cuckoosandbox / community

Repository of modules and signatures contributed by the community

Recon Fingerprint False #183

Open kholbrook1303 opened 8 years ago

kholbrook1303 commented 8 years ago

In the Recon Fingerprint signature, there is a generic reference to `".*\DigitalProductId$"` which is being incorrectly violated when Office documents are analyzed. Microsoft in and of itself validates the version when executing, and the value read is DigitalProductId within the Office keys.

```
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration{FDF3ECB9-B56F-43B2-A9B8-1B48B6BAE1A7}\DigitalProductID
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration{191301D3-A579-428C-B0C7-D7988500F9E3}\DigitalProductID
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration{90140000-0011-0000-1000-0000000FF1CE}\DigitalProductID
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration{90140000-0011-0000-0000-0000000FF1CE}\DigitalProductID
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration{6F327760-8C5C-417C-9B61-836A98287E0C}\DigitalProductID
```

Perhaps specifically calling out the locations vs wildcarding them at the value would help?

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
```
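The false positive and the proposed fix side by side, as an added example that is not part of the issue or of the Cuckoo community repository: the current wildcard pattern is run against a constructed sample of registry keys taken from the report above, next to the explicit per-location patterns the post suggests. It assumes the signature's key matching is case-insensitive (the Office values end in `DigitalProductID` yet still trigger), and that the real Office path has a backslash before the GUID.

```python
import re

# Constructed sample of keys as a Cuckoo report would list them for an Office
# document run (GUIDs from the issue) plus two genuine fingerprinting locations.
OBSERVED_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration"
    r"\{FDF3ECB9-B56F-43B2-A9B8-1B48B6BAE1A7}\DigitalProductID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Registration"
    r"\{90140000-0011-0000-1000-0000000FF1CE}\DigitalProductID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid",
]

# Pattern currently used by the signature: any key whose last component is
# DigitalProductId, wherever it lives in the hive.
WILDCARD_PATTERNS = [r".*\\DigitalProductId$"]

# Proposed replacement: the specific locations the issue calls out, anchored
# to the full path so Office registration keys cannot match.
EXPLICIT_PATTERNS = [
    r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId$",
    r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid$",
    r"HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosDate$",
]


def matched_keys(patterns, keys):
    """Return the keys hit by any pattern.

    Matching is case-insensitive and anchored at the start, which is the
    assumed behaviour of the signature's regex key check.
    """
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [k for k in keys if any(c.match(k) for c in compiled)]


def compare(keys=OBSERVED_KEYS):
    """Show what each pattern set flags on the same report; the signature
    would fire whenever its list is non-empty."""
    return {
        "wildcard": matched_keys(WILDCARD_PATTERNS, keys),
        "explicit": matched_keys(EXPLICIT_PATTERNS, keys),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(name, len(hits), "hit(s)")
        for key in hits:
            print("   ", key)
```

The wildcard set flags both Office registration keys along with the real CurrentVersion value, while the explicit set flags only the CurrentVersion and MachineGuid reads.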

botherder commented 8 years ago

Good point, thank you.