Add signature for reg.exe called from command shell#474
Open
car062636 wants to merge 1 commit intocuckoosandbox:masterfrom
Open
Add signature for reg.exe called from command shell#474car062636 wants to merge 1 commit intocuckoosandbox:masterfrom
car062636 wants to merge 1 commit intocuckoosandbox:masterfrom
Conversation
What did you create/change? I have added a new signature for windows, this signature is based on https://car.mitre.org/analytics/CAR-2013-03-001/ which is an Analytic, it will be triggered when the built-in utility reg.exe is called from the command shell. According to CAR, I completed a signature code which can traverse the processtree by DFS to capture the reg.exe call from command shell event. What is the goal of this addition/change? I want to integrate the analytics of Cyber Analytics Repository into the Cuckoo report, but the analytics are based on the sensor like Sysmon, so I should map the event recorded by these sensors to the cuckoo report. Did you test your addition/change? I have verified this signature by the following method. First, I created a Windows application that adds a registry key by calling reg.exe from the command shell and downloaded Sysmon to record its event log. Secondly, by observing the event log manually, I confirmed that my windows application can trigger the analytic CAR-2013-03-001. After getting the cuckoo report of this application, I found that the processtree in the report indicates this analytic should have been triggered during the execution of the application. I also tested my signature on the malware sample(MD5:b5d77d9e5a93848aaf59cd6115e54732)which contains the behavior of query the registry. Thirdly, I submit these samples again, the cuckoo new recorded report shows that my signature can capture this event correctly.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I have added a new signature for Windows, this signature is based on https://car.mitre.org/analytics/CAR-2013-03-001/ which is an Analytic, it will be triggered when the built-in utility reg.exe is called from the command shell. According to CAR, I completed a signature code which can traverse the processtree by DFS to capture the reg.exe call from command shell event.
I have verified this signature by the following method. First, I created a Windows application that adds a registry key by calling reg.exe from the cmd.exe and downloaded Sysmon to record its event log.
Secondly, by checking the event log manually, I confirmed that my windows application can trigger the analytic CAR-2013-03-001. After getting the cuckoo report of this application, I found that the processtree in the report indicates this analytic should have been triggered during the execution of the application.
I also tested my signature on the malware sample(MD5:b5d77d9e5a93848aaf59cd6115e54732)which contains the behavior of query the registry. The cuckoo new recorded report shows that my signature can capture this event correctly.