Add encode-data-using-add-xor-sub-operations.yml (#800)

* Add encode-data-using-add-xor-sub-operations.yml --------- Co-authored-by: Moritz <[email protected]>
mandiant · Nov 22, 2023 · 6ad4499 · 6ad4499
1 parent 41a0a9d
commit 6ad4499
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/data-manipulation/encoding/encode-data-using-add-xor-sub-operations.yml b/data-manipulation/encoding/encode-data-using-add-xor-sub-operations.yml
@@ -0,0 +1,23 @@
+rule:
+  meta:
+    name: encode data using ADD XOR SUB operations
+    namespace: data-manipulation/encoding
+    authors:
+      - [email protected]
+    description: Data encoding using a sequence of ADD/XOR/SUB (or SUB/XOR/ADD) operations common for PlugX but also used by other malware families.
+    scope: function
+    att&ck:
+      - Defense Evasion::Obfuscated Files or Information [T1027]
+    mbc:
+      - Defense Evasion::Obfuscated Files or Information::Encoding-Custom Algorithm [E1027.m03]
+    examples:
+      - df814d4b55912e4ba404c62080b3a7eda70a3c6283ea740f8a14a9116d803259:0x1000100F
+  features:
+    - and:
+      - count(basic blocks): 6 or fewer
+      - basic block:
+        - and:
+          - characteristic: tight loop
+          - characteristic: nzxor
+          - count(mnemonic(add)): 1
+          - count(mnemonic(sub)): 1