Merge pull request #2118 from CybercentreCanada/maco_sync

cccs-rs · web-flow · commit 51ff3b2d11cb · 2026-04-23T12:57:49.000-04:00
Sync MalwareConfig model with current MACO spec
diff --git a/assemblyline/odm/models/ontology/results/malware_config.py b/assemblyline/odm/models/ontology/results/malware_config.py
@@ -1,14 +1,17 @@
 from assemblyline import odm
 from assemblyline.common.attack_map import attack_map
-from assemblyline.odm.models.ontology.results.network import REQUEST_METHODS, LOOKUP_TYPES
+from assemblyline.odm.models.ontology.results.network import (
+    LOOKUP_TYPES,
+    REQUEST_METHODS,
+)
 
 # Based on model in MaCo framework
 CATEGORIES = ["adware", "apt", "backdoor", "banker", "bootkit", "bot", "browser_hijacker", "bruteforcer",
               "clickfraud", "cryptominer", "ddos", "downloader", "dropper", "exploitkit", "fakeav", "hacktool",
               "infostealer", "keylogger", "loader", "obfuscator", "pos", "proxy", "rat", "ransomware",
               "reverse_proxy", "rootkit", "scanner", "scareware", "spammer", "trojan", "virus", "wiper",
               "webshell", "worm"]
-CONNECTION_USAGE = ["c2", "upload", "download", "propagate", "tunnel", "other", "ransom", "decoy"]
+CONNECTION_USAGE = ["c2", "upload", "download", "propagate", "tunnel", "other", "ransom", "decoy", "dead_drop_resolver"]
 
 
 @odm.model(description="Encryption details")
@@ -21,6 +24,8 @@ class Encryption(odm.Model):
     iv = odm.Optional(odm.Text(), description="Initialization Vector")
     seed = odm.Optional(odm.Text(), description="Seed")
     nonce = odm.Optional(odm.Text(), description="Nonce value")
+    password = odm.Optional(odm.Text(), description="Password")
+    salt = odm.Optional(odm.Text(), description="Salt")
     constants = odm.Optional(odm.List(odm.Text()), description="Constants")
     usage = odm.Optional(odm.Enum(values=["config", "communication", "binary", "ransom", "other"]),
                          description="Purpose of encryptions")
@@ -103,6 +108,15 @@ class DNS(odm.Model):
     usage = odm.Optional(odm.Enum(values=CONNECTION_USAGE), description="Purpose of DNS connection")
 
 
+@odm.model(description="Usage of ICMP")
+class ICMP(odm.Model):
+    type = odm.Optional(odm.Integer(), description="ICMP type")
+    code = odm.Optional(odm.Integer(), description="ICMP code")
+    header = odm.Optional(odm.Text(), description="Non-standard header fields")
+    hostname = odm.Optional(odm.Text(), description="Hostname")
+    usage = odm.Optional(odm.Enum(values=CONNECTION_USAGE), description="Purpose of ICMP connection")
+
+
 @odm.model(description="Usage of General TCP/UDP connection")
 class GeneralConnection(odm.Model):
     client_ip = odm.Optional(odm.IP(), description="Client IP")
@@ -125,7 +139,7 @@ class Service(odm.Model):
 class Cryptocurrency(odm.Model):
     coin = odm.Optional(odm.Text(), description="Name of coin used")
     address = odm.Optional(odm.Text(), description="Wallet address")
-    random_amount = odm.Optional(odm.Integer(), description="Ransom amount")
+    ransom_amount = odm.Optional(odm.Float(), description="Ransom amount")
     usage = odm.Optional(odm.Enum(values=['ransomware', 'miner', 'other']), description="Use of cryptocurrency")
 
 
@@ -187,6 +201,58 @@ class Registry(odm.Model):
         description="Use of registry key")
 
