Merge pull request #471 from para0x0dise/update

update
CAPESandbox · Nov 2, 2024 · 852ba06 · 852ba06
2 parents ef2ab08 + f65d7cb
commit 852ba06
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/modules/signatures/windows/lolbas.py b/modules/signatures/windows/lolbas.py
@@ -111,7 +111,8 @@ def run(self):
         cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
         for cmdline in cmdlines:
             lower = cmdline.lower()
-            if any(process in lower for process in ("cmd /c", "powershell", "script", "mshta", "curl")):
+            if ("conhost.exe" in lower and
+                    any(process in lower for process in ("cmd /c", "powershell", "script", "mshta", "curl"))):
                 self.data.append({"command": cmdline})
                 return True
         return False

diff --git a/modules/signatures/windows/misc.py b/modules/signatures/windows/misc.py
@@ -330,7 +330,7 @@ def __init__(self, *args, **kwargs):
     def on_call(self, call, process):
         if not (
             process["process_name"].lower in self.falseProcess
-            or "windows\\system32\\driverstore\\filerepository" in process["module_path"].lower
+            or "windows\\system32\\driverstore\\filerepository" in process["module_path"].lower()
         ):
 
             if call["api"] in ("RegSetValueExA", "RegSetValueExW"):
@@ -379,7 +379,7 @@ def __init__(self, *args, **kwargs):
         self.detected = False
 
     def on_call(self, call, process):
-        if not "\\Windows\\System32\\svchost.exe" in process["module_name"]:
+        if not "\\Windows\\System32\\svchost.exe" in process["module_path"]:
             if call["api"] in ("RegSetValueExA", "RegSetValueExW"):
                 regKeyPath = self.get_argument(call, "FullName").lower()
                 buf = self.get_argument(call, "Buffer")