From b9871dea0738566810f946e5b48f2eb7a0faba6e Mon Sep 17 00:00:00 2001 From: Sean Whalen Date: Wed, 31 Oct 2018 15:03:51 -0400 Subject: [PATCH 1/4] Update firewall sig and remove outdated sigs - Updated Firewall sig to detect running firewall service on Windows 7 or higher - Remove signatures that always cause false-positives --- modules/signatures/windows/volatility_sig.py | 135 +++---------------- 1 file changed, 17 insertions(+), 118 deletions(-) diff --git a/modules/signatures/windows/volatility_sig.py b/modules/signatures/windows/volatility_sig.py index 2fe8fcbfb..fda89d087 100644 --- a/modules/signatures/windows/volatility_sig.py +++ b/modules/signatures/windows/volatility_sig.py 
@@ -4,106 +4,37 @@ from lib.cuckoo.common.abstracts import Signature -class VolMalfind1(Signature): - name = "volatility_malfind_2" - description = "Malfind detects one or more injected processes" - severity = 3 - categories = ["generic"] - authors = ["Thorsten Sick"] - minimum = "2.0" - - def on_complete(self): - pids = set() - for row in self.get_volatility("malfind").get("data", []): - pids.add(row["process_id"]) - - if pids: - self.mark_vol("malfind", pidcount=len(pids)) - - return self.has_marks() - -class VolLdrModules1(Signature): - name = "volatility_ldrmodules_1" - description = "PEB modified to hide loaded modules. " \ - "Dll very likely not loaded by LoadLibrary" - severity = 3 - categories = ["generic"] - authors = ["Thorsten Sick"] - minimum = "2.0" - - # http://mnin.blogspot.de/2011/06/examining-stuxnets-footprint-in-memory.html - - def on_complete(self): - exceptions = ["csrss.exe"] - - for row in self.get_volatility("ldrmodules").get("data", []): - if not row["dll_in_init"] and not row["dll_in_load"] and \ - not row["dll_in_mem"] and \ - not row["process_name"].lower() in exceptions: - self.mark_vol("unlinked", dll=row) - - return self.has_marks() - -class VolLdrModules2(Signature): - name = "volatility_ldrmodules_2" - description = "PEB modified to hide loaded modules.\ - Not path name. 
Dll very likely not loaded by LoadLibrary" - severity = 3 - categories = ["generic"] - authors = ["Thorsten Sick"] - minimum = "2.0" - - # http://mnin.blogspot.de/2011/06/examining-stuxnets-footprint-in-memory.html - - def on_complete(self): - for row in self.get_volatility("ldrmodules").get("data", []): - if not row["process_name"]: - self.mark_vol("unlinked", dll=row) - return self.has_marks() - -class VolDevicetree1(Signature): - name = "volatility_devicetree_1" - description = "Device driver without name" +class VolFirewallStopped(Signature): + name = "volatility_firewal_stopped" + description = "topped Firewall service" severity = 3 categories = ["generic"] - authors = ["Thorsten Sick"] - families = ["Zero access"] - minimum = "2.0" - - # http://mnin.blogspot.de/2011/10/zeroaccess-volatility-and-kernel-timers.html - - def on_complete(self): - for row in self.get_volatility("devicetree").get("data", []): - if not row["driver_name"]: - self.mark_vol("unnamed_driver", driver=row) - - return self.has_marks() - -class VolSvcscan1(Signature): - name = "volatility_svcscan_1" - description = "Stopped Firewall service" - severity = 3 - categories = ["generic"] - authors = ["Thorsten Sick"] - families = ["Zero access"] + authors = ["Thorsten Sick", "Sean Whalen"] minimum = "2.0" def on_complete(self): + win7_or_higher = False + shared_access_service_stopped = False + modern_firewall_service_stopped = False for row in self.get_volatility("svcscan").get("data", []): - if row["service_name"] == "SharedAccess" and \ - row["service_state"] == "SERVICE_STOPPED": - self.mark_vol("stopped_service", service=row) + if row["service_name"] == "SharedAccess" and row["service_state"] == "SERVICE_STOPPED": + shared_access_service_stopped = True + if row["service_name] = "MpsSvc": + win7_or_higher = True + if rew["service_state] == "SERVICE_STOPPED": + modern_firewall_service_stopped = True + if (not win7_or_higher and shared_access_service_stopped ==True) or 
modern_windows_firewall_stopped: + self.mark_vol("stopped_service", service=row) return self.has_marks() -class VolSvcscan2(Signature): - name = "volatility_svcscan_2" +class SecurityCenterStopped(Signature): + name = "volatility_security_center_stopped" description = "Stopped Security Center service" severity = 3 categories = ["generic"] authors = ["Thorsten Sick"] - families = ["Zero access"] minimum = "2.0" def on_complete(self): @@ -114,38 +45,6 @@ def on_complete(self): return self.has_marks() -class VolSvcscan3(Signature): - name = "volatility_svcscan_3" - description = "Stopped Application Layer Gateway service" - severity = 3 - categories = ["generic"] - authors = ["Thorsten Sick"] - families = ["Zero access"] - minimum = "2.0" - - def on_complete(self): - for row in self.get_volatility("svcscan").get("data", []): - if row["service_name"] == "ALG" and \ - row["service_state"] == "SERVICE_STOPPED": - self.mark_vol("stopped_service", service=row) - - return self.has_marks() - -class VolModscan1(Signature): - name = "volatility_modscan_1" - description = "Kernel module without a name" - severity = 3 - categories = ["generic"] - authors = ["Thorsten Sick"] - families = ["Zero access"] - minimum = "2.0" - - def on_complete(self): - for row in self.get_volatility("modscan").get("data", []): - if not row["kernel_module_name"]: - self.mark_vol("mysterious_kernel_module", kernel_module=row) - - return self.has_marks() class VolHandles1(Signature): name = "volatility_handles_1" From b12b153a2e78d02e1033740700d30f0564ce0420 Mon Sep 17 00:00:00 2001 From: Sean Whalen Date: Wed, 31 Oct 2018 15:13:35 -0400 Subject: [PATCH 2/4] Fix typo --- modules/signatures/windows/volatility_sig.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/signatures/windows/volatility_sig.py b/modules/signatures/windows/volatility_sig.py index fda89d087..0fee69072 100644 --- a/modules/signatures/windows/volatility_sig.py 
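Review bot: `name = "volatility_firewal_stopped"` misspells the signature identifier; since `name` is the key reports and any downstream alerting match on, it should read `name = "volatility_firewall_stopped"`, and none of the later patches in this series correct it (the same line is re-added in PATCH 3/4's hunk). As committed, the new `on_complete` also does not parse (`row["service_name]`, `rew[...]`) and references an undefined `modern_windows_firewall_stopped`, so every signature in this module is unloadable at this point in the series until PATCH 3/4 rewrites the body; squashing patches 1–4 would keep the history bisectable.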
+++ b/modules/signatures/windows/volatility_sig.py
@@ -20,7 +20,7 @@ def on_complete(self):
 for row in self.get_volatility("svcscan").get("data", []):
 if row["service_name"] == "SharedAccess" and row["service_state"] == "SERVICE_STOPPED":
 shared_access_service_stopped = True
- if row["service_name] = "MpsSvc":
+ if row["service_name] == "MpsSvc":
 win7_or_higher = True
 if rew["service_state] == "SERVICE_STOPPED":
 modern_firewall_service_stopped = True
From aa32751dc4fc6b414e0379ba406073b11e6c302a Mon Sep 17 00:00:00 2001
From: Sean Whalen
Date: Wed, 31 Oct 2018 15:39:08 -0400
Subject: [PATCH 3/4] Refactor firewall sigs
---
 modules/signatures/windows/volatility_sig.py | 97 ++++++++++++++++++++
 1 file changed, 97 insertions(+)
diff --git a/modules/signatures/windows/volatility_sig.py b/modules/signatures/windows/volatility_sig.py
index 0fee69072..1c7ec3e2f 100644
--- a/modules/signatures/windows/volatility_sig.py
+++ b/modules/signatures/windows/volatility_sig.py
@@ -1,10 +1,107 @@ # Copyright (C) 2010-2013 Cuckoo Sandbox Developers. +# This file# Copyright (C) 2010-2013 Cuckoo Sandbox Developers. # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org # See the file 'docs/LICENSE' for copying permission. from lib.cuckoo.common.abstracts import Signature +class VolFirewallStopped(Signature): + name = "volatility_firewal_stopped" + description = "Stopped Firewall service" + severity = 3 + categories = ["generic"] + authors = ["Thorsten Sick", "Sean Whalen"] + minimum = "2.0" + + def on_complete(self): + win7_or_higher = False + shared_access_service_stopped = False + modern_firewall_service_stopped = False + shared_access_row = None + modern_firewall_row = None + for row in self.get_volatility("svcscan").get("data", []): + if row["service_name"] == "SharedAccess": + shared_access_row = row + shared_access_service_stopped = True + if row["service_name"] == "MpsSvc": + win7_or_higher = True + shared_access_row = row + if row["service_state"] == "SERVICE_STOPPED": + modern_firewall_service_stopped = True + if not win7_or_higher and shared_access_service_stopped ==True: + self.mark_vol("stopped_service", service=shared_access_row) + if modern_firewall_service_stopped: + self.mark_vol("stopped_service", service=modern_firewall_row) + + return self.has_marks() + +class VolALGStopped(Signature): + name = "volatility_ALG_stopped" + description = "Stopped Application Layer Gateway service" + severity = 3 + categories = ["generic"] + authors = ["Thorsten Sick", "Sean Whalen"] + minimum = "2.0" + + def on_complete(self): + win7_or_higher = False + alg_service_stopped = False + alg_row = None + for row in self.get_volatility("svcscan").get("data", []): + if row["service_name"] == "ALG": + alg_row = row + if row["service_state"] == "SERVICE_STOPPED": + alg_service_stopped = True + if row["service_name"] == "MpsSvc": + win7_or_higher = True + if not win7_or_higher and alg_service_stopped == True: + 
self.mark_vol("stopped_service", service=alg_row) + +class SecurityCenterStopped(Signature): + name = "volatility_security_center_stopped" + description = "Stopped Security Center service" + severity = 3 + categories = ["generic"] + authors = ["Thorsten Sick"] + minimum = "2.0" + + def on_complete(self): + for row in self.get_volatility("svcscan").get("data", []): + if row["service_name"] == "wscsvc" and \ + row["service_state"] == "SERVICE_STOPPED": + self.mark_vol("stopped_service", service=row) + + return self.has_marks() + + +class VolHandles1(Signature): + name = "volatility_handles_1" + description = "One or more thread handles in other processes" + severity = 2 + categories = ["generic"] + authors = ["Thorsten Sick"] + minimum = "2.0" + + def on_complete(self): + threads = set() + + for row in self.get_volatility("handles").get("data", []): + if row["handle_type"] == "Thread": + w1, t1, w2, p1 = row["handle_name"].split(" ") + if int(p1) != row["process_id"]: + threads.add("%d -> %s/%s" % (row["process_id"], p1, t1)) + + if threads: + self.mark_vol("injections", threads=list(threads)) + + return self.has_marks() + is part of Cuckoo Sandbox - http://www.cuckoosandbox.org +# See the file 'docs/LICENSE' for copying permission. + +from lib.cuckoo.common.abstracts import Signature + + class VolFirewallStopped(Signature): name = "volatility_firewal_stopped" description = "topped Firewall service" From 6561c026fe17beb8d3fda1ed0492da570d9f8e90 Mon Sep 17 00:00:00 2001 From: Sean Whalen Date: Wed, 31 Oct 2018 15:41:22 -0400 Subject: [PATCH 4/4] Fix copy/paste error --- modules/signatures/windows/volatility_sig.py | 69 -------------------- 1 file changed, 69 deletions(-) diff --git a/modules/signatures/windows/volatility_sig.py b/modules/signatures/windows/volatility_sig.py index 1c7ec3e2f..204108898 100644 --- a/modules/signatures/windows/volatility_sig.py +++ b/modules/signatures/windows/volatility_sig.py 
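Review bot: In VolFirewallStopped.on_complete the `SharedAccess` branch sets `shared_access_service_stopped = True` as soon as the service is present, without the `row["service_state"] == "SERVICE_STOPPED"` test that the MpsSvc and ALG branches apply, so on any image without MpsSvc (pre-Windows-7) the signature fires whenever SharedAccess merely exists — reintroducing the false positives this series set out to remove. The MpsSvc branch then stores its row in `shared_access_row` instead of `modern_firewall_row`, which stays `None`, so the modern-firewall mark is emitted with `service=None` and the evidence row is missing from the report. VolALGStopped.on_complete ends without `return self.has_marks()`; every sibling signature returns it, and if the runner relies on that value (not verifiable from this hunk) the ALG match is never reported. The `== True` comparisons in both classes can be dropped; indentation is collapsed in this view, so branch nesting is read from statement order.
```python
        for row in self.get_volatility("svcscan").get("data", []):
            if row["service_name"] == "SharedAccess":
                shared_access_row = row
                if row["service_state"] == "SERVICE_STOPPED":
                    shared_access_service_stopped = True
            if row["service_name"] == "MpsSvc":
                win7_or_higher = True
                modern_firewall_row = row
                if row["service_state"] == "SERVICE_STOPPED":
                    modern_firewall_service_stopped = True
        if not win7_or_higher and shared_access_service_stopped:
            self.mark_vol("stopped_service", service=shared_access_row)
        # … unchanged: modern-firewall mark and return self.has_marks() …

        # … unchanged: VolALGStopped.on_complete svcscan loop …
        if not win7_or_higher and alg_service_stopped:
            self.mark_vol("stopped_service", service=alg_row)

        return self.has_marks()
```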
@@ -1,5 +1,4 @@
 # Copyright (C) 2010-2013 Cuckoo Sandbox Developers.
-# This file# Copyright (C) 2010-2013 Cuckoo Sandbox Developers.
 # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org
 # See the file 'docs/LICENSE' for copying permission.
 
@@ -75,74 +74,6 @@ def on_complete(self): return self.has_marks() -class VolHandles1(Signature): - name = "volatility_handles_1" - description = "One or more thread handles in other processes" - severity = 2 - categories = ["generic"] - authors = ["Thorsten Sick"] - minimum = "2.0" - - def on_complete(self): - threads = set() - - for row in self.get_volatility("handles").get("data", []): - if row["handle_type"] == "Thread": - w1, t1, w2, p1 = row["handle_name"].split(" ") - if int(p1) != row["process_id"]: - threads.add("%d -> %s/%s" % (row["process_id"], p1, t1)) - - if threads: - self.mark_vol("injections", threads=list(threads)) - - return self.has_marks() - is part of Cuckoo Sandbox - http://www.cuckoosandbox.org -# See the file 'docs/LICENSE' for copying permission. - -from lib.cuckoo.common.abstracts import Signature - - -class VolFirewallStopped(Signature): - name = "volatility_firewal_stopped" - description = "topped Firewall service" - severity = 3 - categories = ["generic"] - authors = ["Thorsten Sick", "Sean Whalen"] - minimum = "2.0" - - def on_complete(self): - win7_or_higher = False - shared_access_service_stopped = False - modern_firewall_service_stopped = False - for row in self.get_volatility("svcscan").get("data", []): - if row["service_name"] == "SharedAccess" and row["service_state"] == "SERVICE_STOPPED": - shared_access_service_stopped = True - if row["service_name] == "MpsSvc": - win7_or_higher = True - if rew["service_state] == "SERVICE_STOPPED": - modern_firewall_service_stopped = True - if (not win7_or_higher and shared_access_service_stopped ==True) or modern_windows_firewall_stopped: - self.mark_vol("stopped_service", service=row) - - return self.has_marks() - -class SecurityCenterStopped(Signature): - name = "volatility_security_center_stopped" - description = "Stopped Security Center service" - severity = 3 - categories = ["generic"] - authors = ["Thorsten Sick"] - minimum = "2.0" - - def on_complete(self): - for row in 
self.get_volatility("svcscan").get("data", []): - if row["service_name"] == "wscsvc" and \ - row["service_state"] == "SERVICE_STOPPED": - self.mark_vol("stopped_service", service=row) - - return self.has_marks() - - class VolHandles1(Signature): name = "volatility_handles_1" description = "One or more thread handles in other processes"