diff --git a/host-interaction/driver/install-driver.yml b/host-interaction/driver/install-driver.yml
index 1a721a75..3b15bb0d 100644
--- a/host-interaction/driver/install-driver.yml
+++ b/host-interaction/driver/install-driver.yml
@@ -11,9 +11,16 @@ rule:
 - Persistence::Create or Modify System Process::Windows Service [T1543.003]
 mbc:
 - Hardware::Install Driver [C0037]
+ references:
+ - https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/set.htm
 examples:
 - af60700383b75727f5256a0000c1476f:0x1127E
 features:
 - or:
 - api: ntdll.NtLoadDriver
 - api: ZwLoadDriver
+ - and:
+ - number: 38 = SystemLoadAndCallImage
+ - or:
+ - api: NtSetSystemInformation
+ - api: ZwSetSystemInformation
diff --git a/host-interaction/driver/interact-with-driver-via-control-codes.yml b/host-interaction/driver/interact-with-driver-via-control-codes.yml
deleted file mode 100644
index 45dd6d37..00000000
--- a/host-interaction/driver/interact-with-driver-via-control-codes.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-rule:
- meta:
- name: interact with driver via control codes
- namespace: host-interaction/driver
- authors:
- - moritz.raabe@mandiant.com
- scopes:
- static: function
- dynamic: thread
- att&ck:
- - Execution::System Services::Service Execution [T1569.002]
- examples:
- - Practical Malware Analysis Lab 10-03.exe_:0x401000
- - 9412A66BC81F51A1FA916AC47C77E02AC1A7C9DFF543233ED70AA265EF6A1E76:0x10002DE0
- features:
- - or:
- - api: DeviceIoControl
- - api: NtUnloadDriver
- - api: ZwUnloadDriver
- - and:
- - number: 38 = SystemLoadAndCallImage
- - api: ZwSetSystemInformation
diff --git a/host-interaction/driver/interact-with-driver-via-ioctl.yml b/host-interaction/driver/interact-with-driver-via-ioctl.yml
new file mode 100644
index 00000000..cb24ea09
--- /dev/null
+++ b/host-interaction/driver/interact-with-driver-via-ioctl.yml
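Review bot: The new `and:` branch keys on `number: 38`, a value common enough that the branch will effectively fire for any scope that calls NtSetSystemInformation/ZwSetSystemInformation and happens to contain 38 anywhere, and nothing in `meta:` tells an analyst that this branch is the legacy SystemLoadAndCallImage image-loading path described by the added Chappell reference rather than the NtLoadDriver path. Consider adding `description: also matches the legacy NtSetSystemInformation(SystemLoadAndCallImage) loader; see reference` under `meta:`. The rule also mixes a module-qualified `api: ntdll.NtLoadDriver` with bare `ZwLoadDriver`, `NtSetSystemInformation` and `ZwSetSystemInformation`; qualifying all four or none keeps the match behaviour uniform. The rule's `scopes:` lie above this hunk, so the scope the `and:` is evaluated at cannot be confirmed here.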
@@ -0,0 +1,14 @@
+rule:
+ meta:
+ name: interact with driver via IOCTL
+ namespace: host-interaction/driver
+ authors:
+ - moritz.raabe@mandiant.com
+ scopes:
+ static: basic block
+ dynamic: thread
+ examples:
+ - Practical Malware Analysis Lab 10-03.exe_:0x40108c
+ features:
+ - or:
+ - api: DeviceIoControl
diff --git a/host-interaction/driver/unload-driver.yml b/host-interaction/driver/unload-driver.yml
new file mode 100644
index 00000000..f72e6e04
--- /dev/null
+++ b/host-interaction/driver/unload-driver.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: unload driver
+ namespace: host-interaction/driver
+ authors:
+ - moritz.raabe@mandiant.com
+ scopes:
+ static: basic block
+ dynamic: call
+ att&ck:
+ - Persistence::Create or Modify System Process::Windows Service [T1543.003]
+ examples:
+ - 31cee4f66cf3b537e3d2d37a71f339f4:0x1400044ce
+ features:
+ - or:
+ - api: NtUnloadDriver
+ - api: ZwUnloadDriver
diff --git a/host-interaction/hardware/storage/get-disk-size.yml b/host-interaction/hardware/storage/get-disk-size.yml
index ab314cd5..10a61b09 100644
--- a/host-interaction/hardware/storage/get-disk-size.yml
+++ b/host-interaction/hardware/storage/get-disk-size.yml
@@ -26,11 +26,11 @@ rule:
 - property/read: System.IO.DriveInfo::AvailableFreeSpace
 - basic block:
 - and:
- - api: DeviceIoControl
+ - match: interact with driver via IOCTL
 - number: 0x7405C = IOCTL_DISK_GET_LENGTH_INFO
 - call:
 - and:
- - api: DeviceIoControl
+ - match: interact with driver via IOCTL
 - number: 0x7405C = IOCTL_DISK_GET_LENGTH_INFO
 - and:
 - or:
diff --git a/impact/wipe-disk/delete-drive-layout-via-ioctl.yml b/impact/wipe-disk/delete-drive-layout-via-ioctl.yml
index 448154f3..82530763 100644
--- a/impact/wipe-disk/delete-drive-layout-via-ioctl.yml
+++ b/impact/wipe-disk/delete-drive-layout-via-ioctl.yml
@@ -6,7 +6,7 @@ rule:
 - william.ballenthin@mandiant.com
 scopes:
 static: basic block
- dynamic: thread
+ dynamic: call
 att&ck:
 - Impact::Disk Wipe::Disk Structure Wipe [T1561.002]
 mbc:
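Review bot: `dynamic: thread` on this rule is at odds with the rules this commit rewires onto it: the `call:` block in get-disk-size.yml and the wiper rules switched to `dynamic: call` all expect `match: interact with driver via IOCTL` at call scope, but a thread-scope rule is only evaluated, and its match feature only recorded, per thread, so in dynamic mode those call-scope `match:` branches will presumably never fire. Suggest `dynamic: call`, which unload-driver.yml in this same commit already uses for an equally single-API rule. The rule it replaces also carried an `att&ck:` mapping; if dropping it is intentional, a one-line `description: generic DeviceIoControl use; only meaningful when paired with an IOCTL constant` would stop a bare match being read as a capability on its own.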
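Review bot: The `att&ck:` entry `Persistence::Create or Modify System Process::Windows Service [T1543.003]` appears to be copied from install-driver.yml, but NtUnloadDriver/ZwUnloadDriver remove a driver rather than establish one, so capability reports will label a teardown or driver-removal action as persistence. Either drop the mapping here or choose a technique that the example at `31cee4f66cf3b537e3d2d37a71f339f4:0x1400044ce` actually demonstrates (if it unloads security tooling that would be a Defense Evasion technique, which cannot be confirmed from here). A `description: unloads a kernel driver; by itself this is not a persistence mechanism` would help analysts triaging a match.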
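Review bot: Unlike the other rules this commit converts (delete-drive-layout-via-ioctl.yml, get-storage-device-properties.yml), the `basic block:` branch here accepts only `match: interact with driver via IOCTL` and not `characteristic: indirect call`, so a sample that reaches DeviceIoControl through a resolved function pointer will match the wiper rules but not this discovery rule. If that is deliberate, a short `description:` saying the rule intentionally requires a direct DeviceIoControl reference would keep the next contributor from "fixing" it; otherwise wrap the `match:` in an `or:` with `- characteristic: indirect call` as the sibling rules do (the `call:` branch is dynamic-only and needs no such change). The hunk starts at line 26, so the rule's `scopes:` and earlier branches are outside view.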
@@ -20,6 +20,6 @@ rule:
 features:
 - and:
 - or:
- - api: DeviceIoControl
+ - match: interact with driver via IOCTL
 - characteristic: indirect call
 - number: 0x7c100 = IOCTL_DISK_DELETE_DRIVE_LAYOUT
diff --git a/nursery/get-disk-information-via-ioctl.yml b/nursery/get-disk-information-via-ioctl.yml
new file mode 100644
index 00000000..8054ea1d
--- /dev/null
+++ b/nursery/get-disk-information-via-ioctl.yml
@@ -0,0 +1,25 @@
+rule:
+ meta:
+ name: get disk information via IOCTL
+ namespace: host-interaction/hardware/storage
+ authors:
+ - william.ballenthin@mandiant.com
+ scopes:
+ static: basic block
+ dynamic: call
+ att&ck:
+ - Discovery::System Information Discovery [T1082]
+ mbc:
+ - Discovery::System Information Discovery [E1082]
+ references:
+ - https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
+ - http://www.ioctls.net/
+ features:
+ - and:
+ - or:
+ - match: interact with driver via IOCTL
+ - characteristic: indirect call
+ - or:
+ - number: 0x70050 = IOCTL_DISK_GET_DRIVE_LAYOUT_EX
+ - number: 0x24050 = IOCTL_DISK_GET_DRIVE_GEOMETRY_EX
+ - number: 0x2d1080 = IOCTL_STORAGE_GET_DEVICE_NUMBER
diff --git a/nursery/get-storage-device-properties.yml b/nursery/get-storage-device-properties.yml
index d7fbad94..dc1cb3ed 100644
--- a/nursery/get-storage-device-properties.yml
+++ b/nursery/get-storage-device-properties.yml
@@ -12,7 +12,9 @@ rule:
 - https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-ioctl_storage_query_property
 features:
 - and:
- - match: interact with driver via control codes
+ - or:
+ - characteristic: indirect call
+ - match: interact with driver via IOCTL
 - number: 0x2D1400 = IOCTL_STORAGE_QUERY_PROPERTY
 - optional:
 - string: "\\\\.\\PhysicalDrive0"
diff --git a/nursery/get-volume-information-via-ioctl.yml b/nursery/get-volume-information-via-ioctl.yml
new file mode 100644
index 00000000..9701df43
--- /dev/null
+++ b/nursery/get-volume-information-via-ioctl.yml
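Review bot: `0x24050 = IOCTL_DISK_GET_DRIVE_GEOMETRY_EX` in the new rule's second `or:` is mislabeled: CTL_CODE(IOCTL_DISK_BASE 0x7, 0x28, METHOD_BUFFERED, FILE_ANY_ACCESS) gives 0x700A0 for IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, while 0x24050 decodes to device type 0x2 (CD-ROM), function 0x14, FILE_READ_ACCESS, i.e. IOCTL_CDROM_GET_DRIVE_GEOMETRY_EX. As written the rule misses the disk-geometry query it presumably targets and instead fires on CD-ROM geometry queries. Change the line to `- number: 0x700A0 = IOCTL_DISK_GET_DRIVE_GEOMETRY_EX`, and if the CD-ROM code is wanted as well keep it under its real name, `- number: 0x24050 = IOCTL_CDROM_GET_DRIVE_GEOMETRY_EX`; the ioctls.net reference already listed can be used to pin both values.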
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: get volume information via IOCTL
+ namespace: host-interaction/hardware/storage
+ authors:
+ - william.ballenthin@mandiant.com
+ scopes:
+ static: basic block
+ dynamic: call
+ att&ck:
+ - Discovery::System Information Discovery [T1082]
+ mbc:
+ - Discovery::System Information Discovery [E1082]
+ references:
+ - https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
+ features:
+ - and:
+ - or:
+ - match: interact with driver via IOCTL
+ - characteristic: indirect call
+ - number: 0x90064 = FSCTL_GET_NTFS_VOLUME_DATA
diff --git a/nursery/resize-volume-shadow-copy-storage.yml b/nursery/resize-volume-shadow-copy-storage.yml
index d0491395..01e073aa 100644
--- a/nursery/resize-volume-shadow-copy-storage.yml
+++ b/nursery/resize-volume-shadow-copy-storage.yml
@@ -10,5 +10,5 @@ rule:
 dynamic: call
 features:
 - and:
- - api: kernel32.DeviceIoControl
+ - match: interact with driver via IOCTL
 - number: 0x53C028 = IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE
diff --git a/nursery/unmount-volume-via-ioctl.yml b/nursery/unmount-volume-via-ioctl.yml
new file mode 100644
index 00000000..823bdd65
--- /dev/null
+++ b/nursery/unmount-volume-via-ioctl.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: unmount volume via IOCTL
+ namespace: host-interaction/hardware/storage
+ authors:
+ - william.ballenthin@mandiant.com
+ scopes:
+ static: function
+ dynamic: call
+ references:
+ - https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
+ features:
+ - and:
+ - or:
+ - match: interact with driver via IOCTL
+ - characteristic: indirect call
+ - and:
+ - number: 0x90018 = FSCTL_LOCK_VOLUME
+ - number: 0x90020 = FSCTL_DISMOUNT_VOLUME
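Review bot: `dynamic: call` cannot satisfy this rule's inner `and:`, because FSCTL_LOCK_VOLUME and FSCTL_DISMOUNT_VOLUME are passed to two separate DeviceIoControl calls and a single call scope only ever carries one control code, so in dynamic mode the rule will presumably never match; the static side uses `function` for exactly this reason. Suggest `dynamic: thread` (the scope the removed interact-with-driver-via-control-codes.yml used) so both calls from the same thread can be combined. Since lock-then-dismount is also what legitimate disk utilities do before raw volume access, a `description: locks and dismounts a volume; a common precursor to raw volume writes by wipers but also used by legitimate disk tools` would help analysts weigh a match. Note `characteristic: indirect call` is a static-only feature, so under any dynamic scope the `or:` reduces to the `match:` branch, which is fine but worth a comment.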