-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathservice_manifest.yml
96 lines (81 loc) · 2.57 KB
/
service_manifest.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
name: Overpower
version: $SERVICE_TAG
description: De-obfuscates PowerShell files, profiles them and runs them.
# Regex defining the types of files the service accepts and rejects
accepts: code/ps1
rejects: empty|metadata/.*
# At which stage the service should run (one of FILTER, EXTRACT, CORE, SECONDARY, POST, REVIEW)
# NOTE: Stages are executed in the order defined in the list
stage: CORE
# Which category the service is part of (one of Antivirus, Dynamic Analysis, External, Extraction, Filtering, Internet Connected, Networking, Static Analysis)
category: Static Analysis
# Does the service require access to the file to perform its task
# If set to false, the service will only have access to the file metadata (e.g. Hashes, size, type, ...)
file_required: true
# Maximum execution time the service has before it's considered to be timed out
timeout: 300
# is the service enabled by default
enabled: true
uses_temp_submission_data: true
submission_params:
# Generic parameters
- default: 90
name: tool_timeout
type: int
value: 90
- default: false
name: add_supplementary
type: bool
value: false
# PSDecode option
- default: true
name: fake_web_download
type: bool
value: true
heuristics:
- heur_id: 1
name: IOC(s) Extracted
score: 1
filetype: '.*'
description: At least one IOC has been extracted.
- heur_id: 2
name: File is infected
score: 500
filetype: '.*'
description: PowerShellProfiler has determined that the file is malicious
- heur_id: 3
name: File contains suspicious content
score: 1
filetype: '.*'
description: PowerShellProfiler has detected suspicious content
- heur_id: 4
name: Batch file was written to disk
score: 1
filetype: '.*'
description: PSDecode wrote a batch file to disk
signature_score_map:
suspicious_url_found: 500
- heur_id: 5
name: Actions detected by PSDecode
score: 1
filetype: '.*'
description: PSDecode detected actions and was able to override them
signature_score_map:
suspicious_behaviour_combo_url: 500
telegram_post: 500
- heur_id: 6
name: Mshta Downloader
score: 500
filetype: '.*'
description: Ps1 Profiler detected Mshta.exe being used for downloading
- heur_id: 7
name: Network Actions detected by Box-PS
score: 1
filetype: '.*'
description: Box-PS detected aggressive network indicators
signature_score_map:
suspicious_behaviour_combo_url: 500
docker_config:
image: ${REGISTRY}cccs/assemblyline-service-overpower:$SERVICE_TAG
cpu_cores: 1.0
ram_mb: 2048