style: Automatic code formatting
actions-user committed Oct 29, 2024
1 parent 9004c15 commit f539f6b
Showing 1 changed file with 35 additions and 15 deletions.
50 changes: 35 additions & 15 deletions modules/signatures/windows/lolbas.py
Expand Up @@ -131,8 +131,7 @@ class LOLBAS_EvadeExecutionViaFilterManagerControl(Signature):
def run(self):
for cmdline in self.results.get("behavior", {}).get("summary", {}).get("executed_commands", []):
lower = cmdline.lower()
if "fltmc" in lower and "unload" in lower and \
any(arg in lower for arg in ("security", "sysmon", "esensor", "Elastic")):
if "fltmc" in lower and "unload" in lower and any(arg in lower for arg in ("security", "sysmon", "esensor", "Elastic")):
self.data.append({"command": cmdline})
return True
return False
Expand Down Expand Up @@ -180,8 +179,11 @@ def run(self):
cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
for cmdline in cmdlines:
lower = cmdline.lower()
if "gfxdownloadwrapper.exe" in lower and ("run" in lower and any(arg in lower for arg in ("0", "2"))
or ("http" in lower and not "https://gameplayapi.intel.com" in lower)):
if "gfxdownloadwrapper.exe" in lower and (
"run" in lower
and any(arg in lower for arg in ("0", "2"))
or ("http" in lower and not "https://gameplayapi.intel.com" in lower)
):
self.data.append({"command": cmdline})
return True
return False
Expand Down Expand Up @@ -223,8 +225,12 @@ def run(self):
cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
for cmdline in cmdlines:
lower = cmdline.lower()
if "msiexec" in lower and any(arg in lower for arg in ("/z", "/y", "-y", "-z")) and ".dll" in lower and not \
any(arg in lower for arg in ("\\Program Files\\", "\\Program Files %(x86%)\\")):
if (
"msiexec" in lower
and any(arg in lower for arg in ("/z", "/y", "-y", "-z"))
and ".dll" in lower
and not any(arg in lower for arg in ("\\Program Files\\", "\\Program Files %(x86%)\\"))
):
self.data.append({"command": cmdline})
return True
return False
Expand Down Expand Up @@ -349,12 +355,13 @@ def run(self):
lower = cmdline.lower()

# I have tried it on other browsers
if any(process in lower for process in ("chrome.exe", "msedge.exe", "brave.exe",
"browser.exe", "dragon.exe", "vivaldi.exe")) and \
(
any(spawn in lower for spawn in ("cmd", "powershell", "wscript", "cscript")) or
("headless" in lower and "http" in lower and not "http://localhost/allure#graph" in lower)
):
if any(
process in lower
for process in ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe")
) and (
any(spawn in lower for spawn in ("cmd", "powershell", "wscript", "cscript"))
or ("headless" in lower and "http" in lower and not "http://localhost/allure#graph" in lower)
):
self.data.append({"command": cmdline})
return True
return False
Expand Down Expand Up @@ -518,9 +525,22 @@ def run(self):
cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
for cmdline in cmdlines:
lower = cmdline.lower()
if (any(process in lower for process in ("sqltoolsps.exe", "sqlps.exe")) and
any(arg in lower for arg in ("-e", "-enc", "-ep", "-encoded", ";iex", "start-process", "webclient",
"downloadfile", "downloadstring", "bitstransfer", "reflection.assembly"))):
if any(process in lower for process in ("sqltoolsps.exe", "sqlps.exe")) and any(
arg in lower
for arg in (
"-e",
"-enc",
"-ep",
"-encoded",
";iex",
"start-process",
"webclient",
"downloadfile",
"downloadstring",
"bitstransfer",
"reflection.assembly",
)
):
self.data.append({"command": cmdline})
return True

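Review bot: Two of the reflowed match lists contain mixed-case literals that are tested against `lower`, the lower-cased command line, so those entries can never match: `"Elastic"` in the first hunk's `("security", "sysmon", "esensor", "Elastic")`, and both `"\\Program Files\\"` and `"\\Program Files %(x86%)\\"` in the third hunk, where the resulting `not any(...)` is always true and the Program Files exclusion never applies. The fix is to lower-case the literals, e.g. `"elastic"` and `"\\program files\\"`; `%(x86%)` additionally looks like a typo for `(x86)` and should be confirmed against the intended path. In the second hunk the formatter now makes the grouping explicit as `("run" in lower and any(arg in lower for arg in ("0", "2"))) or (...)`, and the `("0", "2")` check fires on any 0 or 2 digit anywhere in the command line, which seems broader than a run-mode argument match — worth confirming and, if so, matching a delimited token instead. Each enclosing `run` method starts outside its hunk, and the last hunk's method body continues past the page.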