i m using adobe_pdf_embedded_exe module in metasploit in order to embed a backdoor connection in a pdf file my cuckoo can't detect nothing with a score of 3.8 :( i need some tips to harden my cuckoo and a better score calculation
cuckoo version : 2.0.5
os : ubuntu 16.04
go for documentation how to write signatures
Hi rayenmessaoudi,
Thanks for posting this issue.
The score is not a definite malicious/not malicious answer, and should (currently) be seen as information that should be viewed together with what signatures were triggered. More high severity signatures(red in web interface) means that actions were performed that are likely to be malicious.
There can be many reasons if there was a low amount of triggered signatures. It might be that the embedded executable was not executed, for example.
Could you please post the PDF with embedded executable you have created? :smile: I am curious what signatures are triggered on my own Cuckoo setups.
Hi,
@RicoVZ u have right the problem is the exe was not executed :p
i solved the problem but the score is 4.6.
i developed a module to extract files from mails then submit it to cuckoo for analysis and alerting via mail i asked how i can ameliorate the score calculation because the alert is based on defined threshold example if the score = 5 then send the alert ? so any advices ?
Ah, nice use of Cuckoo. :smile:
Instead of editing the score calculation, I would suggest using three types of information to decide if you want to trigger an alert:
https://github.com/cuckoosandbox/community/search?q=severity+%3D+3&unscoped_q=severity+%3D+3
Of course, this depends very much on the context of the files you are submitting. For example: a known benign torrent client will likely trigger some level 3 signatures. But this is because it is software that does a lot of things. But you would likely not expect mail attachments to perform the same actions.