fixes

CAPESandbox · Oct 28, 2024 · 11adf0d · 11adf0d
1 parent a6a3a2f
commit 11adf0d
Show file tree

Hide file tree

Showing 10 changed files with 147 additions and 173 deletions.
diff --git a/modules/signatures/windows/bypass_uac.py b/modules/signatures/windows/bypass_uac.py
@@ -40,7 +40,7 @@ def __init__(self, *args, **kwargs):
     def on_call(self, call, process):
         if call["api"].startswith("RegQueryValueEx"):
             pname = process["process_name"]
-            if pname.lower() == "eventvwr.exe":
+            if process["process_name"].lower() == "eventvwr.exe":
                 fullname = self.get_argument(call, "FullName")
                 data = self.get_argument(call, "Data")
                 if "\classes\mscfile\shell\open\command" in fullname.lower():
@@ -91,7 +91,7 @@ def run(self):
         ret = False
 
         keys = [
-            ".*\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute$",
+            r".*\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute$",
         ]
 
         for check in keys:
@@ -157,7 +157,7 @@ def on_call(self, call, process):
                 self.inf = True
 
     def on_complete(self):
-        cmdlines = self.results["behavior"]["summary"]["executed_commands"]
+        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
         for cmdline in cmdlines:
             lower = cmdline.lower()
             if self.inf and "cmstp" in lower and ".inf" in lower:
@@ -182,7 +182,7 @@ class UACBypassFodhelper(Signature):
 
     def run(self):
         ret = False
-        reg_indicators = ["HKEY_CURRENT_USER\\\\Software\\\\Classes\\\\ms-settings\\\\shell \\\\open\\\\command\\\\*."]
+        reg_indicators = [r"HKEY_CURRENT_USER\\Software\\Classes\\ms-settings\\shell \\open\\command\\*."]
 
         for indicator in reg_indicators:
             match = self.check_write_key(pattern=indicator, regex=True)
@@ -206,9 +206,9 @@ class UACBypassCMSTPCOM(Signature):
     def run(self):
         # CMSTPLUA, CMLUAUTIL, Connection Manager LUA Host Object
         indicators = [
-            ".*\\\\Windows\\\\(SysWOW64|System32)\\\\DllHost\.exe.*\/Processid:(\{)?3E5FC7F9-9A51-4367-9063-A120244FBEC7(\})?",
-            ".*\\\\Windows\\\\(SysWOW64|System32)\\\\DllHost\.exe.*\/Processid:(\{)?3E000D72-A845-4CD9-BD83-80C07C3B881F(\})?",
-            ".*\\\\Windows\\\\(SysWOW64|System32)\\\\DllHost\.exe.*\/Processid:(\{)?BA126F01-2166-11D1-B1D0-00805FC1270E(\})?",
+            ".*\\Windows\\(SysWOW64|System32)\\DllHost\.exe.*\/Processid:(\{)?3E5FC7F9-9A51-4367-9063-A120244FBEC7(\})?",
+            ".*\\Windows\\(SysWOW64|System32)\\DllHost\.exe.*\/Processid:(\{)?3E000D72-A845-4CD9-BD83-80C07C3B881F(\})?",
+            ".*\\Windows\\(SysWOW64|System32)\\DllHost\.exe.*\/Processid:(\{)?BA126F01-2166-11D1-B1D0-00805FC1270E(\})?",
         ]
 
         for indicator in indicators:
@@ -240,12 +240,11 @@ def on_call(self, call, process):
         pname = process["process_name"].lower()
 
         # Checking parent process for false positives.
-        if pname == "sdclt.exe":
-            if call["api"] == "CreateProcessInternalW":
-                cmdline = self.get_argument(call, "CommandLine")
-                lower = cmdline.lower()
-                if any(process in lower for process in ["control.exe", "werfault.exe", "wermgr.exe", "sdclt.exe"]):
-                    return False
+        if process["process_name"].lower() == "sdclt.exe" and call["api"] == "CreateProcessInternalW":
+            cmdline = self.get_argument(call, "CommandLine")
+            lower = cmdline.lower()
+            if any(process in lower for process in ("control.exe", "werfault.exe", "wermgr.exe", "sdclt.exe")):
+                return False
 
     def on_complete(self):
         cmdlines = self.results.get("behavior").get("summary").get("executed_commands")

