From 043aa57863c4e0cb5963c005ad0c71268bd4157c Mon Sep 17 00:00:00 2001
From: johnk3r
Date: Mon, 18 Sep 2023 11:09:38 -0300
Subject: [PATCH] Add files via upload
---
 .../connectivity/set-state-tcp-connection.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 host-interaction/network/connectivity/set-state-tcp-connection.yml
diff --git a/host-interaction/network/connectivity/set-state-tcp-connection.yml b/host-interaction/network/connectivity/set-state-tcp-connection.yml
new file mode 100644
index 000000000..51a838cf7
--- /dev/null
+++ b/host-interaction/network/connectivity/set-state-tcp-connection.yml
@@ -0,0 +1,18 @@
+rule:
+ meta:
+ name: set state tcp connection
+ namespace: host-interaction/network/connectivity
+ authors:
+ - "@johnk3r"
+ description: The SetTcpEntry function sets the state of a TCP connection.
+ scope: function
+ att&ck:
+ - Defense Evasion::Impair Defenses [T1562]
+ references:
+ - https://unit42.paloaltonetworks.com/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website
+ - https://github.com/magisterquis/EDRSniper/blob/master/edrsniper.c
+ examples:
+ - 883bf161937f8dc6e766b07000110254:0x403150
+ features:
+ - or:
+ - api: iphlpapi.SetTcpEntry
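Review bot: The `- or:` under `features:` wraps a single `api:` feature, which is redundant and is the kind of construct capa's rule linter tends to flag; either list `- api: iphlpapi.SetTcpEntry` directly under `features:` or pair it in an `and:` with a feature that separates the connection-teardown use the references describe from ordinary use of the API, e.g. `- number: 12 = MIB_TCP_STATE_DELETE_TCB`, after confirming the listed example function at `0x403150` actually carries that constant. As written, the rule fires on any importer of SetTcpEntry, including legitimate network-management tools, which makes the T1562 mapping hard to justify from the match alone. The `description:` only restates the API documentation; a sentence along the lines of `... commonly used to force TCP connections into the delete state (e.g. to cut sessions belonging to security tooling)` would tell analysts why the match matters. The YAML indentation appears collapsed to single spaces in this rendering, so the nesting of `meta:`/`features:` cannot be verified from here.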