Add files via upload

mandiant · Sep 18, 2023 · 043aa57 · 043aa57
1 parent b9c2bc1
commit 043aa57
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/host-interaction/network/connectivity/set-state-tcp-connection.yml b/host-interaction/network/connectivity/set-state-tcp-connection.yml
@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: set state tcp connection
+    namespace: host-interaction/network/connectivity
+    authors:
+      - "@johnk3r"
+    description: The SetTcpEntry function sets the state of a TCP connection.
+    scope: function
+    att&ck:
+      - Defense Evasion::Impair Defenses [T1562]
+    references:
+      - https://unit42.paloaltonetworks.com/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website
+      - https://github.com/magisterquis/EDRSniper/blob/master/edrsniper.c
+    examples:
+      - 883bf161937f8dc6e766b07000110254:0x403150
+  features:
+    - or:
+      - api: iphlpapi.SetTcpEntry