 
+SCHEDULED_TASK_USAGE = ["persistence", "defense_evasion", "privilege_escalation",
+                       "lateral_movement", "staging_data", "other"]
+SCHEDULED_TASK_OPERATIONS = ["CHANGE", "CREATE", "DELETE", "END", "QUERY", "RUN"]
+SCHEDULED_TASK_SCHEDULE_TYPES = ["MINUTE", "HOURLY", "DAILY", "WEEKLY", "MONTHLY",
+                                 "ONCE", "ONSTART", "ONLOGON", "ONIDLE", "ONEVENT", "OTHER"]
+SCHEDULED_TASK_RUN_AS = ["SYSTEM", "USER"]
+SCHEDULED_TASK_RUN_LEVELS = ["HIGHEST", "LIMITED"]
+SCHEDULED_TASK_OUTPUT_FORMATS = ["TABLE", "LIST", "CSV"]
+
+
+@odm.model(description="Scheduled task usage by malware")
+class ScheduledTask(odm.Model):
+    usage = odm.Optional(odm.Enum(values=SCHEDULED_TASK_USAGE), description="Scheduled task usage")
+    raw_command = odm.Optional(odm.Text(), description="Raw command used for the scheduled task")
+    task_type = odm.Optional(odm.Enum(values=SCHEDULED_TASK_OPERATIONS), description="Task operation type")
+    schedule_type = odm.Optional(odm.Enum(values=SCHEDULED_TASK_SCHEDULE_TYPES), description="Task schedule type")
+    task_name = odm.Optional(odm.Text(), description="Name of the scheduled task")
+    task_run = odm.Optional(odm.Text(), description="Program or command that the task runs")
+    remote_computer = odm.Optional(odm.Text(), description="Name or IP of a remote computer")
+    user_domain = odm.Optional(odm.Text(), description="User account domain")
+    user_account = odm.Optional(odm.Text(), description="User account to use when running the task")
+    user_password = odm.Optional(odm.Text(), description="Password for the user account")
+    run_as = odm.Optional(odm.Enum(values=SCHEDULED_TASK_RUN_AS), description="Account to run the task as")
+    run_as_domain = odm.Optional(odm.Text(), description="Domain of the account to run the task as")
+    run_as_user = odm.Optional(odm.Text(), description="User of the account to run the task as")
+    run_as_password = odm.Optional(odm.Text(), description="Password of the account to run the task as")
+    modifier = odm.Optional(odm.Text(), description="Modifier for the schedule type")
+    day = odm.Optional(odm.Text(), description="How often the task runs within its schedule type")
+    month = odm.Optional(odm.Text(), description="Month(s) during which the scheduled task should run")
+    idle_time = odm.Optional(odm.Text(), description="Idle time to wait before running the task")
+    start_time = odm.Optional(odm.Text(), description="Start time to run the task (HH:mm 24-hour)")
+    interval = odm.Optional(odm.Text(), description="Repetition interval for the task")
+    end_time = odm.Optional(odm.Text(), description="End time for the task")
+    duration = odm.Optional(odm.Text(), description="Duration for which the task should run")
+    kill = odm.Optional(odm.Boolean(), description="Terminate task if it runs longer than end time or duration")
+    start_date = odm.Optional(odm.Text(), description="Start date to run the task (MM/dd/yyyy)")
+    end_date = odm.Optional(odm.Text(), description="End date to run the task (MM/dd/yyyy)")
+    channel_name = odm.Optional(odm.Text(), description="Event log channel for event-based task")
+    interactive = odm.Optional(odm.Boolean(), description="Task runs only when user is logged on interactively")
+    no_password = odm.Optional(odm.Boolean(), description="Task does not require a password")
+    auto_delete = odm.Optional(odm.Boolean(), description="Task will be deleted after it runs")
+    xml = odm.Optional(odm.Text(), description="XML file containing the task definition")
+    v1 = odm.Optional(odm.Boolean(), description="Create using version 1 task scheduler")
+    force = odm.Optional(odm.Boolean(), description="Create/delete the task and suppress warnings")
+    run_level = odm.Optional(odm.Enum(values=SCHEDULED_TASK_RUN_LEVELS), description="Run level for the task")
+    delay_time = odm.Optional(odm.Text(), description="Wait time to delay running the task after trigger")
+    hresult = odm.Optional(odm.Text(), description="Process exit code in HRESULT format")
+    output_format = odm.Optional(odm.Enum(values=SCHEDULED_TASK_OUTPUT_FORMATS), description="Query output format")
+    no_header = odm.Optional(odm.Boolean(), description="Display column headers in output")
+    add_advanced_properties = odm.Optional(odm.Boolean(), description="Display all properties in output")
+
+
 @odm.model(description="Extracted Malware Configuration")
 class MalwareConfig(odm.Model):
     config_extractor = odm.Keyword(description="Name of extractor")
@@ -216,12 +282,14 @@ class MalwareConfig(odm.Model):
     ssh = odm.Optional(odm.List(odm.Compound(SSH)), description="SSHs")
     proxy = odm.Optional(odm.List(odm.Compound(Proxy)), description="Proxies")
     dns = odm.Optional(odm.List(odm.Compound(DNS)), description="DNS")
+    icmp = odm.Optional(odm.List(odm.Compound(ICMP)), description="ICMPs")
     tcp = odm.Optional(odm.List(odm.Compound(GeneralConnection)), description="TCPs")
     udp = odm.Optional(odm.List(odm.Compound(GeneralConnection)), description="UDPs")
     encryption = odm.Optional(odm.List(odm.Compound(Encryption)), description="Encryptions")
     service = odm.Optional(odm.List(odm.Compound(Service)), description="Services")
     cryptocurrency = odm.Optional(odm.List(odm.Compound(Cryptocurrency)), description="Cryptocurrencies")
     paths = odm.Optional(odm.List(odm.Compound(Path)), description="Paths")
     registry = odm.Optional(odm.List(odm.Compound(Registry)), description="Registry")
+    scheduled_tasks = odm.Optional(odm.List(odm.Compound(ScheduledTask)), description="Scheduled Tasks")
 
     other = odm.Optional(odm.Mapping(odm.Any()), description="Other information")
