Commit 84077c743b7f58506de4b326f6da91d2456b7818
1 parent
08c23bde
olevba: updated suspicious keywords
Showing
1 changed file
with
11 additions
and
3 deletions
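--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -167,6 +167,7 @@ https://github.com/unixfreak0037/officeparser
 # 2016-03-04 v0.45 CH: - added JSON output (by Christian Herdtweck)
 # 2016-03-16 CH: - added option --no-deobfuscate (temporary)
 # 2016-04-19 v0.46 PL: - new option --deobf instead of --no-deobfuscate
+# - updated suspicious keywords
 
 __version__ = '0.46'
 
@@ -378,8 +379,13 @@ SUSPICIOUS_KEYWORDS = {
 'May run PowerShell commands':
 #sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
 #also: https://bitbucket.org/decalage/oletools/issues/14/olevba-library-update-ioc
- #TODO: add support for keywords starting with a non-alpha character, such as "-noexit"
- ('PowerShell', 'noexit', 'ExecutionPolicy', 'noprofile'),
+ # ref: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
+ # TODO: add support for keywords starting with a non-alpha character, such as "-noexit"
+ # TODO: '-command', '-EncodedCommand', '-scriptblock'
+ ('PowerShell', 'noexit', 'ExecutionPolicy', 'noprofile', 'command', 'EncodedCommand',
+ 'invoke-command', 'scriptblock', 'Invoke-Expression', 'AuthorizationManager'),
+ 'May run an executable file or a system command using PowerShell':
+ ('Start-Process',),
 'May hide the application':
 ('Application.Visible', 'ShowWindow', 'SW_HIDE'),
 'May create a directory':
@@ -391,6 +397,8 @@ SUSPICIOUS_KEYWORDS = {
 ('Application.AltStartupPath',),
 'May create an OLE object':
 ('CreateObject',),
+ 'May create an OLE object using PowerShell':
+ ('New-Object',),
 'May run an application (if combined with CreateObject)':
 ('Shell.Application',),
 'May enumerate application windows (if combined with Shell.Application object)':
@@ -409,7 +417,7 @@ SUSPICIOUS_KEYWORDS = {
 ),
 'May download files from the Internet using PowerShell':
 #sample: https://malwr.com/analysis/M2NjZWNmMjA0YjVjNGVhYmJlZmFhNWY4NmQxZDllZTY/
- ('New-Object System.Net.WebClient', 'DownloadFile'),
+ ('Net.WebClient', 'DownloadFile', 'DownloadString'),
 'May control another application by simulating user keystrokes':
 ('SendKeys', 'AppActivate'),
 #SendKeys: http://msdn.microsoft.com/en-us/library/office/gg278655%28v=office.15%29.aspx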
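Review bot: The bare keyword `'command'` added to the 'May run PowerShell commands' tuple in the second hunk is only the stem of the `-Command` switch that the TODO two lines above says cannot be matched yet, and as a plain word it will also flag any unrelated use of "command" in VBA source or string literals, which is then reported under a PowerShell label; `'scriptblock'` has the same weakness, though that word is rarer in benign code. If keywords are matched as case-insensitive whole words as the mixed casing in this table suggests (the matching code is outside these hunks), `'command'` is a weak indicator on its own, so consider dropping it until dash-prefixed keywords are supported, or keep it with a comment such as `# NOTE: 'command' and 'scriptblock' are bare stems of -Command/-ScriptBlock and will also match unrelated VBA identifiers`. Separately, `'New-Object'` in the third hunk creates any .NET object and a COM object only with `-ComObject`, so the label 'May create an OLE object using PowerShell' overstates what the keyword proves. The enclosing `SUSPICIOUS_KEYWORDS` dict starts and ends outside these hunks.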