add indicators for trellix

Original source: https://github.com/Pennyw0rth/NetExec/blob/05ad3c6bc450abcac259b9c4f2ac8bc8daa0b50a/nxc/modules/enum_av.py#L362
dadevel · Nov 18, 2024 · bf932f9 · bf932f9
1 parent 00411bc
commit bf932f9
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 2 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "servicedetector"
-version = "0.0.7"
+version = "0.0.8"
 description = ""
 authors = ["dadevel <[email protected]>"]
 license = "MIT"

diff --git a/servicedetector/indicators.csv b/servicedetector/indicators.csv
@@ -29,6 +29,10 @@ epp,Bitdefender,service,bdredline_agent
 epp,Carbon Black App Control,service,Parity
 epp,Carbon Black,service,CbDefenseWSC
 epp,Carbon Black,service,CbDefense
+epp,CrowdStrike,driver,CSAgent.sys
+epp,CrowdStrike,driver,CSBoot.sys
+epp,CrowdStrike,driver,CSDeviceControl.sys
+epp,CrowdStrike,driver,CSFirmwareAnalysis.sys
 epp,CrowdStrike,pipe,CrowdStrike\{*
 epp,CrowdStrike,process,CSFalconContainer.exe
 epp,CrowdStrike,process,CSFalconService.exe
@@ -114,6 +118,25 @@ epp,Sophos Intercept X,service,Sophos System Protection Service
 epp,Symantec,service,SNAC
 epp,Symantec,service,SepMasterService
 epp,Symantec,service,SepScanService
+epp,Trellix,pipe,McAfeeAgent_Pipe_*
+epp,Trellix,pipe,TrellixEDR_Pipe_*
+epp,Trellix,pipe,mfefire_*
+epp,Trellix,pipe,mfemactl_*
+epp,Trellix,pipe,mfetp_*
+epp,Trellix,process,McAfeeAgent.exe
+epp,Trellix,process,McAfeeEDR.exe
+epp,Trellix,process,mfefire.exe
+epp,Trellix,process,mfemactl.exe
+epp,Trellix,process,mfetp.exe
+epp,Trellix,service,McAfee Endpoint Security Platform Service
+epp,Trellix,service,macmnsvc
+epp,Trellix,service,masvc
+epp,Trellix,service,mfeaack
+epp,Trellix,service,mfefire
+epp,Trellix,service,mfemactl
+epp,Trellix,service,mfemms
+epp,Trellix,service,mfetp
+epp,Trellix,service,mfewc
 epp,Trend Micro,pipe,IPC_XBC_XBC_AGENT_PIPE_*
 epp,Trend Micro,pipe,Log_ServerNamePipe
 epp,Trend Micro,pipe,OIPC_LWCS_PIPE_*

diff --git a/servicedetector/main.py b/servicedetector/main.py
@@ -149,7 +149,7 @@ def run_detections(host: str, opts: Namespace) -> bool:
 
 def read_indicators() -> dict[str, list[dict[str, str]]]:
     resources = importlib.resources.files(__package__)
-    indicators = dict(file=[], pipe=[], process=[], service=[])
+    indicators = dict(file=[], driver=[], pipe=[], process=[], service=[])
     with open(resources/'indicators.csv') as file:  # type: ignore
         reader = csv.DictReader(file)
         for row in reader: