adding new rules based on private Linux sample(s)

communication/socket/receive/receive-data-on-socket.yml

@@ -33,3 +33,4 @@ rule:
       - api: System.Net.Sockets.Socket::EndReceive
       - api: System.Net.Sockets.Socket::EndReceiveFrom
       - api: System.Net.Sockets.Socket::EndReceiveMessageFrom
+      - api: recvmsg

host-interaction/file-system/create/create-directory.yml

@@ -20,6 +20,7 @@ rule:
       - api: ZwCreateDirectoryObject
       - api: SHCreateDirectory
       - api: SHCreateDirectoryEx
+      - api: mkdir
       - api: _mkdir
       - api: _wmkdir
       - api: System.IO.Directory::CreateDirectory

host-interaction/file-system/delete/delete-directory.yml

@@ -15,6 +15,7 @@ rule:
     - or:
       - api: RemoveDirectory
       - api: RemoveDirectoryTransacted
+      - api: rmdir
       - api: _rmdir
       - api: _wrmdir
       - api: System.IO.DirectoryInfo::Delete

host-interaction/file-system/meta/get-file-attributes.yml

@@ -27,3 +27,7 @@ rule:
       - api: System.IO.File::GetLastWriteTime
       - api: System.IO.File::GetLastWriteTimeUtc
       - property/read: System.IO.FileSystemInfo::Attributes
+      - api: stat
+      - api: fstat
+      - api: lstat
+      - api: fstatat

host-interaction/file-system/meta/set-file-attributes.yml

@@ -27,3 +27,5 @@ rule:
       - api: System.IO.File::SetLastWriteTime
       - api: System.IO.File::SetLastWriteTimeUtc
       - property/write: System.IO.FileSystemInfo::Attributes
+      - api: utime
+      - api: utimes

host-interaction/process/terminate/terminate-process.yml

@@ -19,6 +19,8 @@ rule:
       - api: System.Diagnostics.Process::WaitForExitAsync
       - api: System.Environment::Exit
       - api: System.Windows.Forms.Application::Exit
+      - api: exit
+      - api: Exit
       - and:
         - optional:
           - match: open process

collection/get-current-user-on-linux.yml → host-interaction/session/get-current-user-on-linux.yml

@@ -1,7 +1,7 @@
 rule:
   meta:
     name: get current user on Linux
-    namespace: collection
+    namespace: host-interaction/session
     authors:
       - [email protected]
     scope: function
@@ -13,9 +13,8 @@ rule:
     - and:
       - os: linux
       - or:
-        - and:
-          - api: geteuid
-          - api: getpwuid
+        - api: geteuid
+        - api: getpwuid
         - api: getlogin
         - api: getlogin_r
         - api: cuserid

host-interaction/thread/terminate/terminate-thread.yml

@@ -17,3 +17,4 @@ rule:
       - api: kernel32.TerminateThread
       - api: PsTerminateSystemThread
       - api: System.Threading.Thread.Abort
+      - api: pthread_terminate

nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml

@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: communicate with Kernel module via Netlink socket on Linux
+    namespace: host-interaction/kernel
+    authors:
+      - [email protected]
+    description: Netlink is used to transfer information between the kernel and user-space processes (https://man7.org/linux/man-pages/man7/netlink.7.html)
+    scope: basic block
+  features:
+    - and:
+      - os: linux
+      - api: socket
+      - number: 0x10 = AF_NETLINK

nursery/create-detached-thread-on-linux.yml

@@ -0,0 +1,11 @@
+rule:
+  meta:
+    name: create detached thread on Linux
+    namespace: host-interaction/thread
+    authors:
+      - [email protected]
+    scope: basic block
+  features:
+    - and:
+      - os: linux
+      - api: pthread_detach

nursery/get-current-pid-on-linux.yml

@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: get current PID on Linux
+    namespace: host-interaction/process
+    authors:
+      - [email protected]
+    scope: basic block
+  features:
+    - and:
+      - os: linux
+      - or:
+        - api: getpid
+        - api: getppid

nursery/get-file-system-information-on-linux.yml

@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: get file system information on Linux
+    namespace: host-interaction/file-system
+    authors:
+      - [email protected]
+    scope: basic block
+  features:
+    - and:
+      - os: linux
+      - or:
+        - api: statfs
+        - api: fstatfs

nursery/get-system-information-on-linux.yml

@@ -4,6 +4,7 @@ rule:
     namespace: host-interaction/os/info
     authors:
       - [email protected]
+      - [email protected]
     scope: function
     att&ck:
       - Discovery::System Information Discovery [T1082]
@@ -15,3 +16,4 @@ rule:
         - and:
           - api: system
           - string: "lshw"
+        - api: sysinfo

nursery/get-user-database-entry-on-linux.yml

@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: get user database entry on Linux
+    namespace: host-interaction/session
+    authors:
+      - [email protected]
+    scope: basic block
+  features:
+    - and:
+      - os: linux
+      - or:
+        - api: getpwuid
+        - api: getpwuid_r

nursery/persist-via-gnome-autostart-on-linux.yml

@@ -0,0 +1,12 @@
+rule:
+  meta:
+    name: persist via GNOME autostart on Linux
+    namespace: persistence
+    authors:
+      - [email protected]
+    scope: function
+  features:
+    - and:
+      - os: linux
+      - match: host-interaction/file-system/write
+      - substring: "X-GNOME-Autostart-enabled=true"

nursery/set-current-directory.yml

@@ -9,3 +9,5 @@ rule:
     - or:
       - api: System.IO.Directory::SetCurrentDirectory
       - api: kernel32.SetCurrentDirectory
+      - api: chdir
+      - api: fchdir

nursery/set-thread-name-on-linux.yml

@@ -0,0 +1,15 @@
+rule:
+  meta:
+    name: set thread name on Linux
+    namespace: host-interaction/thread
+    authors:
+      - [email protected]
+    scope: basic block
+  features:
+    - and:
+      - os: linux
+      - or:
+        - api: pthread_setname_np
+        - and:
+          - api: prctl
+          - number: 0xF = PR_SET_NAME