style: Automatic code formatting

Author: actions-user

modules/signatures/windows/disables_windefender.py

@@ -205,6 +205,7 @@ def on_complete(self):
 
         return False
 
+
 class AddWindowsDefenderExclusions(Signature):
     name = "add_windows_defender_exclusions"
     description = "Attempts to add Windows Defender Exclusions for specific file types by extension"
@@ -213,8 +214,9 @@ class AddWindowsDefenderExclusions(Signature):
     authors = ["@para0x0dise"]
     minimum = "1.2"
     ttps = ["T1562.001"]
-    references = ["https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/defense_evasion_windows_defender_exclusions_by_extension.toml",
-]
+    references = [
+        "https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/windows/defense_evasion_windows_defender_exclusions_by_extension.toml",
+    ]
     evented = True
 
     filter_apinames = set(["RegSetValueExA", "RegSetValueExW", "NtSetValueKey"])
@@ -228,14 +230,32 @@ def on_call(self, call, process):
             regKeyPath = self.get_argument(call, "FullName").lower()
             valueName = self.get_argument(call, "ValueName")
             buf = self.get_argument(call, "Buffer")
-            if buf == '0' and ("software\\policies\\microsoft\\windows defender\\exclusions\\extensions\\" in regKeyPath and
-                    any(extension in valueName for extension in ("exe", "pif", "scr", "js", "vbs",
-                                                                 "wsh", "hta", "cpl", "jse", "vbe",
-                                                                 "bat", "cmd", "dll", "ps1"))):
+            if buf == "0" and (
+                "software\\policies\\microsoft\\windows defender\\exclusions\\extensions\\" in regKeyPath
+                and any(
+                    extension in valueName
+                    for extension in (
+                        "exe",
+                        "pif",
+                        "scr",
+                        "js",
+                        "vbs",
+                        "wsh",
+                        "hta",
+                        "cpl",
+                        "jse",
+                        "vbe",
+                        "bat",
+                        "cmd",
+                        "dll",
+                        "ps1",
+                    )
+                )
+            ):
                 self.data.append({"regkey": regKeyPath})
                 self.detected = True
 
     def on_complete(self):
         if self.detected:
             return True
-        return False
+        return False

modules/signatures/windows/lolbas.py

@@ -111,8 +111,7 @@ def run(self):
         cmdlines = self.results.get("behavior", {}).get("summary", {}).get("executed_commands", [])
         for cmdline in cmdlines:
             lower = cmdline.lower()
-            if ("conhost.exe" in lower and
-                    any(process in lower for process in ("cmd /c", "powershell", "script", "mshta", "curl"))):
+            if "conhost.exe" in lower and any(process in lower for process in ("cmd /c", "powershell", "script", "mshta", "curl")):
                 self.data.append({"command": cmdline})
                 return True
         return False
@@ -614,6 +613,7 @@ def run(self):
 
         return False
 
+
 class LOLBAS_ExecutePSViaSyncappvpublishingserver(Signature):
     name = "execute_ps_via_syncappvpublishingserver"
     description = "Attempts to execute a PowerShell commands via Microsoft signed Visual Basic script (Syncappvpublishingserver)"
@@ -651,6 +651,7 @@ def on_complete(self):
             return True
         return False
 
+
 class LOLBAS_ExecuteRemoteMSIViaDevinit(Signature):
     name = "execute_remote_msi"
     description = "Attempts to download and execute a remote msi file via Visual Studio tool (devinit.exe)"
@@ -670,4 +671,4 @@ def run(self):
                 self.data.append({"command": cmdline})
                 return True
 
-        return False
+        return False