-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathservice_manifest.yml
103 lines (94 loc) · 3.43 KB
/
service_manifest.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
name: ConfigExtractor
version: $SERVICE_TAG
description: This service runs parsers to extract malware configuration data.
# Regex defining the types of files the service accepts and rejects
accepts: .*
rejects: empty|metadata/.*|uri/.*
# At which stage the service should run (one of FILTER, EXTRACT, CORE, SECONDARY, POST, REVIEW)
# NOTE: Stages are executed in the order defined in the list
stage: CORE
# Which category the service is part of (one of Antivirus, Dynamic Analysis, External, Extraction, Filtering, Internet Connected, Networking, Static Analysis)
category: Static Analysis
# Does the service require access to the file to perform its task
# If set to false, the service will only have access to the file metadata (e.g. Hashes, size, type, ...)
file_required: true
# Maximum execution time the service has before it's considered to be timed out
timeout: 120
# is the service enabled by default
enabled: true
privileged: true
uses_temp_submission_data: true
submission_params:
- default: true
name: include_empty_config
type: bool
value: true
# Service configuration block (dictionary of config variables)
heuristics:
- heur_id: 1
name: Extracted Malware Configuration
score: 1000
filetype: "*"
description: Category - Malware - Indicates configuration block was extracted
- heur_id: 2
name: De-obfuscated Network IOCs
score: 50
filetype: "*"
signature_score_map:
# Connection usage may be indicative of maliciousness
c2: 1000
upload: 1000
download: 1000
propagate: 1000
tunnel: 1000
ransom: 1000
decoy: 10 # Used to mask actual malicious connection but the connections themselves aren't malicious
other: 10
description: Indicates a network IOC was extracted from malware configuration
- heur_id: 3
name: Missing Malware Configuration
score: 0
filetype: "*"
description: Category - Informational - Indicates configuration block wasn't extracted
signature_score_map:
exception: 0 # A runtime exception occurred
# Docker configuration block which defines:
# - the name of the docker container that will be created
# - cpu and ram allocation by the container
docker_config:
image: ${REGISTRY}cccs/assemblyline-service-configextractor:$SERVICE_TAG
cpu_cores: 1.0
ram_mb: 1024
dependencies:
updates:
container:
allow_internet_access: true
command: ["python", "-m", "configextractor_.update_server"]
image: ${REGISTRY}cccs/assemblyline-service-configextractor:$SERVICE_TAG
ports: ["5003"]
cpu_cores: 2
ram_mb: 2048
run_as_core: True
update_config:
generates_signatures: true
sources:
- name: CAPE
pattern: ^\/tmp\/\w+\/CAPE\/$
uri: https://github.com/CAPESandbox/community.git
default_classification: TLP:C
# Pending: https://github.com/RussianPanda95/Configuration_extractors/pull/3
- name: RussianPanda95
pattern: .*/RussianPanda95/$
uri: https://github.com/cccs-rs/Configuration_extractors.git
default_classification: TLP:C
- name: RatKingParser
pattern: .*/RatKingParser/$
uri: https://github.com/jeFF0Falltrades/rat_king_parser.git
default_classification: TLP:C
- name: apophis
pattern: .*/apophis/$
uri: https://github.com/apophis133/apophis-YARA-Rules.git
default_classification: TLP:C
update_interval_seconds: 21600 # Quarter-day (every 6 hours)
wait_for_update: true
signature_delimiter: file