threatanalyzer_import - minor generic noise removal

5 years ago · 67cecc89d0
parent 8ed472c7d1
commit 67cecc89d0
1 changed files with 13 additions and 12 deletions
--- a/misp_modules/modules/import_mod/threatanalyzer_import.py
+++ b/misp_modules/modules/import_mod/threatanalyzer_import.py
@ -15,7 +15,7 @@ misperrors = {'error': 'Error'}
 userConfig = {}
 inputSource = ['file']

-moduleinfo = {'version': '0.6', 'author': 'Christophe Vandeplas',
+moduleinfo = {'version': '0.7', 'author': 'Christophe Vandeplas',
              'description': 'Import for ThreatAnalyzer archive.zip/analysis.json files',
              'module-type': ['import']}

@ -451,23 +451,24 @@ def cleanup_filepath(item):

 def cleanup_regkey(item):
    noise_substrings = {
-        r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\',
-        r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\',
+        r'\\CurrentVersion\\Explorer\\FileExts\\[a-z\.]+\\OpenWith',
        r'\\CurrentVersion\\Explorer\\RecentDocs\\',
        r'\\CurrentVersion\\Explorer\\UserAssist\\',
-        r'\\CurrentVersion\\Explorer\\FileExts\\[a-z\.]+\\OpenWith',
+        r'\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\Bag',
+        r'\\Software\\Classes\\CLSID\\',
+        r'\\Software\\Classes\\Local Settings\\MuiCache\\',
        r'\\Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch',
        r'\\Software\\Microsoft\\Office\\[0-9\.]+\\',
-        r'\\SOFTWARE\\Microsoft\\OfficeSoftwareProtectionPlatform\\',
        r'\\Software\\Microsoft\\Office\\Common\\Smart Tag\\',
-        r'\\Usage\\SpellingAndGrammarFiles',
-        r'^HKLM\\Software\\Microsoft\\Tracing\\',
-        r'\\Software\\Classes\\CLSID\\',
-        r'\\Software\\Classes\\Local Settings\\MuiCache\\',
-        r'\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\Bag',
-        r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\',
+        r'\\SOFTWARE\\Microsoft\\OfficeSoftwareProtectionPlatform\\',
+        r'\\Software\\Microsoft\\Shared Tools\\Panose\\',
+        r'\\Software\\Microsoft\\Tracing\\',
+        r'\\Software\\Microsoft\\Tracing\\powershell_RASAPI32\\',
        r'\\Software\\Microsoft\\Tracing\\powershell_RASMANCS\\',
-        r'\\Software\\Microsoft\\Tracing\\powershell_RASAPI32\\'
+        r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\',
+        r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\',
+        r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\',
+        r'\\Usage\\SpellingAndGrammarFiles'
    }
    if list_in_string(noise_substrings, item, regex=True):
        return None