Skip to content

Commit

Permalink
Merge pull request #472 from cccs-rs/master
Browse files Browse the repository at this point in the history
Simplify fetching of YARA rules for MACO extractors
  • Loading branch information
doomedraven authored Nov 5, 2024
2 parents 693767b + 9ffad03 commit 98c9d7d
Show file tree
Hide file tree
Showing 77 changed files with 654 additions and 190 deletions.
184 changes: 182 additions & 2 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -1,2 +1,182 @@
test.py
.DS_Store
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
*.py,cover
.hypothesis/
.pytest_cache/
cover/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py
db.sqlite3
db.sqlite3-journal

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
.pybuilder/
target/

# Jupyter Notebook
.ipynb_checkpoints

# IPython
profile_default/
ipython_config.py

# pyenv
# For a library or package, you might want to ignore these files since the code is
# intended to run in multiple environments; otherwise, check them in:
# .python-version

# pipenv
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
# However, in case of collaboration, if having platform-specific dependencies or dependencies
# having no cross-platform support, pipenv may install dependencies that don't work, or not
# install all needed dependencies.
#Pipfile.lock

# poetry
# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
# This is especially recommended for binary packages to ensure reproducibility, and is more
# commonly ignored for libraries.
# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
#poetry.lock

# pdm
# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
#pdm.lock
# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
# in version control.
# https://pdm.fming.dev/#use-with-ide
.pdm.toml

# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
__pypackages__/

# Celery stuff
celerybeat-schedule
celerybeat.pid

# SageMath parsed files
*.sage.py

# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/

# Spyder project settings
.spyderproject
.spyproject

# Rope project settings
.ropeproject

# mkdocs documentation
/site

# mypy
.mypy_cache/
.dmypy.json
dmypy.json

# Pyre type checker
.pyre/

# pytype static type analyzer
.pytype/

# Cython debug symbols
cython_debug/

# PyCharm
# JetBrains specific template is maintained in a separate JetBrains.gitignore that can
# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
# and can be added to the global gitignore or merged into this file. For a more nuclear
# option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/

### VisualStudioCode ###
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
!.vscode/*.code-snippets

# Local History for Visual Studio Code
.history/

# Built Visual Studio Code Extensions
*.vsix

### VisualStudioCode Patch ###
# Ignore all local history of files
.history
.ionide

# Ignore YARA rules that were downloaded from the core for MACO extractors
*/parsers/yara/*.yar
Empty file added modules/__init__.py
Empty file.
17 changes: 11 additions & 6 deletions modules/parsers/MACO/AgentTesla.py
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
import os

from cape_parsers.CAPE.community.AgentTesla import extract_config
from maco.extractor import Extractor
from maco.model import ExtractorModel as MACOModel
from cape_parsers.CAPE.community.AgentTesla import extract_config
from modules.parsers.utils import get_YARA_rule


def convert_to_MACO(raw_config: dict) -> MACOModel:
Expand All @@ -15,7 +14,11 @@ def convert_to_MACO(raw_config: dict) -> MACOModel:

parsed_result = MACOModel(family="AgentTesla", other=raw_config)
if protocol == "Telegram":
parsed_result.http.append(MACOModel.Http(uri=raw_config["C2"], password=raw_config["Password"], usage="c2"))
parsed_result.http.append(
MACOModel.Http(
uri=raw_config["C2"], password=raw_config["Password"], usage="c2"
)
)

elif protocol in ["HTTP(S)", "Discord"]:
parsed_result.http.append(MACOModel.Http(uri=raw_config["C2"], usage="c2"))
Expand Down Expand Up @@ -43,7 +46,9 @@ def convert_to_MACO(raw_config: dict) -> MACOModel:
parsed_result.smtp.append(MACOModel.SMTP(**smtp))

if "Persistence_Filename" in raw_config:
parsed_result.paths.append(MACOModel.Path(path=raw_config["Persistence_Filename"], usage="storage"))
parsed_result.paths.append(
MACOModel.Path(path=raw_config["Persistence_Filename"], usage="storage")
)

if "ExternalIPCheckServices" in raw_config:
for service in raw_config["ExternalIPCheckServices"]:
Expand All @@ -57,7 +62,7 @@ class AgentTesla(Extractor):
family = "AgentTesla"
last_modified = "2024-10-20"
sharing = "TLP:CLEAR"
yara_rule = open(os.path.join(os.path.dirname(__file__).split("/modules", 1)[0], f"data/yara/CAPE/{family}.yar")).read()
yara_rule = get_YARA_rule(family)

def run(self, stream, matches):
return convert_to_MACO(extract_config(stream.read()))
24 changes: 19 additions & 5 deletions modules/parsers/MACO/AsyncRAT.py
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@
import os

from cape_parsers.CAPE.community.AsyncRAT import extract_config
from maco.extractor import Extractor
from maco.model import ExtractorModel as MACOModel
from cape_parsers.CAPE.community.AsyncRAT import extract_config
from modules.parsers.utils import get_YARA_rule


def convert_to_MACO(raw_config: dict) -> MACOModel:
Expand All @@ -25,16 +26,29 @@ def convert_to_MACO(raw_config: dict) -> MACOModel:

# Installation Path
if raw_config.get("Folder"):
parsed_result.paths.append(MACOModel.Path(path=os.path.join(raw_config["Folder"], raw_config["Filename"]), usage="install"))
parsed_result.paths.append(
MACOModel.Path(
path=os.path.join(raw_config["Folder"], raw_config["Filename"]),
usage="install",
)
)

