def process_event(self, process):
    """Record a process whose command line contains every token of a watched set.

    Two token sets are examined independently, ``self._vssadmin_tokens`` and
    ``self._wmic_tokens``. For each set whose tokens all occur in the
    lowercased ``process.command``, the process is recorded through
    ``mapping`` and ``self.trigger()`` is called, so a command matching both
    sets is recorded twice.
    """
    command = process.command.lower()
    watched_sets = (self._vssadmin_tokens, self._wmic_tokens)
    for tokens in watched_sets:
        fully_present = all(token in command for token in tokens)
        if fully_present:
            self.events = mapping(self.events, process)
            self.trigger()
def process_event(self, file):
    """Record *file* for every configured pattern its source path matches.

    Despite the name, this handler receives a file object and inspects
    ``file.srcpath``. Each entry of ``self.file_pattern`` is tested with
    ``self.check_value(regex=True, all=True)``; every hit records the file
    through ``mapping`` and calls ``self.trigger()`` (no early exit).
    """
    subject = file.srcpath

    def matches(pattern):
        return self.check_value(pattern=pattern, subject=subject, regex=True, all=True)

    for pattern in self.file_pattern:
        if not matches(pattern):
            continue
        self.events = mapping(self.events, file)
        self.trigger()
def process_event(self, process):
    """Record *process* for every indicator its command line matches.

    Each entry of ``self.proc_indicators`` is matched against
    ``process.command`` with ``self.check_value(regex=True, all=True)``;
    every hit records the process through ``mapping`` and calls
    ``self.trigger()``.
    """
    command = process.command

    def matches(indicator):
        return self.check_value(pattern=indicator, subject=command, regex=True, all=True)

    for indicator in self.proc_indicators:
        if not matches(indicator):
            continue
        self.events = mapping(self.events, process)
        self.trigger()
def registry_event(self, registry):
    """Record *registry* for every indicator its key path matches.

    Each entry of ``self.reg_indicators`` is matched against
    ``registry.path`` with ``self.check_value(regex=True, all=True)``;
    every hit records the event through ``mapping`` and calls
    ``self.trigger()``.
    """
    key_path = registry.path

    def matches(indicator):
        return self.check_value(pattern=indicator, subject=key_path, regex=True, all=True)

    for indicator in self.reg_indicators:
        if not matches(indicator):
            continue
        self.events = mapping(self.events, registry)
        self.trigger()
def file_event(self, file):
    """Record *file* for every indicator its source path matches.

    Each entry of ``self.file_indicators`` is matched against
    ``file.srcpath`` with ``self.check_value(regex=True, all=True)``;
    every hit records the file through ``mapping`` and calls
    ``self.trigger()``.
    """
    source_path = file.srcpath

    def matches(indicator):
        return self.check_value(pattern=indicator, subject=source_path, regex=True, all=True)

    for indicator in self.file_indicators:
        if not matches(indicator):
            continue
        self.events = mapping(self.events, file)
        self.trigger()
def file_event(self, file):
    r"""Record a file whose name carries a ``:`` stream marker, minus known noise.

    The final path component of ``file.srcpath`` must contain ``:`` (the
    NTFS alternate-data-stream syntax). The event is then skipped when the
    path is one of these well-known benign shapes:

    * starts with ``c:\dosdevices\`` (case-insensitive);
    * ends with a bare ``:``;
    * starts with ``\??\http://``;
    * ends with ``:Zone.Identifier`` (case-sensitive, as in the original);
    * is the per-user ``Favorites\Links\Suggested Sites.url:favicon`` entry.

    Anything else records the file through ``mapping`` and calls
    ``self.trigger()``.
    """
    path = file.srcpath
    last_component = path.split("\\")[-1]
    if ":" not in last_component:
        return
    if path.lower().startswith("c:\\dosdevices\\") or path.endswith(":"):
        return
    if path.startswith("\\??\\http://"):
        return
    if path.endswith(":Zone.Identifier"):
        return
    favicon_re = r'^[A-Z]?:\\(Users|Documents and Settings)\\[^\\]+\\Favorites\\Links\\Suggested Sites\.url:favicon$'
    if re.match(favicon_re, path, re.IGNORECASE):
        return
    self.events = mapping(self.events, file)
    self.trigger()
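def process_event(self, process):
    """Record a PowerShell invocation that performs ``reg add``.

    Two forms of ``process.command`` are checked; each one that matches
    records the process through ``mapping`` and calls ``self.trigger()``:

    * plain text: both ``powershell`` and ``reg add`` appear in the
      lowercased command line;
    * encoded: a ``-e`` / ``-enc`` / ``-encodedcommand`` style switch
      (optionally containing ``^`` escape characters) is present and the
      argument following it, base64-decoded and read as UTF-16LE (the
      encoding PowerShell uses for ``-EncodedCommand``), contains
      ``reg add``.

    Arguments that cannot be decoded (no following argument, invalid
    base64, undecodable bytes) are skipped rather than raising.

    Fixes versus the original: ``str.decode("base64")`` exists only on
    Python 2, so the encoded branch could never fire on Python 3 (the
    AttributeError was hidden by a bare ``except``); the regex now uses a
    raw string, so ``\\-`` is no longer an invalid escape sequence; the
    bare ``except`` is narrowed to the decoding errors.
    """
    import base64

    lower = process.command.lower()
    if "powershell" in lower and "reg add" in lower:
        self.events = mapping(self.events, process)
        self.trigger()

    # Matches "-e", "-ec", "-enc", "-encodedcommand" and caret-obfuscated
    # variants such as "-^e^n^c".
    encre = re.compile(r"\-[e^]{1,2}[ncodema^]+")
    if not encre.search(lower):
        return

    try:
        args = shlex.split(process.command)
    except ValueError:
        # Unbalanced quoting: nothing sensible to decode.
        return

    for idx, arg in enumerate(args):
        if not encre.search(arg.lower()):
            # Not the encoded-command switch.
            continue
        try:
            # The payload is the argument after the switch. binascii.Error is
            # a ValueError on Python 3 and a TypeError on Python 2;
            # UnicodeDecodeError is a ValueError.
            script = base64.b64decode(args[idx + 1]).decode("utf-16le")
        except (IndexError, TypeError, ValueError):
            continue
        if "reg add" in script.lower():
            self.events = mapping(self.events, process)
            self.trigger()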
def registry_event(self, registry):
    """Record a registry event whose key path mentions the watched DLL name.

    ``self.dll_name`` is searched as a substring of the lowercased
    ``registry.path``; a hit records the event through ``mapping`` and calls
    ``self.trigger()``.
    """
    key_path = registry.path.lower()
    mentions_dll = self.dll_name in key_path
    if not mentions_dll:
        return
    self.events = mapping(self.events, registry)
    self.trigger()
def process_event(self, process):
    """Record ``net ... localgroup administrators`` style command lines.

    Fires when the lowercased ``process.command`` starts with ``net`` and
    contains ``localgroup administrators``; the process is recorded through
    ``mapping`` and ``self.trigger()`` is called.
    """
    cmd = process.command.lower()
    starts_with_net = cmd.startswith("net")
    touches_admin_group = "localgroup administrators" in cmd
    if starts_with_net and touches_admin_group:
        self.events = mapping(self.events, process)
        self.trigger()
def registry_event(self, registry):
    r"""Record registry activity under the ``...\CurrentVersion\Uninstall`` key.

    Fires when the lowercased ``registry.path`` contains
    ``\microsoft\windows\currentversion\uninstall``; the event is recorded
    through ``mapping`` and ``self.trigger()`` is called.
    """
    uninstall_key = "\\microsoft\\windows\\currentversion\\uninstall"
    if uninstall_key not in registry.path.lower():
        return
    self.events = mapping(self.events, registry)
    self.trigger()
def registry_event(self, registry):
    """Record a registry event whose value data begins with the null-byte marker.

    ``registry.values`` is tested with ``startswith(self.null_byte)``; a hit
    records the event through ``mapping`` and calls ``self.trigger()``.
    """
    leading_null = registry.values.startswith(self.null_byte)
    if not leading_null:
        return
    self.events = mapping(self.events, registry)
    self.trigger()
def process_event(self, process):
    """Record a process whose ``orig`` attribute compares equal to ``False``.

    The ``== False`` comparison is kept deliberately (rather than ``is False``
    or ``not``) so that exactly the same set of values matches as before.
    A match records the process through ``mapping`` and calls
    ``self.trigger()``.
    """
    not_original = process.orig == False  # noqa: E712 - intentional equality
    if not not_original:
        return
    self.events = mapping(self.events, process)
    self.trigger()
def checkfrequency(self, file):
    """Count one file operation and fire once the count exceeds the threshold.

    ``self.fileops`` is incremented on every call; when it becomes greater
    than ``self.threshold`` the file is recorded through ``mapping`` and
    ``self.trigger()`` is called (on every call past the threshold, not
    just the first).
    """
    self.fileops = self.fileops + 1
    over_threshold = self.fileops > self.threshold
    if not over_threshold:
        return
    self.events = mapping(self.events, file)
    self.trigger()
def process_event(self, process):
    """Record command lines that mention ``netsh`` or ``advfirewall``.

    Either substring in the lowercased ``process.command`` records the
    process through ``mapping`` and calls ``self.trigger()``.
    """
    cmd = process.command.lower()
    firewall_tools = ("netsh", "advfirewall")
    if any(tool in cmd for tool in firewall_tools):
        self.events = mapping(self.events, process)
        self.trigger()
def file_event(self, file):
    """Record a file whose path names the ``Zone.Identifier`` stream.

    Fires when the lowercased ``file.srcpath`` ends with ``:zone.identifier``
    (the mark-of-the-web alternate data stream); the file is recorded
    through ``mapping`` and ``self.trigger()`` is called.
    """
    is_zone_stream = file.srcpath.lower().endswith(":zone.identifier")
    if not is_zone_stream:
        return
    self.events = mapping(self.events, file)
    self.trigger()
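def registry_event(self, registry):
    """Record *registry* for every key-path pattern it matches.

    Each entry of ``self.regkeys_re`` is matched against ``registry.path``
    with ``self.check_value(regex=True, all=True)``; every hit records the
    event through ``mapping`` and calls ``self.trigger()``.

    The stray ``print("REG TRIGGERED")`` debugging statement of the
    original has been removed; it wrote to stdout on every hit.
    """
    key_path = registry.path
    for pattern in self.regkeys_re:
        if not self.check_value(pattern=pattern, subject=key_path, regex=True, all=True):
            continue
        self.events = mapping(self.events, registry)
        self.trigger()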
def mutant_event(self, mutant):
    """Record *mutant* for every mutex-name pattern its path matches.

    Each entry of ``self.mutexes_re`` is matched against ``mutant.path``
    with ``self.check_value(regex=True, all=True)``; every hit records the
    event through ``mapping`` and calls ``self.trigger()``.
    """
    mutex_name = mutant.path

    def matches(pattern):
        return self.check_value(pattern=pattern, subject=mutex_name, regex=True, all=True)

    for pattern in self.mutexes_re:
        if not matches(pattern):
            continue
        self.events = mapping(self.events, mutant)
        self.trigger()
def process_event(self, process):
    """Record a process whose command line contains every bypass indicator.

    Fires only when each entry of ``self.bypass_indicators`` is a substring
    of the lowercased ``process.command``; the process is then recorded
    through ``mapping`` and ``self.trigger()`` is called.
    """
    cmd = process.command.lower()
    missing = [ind for ind in self.bypass_indicators if ind not in cmd]
    if missing:
        return
    self.events = mapping(self.events, process)
    self.trigger()
def registry_event(self, registry):
    """Record a registry event whose value data contains ``javascript:``.

    The substring test is done on the lowercased ``registry.values``; a hit
    records the event through ``mapping`` and calls ``self.trigger()``.
    """
    has_js_scheme = "javascript:" in registry.values.lower()
    if not has_js_scheme:
        return
    self.events = mapping(self.events, registry)
    self.trigger()
def registry_event(self, registry):
    """Record a registry event whose value data is exactly a PowerShell launcher.

    Fires when the lowercased ``registry.values`` equals ``powershell.exe``
    or ``powershell `` (with the trailing space); the event is recorded
    through ``mapping`` and ``self.trigger()`` is called.
    """
    launchers = ("powershell.exe", "powershell ")
    value = registry.values.lower()
    if value not in launchers:
        return
    self.events = mapping(self.events, registry)
    self.trigger()
def registry_event(self, registry):
    """Record a registry event whose key path contains the watched key.

    ``self._regkey`` is searched case-sensitively as a substring of
    ``registry.path``; a hit records the event through ``mapping`` and calls
    ``self.trigger()``.
    """
    watched = self._regkey
    if watched not in registry.path:
        return
    self.events = mapping(self.events, registry)
    self.trigger()
def registry_event(self, registry):
    """Record a registry event whose key path contains ``self.filter_apinames``.

    The attribute is used as a plain case-sensitive substring of
    ``registry.path`` (its name suggests an API-name filter, but here it is
    matched against the key path). A hit records the event through
    ``mapping`` and calls ``self.trigger()``.
    """
    needle = self.filter_apinames
    if needle not in registry.path:
        return
    self.events = mapping(self.events, registry)
    self.trigger()
def process_event(self, process):
    """Record a process whose command line contains the watched WMI path.

    ``self._wmipath`` is searched case-sensitively as a substring of
    ``process.command``; a hit records the process through ``mapping`` and
    calls ``self.trigger()``.
    """
    watched = self._wmipath
    if watched not in process.command:
        return
    self.events = mapping(self.events, process)
    self.trigger()
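def file_event(self, file):
    r"""Record a file whose path starts with a letter and contains an indicator.

    The first character of ``file.srcpath`` must be alphabetic (e.g. a drive
    letter; paths beginning with ``\`` are skipped). Every entry of
    ``self.file_indicators`` found as a substring of the path records the
    file through ``mapping`` and calls ``self.trigger()`` (no early exit).

    Fix versus the original: an empty ``srcpath`` made ``srcpath[0]`` raise
    IndexError; it is now treated as a non-match.
    """
    path = file.srcpath
    if not path or not path[0].isalpha():
        return
    for indicator in self.file_indicators:
        if indicator in path:
            self.events = mapping(self.events, file)
            self.trigger()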
def registry_event(self, registry):
    """Record *registry* for every indicator found in its key path.

    Each entry of ``self.reg_indicators`` is tested as a case-sensitive
    substring of ``registry.path``; every hit records the event through
    ``mapping`` and calls ``self.trigger()``.
    """
    key_path = registry.path
    for indicator in self.reg_indicators:
        if indicator not in key_path:
            continue
        self.events = mapping(self.events, registry)
        self.trigger()
def process_event(self, process):
    """Record *process* for every ``sysinternals`` entry in its command line.

    ``sysinternals`` is a module-level sequence defined outside this block.
    Each entry is tested as a substring of the lowercased
    ``process.command``; every hit records the process through ``mapping``
    and calls ``self.trigger()``.
    """
    cmd = process.command.lower()
    for utility in sysinternals:
        if utility not in cmd:
            continue
        self.events = mapping(self.events, process)
        self.trigger()
def process_event(self, process):
    """Record *process* for every watched utility name in its command line.

    Each entry of ``self.utilities`` is tested as a substring of the
    lowercased ``process.command``; every hit records the process through
    ``mapping`` and calls ``self.trigger()``.
    """
    cmd = process.command.lower()
    for utility in self.utilities:
        if utility not in cmd:
            continue
        self.events = mapping(self.events, process)
        self.trigger()
def process_event(self, process):
    """Record ``net ... user /add`` style command lines.

    Fires when the lowercased ``process.command`` starts with ``net`` and
    contains ``user /add``; the process is recorded through ``mapping`` and
    ``self.trigger()`` is called.
    """
    cmd = process.command.lower()
    starts_with_net = cmd.startswith("net")
    adds_user = "user /add" in cmd
    if starts_with_net and adds_user:
        self.events = mapping(self.events, process)
        self.trigger()
def suspicious_event(self, suspicious):
    """Record every suspicious event unconditionally and fire the signature.

    The event is merged into ``self.events`` through ``mapping`` and
    ``self.trigger()`` is called on each invocation.
    """
    updated = mapping(self.events, suspicious)
    self.events = updated
    self.trigger()
def suspicious_event(self, suspicious):
    """Record a suspicious event whose text contains the configured filter.

    ``self.filter_suspicious`` is searched as a substring of
    ``suspicious.event``; a hit records the event through ``mapping`` and
    calls ``self.trigger()``.
    """
    wanted = self.filter_suspicious
    if wanted not in suspicious.event:
        return
    self.events = mapping(self.events, suspicious)
    self.trigger()