def process_event(self, process):
    """Record a process whose command line carries every vssadmin or wmic token.

    ``self._vssadmin_tokens`` and ``self._wmic_tokens`` are checked
    independently against the lower-cased command line, so a command that
    satisfies both sets is recorded and ``trigger`` is called twice.
    Note that ``all()`` over an empty token set is vacuously True.
    """
    command = process.command.lower()
    for token_set in (self._vssadmin_tokens, self._wmic_tokens):
        if all(token in command for token in token_set):
            self.events = mapping(self.events, process)
            self.trigger()
 def process_event(self, file):
     """Record the file when its source path matches one of ``self.file_pattern``.

     Each pattern is evaluated as a regex through ``check_value``; every
     pattern that matches records the file and calls ``trigger`` again.
     """
     srcpath = file.srcpath
     for pattern in self.file_pattern:
         matched = self.check_value(pattern=pattern, subject=srcpath,
                                    regex=True, all=True)
         if not matched:
             continue
         self.events = mapping(self.events, file)
         self.trigger()
 def process_event(self, process):
     """Record the process when its command line matches a regex in ``self.proc_indicators``.

     Every indicator is tested via ``check_value``; each hit records the
     process and calls ``trigger``.
     """
     command = process.command
     for indicator in self.proc_indicators:
         hit = self.check_value(pattern=indicator, subject=command,
                                regex=True, all=True)
         if hit:
             self.events = mapping(self.events, process)
             self.trigger()
 def registry_event(self, registry):
     """Record the registry operation when its path matches a regex in ``self.reg_indicators``.

     Every indicator is tested via ``check_value``; each hit records the
     event and calls ``trigger``.
     """
     path = registry.path
     for indicator in self.reg_indicators:
         hit = self.check_value(pattern=indicator, subject=path,
                                regex=True, all=True)
         if hit:
             self.events = mapping(self.events, registry)
             self.trigger()
 def file_event(self, file):
     """Record the file when its source path matches a regex in ``self.file_indicators``.

     Every indicator is tested via ``check_value``; each hit records the
     file and calls ``trigger``.
     """
     srcpath = file.srcpath
     for indicator in self.file_indicators:
         hit = self.check_value(pattern=indicator, subject=srcpath,
                                regex=True, all=True)
         if hit:
             self.events = mapping(self.events, file)
             self.trigger()
 def file_event(self, file):
     r"""Record files whose last path component names an NTFS alternate data stream.

     Only the final ``\``-separated component is inspected for a ``:``.
     Known benign forms are skipped before recording: paths under the
     ``c:\dosdevices`` namespace, a path ending in ``:`` (bare drive
     specifier), ``\??\http://`` pseudo-paths, the ``:Zone.Identifier``
     mark-of-the-web stream, and the Internet Explorer "Suggested Sites"
     favicon stream under a user's Favorites folder.
     """
     path = file.srcpath
     if ":" not in path.split("\\")[-1]:
         return
     if path.lower().startswith("c:\\dosdevices\\") or path[-1] == ":":
         return
     if path.startswith("\\??\\http://") or path.endswith(":Zone.Identifier"):
         return
     suggested_sites = re.match(
         r'^[A-Z]?:\\(Users|Documents and Settings)\\[^\\]+\\Favorites\\Links\\Suggested Sites\.url:favicon$',
         path, re.IGNORECASE)
     if suggested_sites:
         return
     self.events = mapping(self.events, file)
     self.trigger()
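    def process_event(self, process):
        """Record a process that runs ``reg add`` through PowerShell.

        Two forms are covered: a command line containing both ``powershell``
        and ``reg add`` in clear text, and the encoded-command form, where
        the argument after a ``-e``/``-enc``/``-ec``-style switch is base64
        of a UTF-16 script that is decoded and then searched for ``reg add``.
        The switch regex is loose (it also matches e.g. ``-ea``), so a false
        hit on the switch only costs a failed decode, which is skipped.

        Fixes relative to the earlier version: the switch regex is a raw
        string (``"\\-"`` was an invalid escape), decoding uses ``base64``
        instead of the Python 2-only ``str.decode("base64")``, a command line
        that ``shlex`` cannot tokenise (unbalanced quotes) no longer raises
        out of the signature, and only decode failures are ignored instead of
        every exception.
        """
        import base64
        import binascii

        # Joining keeps a list-valued command working and is a no-op on str.
        command = "".join(process.command)
        lower = command.lower()
        if "powershell" in lower and "reg add" in lower:
            self.events = mapping(self.events, process)
            self.trigger()

        # Matches -e, -enc, -ec, -encodedcommand and caret-obfuscated variants.
        encre = re.compile(r"\-[e^]{1,2}[ncodema^]+")
        if not encre.search(lower):
            return

        try:
            # NOTE(review): POSIX quoting rules; backslashes elsewhere on the
            # line are consumed as escapes, which does not affect the base64
            # token itself (its alphabet has no backslash).
            args = shlex.split(command)
        except ValueError:
            # Unbalanced quotes: nothing tokenisable, so nothing to decode.
            return

        for idx, arg in enumerate(args):
            if not encre.search(arg.lower()):
                continue  # not the encoded-command switch
            if idx + 1 >= len(args):
                break  # switch is the last token, no payload follows
            try:
                script = base64.b64decode(args[idx + 1]).decode("utf-16")
            except (binascii.Error, ValueError, TypeError):
                # Not a decodable UTF-16 base64 payload; try the next token.
                continue
            if "reg add" in script.lower():
                self.events = mapping(self.events, process)
                self.trigger()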
 def registry_event(self, registry):
     """Record the registry operation when ``self.dll_name`` appears in its path.

     A case-insensitive substring test on the registry path; ``self.dll_name``
     is expected to already be lower-case.
     """
     path = registry.path.lower()
     if self.dll_name not in path:
         return
     self.events = mapping(self.events, registry)
     self.trigger()
 def process_event(self, process):
     """Record a ``net`` command that touches the local Administrators group.

     The ``net`` prefix test is loose (``netsh``/``netstat`` also start with
     it); the ``localgroup administrators`` substring is what narrows the hit.
     """
     lowercommand = process.command.lower()
     is_net = lowercommand.startswith("net")
     touches_admins = "localgroup administrators" in lowercommand
     if is_net and touches_admins:
         self.events = mapping(self.events, process)
         self.trigger()
 def registry_event(self, registry):
     """Record registry operations under the Windows ``Uninstall`` key.

     A case-insensitive substring test against the registry path.
     """
     uninstall_key = "\\microsoft\\windows\\currentversion\\uninstall"
     if uninstall_key not in registry.path.lower():
         return
     self.events = mapping(self.events, registry)
     self.trigger()
 def registry_event(self, registry):
     """Record registry operations whose value data begins with ``self.null_byte``.

     Only the prefix of ``registry.values`` is examined.
     """
     values = registry.values
     starts_with_null = values.startswith(self.null_byte)
     if starts_with_null:
         self.events = mapping(self.events, registry)
         self.trigger()
 def process_event(self, process):
     """Record processes whose ``orig`` attribute compares equal to False.

     ``==`` is used rather than ``is`` so any value that compares equal to
     False (e.g. ``0``) also matches.
     """
     flagged = process.orig == False  # noqa: E712 - equality semantics intended
     if not flagged:
         return
     self.events = mapping(self.events, process)
     self.trigger()
 def checkfrequency(self, file):
     """Count a file operation and record ``file`` once the count exceeds ``self.threshold``.

     The counter in ``self.fileops`` is never reset here, so every call after
     the threshold is crossed records the file and calls ``trigger`` again.
     """
     self.fileops = self.fileops + 1
     over_threshold = self.fileops > self.threshold
     if not over_threshold:
         return
     self.events = mapping(self.events, file)
     self.trigger()
 def process_event(self, process):
     """Record processes whose command line mentions ``netsh`` or ``advfirewall``.

     A substring test on the lower-cased command line; either token alone is
     enough to record the process.
     """
     lowercommand = process.command.lower()
     firewall_tokens = ("netsh", "advfirewall")
     if any(token in lowercommand for token in firewall_tokens):
         self.events = mapping(self.events, process)
         self.trigger()
 def file_event(self, file):
     """Record files written to the ``:Zone.Identifier`` alternate data stream.

     Case-insensitive suffix test on the source path (this stream carries the
     mark-of-the-web).
     """
     zone_suffix = ":zone.identifier"
     if not file.srcpath.lower().endswith(zone_suffix):
         return
     self.events = mapping(self.events, file)
     self.trigger()
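 def registry_event(self, registry):
     """Record registry operations whose path matches a regex in ``self.regkeys_re``.

     Every pattern is checked with ``check_value``; each hit records the event
     and calls ``trigger``. A leftover debug ``print`` that wrote to stdout on
     every hit has been removed: hits are reported through ``trigger`` and
     ``self.events``, not the console.
     """
     path = registry.path
     for pattern in self.regkeys_re:
         if self.check_value(pattern=pattern, subject=path, regex=True, all=True):
             self.events = mapping(self.events, registry)
             self.trigger()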
 def mutant_event(self, mutant):
     """Record mutex operations whose path matches a regex in ``self.mutexes_re``.

     Every pattern is checked with ``check_value``; each hit records the
     mutant and calls ``trigger``.
     """
     path = mutant.path
     for pattern in self.mutexes_re:
         hit = self.check_value(pattern=pattern, subject=path, regex=True, all=True)
         if not hit:
             continue
         self.events = mapping(self.events, mutant)
         self.trigger()
 def process_event(self, process):
     """Record a process whose command line contains every ``self.bypass_indicators`` entry.

     All indicators must be present (lower-cased substring test); ``all()``
     over an empty indicator list is vacuously True.
     """
     lowercommand = process.command.lower()
     missing = [c for c in self.bypass_indicators if c not in lowercommand]
     if missing:
         return
     self.events = mapping(self.events, process)
     self.trigger()
 def registry_event(self, registry):
     """Record registry operations whose value data contains ``javascript:``.

     Case-insensitive substring test on ``registry.values``.
     """
     values = registry.values.lower()
     if "javascript:" not in values:
         return
     self.events = mapping(self.events, registry)
     self.trigger()
 def registry_event(self, registry):
     """Record registry operations whose value data is exactly a PowerShell launcher.

     This is an exact (lower-cased) match against ``powershell.exe`` or
     ``powershell `` (trailing space), not a substring test, so values that
     carry extra arguments or a full path are not matched.
     """
     launchers = ("powershell.exe", "powershell ")
     values = registry.values.lower()
     if values not in launchers:
         return
     self.events = mapping(self.events, registry)
     self.trigger()
 def registry_event(self, registry):
     """Record registry operations whose path contains ``self._regkey``.

     Case-sensitive substring test on ``registry.path``.
     """
     key = self._regkey
     if key not in registry.path:
         return
     self.events = mapping(self.events, registry)
     self.trigger()
 def registry_event(self, registry):
     """Record registry operations whose path contains ``self.filter_apinames``.

     Case-sensitive substring test on ``registry.path``.
     """
     needle = self.filter_apinames
     if needle not in registry.path:
         return
     self.events = mapping(self.events, registry)
     self.trigger()
 def process_event(self, process):
     """Record processes whose command line contains ``self._wmipath``.

     Case-sensitive substring test on ``process.command``.
     """
     wmipath = self._wmipath
     if wmipath not in process.command:
         return
     self.events = mapping(self.events, process)
     self.trigger()
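 def file_event(self, file):
     """Record files on a drive-letter style path that contain a known indicator.

     The source path must start with a letter; each substring in
     ``self.file_indicators`` found in the path records the file and calls
     ``trigger``. The first-character test slices instead of indexing so an
     empty ``srcpath`` no longer raises ``IndexError`` out of the signature.
     """
     path = file.srcpath
     if not path[:1].isalpha():
         return
     for indicator in self.file_indicators:
         if indicator in path:
             self.events = mapping(self.events, file)
             self.trigger()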
 def registry_event(self, registry):
     """Record registry operations whose path contains any ``self.reg_indicators`` entry.

     Case-sensitive substring test; each matching indicator records the event
     and calls ``trigger`` again.
     """
     path = registry.path
     for indicator in self.reg_indicators:
         if indicator not in path:
             continue
         self.events = mapping(self.events, registry)
         self.trigger()
 def process_event(self, process):
     """Record processes whose command line mentions a name from the module-level ``sysinternals`` list.

     Lower-cased substring test; each matching entry records the process and
     calls ``trigger`` again.
     """
     lowercommand = process.command.lower()
     for name in sysinternals:
         if name not in lowercommand:
             continue
         self.events = mapping(self.events, process)
         self.trigger()
 def process_event(self, process):
     """Record processes whose command line mentions any entry of ``self.utilities``.

     Lower-cased substring test; each matching utility records the process
     and calls ``trigger`` again.
     """
     lowercommand = process.command.lower()
     for utility in self.utilities:
         if utility not in lowercommand:
             continue
         self.events = mapping(self.events, process)
         self.trigger()
 def process_event(self, process):
     """Record a ``net`` command that adds a user account.

     The ``net`` prefix test is loose (``netsh``/``netstat`` also start with
     it); the ``user /add`` substring is what narrows the hit.
     """
     lowercommand = process.command.lower()
     is_net = lowercommand.startswith("net")
     adds_user = "user /add" in lowercommand
     if is_net and adds_user:
         self.events = mapping(self.events, process)
         self.trigger()
 def suspicious_event(self, suspicious):
     """Record every suspicious event unconditionally and fire the signature.

     No filtering is applied: each ``suspicious`` object is merged into
     ``self.events`` via ``mapping`` and ``trigger`` is called every time.
     """
     updated = mapping(self.events, suspicious)
     self.events = updated
     self.trigger()
 def suspicious_event(self, suspicious):
     """Record suspicious events whose ``event`` field contains ``self.filter_suspicious``.

     Case-sensitive substring test on ``suspicious.event``.
     """
     needle = self.filter_suspicious
     if needle not in suspicious.event:
         return
     self.events = mapping(self.events, suspicious)
     self.trigger()