From abad1be48bd5d6c03fdce522da16174c0c359a85 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Fri, 4 Oct 2024 15:59:17 +0100
Subject: [PATCH 1/3] Add signature for .tls section

Add signature for threat local storage PE section being present https://attack.mitre.org/techniques/T1055/005/
---
 modules/signatures/all/antianalysis_tls.py | 43 ++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 modules/signatures/all/antianalysis_tls.py

diff --git a/modules/signatures/all/antianalysis_tls.py b/modules/signatures/all/antianalysis_tls.py
new file mode 100644
index 00000000..1260fa68
--- /dev/null
+++ b/modules/signatures/all/antianalysis_tls.py
@@ -0,0 +1,43 @@
+# Copyright (C) 2024 Kevin Ross
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from lib.cuckoo.common.abstracts import Signature
+
+
+class AntiAnalysisTLSSection(Signature):
+    name = "antianalysis_tls_section"
+    description = "Contains .tls (Thread Local Storage) section"
+    severity = 2
+    categories = ["anti-analysis"]
+    authors = ["Kevin Ross"]
+    minimum = "1.3"
+    ttps = ["T1055"]  # MITRE v6
+    ttps += ["T1055"]  # MITRE v6,7,8
+    ttps += ["T1055.005"]  # MITRE v7,8
+    mbcs = ["B0002", "B0003", "E1055"]
+
+    def run(self):
+        ret = False
+
+        target = self.results.get("target", {})
+        if target.get("category") in ("file", "static") and target.get("file"):
+            pe = self.results["target"]["file"].get("pe", [])
+            if pe:
+                for section in pe["sections"]:
+                    if section["name"].lower() == ".tls":
+                        self.data.append({"thread local storage": section})
+                        ret= True
+
+        return ret

From b1ccb9e1182aff7b679ca2c3476fece928dd5daf Mon Sep 17 00:00:00 2001
From: kevross33
Date: Fri, 4 Oct 2024 16:11:00 +0100
Subject: [PATCH 2/3] Update antianalysis_tls.py

---
 modules/signatures/all/antianalysis_tls.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/signatures/all/antianalysis_tls.py b/modules/signatures/all/antianalysis_tls.py
index 1260fa68..5f96aedd 100644
--- a/modules/signatures/all/antianalysis_tls.py
+++ b/modules/signatures/all/antianalysis_tls.py
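Review bot: The `ttps` list ends up holding "T1055" twice, because `ttps = ["T1055"]  # MITRE v6` is immediately followed by `ttps += ["T1055"]  # MITRE v6,7,8`; collapse the two into `ttps = ["T1055"]  # MITRE v6,7,8` and keep `ttps += ["T1055.005"]  # MITRE v7,8`. In run(), `pe["sections"]` raises KeyError on a pe dict that has no "sections" entry, and the `.get("pe", [])` default is a list that could never be indexed by key anyway, so `pe = ...get("pe", {})` with `for section in pe.get("sections", []):` is the safer shape. On detection value, a `.tls` section is emitted by ordinary compilers for thread-local variables, so its mere presence is a weak indicator for T1055.005, which concerns TLS callbacks; if the static PE results expose the TLS directory or callback addresses, keying the signature on those would cut false positives at severity 2. A comment above the loop such as `# reports .tls section presence only; TLS callbacks are the stronger T1055.005 indicator` would set reader expectations either way.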
@@ -38,6 +38,6 @@ def run(self):
                 for section in pe["sections"]:
                     if section["name"].lower() == ".tls":
                         self.data.append({"thread local storage": section})
-                        ret= True
+                        ret = True
 
         return ret

From f055eb07888baccf8a68a49ba1bae8b42a027859 Mon Sep 17 00:00:00 2001
From: kevross33
Date: Fri, 4 Oct 2024 16:17:46 +0100
Subject: [PATCH 3/3] Update antianalysis_tls.py

---
 modules/signatures/all/antianalysis_tls.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/signatures/all/antianalysis_tls.py b/modules/signatures/all/antianalysis_tls.py
index 5f96aedd..3f3c826a 100644
--- a/modules/signatures/all/antianalysis_tls.py
+++ b/modules/signatures/all/antianalysis_tls.py
@@ -36,8 +36,8 @@ def run(self):
             pe = self.results["target"]["file"].get("pe", [])
             if pe:
                 for section in pe["sections"]:
-                    if section["name"].lower() == ".tls":
-                        self.data.append({"thread local storage": section})
+                    if section["name"].lower().startswith(".tls"):
+                        self.data.append({"section": section})
                         ret = True
 
         return ret
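Review bot: The switch from an exact `== ".tls"` comparison to `startswith(".tls")` widens what the signature reports without recording why, and the commit message ("Update antianalysis_tls.py") does not say either; a one-line comment above the condition, e.g. `# prefix match so .tls variants with trailing characters are reported too`, would keep the next reader from reverting it to an exact match. The report key also changes from "thread local storage" to "section", which reads fine given the class description already names TLS, but anything consuming the earlier key would need to follow. The `section["name"].lower()` chain still assumes every section dict carries a string name; if the static parser can leave that field absent or None, `str(section.get("name", "")).lower()` keeps the signature from raising on such input (I cannot tell from the hunk whether that occurs). The enclosing run() body starts outside the hunk.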