db$", - ".*\\\\Trillian\\\\users\\\\global\\\\accounts\.ini$", - ".*\\\\Xfire\\\\XfireUser\.ini$", - ] - registry_indicators = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?America\\ Online\\\\AIM6\\\\Passwords.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?AIM\\\\AIMPRO\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Beyluxe\\ Messenger\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?BigAntSoft\\\\BigAntMessenger\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Camfrog\\\\Client\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Google\\\\Google\\ Talk\\\\Accounts.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?IMVU\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Nimbuzz\\\\PCClient\\\\Application\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Paltalk.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Yahoo\\\\Pager\\\\.*", - ] + file_indicators = ( + r".*\\AIM\\aimx\.bin$", + r".*\\Digsby\\loginfo\.yaml$", + r".*\\Digsby\\Digsby\.dat$", + r".*\\Meebo\\MeeboAccounts\.txt$", + r".*\\Miranda\\.*\.dat$", + r".*\\MySpace\\IM\\users\.txt$", + r".*\\\.purple\\Accounts\.xml$", + r".*\\Application\\ Data\\Miranda\\.*", + r".*\\AppData\\Roaming\\Miranda\\.*", + r".*\\Skype\\.*\\config\.xml$", + r".*\\Tencent\\ Files\\.*\\QQ\\Registry\.db$", + r".*\\Trillian\\users\\global\\accounts\.ini$", + r".*\\Xfire\\XfireUser\.ini$", + ) + registry_indicators = ( + r".*\\Software\\(Wow6432Node\\)?America\\ Online\\AIM6\\Passwords.*", + 
r".*\\Software\\(Wow6432Node\\)?AIM\\AIMPRO\\.*", + r".*\\Software\\(Wow6432Node\\)?Beyluxe\\ Messenger\\.*", + r".*\\Software\\(Wow6432Node\\)?BigAntSoft\\BigAntMessenger\\.*", + r".*\\Software\\(Wow6432Node\\)?Camfrog\\Client\\.*", + r".*\\Software\\(Wow6432Node\\)?Google\\Google\\ Talk\\Accounts.*", + r".*\\Software\\(Wow6432Node\\)?IMVU\\.*", + r".*\\Software\\(Wow6432Node\\)?Nimbuzz\\PCClient\\Application\\.*", + r".*\\Software\\(Wow6432Node\\)?Paltalk.*", + r".*\\Software\\(Wow6432Node\\)?Yahoo\\Pager\\.*", + ) found_stealer = False for indicator in file_indicators: file_match = self.check_file(pattern=indicator, regex=True, all=True) diff --git a/modules/signatures/windows/infostealer_mail.py b/modules/signatures/windows/infostealer_mail.py index 64794f29..9cf08cba 100644 --- a/modules/signatures/windows/infostealer_mail.py +++ b/modules/signatures/windows/infostealer_mail.py 
@@ -22,28 +22,27 @@ def run(self): if any(e in self.results["info"]["package"] for e in office_pkgs): return False - file_indicators = [ + file_indicators = ( ".*\.pst$", - ".*\\\\Microsoft\\\\Windows\\ Live\\ Mail.*", - ".*\\\\Microsoft\\\\Address\\ Book\\\\.*\.wab$", - ".*\\\\Microsoft\\\\Outlook\\ Express\\\\.*\.dbx$", - ".*\\\\Foxmail\\\\mail\\\\.*\\\\Account\.stg$", - ".*\\\\Foxmail.*\\\\Accounts\.tdat$", - ".*\\\\Thunderbird\\\\Profiles\\\\.*\.default$", - ".*\\\\AppData\\\\Roaming\\\\Thunderbird\\\\profiles.ini$", - ] - registry_indicators = [ - ".*\\\\Microsoft\\\\Windows\\ Messaging\\ Subsystem\\\\MSMapiApps.*", - ".*\\\\Microsoft\\\\Windows\\ Messaging\\ Subsystem\\\\Profiles.*", - ".*\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\ Messaging\\ Subsystem\\\\Profiles.*", - ".*\\\\Microsoft\\\\Office\\\\.*\\\\Outlook\\\\Profiles\\\\Outlook.*", - ".*\\\\Microsoft\\\\Office\\\\Outlook\\\\OMI\\ Account\\ Manager\\\\Accounts.*", - ".*\\\\Microsoft\\\\Internet\\ Account\\ Manager\\\\Accounts.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?IncrediMail.*" - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\ Live\\ Mail.*", - ] + r".*\\Microsoft\\Windows\\ Live\\ Mail.*", + r".*\\Microsoft\\Address\\ Book\\.*\.wab$", + r".*\\Microsoft\\Outlook\\ Express\\.*\.dbx$", + r".*\\Foxmail\\mail\\.*\\Account\.stg$", + r".*\\Foxmail.*\\Accounts\.tdat$", + r".*\\Thunderbird\\Profiles\\.*\.default$", + r".*\\AppData\\Roaming\\Thunderbird\\profiles.ini$", + ) + registry_indicators = ( + r".*\\Microsoft\\Windows\\ Messaging\\ Subsystem\\MSMapiApps.*", + r".*\\Microsoft\\Windows\\ Messaging\\ Subsystem\\Profiles.*", + r".*\\Microsoft\\Windows\\ NT\\CurrentVersion\\Windows\\ Messaging\\ Subsystem\\Profiles.*", + r".*\\Microsoft\\Office\\.*\\Outlook\\Profiles\\Outlook.*", + r".*\\Microsoft\\Office\\Outlook\\OMI\\ Account\\ Manager\\Accounts.*", + r".*\\Microsoft\\Internet\\ Account\\ Manager\\Accounts.*", + r".*\\Software\\(Wow6432Node\\)?IncrediMail.*" 
r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\ Live\\ Mail.*", + ) if self.results.get("target", {}).get("category", "") == "file": - registry_indicators.append(".*\\\\Software\\\\(Wow6432Node\\\\)?Clients\\\\Mail.*") + registry_indicators.append(".*\\Software\\(Wow6432Node\\)?Clients\\Mail.*") found_stealer = False for indicator in file_indicators: diff --git a/modules/signatures/windows/infostealer_masslogger.py b/modules/signatures/windows/infostealer_masslogger.py index d428f85c..ded04338 100644 --- a/modules/signatures/windows/infostealer_masslogger.py +++ b/modules/signatures/windows/infostealer_masslogger.py @@ -36,7 +36,7 @@ class MassLoggerVersion(Signature): def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) - self.pathpat = "[A-Z]:\\\\.*\\\\AppData\\\\Local\\\\Temp\\\\[A-F0-9]{10}\\\\Log\.txt$" + self.pathpat = r"[A-Z]:\\.*\\AppData\\Local\\Temp\\[A-F0-9]{10}\\Log\.txt$" self.verpats = [ "MassLogger\sv\d+\.\d+\.\d+\.\d+", "<\|\|\s(v)?\d+\.\d+\.\d+\.\d+\s\|\|>", @@ -72,10 +72,10 @@ class MassLoggerArtifacts(Signature): def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) - self.artifacts = [ - "[A-Z]:\\\\Windows\\\\assembly\\\\NativeImages_v.*\\\\MassBin.*", - "[A-Z]:\\\\Windows\\\\assembly\\\\NativeImages_v.*\\\\MassLoggerBin.*", - ] + self.artifacts = ( + r"[A-Z]:\\Windows\\assembly\\NativeImages_v.*\\MassBin.*", + r"[A-Z]:\\Windows\\assembly\\NativeImages_v.*\\MassLoggerBin.*", + ) def on_call(self, call, process): if call["api"] == "FindFirstFileExW": 
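Review bot: `registry_indicators` is now a tuple, but the category-gated line still calls `registry_indicators.append(...)`, which raises AttributeError for every task whose target category is "file", and the appended pattern lost its `r` prefix in the same change, so even on a list it would reach the regex engine as `\S`, `\(`, `\)` and `\M`, the last of which is a bad escape. Replacing the append with `registry_indicators += (r".*\\Software\\(Wow6432Node\\)?Clients\\Mail.*",)` fixes both. Separately, the new tuple keeps the pre-existing missing comma after `r".*\\Software\\(Wow6432Node\\)?IncrediMail.*"`, so it and the Windows Live Mail pattern are silently concatenated into one regex and neither is checked on its own; a trailing comma on that line restores both indicators. The rest of run() is outside the hunk.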
@@ -110,18 +110,16 @@ class MassLoggerFiles(Signature): def run(self): user = self.get_environ_entry(self.get_initial_process(), "UserName") - indicators = [ - ".*\\\\AppData\\\\Local\\\\Temp\\\\[A-F0-9]{10}\\\\Log\.txt$", - ".*\\\\AppData\\\\Local\\\\Temp\\\\[A-F0-9]{10}\\\\Screenshot\.jpeg$", - ".*\\\\AppData\\\\Local\\\\Temp\\\\[A-F0-9]{10}\\\\DotNetZip-.*\.tmp$", - ] + indicators = ( + r".*\\AppData\\Local\\Temp\\[A-F0-9]{10}\\Log\.txt$", + r".*\\AppData\\Local\\Temp\\[A-F0-9]{10}\\Screenshot\.jpeg$", + r".*\\AppData\\Local\\Temp\\[A-F0-9]{10}\\DotNetZip-.*\.tmp$", + ) score = 0 try: indicators.append( - ".*\\\\AppData\\\\Local\\\\Temp\\\\[A-F0-9]{10}\\\\" - + user.decode("utf-8") - + "_.*_[A-F0-9]{10}_\d{2}-\d{2}-\d{4}\s.*.zip" + ".*\\AppData\\Local\\Temp\\[A-F0-9]{10}\\" + user.decode("utf-8") + "_.*_[A-F0-9]{10}_\d{2}-\d{2}-\d{4}\s.*.zip" ) except Exception: return False diff --git a/modules/signatures/windows/infostealer_poullight.py b/modules/signatures/windows/infostealer_poullight.py index 8d97d36a..02ae20c4 100644 --- a/modules/signatures/windows/infostealer_poullight.py +++ b/modules/signatures/windows/infostealer_poullight.py @@ -31,18 +31,18 @@ class PoullightFiles(Signature): def run(self): score = 0 - fpath = ".*\\\\AppData\\\\Local\\\\[a-z0-9]{8}\\\\" + fpath = r".*\\AppData\\Local\\[a-z0-9]{8}\\" flist = [ "system\.txt", "processlist\.txt", "copyboard\.txt", "screenshot\.png", - "Grabber\\\\.*", - "FileZilla\\\\data\.txt", - "Pidgin\\\\data\.txt", - "Discord\\\\data\.txt", - "Telegram\\\\data\.txt", - "Steam\\\\data\.txt", + r"Grabber\\.*", + r"FileZilla\\data\.txt", + r"Pidgin\\data\.txt", + r"Discord\\data\.txt", + r"Telegram\\data\.txt", + r"Steam\\data\.txt", "webcam\.jpg", "accountlogin\.txt", ] diff --git a/modules/signatures/windows/infostealer_qulab.py b/modules/signatures/windows/infostealer_qulab.py index af381d21..96fa9379 100644 --- a/modules/signatures/windows/infostealer_qulab.py +++ b/modules/signatures/windows/infostealer_qulab.py 
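Review bot: `indicators` became a tuple, but the `indicators.append(...)` inside the `try` block is unchanged, so it now raises AttributeError, the broad `except Exception` swallows it and MassLoggerFiles.run returns False on every analysis — the signature is silently disabled instead of failing loudly. The first fragment of the appended pattern also lost its raw prefix: `".*\\AppData\\Local\\Temp\\[A-F0-9]{10}\\"` hands the engine `\A` (a start-of-string anchor) and `\L`, which is a bad escape. Use `indicators += (r".*\\AppData\\Local\\Temp\\[A-F0-9]{10}\\" + user.decode("utf-8") + r"_.*_[A-F0-9]{10}_\d{2}-\d{2}-\d{4}\s.*.zip",)` and consider narrowing the except clause so a future regression of this kind surfaces; if `re` is imported in this module, wrapping the username in `re.escape(...)` keeps regex metacharacters in a user name from altering the pattern. The rest of run() is outside the hunk.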
@@ -51,12 +51,12 @@ class QulabFiles(Signature):
 mbcs = ["OC0001", "C0016"] # micro-behaviour
 def run(self):
- indicators = [
- ".*\\\\(x86|amd6)_microsoft-windows-.*\\\\(Screen\.jpg|Information\.txt|ShortInformation\.txt)$",
- ".*\\\\(x86|amd6)_microsoft-windows-.*\\\\Desktop\sTXT\sFiles\\\\.*",
- ".*\\\\(x86|amd6)microsoft-windows-.*\\\\.*sqlite3\.module\.dll$",
- ".*\\\\(x86|amd6)microsoft-windows-.*\\\\ENU_[A-F0-9]{20}$",
- ]
+ indicators = (
+ r".*\\\\(x86|amd6)_microsoft-windows-.*\\\\(Screen\.jpg|Information\.txt|ShortInformation\.txt)$",
+ r".*\\\\(x86|amd6)_microsoft-windows-.*\\\\Desktop\sTXT\sFiles\\\\.*",
+ r".*\\\\(x86|amd6)microsoft-windows-.*\\\\.*sqlite3\.module\.dll$",
+ r".*\\\\(x86|amd6)microsoft-windows-.*\\\\ENU_[A-F0-9]{20}$",
+ )
 score = 0
 for indicator in indicators:
diff --git a/modules/signatures/windows/martians_ie.py b/modules/signatures/windows/martians_ie.py
index 9c4993c9..c93bfae7 100644
--- a/modules/signatures/windows/martians_ie.py
+++ b/modules/signatures/windows/martians_ie.py
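Review bot: The QulabFiles patterns were given the `r` prefix but their `\\\\` sequences were not halved, so in a raw string each now matches two consecutive backslashes in the path, whereas the old non-raw `"\\\\"` matched one; none of the four indicators can match a normal file path any more. Each `\\\\` should become `\\`, e.g. `r".*\\(x86|amd6)_microsoft-windows-.*\\(Screen\.jpg|Information\.txt|ShortInformation\.txt)$",`. The `amd6` token is carried over unchanged from the old side and looks as if it may be meant to read `amd64`; worth confirming against a sample, though it is not introduced by this commit. The rest of run() is outside the hunk.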
@@ -23,17 +23,17 @@ ie_paths_re = re.compile(r"^c:\\program files(?:\s\(x86\))?\\internet explorer\\iexplore.exe$", re.I) # run through re.escape() white_list_re = [ - "^C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Adobe\\\\Reader\\ \\d+\\.\\d+\\\\Reader\\\\AcroRd32\\.exe$", - "^C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Java\\\\jre\\d+\\\\bin\\\\j(?:avaw?|p2launcher)\\.exe$", - "^C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Microsoft SilverLight\\\\(?:\\d+\\.)+\\d\\\\agcp.exe$", - "^C\\:\\\\Windows\\\\System32\\\\ntvdm\\.exe$", - "^C\\:\\\\Windows\\\\system32\\\\rundll32\\.exe$", - "^C\\:\\\\Windows\\\\syswow64\\\\rundll32\\.exe$", - "^C\\:\\\\Windows\\\\system32\\\\drwtsn32\\.exe$", - "^C\\:\\\\Windows\\\\syswow64\\\\drwtsn32\\.exe$", - "^C\\:\\\\Windows\\\\system32\\\\dwwin\\.exe$", - "^C\\:\\\\Windows\\\\system32\\\\WerFault\\.exe$", - "^C\\:\\\\Windows\\\\syswow64\\\\WerFault\\.exe$", + r"^C\\:\\Program Files(?:\s\\(x86\\))?\\Adobe\\Reader\\ \\d+\\.\\d+\\Reader\\AcroRd32\\.exe$", + r"^C\\:\\Program Files(?:\s\\(x86\\))?\\Java\\jre\\d+\\bin\\j(?:avaw?|p2launcher)\\.exe$", + r"^C\\:\\Program Files(?:\s\\(x86\\))?\\Microsoft SilverLight\\(?:\\d+\\.)+\\d\\agcp.exe$", + r"^C\\:\\Windows\\System32\\ntvdm\\.exe$", + r"^C\\:\\Windows\\system32\\rundll32\\.exe$", + r"^C\\:\\Windows\\syswow64\\rundll32\\.exe$", + r"^C\\:\\Windows\\system32\\drwtsn32\\.exe$", + r"^C\\:\\Windows\\syswow64\\drwtsn32\\.exe$", + r"^C\\:\\Windows\\system32\\dwwin\\.exe$", + r"^C\\:\\Windows\\system32\\WerFault\\.exe$", + r"^C\\:\\Windows\\syswow64\\WerFault\\.exe$", ] # means we can be evaded but also means we can have relatively tight paths between 32-bit and 64-bit white_list_re_compiled = [] diff --git a/modules/signatures/windows/martians_office.py b/modules/signatures/windows/martians_office.py index 2210ed4e..7cf07251 100644 --- a/modules/signatures/windows/martians_office.py +++ b/modules/signatures/windows/martians_office.py 
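Review bot: The raw-string conversion of `white_list_re` kept the escapes that `re.escape()` produced for a non-raw string, so the regexes changed meaning: `C\\:` is now a literal backslash before the colon, `Reader\\ \\d+\\.\\d+` is backslash-space-backslash-`d`, and every `\\.exe` is a backslash followed by any character, so `C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe` or `C:\Windows\System32\WerFault.exe` no longer match. With no whitelist entry able to match, every child process of iexplore.exe is reported as a martian, which buries the real detections in false positives. In a raw string each regex-level escape needs exactly one backslash (`\:`, `\ `, `\d`, `\.`, `\(`), with `\\` reserved for a literal path separator. The `white_list_re_compiled` loop that consumes this list continues outside the hunk.
```python
white_list_re = [
    r"^C\:\\Program Files(?:\s\(x86\))?\\Adobe\\Reader\ \d+\.\d+\\Reader\\AcroRd32\.exe$",
    r"^C\:\\Program Files(?:\s\(x86\))?\\Java\\jre\d+\\bin\\j(?:avaw?|p2launcher)\.exe$",
    r"^C\:\\Program Files(?:\s\(x86\))?\\Microsoft SilverLight\\(?:\d+\.)+\d\\agcp.exe$",
    r"^C\:\\Windows\\System32\\ntvdm\.exe$",
    r"^C\:\\Windows\\system32\\rundll32\.exe$",
    r"^C\:\\Windows\\syswow64\\rundll32\.exe$",
    r"^C\:\\Windows\\system32\\drwtsn32\.exe$",
    r"^C\:\\Windows\\syswow64\\drwtsn32\.exe$",
    r"^C\:\\Windows\\system32\\dwwin\.exe$",
    r"^C\:\\Windows\\system32\\WerFault\.exe$",
    r"^C\:\\Windows\\syswow64\\WerFault\.exe$",
]
```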
@@ -20,6 +20,28 @@ from lib.cuckoo.common.abstracts import Signature +# run through re.escape() +############################################# +# YOU MAY HAVE TO CUSTOMIZE THIS FOR YOUR ENV# +############################################# +white_list_re = ( + r"C\\:\\Program Files(?:\s\\(x86\\))?\\Adobe\\Reader\\ \\d+\\.\\d+\\Reader\\AcroRd32\\.exe$", + r"C\\:\\Program Files(?:\s\\(x86\\))?\\Java\\jre\\d+\\bin\\j(?:avaw?|p2launcher)\\.exe$", + r"C\\:\\Program Files(?:\s\\(x86\\))?\\Microsoft SilverLight\\(?:\\d+\\.)+\\d\\agcp\\.exe$", + r"C\\:\\Windows\\System32\\ntvdm\\.exe$", + r"C\\:\\Windows\\System32\\svchost\\.exe$", + r"C\\:\\Program Files(?:\s\\(x86\\))?\\internet explorer\\iexplore\.exe$", + # remove this one at some point + r"C\\:\\Windows\\System32\\rundll32\\.exe$", + r"C\\:\\Windows\\System32\\drwtsn32\\.exe$", + r"C\\:\\Windows\\splwow64\\.exe$", + r"C\\:\\Program Files(?:\s\\(x86\\))?\\Common Files\\Microsoft Shared\\office1[1-6]\\off(?:lb|diag)\\.exe$", + r"C\\:\\Program Files(?:\s\\(x86\\))?\\Common Files\\Microsoft Shared\\dw\\dw(?:20)?\\.exe$", + r"C\\:\\Windows\\system32\\dwwin\\.exe$", + r"C\\:\\Windows\\system32\\WerFault\\.exe$", + r"C\\:\\Windows\\syswow64\\WerFault\\.exe$", +) + class MartiansOffice(Signature): name = "office_martian_children" 
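Review bot: The new module-level `white_list_re` carries the doubled escapes the old non-raw list needed, so inside a raw string `C\\:` demands a backslash before the colon, `\\ \\d+\\.\\d+` is backslash-space-backslash-`d`, and `\\.exe` is a backslash before any character; none of the 14 entries can match a real path like `C:\Windows\System32\svchost.exe`, and the office-martian signature will flag every child of WINWORD/EXCEL/POWERPNT, including its own WerFault, dw20 and splwow64 helpers. Each regex escape needs a single backslash in a raw string (`\:`, `\ `, `\d`, `\.`, `\(`), with `\\` reserved for the path separator. The compile loop that uses the tuple is in the later hunk of this file, outside this one.
```python
white_list_re = (
    r"C\:\\Program Files(?:\s\(x86\))?\\Adobe\\Reader\ \d+\.\d+\\Reader\\AcroRd32\.exe$",
    r"C\:\\Program Files(?:\s\(x86\))?\\Java\\jre\d+\\bin\\j(?:avaw?|p2launcher)\.exe$",
    r"C\:\\Program Files(?:\s\(x86\))?\\Microsoft SilverLight\\(?:\d+\.)+\d\\agcp\.exe$",
    r"C\:\\Windows\\System32\\ntvdm\.exe$",
    r"C\:\\Windows\\System32\\svchost\.exe$",
    r"C\:\\Program Files(?:\s\(x86\))?\\internet explorer\\iexplore\.exe$",
    # remove this one at some point
    r"C\:\\Windows\\System32\\rundll32\.exe$",
    r"C\:\\Windows\\System32\\drwtsn32\.exe$",
    r"C\:\\Windows\\splwow64\.exe$",
    r"C\:\\Program Files(?:\s\(x86\))?\\Common Files\\Microsoft Shared\\office1[1-6]\\off(?:lb|diag)\.exe$",
    r"C\:\\Program Files(?:\s\(x86\))?\\Common Files\\Microsoft Shared\\dw\\dw(?:20)?\.exe$",
    r"C\:\\Windows\\system32\\dwwin\.exe$",
    r"C\:\\Windows\\system32\\WerFault\.exe$",
    r"C\:\\Windows\\syswow64\\WerFault\.exe$",
)
```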
@@ -65,30 +87,10 @@ def run(self): r"^[A-Z]\:\\Program Files(?:\s\(x86\))?\\Microsoft Office\\(?:Office1[1-5]\\)?(?:WINWORD|OUTLOOK|POWERPNT|EXCEL|WORDVIEW)\.EXE$", re.I, ) - # run through re.escape() - ############################################# - # YOU MAY HAVE TO CUSTOMIZE THIS FOR YOUR ENV# - ############################################# - self.white_list_re = [ - "C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Adobe\\\\Reader\\ \\d+\\.\\d+\\\\Reader\\\\AcroRd32\\.exe$", - "C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Java\\\\jre\\d+\\\\bin\\\\j(?:avaw?|p2launcher)\\.exe$", - "C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Microsoft SilverLight\\\\(?:\\d+\\.)+\\d\\\\agcp\\.exe$", - "C\\:\\\\Windows\\\\System32\\\\ntvdm\\.exe$", - "C\\:\\\\Windows\\\\System32\\\\svchost\\.exe$", - "C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\internet explorer\\\\iexplore\.exe$", - # remove this one at some point - "C\\:\\\\Windows\\\\System32\\\\rundll32\\.exe$", - "C\\:\\\\Windows\\\\System32\\\\drwtsn32\\.exe$", - "C\\:\\\\Windows\\\\splwow64\\.exe$", - "C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Common Files\\\\Microsoft Shared\\\\office1[1-6]\\\\off(?:lb|diag)\\.exe$", - "C\\:\\\\Program Files(?:\s\\(x86\\))?\\\\Common Files\\\\Microsoft Shared\\\\dw\\\\dw(?:20)?\\.exe$", - "C\\:\\\\Windows\\\\system32\\\\dwwin\\.exe$", - "C\\:\\\\Windows\\\\system32\\\\WerFault\\.exe$", - "C\\:\\\\Windows\\\\syswow64\\\\WerFault\\.exe$", - ] + # means we can be evaded but also means we can have relatively tight paths between 32-bit and 64-bit self.white_list_re_compiled = [] - for entry in self.white_list_re: + for entry in white_list_re: try: self.white_list_re_compiled.append(re.compile(entry, re.I)) except Exception as e: diff --git a/modules/signatures/windows/mimics_filetime.py b/modules/signatures/windows/mimics_filetime.py index 37e63903..2e16d937 100644 --- a/modules/signatures/windows/mimics_filetime.py +++ b/modules/signatures/windows/mimics_filetime.py 
@@ -99,7 +99,7 @@ def on_call(self, call, process): try: self.old_handles.append(self.handles[handle]) del self.handles[handle] - except: + except Exception: pass elif call["api"] == "NtQueryInformationFile": handle = int(self.get_argument(call, "FileHandle"), 16) @@ -108,7 +108,7 @@ def on_call(self, call, process): try: obj = self.handles[handle] obj.set_file_times(self.get_raw_argument(call, "FileInformation")) - except: + except Exception: pass elif call["api"] == "NtSetInformationFile": handle = int(self.get_argument(call, "FileHandle"), 16) @@ -118,7 +118,7 @@ def on_call(self, call, process): try: obj = self.handles[handle] obj.set_file_times(self.get_raw_argument(call, "FileInformation")) - except: + except Exception: return None for val in self.handles.itervalues(): filename = obj.check_file_times(val) diff --git a/modules/signatures/windows/modifies_certs.py b/modules/signatures/windows/modifies_certs.py index c710853f..fc6f4b45 100644 --- a/modules/signatures/windows/modifies_certs.py +++ b/modules/signatures/windows/modifies_certs.py @@ -20,7 +20,7 @@ class ModifiesCerts(Signature): def run(self): if self.check_write_key( - pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\SystemCertificates\\\\.*\\\\Certificates\\\\.*", regex=True + pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\SystemCertificates\\.*\\Certificates\\.*", regex=True ): return True diff --git a/modules/signatures/windows/modifies_dotnetclr_knobs.py b/modules/signatures/windows/modifies_dotnetclr_knobs.py index 292c7ee9..9e40e8db 100644 --- a/modules/signatures/windows/modifies_dotnetclr_knobs.py +++ b/modules/signatures/windows/modifies_dotnetclr_knobs.py 
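Review bot: The third hunk narrows the bare `except` but leaves `for val in self.handles.itervalues():` on the very next context line; `dict.itervalues()` does not exist on Python 3, so the first `NtSetInformationFile` call that gets past the `try` raises AttributeError and the timestomp comparison (`obj.check_file_times(val)`) never runs. Change it to `for val in self.handles.values():`. The other two hunks only swap `except:` for `except Exception: pass`, which keeps the original best-effort behaviour. `on_call` starts before the first hunk and continues after the last.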
@@ -28,9 +28,7 @@ class DotNetCLRUsageLogKnob(Signature): references = ["https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/"] def run(self): - indicators = [ - "(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\\\SOFTWARE\\\\\.NETFramework\\\\NGenAssemblyUsageLog", - ] + indicators = (r"(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\SOFTWARE\\\.NETFramework\\NGenAssemblyUsageLog",) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True, all=True) diff --git a/modules/signatures/windows/modifies_hostsfile.py b/modules/signatures/windows/modifies_hostsfile.py index 4d39a841..db69e67e 100644 --- a/modules/signatures/windows/modifies_hostsfile.py +++ b/modules/signatures/windows/modifies_hostsfile.py @@ -28,7 +28,7 @@ class Modifies_HostFile(Signature): def run(self): ret = False - match = self.check_write_file(pattern=".*\\\\Windows\\\\(System32|SysWow64)\\\\drivers\\\\etc\\\\hosts$", regex=True) + match = self.check_write_file(pattern=r".*\\Windows\\(System32|SysWow64)\\drivers\\etc\\hosts$", regex=True) if match: ret = True hfile = match.lower() diff --git a/modules/signatures/windows/modifies_oem.py b/modules/signatures/windows/modifies_oem.py index fd4060d6..8da3a727 100644 --- a/modules/signatures/windows/modifies_oem.py +++ b/modules/signatures/windows/modifies_oem.py 
@@ -29,11 +29,11 @@ class ModifiesOEMInformation(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\OEMInformation\\\\Manufacturer", - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\OEMInformation\\\\SupportHours", - "HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\legalnoticecaption", - ] + indicators = ( + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OEMInformation\\Manufacturer", + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\OEMInformation\\SupportHours", + r"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\legalnoticecaption", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/modifies_seccenter.py b/modules/signatures/windows/modifies_seccenter.py index 28ad6894..f5b3ec2f 100644 --- a/modules/signatures/windows/modifies_seccenter.py +++ b/modules/signatures/windows/modifies_seccenter.py 
@@ -18,11 +18,11 @@ class ModifySecurityCenterWarnings(Signature): mbcs = ["OB0006", "E1112", "F0004", "F0011"] def run(self): - indicators = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Security\\ Center\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\ NT\\\\Security\\ Center\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\explorer\\\\ShellServiceObjects\\\\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}$", - ] + indicators = ( + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Security\\ Center\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Policies\\Microsoft\\Windows\\ NT\\Security\\ Center\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\explorer\\ShellServiceObjects\\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}$", + ) for indicator in indicators: if self.check_write_key(pattern=indicator, regex=True): return True diff --git a/modules/signatures/windows/modifies_uac_notify.py b/modules/signatures/windows/modifies_uac_notify.py index fbf097f9..97d33ecf 100644 --- a/modules/signatures/windows/modifies_uac_notify.py +++ b/modules/signatures/windows/modifies_uac_notify.py 
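Review bot: In the first two indicators the `\\ ` that used to spell an escaped space inside a non-raw string now puts a literal backslash before the space, so the regexes look for `Microsoft\Security\ Center` and `Windows\ NT\Security\ Center` and never match the real `SOFTWARE\Microsoft\Security Center\...` and `...\Policies\Microsoft\Windows NT\Security Center\...` keys; Security Center tampering goes unreported. Use a single backslash for the space: `r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Security\ Center\\.*"` and `r".*\\SOFTWARE\\(Wow6432Node\\)?Policies\\Microsoft\\Windows\ NT\\Security\ Center\\.*"`. The third indicator (the ShellServiceObjects GUID) has no space and is unaffected.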
@@ -18,11 +18,11 @@ class ModifiesUACNotify(Signature): mbcs = ["E1112"] def run(self): - reg_indicators = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorUser$", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop$", - ] + reg_indicators = ( + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorUser$", + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\PromptOnSecureDesktop$", + ) for indicator in reg_indicators: if self.check_write_key(pattern=indicator, regex=True): diff --git a/modules/signatures/windows/modifies_wallpaper.py b/modules/signatures/windows/modifies_wallpaper.py index f5a5cb04..e59936b7 100644 --- a/modules/signatures/windows/modifies_wallpaper.py +++ b/modules/signatures/windows/modifies_wallpaper.py @@ -38,10 +38,10 @@ def on_call(self, call, process): return True def on_complete(self): - reg_indicators = [ - ".*\\\\Control\\ Panel\\\\Desktop\\\\Wallpaper$", - ".*\\\\Internet\\ Explorer\\\\Desktop\\\\General\\\\Wallpaper$", - ] + reg_indicators = ( + r".*\\Control\\ Panel\\Desktop\\Wallpaper$", + r".*\\Internet\\ Explorer\\Desktop\\General\\Wallpaper$", + ) for indicator in reg_indicators: if self.check_write_key(pattern=indicator, regex=True): return True diff --git a/modules/signatures/windows/network_dns_suspicious.py b/modules/signatures/windows/network_dns_suspicious.py index 9034a225..3b375b1b 100644 --- a/modules/signatures/windows/network_dns_suspicious.py +++ b/modules/signatures/windows/network_dns_suspicious.py 
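Review bot: Both `reg_indicators` in `ModifiesWallpaper.on_complete` now contain `\\ ` inside a raw string, which is a literal backslash followed by a space, so the patterns match `Control\ Panel` and `Internet\ Explorer` instead of `Control Panel` and `Internet Explorer`, and the wallpaper write that ransomware families use to display a ransom note is no longer detected. Use an escaped space: `r".*\\Control\ Panel\\Desktop\\Wallpaper$"` and `r".*\\Internet\ Explorer\\Desktop\\General\\Wallpaper$"`. The rest of `on_complete` is outside the hunk.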
@@ -557,18 +557,18 @@ class Suspicious_TLD(Signature): def run(self): domains_re = [ - (".*\\.by$", "Belarus domain TLD"), - (".*\\.cc$", "Cocos Islands domain TLD"), - (".*\\.onion$", "TOR hidden services domain TLD"), - (".*\\.pw$", "Palau domain TLD"), - (".*\\.ru$", "Russian Federation domain TLD"), - (".*\\.su$", "Soviet Union domain TLD"), - (".*\\.top$", "Generic top level domain TLD"), - (".*\\.tk$", "Tokelau domain TLD"), - (".*\\.ua$", "Ukraine domain TLD"), - (".*\\.xyz$", "Generic top level domain TLD"), - (".*\\.za$", "South Africa domain TLD"), - (".*\\.ng$", "Nigeria domain TLD"), + (r".*\.by$", "Belarus domain TLD"), + (r".*\.cc$", "Cocos Islands domain TLD"), + (r".*\.onion$", "TOR hidden services domain TLD"), + (r".*\.pw$", "Palau domain TLD"), + (r".*\.ru$", "Russian Federation domain TLD"), + (r".*\.su$", "Soviet Union domain TLD"), + (r".*\.top$", "Generic top level domain TLD"), + (r".*\.tk$", "Tokelau domain TLD"), + (r".*\.ua$", "Ukraine domain TLD"), + (r".*\.xyz$", "Generic top level domain TLD"), + (r".*\.za$", "South Africa domain TLD"), + (r".*\.ng$", "Nigeria domain TLD"), ] queried_domains = [] diff --git a/modules/signatures/windows/network_tor.py b/modules/signatures/windows/network_tor.py index 384d2d5b..9533b73c 100644 --- a/modules/signatures/windows/network_tor.py +++ b/modules/signatures/windows/network_tor.py @@ -36,15 +36,15 @@ def on_call(self, call, process): return True def on_complete(self): - indicators = [ - ".*\\\\tor\\\\cached-certs$", - ".*\\\\tor\\\\cached-consensus$", - ".*\\\\tor\\\\cached-descriptors$", - ".*\\\\tor\\\\geoip$", - ".*\\\\tor\\\\lock$", - ".*\\\\tor\\\\state$", - ".*\\\\tor\\\\torrc$", - ] + indicators = ( + r".*\\tor\\cached-certs$", + r".*\\tor\\cached-consensus$", + r".*\\tor\\cached-descriptors$", + r".*\\tor\\geoip$", + r".*\\tor\\lock$", + r".*\\tor\\state$", + r".*\\tor\\torrc$", + ) for indicator in indicators: if self.check_file(pattern=indicator, regex=True): 
diff --git a/modules/signatures/windows/network_tor_service.py b/modules/signatures/windows/network_tor_service.py index b054fa77..37b7b8dc 100644 --- a/modules/signatures/windows/network_tor_service.py +++ b/modules/signatures/windows/network_tor_service.py @@ -29,7 +29,7 @@ class TorHiddenService(Signature): ttps += ["U0903"] # Unprotect def run(self): - indicators = [".*\\\\tor\\\\hidden_service\\\\private_key$", ".*\\\\tor\\\\hidden_service\\\\hostname$"] + indicators = (r".*\\tor\\hidden_service\\private_key$", r".*\\tor\\hidden_service\\hostname$") for indicator in indicators: if self.check_file(pattern=indicator, regex=True): diff --git a/modules/signatures/windows/office_dll_loading.py b/modules/signatures/windows/office_dll_loading.py index 0ae67ba7..d0e62029 100644 --- a/modules/signatures/windows/office_dll_loading.py +++ b/modules/signatures/windows/office_dll_loading.py @@ -61,7 +61,7 @@ class OfficePerfKey(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = ["HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf$"] + indicators = ["HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf$"] for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) @@ -72,9 +72,6 @@ def run(self): return False -from lib.cuckoo.common.abstracts import Signature - - class OfficeVBLLoad(Signature): name = "office_vb_load" description = "Office loads VB DLLs, indicative of Office Macros" @@ -186,8 +183,8 @@ def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) self.officeprocs = ["winword.exe", "excel.exe", "powerpnt.exe"] self.dotnetpaths = [ - "[A-Z]:\\\\Windows\\\\assembly\\\\.*", - "[A-Z]:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC_MSIL.*", + r"[A-Z]:\\Windows\\assembly\\.*", + r"[A-Z]:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL.*", ] def on_call(self, call, process): 
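Review bot: In `OfficePerfKey.run` the `Perf` indicator lost half of its backslashes without being made a raw string, so the regex engine receives `HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf$`, where `\S` is the non-whitespace class and `\M`, `\O`, `\P` are bad escapes (`re.error` on Python 3.7+); depending on how `check_write_key` handles that exception, the Office `Perf` persistence check either raises or never matches. Add the `r` prefix the rest of the commit uses: `indicators = [r"HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf$"]`. The `dotnetpaths` hunk later in this file has the prefix and is fine.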
diff --git a/modules/signatures/windows/office_macro_settings.py b/modules/signatures/windows/office_macro_settings.py index c5dad514..ac2965bf 100644 --- a/modules/signatures/windows/office_macro_settings.py +++ b/modules/signatures/windows/office_macro_settings.py @@ -27,9 +27,7 @@ class DisablesVBATrustAccess(Signature): def run(self): ret = False - keys = [ - ".*\\\\Microsoft\\\\Office\\\\.*\\\\Security\\\\Access\\\\VBOM$", - ] + keys = (r".*\\Microsoft\\Office\\.*\\Security\\Access\\VBOM$",) for check in keys: match = self.check_write_key(pattern=check, regex=True) @@ -51,9 +49,7 @@ class ChangesTrustCenter_settings(Signature): def run(self): ret = False - keys = [ - ".*\\\\Microsoft\\\\Office\\\\.*\\\\Security\\\\Trusted Documents\\\\TrustRecords$", - ] + keys = (r".*\\Microsoft\\Office\\.*\\Security\\Trusted Documents\\TrustRecords$",) for check in keys: match = self.check_write_key(pattern=check, regex=True) diff --git a/modules/signatures/windows/office_security.py b/modules/signatures/windows/office_security.py index a1428fbc..cfa9313d 100644 --- a/modules/signatures/windows/office_security.py +++ b/modules/signatures/windows/office_security.py @@ -34,10 +34,10 @@ def run(self): if any(e in self.results["info"]["package"] for e in office_pkgs): return False - reg_indicators = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Office\\\\.*\\\\Security\\\\.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Office\\\\.*\\\\Security\\\\.*", - ] + reg_indicators = ( + r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Office\\.*\\Security\\.*", + r".*\\SOFTWARE\\(Wow6432Node\\)?Policies\\Microsoft\\Office\\.*\\Security\\.*", + ) for indicator in reg_indicators: if self.check_write_key(pattern=indicator, regex=True): diff --git a/modules/signatures/windows/packer_armadillo_regkey.py b/modules/signatures/windows/packer_armadillo_regkey.py index b0b530c6..4fdbac79 100644 --- a/modules/signatures/windows/packer_armadillo_regkey.py 
+++ b/modules/signatures/windows/packer_armadillo_regkey.py @@ -29,7 +29,7 @@ class ArmadilloRegKey(Signature): mbcs = ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [".*\\\\The\\ Silicon\\ Realms\\ Toolworks\\\\Armadillo$"] + indicators = (r".*\\The\\ Silicon\\ Realms\\ Toolworks\\Armadillo$",) for indicator in indicators: match = self.check_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/persistence_autorun.py b/modules/signatures/windows/persistence_autorun.py index 69ce46b6..c5cb18e6 100644 --- a/modules/signatures/windows/persistence_autorun.py +++ b/modules/signatures/windows/persistence_autorun.py @@ -62,13 +62,13 @@ def on_call(self, call, process): self.mark_call() def on_complete(self): - indicators = [ - ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\SharedTaskScheduler\\\\.*", - ] - whitelists = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\clsid\\\\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\\\\InprocServer32\\\\.*", - # ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\clsid\\\\[^\\\\]*\\\\InprocServer32\\\\ThreadingModel$", - ] + indicators = ( + r".*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\\.*", + ) + whitelists = ( + r".*\\Software\\(Wow6432Node\\)?Classes\\clsid\\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\\InprocServer32\\.*", + # ".*\\Software\\(Wow6432Node\\)?Classes\\clsid\\[^\\]*\\InprocServer32\\ThreadingModel$", + ) for indicator in indicators: match_key = self.check_write_key(pattern=indicator, regex=True, all=True) @@ -87,7 +87,7 @@ def on_complete(self): self.data.append({"data": data}) self.found_autorun = True - indicators = [".*\\\\WINDOWS\\\\Tasks\\\\.*"] + indicators = [r".*\\WINDOWS\\Tasks\\.*"] for indicator in indicators: if "dropped" in self.results and len(self.results.get("dropped", [])): 
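Review bot: `r".*\\The\\ Silicon\\ Realms\\ Toolworks\\Armadillo$"` reads `\\ ` as a literal backslash plus a space, so it now matches `The\ Silicon\ Realms\ Toolworks` rather than the real `The Silicon Realms Toolworks\Armadillo` key and the Armadillo packer check goes dark. In a raw string the escaped space needs one backslash: `indicators = (r".*\\The\ Silicon\ Realms\ Toolworks\\Armadillo$",)`. The `match` loop that follows continues outside the hunk.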
@@ -149,33 +149,33 @@ def on_call(self, call, process): self.mark_call() def on_complete(self): - indicators = [ - ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\.*", - ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\.*", - ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices\\\\.*", - ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\.*", - ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce\\\\.*", - ".*\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\.*", - ".*\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit$", - ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\.*", - ".*\\\\Microsoft\\\\Active\\ Setup\\\\Installed Components\\\\.*", - ".*\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Windows\\\\AppInit_DLLs$", - ".*\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Image\\ File\\ Execution\\ Options\\\\[^\\\\]*\\\\\Debugger$", - ".*\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Shell$", - ".*\\\\System\\\\(CurrentControlSet|ControlSet001)\\\\Services\\\\[^\\\\]*\\\\ImagePath$", - ".*\\\\System\\\\(CurrentControlSet|ControlSet001)\\\\Services\\\\[^\\\\]*\\\\Parameters\\\\ServiceDLL$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\Exefile\\\\Shell\\\\Open\\\\Command\\\\\(Default\)$", - ".*\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\load$", - ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\ShellServiceObjectDelayLoad\\\\.*", - ".*\\\\System\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\Session\\ Manager\\\\AppCertDlls\\\\.*", - # ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\clsid\\\\[^\\\\]*\\\\InprocServer32\\\\.*", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\clsid\\\\[^\\\\]*\\\\LocalServer32\\\\.*", - ".*\\\\Microsoft\\\\Command\\ Processor\\\\AutoRun$", - ".*\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User\ Shell\ Folders\\\\Startup$", - ] + indicators = ( + 
r".*\\Microsoft\\Windows\\CurrentVersion\\Run\\.*", + r".*\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\.*", + r".*\\Microsoft\\Windows\\CurrentVersion\\RunServices\\.*", + r".*\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\.*", + r".*\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\\.*", + r".*\\Microsoft\\Windows\\ NT\\CurrentVersion\\Winlogon\\Notify\\.*", + r".*\\Microsoft\\Windows\\ NT\\CurrentVersion\\Winlogon\\Userinit$", + r".*\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\.*", + r".*\\Microsoft\\Active\\ Setup\\Installed Components\\.*", + r".*\\Microsoft\\Windows\\ NT\\CurrentVersion\\Windows\\AppInit_DLLs$", + r".*\\Microsoft\\Windows\\ NT\\CurrentVersion\\Image\\ File\\ Execution\\ Options\\[^\\]*\\\Debugger$", + r".*\\Microsoft\\Windows\\ NT\\CurrentVersion\\Winlogon\\Shell$", + r".*\\System\\(CurrentControlSet|ControlSet001)\\Services\\[^\\]*\\ImagePath$", + r".*\\System\\(CurrentControlSet|ControlSet001)\\Services\\[^\\]*\\Parameters\\ServiceDLL$", + r".*\\Software\\(Wow6432Node\\)?Classes\\Exefile\\Shell\\Open\\Command\\\(Default\)$", + r".*\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load$", + r".*\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\.*", + r".*\\System\\(CurrentControlSet|ControlSet001)\\Control\\Session\\ Manager\\AppCertDlls\\.*", + r# ".*\\Software\\(Wow6432Node\\)?Classes\\clsid\\[^\\]*\\InprocServer32\\.*", + r".*\\Software\\(Wow6432Node\\)?Classes\\clsid\\[^\\]*\\LocalServer32\\.*", + r".*\\Microsoft\\Command\\ Processor\\AutoRun$", + r".*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User\ Shell\ Folders\\Startup$", + ) whitelists = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\clsid\\\\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\\\\InprocServer32\\\\.*", - # ".*\\\\Software\\\\(Wow6432Node\\\\)?Classes\\\\clsid\\\\[^\\\\]*\\\\InprocServer32\\\\ThreadingModel$", + r".*\\Software\\(Wow6432Node\\)?Classes\\clsid\\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}\\InprocServer32\\.*", + # 
r".*\\Software\\(Wow6432Node\\)?Classes\\clsid\\[^\\]*\\InprocServer32\\ThreadingModel$", ] for indicator in indicators: @@ -196,9 +196,9 @@ def on_complete(self): self.found_autorun = True indicators = [ - ".*\\\\win\.ini$", - ".*\\\\system\.ini$", - ".*\\\\Start Menu\\\\Programs\\\\Startup\\\\.*", + r".*\\win\.ini$", + r".*\\system\.ini$", + r".*\\Start Menu\\Programs\\Startup\\.*", ] for indicator in indicators: @@ -232,7 +232,7 @@ class PersistenceSafeBoot(Signature): def run(self): indicators = [ - ".*\\\\System\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\SafeBoot\\\\Minimal\\\\.*", + r".*\\System\\(CurrentControlSet|ControlSet001)\\Control\\SafeBoot\\Minimal\\.*", ] for indicator in indicators: diff --git a/modules/signatures/windows/persistence_bootexecute.py b/modules/signatures/windows/persistence_bootexecute.py index d39957fb..178ef863 100644 --- a/modules/signatures/windows/persistence_bootexecute.py +++ b/modules/signatures/windows/persistence_bootexecute.py @@ -44,7 +44,7 @@ def on_call(self, call, process): def on_complete(self): match_key = self.check_write_key( - pattern=".*\\\\SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\Session\\ Manager\\\\(BootExecute|SetupExecute|Execute|S0InitialCommand)$", + pattern=r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Session\\ Manager\\(BootExecute|SetupExecute|Execute|S0InitialCommand)$", regex=True, all=True, ) diff --git a/modules/signatures/windows/persistence_ifeo.py b/modules/signatures/windows/persistence_ifeo.py index a9aa2c57..6a728955 100644 --- a/modules/signatures/windows/persistence_ifeo.py +++ b/modules/signatures/windows/persistence_ifeo.py 
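Review bot: The new `indicators` tuple in `on_complete` does not compile: the commented-out InprocServer32 entry became `r# ".*\\Software\\(Wow6432Node\\)?Classes\\clsid\\[^\\]*\\InprocServer32\\.*",`, which leaves the bare name `r` followed by the next string literal with no comma between them, a SyntaxError that stops `persistence_autorun.py` from being imported at all. Once that line is a comment again, eight entries still carry `\\ ` inside a raw string (a literal backslash before the space), so writes to `Windows NT\CurrentVersion\Winlogon\Notify|Userinit|Shell`, `AppInit_DLLs`, the IFEO `Debugger` value, `Active Setup`, `Session Manager\AppCertDlls` and `Command Processor\AutoRun` would no longer be recognised; these are among the most abused persistence locations, so the signature would silently lose most of its coverage. The fence uses a single `\ ` per escaped space and a literal `\\Debugger` in place of `\\\Debugger`, whose `\D` (non-digit class) only matched the `D` by accident. `on_complete` continues past the hunk with the `whitelists` loop.
```python
        indicators = (
            # … unchanged: Run, RunOnce, RunServices, RunOnceEx, RunServicesOnce …
            r".*\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Notify\\.*",
            r".*\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Userinit$",
            # … unchanged: Policies\Explorer\Run …
            r".*\\Microsoft\\Active\ Setup\\Installed Components\\.*",
            r".*\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows\\AppInit_DLLs$",
            r".*\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\[^\\]*\\Debugger$",
            r".*\\Microsoft\\Windows\ NT\\CurrentVersion\\Winlogon\\Shell$",
            # … unchanged: Services ImagePath/ServiceDLL, Exefile command, Windows\load, ShellServiceObjectDelayLoad …
            r".*\\System\\(CurrentControlSet|ControlSet001)\\Control\\Session\ Manager\\AppCertDlls\\.*",
            # r".*\\Software\\(Wow6432Node\\)?Classes\\clsid\\[^\\]*\\InprocServer32\\.*",
            # … unchanged: LocalServer32 …
            r".*\\Microsoft\\Command\ Processor\\AutoRun$",
            # … unchanged: User Shell Folders\Startup …
        )
```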
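Review bot: `Session\\ Manager` in the new raw pattern of `PersistenceBootExecute.on_complete` is a literal backslash followed by a space, so `check_write_key` is asked to match `Control\Session\ Manager\BootExecute`, which never occurs, and the BootExecute/SetupExecute/Execute/S0InitialCommand persistence check stops firing. The escaped space needs one backslash in a raw string: `pattern=r".*\\SYSTEM\\(CurrentControlSet|ControlSet001)\\Control\\Session\ Manager\\(BootExecute|SetupExecute|Execute|S0InitialCommand)$",`. `on_complete` continues outside the hunk.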
@@ -32,9 +32,9 @@ class PersistenceIFEO(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\sNT\\\\CurrentVersion\\\\Image\sFile\sExecution\sOptions\\\\.*", - ] + indicators = ( + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\sNT\\CurrentVersion\\Image\sFile\sExecution\sOptions\\.*", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) @@ -60,9 +60,9 @@ class PersistenceSilentProcessExit(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\sNT\\\\CurrentVersion\\\\SilentProcessExit\\\\.*", - ] + indicators = ( + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\sNT\\CurrentVersion\\SilentProcessExit\\.*", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/persistence_remotedesktop.py b/modules/signatures/windows/persistence_remotedesktop.py index 1c6c9cc4..a03867e5 100644 --- a/modules/signatures/windows/persistence_remotedesktop.py +++ b/modules/signatures/windows/persistence_remotedesktop.py @@ -31,11 +31,11 @@ class PersistenceRDPRegistry(Signature): def run(self): ret = False - reg_indicators = [ - ".*\\\\Control\\\\Terminal Server\\\\fSingleSessionPerUser$", - ".*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections$", - ".*\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp$", - ] + reg_indicators = ( + r".*\\Control\\Terminal Server\\fSingleSessionPerUser$", + r".*\\Control\\Terminal Server\\fDenyTSConnections$", + r".*\\Control\\Terminal Server\\fAllowToGetHelp$", + ) for indicator in reg_indicators: match = self.check_write_key(pattern=indicator, regex=True) 
@@ -59,9 +59,7 @@ class PersistenceRDPShadowing(Signature): def run(self): ret = False - reg_indicators = [ - ".*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services$", - ] + reg_indicators = (r".*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services$",) for indicator in reg_indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/persistence_shim.py b/modules/signatures/windows/persistence_shim.py index 72d03e8c..50a5f8a2 100644 --- a/modules/signatures/windows/persistence_shim.py +++ b/modules/signatures/windows/persistence_shim.py @@ -35,14 +35,12 @@ class PersistenceShimDatabase(Signature): def run(self): ret = False - reg_indicators = [ - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom.*", - ".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB.*", - ] + reg_indicators = ( + r".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom.*", + r".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\Windows\\ NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB.*", + ) - file_indicators = [ - ".*\\\\Windows\\\\AppPatch\\\\Custom\\\\Custom64\\\\.*\.sdb$", - ] + file_indicators = (r".*\\\\Windows\\\\AppPatch\\\\Custom\\\\Custom64\\\\.*\.sdb$",) for indicator in reg_indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/prevents_safeboot.py b/modules/signatures/windows/prevents_safeboot.py index 7e90167a..5d26f712 100644 --- a/modules/signatures/windows/prevents_safeboot.py +++ b/modules/signatures/windows/prevents_safeboot.py 
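Review bot: `PersistenceShimDatabase.run` was given the `r` prefix but kept the `\\\\` and `\\ ` escapes from the non-raw version, so the patterns now demand two consecutive backslashes per separator and a backslash before the space in `Windows NT`; neither the AppCompatFlags keys nor the `.sdb` drop path can match, and the shim-database persistence check is effectively disabled. Use `r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\Windows\ NT\\CurrentVersion\\AppCompatFlags\\Custom.*"`, `r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\Windows\ NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB.*"` and `r".*\\Windows\\AppPatch\\Custom\\Custom64\\.*\.sdb$"`. Separately and pre-existing, the `Microsoft\Windows\Windows NT` segment does not look like the real `SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags` path, so it is worth confirming against a live key before relying on the corrected pattern. The `match` handling after the loop is outside the hunk.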
@@ -17,8 +17,6 @@ class PreventsSafeboot(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - if self.check_delete_key( - pattern=".*\\\\System\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\SafeBoot\\\\.*", regex=True - ): + if self.check_delete_key(pattern=r".*\\System\\(CurrentControlSet|ControlSet001)\\Control\\SafeBoot\\.*", regex=True): return True return False diff --git a/modules/signatures/windows/ransomware_dmalocker.py b/modules/signatures/windows/ransomware_dmalocker.py index 0bf97059..3d05b524 100644 --- a/modules/signatures/windows/ransomware_dmalocker.py +++ b/modules/signatures/windows/ransomware_dmalocker.py @@ -38,7 +38,7 @@ class RansomwareDMALocker(Signature): def on_call(self, call, process): if call["api"] == "RegSetValueExA" and call["status"]: - key = re.compile(".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\cryptedinfo$") + key = re.compile(r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\cryptedinfo$") buff = self.get_argument(call, "Buffer").lower() fullname = self.get_argument(call, "FullName") if buff == "notepad c:\programdata\cryptinfo.txt" and key.match(fullname): diff --git a/modules/signatures/windows/ransomware_files.py b/modules/signatures/windows/ransomware_files.py index b82c5935..8d5b4176 100644 --- a/modules/signatures/windows/ransomware_files.py +++ b/modules/signatures/windows/ransomware_files.py 
@@ -33,141 +33,141 @@ def run(self): # List of tuples with a regex pattern for the file name and a list of # family names correlating to the ransomware. If the family is unknown # just use [""]. - file_list = [ - (".*\\\\help_decrypt\.html$", ["CryptoWall"]), - (".*\\\\decrypt_instruction\.html$", ["CryptoWall"]), - (".*\\\\help_your_files\.png$", ["CryptoWall"]), - (".*\\\\decrypt_instructions\.txt$", ["CryptoLocker"]), - (".*\\\\vault\.(key|txt)$", ["CrypVault"]), - (".*\\\\!Decrypt-All-Files.*\.(txt|bmp)$", ["CTB-Locker"]), - (".*\\\\help_restore_files\.txt$", ["TeslaCrypt", "AlphaCrypt"]), - (".*\\\\help_to_save_files\.(txt|bmp)$", ["TeslaCrypt", "AlphaCrypt"]), - (".*\\\\recovery_(file|key)\.txt$", ["TeslaCrypt", "AlphaCrypt"]), - (".*\\\\restore_files_.*\.(txt|html)$", ["TeslaCrypt", "AlphaCrypt"]), - (".*\\\\howto_restore_files.*\.(txt|html)$", ["TeslaCrypt", "AlphaCrypt"]), - (".*\\\\+-xxx-HELP-xxx-+.*\.(png|txt|html)$", ["TeslaCrypt", "AlphaCrypt"]), - (".*\\\\HELP_RECOVER_instructions\+.*\.(txt|html)$", ["TeslaCrypt", "AlphaCrypt"]), - # (".*\\\\YOUR_FILES_ARE_ENCRYPTED\.HTML$", ["Chimera"]), - (".*\\\\_?how_recover.*\.(txt|html)$", ["TeslaCrypt", "AlphaCrypt"]), - (".*\\\\cl_data.*\.bak$", ["WinPlock"]), - (".*\\\\READ\ ME\ FOR\ DECRYPT\.txt$", ["Fakben"]), - (".*\\\\YOUR_FILES.url$", ["Radamant"]), - (".*\\\\_How\ to\ decrypt\ LeChiffre\ files\.html$", ["LeChiffre"]), - (".*\\\\cryptinfo\.txt$", ["DMALocker"]), - (".*\\\\README_DECRYPT_HYDRA_ID_.*(\.txt|\.jpg)$", ["HydraCrypt"]), - (".*\\\\_Locky_recover_instructions\.txt$", ["Locky"]), - (".*\\\\_DECRYPT_INFO_[a-z]{4,6}\.html$", ["Maktub"]), - (".*\\\\de_crypt_readme\.(html|txt|bmp)$", ["CryptXXX"]), - (".*\\\\HELP_YOUR_FILES\.(html|txt)$", ["CryptFile2"]), - (".*\\\\READ_IT\.txt$", ["MMLocker"]), - (".*\\\\#\ DECRYPT\ MY\ FILES\ #\.(txt|html|vbs)$", ["Cerber"]), - (".*\\\\!satana!\.txt$", ["Satana"]), - (".*\\\\HOW_TO_UNLOCK_FILES_README_\([0-9a-f]+\)\.(txt|html|bmp)$", ["WildFire"]), - 
(".*\\\\HELP_DECRYPT_YOUR_FILES\.(html|txt)$", ["CryptFile2"]), - (".*\\\\!!!\ Readme\ For\ Decrypt\ !!!\.txt$", ["MarsJoke"]), - (".*_HOWDO_text\.(html|bmp)$", ["Locky"]), - (".*\\\\!!_RECOVERY_instructions_!!\.(html|txt)$", ["Nuke"]), - (".*\\\\DECRYPT_YOUR_FILES\.HTML$", ["Fantom"]), - (".*\\\\README_RECOVER_FILES_.*\.(html|txt|png)$", ["HadesLocker"]), - (".*\\\\README\.hta$", ["Cerber"]), - (".*\\\\RESTORE-FILES!.*txt$", ["Comrade-Circle"]), - (".*_WHAT_is\.(html|bmp)$", ["Locky"]), - (".*\\\\decrypt\ explanations\.html$", ["n1n1n1"]), - (".*\\\\ransomed\.html$", ["Alcatraz-Locker"]), - (".*\\\\CHIP_FILES\.txt$", ["CHIP"]), - (".*\\\\(?:|_\d\-|\-)INSTRUCTION\.(html|bmp)$", ["Locky"]), - (".*\\\\_README(\.hta|_.*_\.hta)$", ["Cerber"]), - (".*\\\\DesktopOSIRIS\.(bmp|htm)$", ["Locky"]), - (".*\\\\OSIRIS\-[a-f0-9]{4}\.htm$", ["Locky"]), - ("C:\\[a-z]{8}\.tsv$", ["MegaCortex"]), - ("C:\\!!!_READ_ME_!!!.txt$", ["MegaCortex"]), - (".*\\\\README_LOCKED\.txt$", ["LockerGoga"]), - (".*\\\\README-NOW.txt\.txt$", ["LockerGoga"]), - (".*\\\\!-GET_MY_FILES-!\.txt$", ["Aurora", "Zorro"]), - (".*\\\\#RECOVERY-PC#\.txt$", ["Aurora", "Zorro"]), - (".*\\\\@_RESTORE-FILES_@\.txt$", ["Aurora", "Zorro"]), - (".*\\\\HOW_TO_DECRYPT\.txt$", ["BasilisqueLocker"]), - (".*\\\\!!!\ YOUR\ FILES\ ARE\ ENCRYPTED\ !!!\.TXT$", ["Buran"]), - (".*\\\\!!!CHEKYSHKA_DECRYPT_README\.TXT$", ["Chekyshka"]), - (".*\\\\HOW_TO_BACK_YOUR_FILES\.txt$", ["ChineseRarypt"]), - (".*\\\\CIopReadMe\.txt$", ["Clop-CryptoMix"]), - (".*\\\\_HELP_INSTRUCTION\.TXT$", ["CryptoMix"]), - (".*\\\\!=How_recovery_files=!\.html$", ["Everbe"]), - (".*\\\\\.FreezedByMagic\.README\.txt$", ["FreeMe"]), - ("C:\\\\ProgramData\\\.FreezedByMagic.LOG$", ["FreeMe"]), - (".*\\\\#\ DECRYPT\ MY\ FILES\ #\.txt$", ["GetCrypt"]), - (".*\\\\RECOVER-FILES\.html$", ["GlobeImposter"]), - (".*\\\\READ_IT\.html$", ["GlobeImposter"]), - (".*\\\\Read___ME\.html$", ["GlobeImposter"]), - (".*\\\\how_to_back_files\.html$", ["GlobeImposter"]), - 
(".*\\\\How\ to\ restore\ your\ files\.hta$", ["GlobeImposter"]), - (".*\\\\#NEW_WAVE\.html$", ["GlobeImposter"]), - (".*\\\\YOU_FILES_HERE\.html$", ["GlobeImposter"]), - (".*\\\\#\ instructions-[A-Z0-9]{5}\ #\.(txt|jpg|vbs)$", ["GoldenAxe"]), - (".*\\\\README_DECRYPT\.txt$", ["Gpgqwerty"]), - (".*\\\\DECRYPT_INFORMATION\.html$", ["Hermes"]), - (".*\\\\precist\.html$", ["JoeGo"]), - (".*\\\\JSWORM-DECRYPT\.(hta|html)$", ["JSWorm"]), - (".*\\\\READ-ME-NOW\.txt$", ["LockerGoga"]), - (".*\\\\@Please_Read_Me\.txt$", ["LooCipher"]), - (".*\\\\!INSTRUCTI0NS!\.TXT$", ["Maoloa"]), - (".*\\\\DECRYPT-FILES\.(html|txt)$", ["Maze"]), - (".*\\\\help\ to\ decrypt\.html$", ["MorrisBatchCrypt"]), - (".*\\\\_Decrypt_Files\.html$", ["Robbinhood"]), - (".*\\\\_Help_Help_Help\.html$", ["Robbinhood"]), - (".*\\\\_Help_Important\.html$", ["Robbinhood"]), - (".*\\\\_Decryption_ReadMe\.html$", ["Robbinhood"]), - (".*\\\\RyukReadMe\.txt$", ["Ryuk"]), - ("C:\\[a-z0-9]{6,9}-HOW-TO-DECRYPT\.txt$", ["Sodinokibi", "REvil"]), - ("C:\\[a-z0-9]{6,9}-readme\.txt$", ["Sodinokibi", "REvil"]), - (".*\\\\#NEWRAR_README#\.TXT$", ["VSSDestroy"]), - (".*\\\\#DECRYPT_MY_FILES#\.txt$", ["Aurora", "Zorro", "Dragon"]), - (".*\\\\@\ READ\ ME\ TO\ RECOVER\ FILES\ @\.txt", ["Eris"]), - (".*\\\\[A-Z0-9]{4,9}-MANUAL\.txt", ["GandCrab"]), - (".*\\\\NEMTY-DECRYPT\.txt$", ["Nemty"]), - (".*\\\\README-VIAGRA-[A-Za-z0-9]{8}\.HTML$", ["Viagra"]), - (".*\\\\PLAGUE[0-9]{2}\.txt$", ["Plague"]), - (".*\\\\READ\ ME\.(hta|TXT)$", ["Scarab-Dharma"]), - (".*\\\\FIX_Instructions\.(txt|hta)$", ["Relock"]), - (".*\\\\Readme_now\.txt$", ["Syrk"]), - (".*\\\\!_Notice_!\.txt$", ["TFlower"]), - (".*\\\\@Please_Read_Me@\.txt$", ["WannaCry"]), - (".*\\\\_readme\.txt$", ["STOP-Djvu"]), - (".*\\\\#FOX_README#\.rtf$", ["Fox"]), - (".*\\\\Restore-My-Files\.txt$", ["LockBit"]), - (".*\\\\HOW_DECRYPT_FILES\.txt$", ["Estemani"]), - (".*\\\\[A-Z0-9]{6}-Readme\.txt$", ["Koko", "Mailto"]), - (".*\\\\#README\.lilocked$", ["Lilocked"]), - 
(".*\\\\SGUARD-README\.(txt|TXT)$", ["SGuard"]), - (".*\\\\RyukReadMe\.html$", ["Ryuk"]), - (".*\\\\HOW_TO_RECOVER_DATA\.html$", ["MedusaLocker"]), - (".*\\\\ClopReadMe\.txt$", ["Clop-CryptoMix"]), - (".*\\\\Fix-Your-Files\.txt$", ["SNAKE"]), - (".*\\\\__________WHY FILES NOT WORK__________\.txt$", ["Hydra"]), - (".*\\\\.readme2unlock\.txt$", ["DoppelPaymer"]), - (".*\\\\How_To_Decrypt_My_Files\.txt$", ["Ragnarok"]), - (".*\\\\RGNR_[A-Z0-9]{8}\.txt$", ["RagnarLocker"]), - (".*\\\\H0w_T0_Rec0very_Files\.txt$", ["PwndLocker"]), - (".*\\\\\[HOW TO RECOVER FILES\]\.txt$", ["ProLock"]), - (".*\\\\CONTI_README\.txt$", ["Conti"]), - (".*\\\\!*_read_me!\.txt$", ["RansomEXX"]), - (".*\\\\!\$R4GN4R_[A-Z0-9]{8}\$!\.txt$", ["RagnarLocker"]), - (".*\\\\[0-9]{6}-readme.html$", ["Avaddon"]), - (".*\\\\[A-Za-z]{6}_readme.txt$", ["Avaddon"]), - (".*\\\\[A-Z0-9]{6}-Readme.txt$", ["NetWalker"]), - (".*\\\\[a-z]{5}_readme.txt$", ["Avaddon"]), - (".*\\\\conti\.txt$", ["Conti"]), - (".*\\\\!!_FILES_ENCRYPTED_\.txt$", ["Sfile-Escal"]), - (".*\\\\payment request\.(txt|html)$", ["Jackpot"]), - (".*\\\\r3adm3\.txt$", ["ContiV2"]), - (".*\\\\HACKED\.txt$", ["Smaug"]), - (".*\\\\YOUR_FILES_ARE_ENCRYPTED\.HTML$", ["SunCrypt"]), - (".*\\\\RecoveryManual\.html$", ["MountLocker"]), - (".*\\\\Readme\.README$", ["PYSA"]), - (".*\\\\How\sTo\sRestore\sYour\sFiles\.txt$", ["Babuk"]), - (".*\\\\PHOENIX-HELP\.txt", ["PhoenixCryptoLocker"]), - (".*\\\\BlackByte_restoremyfiles.txt", ["BlackByte"]), - ] + file_list = ( + (r".*\\help_decrypt\.html$", ["CryptoWall"]), + (r".*\\decrypt_instruction\.html$", ["CryptoWall"]), + (r".*\\help_your_files\.png$", ["CryptoWall"]), + (r".*\\decrypt_instructions\.txt$", ["CryptoLocker"]), + (r".*\\vault\.(key|txt)$", ["CrypVault"]), + (r".*\\!Decrypt-All-Files.*\.(txt|bmp)$", ["CTB-Locker"]), + (r".*\\help_restore_files\.txt$", ["TeslaCrypt", "AlphaCrypt"]), + (r".*\\help_to_save_files\.(txt|bmp)$", ["TeslaCrypt", "AlphaCrypt"]), + (r".*\\recovery_(file|key)\.txt$", 
["TeslaCrypt", "AlphaCrypt"]), + (r".*\\restore_files_.*\.(txt|html)$", ["TeslaCrypt", "AlphaCrypt"]), + (r".*\\howto_restore_files.*\.(txt|html)$", ["TeslaCrypt", "AlphaCrypt"]), + (r".*\\+-xxx-HELP-xxx-+.*\.(png|txt|html)$", ["TeslaCrypt", "AlphaCrypt"]), + (r".*\\HELP_RECOVER_instructions\+.*\.(txt|html)$", ["TeslaCrypt", "AlphaCrypt"]), + # r (".*\\YOUR_FILES_ARE_ENCRYPTED\.HTML$", ["Chimera"]), + (r".*\\_?how_recover.*\.(txt|html)$", ["TeslaCrypt", "AlphaCrypt"]), + (r".*\\cl_data.*\.bak$", ["WinPlock"]), + (r".*\\READ\ ME\ FOR\ DECRYPT\.txt$", ["Fakben"]), + (r".*\\YOUR_FILES.url$", ["Radamant"]), + (r".*\\_How\ to\ decrypt\ LeChiffre\ files\.html$", ["LeChiffre"]), + (r".*\\cryptinfo\.txt$", ["DMALocker"]), + (r".*\\README_DECRYPT_HYDRA_ID_.*(\.txt|\.jpg)$", ["HydraCrypt"]), + (r".*\\_Locky_recover_instructions\.txt$", ["Locky"]), + (r".*\\_DECRYPT_INFO_[a-z]{4,6}\.html$", ["Maktub"]), + (r".*\\de_crypt_readme\.(html|txt|bmp)$", ["CryptXXX"]), + (r".*\\HELP_YOUR_FILES\.(html|txt)$", ["CryptFile2"]), + (r".*\\READ_IT\.txt$", ["MMLocker"]), + (r".*\\#\ DECRYPT\ MY\ FILES\ #\.(txt|html|vbs)$", ["Cerber"]), + (r".*\\!satana!\.txt$", ["Satana"]), + (r".*\\HOW_TO_UNLOCK_FILES_README_\([0-9a-f]+\)\.(txt|html|bmp)$", ["WildFire"]), + (r".*\\HELP_DECRYPT_YOUR_FILES\.(html|txt)$", ["CryptFile2"]), + (r".*\\!!!\ Readme\ For\ Decrypt\ !!!\.txt$", ["MarsJoke"]), + (r".*_HOWDO_text\.(html|bmp)$", ["Locky"]), + (r".*\\!!_RECOVERY_instructions_!!\.(html|txt)$", ["Nuke"]), + (r".*\\DECRYPT_YOUR_FILES\.HTML$", ["Fantom"]), + (r".*\\README_RECOVER_FILES_.*\.(html|txt|png)$", ["HadesLocker"]), + (r".*\\README\.hta$", ["Cerber"]), + (r".*\\RESTORE-FILES!.*txt$", ["Comrade-Circle"]), + (r".*_WHAT_is\.(html|bmp)$", ["Locky"]), + (r".*\\decrypt\ explanations\.html$", ["n1n1n1"]), + (r".*\\ransomed\.html$", ["Alcatraz-Locker"]), + (r".*\\CHIP_FILES\.txt$", ["CHIP"]), + (r".*\\(?:|_\d\-|\-)INSTRUCTION\.(html|bmp)$", ["Locky"]), + (r".*\\_README(\.hta|_.*_\.hta)$", ["Cerber"]), + 
(r".*\\DesktopOSIRIS\.(bmp|htm)$", ["Locky"]), + (r".*\\OSIRIS\-[a-f0-9]{4}\.htm$", ["Locky"]), + (r"C:\\[a-z]{8}\.tsv$", ["MegaCortex"]), + (r"C:\\!!!_READ_ME_!!!.txt$", ["MegaCortex"]), + (r".*\\README_LOCKED\.txt$", ["LockerGoga"]), + (r".*\\README-NOW.txt\.txt$", ["LockerGoga"]), + (r".*\\!-GET_MY_FILES-!\.txt$", ["Aurora", "Zorro"]), + (r".*\\#RECOVERY-PC#\.txt$", ["Aurora", "Zorro"]), + (r".*\\@_RESTORE-FILES_@\.txt$", ["Aurora", "Zorro"]), + (r".*\\HOW_TO_DECRYPT\.txt$", ["BasilisqueLocker"]), + (r".*\\!!!\ YOUR\ FILES\ ARE\ ENCRYPTED\ !!!\.TXT$", ["Buran"]), + (r".*\\!!!CHEKYSHKA_DECRYPT_README\.TXT$", ["Chekyshka"]), + (r".*\\HOW_TO_BACK_YOUR_FILES\.txt$", ["ChineseRarypt"]), + (r".*\\CIopReadMe\.txt$", ["Clop-CryptoMix"]), + (r".*\\_HELP_INSTRUCTION\.TXT$", ["CryptoMix"]), + (r".*\\!=How_recovery_files=!\.html$", ["Everbe"]), + (r".*\\\.FreezedByMagic\.README\.txt$", ["FreeMe"]), + (r"C:\\ProgramData\\\.FreezedByMagic.LOG$", ["FreeMe"]), + (r".*\\#\ DECRYPT\ MY\ FILES\ #\.txt$", ["GetCrypt"]), + (r".*\\RECOVER-FILES\.html$", ["GlobeImposter"]), + (r".*\\READ_IT\.html$", ["GlobeImposter"]), + (r".*\\Read___ME\.html$", ["GlobeImposter"]), + (r".*\\how_to_back_files\.html$", ["GlobeImposter"]), + (r".*\\How\ to\ restore\ your\ files\.hta$", ["GlobeImposter"]), + (r".*\\#NEW_WAVE\.html$", ["GlobeImposter"]), + (r".*\\YOU_FILES_HERE\.html$", ["GlobeImposter"]), + (r".*\\#\ instructions-[A-Z0-9]{5}\ #\.(txt|jpg|vbs)$", ["GoldenAxe"]), + (r".*\\README_DECRYPT\.txt$", ["Gpgqwerty"]), + (r".*\\DECRYPT_INFORMATION\.html$", ["Hermes"]), + (r".*\\precist\.html$", ["JoeGo"]), + (r".*\\JSWORM-DECRYPT\.(hta|html)$", ["JSWorm"]), + (r".*\\READ-ME-NOW\.txt$", ["LockerGoga"]), + (r".*\\@Please_Read_Me\.txt$", ["LooCipher"]), + (r".*\\!INSTRUCTI0NS!\.TXT$", ["Maoloa"]), + (r".*\\DECRYPT-FILES\.(html|txt)$", ["Maze"]), + (r".*\\help\ to\ decrypt\.html$", ["MorrisBatchCrypt"]), + (r".*\\_Decrypt_Files\.html$", ["Robbinhood"]), + (r".*\\_Help_Help_Help\.html$", 
["Robbinhood"]), + (r".*\\_Help_Important\.html$", ["Robbinhood"]), + (r".*\\_Decryption_ReadMe\.html$", ["Robbinhood"]), + (r".*\\RyukReadMe\.txt$", ["Ryuk"]), + (r"C:\\[a-z0-9]{6,9}-HOW-TO-DECRYPT\.txt$", ["Sodinokibi", "REvil"]), + (r"C:\\[a-z0-9]{6,9}-readme\.txt$", ["Sodinokibi", "REvil"]), + (r".*\\#NEWRAR_README#\.TXT$", ["VSSDestroy"]), + (r".*\\#DECRYPT_MY_FILES#\.txt$", ["Aurora", "Zorro", "Dragon"]), + (r".*\\@\ READ\ ME\ TO\ RECOVER\ FILES\ @\.txt", ["Eris"]), + (r".*\\[A-Z0-9]{4,9}-MANUAL\.txt", ["GandCrab"]), + (r".*\\NEMTY-DECRYPT\.txt$", ["Nemty"]), + (r".*\\README-VIAGRA-[A-Za-z0-9]{8}\.HTML$", ["Viagra"]), + (r".*\\PLAGUE[0-9]{2}\.txt$", ["Plague"]), + (r".*\\READ\ ME\.(hta|TXT)$", ["Scarab-Dharma"]), + (r".*\\FIX_Instructions\.(txt|hta)$", ["Relock"]), + (r".*\\Readme_now\.txt$", ["Syrk"]), + (r".*\\!_Notice_!\.txt$", ["TFlower"]), + (r".*\\@Please_Read_Me@\.txt$", ["WannaCry"]), + (r".*\\_readme\.txt$", ["STOP-Djvu"]), + (r".*\\#FOX_README#\.rtf$", ["Fox"]), + (r".*\\Restore-My-Files\.txt$", ["LockBit"]), + (r".*\\HOW_DECRYPT_FILES\.txt$", ["Estemani"]), + (r".*\\[A-Z0-9]{6}-Readme\.txt$", ["Koko", "Mailto"]), + (r".*\\#README\.lilocked$", ["Lilocked"]), + (r".*\\SGUARD-README\.(txt|TXT)$", ["SGuard"]), + (r".*\\RyukReadMe\.html$", ["Ryuk"]), + (r".*\\HOW_TO_RECOVER_DATA\.html$", ["MedusaLocker"]), + (r".*\\ClopReadMe\.txt$", ["Clop-CryptoMix"]), + (r".*\\Fix-Your-Files\.txt$", ["SNAKE"]), + (r".*\\__________WHY FILES NOT WORK__________\.txt$", ["Hydra"]), + (r".*\\.readme2unlock\.txt$", ["DoppelPaymer"]), + (r".*\\How_To_Decrypt_My_Files\.txt$", ["Ragnarok"]), + (r".*\\RGNR_[A-Z0-9]{8}\.txt$", ["RagnarLocker"]), + (r".*\\H0w_T0_Rec0very_Files\.txt$", ["PwndLocker"]), + (r".*\\\[HOW TO RECOVER FILES\]\.txt$", ["ProLock"]), + (r".*\\CONTI_README\.txt$", ["Conti"]), + (r".*\\!*_read_me!\.txt$", ["RansomEXX"]), + (r".*\\!\$R4GN4R_[A-Z0-9]{8}\$!\.txt$", ["RagnarLocker"]), + (r".*\\[0-9]{6}-readme.html$", ["Avaddon"]), + 
(r".*\\[A-Za-z]{6}_readme.txt$", ["Avaddon"]), + (r".*\\[A-Z0-9]{6}-Readme.txt$", ["NetWalker"]), + (r".*\\[a-z]{5}_readme.txt$", ["Avaddon"]), + (r".*\\conti\.txt$", ["Conti"]), + (r".*\\!!_FILES_ENCRYPTED_\.txt$", ["Sfile-Escal"]), + (r".*\\payment request\.(txt|html)$", ["Jackpot"]), + (r".*\\r3adm3\.txt$", ["ContiV2"]), + (r".*\\HACKED\.txt$", ["Smaug"]), + (r".*\\YOUR_FILES_ARE_ENCRYPTED\.HTML$", ["SunCrypt"]), + (r".*\\RecoveryManual\.html$", ["MountLocker"]), + (r".*\\Readme\.README$", ["PYSA"]), + (r".*\\How\sTo\sRestore\sYour\sFiles\.txt$", ["Babuk"]), + (r".*\\PHOENIX-HELP\.txt", ["PhoenixCryptoLocker"]), + (r".*\\BlackByte_restoremyfiles.txt", ["BlackByte"]), + ) for ioc in file_list: if self.check_write_file(pattern=ioc[0], regex=True): diff --git a/modules/signatures/windows/ransomware_gandcrab.py b/modules/signatures/windows/ransomware_gandcrab.py index e0ba12f9..25a17ae6 100644 --- a/modules/signatures/windows/ransomware_gandcrab.py +++ b/modules/signatures/windows/ransomware_gandcrab.py @@ -30,7 +30,7 @@ class GandCrabMutexes(Signature): def run(self): indicators = [ "AversSucksForever$", - "\\\\Sessions\\\\1\\\\BaseNamedObjects\\\\AversSucksForever$", + r"\\Sessions\\1\\BaseNamedObjects\\AversSucksForever$", ] for indicator in indicators: diff --git a/modules/signatures/windows/ransomware_medusalocker.py b/modules/signatures/windows/ransomware_medusalocker.py index ff1aa805..74d3d22a 100644 --- a/modules/signatures/windows/ransomware_medusalocker.py +++ b/modules/signatures/windows/ransomware_medusalocker.py @@ -56,10 +56,10 @@ class MedusaLockerRegkeys(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_CURRENT_USER\\\\Software\\\\Medusa", - "HKEY_CURRENT_USER\\\\Software\\\\Medusa\\\\.*", - ] + indicators = ( + r"HKEY_CURRENT_USER\\\\Software\\\\Medusa", + r"HKEY_CURRENT_USER\\\\Software\\\\Medusa\\\\.*", + ) for indicator in indicators: match = self.check_key(pattern=indicator, regex=True) 
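Review bot: The commented-out Chimera entry in `file_list` came out as `# r (".*\\YOUR_FILES_ARE_ENCRYPTED\.HTML$", ["Chimera"]),` with the `r` prefix outside the tuple, so un-commenting it would be a syntax error; either write it as `# (r".*\\YOUR_FILES_ARE_ENCRYPTED\.HTML$", ["Chimera"]),` or drop the dead line, since the identical pattern is already listed for SunCrypt further down. Note also that the raw-string conversion silently changes detection for the drive-anchored entries: before this commit `"C:\\[a-z]{8}\.tsv$"` was the regex `C:\[a-z]{8}...` (a literal `[`), so the MegaCortex and Sodinokibi/REvil patterns could never match, and they now can — that is a real behaviour change a commit titled "sync" should call out and cover with a test. Building the whole `file_list` tuple on every `run()` is also avoidable; a module-level constant would do. The enclosing `run()` continues outside the hunk.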
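Review bot: The MedusaLocker `indicators` keep four backslashes inside raw strings, so `r"HKEY_CURRENT_USER\\\\Software\\\\Medusa"` is the regex `\\\\`, which needs two literal backslashes between components and will not match `HKEY_CURRENT_USER\Software\Medusa` as the registry key appears in a report; the old non-raw `"\\\\"` was a single regex backslash. Inside `r""` the separators must be `\\`: `r"HKEY_CURRENT_USER\\Software\\Medusa",` and `r"HKEY_CURRENT_USER\\Software\\Medusa\\.*",`. The NEMTY and LimeRAT hunks in this same commit show the intended form. The loop body of `run()` continues outside the hunk.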
diff --git a/modules/signatures/windows/ransomware_nemty.py b/modules/signatures/windows/ransomware_nemty.py
index 830cefa4..39eda3fc 100644
--- a/modules/signatures/windows/ransomware_nemty.py
+++ b/modules/signatures/windows/ransomware_nemty.py
@@ -53,7 +53,7 @@ class NemtyRegkeys(Signature):
 def run(self):
 indicators = [
- "HKEY_CURRENT_USER\\\\Software\\\\NEMTY.*",
+ r"HKEY_CURRENT_USER\\Software\\NEMTY.*",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/ransomware_radamant.py b/modules/signatures/windows/ransomware_radamant.py
index 870f3989..50cae86a 100644
--- a/modules/signatures/windows/ransomware_radamant.py
+++ b/modules/signatures/windows/ransomware_radamant.py
@@ -40,16 +40,16 @@ def run(self):
 # Check for creation of Autorun
 if self.check_write_key(
- pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\(svchost|DirectX)$",
+ pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\(svchost|DirectX)$",
 regex=True,
- ) and self.check_write_file(pattern=".*\\\\Windows\\\\dirextx.exe$", regex=True):
+ ) and self.check_write_file(pattern=r".*\\Windows\\dirextx.exe$", regex=True):
 self.ttps += ["T1112"] # MITRE v6,7,8
 self.mbcs += ["E1112"]
 self.mbcs += ["OC0008", "C0036"] # micro-behaviour
 return True
 # Check for creation of ransom message file
- if self.check_write_file(pattern=".*\\\\YOUR_FILES.url$", regex=True):
+ if self.check_write_file(pattern=r".*\\YOUR_FILES.url$", regex=True):
 self.mbcs += ["OC0001", "C0016"] # micro-behaviour
 return True
diff --git a/modules/signatures/windows/ransomware_recyclebin.py b/modules/signatures/windows/ransomware_recyclebin.py
index 129937b9..5731ba32 100644
--- a/modules/signatures/windows/ransomware_recyclebin.py
+++ b/modules/signatures/windows/ransomware_recyclebin.py
@@ -17,6 +17,6 @@ class RansomwareRecyclebin(Signature):
 mbcs += ["OC0001", "C0047"] # micro-behaviour
 def run(self):
- if self.check_delete_file(pattern="C:\\\\RECYCLER\\\\.*", regex=True):
+ if self.check_delete_file(pattern=r"C:\\RECYCLER\\.*", regex=True):
 return True
 return False
diff --git a/modules/signatures/windows/ransomware_revil_mutex.py b/modules/signatures/windows/ransomware_revil_mutex.py
index b65fb1ff..c4bc60fc 100644
--- a/modules/signatures/windows/ransomware_revil_mutex.py
+++ b/modules/signatures/windows/ransomware_revil_mutex.py
@@ -29,24 +29,24 @@ class RevilMutexes(Signature): def run(self): indicators = [ - "^(Global|Local)\\\\112983B0-B4C9-4F9B-96C4-E5394FB8A5B4$", - "^(Global|Local)\\\\1DB960B8-E5C3-F077-5D68-EEE2E637EE0B$", - "^(Global|Local)\\\\206D87E0-0E60-DF25-DD8F-8E4E7D1E3BF0$", - "^(Global|Local)\\\\3555A3D6-37B3-0919-F7BE-F3AAB5B6644A$", - # "^(Global|Local)\\\\552FFA80-3393-423d-8671-7BA046BB5906$", - "^(Global|Local)\\\\6CAC559B-02B4-D929-3675-2706BBB8CF66$", - "^(Global|Local)\\\\859B4E91-BAF1-3DBB-E616-E9E99E851136$", - "^(Global|Local)\\\\879EBE58-4C9F-A6BE-96A3-4C51826CEC2F$", - "^(Global|Local)\\\\95B97D2B-4513-2041-E8A5-AC7446F12075$", - "^(Global|Local)\\\\BF29B630-7648-AADF-EC8A-94647D2349D6$", - "^(Global|Local)\\\\C126B3B3-6B51-F91C-6FDF-DD2C70FA45E6$", - "^(Global|Local)\\\\C19C0A84-FA11-3F9C-C3BC-0BCB16922ABF$", - "^(Global|Local)\\\\C817795D-7756-05BF-A69E-6ED0CE91EAC4$", - "^(Global|Local)\\\\D382D713-AA87-457D-DDD3-C3DDD8DFBC96$", - "^(Global|Local)\\\\DAE678E1-967E-6A19-D564-F7FCA6E7AEBC$", - "^(Global|Local)\\\\FB864EC7-B361-EA6D-545C-E1A167CCBE95$", - "^(Global|Local)\\\\FDC9FA6E-8257-3E98-2600-E72145612F09$", - "^(Global|Local)\\\\FDF2DD18-A4C1-27D9-3CED-9440FC2281FA$", + r"^(Global|Local)\\112983B0-B4C9-4F9B-96C4-E5394FB8A5B4$", + r"^(Global|Local)\\1DB960B8-E5C3-F077-5D68-EEE2E637EE0B$", + r"^(Global|Local)\\206D87E0-0E60-DF25-DD8F-8E4E7D1E3BF0$", + r"^(Global|Local)\\3555A3D6-37B3-0919-F7BE-F3AAB5B6644A$", + # "^(Global|Local)\\552FFA80-3393-423d-8671-7BA046BB5906$", + r"^(Global|Local)\\6CAC559B-02B4-D929-3675-2706BBB8CF66$", + r"^(Global|Local)\\859B4E91-BAF1-3DBB-E616-E9E99E851136$", + r"^(Global|Local)\\879EBE58-4C9F-A6BE-96A3-4C51826CEC2F$", + r"^(Global|Local)\\95B97D2B-4513-2041-E8A5-AC7446F12075$", + r"^(Global|Local)\\BF29B630-7648-AADF-EC8A-94647D2349D6$", + r"^(Global|Local)\\C126B3B3-6B51-F91C-6FDF-DD2C70FA45E6$", + r"^(Global|Local)\\C19C0A84-FA11-3F9C-C3BC-0BCB16922ABF$", + r"^(Global|Local)\\C817795D-7756-05BF-A69E-6ED0CE91EAC4$", + 
r"^(Global|Local)\\D382D713-AA87-457D-DDD3-C3DDD8DFBC96$", + r"^(Global|Local)\\DAE678E1-967E-6A19-D564-F7FCA6E7AEBC$", + r"^(Global|Local)\\FB864EC7-B361-EA6D-545C-E1A167CCBE95$", + r"^(Global|Local)\\FDC9FA6E-8257-3E98-2600-E72145612F09$", + r"^(Global|Local)\\FDF2DD18-A4C1-27D9-3CED-9440FC2281FA$", ] for indicator in indicators: diff --git a/modules/signatures/windows/rat_blackremote.py b/modules/signatures/windows/rat_blackremote.py index 01c3a20b..648dea0c 100644 --- a/modules/signatures/windows/rat_blackremote.py +++ b/modules/signatures/windows/rat_blackremote.py @@ -66,7 +66,7 @@ def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) self.match = False self.score = int() - self.regpat = re.compile("^HKEY_CURRENT_USER\\\\[\x00-\xFF]{0,500}[^\x00-\x7F]{1,}", re.UNICODE) + self.regpat = re.compile(r"^HKEY_CURRENT_USER\\[\x00-\xFF]{0,500}[^\x00-\x7F]{1,}", re.UNICODE) def on_call(self, call, process): if call["api"] == "RegSetValueExW": @@ -153,8 +153,8 @@ def __init__(self, *args, **kwargs): self.cryptmz = False self.rtldecmz = False self.score = int() - self.msbuild = re.compile(".*\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\MSBuild.exe$") - self.regasm = re.compile(".*\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\RegAsm.exe$") + self.msbuild = re.compile(r".*\\Microsoft\.NET\\Framework\\v.*\\MSBuild.exe$") + self.regasm = re.compile(r".*\\Microsoft\.NET\\Framework\\v.*\\RegAsm.exe$") def on_call(self, call, process): if call["api"] == "RtlDecompressBuffer": diff --git a/modules/signatures/windows/rat_karagany.py b/modules/signatures/windows/rat_karagany.py index a9f87dd4..3279e88f 100644 --- a/modules/signatures/windows/rat_karagany.py +++ b/modules/signatures/windows/rat_karagany.py 
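Review bot: The commented-out REvil mutex line was rewritten to the two-backslash form without the `r` prefix, `# "^(Global|Local)\\552FFA80-3393-423d-8671-7BA046BB5906$",`, so whoever un-comments it gets a non-raw string whose `\552` is interpreted by `re` as an octal escape rather than a backslash followed by `552`, and the indicator silently never matches. Either keep it in step with its neighbours, `# r"^(Global|Local)\\552FFA80-3393-423d-8671-7BA046BB5906$",`, or delete the dead entry. The `for indicator in indicators:` loop body continues outside the hunk.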
@@ -66,13 +66,13 @@ class KaraganyFiles(Signature):
 mbcs += ["OC0001", "C0016"] # micro-behaviour
 def on_complete(self):
- indicators = [
- ".*\\\\up_stat.txt$",
- ".*\\\\stat_ag.txt$",
- ".*\\\\serv_stat.txt$",
- ".*\\\\svchost\d+\.txt$",
- ".*\\\\Update\\\\Tmp\\\\.*",
- ]
+ indicators = (
+ r".*\\up_stat.txt$",
+ r".*\\stat_ag.txt$",
+ r".*\\serv_stat.txt$",
+ r".*\\svchost\d+\.txt$",
+ r".*\\Update\\Tmp\\.*",
+ )
 for indicator in indicators:
 match = self.check_write_file(patten=indicator, regex=True, all=True)
diff --git a/modules/signatures/windows/rat_limerat.py b/modules/signatures/windows/rat_limerat.py
index 2b277cf3..998f3501 100644
--- a/modules/signatures/windows/rat_limerat.py
+++ b/modules/signatures/windows/rat_limerat.py
@@ -56,12 +56,12 @@ class LimeRATRegkeys(Signature):
 mbcs += ["OC0008", "C0036"] # micro-behaviour
 def run(self):
- indicators = [
- "HKEY_CURRENT_USER\\\\Software\\\\3862E8D73699\\\\Flood$",
- "HKEY_CURRENT_USER\\\\Software\\\\3862E8D73699\\\\Rans-Status$",
- "HKEY_CURRENT_USER\\\\Software\\\\0E1513CB5D0B\\\\Flood$",
- "HKEY_CURRENT_USER\\\\Software\\\\0E1513CB5D0B\\\\Rans-Status$",
- ]
+ indicators = (
+ r"HKEY_CURRENT_USER\\Software\\3862E8D73699\\Flood$",
+ r"HKEY_CURRENT_USER\\Software\\3862E8D73699\\Rans-Status$",
+ r"HKEY_CURRENT_USER\\Software\\0E1513CB5D0B\\Flood$",
+ r"HKEY_CURRENT_USER\\Software\\0E1513CB5D0B\\Rans-Status$",
+ )
 for indicator in indicators:
 match = self.check_key(pattern=indicator, regex=True)
diff --git a/modules/signatures/windows/rat_lodarat.py b/modules/signatures/windows/rat_lodarat.py
index 9b4ae333..868d2c51 100644
--- a/modules/signatures/windows/rat_lodarat.py
+++ b/modules/signatures/windows/rat_lodarat.py
@@ -29,7 +29,7 @@ class LodaRATFileBehavior(Signature):
 def run(self):
 file_indicators = [
- ".*\\\\AppData\\\\Roaming\\\\Windata\\\\([A-Za-z]{6}|svchost)\.exe$",
+ r".*\\AppData\\Roaming\\Windata\\([A-Za-z]{6}|svchost)\.exe$",
 ]
 for indicator in file_indicators:
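Review bot: The unchanged context line in the Karagany hunk calls `self.check_write_file(patten=indicator, regex=True, all=True)` with the misspelled keyword `patten`; every other call in this commit uses `pattern=`, so this one presumably raises `TypeError` on the first iteration and the file indicators for this family never fire. Since the indicator tuple right above it is being rewritten anyway, fix the call in the same commit: `match = self.check_write_file(pattern=indicator, regex=True, all=True)`. The loop body of `on_complete` continues outside the hunk.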
diff --git a/modules/signatures/windows/rat_modi.py b/modules/signatures/windows/rat_modi.py
index a9e44280..ac6d6de3 100644
--- a/modules/signatures/windows/rat_modi.py
+++ b/modules/signatures/windows/rat_modi.py
@@ -27,18 +27,18 @@ class ModiRATBehavior(Signature):
 minimum = "1.3"
 def run(self):
- reg_indicators = [
- "HKEY_CURRENT_USER\\\\Software\\\\FFMPEG_URL.*",
- "HKEY_CURRENT_USER\\\\Software\\\\Telegram_Notifier.*",
- ]
- file_indicators = [
- "[A-Z]:\\\\ProgramData\\\\ffmpeg\.exe$",
- "[A-Z]:\\\\.*\\\\AppData\\\\Roaming\\\\WindowsCodecs\.dll$",
- "[A-Z]:\\\\.*\\\\AppData\\\\Roaming\\\\Lanceur\.vbs$",
- "[A-Z]:\\\\.*\\\\AppData\\\\Roaming\\\\LeFichier\.txt$",
- "[A-Z]:\\\\.*\\\\AppData\\\\Roaming\\\\txt\.txt$",
- "[A-Z]:\\\\.*\\\\AppData\\\\Roaming\\\\MSBuild\.exe$",
- ]
+ reg_indicators = (
+ "HKEY_CURRENT_USER\\Software\\FFMPEG_URL.*",
+ "HKEY_CURRENT_USER\\Software\\Telegram_Notifier.*",
+ )
+ file_indicators = (
+ r"[A-Z]:\\ProgramData\\ffmpeg\.exe$",
+ r"[A-Z]:\\.*\\AppData\\Roaming\\WindowsCodecs\.dll$",
+ r"[A-Z]:\\.*\\AppData\\Roaming\\Lanceur\.vbs$",
+ r"[A-Z]:\\.*\\AppData\\Roaming\\LeFichier\.txt$",
+ r"[A-Z]:\\.*\\AppData\\Roaming\\txt\.txt$",
+ r"[A-Z]:\\.*\\AppData\\Roaming\\MSBuild\.exe$",
+ )
 score = int()
 for rindicator in reg_indicators:
diff --git a/modules/signatures/windows/rat_nanocore.py b/modules/signatures/windows/rat_nanocore.py
index f9046ace..e6a860a1 100644
--- a/modules/signatures/windows/rat_nanocore.py
+++ b/modules/signatures/windows/rat_nanocore.py
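Review bot: The two `reg_indicators` in rat_modi.py were halved to `\\` but did not get the `r` prefix, so Python turns `"HKEY_CURRENT_USER\\Software\\FFMPEG_URL.*"` into the regex `HKEY_CURRENT_USER\Software\FFMPEG_URL.*`, where `\S` is the non-whitespace class and `\F` / `\T` are bad escapes that `re` rejects with `re.error`; the signature will presumably crash the moment `check_key` compiles the pattern instead of detecting anything. The fix is to prefix them like the `file_indicators` right below: `r"HKEY_CURRENT_USER\\Software\\FFMPEG_URL.*",` and `r"HKEY_CURRENT_USER\\Software\\Telegram_Notifier.*",`. The scoring loop of `run()` continues outside the hunk.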
@@ -54,19 +54,19 @@ def on_call(self, call, process):
 def on_complete(self):
 badness = 0
 guid = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}" "-[0-9a-fA-F]{12}"
- fileiocs = [
- ".*\\\\" + guid + "\\\\run\.dat$",
- ".*\\\\" + guid + "\\\\task\.dat$",
- ".*\\\\" + guid + "\\\\catelog\.dat$",
- ".*\\\\" + guid + "\\\\storage\.dat$",
- ".*\\\\" + guid + "\\\\settings\.bin$",
- ]
+ fileiocs = (
+ r".*\\" + guid + "\\run\.dat$",
+ r".*\\" + guid + "\\task\.dat$",
+ r".*\\" + guid + "\\catelog\.dat$",
+ r".*\\" + guid + "\\storage\.dat$",
+ r".*\\" + guid + "\\settings\.bin$",
+ )
 for ioc in fileiocs:
 if self.check_write_file(pattern=ioc, regex=True):
 self.mbcs += ["OC0001", "C0016"] # micro-behaviour
 badness += 1
- mutex = "(Global|Local)\\\\\{" + guid + "\}$"
+ mutex = r"(Global|Local)\\\{" + guid + r"\}$"
 if self.check_mutex(pattern=mutex, regex=True):
 self.mbcs += ["OC0003", "C0042"] # micro-behaviour
 badness += 1
diff --git a/modules/signatures/windows/rat_njrat_regkeys.py b/modules/signatures/windows/rat_njrat_regkeys.py
index 7bfcd4ca..627c2669 100644
--- a/modules/signatures/windows/rat_njrat_regkeys.py
+++ b/modules/signatures/windows/rat_njrat_regkeys.py
@@ -31,10 +31,10 @@ class NjratRegkeys(Signature):
 def run(self):
 njrat_keys = False
- indicators = [
- "HKEY_CURRENT_USER\\\\di$",
- "HKEY_CURRENT_USER\\\\.*\\\\\[kl\]$",
- ]
+ indicators = (
+ r"HKEY_CURRENT_USER\\di$",
+ r"HKEY_CURRENT_USER\\.*\\\[kl\]$",
+ )
 for indicator in indicators:
 match = self.check_write_key(pattern=indicator, regex=True)
diff --git a/modules/signatures/windows/rat_oblique.py b/modules/signatures/windows/rat_oblique.py
index 8f12e8e5..d1de5b49 100644
--- a/modules/signatures/windows/rat_oblique.py
+++ b/modules/signatures/windows/rat_oblique.py
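Review bot: In the NanoCore `fileiocs` only the left-hand `r".*\\"` half got the raw prefix; the right-hand suffixes were halved to `"\\run\.dat$"` as ordinary strings, which Python reads as `\run\.dat$`, so the concatenated regex contains `\r` (carriage return), `\t` (tab), `\s` (whitespace) and, for `\catelog`, the bad escape `\c` that makes `re` raise. None of the five file indicators can match any more and the third presumably aborts the signature. Each suffix needs the prefix too, e.g. `r".*\\" + guid + r"\\run\.dat$",` and likewise for `task`, `catelog`, `storage` and `settings`; the `mutex` line in the same hunk already shows the correct form with `r"\}$"`. `on_complete` continues outside the hunk.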
@@ -55,11 +55,11 @@ class ObliquekRATFiles(Signature):
 mbcs += ["OC0001", "C0016"] # micro-behaviour
 def run(self):
- indicators = [
- ".*\\\\ProgramData\\\\System\\\\Dump.*",
- ".*\\\\ProgramData\\\\auto.txt$",
- ".*\\\\ProgramData\\\\a.txt$",
- ]
+ indicators = (
+ r".*\\\\ProgramData\\\\System\\\\Dump.*",
+ r".*\\\\ProgramData\\\\auto.txt$",
+ r".*\\\\ProgramData\\\\a.txt$",
+ )
 for indicator in indicators:
 match = self.check_file(pattern=indicator, regex=True)
diff --git a/modules/signatures/windows/rat_pcclient.py b/modules/signatures/windows/rat_pcclient.py
index 6b5bfd4c..f8cffd13 100644
--- a/modules/signatures/windows/rat_pcclient.py
+++ b/modules/signatures/windows/rat_pcclient.py
@@ -40,10 +40,10 @@ def run(self):
 return True
 indicators = [
- ".*\\\\syslog.dat",
- ".*\\\\.*_lang.ini",
- ".*\\\\[0-9]+_lang.dll",
- ".*\\\\[0-9]+_res.tmp",
+ r".*\\syslog.dat",
+ r".*\\.*_lang.ini",
+ r".*\\[0-9]+_lang.dll",
+ r".*\\[0-9]+_res.tmp",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/rat_spynet.py b/modules/signatures/windows/rat_spynet.py
index 4190a9a9..5a3794d7 100644
--- a/modules/signatures/windows/rat_spynet.py
+++ b/modules/signatures/windows/rat_spynet.py
@@ -55,10 +55,10 @@ def run(self):
 return True
 keys = [
- ".*\\\\SpyNet\\\\.*",
+ r".*\\SpyNet\\.*",
 ]
 whitelist = [
- ".*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\.*",
+ r".*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\.*",
 ]
 for key in keys:
 keymatch = self.check_write_key(pattern=key, regex=True)
diff --git a/modules/signatures/windows/rat_warzone.py b/modules/signatures/windows/rat_warzone.py
index 2a291127..df28c82b 100644
--- a/modules/signatures/windows/rat_warzone.py
+++ b/modules/signatures/windows/rat_warzone.py
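Review bot: The ObliqueRAT `indicators` keep four backslashes inside raw strings, so `r".*\\\\ProgramData\\\\System\\\\Dump.*"` is the regex `\\\\` and demands two literal backslashes between path components; the old non-raw `"\\\\"` was a single one, so these three file indicators stop matching after this change. Inside `r""` they should read `r".*\\ProgramData\\System\\Dump.*",`, `r".*\\ProgramData\\auto.txt$",` and `r".*\\ProgramData\\a.txt$",`, exactly as the pcclient hunk right after does. The loop body of `run()` continues outside the hunk.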
@@ -29,10 +29,10 @@ class WarzoneRATRegkeys(Signature):
 mbcs += ["OC0008", "C0036"] # micro-behaviour
 def run(self):
- indicators = [
- "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\[A-Z0-9]{10}\\\\[a-z]{4}$",
- "HKEY_CURRENT_USER\\\\Software\\\\_rptls\\\\Install$",
- ]
+ indicators = (
+ r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\[A-Z0-9]{10}\\[a-z]{4}$",
+ r"HKEY_CURRENT_USER\\Software\\_rptls\\Install$",
+ )
 for indicator in indicators:
 match = self.check_key(pattern=indicator, regex=True)
@@ -57,8 +57,8 @@ class WarzoneRATFiles(Signature):
 def run(self):
 indicators = [
- ".*\\\\Program Files\\\\Microsoft DN1.*",
- ".*\\\\AppData\\\\Local\\\\Microsoft Vision\\\\",
+ r".*\\Program Files\\Microsoft DN1.*",
+ r".*\\AppData\\Local\\Microsoft Vision\\",
 ]
 for indicator in indicators:
diff --git a/modules/signatures/windows/rat_xpert.py b/modules/signatures/windows/rat_xpert.py
index 078936d3..e236e1ca 100644
--- a/modules/signatures/windows/rat_xpert.py
+++ b/modules/signatures/windows/rat_xpert.py
@@ -68,12 +68,12 @@ def run(self):
 guid = "[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}"
 try:
- indicators.append(".*\\\\AppData\\\\Local\\\\Temp\\\\" + user.decode("utf-8") + "\.bmp")
+ indicators.append(r".*\\AppData\\Local\\Temp\\" + user.decode("utf-8") + "\.bmp")
 except Exception:
 return False
- indicators.append(".*\\\\AppData\\\\Roaming\\\\" + guid + "\\\\ut$")
- indicators.append(".*\\\\AppData\\\\Roaming\\\\" + guid + "\\\\" + guid + "\.(exe|pas)")
+ indicators.append(r".*\\AppData\\Roaming\\" + guid + "\\ut$")
+ indicators.append(r".*\\AppData\\Roaming\\" + guid + "\\" + guid + "\.(exe|pas)")
 for indicator in indicators:
 match = self.check_write_file(pattern=indicator, regex=True)
diff --git a/modules/signatures/windows/recon_fingerprint.py b/modules/signatures/windows/recon_fingerprint.py
index 4c0c9086..7d0d3a92 100644
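Review bot: In rat_xpert.py the two `indicators.append(...)` lines after the `try` only raw-prefixed the first literal; the joined suffixes `"\\ut$"` and `"\\" + guid` are ordinary strings, so the regex receives `\ut$` (an incomplete `\u` escape that `re` rejects) and `\[A-Z0-9]{8}...` (a literal `[`), and neither indicator can work — the first presumably raises at compile time. Write them as `indicators.append(r".*\\AppData\\Roaming\\" + guid + r"\\ut$")` and `indicators.append(r".*\\AppData\\Roaming\\" + guid + r"\\" + guid + r"\.(exe|pas)")`. Separately, `user.decode("utf-8")` is spliced into a regex unescaped; a username containing `(`, `[` or `\` would blow up outside the `try`, so wrap it in `re.escape(...)` (`user` is assigned outside the hunk, so its origin cannot be checked here). The rest of `run()` continues outside the hunk.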
--- a/modules/signatures/windows/recon_fingerprint.py
+++ b/modules/signatures/windows/recon_fingerprint.py
@@ -29,13 +29,13 @@ class Fingerprint(Signature):
 mbcs += ["OC0008", "C0036"] # micro-behaviour
 def run(self):
- indicators = [
- ".*\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\DigitalProductId$",
- ".*\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\ProductId$",
- ".*\\\\Microsoft\\\\Internet\\ Explorer\\\\Registration\\\\ProductId$",
- ".*\\\\Microsoft\\\\Cryptography\\\\MachineGuid$",
- ".*\\\\HARDWARE\\\\DESCRIPTION\\\\System\\\\SystemBIOSDate$",
- ]
+ indicators = (
+ r".*\\Microsoft\\Windows\\ NT\\CurrentVersion\\DigitalProductId$",
+ r".*\\Microsoft\\Windows\\ NT\\CurrentVersion\\ProductId$",
+ r".*\\Microsoft\\Internet\\ Explorer\\Registration\\ProductId$",
+ r".*\\Microsoft\\Cryptography\\MachineGuid$",
+ r".*\\HARDWARE\\DESCRIPTION\\System\\SystemBIOSDate$",
+ )
 for indicator in indicators:
 match = self.check_read_key(pattern=indicator, regex=True)
diff --git a/modules/signatures/windows/recyclebin_access.py b/modules/signatures/windows/recyclebin_access.py
index 8092e664..8938aaa6 100644
--- a/modules/signatures/windows/recyclebin_access.py
+++ b/modules/signatures/windows/recyclebin_access.py
@@ -36,7 +36,7 @@ class Accesses_RecycleBin(Signature):
 def __init__(self, *args, **kwargs):
 Signature.__init__(self, *args, **kwargs)
- self.filepattern = "^[A-Z]:\\\\\$Recycle.Bin\\\\*"
+ self.filepattern = r"^[A-Z]:\\\$Recycle.Bin\\*"
 self.filematch = False
 self.filenames = list()
diff --git a/modules/signatures/windows/remcos.py b/modules/signatures/windows/remcos.py
index 31879412..117e7db5 100644
--- a/modules/signatures/windows/remcos.py
+++ b/modules/signatures/windows/remcos.py
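Review bot: The first three `Fingerprint` indicators carry the old escaped space into a raw string, so `r"...Windows\\ NT..."` is now the regex `Windows\\ NT`, i.e. `Windows`, a literal backslash, then ` NT` — the previous non-raw `"Windows\\ NT"` was `Windows\ NT`, an escaped space. Registry paths read as `...\Microsoft\Windows NT\CurrentVersion\ProductId` will no longer match, so the product-id / IE-registration fingerprinting this signature exists for goes dark. Inside `r""` the space is just a space: `r".*\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId$",`, `r".*\\Microsoft\\Windows NT\\CurrentVersion\\ProductId$",` and `r".*\\Microsoft\\Internet Explorer\\Registration\\ProductId$",`, the same form the RDP-shadowing hunk in this commit uses for `Windows NT`. The loop body of `run()` continues outside the hunk.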
@@ -30,8 +30,8 @@ class RemcosFiles(Signature): def run(self): indicators = [ - ".*\\\\AppData\\\\Roaming\\\\[Ll]ogs\\\\.*\.dat$", - ".*\\\\AppData\\\\Roaming\\\\remcos.*", + r".*\\AppData\\Roaming\\[Ll]ogs\\.*\.dat$", + r".*\\AppData\\Roaming\\remcos.*", ] for indicator in indicators: @@ -86,8 +86,8 @@ class RemcosRegkeys(Signature): def run(self): indicators = [ - ".*\\\\Software\\\\Remcos-[A-Z0-9]{6}.*", - ".*\\\\Software\\\\remcos[-_].*", + r".*\\Software\\Remcos-[A-Z0-9]{6}.*", + r".*\\Software\\remcos[-_].*", ] for indicator in indicators: diff --git a/modules/signatures/windows/remote_desktop.py b/modules/signatures/windows/remote_desktop.py index b4eff5b6..68917415 100644 --- a/modules/signatures/windows/remote_desktop.py +++ b/modules/signatures/windows/remote_desktop.py @@ -89,7 +89,7 @@ class RDPTCPKey(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [".*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp"] + indicators = [r".*\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp"] for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/removes_networking_icon.py b/modules/signatures/windows/removes_networking_icon.py index 6d46d7b1..f83f5de4 100644 --- a/modules/signatures/windows/removes_networking_icon.py +++ b/modules/signatures/windows/removes_networking_icon.py @@ -30,7 +30,7 @@ class RemovesNetworkingIcon(Signature): def run(self): indicators = [ - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCANetwork", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCANetwork", ] for indicator in indicators: diff --git a/modules/signatures/windows/removes_pinned_programs.py b/modules/signatures/windows/removes_pinned_programs.py index 7bea6ae5..f1129ec8 100644 
--- a/modules/signatures/windows/removes_pinned_programs.py +++ b/modules/signatures/windows/removes_pinned_programs.py @@ -29,10 +29,10 @@ class RemovesPinnedPrograms(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_CURRENT_USER\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\TaskbarNoPinnedList", - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoStartMenuPinnedList", - ] + indicators = ( + r"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer\\TaskbarNoPinnedList", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoStartMenuPinnedList", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/removes_sec_maintain_icon.py b/modules/signatures/windows/removes_sec_maintain_icon.py index 71ad6329..4abf6bfa 100644 --- a/modules/signatures/windows/removes_sec_maintain_icon.py +++ b/modules/signatures/windows/removes_sec_maintain_icon.py @@ -30,7 +30,7 @@ class RemovesSecurityAndMaintenanceIcon(Signature): def run(self): indicators = [ - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth", ] for indicator in indicators: diff --git a/modules/signatures/windows/removes_startmenu_defaults.py b/modules/signatures/windows/removes_startmenu_defaults.py index 411ac1b8..72c2392b 100644 --- a/modules/signatures/windows/removes_startmenu_defaults.py +++ b/modules/signatures/windows/removes_startmenu_defaults.py 
@@ -29,12 +29,12 @@ class RemovesStartMenuDefaults(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = [ - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSMConfigurePrograms", - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSMMyDocs", - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSMMyPictures", - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoNetworkConnections", - ] + indicators = ( + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSMConfigurePrograms", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSMMyDocs", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSMMyPictures", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetworkConnections", + ) for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/removes_username_startmenu.py b/modules/signatures/windows/removes_username_startmenu.py index adfc8b35..98d1375a 100644 --- a/modules/signatures/windows/removes_username_startmenu.py +++ b/modules/signatures/windows/removes_username_startmenu.py @@ -30,7 +30,7 @@ class RemovesUsernameStartMenu(Signature): def run(self): indicators = [ - "HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoUserNameInStartMenu", + r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoUserNameInStartMenu", ] for indicator in indicators: diff --git a/modules/signatures/windows/rootkit_spicyhotpot.py b/modules/signatures/windows/rootkit_spicyhotpot.py index e31e6705..d36cf366 100644 
--- a/modules/signatures/windows/rootkit_spicyhotpot.py +++ b/modules/signatures/windows/rootkit_spicyhotpot.py @@ -38,10 +38,10 @@ def run(self): score += 1 self.data.append({"mutex": match}) - indicators = [ - ".*\\\\Microsoft\\\\(WindowsApps|Media\sPlayer)\\\\(KMDF_LOOK|KMDF_Protect)\.sys", - ".*\\\\Microsoft\\\\Event\sViewer\\\\(wccenter|wdlogin|wrme|wuhost)\.exe", - ] + indicators = ( + r".*\\Microsoft\\(WindowsApps|Media\sPlayer)\\(KMDF_LOOK|KMDF_Protect)\.sys", + r".*\\Microsoft\\Event\sViewer\\(wccenter|wdlogin|wrme|wuhost)\.exe", + ) for indicator in indicators: match = self.check_write_file(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/sniffer_winpcap.py b/modules/signatures/windows/sniffer_winpcap.py index 854117cd..22aee115 100644 --- a/modules/signatures/windows/sniffer_winpcap.py +++ b/modules/signatures/windows/sniffer_winpcap.py @@ -28,7 +28,7 @@ class InstallsWinpcap(Signature): mbcs = ["OB0009", "B0023"] def run(self): - indicators = [".*\\\\packet\.dll$", ".*\\\\npf\.sys$", ".*\\\\wpcap\.dll$"] + indicators = (r".*\\packet\.dll$", r".*\npf\.sys$", ".*\wpcap\.dll$") for indicator in indicators: file_path = self.check_file(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/spreading_autoruninf.py b/modules/signatures/windows/spreading_autoruninf.py index 9addaad5..6e826d2a 100644 --- a/modules/signatures/windows/spreading_autoruninf.py +++ b/modules/signatures/windows/spreading_autoruninf.py @@ -27,4 +27,4 @@ class CreatesAutorunInf(Signature): mbcs = ["OC0001", "C0016"] # micro-behaviour def run(self): - return self.check_file(pattern=".*\\\\autorun\.inf$", regex=True) + return self.check_file(pattern=r".*\\autorun\.inf$", regex=True) diff --git a/modules/signatures/windows/stealth_hiddenextension.py b/modules/signatures/windows/stealth_hiddenextension.py index a01a250a..c22f1970 100644 --- a/modules/signatures/windows/stealth_hiddenextension.py 
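Review bot: Only the first of the three patterns in the sniffer_winpcap hunk kept its path separator: `r".*\npf\.sys$"` contains a regex newline (`\n`) rather than `\\npf`, and the non-raw `".*\wpcap\.dll$"` turns the separator into `\w` (any word character). Both were `\\\\` in the old string and should be `indicators = (r".*\\packet\.dll$", r".*\\npf\.sys$", r".*\\wpcap\.dll$")`. As written the npf.sys indicator can never match a path and the wpcap one also matches names such as `xwpcap.dll`.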
+++ b/modules/signatures/windows/stealth_hiddenextension.py @@ -31,7 +31,7 @@ class StealthHiddenExtension(Signature): def run(self): if self.check_write_key( - pattern=".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt$", + pattern=r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt$", regex=True, all=True, ): diff --git a/modules/signatures/windows/stealth_hiddenreg.py b/modules/signatures/windows/stealth_hiddenreg.py index fed6f275..613e9b91 100644 --- a/modules/signatures/windows/stealth_hiddenreg.py +++ b/modules/signatures/windows/stealth_hiddenreg.py @@ -19,11 +19,11 @@ class StealthHiddenReg(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - reg_indicators = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\SuperHidden$", - ] + reg_indicators = ( + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SuperHidden$", + ) for indicator in reg_indicators: reg_match = self.check_write_key(pattern=indicator, regex=True, all=True) diff --git a/modules/signatures/windows/stealth_hidenotifications.py b/modules/signatures/windows/stealth_hidenotifications.py index 82461d9d..ae064efa 100644 --- a/modules/signatures/windows/stealth_hidenotifications.py +++ b/modules/signatures/windows/stealth_hidenotifications.py 
@@ -20,8 +20,8 @@ class StealthHideNotifications(Signature): def run(self): reg_indicators = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth$", - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Advanced\\\\TaskbarNoNotification$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\HideSCAHealth$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Advanced\\TaskbarNoNotification$", ] for indicator in reg_indicators: diff --git a/modules/signatures/windows/stealth_webhistory.py b/modules/signatures/windows/stealth_webhistory.py index 5fbe94f4..d90a437f 100644 --- a/modules/signatures/windows/stealth_webhistory.py +++ b/modules/signatures/windows/stealth_webhistory.py @@ -16,11 +16,11 @@ class StealthWebHistory(Signature): def run(self): file_indicators = [ - ".*\\\\History\\\\History\.IE5\\\\.*", - ".*\\\\Temporary\\\\ Internet\\ Files\\\\Content\.IE5\\\\.*", + r".*\\History\\History\.IE5\\.*", + r".*\\Temporary\\ Internet\\ Files\\Content\.IE5\\.*", ] if self.results.get("target", {}).get("category", "") == "file": - file_indicators.append(".*\\\\Cookies\\\\.*") + file_indicators.append(".*\\Cookies\\.*") found_cleaner = False for indicator in file_indicators: file_match = self.check_delete_file(pattern=indicator, regex=True, all=True) diff --git a/modules/signatures/windows/sysinternals.py b/modules/signatures/windows/sysinternals.py index 54fd860b..333ca4eb 100644 --- a/modules/signatures/windows/sysinternals.py +++ b/modules/signatures/windows/sysinternals.py @@ -29,7 +29,7 @@ class sysinternals_tools(Signature): def run(self): reg_indicators = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Sysinternals\\\\.*", + r".*\\Software\\(Wow6432Node\\)?Sysinternals\\.*", ] for indicator in reg_indicators: 
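Review bot: The appended Cookies pattern in the stealth_webhistory hunk is the one string that did not get the `r` prefix, so `".*\\Cookies\\.*"` now evaluates to `.*\Cookies\.*`, and `re` raises `bad escape \C` on it while the two list entries above it are correct. It should read `file_indicators.append(r".*\\Cookies\\.*")`. Depending on how `check_delete_file` handles a compile error, this either aborts the signature or silently drops the Cookies check for file targets.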
@@ -54,7 +54,7 @@ class sysinternals_psexec(Signature): def run(self): reg_indicators = [ - ".*\\\\Software\\\\(Wow6432Node\\\\)?Sysinternals\\\\PsExec\\\\.*", + r".*\\Software\\(Wow6432Node\\)?Sysinternals\\PsExec\\.*", ] for indicator in reg_indicators: diff --git a/modules/signatures/windows/tampers_etw.py b/modules/signatures/windows/tampers_etw.py index 6b598994..00bc8c2f 100644 --- a/modules/signatures/windows/tampers_etw.py +++ b/modules/signatures/windows/tampers_etw.py @@ -30,13 +30,13 @@ class TampersETW(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - reg_indicators = [ - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft\.NETFramework\\\\ETWEnabled", - "HKEY_CURRENT_USER\\\\Environment\\\\COMPlus_ETWEnabled", - "HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\Environment\\\\COMPlus_ETWEnabled", - ] + reg_indicators = ( + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Microsoft\.NETFramework\\ETWEnabled", + r"HKEY_CURRENT_USER\\Environment\\COMPlus_ETWEnabled", + r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment\\COMPlus_ETWEnabled", + ) - cmd_indicators = [".*set\scomplus_etwenabled.*", ".*env:complus_etwenabled.*", ".*etwenabled.*(value|\/d)\s0.*"] + cmd_indicators = (".*set\scomplus_etwenabled.*", ".*env:complus_etwenabled.*", ".*etwenabled.*(value|\/d)\s0.*") for rindicator in reg_indicators: match = self.check_write_key(pattern=rindicator, regex=True) diff --git a/modules/signatures/windows/tampers_lsa.py b/modules/signatures/windows/tampers_lsa.py index adf8965e..3454ba8b 100644 --- a/modules/signatures/windows/tampers_lsa.py +++ b/modules/signatures/windows/tampers_lsa.py @@ -33,7 +33,7 @@ def run(self): ret = False keys = [ - ".*\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\.*", + r".*\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\.*", ] for check in keys: 
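Review bot: `cmd_indicators` in the tampers_etw hunk was converted to a tuple but left as non-raw strings, so `\s` and `\/` remain invalid Python escapes (a SyntaxWarning on 3.12+) while `reg_indicators` directly above is raw. Behaviour is unchanged because the interpreter keeps unknown escapes literally, but for consistency with the rest of the series it should be `cmd_indicators = (r".*set\scomplus_etwenabled.*", r".*env:complus_etwenabled.*", r".*etwenabled.*(value|\/d)\s0.*")`.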
diff --git a/modules/signatures/windows/tampers_powershell_logging.py b/modules/signatures/windows/tampers_powershell_logging.py index e66ed3bc..79049ea6 100644 --- a/modules/signatures/windows/tampers_powershell_logging.py +++ b/modules/signatures/windows/tampers_powershell_logging.py @@ -31,7 +31,7 @@ class TampersPowerShellLogging(Signature): def run(self): indicators = [ - "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\(Wow6432Node\\\\)?Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\.*", + r"HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Policies\\Microsoft\\Windows\\PowerShell\\.*", ] for indicator in indicators: diff --git a/modules/signatures/windows/targeted_flame.py b/modules/signatures/windows/targeted_flame.py index fb80db47..1e4af732 100644 --- a/modules/signatures/windows/targeted_flame.py +++ b/modules/signatures/windows/targeted_flame.py @@ -38,7 +38,7 @@ def run(self): self.mbcs += ["OC0003", "C0042"] # micro-behaviour return True - indicators = [".*\\\\Microsoft Shared\\\\MSSecurityMgr\\\\.*", ".*\\\\Ef_trace\.log$"] + indicators = (r".*\\Microsoft Shared\\MSSecurityMgr\\.*", r".*\\Ef_trace\.log$") for indicator in indicators: if self.check_file(pattern=indicator, regex=True): diff --git a/modules/signatures/windows/territorial_disputes_sigs.py b/modules/signatures/windows/territorial_disputes_sigs.py index 0e54a69d..14feace6 100644 --- a/modules/signatures/windows/territorial_disputes_sigs.py +++ b/modules/signatures/windows/territorial_disputes_sigs.py 
@@ -28,44 +28,44 @@ class TerritorialDisputeSIGs(Signature): def run(self): registry_indicators = [ - (".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\StrtdCfg$", ["SIG1"]), - (".*\\\\System\\\\CurrentControlSet\\\\Control\\\\CrashImage$", ["SIG2"]), - (".*\\\\System\\\\CurrentControlSet\\\\Services\\\\systmmgmt\\\\Paramaters\\\\ServiceDll$", ["SIG5"]), + (r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\StrtdCfg$", ["SIG1"]), + (r".*\\System\\CurrentControlSet\\Control\\CrashImage$", ["SIG2"]), + (r".*\\System\\CurrentControlSet\\Services\\systmmgmt\\Paramaters\\ServiceDll$", ["SIG5"]), ( - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\ipmontr$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\ipmontr$", ["SIG6"], ), - (".*\\\\Software\\\\Microsoft\\\\WinKernel\\\\Explorer\\\\Run\\\\ipmontr$", ["SIG6"]), + (r".*\\Software\\Microsoft\\WinKernel\\Explorer\\Run\\ipmontr$", ["SIG6"]), ( - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\Internet32$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\Internet32$", ["SIG7"], ), - (".*\\\\System\\\\CurrentControlSet\\\\Control\\\\timezoneinformation\\\\standard(date|time)bias$", ["SIG10"]), - (".*\\\\System\\\\(Wow6432Node\\\\)?Microsoft\\\\MSFix$", ["SIG12"]), + (r".*\\System\\CurrentControlSet\\Control\\timezoneinformation\\standard(date|time)bias$", ["SIG10"]), + (r".*\\System\\(Wow6432Node\\)?Microsoft\\MSFix$", ["SIG12"]), ( - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\WindowsFirewallSecurityServ$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\WindowsFirewallSecurityServ$", ["SIG14"], ), - (".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\slidebar$", ["SIG14"]), - 
(".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\MSDeviceDriver$", ["SIG14"]), - (".*\\\\Software\\\\Postman$", ["SIG15"]), - (".*\\\\System\\\\(Wow6432Node\\\\)?Microsoft\\\\WinMI$", ["SIG19"]), - (".*\\\\Software\\\\Sun\\\\.*(AppleTlk|IsoTp)$", ["SIG22"]), - (".*\\\\System\\\\(Wow6432Node\\\\)?Microsoft\\\\NetWin$", ["SIG23"]), - (".*\\\\Software\\\\Adobe\\\\Fix$", ["SIG26"]), + (r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\slidebar$", ["SIG14"]), + (r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\MSDeviceDriver$", ["SIG14"]), + (r".*\\Software\\Postman$", ["SIG15"]), + (r".*\\System\\(Wow6432Node\\)?Microsoft\\WinMI$", ["SIG19"]), + (r".*\\Software\\Sun\\.*(AppleTlk|IsoTp)$", ["SIG22"]), + (r".*\\System\\(Wow6432Node\\)?Microsoft\\NetWin$", ["SIG23"]), + (r".*\\Software\\Adobe\\Fix$", ["SIG26"]), ( - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Streams\\\\Desktop\\\\Default\s(Statusbar|MenuBars|Taskbar|Zone)(\sSign)?", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Explorer\\Streams\\Desktop\\Default\s(Statusbar|MenuBars|Taskbar|Zone)(\sSign)?", ["SIG31"], ), - (".*\\\\System\\\\CurrentControlSet\\\\Services\\\\Installer\sManagement$", ["SIG34"]), - (".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\MS\sQAG\\\\U\d{2}$", ["SIG39"]), + (r".*\\System\\CurrentControlSet\\Services\\Installer\sManagement$", ["SIG34"]), + (r".*\\Software\\(Wow6432Node\\)?Microsoft\\MS\sQAG\\U\d{2}$", ["SIG39"]), ( - ".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\ShellServiceObjectDelayLoad(\\\\NetIDS)?$", + r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad(\\NetIDS)?$", ["SIG40"], ), - (".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\sNT\\\\CurrentVersion\\\\winlogo\\\\Userinit$", ["SIG40"]), - (".*\\\\System\\\\CurrentControlSet\\\\Control\\\\DType\d$", 
["SIG43"]), - (".*\\\\Software\\\\(Wow6432Node\\\\)?Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Internet$", ["SIG45"]), + (r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\sNT\\CurrentVersion\\winlogo\\Userinit$", ["SIG40"]), + (r".*\\System\\CurrentControlSet\\Control\\DType\d$", ["SIG43"]), + (r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\Internet$", ["SIG45"]), ] for indicator in registry_indicators: diff --git a/modules/signatures/windows/trickbot_files.py b/modules/signatures/windows/trickbot_files.py index 8f27e59d..6c265e77 100644 --- a/modules/signatures/windows/trickbot_files.py +++ b/modules/signatures/windows/trickbot_files.py @@ -21,10 +21,7 @@ class TrickBotTaskDelete(Signature): def on_call(self, call, process): if call["api"] == ("DeleteFileW") and ( - self.get_argument(call, "FileName").endswith("TrickBot.job") - or self.get_argument(call, "FileName").endswith("TrickBot") - or self.get_argument(call, "FileName").endswith("Drivers update.job") - or self.get_argument(call, "FileName").endswith("Tasks\\Bot.job") + self.get_argument(call, "FileName").endswith(("TrickBot.job", "TrickBot", "Drivers update.job", "Tasks\\Bot.job")) ): self.data.append({"file": self.get_argument(call, "FileName")}) if self.pid: diff --git a/modules/signatures/windows/trickbot_mutex.py b/modules/signatures/windows/trickbot_mutex.py index b2be051d..1dfd6d68 100644 --- a/modules/signatures/windows/trickbot_mutex.py +++ b/modules/signatures/windows/trickbot_mutex.py @@ -13,7 +13,7 @@ class TrickBotMutexes(Signature): mbcs = ["OC0003", "C0042"] # micro-behaviour def run(self): - if self.check_mutex("Global\\TrickBot") or self.check_mutex("Global\\MGlob"): + if self.check_mutex(r"Global\TrickBot") or self.check_mutex(r"Global\MGlob"): return True return False diff --git a/modules/signatures/windows/trojan_ursnif.py b/modules/signatures/windows/trojan_ursnif.py index 91876594..b0e380a7 100644 --- a/modules/signatures/windows/trojan_ursnif.py 
+++ b/modules/signatures/windows/trojan_ursnif.py @@ -31,23 +31,21 @@ class UrsnifBehavior(Signature): def run(self): score = 0 - guid = "[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}" - regpath = "HKEY_CURRENT_USER\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft" + guid = r"[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}" + regpath = r"HKEY_CURRENT_USER\\Software\\AppDataLow\\Software\\Microsoft" regkeys = [ "Client", "Client32", "Client64", ] registry_indicators = [] - file_indicators = [".*\\\\mailslot\\\\[a-z]?(sl)[a-z0-9]{1,}$", ".*\\\\AppData\\\\Roaming\\\\Microsoft\\\\.*\\\\.*.dll$"] - mutex_indicators = "^Local\\\\\{[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}\}$" + file_indicators = (r".*\\mailslot\\[a-z]?(sl)[a-z0-9]{1,}$", r".*\\AppData\\Roaming\\Microsoft\\.*\\.*.dll$") + mutex_indicators = r"^Local\\\{[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}\}$" for rkey in regkeys: - registry_indicators.append(regpath + "\\\\" + guid + "\\\\" + rkey + "$") + registry_indicators.append(regpath + "\\" + guid + "\\" + rkey + "$") - registry_indicators.append( - ".*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\EnableSPDY3_0$" - ) + registry_indicators.append(r".*\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnableSPDY3_0$") for rindicator in registry_indicators: match = self.check_write_key(pattern=rindicator, regex=True) diff --git a/modules/signatures/windows/virus_neshta.py b/modules/signatures/windows/virus_neshta.py index 109e330e..4511b738 100644 --- a/modules/signatures/windows/virus_neshta.py +++ b/modules/signatures/windows/virus_neshta.py 
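Review bot: The separator pieces in the loop of the trojan_ursnif hunk are non-raw, so `regpath + "\\" + guid + "\\" + rkey + "$"` now puts a single backslash before the GUID class and before the key name; `\[` makes the `[` literal and `\C` is rejected by `re` as a bad escape, so none of the three Client keys can match. The old code had `"\\\\"` here; keep the doubled backslash with `registry_indicators.append(regpath + r"\\" + guid + r"\\" + rkey + "$")`. The `r` prefix added to `guid` is harmless but unnecessary, since that string contains no backslashes.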
@@ -66,7 +66,7 @@ def __init__(self, *args, **kwargs): def on_call(self, call, process): if call["api"] == "RegSetValueExA": key = self.get_argument(call, "FullName").lower() - if ".*\\software\\classes\\exefile\\shell\\open\\command.*" in key: + if r".*\\software\classes\\exefile\\shell\\open\\command.*" in key: buf = self.get_argument(call, "Buffer").lower() if re.match(r"^c:\\windows\\svchost.com\ \"%1\"\ %\*$", buf): self.match = True diff --git a/modules/signatures/windows/webshell.py b/modules/signatures/windows/webshell.py index 51e15643..12bd355f 100644 --- a/modules/signatures/windows/webshell.py +++ b/modules/signatures/windows/webshell.py @@ -60,7 +60,7 @@ class WebShellFiles(Signature): ttps += ["T1505.003"] # MITRE v7,8 def run(self): - indicators = [".*\\\\inetpub\\\\wwwroot\\\\.*", ".*\\\\System32\\\\inetsrv\\\\.*"] + indicators = [r".*\inetpub\wwwroot\.*", ".*\System32\inetsrv\.*"] for indicator in indicators: match = self.check_write_file(pattern=indicator, regex=True) @@ -83,7 +83,7 @@ class OWAWebShellFiles(Signature): def run(self): indicators = [ - "C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V[0-9]{2}\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\.*", + r"C:\\Program Files\Microsoft\Exchange Server\V[0-9]{2}\FrontEnd\HttpProxy\owa\.*", ] for indicator in indicators: diff --git a/modules/signatures/windows/whitelisting_bypass_dev_utils.py b/modules/signatures/windows/whitelisting_bypass_dev_utils.py index ad8982c7..e9cab279 100644 --- a/modules/signatures/windows/whitelisting_bypass_dev_utils.py +++ b/modules/signatures/windows/whitelisting_bypass_dev_utils.py 
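Review bot: The rewritten condition in the virus_neshta hunk is still a substring test (`in key`) on a literal that contains `.*`, so it cannot match a real registry path; the raw conversion also left `\\software` with two backslashes but `\classes` with one, which shows the value was meant as a regex. Since `re` is already used on the following line and `key` is lowercased just above, `if re.search(r"\\software\\classes\\exefile\\shell\\open\\command", key):` would make the check actually work. `on_call` continues outside the hunk.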
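Review bot: Both webshell.py hunks halve the path separators inside raw strings, which changes the regexes: `r".*\inetpub\wwwroot\.*"` yields `\i` (rejected by `re` as a bad escape) and the non-raw `".*\System32\inetsrv\.*"` yields `\S` (non-whitespace) followed by `\i`; the OWA pattern likewise ends up with `\M`, `\E`, `\V`, `\F` and `\H` after its first segment. A raw string needs `\\` for each literal backslash, exactly as the other hunks in this series do: `indicators = [r".*\\inetpub\\wwwroot\\.*", r".*\\System32\\inetsrv\\.*"]` and `r"C:\\Program Files\\Microsoft\\Exchange Server\\V[0-9]{2}\\FrontEnd\\HttpProxy\\owa\\.*"`.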
@@ -38,10 +38,10 @@ class PersistsDotNetDevUtility(Signature): def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) self.devtools = [ - re.compile("[A-Za-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\RegAsm\.exe", re.IGNORECASE), - re.compile("[A-Za-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\MSBuild\.exe", re.IGNORECASE), - re.compile("[A-Za-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\RegSvcs\.exe", re.IGNORECASE), - re.compile("[A-Za-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\InstallUtil\.exe", re.IGNORECASE), + re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\RegAsm\.exe", re.IGNORECASE), + re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\MSBuild\.exe", re.IGNORECASE), + re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\RegSvcs\.exe", re.IGNORECASE), + re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\InstallUtil\.exe", re.IGNORECASE), ] self.sname = str() self.dname = str() 
@@ -90,18 +90,16 @@ class SpwansDotNetDevUtiliy(Signature): def __init__(self, *args, **kwargs): Signature.__init__(self, *args, **kwargs) self.devtools = [ - re.compile("[A-Za-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\RegAsm\.exe", re.IGNORECASE), - re.compile("[A-Za-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\MSBuild\.exe", re.IGNORECASE), - re.compile("[A-Za-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\RegSvcs\.exe", re.IGNORECASE), - re.compile("[A-Za-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\InstallUtil\.exe", re.IGNORECASE), - re.compile("[A-Za-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\mscorsvw\.exe", re.IGNORECASE), - re.compile("[A-Z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\CasPol\.exe", re.IGNORECASE), - re.compile( - "[A-Z]:\\\\\\\\Windows\\\\\\\\Microsoft\.NET\\\\\\\\Framework\\\\\\\\v.*\\\\\\\\MSBuild\.exe", re.IGNORECASE - ), - re.compile("[A-Za-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\AppLaunch\.exe", re.IGNORECASE), - re.compile("[A-Za-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\aspnet_regbrowsers\.exe", re.IGNORECASE), - re.compile("[A-Za-z]:\\\\Windows\\\\Microsoft\.NET\\\\Framework\\\\v.*\\\\ilasm.exe", re.IGNORECASE), + re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\RegAsm\.exe", re.IGNORECASE), + re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\MSBuild\.exe", re.IGNORECASE), + re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\RegSvcs\.exe", re.IGNORECASE), + re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\InstallUtil\.exe", re.IGNORECASE), + re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\mscorsvw\.exe", re.IGNORECASE), + re.compile(r"[A-Z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\CasPol\.exe", re.IGNORECASE), + re.compile(r"[A-Z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\MSBuild\.exe", re.IGNORECASE), + 
re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\AppLaunch\.exe", re.IGNORECASE), + re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\aspnet_regbrowsers\.exe", re.IGNORECASE), + re.compile(r"[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework\\v.*\\ilasm.exe", re.IGNORECASE), ] self.sname = str() self.dname = str() diff --git a/modules/signatures/windows/windows_utilities.py b/modules/signatures/windows/windows_utilities.py index 98307c08..1529758f 100644 --- a/modules/signatures/windows/windows_utilities.py +++ b/modules/signatures/windows/windows_utilities.py @@ -132,8 +132,8 @@ def run(self): return ret -GENERIC_CMD = '"c:\\windows\\system32\\cmd.exe" /c start /wait "" ' -SUBSEQUENT_GENERIC_CMD = "c:\\windows\\system32\\cmd.exe /k " +GENERIC_CMD = r'"c:\\windows\system32\cmd.exe" /c start /wait "" ' +SUBSEQUENT_GENERIC_CMD = r"c:\windows\system32\cmd.exe /k " class SuspiciousCommandTools(Signature): @@ -491,7 +491,7 @@ class SuspiciousMpCmdRunUse(Signature): def run(self): indicators = [ - ".*MpCmdRun(\.exe)?.*-url.*", + r".*MpCmdRun(\.exe)?.*-url.*", ] for indicator in indicators: diff --git a/modules/signatures/windows/wiper.py b/modules/signatures/windows/wiper.py index 9f63f8db..d15f9b25 100644 --- a/modules/signatures/windows/wiper.py +++ b/modules/signatures/windows/wiper.py @@ -48,7 +48,7 @@ def on_call(self, call, process): return buff = buff.lower() - regex = re.compile("^[\\x00\.]+$") + regex = re.compile(r"^[\x00\.]+$") if len(buff) > 30 and regex.match(buff): self.lastfile = filepath self.wipecount += 1 From 84347aa5ff92da0eefe9e08ade1980cbbeeb7d6a Mon Sep 17 00:00:00 2001 From: doomedraven Date: Sat, 28 Sep 2024 17:11:03 +0200 Subject: [PATCH 2/6] Update script_misc.py --- modules/signatures/windows/script_misc.py | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/signatures/windows/script_misc.py b/modules/signatures/windows/script_misc.py index 37db1f0e..878d21fd 100644 --- a/modules/signatures/windows/script_misc.py 
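Review bot: After the cleanup in the SpwansDotNetDevUtiliy hunk the `[A-Z]:...MSBuild\.exe` entry is redundant: with `re.IGNORECASE` it matches exactly the same paths as the `[A-Za-z]:...MSBuild\.exe` entry five lines above it, so one of the two can be dropped. The `ilasm.exe` entry is also the only one with an unescaped dot; `ilasm\.exe` would match the others. `__init__` continues past the end of the hunk.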
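Review bot: `GENERIC_CMD` in the windows_utilities hunk changed value: the old `'"c:\\windows\\system32\\cmd.exe" ...'` evaluated to a single backslash after `c:`, whereas the new raw `r'"c:\\windows\system32\cmd.exe" ...'` keeps two, while `SUBSEQUENT_GENERIC_CMD` on the next line was converted correctly to single backslashes. If the constant is compared against command lines as a plain string (its use is outside the hunk), it will no longer match; it should be `GENERIC_CMD = r'"c:\windows\system32\cmd.exe" /c start /wait "" '`.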
+++ b/modules/signatures/windows/script_misc.py @@ -13,7 +13,6 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -import re from lib.cuckoo.common.abstracts import Signature From 93e52993dce9d3cb55f46ada2fb12c17f6b1a2af Mon Sep 17 00:00:00 2001 From: doomedraven Date: Sat, 28 Sep 2024 17:13:35 +0200 Subject: [PATCH 3/6] sync --- analyzer/windows/modules/auxiliary/autoruns.py | 7 +++---- modules/signatures/windows/persistence_autorun.py | 2 +- utils/download_yara.py | 1 - 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/analyzer/windows/modules/auxiliary/autoruns.py b/analyzer/windows/modules/auxiliary/autoruns.py index fdd767b8..0997950e 100644 --- a/analyzer/windows/modules/auxiliary/autoruns.py +++ b/analyzer/windows/modules/auxiliary/autoruns.py @@ -4,6 +4,7 @@ import platform import shlex import subprocess +from contextlib import suppress from winreg import HKEY_CURRENT_USER, KEY_ALL_ACCESS, REG_DWORD, CreateKeyEx, SetValueEx from lib.common.abstracts import Auxiliary @@ -34,11 +35,9 @@ def __init__(self, options, config): if not os.path.exists(self.output_dir): os.makedirs(self.output_dir) # reg.exe ADD "HKCU\Software\Sysinternals\Autoruns" /v EulaAccepted /t REG_DWORD /d 1 /f - try: + with suppress(OSError): with CreateKeyEx(HKEY_CURRENT_USER, "Software\Sysinternals\Autoruns", 0, KEY_ALL_ACCESS) as key: SetValueEx(key, "EulaAccepted", 0, REG_DWORD, 1) - except OSError as e: - pass bin_path = os.path.join(os.getcwd(), "bin") # First figure out what architecture the system in running (64 or 86) @@ -112,7 +111,7 @@ def stop(self): else: log.debug("Diff file is empty") except Exception as e: - log.debug("Diff file doesn't seem to exist") + log.debug("Diff file doesn't seem to exist: %s", str(e)) # Upload the autoruns diff file to the host. log.debug(files_to_upload) 
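Review bot: The new `with suppress(OSError):` in the first autoruns hunk wraps a key path, `"Software\Sysinternals\Autoruns"`, that still uses non-raw `\S` and `\A` escapes, which Python 3.12 reports as a SyntaxWarning; since this series converts such literals elsewhere, it should become `r"Software\Sysinternals\Autoruns"`. Suppressing the error also hides the case where the EulaAccepted value could not be written, so an explicit `except OSError as e: log.debug("Could not set Autoruns EulaAccepted: %s", e)` would be more useful when diagnosing a run that never produces output. `__init__` starts before this hunk and continues after it.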
diff --git a/modules/signatures/windows/persistence_autorun.py b/modules/signatures/windows/persistence_autorun.py index c5cb18e6..b97d1ee5 100644 --- a/modules/signatures/windows/persistence_autorun.py +++ b/modules/signatures/windows/persistence_autorun.py @@ -168,7 +168,7 @@ def on_complete(self): r".*\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load$", r".*\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\.*", r".*\\System\\(CurrentControlSet|ControlSet001)\\Control\\Session\\ Manager\\AppCertDlls\\.*", - r# ".*\\Software\\(Wow6432Node\\)?Classes\\clsid\\[^\\]*\\InprocServer32\\.*", + # ".*\\Software\\(Wow6432Node\\)?Classes\\clsid\\[^\\]*\\InprocServer32\\.*", r".*\\Software\\(Wow6432Node\\)?Classes\\clsid\\[^\\]*\\LocalServer32\\.*", r".*\\Microsoft\\Command\\ Processor\\AutoRun$", r".*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User\ Shell\ Folders\\Startup$", diff --git a/utils/download_yara.py b/utils/download_yara.py index 3d31de4f..0e11129f 100644 --- a/utils/download_yara.py +++ b/utils/download_yara.py @@ -5,7 +5,6 @@ import requests from bs2json import BS2Json -from bs4 import BeautifulSoup ROOT = "/opt/CAPEv2" From a88a60922ded5c60eafe060aaf0553f6aa839a0b Mon Sep 17 00:00:00 2001 From: doomedraven Date: Sat, 28 Sep 2024 18:25:03 +0200 Subject: [PATCH 4/6] sync --- modules/signatures/all/polymorphic.py | 2 +- modules/signatures/all/static_pe_anomaly.py | 2 +- modules/signatures/deprecated/betabot_apis.py | 16 ++++++++-------- modules/signatures/deprecated/codelux_apis.py | 8 ++++---- modules/signatures/deprecated/dyre_apis.py | 4 ++-- modules/signatures/deprecated/hawkeye_apis.py | 10 +++++----- modules/signatures/deprecated/kazybot_apis.py | 8 ++++---- modules/signatures/deprecated/kibex_apis.py | 12 ++++++------ modules/signatures/deprecated/locker_regedit.py | 2 +- 9 files changed, 32 insertions(+), 32 deletions(-) 
diff --git a/modules/signatures/all/polymorphic.py b/modules/signatures/all/polymorphic.py index 52daaadd..8726dae2 100644 --- a/modules/signatures/all/polymorphic.py +++ b/modules/signatures/all/polymorphic.py @@ -69,7 +69,7 @@ def run(self): for path in drop["guest_paths"]: self.data.append({"file": path}) self.data.append({"percent_match": percent}) - except: + except Exception: continue return found_polymorphic diff --git a/modules/signatures/all/static_pe_anomaly.py b/modules/signatures/all/static_pe_anomaly.py index 26fa6f2e..9fbf2533 100644 --- a/modules/signatures/all/static_pe_anomaly.py +++ b/modules/signatures/all/static_pe_anomaly.py @@ -209,7 +209,7 @@ def run(self): self.description = "The PE file contains a suspicious PDB path" break - regex = re.compile("[a-zA-Z]:\\\\[\x00-\xFF]{0,500}[^\x00-\x7F]{1,}[\x00-\xFF]{0,500}\.pdb") + regex = re.compile(r"[a-zA-Z]:\\[\x00-\xFF]{0,500}[^\x00-\x7F]{1,}[\x00-\xFF]{0,500}\.pdb") if re.match(regex, pdbpath): if self.severity != 2 and self.severity != 3: self.severity = 2 diff --git a/modules/signatures/deprecated/betabot_apis.py b/modules/signatures/deprecated/betabot_apis.py index 1cc47f83..9a7e0e73 100644 --- a/modules/signatures/deprecated/betabot_apis.py +++ b/modules/signatures/deprecated/betabot_apis.py @@ -59,8 +59,8 @@ def on_complete(self): # Check for ADS deletion path (Always in hidden ProgramData) # TODO: make this use environ info ads_paths = [ - "C:\\\\ProgramData\\\\.*:Zone\.Identifier$", - "C:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\\\.*:Zone\.Identifier$", + r"C:\\ProgramData\\.*:Zone\.Identifier$", + r"C:\\Program\\ Files\\Common\\ Files\\Microsoft\\.*:Zone\.Identifier$", ] for indicator in ads_paths: if self.check_delete_file(pattern=indicator, regex=True): 
@@ -69,10 +69,10 @@ def on_complete(self):
 # Check for known filesystem behavior
 # TODO: make these use environ info
 file_paths = [
- ".*\\\\jagexcache$",
- ".*\\\\AppData\\\\Roaming\\\\\.minecraft$",
- ".*\\\\Application\\ Data\\\\\.minecraft$",
- ".*\\\\League\\ of\\ Legends$",
+ r".*\\jagexcache$",
+ r".*\\AppData\\Roaming\\\.minecraft$",
+ r".*\\Application\\ Data\\\.minecraft$",
+ r".*\\League\\ of\\ Legends$",
 ]
 for indicator in file_paths:
 if self.check_file(pattern=indicator, regex=True):
@@ -80,8 +80,8 @@ def on_complete(self):
 # Check for known registry behavior
 reg_paths = [
- ".*\\\\SOFTWARE\\\\Classes\\\\origin$",
- ".*\\\\SOFTWARE\\\\Blizzard\\ Entertainment$",
+ r".*\\SOFTWARE\\Classes\\origin$",
+ r".*\\SOFTWARE\\Blizzard\\ Entertainment$",
 ]
 for indicator in reg_paths:
 if self.check_key(pattern=indicator, regex=True):
diff --git a/modules/signatures/deprecated/codelux_apis.py b/modules/signatures/deprecated/codelux_apis.py
index c901e574..d305ab0d 100644
--- a/modules/signatures/deprecated/codelux_apis.py
+++ b/modules/signatures/deprecated/codelux_apis.py
@@ -27,10 +27,10 @@ class CodeLux_APIs(Signature):
 def run(self):
 queryattribs = [
- ".*\\\\CodeluxRunPE.resources.dll$",
- ".*\\\\CodeluxRunPE.resources.exe$",
- ".*\\\\CodeluxVisionStub.resources.exe$",
- ".*\\\\CodeluxVisionStub.resources.dll$",
+ r".*\\CodeluxRunPE.resources.dll$",
+ r".*\\CodeluxRunPE.resources.exe$",
+ r".*\\CodeluxVisionStub.resources.exe$",
+ r".*\\CodeluxVisionStub.resources.dll$",
 ]
 for ioc in queryattribs:
diff --git a/modules/signatures/deprecated/dyre_apis.py b/modules/signatures/deprecated/dyre_apis.py
index 3f5f0330..c8d9a495 100644
--- a/modules/signatures/deprecated/dyre_apis.py
+++ b/modules/signatures/deprecated/dyre_apis.py
@@ -94,8 +94,8 @@ def on_complete(self):
 extract_c2s = True
 mutexs = [
- "^(Global|Local)\\\\pen3j3832h$",
- "^(Global|Local)\\\\u1nyj3rt20",
+ r"^(Global|Local)\\pen3j3832h$",
+ r"^(Global|Local)\\u1nyj3rt20",
 ]
 for mutex in mutexs:
 if self.check_mutex(pattern=mutex, regex=True):
diff --git a/modules/signatures/deprecated/hawkeye_apis.py b/modules/signatures/deprecated/hawkeye_apis.py
index 23bdf8ac..6b3d71a4 100644
--- a/modules/signatures/deprecated/hawkeye_apis.py
+++ b/modules/signatures/deprecated/hawkeye_apis.py
@@ -15,7 +15,7 @@
 try:
 import re2 as re
-except:
+except ImportError:
 import re
 from lib.cuckoo.common.abstracts import Signature
@@ -119,13 +119,13 @@ def on_call(self, call, process):
 self.lastcall = call["api"]
 def on_complete(self):
- if self.check_file(pattern=".*\\\\pid.txt$", regex=True):
+ if self.check_file(pattern=r".*\\pid.txt$", regex=True):
 self.badness += 2
- if self.check_file(pattern=".*\\\\pidloc.txt$", regex=True):
+ if self.check_file(pattern=r".*\\pidloc.txt$", regex=True):
 self.badness += 2
- if self.check_file(pattern=".*\\\\holdermail.txt$", regex=True):
+ if self.check_file(pattern=r".*\\holdermail.txt$", regex=True):
 self.badness += 4
- if self.check_file(pattern=".*\\\\holderwb.txt$", regex=True):
+ if self.check_file(pattern=r".*\\holderwb.txt$", regex=True):
 self.badness += 4
 if self.evmatch:
 self.badness += 5
diff --git a/modules/signatures/deprecated/kazybot_apis.py b/modules/signatures/deprecated/kazybot_apis.py
index d444423a..6114d202 100644
--- a/modules/signatures/deprecated/kazybot_apis.py
+++ b/modules/signatures/deprecated/kazybot_apis.py
@@ -58,10 +58,10 @@ def on_call(self, call, process):
 def on_complete(self):
 module_paths = [
- ".*\\\\SharedCode\\\\SharedCode.dll$",
- ".*\\\\SharedCode\\\\SharedCode.exe$",
- ".*\\\\PluginServer\\\\PluginServer.dll$",
- ".*\\\\PluginServer\\\\PluginServer.exe$",
+ r".*\\SharedCode\\SharedCode.dll$",
+ r".*\\SharedCode\\SharedCode.exe$",
+ r".*\\PluginServer\\PluginServer.dll$",
+ r".*\\PluginServer\\PluginServer.exe$",
 ]
 for indicator in module_paths:
 if self.check_file(pattern=indicator, regex=True):
diff --git a/modules/signatures/deprecated/kibex_apis.py b/modules/signatures/deprecated/kibex_apis.py
index 132f5408..6cf81676 100644
--- a/modules/signatures/deprecated/kibex_apis.py
+++ b/modules/signatures/deprecated/kibex_apis.py
@@ -60,9 +60,9 @@ def on_call(self, call, process):
 def on_complete(self):
 bad_score = self.keylog_inits
 file_iocs = [
- ".*\\\\ProgramData\\\\Browsers\.txt$",
- ".*\\\\ProgramData\\\\Mails\.txt$",
- ".*\\\\Temp\\\\\d{9,10}\.xml$",
+ r".*\\ProgramData\\Browsers\.txt$",
+ r".*\\ProgramData\\Mails\.txt$",
+ r".*\\Temp\\\d{9,10}\.xml$",
 ]
 for ioc in file_iocs:
 match = self.check_file(pattern=ioc, regex=True)
@@ -70,9 +70,9 @@ def on_complete(self):
 bad_score += 3
 stealer_regkeys = [
- ".*\\\\Google\\\\Google\\ Talk\\\\Accounts$",
- ".*\\\\Google\\\\Google\\ Desktop\\\\Mailboxes$",
- ".*\\\\Microsoft\\\\Internet\\ Account\\ Manager\\\\Accounts$",
+ r".*\\Google\\Google\\ Talk\\Accounts$",
+ r".*\\Google\\Google\\ Desktop\\Mailboxes$",
+ r".*\\Microsoft\\Internet\\ Account\\ Manager\\Accounts$",
 ]
 for ioc in stealer_regkeys:
 match = self.check_key(pattern=ioc, regex=True)
diff --git a/modules/signatures/deprecated/locker_regedit.py b/modules/signatures/deprecated/locker_regedit.py
index 62f0ec30..353443d0 100644
--- a/modules/signatures/deprecated/locker_regedit.py
+++ b/modules/signatures/deprecated/locker_regedit.py
@@ -31,7 +31,7 @@ class DisableRegedit(Signature):
 def run(self):
 if self.check_write_key(
- pattern=".*\\\\SOFTWARE\\\\(Wow6432Node\\\\)?\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools$",
+ pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools$",
 regex=True,
 ):
 return True
From 087dfb1609eb43c7f69846c7957badb68164d917 Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Sat, 28 Sep 2024 18:28:16 +0200
Subject: [PATCH 5/6] Update credential_access_phishingkit.py
---
 modules/signatures/all/credential_access_phishingkit.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/signatures/all/credential_access_phishingkit.py b/modules/signatures/all/credential_access_phishingkit.py
index f408bfcf..667c7e50 100644
--- a/modules/signatures/all/credential_access_phishingkit.py
+++ b/modules/signatures/all/credential_access_phishingkit.py
@@ -20,7 +20,7 @@
 try:
 from chepy import Chepy
 except ImportError:
- raise ImportError("Please install chepy")
+ raise ImportError("Optional! Missed dependency. Run: poetry run pip install chepy")
 import base64
From 0042b3254f0875ddfa3f25b5c29ff062a393aecc Mon Sep 17 00:00:00 2001
From: doomedraven
Date: Sat, 5 Oct 2024 11:16:59 +0200
Subject: [PATCH 6/6] Update bypass_uac.py
---
 modules/signatures/windows/bypass_uac.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/modules/signatures/windows/bypass_uac.py b/modules/signatures/windows/bypass_uac.py
index 47959376..3a36dcc7 100644
--- a/modules/signatures/windows/bypass_uac.py
+++ b/modules/signatures/windows/bypass_uac.py
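Review bot: The converted pattern keeps a stray `\\` after the optional group: `SOFTWARE\\(Wow6432Node\\)?\\Microsoft` requires two consecutive backslashes between `SOFTWARE` (or `Wow6432Node`) and `Microsoft`, so `DisableRegistryTools` writes under a normal `...\SOFTWARE\Microsoft\...` path never match and this signature cannot fire. The raw-string form reproduces the old escaping exactly, so this is pre-existing, but it is the moment to fix it: `pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools$",` — compare the `(Wow6432Node\\)?Classes` entries in persistence_autorun.py, which use the correct shape. run continues outside the hunk.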
@@ -216,3 +216,21 @@ def run(self):
 return True
 return False
+
+
+class ChecksUACStatus(Signature):
+ name = "checks_uac_status"
+ description = "Checks if UAC (User Access Control) is enabled"
+ severity = 2
+ categories = ["uac"]
+ authors = ["Kevin Ross"]
+ minimum = "0.5"
+ ttps = ["T1548"] # MITRE v6,7,8
+
+ def run(self):
+ match = self.check_key(pattern=r".*\SOFTWARE\(Wow6432Node\)?Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA$", regex=True)
+ if match:
+ self.data.append({"regkey": match})
+ return True
+
+ return False
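Review bot: The `EnableLUA` pattern in `ChecksUACStatus.run` uses single backslashes inside a raw string, so the regex engine sees `\S`, `\(`, `\)`, `\M`, `\W`, `\C`, `\P` and `\E` rather than path separators: `\(`/`\)` turn the Wow6432Node group into literal parentheses, and `\M`, `\C`, `\P`, `\E` are rejected by Python's `re` as bad escapes, so compiling this pattern raises and the signature either errors out or never matches depending on how `check_key` handles the failure. The separators need doubling, as the rest of the file's patterns do: `match = self.check_key(pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", regex=True)`. The description also misnames the feature — it is "User Account Control" — and since legitimate installers commonly read `EnableLUA` too, a short comment on the class explaining why a read-only query merits severity 2 (e.g. `# low-confidence on its own; intended to corroborate other uac-category hits`) would help analysts weigh the hit.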