From 358b666459ab90e5ea12ee6123c6eb563e5911e4 Mon Sep 17 00:00:00 2001
From: sara-rn <103417144+sara-rn@users.noreply.github.com>
Date: Mon, 10 Jul 2023 21:04:13 +0200
Subject: [PATCH 1/6] Update hash-data-using-fnv.yml
---
 data-manipulation/hashing/fnv/hash-data-using-fnv.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml
index 300d337ff..8bc063eaa 100644
--- a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml
+++ b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml
@@ -16,15 +16,22 @@ rule:
 - https://create.stephan-brumme.com/fnv-hash/
 examples:
 - ad4229879180e267f431ac6666b6a0a2:0x14007B4D4
+ - 09BF850BE5DA44A1C3629A1F62813A83:0x10006010
 features:
 - and:
 - optional:
 - characteristic: loop
 - number: 0xcbf29ce484222325 = FNV_offset_basis, unused by FNV-0
 - number: 0x811c9dc5 = FNV_offset_basis, unused by FNV-0
+ - and:
+ - number: 0xcbf29ce4 = FNV_offset_basis 64 bits, 32-bit value
+ - number: 0x84222325 = FNV_offset_basis 64 bits, 32-bit value
 - or:
 - number: 0x100000001b3 = FNV prime
 - number: 0x01000193 = FNV prime
+ - and:
+ - number: 0x100 = FNV prime 64 bits, split in DWORD
+ - number: 0x1b3 = FNV prime 64 bits, split in DWORD
 - basic block:
 # FNV-1 hash does multiply then XOR
 # FNV-1a hash does XOR then multiply
@@ -33,3 +40,4 @@ rule:
 - or:
 - mnemonic: imul
 - mnemonic: mul
+ - api: _allmul
From cda22165c6811540a93925f550e847dd0d8a0afb Mon Sep 17 00:00:00 2001
From: sara-rn <103417144+sara-rn@users.noreply.github.com>
Date: Tue, 11 Jul 2023 17:18:35 +0200
Subject: [PATCH 2/6] Update hash-data-using-fnv.yml
didn't match the old example, it's fixed
---
 data-manipulation/hashing/fnv/hash-data-using-fnv.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml
index 8bc063eaa..825be537a 100644
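Review bot: The example added in the first hunk, `09BF850BE5DA44A1C3629A1F62813A83:0x10006010`, keeps the hash in uppercase while the existing example on the line above is lowercase, and patch 4 of this series lowercases this same hash in the base64 rule under the message "fixed hash"; if example lookup is case-sensitive, this entry presumably needs the same change, `- 09bf850be5da44a1c3629a1f62813a83:0x10006010`. The descriptions on the four new constants are hard to read: `0xcbf29ce4` and `0x84222325` are the high and low DWORDs of `0xcbf29ce484222325`, and `0x100` and `0x1b3` are the high and low DWORDs of `0x100000001b3`, so `= high DWORD of 64-bit FNV_offset_basis` / `= low DWORD of 64-bit FNV_offset_basis` (and the same wording for the prime) would state exactly what is matched. `0x100` is a very common immediate on its own, so requiring it only together with `0x1b3` inside an `and`, as the hunk does, is the right shape; a one-line comment saying that the split form exists for 32-bit code computing the 64-bit variant (my reading, not stated in the hunk) would keep a later edit from loosening it. The enclosing `- and:` / `- optional:` structure starts outside the hunk and indentation is not recoverable in this view, so I cannot confirm which of these blocks are optional.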
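Review bot: `- api: _allmul` in the second hunk is added to the `or` of multiply mnemonics without any explanation, and unlike `imul`/`mul` it is a library call rather than an instruction, so the reason belongs in the rule: `# _allmul: MSVC CRT helper for 64-bit multiplication on 32-bit x86, emitted instead of mul/imul`. It is also the counterpart of the split-DWORD constants added in the first hunk, which is worth a sentence in the rule description (outside this hunk). The enclosing `- basic block:` / `- and:` that also requires the `xor` mnemonic starts outside the hunk, so I cannot confirm the call and the xor land in the same block for the new example.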
--- a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml
+++ b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml
@@ -29,9 +29,9 @@ rule:
 - or:
 - number: 0x100000001b3 = FNV prime
 - number: 0x01000193 = FNV prime
- - and:
- - number: 0x100 = FNV prime 64 bits, split in DWORD
- - number: 0x1b3 = FNV prime 64 bits, split in DWORD
+ - and:
+ - number: 0x100 = FNV prime 64 bits, split in DWORD
+ - number: 0x1b3 = FNV prime 64 bits, split in DWORD
 - basic block:
 # FNV-1 hash does multiply then XOR
 # FNV-1a hash does XOR then multiply
From aa2da89c34929c33fb47148f7ef2f84210bdf9d2 Mon Sep 17 00:00:00 2001
From: sara-rn <103417144+sara-rn@users.noreply.github.com>
Date: Fri, 28 Jul 2023 19:51:54 +0200
Subject: [PATCH 3/6] Update decode-data-using-base64-via-dword-translation-table.yml
additional translation tables
---
 ...ata-using-base64-via-dword-translation-table.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
index 586185a45..ae2e4987f 100644
--- a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
+++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
@@ -4,6 +4,7 @@ rule:
 namespace: data-manipulation/encoding/base64
 authors:
 - gilbert.elliot@mandiant.com
+ - sara.rincon@mandiant.com
 scope: function
 att&ck:
 - Defense Evasion::Obfuscated Files or Information [T1027]
@@ -12,6 +13,7 @@ rule:
 - Data::Encode Data::Base64 [C0026.001]
 examples:
 - 9efa86b43b4367bcdc1591aee59bda25:0x10001000
+ - 09BF850BE5DA44A1C3629A1F62813A83:0x10001100
 features:
 - and:
 - mnemonic: shl
@@ -23,5 +25,12 @@ rule:
 - number: 3
 - number: 4
 - number: 6
- - number: 0xF
- - byteshardcoded base64 translation table (first 64 of 256 dwords)
+ - or:
+ - number: 0xF
+ - number: 0x3D
+ - number: 0x40
+ - or:
+ - byteshardcoded base64 translation table (first 64 of 256 dwords)
+ - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E FF FF FF 3F 34 35 36 37 38 39 3A 3B 3C 3D FF FF FF FF FF FF FF 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 FF FF FF FF FF FF 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 FF FF FF FF FF = hardcoded base64 translation table
+ - bytesstring: "BBBBBBBBBB@BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB>BBB?456789:;<=BBBABBB"
From d57a618076fd3e4451173d2da478591a1a76ce4f Mon Sep 17 00:00:00 2001
From: sara-rn <103417144+sara-rn@users.noreply.github.com>
Date: Sun, 30 Jul 2023 14:59:38 +0200
Subject: [PATCH 4/6] Update decode-data-using-base64-via-dword-translation-table.yml
fixed hash
---
 .../decode-data-using-base64-via-dword-translation-table.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
index ae2e4987f..f53c898e2 100644
--- a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
+++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
@@ -13,7 +13,7 @@ rule:
 - Data::Encode Data::Base64 [C0026.001]
 examples:
 - 9efa86b43b4367bcdc1591aee59bda25:0x10001000
- - 09BF850BE5DA44A1C3629A1F62813A83:0x10001100
+ - 09bf850be5da44a1c3629a1f62813a83:0x10001100
 features:
 - and:
 - mnemonic: shl
From 04c77aedce494f9f65323a603190f4171959e589 Mon Sep 17 00:00:00 2001
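Review bot: The two alternatives added under the new `- or:` are byte-wide decode tables, while the rule's name ("via dword translation table") and the retained first entry ("first 64 of 256 dwords") describe a DWORD table, so after this hunk the name and description (outside the hunk) no longer say what the rule matches; either rename it or add `# the byte-wide tables below cover decoders that index a 128-byte table instead of 256 dwords`. The `bytes:` entry is a 128-byte table indexed by ASCII value (`3E` at 0x2B '+', `3F` at 0x2F '/', `34`–`3D` at '0'–'9', `00`–`19` at 'A'–'Z', `1A`–`33` at 'a'–'z', `FF` elsewhere), and the quoted string is the printable 65-byte prefix of a table with the same layout (`>` at index 43, `?` at 47, `4`…`=` at 48–57) that uses `B` (0x42) instead of `FF` for invalid positions, with `@` at index 10 and `A` at 61 presumably marking newline and `=`; that reading should go in a description after `=` on the string line, in the same style as the `bytes:` line, so a match is explained. The feature keys read `bytesstring` and `byteshardcoded` in this rendering, which are not feature names capa accepts; if that is not an artefact of how the patch was captured the rule will not load, so please confirm the file reads `- string:` and `- bytes: … =` there.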
From: sara-rn <103417144+sara-rn@users.noreply.github.com>
Date: Sun, 30 Jul 2023 15:09:13 +0200
Subject: [PATCH 5/6] Update decode-data-using-base64-via-dword-translation-table.yml
---
 .../decode-data-using-base64-via-dword-translation-table.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
index f53c898e2..69894dbdc 100644
--- a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
+++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
@@ -32,5 +32,6 @@ rule:
 - or:
 - byteshardcoded base64 translation table (first 64 of 256 dwords)
 - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E FF FF FF 3F 34 35 36 37 38 39 3A 3B 3C 3D FF FF FF FF FF FF FF 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 FF FF FF FF FF FF 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 FF FF FF FF FF = hardcoded base64 translation table
- - bytesbytesstring: "BBBBBBBBBB@BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB>BBB?456789:;<=BBBABBB"
+
From 7cc3bb46aaf804d0320501c3b817f9c17c812dd9 Mon Sep 17 00:00:00 2001
From: sara-rn <103417144+sara-rn@users.noreply.github.com>
Date: Sun, 30 Jul 2023 15:22:48 +0200
Subject: [PATCH 6/6] Update decode-data-using-base64-via-dword-translation-table.yml
---
 .../decode-data-using-base64-via-dword-translation-table.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
index 69894dbdc..877f551c0 100644
--- a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
+++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml
@@ -34,4 +34,3 @@ rule:
 - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E FF FF FF 3F 34 35 36 37 38 39 3A 3B 3C 3D FF FF FF FF FF FF FF 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 FF FF FF FF FF FF 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 FF FF FF FF FF = hardcoded base64 translation table
 - bytesstring: "BBBBBBBBBB@BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB>BBB?456789:;<=BBBABBB"
-