I have added a new signature for Windows. This signature is based on https://car.mitre.org/analytics/CAR-2013-03-001/, which is an analytic that is triggered when the built-in utility reg.exe is called from the command shell. According to CAR, I completed signature code that can traverse the process tree by DFS to capture the event of reg.exe being called from the command shell.
I have verified this signature by the following method. First, I created a Windows application that adds a registry key by calling reg.exe from cmd.exe, and downloaded Sysmon to record its event log.
Secondly, by checking the event log manually, I confirmed that my Windows application can trigger the analytic CAR-2013-03-001. After getting the Cuckoo report of this application, I found that the process tree in the report indicates this analytic should have been triggered during the execution of the application.
I also tested my signature on the malware sample (MD5: b5d77d9e5a93848aaf59cd6115e54732), which contains the behavior of querying the registry. The newly recorded Cuckoo report shows that my signature can capture this event correctly.
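Example code added here, not the signature from this PR nor Cuckoo's own code: a DFS over a Cuckoo-style process tree that flags reg.exe spawned by cmd.exe, the CAR-2013-03-001 condition. The node layout (process_name, pid, command_line, children) is an assumption modelled on the processtree section of a Cuckoo report, and the sample tree is constructed.

```python
# Constructed example of the CAR-2013-03-001 check as a process-tree walk.
# Node layout is assumed to mirror Cuckoo's "behavior.processtree" section:
# {"process_name": str, "pid": int, "command_line": str, "children": [...]}.

SHELLS = {"cmd.exe"}   # parent process names that count as "command shell"
TARGET = "reg.exe"     # child process the analytic looks for


def find_reg_from_shell(processtree):
    """Return (parent, child) node pairs where a shell spawned reg.exe.

    Iterative DFS over every root with an explicit stack, so a deep tree
    cannot hit Python's recursion limit; results come back in report order.
    """
    hits = []
    stack = [(None, node) for node in reversed(processtree)]
    while stack:
        parent, node = stack.pop()
        name = node.get("process_name", "").lower()
        if (name == TARGET and parent is not None
                and parent.get("process_name", "").lower() in SHELLS):
            hits.append((parent, node))
        # push children reversed so the first child is visited first
        for child in reversed(node.get("children", [])):
            stack.append((node, child))
    return hits


# Constructed sample tree: cmd.exe spawns reg.exe (should match) and the
# sample also runs reg.exe directly without a shell (must not match).
SAMPLE_TREE = [
    {"process_name": "sample.exe", "pid": 100, "command_line": "sample.exe",
     "children": [
        {"process_name": "cmd.exe", "pid": 200,
         "command_line": "cmd.exe /c reg add HKCU\\Software\\Demo /v Test /d 1",
         "children": [
            {"process_name": "reg.exe", "pid": 300,
             "command_line": "reg add HKCU\\Software\\Demo /v Test /d 1",
             "children": []},
         ]},
        {"process_name": "reg.exe", "pid": 400,
         "command_line": "reg query HKLM\\Software\\Demo", "children": []},
     ]},
]

if __name__ == "__main__":
    for parent, child in find_reg_from_shell(SAMPLE_TREE):
        print("pid %d %s -> pid %d: %s" % (parent["pid"], parent["process_name"],
                                          child["pid"], child["command_line"]))
```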