From bd8a747343d8507b0c8a933b0298b857825721c3 Mon Sep 17 00:00:00 2001
From: Felix Bauer
Date: Thu, 9 Jul 2020 17:35:05 +0200
Subject: [PATCH] Add safe paths list to creates exe signature

Add a list of safe paths to the creates exe signature and prime it with the Microsoft Office Recent path where some office documents trigger the "Eigene Dateien" / "Own Documents" folder to be linked (apparently when they're somehow referencing templates).
---
 modules/signatures/windows/creates_exe.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/modules/signatures/windows/creates_exe.py b/modules/signatures/windows/creates_exe.py
index 3bd0f5a06..d29efb51c 100644
--- a/modules/signatures/windows/creates_exe.py
+++ b/modules/signatures/windows/creates_exe.py
@@ -24,9 +24,19 @@ class CreatesExe(Signature):
 "vb|vbe|vbs|ws|wsc|wse|wsh)$"
 )
+ safelist_re = [
+ "^[a-zA-Z]:\\\\Users\\\\.*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\\\\.*\\.LNK",
+ ]
+
 def on_complete(self):
 for filepath in self.check_file(pattern=self.pattern, actions=["file_written"], regex=True, all=True):
- self.mark_ioc("file", filepath)
+ on_safelist = False
+ for regex in self.safelist_re:
+ if re.match(regex, filepath, re.I):
+ on_safelist = True
+ break
+ if not on_safelist:
+ self.mark_ioc("file", filepath)
 return self.has_marks()
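Review bot: The new safelist entry has no terminating `$`, so `re.match` suppresses any written file whose path under `Office\Recent\` merely contains `.LNK` somewhere in it — including a path with further components or a second extension after `.LNK`, which is precisely the kind of file this signature exists to flag. Anchor the entry and keep it to one path component, e.g. `r"^[a-zA-Z]:\\Users\\[^\\]*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\[^\\]*\.LNK$"`, which as a raw string also drops the quadruple backslashes. The flag-and-break loop can then collapse to `if not any(re.match(rx, filepath, re.I) for rx in self.safelist_re):` followed by the existing `self.mark_ioc("file", filepath)`. The hunk calls `re` but the file's import block lies outside it; if `re` is not already imported at the top of the module, `import re` is needed there.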