Add support for huorong sysdiag version 6 & some rule tweak

.github/workflows/main.yml

@@ -32,7 +32,7 @@ jobs:
       run: |
         python scripts/merge_rules.py --path rules --output output
     - name: Upload a Build Artifact
-      uses: actions/upload-artifact@v3.1.0
+      uses: actions/upload-artifact@v4
       with:
-        name: my-artifact
+        name: Huorong APT Rules
         path: output/*json

rules/README.md

@@ -316,7 +316,7 @@
 
 ## Suspicious.ScriptHost.A
 
-状态：启用
+状态：未启用
 
 行为描述：源程序`*\?script.exe`做出以下操作时，提示用户处理
 - 对路径为`*\Windows\Sys?????\*.exe`的程序进行`执行`操作
@@ -326,12 +326,12 @@
 
 ## Suspicious.ScriptHost.B
 
-状态：启用
+状态：未启用
 
 行为描述：源程序`*\Windows\Sys?????\*.exe`做出以下操作时，提示用户处理
 - 对路径为`*\?script.exe`的程序进行`执行`操作
 
-***rule.json hash: 7692734f67bdef45c360f5d4b04da6d64141543e16f47214a7b005f3094a3fe9***
+***rule.json hash: 061537b93cbecde04566066386b7a4b439858368c67b85da717ca23251fd4d14***
 # Suspicious.SuspProcAddAutoRun
 
 ## Suspicious.SuspProcAddAutoRun.A

rules/README_en_us.md

@@ -339,7 +339,7 @@ When the source process`*\Windows\Sys?????\>`initializes the following actions,
 
 ## Suspicious.ScriptHost.A
 
-Status: Enabled
+Status: Disabled
 
 Behavioral Description:   
 When the source process`*\?script.exe`initializes the following actions, HIPS module should let the user decide them.
@@ -350,13 +350,13 @@ When the source process`*\?script.exe`initializes the following actions, HIPS mo
 
 ## Suspicious.ScriptHost.B
 
-Status: Enabled
+Status: Disabled
 
 Behavioral Description:   
 When the source process`*\Windows\Sys?????\*.exe`initializes the following actions, HIPS module should let the user decide them.
 - `Execute` the program under the path `*\?script.exe`
 
-***rule.json hash: 7692734f67bdef45c360f5d4b04da6d64141543e16f47214a7b005f3094a3fe9***
+***rule.json hash: 061537b93cbecde04566066386b7a4b439858368c67b85da717ca23251fd4d14***
 # Suspicious.SuspProcAddAutoRun
 
 ## Suspicious.SuspProcAddAutoRun.A

rules/README_zh_tw.md

@@ -316,7 +316,7 @@
 
 ## Suspicious.ScriptHost.A
 
-狀態：啟用
+狀態：未啟用
 
 行為描述：源程式`*\?script.exe`做出以下操作時，提示使用者處理
 - 對路徑為`*\Windows\Sys?????\*.exe`的程序進行`執行`操作
@@ -326,12 +326,12 @@
 
 ## Suspicious.ScriptHost.B
 
-狀態：啟用
+狀態：未啟用
 
 行為描述：源程式`*\Windows\Sys?????\*.exe`做出以下操作時，提示使用者處理
 - 對路徑為`*\?script.exe`的程序進行`執行`操作
 
-***rule.json hash: 7692734f67bdef45c360f5d4b04da6d64141543e16f47214a7b005f3094a3fe9***
+***rule.json hash: 061537b93cbecde04566066386b7a4b439858368c67b85da717ca23251fd4d14***
 # Suspicious.SuspProcAddAutoRun
 
 ## Suspicious.SuspProcAddAutoRun.A

rules/Suspicious.RunFromSusPath/auto.json

@@ -37,6 +37,16 @@
                 "action_type": 16,
                 "treatment": 0
             }
+        ],
+        "*\\Windows\\system32\\svchost.exe": [
+            {
+                "res_path": "*\\ProgramData\\MEGAsync\\MEGAupdater.exe",
+                "montype": 0,
+                "action_type": 16,
+                "treatment": 0,
+                "cmdline": "*\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
+                "p_procname": "*\\Windows\\System32\\services.exe"
+            }
         ]
     }
 }

rules/Suspicious.ScriptHost/auto.json

@@ -17,6 +17,26 @@
               "action_type": 16,
               "treatment": 0
             }
-          ]
+          ],
+        "*\\Windows\\system32\\svchost.exe": [
+            {
+                "res_path": "*\\Windows\\Sys?????\\wscript.exe",
+                "res_cmdline": "*:\\Windows\\System????\\Wscript.exe /B /NoLogo *\\Program Files\\Intel\\SUR\\QUEENCREEK\\x64\\task.vbs",
+                "montype": 0,
+                "action_type": 16,
+                "treatment": 0,
+                "cmdline": "*\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
+                "p_procname": "*\\Windows\\System32\\services.exe"
+            }
+        ],
+        "*\\Windows\\system32\\conhost.exe": [
+            {
+                "res_path": "*\\foobar2000\\profile\\foo_uie_jsplitter\\package_data\\*\\foo_lastfm_img.vbs",
+                "montype": 0,
+                "action_type": 16,
+                "treatment": 0,
+                "p_procname": "*\\foobar2000.exe"
+            }
+        ]
     }
-}
+}

rules/Suspicious.ScriptHost/rule.json

@@ -4,7 +4,7 @@
   "data": [
     {
       "id": 240,
-      "power": 1,
+      "power": 0,
       "name": "Suspicious.ScriptHost.A",
       "procname": "*\\?script.exe",
       "treatment": 1,
@@ -33,7 +33,7 @@
     },
     {
       "id": 240,
-      "power": 1,
+      "power": 0,
       "name": "Suspicious.ScriptHost.B",
       "procname": "*\\Windows\\Sys?????\\*.exe",
       "treatment": 1,
@@ -46,4 +46,4 @@
       ]
     }
   ]
-}
+}

scripts/merge_rules.py

@@ -23,9 +23,9 @@ def main(input_path:str, output_path:str):
     """
     # sum of rules and auto
     rule_sum_dict = dict(json.loads(
-        '{"ver":"5.0","tag":"hipsuser","data":[]}'))
+        '{"ver":"6.0","tag":"hipsuser","data":[]}'))
     auto_sum_dict = dict(json.loads(
-        '{"ver":"5.0","tag":"hipsuser_auto","data":{}}'))
+        '{"ver":"6.0","tag":"hipsuser_auto","data":{}}'))
 
     for path, dirs, files in sorted(os.walk(input_path)):
         for filename in files:
@@ -36,6 +36,13 @@ def main(input_path:str, output_path:str):
                 print("Merging file: %s" % rule_full_path)
                 # loop each rule in sub rule files
                 for each_rule in rule_dict["data"]:
+                    # fix the blanks(v6)
+                    each_rule.setdefault("cmdline", "*")
+                    each_rule.setdefault("p_procname", "*")
+                    each_rule.setdefault("p_cmdline", "*")
+                    for policy in each_rule["policies"]:
+                        policy.setdefault("res_cmdline", "*")
+
                     rule_sum_dict["data"] = rule_sum_dict["data"] + \
                         [each_rule]  # add them up
 
@@ -45,6 +52,12 @@ def main(input_path:str, output_path:str):
                 print("Merging file: %s" % auto_full_path)
                 # loop each auto in sub auto files
                 for each_key in dict(auto_dict["data"]).keys():
+                    # fix the blanks(v6)
+                    for task in auto_dict["data"][each_key]:
+                        task.setdefault("res_cmdline", "*")
+                        task.setdefault("cmdline", '*')
+                        task.setdefault("p_procname",'*')
+                        task.setdefault("p_cmdline",'*')
                     # check if key already exist
                     if dict(auto_sum_dict["data"]).get(each_key) is None:
                         # frist one