diff --git a/modules/signatures/windows/credential_access.py b/modules/signatures/windows/credential_access.py
@@ -109,13 +109,12 @@ def on_call(self, call, process):
             if call["api"] == "CreateProcessInternalW":
                 cmdline = self.get_argument(call, "CommandLine")
                 lower = cmdline.lower()
-                if any(arg in lower for arg in ["passwordvault", "retrievepassword", "retrieveall"]):
+                if any(arg in lower for arg in ("passwordvault", "retrievepassword", "retrieveall")):
                     return False
 
     def on_complete(self):
-        cmdlines = self.results.get("behavior").get("summary").get("executed_commands")
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
-            if "powershell" in lower and any(arg in lower for arg in ["passwordvault", "retrievepassword", "retrieveall"]):
+            if "powershell" in lower and any(arg in lower for arg in ("passwordvault", "retrievepassword", "retrieveall")):
                 return True
         return False
diff --git a/modules/signatures/windows/credential_dumping.py b/modules/signatures/windows/credential_dumping.py
@@ -118,10 +118,10 @@ class RegistryCredentialStoreAccess(Signature):
 
     def run(self):
         ret = False
-        reg_indicators = [
-            "HKEY_LOCAL_MACHINE\\\\SAM$",
-            "HKEY_LOCAL_MACHINE\\\\SYSTEM$",
-        ]
+        reg_indicators = (
+            r"HKEY_LOCAL_MACHINE\\SAM$",
+            r"HKEY_LOCAL_MACHINE\\SYSTEM$",
+        )
 
         for indicator in reg_indicators:
             match = self.check_key(pattern=indicator, regex=True)
@@ -147,9 +147,9 @@ class RegistryLSASecretsAccess(Signature):
     mbcs = ["OB0005"]
 
     def run(self):
-        indicators = [
-            "HKEY_LOCAL_MACHINE\\\\SECURITY\\\\Policy\\\\Secrets$",
-        ]
+        indicators = (
+            r"HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets$",
+        )
 
         for indicator in indicators:
             match = self.check_key(pattern=indicator, regex=True)
@@ -173,11 +173,11 @@ class FileCredentialStoreAccess(Signature):
     mbcs = ["OB0005"]
 
     def run(self):
-        indicators = [
-            ".*\\\\Windows\\\\repair\\\\sam",
-            ".*\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\SAM",
-            ".*\\\\Windows\\\\system32\\\\config\\\\SAM",
-        ]
+        indicators = (
+            r".*\\Windows\\repair\\sam",
+            r".*\\Windows\\System32\\config\\RegBack\\SAM",
+            r".*\\Windows\\system32\\config\\SAM",
+        )
 
         for indicator in indicators:
             match = self.check_file(pattern=indicator, regex=True)
@@ -201,11 +201,11 @@ class FileCredentialStoreWrite(Signature):
     mbcs = ["OB0005"]
 
     def run(self):
-        indicators = [
-            ".*\\\\Windows\\\\repair\\\\sam",
-            ".*\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\SAM",
-            ".*\\\\Windows\\\\system32\\\\config\\\\SAM",
-        ]
+        indicators = (
+            r".*\\Windows\\repair\\sam",
+            r".*\\Windows\\System32\\config\\RegBack\\SAM",
+            r".*\\Windows\\system32\\config\\SAM",
+        )
 
         for indicator in indicators:
             match = self.check_write_file(pattern=indicator, regex=True)
@@ -232,14 +232,11 @@ class DumpLSAViaWindowsErrorReporting(Signature):
     filter_apinames = set(["NtCreateFile"])
 
     def on_call(self, call, process):
-        pname = process["process_name"].lower()
-
         # Checking parent process for false positives.
-        if pname in ["WerFaultSecure.exe", "WerFault.exe"]:
-            if call["api"] == "NtCreateFile":
-                filename = self.get_argument(call, "FileName")
-                if filename.endswith(".dmp") and "lsass_" in filename:
-                    return True
+        if process["process_name"].lower() in ("WerFaultSecure.exe", "WerFault.exe") and call["api"] == "NtCreateFile":
+            filename = self.get_argument(call, "FileName")
+            if filename.endswith(".dmp") and "lsass_" in filename:
+                return True
 
 
 class KerberosCredentialAccessViaRubeus(Signature):
@@ -256,12 +253,11 @@ class KerberosCredentialAccessViaRubeus(Signature):
     ]
 