# C2s
for i in range(len(raw_config.get("C2s", []))):
parsed_result.http.append(MACOModel.Http(hostname=raw_config["C2s"][i], port=int(raw_config["Ports"][i]), usage="c2"))
parsed_result.http.append(
MACOModel.Http(
hostname=raw_config["C2s"][i],
port=int(raw_config["Ports"][i]),
usage="c2",
)
)
# Pastebin
if raw_config.get("Pastebin") not in ["null", None]:
# TODO: Is it used to download the C2 information if not embedded?
# Ref: https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader
parsed_result.http.append(MACOModel.Http(uri=raw_config["Pastebin"], usage="download"))
parsed_result.http.append(
MACOModel.Http(uri=raw_config["Pastebin"], usage="download")
)

return parsed_result

Expand All @@ -44,7 +58,7 @@ class AsyncRAT(Extractor):
family = "AsyncRAT"
last_modified = "2024-10-26"
sharing = "TLP:CLEAR"
yara_rule = open(os.path.join(os.path.dirname(__file__).split("/modules", 1)[0], f"data/yara/CAPE/{family}.yar")).read()
yara_rule = get_YARA_rule(family)

def run(self, stream, matches):
return convert_to_MACO(extract_config(stream.read()))
7 changes: 3 additions & 4 deletions modules/parsers/MACO/AuroraStealer.py
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
import os

from cape_parsers.CAPE.community.AuroraStealer import extract_config
from maco.extractor import Extractor
from maco.model import ExtractorModel as MACOModel
from cape_parsers.CAPE.community.AuroraStealer import extract_config
from modules.parsers.utils import get_YARA_rule


def convert_to_MACO(raw_config: dict):
Expand All @@ -22,7 +21,7 @@ class AuroraStealer(Extractor):
family = "AuroraStealer"
last_modified = "2024-10-26"
sharing = "TLP:CLEAR"
yara_rule = open(os.path.join(os.path.dirname(__file__).split("/modules", 1)[0], f"data/yara/CAPE/{family}.yar")).read()
yara_rule = get_YARA_rule(family)

def run(self, stream, matches):
return convert_to_MACO(extract_config(stream.read()))
11 changes: 8 additions & 3 deletions modules/parsers/MACO/Azorult.py
Original file line number Diff line number Diff line change
@@ -1,21 +1,26 @@
from cape_parsers.CAPE.core.Azorult import extract_config, rule_source
from maco.extractor import Extractor
from maco.model import ExtractorModel as MACOModel
from cape_parsers.CAPE.core.Azorult import extract_config, rule_source
from modules.parsers.utils import get_YARA_rule


def convert_to_MACO(raw_config: dict):
if not raw_config:
return None

return MACOModel(family="Azorult", http=[MACOModel.Http(hostname=raw_config["address"])], other=raw_config)
return MACOModel(
family="Azorult",
http=[MACOModel.Http(hostname=raw_config["address"])],
other=raw_config,
)


class Azorult(Extractor):
author = "kevoreilly"
family = "Azorult"
last_modified = "2024-10-26"
sharing = "TLP:CLEAR"
yara_rule = rule_source
yara_rule = get_YARA_rule(family) or rule_source

def run(self, stream, matches):
return convert_to_MACO(extract_config(stream.read()))
8 changes: 6 additions & 2 deletions modules/parsers/MACO/BackOffLoader.py
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
from cape_parsers.CAPE.community.BackOffLoader import extract_config
from maco.extractor import Extractor
from maco.model import ExtractorModel as MACOModel
from cape_parsers.CAPE.community.BackOffLoader import extract_config
from modules.parsers.utils import get_YARA_rule


def convert_to_MACO(raw_config: dict):
Expand All @@ -14,7 +15,9 @@ def convert_to_MACO(raw_config: dict):

# Encryption details
parsed_result.encryption.append(
MACOModel.Encryption(algorithm="rc4", key=raw_config["EncryptionKey"], seed=raw_config["RC4Seed"])
MACOModel.Encryption(
algorithm="rc4", key=raw_config["EncryptionKey"], seed=raw_config["RC4Seed"]
)
)
for url in raw_config["URLs"]:
parsed_result.http.append(MACOModel.Http(url=url))
Expand All @@ -27,6 +30,7 @@ class BackOffLoader(Extractor):
family = "BackOffLoader"
last_modified = "2024-10-26"
sharing = "TLP:CLEAR"
yara_rule = get_YARA_rule(family)

def run(self, stream, matches):
return convert_to_MACO(extract_config(stream.read()))
8 changes: 6 additions & 2 deletions modules/parsers/MACO/BackOffPOS.py
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
from cape_parsers.CAPE.community.BackOffPOS import extract_config
from maco.extractor import Extractor
from maco.model import ExtractorModel as MACOModel
from cape_parsers.CAPE.community.BackOffPOS import extract_config
from modules.parsers.utils import get_YARA_rule


def convert_to_MACO(raw_config: dict):
Expand All @@ -14,7 +15,9 @@ def convert_to_MACO(raw_config: dict):

# Encryption details
parsed_result.encryption.append(
MACOModel.Encryption(algorithm="rc4", key=raw_config["EncryptionKey"], seed=raw_config["RC4Seed"])
MACOModel.Encryption(
algorithm="rc4", key=raw_config["EncryptionKey"], seed=raw_config["RC4Seed"]
)
)
for url in raw_config["URLs"]:
parsed_result.http.append(MACOModel.Http(url=url))
Expand All @@ -27,6 +30,7 @@ class BackOffPOS(Extractor):
family = "BackOffPOS"
last_modified = "2024-10-26"
sharing = "TLP:CLEAR"
yara_rule = get_YARA_rule(family)

def run(self, stream, matches):
return convert_to_MACO(extract_config(stream.read()))
Loading

0 comments on commit 98c9d7d

Please sign in to comment.