-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathservice_manifest.yml
105 lines (89 loc) · 3.7 KB
/
service_manifest.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
name: Batchdeobfuscator
version: $SERVICE_TAG
description: This service parses and interprets batch files.
# Regex defining the types of files the service accepts and rejects
accepts: code/batch
rejects: empty|metadata/.*
# At which stage the service should run (one of FILTER, EXTRACT, CORE, SECONDARY, POST, REVIEW)
# NOTE: Stages are executed in the order defined in the list
stage: CORE
# Which category the service is part of (one of Antivirus, Dynamic Analysis, External, Extraction, Filtering, Internet Connected, Networking, Static Analysis)
category: Static Analysis
# Does the service require access to the file to perform its task
# If set to false, the service will only have access to the file metadata (e.g. Hashes, size, type, ...)
file_required: true
# Maximum execution time the service has before it's considered to be timed out
timeout: 60
# is the service enabled by default
enabled: true
config:
heur6_min_number_line: 4
heuristics:
- description: >-
Commands are ungrouped and normalized first. If a normalized command yield multiple groups, it may be a very strong sign of obfuscation.
filetype: "code/batch"
heur_id: 1
name: Additional command grouping after command normalization
score: 50
- description: >-
Those binary could be used to run script or executables. They are not often used so their usage is of interest.
filetype: "code/batch"
heur_id: 2
name: Possible rare LOLBAS found
score: 50
- description: >-
The executed command is generated from the content of a variable. This is a sign of obfuscation.
filetype: "code/batch"
heur_id: 3
name: Execution of variable content
score: 250
- description: >-
Variable usage is not surprising in a script, but the use of many of them in a single line is suspicious.
filetype: "code/batch"
heur_id: 4
name: Multiple variable were used on the same line
score: 200
- description: >-
File download is not cause for suspicion, but combined with other factors like one-liner, it can be valuable to bring it up for further analysis.
filetype: "code/batch"
heur_id: 5
name: External file download in batch script
score: 0
signature_score_map:
complex_one_liner: 400
- description: >-
Batch file is a complex one-liner. Usually because it's extracted out of another file, but since it expanded to multiple lines, it is worth noting it.
filetype: "code/batch"
heur_id: 6
name: Complexe One-Liner
score: 10
- description: >-
Some items in the common Windows directories are being manipulated. This is often associated with execution of such items with the goal of hiding it.
filetype: "code/batch"
heur_id: 7
name: Windows Utility Manipulation
score: 10
- description: >-
The set /p utility can be used to create a file by redirecting its prompt toward a file. It is a suspicious way to generate a file as it is not a common behaviour.
filetype: "code/batch"
heur_id: 8
name: File creation using set /p
score: 10
- description: >-
A file that was created from this script was called directly to be executed. May not be a sign of maliciousness but it is worth looking into.
filetype: "code/batch"
heur_id: 9
name: Execution of manipulated content
score: 0
- description: >-
Rundll32 is used to load dynamic link libraries, and can often be abused by malware author to load other payloads to further the compromise.
filetype: "code/batch"
heur_id: 10
name: Rundll32 execution
score: 0
signature_score_map:
internet_download: 500
docker_config:
image: ${REGISTRY}cccs/assemblyline-service-batchdeobfuscator:$SERVICE_TAG
cpu_cores: 1.0
ram_mb: 512