     def run(self):
-        cmdlines = self.results.get("behavior").get("summary").get("executed_commands")
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             if "rebeus" in lower and any(
                 arg in lower
-                for arg in [
+                for arg in (
                     "asreproast",
                     "dump /service:krbtgt",
                     "dump /luid",
@@ -283,7 +279,7 @@ def run(self):
                     "golden /aes128",
                     "golden /aes256",
                     "changpw /ticket",
-                ]
+                )
             ):
                 return True
         return False
diff --git a/modules/signatures/windows/deletes_consolehost_history.py b/modules/signatures/windows/deletes_consolehost_history.py
@@ -19,7 +19,7 @@ class DeletesExecutedFiles(Signature):
     def __init__(self, *args, **kwargs):
         Signature.__init__(self, *args, **kwargs)
         self.isDeleted = False
-        self.blacklistedApps = [
+        self.blacklistedApps = (
             "powershell.exe",
             "rundll32.exe",
             "regsvr32.exe",
@@ -29,11 +29,11 @@ def __init__(self, *args, **kwargs):
             "mshta.exe",
             "winword.exe",
             "excel.exe",
-        ]
+        )
         self.blacklistedPaths = ["\\users\\", "\\windows\\temp\\", "\\programdata\\", "\\windows\\microsoft.net\\"]
 
     def on_call(self, call, process):
-        if call["api"] == "NtDeleteFile" or call["api"] == "DeleteFileA" or call["api"] == "DeleteFileW":
+        if call["api"] in ("NtDeleteFile", "DeleteFileA", "DeleteFileW"):
             if "ConsoleHost_history.txt" in self.get_argument(call, "FileName"):
                 self.isDeleted = True
                 if self.pid:
@@ -44,7 +44,7 @@ def on_complete(self):
 
         # Verify True Positives
         if self.isDeleted:
-            for proc in self.results.get("behavior").get("processtree"):
+            for proc in self.results.get("behavior", {}).get("processtree", []):
                 if proc.get("name") in self.blacklistedApps or proc["module_path"].lower() in self.blacklistedPaths:
                     return True
         return False
diff --git a/modules/signatures/windows/exploit_spooler.py b/modules/signatures/windows/exploit_spooler.py
@@ -32,8 +32,7 @@ def run(self):
         ]
 
         ret = False
-        cmdlines = self.results["behavior"]["summary"]["executed_commands"]
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
             for spool in spooler:
                 if spool in lower:
@@ -79,14 +78,13 @@ class EscalatePrivilegeViaNTLMRelay(Signature):
     evented = True
 
     def run(self):
-        cmdlines = self.results.get("behavior").get("summary").get("executed_commands")
-        for cmdline in cmdlines:
+        for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
             lower = cmdline.lower()
 
             if (
                 "rundll32.exe" in lower
-                and any(arg in lower for arg in ["davclnt.dll,davsetcookie"])
-                and any(arg in lower for arg in ["/print/pipe/", "/pipe/spoolss", "/pipe/srvsvc"])
+                and any(arg in lower for arg in ("davclnt.dll,davsetcookie"))
+                and any(arg in lower for arg in ("/print/pipe/", "/pipe/spoolss", "/pipe/srvsvc"))
             ):
                 return True
         return False
diff --git a/modules/signatures/windows/ipc_namedpipe.py b/modules/signatures/windows/ipc_namedpipe.py
@@ -117,17 +117,17 @@ def on_call(self, call, process):
         pname = process["process_name"].lower()
 
         # Checking parent process for false positives.
-        if pname in ["chrome.exe", "msedge.exe"] and call["api"] == "CreateProcessInternalW":
+        if pname in ("chrome.exe", "msedge.exe") and call["api"] == "CreateProcessInternalW":
             cmdline = self.get_argument(call, "CommandLine")
             lower = cmdline.lower()
             if (
-                any(process in lower for process in ["cmd.exe", "powershell.exe", "sc.exe", "schtasks.exe"])
+                any(process in lower for process in ("cmd.exe", "powershell.exe", "sc.exe", "schtasks.exe"))
                 and "\\\\.\\pipe\\" in lower
             ):
                 return False
 
     def on_complete(self):
-        cmdlines = self.results.get("behavior").get("summary").get("executed_commands")
+        cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
         for cmdline in cmdlines:
             lower = cmdline.lower()
             if (