cuckoosandbox / community

Repository of modules and signatures contributed by the community

Adding signature to detect API hammering technique #484

Closed cccs-kevin closed 2 years ago

cccs-kevin commented 3 years ago

Samples such as 9d4997249a633b7488270a550eafe4576362f7a9128eb20901669283f4746958 use an unusually high number of native API calls in order to crash the sandbox. This signature is meant to hit on this technique, called API Hammering.

cccs-kevin commented 3 years ago

As is, this signature has the tendency to raise a false positive more often than not. I still think the signature is useful, but it needs work to narrow down what API calls can be safelisted.
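As an added illustration, not the signature submitted in this PR, the following Cuckoo 2.x-style signature shows the shape such a check takes: it counts non-safelisted native (Nt*/Zw*) calls per process and marks a process only when the count exceeds a threshold and the calls are concentrated in a handful of APIs, which is one way to attack the false-positive problem described in the second comment (a hammering loop cycles through a few APIs; a busy installer spreads its calls across many). The `Signature` stand-in used when the Cuckoo import fails, the threshold, the safelist, the concentration heuristic, the helper functions and the traces are all assumptions constructed for this example, not project code.

```python
"""Example Cuckoo 2.x-style signature flagging API hammering.

Added illustration, not the signature submitted in this PR. The threshold,
safelist and concentration heuristic are assumptions chosen for the example.
"""
import collections

try:
    # Real base class when running inside a Cuckoo 2.x checkout.
    from lib.cuckoo.common.abstracts import Signature
except ImportError:
    # Assumed minimal stand-in so the example runs outside Cuckoo; it mimics
    # only the constructor and mark() behaviour the signature below relies on.
    class Signature(object):
        def __init__(self, caller=None):
            self.marks = []
            self.matched = False
            self._caller = caller

        def mark(self, **kwargs):
            mark = {"type": "generic"}
            mark.update(kwargs)
            self.marks.append(mark)


class APIHammering(Signature):
    name = "api_hammering"
    description = "Issues an unusually large number of native API calls (API hammering)"
    severity = 2
    categories = ["anti-sandbox"]
    authors = ["example"]
    minimum = "2.0"

    # Assumed tuning knobs; a real signature would calibrate these against a
    # corpus of benign samples.
    THRESHOLD = 20000        # counted native calls per process before we look closer
    TOP_N = 3                # how many distinct APIs may make up a "hammer loop"
    CONCENTRATION = 0.9      # share of counted calls those TOP_N must account for
    # Native calls benign programs routinely issue in bulk (assumed safelist).
    SAFELIST = frozenset([
        "NtClose", "NtOpenKey", "NtQueryValueKey", "NtQueryKey",
        "NtQueryAttributesFile", "NtQueryInformationFile",
    ])

    def __init__(self, *args, **kwargs):
        super(APIHammering, self).__init__(*args, **kwargs)
        self.counts = collections.Counter()   # (pid, api) -> non-safelisted native calls
        self.names = {}                       # pid -> process name for the mark

    def on_call(self, call, process):
        api = call.get("api", "")
        if not api.startswith(("Nt", "Zw")) or api in self.SAFELIST:
            return
        pid = process.get("pid")
        self.names[pid] = process.get("process_name")
        self.counts[(pid, api)] += 1

    def on_complete(self):
        per_pid = collections.defaultdict(collections.Counter)
        for (pid, api), n in self.counts.items():
            per_pid[pid][api] += n

        for pid, apis in per_pid.items():
            total = sum(apis.values())
            if total < self.THRESHOLD:
                continue
            top = apis.most_common(self.TOP_N)
            share = sum(n for _, n in top) / float(total)
            if share < self.CONCENTRATION:
                continue      # heavy but spread out: looks like real work, not a loop
            self.mark(pid=pid, process_name=self.names.get(pid), native_calls=total,
                      top_apis=dict(top), concentration=round(share, 3))
        return bool(self.marks)


def make_calls(api_counts):
    """Constructed, minimal Cuckoo-style call dicts from an {api: count} map."""
    calls = []
    for api, n in api_counts.items():
        calls.extend({"api": api, "category": "system", "status": True}
                     for _ in range(n))
    return calls


def evaluate(traces):
    """Run the signature over [(process_dict, [call_dict, ...]), ...]."""
    sig = APIHammering(None)
    for process, calls in traces:
        for call in calls:
            sig.on_call(call, process)
    return sig.on_complete(), sig.marks


# Constructed traces, not real sandbox output.
BENIGN = ({"pid": 1001, "process_name": "notepad.exe"}, make_calls(
    {"NtClose": 3000, "NtQueryValueKey": 2500, "NtReadFile": 800, "CreateFileW": 500}))
HAMMER = ({"pid": 2002, "process_name": "sample.exe"}, make_calls(
    {"NtQueryInformationProcess": 18000, "NtGetContextThread": 9000, "NtClose": 5000}))
# Busy but legitimate: 30000 calls spread evenly over 30 (placeholder) native APIs.
INSTALLER = ({"pid": 3003, "process_name": "setup.exe"}, make_calls(
    {"NtApi%02d" % i: 1000 for i in range(30)}))

if __name__ == "__main__":
    print(evaluate([BENIGN, HAMMER, INSTALLER]))
```

Only `sample.exe` is marked: `notepad.exe` stays under the threshold once safelisted calls are dropped, and `setup.exe` exceeds it but fails the concentration check. Tuning is the real work here: the safelist needs to be built from benign runs, and the threshold and concentration values are only placeholders.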