
Signature Development

Most of the information can be found on CAPEv2's Signature page.

Main file: lib/cuckoo/common/abstracts.py

Most helper functions are located here under the Signature class.

When writing your own file, here is the basic boilerplate:

```python
# This goes in your own signature module (not in abstracts.py itself); the
# base class is imported from lib/cuckoo/common/abstracts.py.
from lib.cuckoo.common.abstracts import Signature


class SampleSignature(Signature):
    name = "signature_template"
    description = "A basic template for a signature"
    severity = 2
    categories = ["anti-debug"]
    authors = ["nocturne"]
    minimum = "1.3"
    evented = True
    ttp = ["T1106"]  # MITRE v6,7,8
    ttp += ["OB0001", "B0001"]  # MBC

    def __init__(self, *args, **kwargs):
        Signature.__init__(self, *args, **kwargs)

    def on_call(self, call, process):
        # Run code here. Whatever is appended to self.data is reported with the match.
        self.data.append({"Important information": "This is a malware."})
        # Returning True reports a match; return None instead to keep receiving calls.
        return True
```

When writing your own signatures, follow these rules when listing TTP IDs:

  1. Sorted and in sequential order
    • Except for MBC and MBC micro-behaviour IDs, where each technique is placed after the objective it belongs to (see the example below)
  2. Raise TTP groups in the following order:
    • MITRE
    • MITRE v6
    • MITRE v6,7,8
    • MITRE v7,8
    • MITRE v8
    • MITRE v9 (not yet implemented)
    • MBC
    • MBC micro-behaviour
    • Unprotect
  3. Use = only on the first line and += on every later line, so that each line extends the list instead of overwriting it
  4. Include the parent TTP ID whenever a sub-technique is present
    • E.g. if T1543.003 is present, then T1543 must be present as well

Here is a comprehensive example (the specific IDs are chosen to show the layout; they make no sense together for any single signature):

```python
ttp = ["S0103", "S0359"]  # MITRE
ttp += ["T1001", "T1063"]  # MITRE v6
ttp += ["T1083", "T1518"]  # MITRE v6,7,8
ttp += ["T1543", "T1543.003", "T1562", "T1562.001"]  # MITRE v7,8
ttp += ["T1587", "T1587.003"]  # MITRE v8
ttp += ["OB0001", "B0007", "B0007.003", "B0009", "B0009.012", "F0003", "F0003.003", "OB0003", "E1056", "E1056.m01"]  # MBC
ttp += ["OC0003", "C0042", "OC0008", "C0036", "C0036.001"]  # MBC micro-behaviour
ttp += ["U1314"]  # Unprotect
```
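The four rules above are easy to get wrong by hand, so here is a small linter for the `ttp` block of a signature source file. It is an added example, not CAPEv2 code: it reads the group label from the trailing `# ...` comment on each `ttp` line (the convention the example above uses), and the `GROUP_ORDER` list and the objective-prefix test (`OB`/`OC`) are assumptions taken from the rules, not from the project.

```python
import ast
import re

# Required order of groups (rule 2), matched against the trailing comment.
GROUP_ORDER = [
    "MITRE", "MITRE v6", "MITRE v6,7,8", "MITRE v7,8", "MITRE v8", "MITRE v9",
    "MBC", "MBC micro-behaviour", "Unprotect",
]

TTP_LINE = re.compile(r"^\s*ttp\s*(\+?=)\s*(\[.*?\])\s*#\s*(.+?)\s*$")


def parse_ttp_block(source):
    """Return [(operator, ids, label)] for every ``ttp`` line in ``source``."""
    groups = []
    for line in source.splitlines():
        m = TTP_LINE.match(line)
        if m:
            ids = list(ast.literal_eval(m.group(2)))
            label = m.group(3).split("(")[0].strip()  # drop "(not yet implemented)"
            groups.append((m.group(1), ids, label))
    return groups


def _check_sorted(ids, label):
    """Rule 1: sorted within the group; for MBC, sorted after each objective."""
    if not label.startswith("MBC"):
        return [] if ids == sorted(ids) else [f"{label}: not sorted: {ids}"]
    problems, block, seen_objective = [], [], False
    for tid in ids + [None]:  # the trailing None flushes the last block
        # Assumed: MBC objectives (OBxxxx) and micro-objectives (OCxxxx) head a
        # block, and the techniques that follow belong to it.
        if tid is None or tid.startswith(("OB", "OC")):
            if block != sorted(block):
                problems.append(f"{label}: not sorted: {block}")
            block, seen_objective = [], True
        else:
            if not seen_objective:
                problems.append(f"{label}: {tid} appears before any objective")
            block.append(tid)
    return problems


def lint_ttp_block(source):
    """Return a list of violations; an empty list means the block is clean."""
    groups = parse_ttp_block(source)
    if not groups:
        return ["no ttp lines found"]
    problems = []
    # Rule 3: the first line assigns with '=', every later line appends with '+='.
    if groups[0][0] != "=":
        problems.append("first ttp line must use '='")
    problems += [f"{label}: use '+=' so earlier TTPs are not overwritten"
                 for op, _, label in groups[1:] if op != "+="]
    # Rule 2: group labels must appear in GROUP_ORDER order.
    last = -1
    for _, _, label in groups:
        if label not in GROUP_ORDER:
            problems.append(f"unknown group label {label!r}")
            continue
        idx = GROUP_ORDER.index(label)
        if idx <= last:
            problems.append(f"{label}: group is out of order")
        last = max(last, idx)
    # Rule 1: sorted within each group.
    for _, ids, label in groups:
        problems += _check_sorted(ids, label)
    # Rule 4: every sub-technique needs its parent somewhere in the list.
    all_ids = {tid for _, ids, _ in groups for tid in ids}
    for tid in sorted(all_ids):
        parent = tid.rsplit(".", 1)[0]
        if "." in tid and parent not in all_ids:
            problems.append(f"{tid}: parent {parent} is missing")
    return problems


# Constructed input: the page's example block, which must lint clean.
GOOD = '''
    ttp = ["S0103", "S0359"]  # MITRE
    ttp += ["T1001", "T1063"] # MITRE v6
    ttp += ["T1083", "T1518"] # MITRE v6,7,8
    ttp += ["T1543", "T1543.003", "T1562", "T1562.001"] # MITRE v7,8
    ttp += ["T1587", "T1587.003"] # MITRE v8
    ttp += ["OB0001", "B0007", "B0007.003", "B0009", "B0009.012", "F0003", "F0003.003", "OB0003", "E1056", "E1056.m01"] # MBC
    ttp += ["OC0003", "C0042", "OC0008", "C0036", "C0036.001"] # MBC micro-behaviour
    ttp += ["U1314"] # Unprotect
'''

# Constructed input that breaks each rule once (five violations in total).
BAD = '''
    ttp += ["T1543.003", "T1106"] # MITRE v7,8
    ttp += ["T1001"] # MITRE v6
    ttp += ["B0001", "OB0001"] # MBC
'''

if __name__ == "__main__":
    print(lint_ttp_block(GOOD))  # []
    for problem in lint_ttp_block(BAD):
        print("-", problem)
```

Run it over a signature file (`lint_ttp_block(open(path).read())`) before submitting; the MBC check only demands sorting within each objective's block, which is exactly the exception rule 1 makes.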

Tips

  • When escaping a character in a regex string, use four backslashes rather than a single one.
    • E.g. to match a literal \, write \\\\. Python resolves it to \\, which the regex engine then reads as \. A raw string (r"\\") yields the same regex with half the backslashes.
  • Ensure that your signature does not exit prematurely. Wherever possible, use evented signatures: they are slightly higher-performance and do not face the problem of exiting prematurely.
  • Do not provide more data than is necessary. Use set() where the same item could be collected more than once.
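The three tips above, exercised in one runnable evented signature. This is an added example, not CAPEv2 code: the `Signature` class below is a constructed stand-in for `lib.cuckoo.common.abstracts.Signature` carrying only the two members the example touches, the call layout (`{"api": ..., "arguments": [{"name": ..., "value": ...}]}`) and the `NtCreateFile`/`FileName` names are assumptions, and `run_evented` is a constructed harness that drives the signature the way the tip describes (calls are delivered until `on_call` returns something other than None).

```python
import re


class Signature:
    """Constructed stand-in for the CAPE base class: data list + get_argument only."""

    def __init__(self, *args, **kwargs):
        self.data = []

    def get_argument(self, call, name):
        # Assumed call layout: {"api": ..., "arguments": [{"name": ..., "value": ...}]}
        for arg in call.get("arguments", []):
            if arg["name"] == name:
                return arg["value"]
        return None


def backslash_escaping():
    # Tip 1. The Python literal "C:\\Windows" is the regex C:\Windows, and \W is
    # the non-word character class, so it never matches the literal path.
    # Four backslashes (or a raw string with two) give the regex C:\\Windows.
    target = "C:\\Windows"  # the literal path C:\Windows
    return {
        "one_backslash": re.match("C:\\Windows", target) is not None,      # False
        "two_backslashes": re.match("C:\\\\Windows", target) is not None,  # True
        "raw_string": re.match(r"C:\\Windows", target) is not None,        # True
    }


class DriverDrop(Signature):
    """Hypothetical evented signature: flags files created under the drivers directory."""
    name = "driver_drop_example"
    description = "Creates a file in the System32 drivers directory (example)"
    severity = 2
    categories = ["persistence"]
    authors = ["example"]
    minimum = "1.3"
    evented = True
    ttp = ["T1543", "T1543.003"]  # MITRE v7,8

    # Four backslashes per literal backslash (tip 1).
    PATTERN = re.compile("^[A-Z]:\\\\Windows\\\\System32\\\\drivers\\\\", re.IGNORECASE)

    def __init__(self, *args, **kwargs):
        Signature.__init__(self, *args, **kwargs)
        self.paths = set()  # tip 3: a path created twice is reported once

    def on_call(self, call, process):
        if call["api"] == "NtCreateFile":
            path = self.get_argument(call, "FileName")
            if path and self.PATTERN.match(path):
                self.paths.add(path)
        # Tip 2: return None so calls keep arriving. Returning True here would
        # report a match after the first hit and stop delivery (premature exit).
        return None

    def on_complete(self):
        for path in sorted(self.paths):
            self.data.append({"file": path})
        return bool(self.paths)


def run_evented(sig, calls, process=None):
    """Constructed harness: deliver calls until the signature answers, then finish."""
    for call in calls:
        if sig.on_call(call, process) is not None:
            break
    return sig.on_complete()


def nt_create_file(path):
    # Constructed call record in the assumed layout.
    return {"api": "NtCreateFile", "arguments": [{"name": "FileName", "value": path}]}


# Constructed call stream: one benign path, one driver path created twice.
CALLS = [
    nt_create_file("C:\\Users\\victim\\AppData\\Local\\Temp\\stage.tmp"),
    nt_create_file("C:\\Windows\\System32\\drivers\\rootkit.sys"),
    nt_create_file("C:\\Windows\\System32\\drivers\\rootkit.sys"),
]


def run_example():
    """Run DriverDrop over CALLS; returns (matched, reported data)."""
    sig = DriverDrop()
    return run_evented(sig, CALLS), sig.data


if __name__ == "__main__":
    print(backslash_escaping())
    print(run_example())
```

Note that the decision is taken in `on_complete`, after every call has been seen, which is what lets the signature collect all matching paths into the set instead of reporting the first one and stopping.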