Merge pull request #54 from CybercentreCanada/hh_pe_heurs

Updating regex to match naming convention as well as adding heuristic…
CybercentreCanada · Jul 12, 2021 · ed53ded · ed53ded
2 parents 4c8e4ca + ed5820f
commit ed53ded
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 10 deletions.
diff --git a/assemblyline_v4_service/common/dynamic_service_helper.py b/assemblyline_v4_service/common/dynamic_service_helper.py
@@ -2,13 +2,13 @@
 from re import compile
 from logging import getLogger
 from assemblyline.common import log as al_log
-from assemblyline_v4_service.common.result import ResultSection
+from assemblyline_v4_service.common.result import ResultSection, Heuristic
 from assemblyline_v4_service.common.request import ServiceRequest
 from assemblyline_v4_service.common.task import MaxExtractedExceeded
 
-HOLLOWSHUNTER_EXE_REGEX = "hollowshunter\/hh_process_[0-9]{3,}_[a-zA-Z0-9]*\.*[a-zA-Z0-9]+\.exe$"
-HOLLOWSHUNTER_SHC_REGEX = "hollowshunter\/hh_process_[0-9]{3,}_[a-zA-Z0-9]*\.*[a-zA-Z0-9]+\.shc$"
-HOLLOWSHUNTER_DLL_REGEX = "hollowshunter\/hh_process_[0-9]{3,}_[a-zA-Z0-9]*\.*[a-zA-Z0-9]+\.dll$"
+HOLLOWSHUNTER_EXE_REGEX = "[0-9]{1,}_hollowshunter\/hh_process_[0-9]{3,}_[a-zA-Z0-9]*\.*[a-zA-Z0-9]+\.exe$"
+HOLLOWSHUNTER_SHC_REGEX = "[0-9]{1,}_hollowshunter\/hh_process_[0-9]{3,}_[a-zA-Z0-9]*\.*[a-zA-Z0-9]+\.shc$"
+HOLLOWSHUNTER_DLL_REGEX = "[0-9]{1,}_hollowshunter\/hh_process_[0-9]{3,}_[a-zA-Z0-9]*\.*[a-zA-Z0-9]+\.dll$"
 
 al_log.init_logging('service.dynamic_service_helper')
 log = getLogger('assemblyline.service.dynamic_service_helper')
@@ -254,6 +254,11 @@ def _handle_artefact(artefact: Artefact = None, artefacts_result_section: Result
             if pattern.match(artefact.name):
                 artefact_result_section = ResultSection(title)
                 artefact_result_section.add_tag("dynamic.process.file_name", artefact.path)
+                if regex in [HOLLOWSHUNTER_EXE_REGEX]:
+                    # As of right now, heuristic ID 17 is associated with the Injection category in the Cuckoo service
+                    heur = Heuristic(17)
+                    heur.add_signature_id("hollowshunter_pe")
+                    artefact_result_section.heuristic = heur
 
         if artefact_result_section is not None:
             artefacts_result_section.add_subsection(artefact_result_section)

diff --git a/test/test_dynamic_service_helper.py b/test/test_dynamic_service_helper.py
@@ -99,7 +99,7 @@ def check_section_equality(this, that) -> bool:
 def setup_module():
     if not os.path.exists(TEMP_SERVICE_CONFIG_PATH):
         open_manifest = open(TEMP_SERVICE_CONFIG_PATH, "w")
-        open_manifest.write("name: Sample\nversion: sample\ndocker_config: \n  image: sample")
+        open_manifest.write("name: Sample\nversion: sample\ndocker_config: \n  image: sample\nheuristics:\n  - heur_id: 17\n    name: blah\n    description: blah\n    filetype: '*'\n    score: 250")
 
 
 def teardown_module():
@@ -423,14 +423,14 @@ def test_validate_artefacts(artefact_list):
         [
             (None, None),
             ({"path": "blah", "name": "blah", "description": "blah", "to_be_extracted": True}, None),
-            ({"path": "blah", "name": "hollowshunter/hh_process_123_blah.exe", "description": "blah", "to_be_extracted": True}, "HollowsHunter Injected Portable Executable"),
-            ({"path": "blah", "name": "hollowshunter/hh_process_123_blah.shc", "description": "blah", "to_be_extracted": True}, "HollowsHunter Shellcode"),
-            ({"path": "blah", "name": "hollowshunter/hh_process_123_blah.dll", "description": "blah", "to_be_extracted": True}, "HollowsHunter DLL"),
+            ({"path": "blah", "name": "123_hollowshunter/hh_process_123_blah.exe", "description": "blah", "to_be_extracted": True}, "HollowsHunter Injected Portable Executable"),
+            ({"path": "blah", "name": "123_hollowshunter/hh_process_123_blah.shc", "description": "blah", "to_be_extracted": True}, "HollowsHunter Shellcode"),
+            ({"path": "blah", "name": "123_hollowshunter/hh_process_123_blah.dll", "description": "blah", "to_be_extracted": True}, "HollowsHunter DLL"),
         ]
     )
     def test_handle_artefact(artefact, expected_result_section_title):
         from assemblyline_v4_service.common.dynamic_service_helper import SandboxOntology, Artefact
-        from assemblyline_v4_service.common.result import ResultSection
+        from assemblyline_v4_service.common.result import ResultSection, Heuristic
 
         if artefact is None:
             with pytest.raises(Exception):
@@ -441,7 +441,10 @@ def test_handle_artefact(artefact, expected_result_section_title):
         if expected_result_section_title is not None:
             expected_result_section = ResultSection(expected_result_section_title)
             expected_result_section.add_tag("dynamic.process.file_name", artefact["path"])
-
+            if expected_result_section_title == "HollowsHunter Injected Portable Executable":
+                heur = Heuristic(17)
+                heur.add_signature_id("hollowshunter_pe")
+                expected_result_section.heuristic = heur
         parent_result_section = ResultSection("blah")
         a = Artefact(
             name=artefact["name"],