From 703152775010ebfa71a7c3c99ad7100265fd57a9 Mon Sep 17 00:00:00 2001 From: doomedraven Date: Mon, 3 Feb 2025 17:01:07 +0100 Subject: [PATCH] fixes --- modules/signatures/windows/abuse_hvci.py | 2 +- modules/signatures/windows/bootkit.py | 2 +- modules/signatures/windows/bypass_uac.py | 4 +--- modules/signatures/windows/disables_windefender.py | 2 +- modules/signatures/windows/infostealer_mail.py | 6 +++--- modules/signatures/windows/office_dll_loading.py | 10 +++++----- modules/signatures/windows/rat_modi.py | 4 ++-- modules/signatures/windows/rat_nanocore.py | 12 ++++++------ modules/signatures/windows/stealth_webhistory.py | 2 +- modules/signatures/windows/trojan_ursnif.py | 2 +- 10 files changed, 22 insertions(+), 24 deletions(-) diff --git a/modules/signatures/windows/abuse_hvci.py b/modules/signatures/windows/abuse_hvci.py index 48de9387..c3e0b53d 100644 --- a/modules/signatures/windows/abuse_hvci.py +++ b/modules/signatures/windows/abuse_hvci.py @@ -92,7 +92,7 @@ def __init__(self, *args, **kwargs): self.falseProcess = ("securityhealthservice", "ikernel.exe") def on_call(self, call, process): - if not process["process_name"].lower() in self.falseProcess: + if process["process_name"].lower() not in self.falseProcess: if call["api"] in ("RegSetValueExA", "RegSetValueExW"): regKeyPath = self.get_argument(call, "FullName").lower() buf = self.get_argument(call, "Buffer") diff --git a/modules/signatures/windows/bootkit.py b/modules/signatures/windows/bootkit.py index 004ea356..4a02b650 100644 --- a/modules/signatures/windows/bootkit.py +++ b/modules/signatures/windows/bootkit.py @@ -122,7 +122,7 @@ class AccessesPrimaryPartition(Signature): def run(self): ret = False - match = self.check_write_file(pattern="^\\Device\\HarddiskVolume0\\DR0$", regex=True) + match = self.check_write_file(pattern=r"^\\Device\\HarddiskVolume0\\DR0$", regex=True) if match: self.data.append({"file": match}) ret = True 
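Review bot: The device path in the new raw-string pattern looks inconsistent: `\Device\HarddiskVolumeN` names a mounted volume object, while the `\DR0` suffix belongs to the physical-disk object (`\Device\Harddisk0\DR0`), which is the object a bootkit opens to overwrite the MBR or partition table. If the signature is meant to catch raw writes to disk 0, the pattern should presumably be `pattern=r"^\\Device\\Harddisk0\\DR0$"` — confirm against real write-file logs from a known bootkit sample before changing it, since the raw-string conversion itself is correct (the old non-raw form produced an invalid `\H` escape). A short comment such as `# raw write to the first physical disk object, not a mounted volume` would make the intent checkable. The `run` body continues outside the hunk.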
diff --git a/modules/signatures/windows/bypass_uac.py b/modules/signatures/windows/bypass_uac.py index 8b763e99..a506739d 100644 --- a/modules/signatures/windows/bypass_uac.py +++ b/modules/signatures/windows/bypass_uac.py @@ -229,7 +229,7 @@ class ChecksUACStatus(Signature): def run(self): match = self.check_key( - pattern=r".*\SOFTWARE\(Wow6432Node\)?Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA$", regex=True + pattern=r".*\\SOFTWARE\(Wow6432Node\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", regex=True ) if match: self.data.append({"regkey": match}) @@ -253,8 +253,6 @@ class UACBypassWindowsBackup(Signature): filter_apinames = set(["CreateProcessInternalW"]) def on_call(self, call, process): - pname = process["process_name"].lower() - # Checking parent process for false positives. if process["process_name"].lower() == "sdclt.exe" and call["api"] == "CreateProcessInternalW": cmdline = self.get_argument(call, "CommandLine") diff --git a/modules/signatures/windows/disables_windefender.py b/modules/signatures/windows/disables_windefender.py index f48bbf4b..6bc4ada5 100644 --- a/modules/signatures/windows/disables_windefender.py +++ b/modules/signatures/windows/disables_windefender.py @@ -127,7 +127,7 @@ def run(self): r"HKEY_CLASSES_ROOT\\Directory\\shellex\\ContextMenuHandlers\\EPP$", r"HKEY_CLASSES_ROOT\\Drive\\shellex\\ContextMenuHandlers\\EPP$", ) - pat = re.compile(".*\\shellex\\contextmenuhandlers\\epp") + pat = re.compile(r".*\\shellex\\contextmenuhandlers\\epp") for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/infostealer_mail.py b/modules/signatures/windows/infostealer_mail.py index 9cf08cba..a9267735 100644 --- a/modules/signatures/windows/infostealer_mail.py +++ b/modules/signatures/windows/infostealer_mail.py 
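Review bot: The EnableLUA pattern is still dead after this fix: `\SOFTWARE\(Wow6432Node\)?Microsoft` has no backslash after `SOFTWARE`, and `\(` / `\)?` make the literal `(Wow6432Node` mandatory with only the closing `)` optional, so no real key path (`...\SOFTWARE\Microsoft\...` or `...\SOFTWARE\Wow6432Node\Microsoft\...`) can match and ChecksUACStatus never fires. The group should be written the way the other signatures in this commit do it: `pattern=r".*\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", regex=True`. A quick `re.search` against both the native and the Wow6432Node path in a unit test would have caught this and is worth adding alongside the fix.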
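Review bot: The compiled pattern `pat` is all lower case (`shellex\contextmenuhandlers\epp`) with no `re.IGNORECASE`, while the `indicators` just above it use the real mixed-case names (`ContextMenuHandlers\EPP`); whatever `pat` is matched against is outside the hunk, so if it sees the same raw key paths as `check_write_key` it will never match. Either lower-case the subject before matching or compile with the flag: `pat = re.compile(r".*\\shellex\\contextmenuhandlers\\epp", re.IGNORECASE)`, and note in a comment which form the input is expected to have. The raw-string conversion itself is correct — the previous form produced a `\s` whitespace class and an invalid `\c` escape.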
@@ -32,7 +32,7 @@ def run(self): r".*\\Thunderbird\\Profiles\\.*\.default$", r".*\\AppData\\Roaming\\Thunderbird\\profiles.ini$", ) - registry_indicators = ( + registry_indicators = [ r".*\\Microsoft\\Windows\\ Messaging\\ Subsystem\\MSMapiApps.*", r".*\\Microsoft\\Windows\\ Messaging\\ Subsystem\\Profiles.*", r".*\\Microsoft\\Windows\\ NT\\CurrentVersion\\Windows\\ Messaging\\ Subsystem\\Profiles.*", @@ -40,9 +40,9 @@ def run(self): r".*\\Microsoft\\Office\\Outlook\\OMI\\ Account\\ Manager\\Accounts.*", r".*\\Microsoft\\Internet\\ Account\\ Manager\\Accounts.*", r".*\\Software\\(Wow6432Node\\)?IncrediMail.*" r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\ Live\\ Mail.*", - ) + ] if self.results.get("target", {}).get("category", "") == "file": - registry_indicators.append(".*\\Software\\(Wow6432Node\\)?Clients\\Mail.*") + registry_indicators.append(r".*\\Software\\(Wow6432Node\\)?Clients\\Mail.*") found_stealer = False for indicator in file_indicators: diff --git a/modules/signatures/windows/office_dll_loading.py b/modules/signatures/windows/office_dll_loading.py index d0e62029..af71d227 100644 --- a/modules/signatures/windows/office_dll_loading.py +++ b/modules/signatures/windows/office_dll_loading.py @@ -34,10 +34,10 @@ class OfficeAddinLoading(Signature): def run(self): indicators = [ - ".*\\AppData\\Roaming\\Microsoft\\Word\\startup\\*.wll", - ".*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*.xll", - ".*\\AppData\\Roaming\\Microsoft\\AddIns\\*.xlam", - ".*\\AppData\\Roaming\\Microsoft\\AddIns\\*.xla", + r".*\\AppData\\Roaming\\Microsoft\\Word\\startup\\*.wll", + r".*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*.xll", + r".*\\AppData\\Roaming\\Microsoft\\AddIns\\*.xlam", + r".*\\AppData\\Roaming\\Microsoft\\AddIns\\*.xla", ] for indicator in indicators: 
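Review bot: The tuple-to-list change fixes the `append` crash, but the list still contains a missing comma: `r".*\\Software\\(Wow6432Node\\)?IncrediMail.*" r".*\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\ Live\\ Mail.*",` concatenates into one pattern that requires both paths in a single key, so neither IncrediMail nor Windows Live Mail is detected on its own — add the comma after the IncrediMail literal. Separately, in a Python regex `\\ ` matches a literal backslash followed by a space, so `Windows\\ Messaging\\ Subsystem`, `Windows\\ NT`, `Account\\ Manager` and `Live\\ Mail` can never match the real key names (`Windows Messaging Subsystem`, `Windows NT`, ...); unless `check_key` rewrites the pattern, those should be plain spaces, e.g. `r".*\\Microsoft\\Windows Messaging Subsystem\\Profiles.*"`. The `run` body continues outside the hunk.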
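Review bot: The four add-in indicators are shell globs embedded in a regex: `\\*.wll` means "zero or more backslashes, any one character, then `wll`", so a real drop such as `...\Word\startup\evil.wll` does not match (only one-character file names would). Each pattern should express the glob in regex form, e.g. `r".*\\AppData\\Roaming\\Microsoft\\Word\\startup\\[^\\]+\.wll$"`, with the same `\\[^\\]+\.ext$` tail replacing `\\*.ext` in the `.xll`, `.xlam` and `.xla` lines. Worth pinning with a test that a representative add-in path matches and a non-add-in file in the same directory does not. The loop over `indicators` continues outside the hunk.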
@@ -61,7 +61,7 @@ class OfficePerfKey(Signature): mbcs += ["OC0008", "C0036"] # micro-behaviour def run(self): - indicators = ["HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf$"] + indicators = [r"HKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf$"] for indicator in indicators: match = self.check_write_key(pattern=indicator, regex=True) diff --git a/modules/signatures/windows/rat_modi.py b/modules/signatures/windows/rat_modi.py index ac6d6de3..225da996 100644 --- a/modules/signatures/windows/rat_modi.py +++ b/modules/signatures/windows/rat_modi.py @@ -28,8 +28,8 @@ class ModiRATBehavior(Signature): def run(self): reg_indicators = ( - "HKEY_CURRENT_USER\\Software\\FFMPEG_URL.*", - "HKEY_CURRENT_USER\\Software\\Telegram_Notifier.*", + r"HKEY_CURRENT_USER\\Software\\FFMPEG_URL.*", + r"HKEY_CURRENT_USER\\Software\\Telegram_Notifier.*", ) file_indicators = ( r"[A-Z]:\\ProgramData\\ffmpeg\.exe$", diff --git a/modules/signatures/windows/rat_nanocore.py b/modules/signatures/windows/rat_nanocore.py index e6a860a1..6b78df59 100644 --- a/modules/signatures/windows/rat_nanocore.py +++ b/modules/signatures/windows/rat_nanocore.py @@ -53,13 +53,13 @@ def on_call(self, call, process): def on_complete(self): badness = 0 - guid = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}" "-[0-9a-fA-F]{12}" + guid = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}" "-[0-9a-fA-F]{12}" fileiocs = ( - r".*\\" + guid + "\\run\.dat$", - r".*\\" + guid + "\\task\.dat$", - r".*\\" + guid + "\\catelog\.dat$", - r".*\\" + guid + "\\storage\.dat$", - r".*\\" + guid + "\\settings\.bin$", + r".*\\" + guid + r"\\run\.dat$", + r".*\\" + guid + r"\\task\.dat$", + r".*\\" + guid + r"\\catelog\.dat$", + r".*\\" + guid + r"\\storage\.dat$", + r".*\\" + guid + r"\\settings\.bin$", ) for ioc in fileiocs: if self.check_write_file(pattern=ioc, regex=True): 
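Review bot: The GUID pattern is split across a raw and a non-raw literal by implicit concatenation (`r"...[0-9a-fA-F]{4}" "-[0-9a-fA-F]{12}"`), which reads like a leftover line wrap and invites exactly the missing-comma bug seen elsewhere in this patch; it is clearer as one literal, `guid = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"`. Also, the NanoCore working directory file is usually reported as `catalog.dat`; `catelog\.dat` looks like a typo that would silently drop one of the five file IOCs — confirm against samples before changing, and add a comment naming the artefact set so the spelling is checkable. The `on_complete` body (the `badness` accumulation) continues outside the hunk.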
diff --git a/modules/signatures/windows/stealth_webhistory.py b/modules/signatures/windows/stealth_webhistory.py index d90a437f..c7b7b1a8 100644 --- a/modules/signatures/windows/stealth_webhistory.py +++ b/modules/signatures/windows/stealth_webhistory.py @@ -20,7 +20,7 @@ def run(self): r".*\\Temporary\\ Internet\\ Files\\Content\.IE5\\.*", ] if self.results.get("target", {}).get("category", "") == "file": - file_indicators.append(".*\\Cookies\\.*") + file_indicators.append(r".*\\Cookies\\.*") found_cleaner = False for indicator in file_indicators: file_match = self.check_delete_file(pattern=indicator, regex=True, all=True) diff --git a/modules/signatures/windows/trojan_ursnif.py b/modules/signatures/windows/trojan_ursnif.py index 7c453188..f38e5da3 100644 --- a/modules/signatures/windows/trojan_ursnif.py +++ b/modules/signatures/windows/trojan_ursnif.py @@ -43,7 +43,7 @@ def run(self): mutex_indicators = r"^Local\\\{[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}\}$" for rkey in regkeys: - registry_indicators.append(regpath + "\\" + guid + "\\" + rkey + "$") + registry_indicators.append(regpath + r"\\" + guid + r"\\" + rkey + "$") registry_indicators.append(r".*\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnableSPDY3_0$")
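Review bot: The context line `r".*\\Temporary\\ Internet\\ Files\\Content\.IE5\\.*"` has the same escaped-space problem as the mail signature: in a Python regex `\\ ` is a literal backslash followed by a space, so the pattern requires `Temporary\ Internet\ Files` and never matches the real `Temporary Internet Files` directory. Unless `check_delete_file` rewrites the pattern, it should read `r".*\\Temporary Internet Files\\Content\.IE5\\.*"`. The newly appended `.*\\Cookies\\.*` is very broad but is gated on file-category targets, which seems deliberate; a one-line comment stating why the gate is there would help. The `run` body continues outside the hunk.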