From cb29506640d5c4c9f20dcd0b7e1cd288cccbe9c3 Mon Sep 17 00:00:00 2001
From: Koen Van Impe
Date: Sun, 27 Nov 2016 22:42:43 +0100
Subject: [PATCH] Extra VTI detections
---
 .../modules/import_mod/vmray_import.py | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/misp_modules/modules/import_mod/vmray_import.py b/misp_modules/modules/import_mod/vmray_import.py
index a7b7110..a263294 100644
--- a/misp_modules/modules/import_mod/vmray_import.py
+++ b/misp_modules/modules/import_mod/vmray_import.py
@@ -174,6 +174,8 @@ def vmrayVtiPatterns(vti_patterns):
 content = vmrayGeneric(pattern, "url", 1)
 elif pattern["category"] == "_network" and pattern["operation"] == "_connect":
 content = vmrayConnect(pattern)
+ elif pattern["category"] == "_network" and pattern["operation"] == "_install_server":
+ content = vmrayGeneric(pattern)
 elif only_network_info is False and pattern["category"] == "_process" and pattern["operation"] == "_alloc_wx_page":
 content = vmrayGeneric(pattern)
@@ -181,6 +183,10 @@ def vmrayVtiPatterns(vti_patterns):
 content = vmrayGeneric(pattern, "mutex", 1)
 elif only_network_info is False and pattern["category"] == "_process" and pattern["operation"] == "_crashed_process":
 content = vmrayGeneric(pattern)
+ elif only_network_info is False and pattern["category"] == "_process" and pattern["operation"] == "_read_from_remote_process":
+ content = vmrayGeneric(pattern)
+ elif only_network_info is False and pattern["category"] == "_process" and pattern["operation"] == "_create_process_with_hidden_window":
+ content = vmrayGeneric(pattern)
 elif only_network_info is False and pattern["category"] == "_anti_analysis" and pattern["operation"] == "_delay_execution":
 content = vmrayGeneric(pattern)
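Review bot: The new branches here and in the next two hunks (`@@ -181` and `@@ -194`) each repeat the same `pattern["category"] == … and pattern["operation"] == …` test and differ only in the key and in the `attr`/`attrpos` handed to `vmrayGeneric`, so the chain is now long enough that a `(category, operation)` lookup table would read better and make it harder to mis-gate a branch. Note that the added `_install_server` branch, like the existing `_connect` one, is not gated on `only_network_info`, while every other added branch is; a table should keep that distinction explicit rather than bury it in one of a dozen conditions. A sketch follows; `vmrayVtiPatterns` starts and ends outside the hunk, so the setup of `content` and `only_network_info` it relies on is not visible here.
```python
# (category, operation) -> (attr, attrpos) for detections that only call vmrayGeneric;
# "" as attr means the description is imported as text only
_VTI_GENERIC = {
    ("_network", "_install_server"): ("", 1),
    ("_process", "_read_from_remote_process"): ("", 1),
    ("_process", "_create_process_with_hidden_window"): ("", 1),
    ("_hide_tracks", "_hide_data_in_registry"): ("regkey", 1),
    # … unchanged: remaining (category, operation) pairs from the elif chain …
}
key = (pattern["category"], pattern["operation"])
# network detections are imported regardless of only_network_info, everything else only when it is False
if key in _VTI_GENERIC and (key[0] == "_network" or only_network_info is False):
    attr, attrpos = _VTI_GENERIC[key]
    content = vmrayGeneric(pattern, attr, attrpos)
# … unchanged: vmrayConnect branch and the remaining special cases …
```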
@@ -194,11 +200,20 @@ def vmrayVtiPatterns(vti_patterns):
 elif only_network_info is False and pattern["category"] == "_injection" and pattern["operation"] == "_modify_memory":
 content = vmrayGeneric(pattern)
+ elif only_network_info is False and pattern["category"] == "_injection" and pattern["operation"] == "_modify_memory_system":
+ content = vmrayGeneric(pattern)
+ elif only_network_info is False and pattern["category"] == "_injection" and pattern["operation"] == "_modify_memory_non_system":
+ content = vmrayGeneric(pattern)
 elif only_network_info is False and pattern["category"] == "_injection" and pattern["operation"] == "_modify_control_flow":
 content = vmrayGeneric(pattern)
+ elif only_network_info is False and pattern["category"] == "_injection" and pattern["operation"] == "_modify_control_flow_non_system":
+ content = vmrayGeneric(pattern)
 elif only_network_info is False and pattern["category"] == "_file_system" and pattern["operation"] == "_create_many_files":
 content = vmrayGeneric(pattern)
+ elif only_network_info is False and pattern["category"] == "_hide_tracks" and pattern["operation"] == "_hide_data_in_registry":
+ content = vmrayGeneric(pattern, "regkey", 1)
+ elif only_network_info is False and pattern["category"] == "_persistence" and pattern["operation"] == "_install_startup_script":
 content = vmrayGeneric(pattern, "regkey", 1)
 elif only_network_info is False and pattern["category"] == "_os" and pattern["operation"] == "_enable_process_privileges":
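Review bot: The new `_hide_data_in_registry` branch takes the registry key from quote position 1 of `technique_desc`, which presumes the key is the first quoted element of that sandbox-generated description; if VMRay phrases it with the stored data before the key, an arbitrary string from the sample would be imported as a `regkey` attribute, so confirm against a sample description and record the assumption, e.g. `# VMRay phrases this detection with the registry key as the first quoted element`. Separately, the `_install_startup_script` head is added as a new line while its `content = vmrayGeneric(pattern, "regkey", 1)` body is context, and this hunk as rendered shows fewer context lines than its header declares, so the preceding branch may simply have been lost from this view — confirm in the full file that the body is not left under an unrelated condition. `vmrayVtiPatterns` continues outside the hunk.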
@@ -248,12 +263,14 @@ def vmrayGeneric(el, attr="", attrpos=1):
 content = el["technique_desc"]
 if content:
 if attr:
+ # Some elements are put between \"\" ; replace them to single
+ content = content.replace("\"\"","\"")
 content_split = content.split("\"")
 # Attributes are between open " and close "; so use >
 if len(content_split) > attrpos:
 content_split[attrpos] = vmraySanitizeInput(content_split[attrpos])
 r["values"].append(content_split[attrpos])
- r["types"] = [attr]
+ r["types"] = [attr]
 # Adding the value also as text to get the extra description,
 # but this is pretty useless for "url"
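Review bot: `content.replace("\"\"","\"")` is applied to the whole `technique_desc` before it is split, so any `""` that does not wrap a value — an empty quoted field, or a doubled quote used as an escape inside a value — is collapsed too, which shifts every later quote index and can make `content_split[attrpos]` pick the wrong piece as the attribute value. If VMRay only ever emits `""value""` around whole values, state that in the comment, e.g. `# VMRay wraps some values as ""value""; collapse to "value" so split() yields the value at attrpos (assumes "" never denotes an empty field)`; otherwise the normalisation needs to be narrower. The `r["types"] = [attr]` line is removed and re-added with identical text, presumably a whitespace-only change that this collapsed rendering cannot show. `vmrayGeneric`, including the setup of `r` and the `vmraySanitizeInput` call that still guards the extracted value, starts and ends outside the hunk.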