service_manifest.yml
name: Extract
version: $SERVICE_TAG
description: This service extracts embedded files from file containers (like ZIP, RAR, 7z, ...).
accepts: (archive|executable|java)/.*|code/vbe|code/html|code/hta|code/wsf|code/a3x|document/installer/windows|document/pdf.*|document/office/onenote|document/office/passwordprotected|document/epub|document/mobi|android/apk|ios/ipa|gpg/symmetric|resource/pyc
rejects: empty|metadata/.*

stage: EXTRACT
category: Extraction

file_required: true
timeout: 60
disable_cache: false

enabled: true
is_external: false
licence_count: 0
privileged: true
uses_temp_submission_data: true

config:
  # Must be all strings
  default_pw_list:
    [
      password,
      infected,
      VelvetSweatshop,
      "/01Hannes Ruescher/01",
      "123",
      "1234",
      "12345",
      "123456",
      "4321",
    ]
  small_size_bypass_drop: 10485760
  max_file_count_bypass_drop: 5
  heur16_max_file_count: 5
  heur22_min_overlay_size: 31457280
  heur22_min_overlay_entropy: 0.5
  heur22_min_general_bloat_entropy: 0.2
  heur22_max_compression_ratio: 0.1

submission_params:
  - default: ""
    name: password
    type: str
    value: ""
  - default: false
    name: extract_executable_sections
    type: bool
    value: false
  - default: false
    name: continue_after_extract
    type: bool
    value: false
  - default: true
    name: use_custom_safelisting
    type: bool
    value: true
  - default: false
    name: score_failed_password
    type: bool
    value: false

heuristics:
  - heur_id: 1
    name: Extracted from archive
    score: 0
    filetype: archive/
    description: Files were extracted from a standard archive file

  - heur_id: 2
    name: Extracted from executable
    score: 0
    filetype: executable/
    description: Files were extracted from an executable file

  - heur_id: 3
    name: Extracted from JAR
    score: 0
    filetype: java/
    description: Files were extracted from a JAR file

  - heur_id: 4
    name: Extracted from APK
    score: 0
    filetype: android/
    description: Files were extracted from an APK file

  - heur_id: 6
    name: Office password removed
    score: 0
    filetype: document/office/passwordprotected
    description: Extracted from a password-protected Office document

  - heur_id: 7
    name: Extracted from PDF
    score: 0
    filetype: document/pdf
    description: Files were extracted from a PDF document

  - heur_id: 8
    name: Extracted from SWF
    score: 0
    filetype: archive/audiovisual/flash
    description: Files were extracted from a Flash (SWF) container

  - heur_id: 9
    name: Extracted from IPA
    score: 0
    filetype: ios/ipa
    description: Files were extracted from an Apple IPA file

  - heur_id: 10
    name: Extracted from Protected Archive
    score: 0
    filetype: "archive/.*"
    description: Password-protected archive successfully extracted

  - heur_id: 11
    name: VBE Decoded
    score: 0
    filetype: code/vbe
    description: VBE file was decoded

  - heur_id: 12
    name: Password Protected File Extraction Failed
    score: 0
    signature_score_map:
      raise_score: 500
    filetype: ".*"
    description: Failed to extract a password-protected file.

  - heur_id: 13
    name: Single Executable Inside Archive File
    score: 500
    filetype: ".*"
    description: Archive file with a single executable inside. Potentially malicious.

  - heur_id: 14
    name: "Uncommon format: archive/ace"
    score: 500
    filetype: archive/ace
    description: "Uncommon format: archive/ace"

  - heur_id: 15
    name: Symlink(s) Found
    score: 0
    filetype: ".*"
    description: The extracted file(s) contain one or more symbolic links pointing at a file on the host

  - heur_id: 16
    name: Suspicious combination of executables in Archive File
    score: 500
    filetype: ".*"
    description: Suspicious combination of executables. Potentially malicious.

  - heur_id: 17
    name: Encoded JScript used
    score: 500
    filetype: "code/.*"
    description: Encoded JScript is ancient and shouldn't be used anymore. The odds of a legitimate use are abysmally low.

  - heur_id: 18
    name: Hidden files found in archive
    score: 0
    filetype: ".*"
    description: Some files in the archive were found with the Hidden attribute set.

  - heur_id: 19
    name: Unexpected container
    score: 0
    filetype: ".*"
    description: Files were extracted from an unexpected container.

  - heur_id: 20
    name: Multilingual WSF script
    score: 0
    filetype: "code/wsf"
    description: A WSF script with multiple languages was found. Static analysis is going to be hard to apply to that sample.

  - heur_id: 21
    name: External script loading
    score: 0
    signature_score_map:
      local: 0
      web: 25
    filetype: "code/wsf"
    description: A WSF script loads an external script, either from a local path or from the web.

  - heur_id: 22
    name: Bloated file
    score: 500
    filetype: ".*"
    description: >-
      The file is bloated in some way. Either a PE using a large overlay with low entropy, a PE with bloated sections or .rsrc, or a script with a lot of null-byte padding at the end. It is usually an attempt to bypass certain detection techniques.

  - heur_id: 23
    name: Executable File(s) found in Office Document
    score: 1000
    filetype: "document/office/.*"
    description: Office document with executable(s) inside. Malicious!

  - heur_id: 24
    name: Unable to recover file listing
    score: 0
    filetype: ".*"
    description: The file listing is probably stored in an encrypted header, so we can't recover the expected files.

  - heur_id: 25
    name: CVE exploit vector found
    score: 1000
    filetype: ".*"
    description: >-
      A CVE exploit detection that was specifically coded in this module was raised (i.e. CVE-2023-23397, CVE-2023-38831). This needs to be investigated.

  - heur_id: 26
    name: Extracted AutoIt script from PE file
    score: 100
    filetype: executable/windows/(dll32|dll64|pe32|pe64)
    description: AutoIt script extracted from a PE file

  - heur_id: 27
    name: Extracted AutoIt script from compiled script
    score: 100
    filetype: code/a3x
    description: AutoIt script extracted from a compiled script

  - heur_id: 28
    name: Extractable _RDATA section found
    score: 200
    filetype: executable/windows
    description: >-
      _RDATA is a non-standard section name for PEs, and the fact that it is extractable
      is trending towards suspicious.

docker_config:
  image: ${REGISTRY}cccs/assemblyline-service-extract:$SERVICE_TAG
  cpu_cores: 1
  ram_mb: 1024
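The `heur22_*` values in the `config` block above are only thresholds; the manifest does not say what they are measured against. The following is an added example, not the Extract service's own code, showing what those three numbers mean on a carved PE overlay. It assumes that entropy is Shannon entropy in bits per byte (0.0 to 8.0, the scale pefile reports), that the compression ratio is zlib-compressed size over original size, that the overlay has already been carved from the PE (for instance with pefile's `get_overlay()`), and that an overlay of at least `heur22_min_overlay_size` bytes is flagged when it is below the entropy floor or below the compression-ratio ceiling. The sample overlays are constructed inline; confirm the real combination logic against the service source before relying on it.

```python
"""Added example (not the Extract service's own code): what the heur22_*
thresholds in service_manifest.yml measure on a PE overlay.

Assumptions (not confirmed against the service source):
  * entropy is Shannon entropy in bits per byte, 0.0 .. 8.0 (pefile's scale);
  * compression ratio is len(zlib.compress(data)) / len(data);
  * the overlay has already been carved from the PE;
  * an overlay >= heur22_min_overlay_size is "bloated" when its entropy is
    below heur22_min_overlay_entropy OR it compresses below
    heur22_max_compression_ratio.
"""
import math
import random
import zlib
from collections import Counter

# Thresholds copied from the manifest's config block.
HEUR22_MIN_OVERLAY_SIZE = 31457280        # 30 MiB
HEUR22_MIN_OVERLAY_ENTROPY = 0.5          # bits per byte (assumed scale)
HEUR22_MAX_COMPRESSION_RATIO = 0.1        # compressed / original (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """zlib-compressed size over original size; repetitive padding drives this toward 0."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 1)) / len(data)


def trailing_null_padding(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of data (the script-padding case in heur22)."""
    return len(data) - len(data.rstrip(b"\x00"))


def bloated_overlay_verdict(overlay: bytes,
                            min_size: int = HEUR22_MIN_OVERLAY_SIZE,
                            min_entropy: float = HEUR22_MIN_OVERLAY_ENTROPY,
                            max_ratio: float = HEUR22_MAX_COMPRESSION_RATIO) -> dict:
    """Measure an overlay and report whether it crosses the heur22 thresholds.

    Overlays smaller than min_size are never flagged, so a small legitimate
    trailer (a signature, an installer footer) passes regardless of entropy.
    The OR-combination of the two remaining tests is this example's assumption.
    """
    size = len(overlay)
    entropy = shannon_entropy(overlay)
    ratio = compression_ratio(overlay)
    bloated = size >= min_size and (entropy < min_entropy or ratio < max_ratio)
    return {"size": size, "entropy": entropy, "compression_ratio": ratio, "bloated": bloated}


def padding_overlay(size: int) -> bytes:
    """Constructed sample: zero padding with one marker byte every 4 KiB (very low entropy)."""
    return (b"\x00" * 4095 + b"A") * (size // 4096)


def pseudo_random_overlay(size: int, seed: int = 1234) -> bytes:
    """Constructed sample standing in for a packed or encrypted payload (near 8 bits/byte).
    Seeded so the measurements are reproducible."""
    return random.Random(seed).randbytes(size)


if __name__ == "__main__":
    # 30 MiB of padding trips the heuristic; 30 MiB of high-entropy data does not.
    print(bloated_overlay_verdict(padding_overlay(HEUR22_MIN_OVERLAY_SIZE)))
    print(bloated_overlay_verdict(pseudo_random_overlay(HEUR22_MIN_OVERLAY_SIZE)))
```

Run stand-alone, the first verdict comes back `bloated: True` with entropy near zero and a compression ratio well under 0.01, and the second comes back `bloated: False` with entropy close to 8.0 and a ratio slightly above 1.0 (zlib adds framing to incompressible data). The size gate matters in practice: the thresholds catch tens of megabytes of padding appended to evade size-limited scanners, not ordinary small trailers.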