From c18567589c9b19d005753eab859c41730a32111e Mon Sep 17 00:00:00 2001 From: dkelly2e Date: Tue, 23 May 2023 19:15:27 +0800 Subject: [PATCH 001/100] Create covertly decode and write data to Windows directory using indirect calls.txt --- ...Windows directory using indirect calls.txt | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 data-manipulation/encoding/xor/covertly decode and write data to Windows directory using indirect calls.txt diff --git a/data-manipulation/encoding/xor/covertly decode and write data to Windows directory using indirect calls.txt b/data-manipulation/encoding/xor/covertly decode and write data to Windows directory using indirect calls.txt new file mode 100644 index 000000000..85a2e6bad --- /dev/null +++ b/data-manipulation/encoding/xor/covertly decode and write data to Windows directory using indirect calls.txt @@ -0,0 +1,22 @@ +rule: + meta: + name: covertly decode and write data to Windows directory using indirect calls + namespace: data-manipulation/encoding/xor + authors: + - dna.kelly@mandiant.com + scope: function + att&ck: + - Defense Evasion::Obfuscated Files or Information [T1027] + mbc: + - Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02] + - Data::Encode Data::XOR [C0026.002] + examples: + - 9176F177BD88686C6BEB29D8BB05F20C:0x180001000 + features: + - and: + - match: write file on Windows + - match: encode data using XOR + - match: create or open file + - match: reference absolute stream path on Windows + - match: contain loop + - characteristic: indirect call From 9bce4f8acd5f78642272ce010e0ac1b8b6e40de6 Mon Sep 17 00:00:00 2001 
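Review bot: The rule is created as a `.txt` file under data-manipulation/encoding/xor, so the rule loader and the CI linter will presumably not pick it up as a rule at all; it needs the `.yml` extension the rest of the tree uses. The `features:` block also ANDs five `match:` sub-rules with `characteristic: indirect call` at function scope but carries no `description:`, so an analyst seeing the hit cannot tell which behaviour made the combination "covert". Suggest `description: matches functions that XOR-decode data in a loop and write it to an absolute Windows path through indirectly called file APIs`. `match: contain loop` may already be implied by the XOR-encoding sub-rule; worth checking before keeping it as a separate condition.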
From: dkelly2e Date: Fri, 26 May 2023 19:02:22 +0800 Subject: [PATCH 002/100] Rename covertly decode and write data to Windows directory using indirect calls.txt to covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml --- ...-and-write-data-to-Windows-directory-using-indirect-calls.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename data-manipulation/encoding/xor/{covertly decode and write data to Windows directory using indirect calls.txt => covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml} (100%) diff --git a/data-manipulation/encoding/xor/covertly decode and write data to Windows directory using indirect calls.txt b/data-manipulation/encoding/xor/covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml similarity index 100% rename from data-manipulation/encoding/xor/covertly decode and write data to Windows directory using indirect calls.txt rename to data-manipulation/encoding/xor/covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml From a5cb48e8a22b89264239366f08009ad93e3e9244 Mon Sep 17 00:00:00 2001 From: dkelly2e Date: Fri, 26 May 2023 19:02:32 +0800 Subject: [PATCH 003/100] Update covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml --- ...and-write-data-to-Windows-directory-using-indirect-calls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data-manipulation/encoding/xor/covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml b/data-manipulation/encoding/xor/covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml index 85a2e6bad..c3bfecdf5 100644 --- a/data-manipulation/encoding/xor/covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml +++ b/data-manipulation/encoding/xor/covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml 
@@ -3,7 +3,7 @@ rule: name: covertly decode and write data to Windows directory using indirect calls namespace: data-manipulation/encoding/xor authors: - - dna.kelly@mandiant.com + - dan.kelly@mandiant.com scope: function att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] From 6c42b0f864667b776eca2b3bd118723cc3daabdf Mon Sep 17 00:00:00 2001 From: Anders Vejlby Date: Tue, 30 May 2023 11:14:44 +0000 Subject: [PATCH 004/100] adding rules for vm detection through wmi calls to drive and motherboard model --- ...-wmi-disk-drive-model-contains-virtual.yml | 19 +++++++++++++++++++ ...wmi-motherboard-model-contains-virtual.yml | 19 +++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml create mode 100644 anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml new file mode 100644 index 000000000..23fe4f0a2 --- /dev/null +++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml @@ -0,0 +1,19 @@ +# generated using capa explorer for IDA Pro +rule: + meta: + name: reference anti-VM strings - WMI disk drive model contains Virtual + namespace: anti-analysis/anti-vm/vm-detection + authors: + - anders.vejlby@mandiant.com + scope: function + att&ck: + - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] + references: + - + examples: + - E69F2E964AA4A4E676F3335705B047E7:0x4035e0 + features: + - or: + - string: "Win32_DiskDrive" + - string: "Model" + - string: "Virtual" 
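Review bot: In the new disk-drive rule the `- or:` over `"Win32_DiskDrive"`, `"Model"` and `"Virtual"` lets a function containing only the string `"Model"` or only `"Virtual"` satisfy the rule, which is far looser than the name "WMI disk drive model contains Virtual" implies. The sibling motherboard rule in the same patch uses `- and:`; this one should too: `- and:`. The `references:` key holds a bare `-`, which YAML parses as a null list item; either add a link to the Win32_DiskDrive class documentation or drop the key.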
diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml new file mode 100644 index 000000000..fc92139a3 --- /dev/null +++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml @@ -0,0 +1,19 @@ +# generated using capa explorer for IDA Pro +rule: + meta: + name: reference anti-VM strings - WMI motherboard model contains Virtual + namespace: anti-analysis/anti-vm/vm-detection + authors: + - anders.vejlby@mandiant.com + scope: function + att&ck: + - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] + references: + - + examples: + - E69F2E964AA4A4E676F3335705B047E7:0x4035e0 + features: + - and: + - string: "Win32_BaseBoard" + - string: "Virtual" + - string: "Model" From 165865c69bc2f35de865b9751b29f11fcef90daa Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Tue, 30 May 2023 16:27:26 +0200 Subject: [PATCH 005/100] Update anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml --- ...-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml index 23fe4f0a2..8b51935f2 100644 --- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml +++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml @@ -8,8 +8,6 @@ rule: scope: function att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] - references: - - examples: - E69F2E964AA4A4E676F3335705B047E7:0x4035e0 features: 
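Review bot: `"Model"` is the property name used with Win32_DiskDrive; the commonly populated identity property of Win32_BaseBoard is `Product`, so the `"Model"` string in the motherboard rule presumably comes from the disk check living in the same function — both rules cite the identical example function `E69F2E964AA4A4E676F3335705B047E7:0x4035e0`. The motherboard rule would then only match where the disk check is also present; `- string: "Product"` is the value a standalone baseboard check would reference. The same issue carries over to the re-created motherboard rule in PATCH 008. The empty `references:` item here has the same YAML-null problem as in the disk-drive rule.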
From e9767fc8aebf381cc3c04a2384347a4dbf85dc4d Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Tue, 30 May 2023 16:27:36 +0200 Subject: [PATCH 006/100] Update anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml --- ...anti-vm-strings---wmi-motherboard-model-contains-virtual.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml index fc92139a3..9e95c304a 100644 --- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml +++ b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml @@ -8,8 +8,6 @@ rule: scope: function att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] - references: - - examples: - E69F2E964AA4A4E676F3335705B047E7:0x4035e0 features: From ea8ca38115aa3e0120141468fb854b51465fa62d Mon Sep 17 00:00:00 2001 From: dkelly2e Date: Wed, 31 May 2023 18:44:19 +0800 Subject: [PATCH 007/100] Rename covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml to covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml Lowercase'd the filename --- ...-and-write-data-to-windows-directory-using-indirect-calls.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename data-manipulation/encoding/xor/{covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml => covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml} (100%) 
diff --git a/data-manipulation/encoding/xor/covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml b/data-manipulation/encoding/xor/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml similarity index 100% rename from data-manipulation/encoding/xor/covertly-decode-and-write-data-to-Windows-directory-using-indirect-calls.yml rename to data-manipulation/encoding/xor/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml From a1c5c5d10edc402ccf824af29682b3e57a9a8a37 Mon Sep 17 00:00:00 2001 From: Anders Vejlby Date: Wed, 31 May 2023 12:49:19 +0000 Subject: [PATCH 008/100] implementing pr comments --- .../detect-VM-via-disk-hardware-WMI-queries.yml | 17 +++++++++++++++++ ...-VM-via-motherboard-hardware-WMI-queries.yml | 17 +++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml create mode 100644 anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml diff --git a/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml new file mode 100644 index 000000000..00bd032ef --- /dev/null +++ b/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml @@ -0,0 +1,17 @@ +# generated using capa explorer for IDA Pro +rule: + meta: + name: detect VM via disk hardware WMI queries + namespace: anti-analysis/anti-vm/vm-detection + authors: + - anders.vejlby@mandiant.com + scope: function + att&ck: + - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] + examples: + - E69F2E964AA4A4E676F3335705B047E7:0x4035e0 + features: + - and: + - string: "Win32_DiskDrive" + - string: "Model" + - string: "Virtual" 
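Review bot: The re-created disk rule still has no `description:` or `references:`, and keeps the `# generated using capa explorer for IDA Pro` header, so a reader has to infer from three bare strings that the function checks whether the WMI Win32_DiskDrive `Model` property contains "Virtual". Suggest `description: query the WMI Win32_DiskDrive class and test whether the Model property contains "Virtual"` plus a `references:` entry pointing at the Win32_DiskDrive class documentation. The generated-by comment is tooling residue and can be dropped once the rule is hand-reviewed.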
diff --git a/anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml new file mode 100644 index 000000000..2ae6ddabe --- /dev/null +++ b/anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml @@ -0,0 +1,17 @@ +# generated using capa explorer for IDA Pro +rule: + meta: + name: detect VM via motherboard hardware WMI queries + namespace: anti-analysis/anti-vm/vm-detection + authors: + - anders.vejlby@mandiant.com + scope: function + att&ck: + - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] + examples: + - E69F2E964AA4A4E676F3335705B047E7:0x4035e0 + features: + - and: + - string: "Win32_BaseBoard" + - string: "Virtual" + - string: "Model" From b75b6e5a6fc1f3357c2a7d99c22a85fff0e21091 Mon Sep 17 00:00:00 2001 From: Anders Vejlby Date: Wed, 31 May 2023 12:54:28 +0000 Subject: [PATCH 009/100] removing duplicate renamed rules --- ...---wmi-disk-drive-model-contains-virtual.yml | 17 ----------------- ...--wmi-motherboard-model-contains-virtual.yml | 17 ----------------- 2 files changed, 34 deletions(-) delete mode 100644 anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml delete mode 100644 anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml deleted file mode 100644 index 8b51935f2..000000000 --- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-disk-drive-model-contains-virtual.yml +++ /dev/null 
@@ -1,17 +0,0 @@ -# generated using capa explorer for IDA Pro -rule: - meta: - name: reference anti-VM strings - WMI disk drive model contains Virtual - namespace: anti-analysis/anti-vm/vm-detection - authors: - - anders.vejlby@mandiant.com - scope: function - att&ck: - - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] - examples: - - E69F2E964AA4A4E676F3335705B047E7:0x4035e0 - features: - - or: - - string: "Win32_DiskDrive" - - string: "Model" - - string: "Virtual" diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml deleted file mode 100644 index 9e95c304a..000000000 --- a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings---wmi-motherboard-model-contains-virtual.yml +++ /dev/null @@ -1,17 +0,0 @@ -# generated using capa explorer for IDA Pro -rule: - meta: - name: reference anti-VM strings - WMI motherboard model contains Virtual - namespace: anti-analysis/anti-vm/vm-detection - authors: - - anders.vejlby@mandiant.com - scope: function - att&ck: - - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] - examples: - - E69F2E964AA4A4E676F3335705B047E7:0x4035e0 - features: - - and: - - string: "Win32_BaseBoard" - - string: "Virtual" - - string: "Model" From 758bc4d1654a7c82242858b637b85269870692a8 Mon Sep 17 00:00:00 2001 From: Anders Vejlby Date: Wed, 31 May 2023 13:45:32 +0000 Subject: [PATCH 010/100] changed examples to different smaller binary uploaded on virustotal and changed motherboard model string to Product as this was an error. Rule was working before because of both checks being in the same function. --- .../vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml | 2 +- .../detect-VM-via-motherboard-hardware-WMI-queries.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml index 00bd032ef..d3e3188e8 100644 --- a/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml +++ b/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml @@ -9,7 +9,7 @@ rule: att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] examples: - - E69F2E964AA4A4E676F3335705B047E7:0x4035e0 + - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0 features: - and: - string: "Win32_DiskDrive" diff --git a/anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml index 2ae6ddabe..08374416e 100644 --- a/anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml +++ b/anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml @@ -9,9 +9,9 @@ rule: att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] examples: - - E69F2E964AA4A4E676F3335705B047E7:0x4035e0 + - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0 features: - and: - string: "Win32_BaseBoard" - string: "Virtual" - - string: "Model" + - string: "Product" From 70018d2fbabc7227c06f7f9f85d5ebe0b9851bb8 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Fri, 16 Jun 2023 16:32:08 +0200 Subject: [PATCH 011/100] add rule --- .../enumerate-devices-by-category.yml | 1 + host-interaction/service/continue-service.yml | 19 +++++++++++++++++++ host-interaction/service/pause-service.yml | 19 +++++++++++++++++++ 3 files changed, 39 insertions(+) create mode 100644 host-interaction/service/continue-service.yml create mode 100644 host-interaction/service/pause-service.yml 
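Review bot: The replacement example `32B3678F8C29437E9EA10EAB10194F66:0x4035e0` keeps the exact function address of the previous sample (`E69F2E964AA4A4E676F3335705B047E7:0x4035e0`) in both rules, which only holds if the two binaries are builds of the same code; worth confirming the address resolves to the WMI-query function in the new sample rather than being carried over by copy. The `Model` → `Product` correction is explained only in the commit message; record it in the rule itself, e.g. `description: query the WMI Win32_BaseBoard class and test whether the Product property contains "Virtual"`, so the next editor does not "fix" it back.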
diff --git a/host-interaction/hardware/enumerate-devices-by-category.yml b/host-interaction/hardware/enumerate-devices-by-category.yml index 0f8c10da6..50e1b7368 100644 --- a/host-interaction/hardware/enumerate-devices-by-category.yml +++ b/host-interaction/hardware/enumerate-devices-by-category.yml @@ -19,3 +19,4 @@ rule: - optional: - description: class identifier (CLSID) of the device category - bytes: 10 B3 0B 86 01 5D D0 11 BD 3B 00 A0 C9 11 CE 86 = CVidCapClassManager + - bytes: 62 A7 D9 33 C8 90 D0 11 BD 43 00 A0 C9 11 CE 86 = CWaveinClassManager diff --git a/host-interaction/service/continue-service.yml b/host-interaction/service/continue-service.yml new file mode 100644 index 000000000..34601a8d4 --- /dev/null +++ b/host-interaction/service/continue-service.yml @@ -0,0 +1,19 @@ +rule: + meta: + name: continue service + namespace: host-interaction/service + authors: + - "@mr-tz" + scope: function + att&ck: + - Persistence::Create or Modify System Process::Windows Service [T1543.003] + examples: + - Practical Malware Analysis Lab 17-02.dll_:0x1000bd79 + features: + - and: + - optional: + - match: get service handle + - number: 0x3 = SERVICE_CONTROL_CONTINUE + - or: + - api: advapi32.ControlService + - api: advapi32.ControlServiceEx diff --git a/host-interaction/service/pause-service.yml b/host-interaction/service/pause-service.yml new file mode 100644 index 000000000..7311b6d3f --- /dev/null +++ b/host-interaction/service/pause-service.yml @@ -0,0 +1,19 @@ +rule: + meta: + name: pause service + namespace: host-interaction/service + authors: + - "@mr-tz" + scope: function + att&ck: + - Persistence::Create or Modify System Process::Windows Service [T1543.003] + examples: + - Practical Malware Analysis Lab 17-02.dll_:0x1000bccd + features: + - and: + - optional: + - match: get service handle + - number: 0x2 = SERVICE_CONTROL_PAUSE + - or: + - api: advapi32.ControlService + - api: advapi32.ControlServiceEx 
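Review bot: In continue-service and pause-service the `number: 0x3` / `number: 0x2` and the `ControlService`/`ControlServiceEx` call are matched independently anywhere in the function, and the immediates 2 and 3 occur in almost every function, so any function that calls ControlService would satisfy both rules at once; the `optional:` get-service-handle branch adds no constraint. Nest the control code and the API `or:` under a `basic block:` subscope so they must appear together. The T1543.003 (Create or Modify System Process) mapping is also a stretch for pausing or resuming an existing service; a hedged `description:` naming the actual behaviour would help more than the technique tag.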
From 0929c9cdb5bf45413c057d77c98d788b5d0f3150 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Fri, 16 Jun 2023 17:40:18 +0200 Subject: [PATCH 012/100] tighten rule via basic block subscope --- host-interaction/service/continue-service.yml | 10 ++++++---- host-interaction/service/pause-service.yml | 10 ++++++---- host-interaction/service/stop/stop-service.yml | 10 ++++++---- 3 files changed, 18 insertions(+), 12 deletions(-) diff --git a/host-interaction/service/continue-service.yml b/host-interaction/service/continue-service.yml index 34601a8d4..dd481e8b0 100644 --- a/host-interaction/service/continue-service.yml +++ b/host-interaction/service/continue-service.yml @@ -13,7 +13,9 @@ rule: - and: - optional: - match: get service handle - - number: 0x3 = SERVICE_CONTROL_CONTINUE - - or: - - api: advapi32.ControlService - - api: advapi32.ControlServiceEx + - basic block: + - and: + - number: 0x3 = SERVICE_CONTROL_CONTINUE + - or: + - api: advapi32.ControlService + - api: advapi32.ControlServiceEx diff --git a/host-interaction/service/pause-service.yml b/host-interaction/service/pause-service.yml index 7311b6d3f..91bbafe99 100644 --- a/host-interaction/service/pause-service.yml +++ b/host-interaction/service/pause-service.yml @@ -13,7 +13,9 @@ rule: - and: - optional: - match: get service handle - - number: 0x2 = SERVICE_CONTROL_PAUSE - - or: - - api: advapi32.ControlService - - api: advapi32.ControlServiceEx + - basic block: + - and: + - number: 0x2 = SERVICE_CONTROL_PAUSE + - or: + - api: advapi32.ControlService + - api: advapi32.ControlServiceEx diff --git a/host-interaction/service/stop/stop-service.yml b/host-interaction/service/stop/stop-service.yml index 80a60bc89..d1426f20b 100644 --- a/host-interaction/service/stop/stop-service.yml +++ b/host-interaction/service/stop/stop-service.yml 
@@ -14,7 +14,9 @@ rule: - and: - optional: - match: get service handle - - number: 0x1 = SERVICE_CONTROL_STOP - - or: - - api: advapi32.ControlService - - api: advapi32.ControlServiceEx + - basic block: + - and: + - number: 0x1 = SERVICE_CONTROL_STOP + - or: + - api: advapi32.ControlService + - api: advapi32.ControlServiceEx From ce1e11d83892ab4604860bf22b7501444a7ddc31 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Sat, 24 Jun 2023 10:19:11 +0200 Subject: [PATCH 013/100] add rule --- .../service/query-service-configuration.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 host-interaction/service/query-service-configuration.yml diff --git a/host-interaction/service/query-service-configuration.yml b/host-interaction/service/query-service-configuration.yml new file mode 100644 index 000000000..539aab630 --- /dev/null +++ b/host-interaction/service/query-service-configuration.yml @@ -0,0 +1,15 @@ +rule: + meta: + name: query service configuration + namespace: host-interaction/service + authors: + - "@mr-tz" + scope: function + att&ck: + - Discovery::System Service Discovery [T1007] + examples: + - Practical Malware Analysis Lab 17-02.dll_:0x1000bf52 + features: + - or: + - api: advapi32.QueryServiceConfigA + - api: advapi32.QueryServiceConfig2A From 08e0c6178a9b7d2da56a2dcc964e9be3ce285a58 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Sat, 24 Jun 2023 08:21:09 +0000 Subject: [PATCH 014/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f46694b3b..5c8854b4a 100644 --- a/README.md +++ b/README.md 
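Review bot: `advapi32.QueryServiceConfigA` and `advapi32.QueryServiceConfig2A` name only the ANSI imports, so Unicode builds importing the `W` variants are missed; capa strips the A/W suffix when it extracts API features, so the suffix-less form matches both. Change to `- api: advapi32.QueryServiceConfig` and `- api: advapi32.QueryServiceConfig2`, consistent with `advapi32.ControlService` in the service rules earlier in this series.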
@@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-800-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-802-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 5d091eeb24874cad6a9768d232866134eaffdf20 Mon Sep 17 00:00:00 2001 From: jaxxpnd <108181387+jaxxpnd@users.noreply.github.com> Date: Sun, 25 Jun 2023 13:50:43 +0300 Subject: [PATCH 015/100] Create enumerate-minifilter-drivers.yml Moved rule to enumerate minifilter drivers from anti-analysis/anti-av to host-interaction/filter, added sample to test samples repository --- .../filter/enumerate-minifilter-drivers.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 host-interaction/filter/enumerate-minifilter-drivers.yml diff --git a/host-interaction/filter/enumerate-minifilter-drivers.yml b/host-interaction/filter/enumerate-minifilter-drivers.yml new file mode 100644 index 000000000..46c3dcd37 --- /dev/null +++ b/host-interaction/filter/enumerate-minifilter-drivers.yml @@ -0,0 +1,16 @@ +rule: + meta: + name: enumerate minifilter drivers + namespace: host-interaction/filter + authors: + - aseel.kayal@mandiant.com + scope: function + references: + - https://posts.specterops.io/mimidrv-in-depth-4d273d19e148 + - https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts + examples: + - 3E528207CA374123F63789195A4AEDDE:0x12F49 + features: + - and: + - api: fltmgr.FltEnumerateFilters + - api: fltmgr.FltGetFilterInformation From 21077c2908c309995f533827738724ddd3f6a1e9 Mon Sep 17 00:00:00 2001 
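Review bot: The minifilter rule has no `description:` and no ATT&CK or MBC mapping, while the commit message says it was moved out of anti-analysis/anti-av, so the reason for the move and the intended reading of a hit are lost. `FltEnumerateFilters` and `FltGetFilterInformation` are fltmgr.sys exports, so this fires only on kernel-mode drivers; recording that saves triage time. Suggest `description: enumerate loaded minifilter drivers through the Filter Manager API (kernel-mode drivers only); see the mimidrv reference for a driver that uses this`.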
From: Moritz Date: Wed, 28 Jun 2023 07:50:07 +0200 Subject: [PATCH 016/100] revert MBC E1055.004 cannot be validated at the moment --- host-interaction/process/inject/inject-apc.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/host-interaction/process/inject/inject-apc.yml b/host-interaction/process/inject/inject-apc.yml index 6ecff4e3f..6f803b9da 100644 --- a/host-interaction/process/inject/inject-apc.yml +++ b/host-interaction/process/inject/inject-apc.yml @@ -7,8 +7,6 @@ rule: scope: function att&ck: - Defense Evasion::Process Injection::Asynchronous Procedure Call [T1055.004] - mbc: - - Defense Evasion::Process Injection::Asynchronous Procedure Call [E1055.004] examples: - al-khaser_x64.exe_:0x140019348 features: From 83d4e3bc02fdbc75fe508486be99511ecf308587 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Sun, 2 Jul 2023 16:23:04 +0200 Subject: [PATCH 017/100] add import --- host-interaction/file-system/get-common-file-path.yml | 1 + lib/get-os-version.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/host-interaction/file-system/get-common-file-path.yml b/host-interaction/file-system/get-common-file-path.yml index 5078a4dae..13ca9804f 100644 --- a/host-interaction/file-system/get-common-file-path.yml +++ b/host-interaction/file-system/get-common-file-path.yml @@ -30,6 +30,7 @@ rule: - api: SHGetFolderPathAndSubDir - api: shell32.SHGetFolderPath - api: shell32.SHGetFolderLocation + - api: shell32.SHGetKnownFolderPath - api: shell32.SHGetSpecialFolderPath - api: shell32.SHGetSpecialFolderLocation - api: System.IO.Directory::GetCurrentDirectory diff --git a/lib/get-os-version.yml b/lib/get-os-version.yml index 3f856a649..f6460d574 100644 --- a/lib/get-os-version.yml +++ b/lib/get-os-version.yml @@ -17,3 +17,4 @@ rule: - api: VerifyVersionInfo - api: VerSetConditionMask - api: RtlGetNtVersionNumbers + - api: GetProductInfo From 1a5751691b5960478d1cf408065941fdeeb85bb4 Mon Sep 17 00:00:00 2001 
From: jtothej <95413053+jtothej@users.noreply.github.com> Date: Tue, 4 Jul 2023 13:47:30 +0800 Subject: [PATCH 018/100] Update and promote compiled-with-cx_freeze.yml --- .../cx_freeze/compiled-with-cx_freeze.yml | 43 +++++++++++++++++++ nursery/compiled-with-cx_freeze.yml | 14 ------ 2 files changed, 43 insertions(+), 14 deletions(-) create mode 100644 compiler/cx_freeze/compiled-with-cx_freeze.yml delete mode 100644 nursery/compiled-with-cx_freeze.yml diff --git a/compiler/cx_freeze/compiled-with-cx_freeze.yml b/compiler/cx_freeze/compiled-with-cx_freeze.yml new file mode 100644 index 000000000..bb5689e1e --- /dev/null +++ b/compiler/cx_freeze/compiled-with-cx_freeze.yml 
@@ -0,0 +1,43 @@ +rule: + meta: + name: compiled with cx_Freeze + namespace: compiler/cx_freeze + authors: + - "@mr-tz" + - jakub.jozwiak@mandiant.com + scope: file + att&ck: + - Execution::Command and Scripting Interpreter::Python [T1059.006] + - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] + references: + - https://github.com/marcelotduarte/cx_Freeze + examples: + - 573174640974b288d9d161cf4d29387cd7dbf7d80a80f5547df887f9836df8fb + features: + - or: + - and: + - os: windows + - 3 or more: + - string: "cx_Freeze Fatal Error" + - string: "cx_Freeze: Python error in main script" + - string: "cx_Freeze: Application Terminated" + - string: "%ls\\lib\\library.zip;%ls\\lib" + - string: "Unable to calculate directory of executable!" + - string: "Unable to load python3.dll!" + - string: "Unable to change DLL search path!" + - string: "initializing with config file %ls" + - string: "%ls --install []" + - string: "exception calling session_changed method" + - and: + - or: + - os: linux + - os: macos + - 3 or more: + - string: "PATH environment variable not defined!" + - string: "Unable to determine absolute path for executable!" + - string: "Unable to convert path to string!" + - string: "Unable to calculate directory of executable!" + - string: "Out of memory creating sys.path!" + - string: "Out of memory converting arguments!" + - string: "Unable to convert argument to string!" + - string: "%ls/lib/library.zip:%ls/lib" diff --git a/nursery/compiled-with-cx_freeze.yml b/nursery/compiled-with-cx_freeze.yml deleted file mode 100644 index 7839c7097..000000000 --- a/nursery/compiled-with-cx_freeze.yml +++ /dev/null 
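Review bot: The promoted rule replaces the nursery rule's pinned source reference (`.../blob/fbf77369.../source/bases/Win32GUI.c`) with the bare repository URL, so the origin of the eighteen strings can no longer be checked against a fixed revision. Keep the pinned file reference next to the repository link, and add the corresponding source file for the Linux/macOS strings (presumably the console base in the same directory). The T1027.002 Software Packing mapping is debatable for a freezer that bundles an interpreter without obfuscating it; a `description:` stating that this identifies the cx_Freeze bootstrap rather than packing would set expectations.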
@@ -1,14 +0,0 @@ -rule: - meta: - name: compiled with cx_Freeze - namespace: compiler - authors: - - "@mr-tz" - scope: file - references: - - https://github.com/marcelotduarte/cx_Freeze/blob/fbf77369f7466953188e42ff6f7ecbfe026eabf1/source/bases/Win32GUI.c - features: - - or: - - string: "cx_Freeze Fatal Error" - - string: "cx_Freeze: Python error in main script" - - string: "cx_Freeze: Application Terminated" From 098dacbae1ac5d239aa18780de289637e64adda1 Mon Sep 17 00:00:00 2001 From: jtothej <95413053+jtothej@users.noreply.github.com> Date: Tue, 4 Jul 2023 14:24:29 +0800 Subject: [PATCH 019/100] Add create-vmci-socket.yml --- communication/socket/create-vmci-socket.yml | 27 +++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 communication/socket/create-vmci-socket.yml diff --git a/communication/socket/create-vmci-socket.yml b/communication/socket/create-vmci-socket.yml new file mode 100644 index 000000000..784fe3a5d --- /dev/null +++ b/communication/socket/create-vmci-socket.yml @@ -0,0 +1,27 @@ +rule: + meta: + name: create VMCI socket + namespace: communication/socket + authors: + - jakub.jozwiak@mandiant.com + scope: basic block + mbc: + - Communication::Socket Communication::Create Socket [C0001.003] + references: + - https://www.vmware.com/products/beta/ws/VMCIsockets.pdf + examples: + - 9ed5660c6a442dbba9e2ba795ccc913c1f1517ce89854fe4287c1c8b36b21d52:0x180001241 + features: + - or: + - and: + - os: windows + - or: + - api: socket + - api: DeviceIoControl + - number: 0x81032068 = VMCI_SOCKETS_GET_AF_VALUE + - and: + - os: linux + - or: + - api: socket + - api: ioctl + - number: 0x7B8 = VMCI_SOCKETS_GET_AF_VALUE From ffd59a208b8ca45130b1ca34cf5e50835195ade0 Mon Sep 17 00:00:00 2001 
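Review bot: Both `number:` entries carry the symbolic name `VMCI_SOCKETS_GET_AF_VALUE`, but one is a Windows `DeviceIoControl` control code and the other a Linux `ioctl` request number, and nothing in the rule says why `api: socket` sits in the same `or:` as the IOCTL constant. A `description:` along the lines of `the VMCI address family is obtained at runtime via an ioctl and then passed to socket()` would explain the structure to the next editor. The PDF reference is a product document; a link to the vmci_sockets.h header where the constants are defined would be easier to verify.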
From: jtothej <95413053+jtothej@users.noreply.github.com> Date: Tue, 4 Jul 2023 14:41:33 +0800 Subject: [PATCH 020/100] Add switch-active-desktop.yml --- .../switch-active-desktop.yml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 anti-analysis/anti-debugging/debugger-evasion/switch-active-desktop.yml diff --git a/anti-analysis/anti-debugging/debugger-evasion/switch-active-desktop.yml b/anti-analysis/anti-debugging/debugger-evasion/switch-active-desktop.yml new file mode 100644 index 000000000..b04ea8325 --- /dev/null +++ b/anti-analysis/anti-debugging/debugger-evasion/switch-active-desktop.yml @@ -0,0 +1,20 @@ +rule: + meta: + name: switch active desktop + namespace: anti-analysis/anti-debugging/debugger-evasion + authors: + - jakub.jozwiak@mandiant.com + scope: function + att&ck: + - Defense Evasion::Debugger Evasion [T1622] + mbc: + - Anti-Behavioral Analysis::Debugger Evasion [B0002] + references: + - https://anti-debug.checkpoint.com/techniques/interactive.html#switchdesktop + examples: + - 26beba7352a32b803aa19e0782011a383a1df19549910e7b2f2f244e49678524:0x10001670 + features: + - and: + - api: user32.CreateDesktop + - api: user32.SwitchDesktop + - number: 0x182 = DESKTOP_CREATEWINDOW | DESKTOP_WRITEOBJECTS | DESKTOP_SWITCHDESKTOP From a8b8558e8c7c4c391fa8ee96105bf27c3b5c0b6e Mon Sep 17 00:00:00 2001 From: jtothej <95413053+jtothej@users.noreply.github.com> Date: Wed, 5 Jul 2023 10:44:42 +0800 Subject: [PATCH 021/100] Update and promote hide-thread-from-debugger.yml --- .../hide-thread-from-debugger.yml | 33 +++++++++++++++++++ nursery/hide-thread-from-debugger.yml | 13 -------- 2 files changed, 33 insertions(+), 13 deletions(-) create mode 100644 anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml delete mode 100644 nursery/hide-thread-from-debugger.yml 
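Review bot: Requiring the exact access mask `0x182` makes the rule brittle: a sample calling `CreateDesktop` with `GENERIC_ALL` or with extra `DESKTOP_*` rights would not match, while the `CreateDesktop` + `SwitchDesktop` pair in one function is already the technique. Move the constant under `- optional:` so it strengthens a hit without gating it: `- optional:` / `  - number: 0x182 = DESKTOP_CREATEWINDOW | DESKTOP_WRITEOBJECTS | DESKTOP_SWITCHDESKTOP`. The mask value itself checks out (0x2 | 0x80 | 0x100).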
diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml new file mode 100644 index 000000000..8605b1038 --- /dev/null +++ b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml @@ -0,0 +1,33 @@ +rule: + meta: + name: hide thread from debugger + namespace: anti-analysis/anti-debugging/debugger-evasion + authors: + - michael.hunhoff@mandiant.com + - jakub.jozwiak@mandiant.com + scope: function + att&ck: + - Defense Evasion::Debugger Evasion [T1622] + mbc: + - Anti-Behavioral Analysis::Debugger Evasion [B0002] + references: + - https://anti-debug.checkpoint.com/techniques/interactive.html#ntsetinformationthread + - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtSetInformationThread_ThreadHideFromDebugger.cpp + - https://github.com/jaeyung1001/Anti-Debugging/blob/master/Code/NtSetInformationThread.cpp + examples: + - 26beba7352a32b803aa19e0782011a383a1df19549910e7b2f2f244e49678524:0x10001670 + features: + - or: + - basic block: + - and: + - or: + - api: NtSetInformationThread + - api: ZwSetInformationThread + - number: 0x11 = ThreadHideFromDebugger + - and: + - or: + - string: "NtSetInformationThread" + - string: "ZwSetInformationThread" + - api: GetProcAddress + - api: GetCurrentThread + - number: 0x11 = ThreadHideFromDebugger diff --git a/nursery/hide-thread-from-debugger.yml b/nursery/hide-thread-from-debugger.yml deleted file mode 100644 index 3fb0fc476..000000000 --- a/nursery/hide-thread-from-debugger.yml +++ /dev/null 
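Review bot: The dynamic-resolution branch hard-requires `api: GetCurrentThread`, but `ThreadHideFromDebugger` can equally be applied to a handle returned by `CreateThread` or `OpenThread`, so that branch misses the non-self case; making `GetCurrentThread` `optional:` keeps the string + `GetProcAddress` + `0x11` core intact. The example `26beba7352a32b803aa19e0782011a383a1df19549910e7b2f2f244e49678524:0x10001670` is the same function cited by switch-active-desktop.yml in the previous patch, so a second example would show that each rule matches on its own evidence. The `number: 0x11` in the second branch is matched anywhere in the function; acceptable given the string constraint, but worth a comment.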
@@ -1,13 +0,0 @@ -rule: - meta: - name: hide thread from debugger - namespace: anti-analysis/anti-debugging - authors: - - michael.hunhoff@mandiant.com - scope: basic block - references: - - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtSetInformationThread_ThreadHideFromDebugger.cpp - features: - - and: - - api: NtSetInformationThread - - number: 0x11 = ThreadHideFromDebugger From e6c917abeb91abc1a308a36678857d11d3b5932b Mon Sep 17 00:00:00 2001 From: JJ <95413053+jtothej@users.noreply.github.com> Date: Wed, 5 Jul 2023 14:39:49 +0800 Subject: [PATCH 022/100] Add act-as-exchange-transport-agent.yml (#782) * Add act-as-exchange-transport-agent.yml --- .../act-as-exchange-transport-agent.yml | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 persistence/exchange/act-as-exchange-transport-agent.yml diff --git a/persistence/exchange/act-as-exchange-transport-agent.yml b/persistence/exchange/act-as-exchange-transport-agent.yml new file mode 100644 index 000000000..ae24c8096 --- /dev/null +++ b/persistence/exchange/act-as-exchange-transport-agent.yml 
@@ -0,0 +1,44 @@ +rule: + meta: + name: act as Exchange transport agent + namespace: persistence/exchange + authors: + - jakub.jozwiak@mandiant.com + scope: function + att&ck: + - Persistence::Server Software Component::Transport Agent [T1505.002] + references: + - https://learn.microsoft.com/en-us/exchange/mail-flow/transport-agents/transport-agents?view=exchserver-2019 + - https://learn.microsoft.com/en-us/exchange/client-developer/transport-agents/how-to-create-a-deliveryagent-transport-agent-for-exchange-2013 + examples: + - a301eadd2b665b696803e143dd4d657d71c56bbded2a3a1b96c5bcb83cc6796a:0x600000E + features: + - and: + - format: dotnet + - or: + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnConnectEvent + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnHeloCommand + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnEhloCommand + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnStartTlsCommand + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnAuthCommand + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnProcessAuthentication + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnEndOfAuthentication + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnXSessionParamsCommand + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnMailCommand + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnRcptToCommand + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnDataCommand + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnEndOfHeaders + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnProxyInboundMessage + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnEndOfData + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnHelpCommand + - api: 
Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnNoopCommand + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnReject + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnRsetCommand + - api: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent::add_OnDisconnectEvent + - api: Microsoft.Exchange.Data.Transport.Routing.RoutingAgent::add_OnSubmittedMessage + - api: Microsoft.Exchange.Data.Transport.Routing.RoutingAgent::add_OnResolvedMessage + - api: Microsoft.Exchange.Data.Transport.Routing.RoutingAgent::add_OnRoutedMessage + - api: Microsoft.Exchange.Data.Transport.Routing.RoutingAgent::add_OnCategorizedMessage + - api: Microsoft.Exchange.Data.Transport.Delivery.DeliveryAgent::add_OnCloseConnection + - api: Microsoft.Exchange.Data.Transport.Delivery.DeliveryAgent::add_OnDeliverMailItem + - api: Microsoft.Exchange.Data.Transport.Delivery.DeliveryAgent::add_OnOpenConnection From 71450724d331a5bcc57bf3d8c5dd950f72c8c2cd Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Wed, 5 Jul 2023 06:40:03 +0000 Subject: [PATCH 023/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5c8854b4a..68067101a 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-802-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-803-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 65b07e2b5c6d84e6d1f1c50e511813e085e132a2 Mon Sep 17 00:00:00 2001 
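Review bot: The `or` in this hunk keys only on `add_On*` event subscriptions, but every transport agent must also derive from one of the agent base classes, so matching on the type reference is simpler and covers agents that subscribe through a member the list does not name. Adding `- class: Microsoft.Exchange.Data.Transport.Smtp.SmtpReceiveAgent`, `- class: Microsoft.Exchange.Data.Transport.Routing.RoutingAgent` and `- class: Microsoft.Exchange.Data.Transport.Delivery.DeliveryAgent` as alternatives in the `or` uses the `class:` feature other .NET rules in this series already rely on, assuming the subscriptions and the base constructor call sit in the same function (usually the agent's constructor). Legitimate anti-spam and DLP agents subscribe to exactly these events, so a match identifies the component type rather than intent; the rule name is appropriately neutral, and a one-line comment saying so would keep triage expectations aligned.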
From: JJ <95413053+jtothej@users.noreply.github.com> Date: Wed, 5 Jul 2023 14:40:46 +0800 Subject: [PATCH 024/100] Add create-virtual-file-system-in-dotnet.yml (#783) * Add create-virtual-file-system-in-dotnet.yml --- .../create-virtual-file-system-in-dotnet.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 host-interaction/file-system/create-virtual-file-system-in-dotnet.yml diff --git a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml new file mode 100644 index 000000000..fbb2e72f9 --- /dev/null +++ b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml @@ -0,0 +1,17 @@ +rule: + meta: + name: create virtual file system in .NET + namespace: host-interaction/file-system + authors: + - jakub.jozwiak@mandiant.com + scope: function + att&ck: + - Defense Evasion::Hide Artifacts::Hidden File System [T1564.005] + references: + - https://learn.microsoft.com/en-us/dotnet/api/system.web.hosting.virtualpathprovider?view=netframework-4.8.1 + examples: + - be619015f1d5fb13d3bcd48d1b0843759a5e040d8af3da50f2d8f55b5a680e02:0x600000F + features: + - and: + - format: dotnet + - api: System.Web.Hosting.VirtualPathProvider::ctor From d28bb096d4dbe01a4158aba256817efcefaa4616 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Wed, 5 Jul 2023 06:40:58 +0000 Subject: [PATCH 025/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 68067101a..9348ac470 100644 --- a/README.md +++ b/README.md 
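Review bot: The single feature `api: System.Web.Hosting.VirtualPathProvider::ctor` in this hunk fires for any ASP.NET code that subclasses VirtualPathProvider, which many ordinary web frameworks and CMS packages do to serve embedded views, so the T1564.005 Hidden File System mapping asserts an intent the feature cannot distinguish. A comment under `features:` such as `# any custom VirtualPathProvider (e.g. embedded-resource views) also matches; treat as a capability, not a verdict` would set expectations for whoever reads the match. If a second example from a different family is available, adding it would show the constructor call is the intended anchor rather than an artefact of one sample.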
@@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-803-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-804-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 6b449aa96f0e737dc0ed70c5f61ed5836c5f68f9 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Wed, 5 Jul 2023 06:57:46 +0000 Subject: [PATCH 026/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9348ac470..fab049bce 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-804-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-805-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 299ba4258b2bb19ac60558ca4681c0ab89b4f5e2 Mon Sep 17 00:00:00 2001 From: jtothej <95413053+jtothej@users.noreply.github.com> Date: Wed, 5 Jul 2023 16:54:38 +0800 Subject: [PATCH 027/100] Update hide-thread-from-debugger.yml --- .../debugger-evasion/hide-thread-from-debugger.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml index 8605b1038..7f50b0e22 100644 --- a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml +++ b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml @@ -28,6 +28,6 @@ rule: - or: - string: "NtSetInformationThread" - string: "ZwSetInformationThread" - - api: GetProcAddress + - match: link function at runtime on Windows - api: GetCurrentThread - number: 0x11 = ThreadHideFromDebugger From 415b40bb96c263971244e0ee0f7d9f4e74d554c7 Mon Sep 17 00:00:00 2001 From: JJ <95413053+jtothej@users.noreply.github.com> Date: Wed, 5 Jul 2023 16:56:57 +0800 Subject: [PATCH 028/100] Add Office Add-ins rules. (#781) * Add Office Add-ins rules. --- .../office/act-as-excel-xll-add-in.yml | 16 ++++++++++++ .../office/act-as-office-com-add-in.yml | 25 +++++++++++++++++++ persistence/office/act-as-word-wll-add-in.yml | 16 ++++++++++++ 3 files changed, 57 insertions(+) create mode 100644 persistence/office/act-as-excel-xll-add-in.yml create mode 100644 persistence/office/act-as-office-com-add-in.yml create mode 100644 persistence/office/act-as-word-wll-add-in.yml diff --git a/persistence/office/act-as-excel-xll-add-in.yml b/persistence/office/act-as-excel-xll-add-in.yml new file mode 100644 index 000000000..446bdcb92 --- /dev/null +++ b/persistence/office/act-as-excel-xll-add-in.yml @@ -0,0 +1,16 @@ +rule: + meta: + name: act as Excel XLL add-in + namespace: persistence/office + authors: + - jakub.jozwiak@mandiant.com + scope: file + att&ck: + - Persistence::Office Application Startup::Add-ins [T1137.006] + references: + - https://learn.microsoft.com/en-us/office/client-developer/excel/xlautoopen + examples: + - c29513e5a51dd24ca840f7628b872cba921976cba89dcbffd5028ba15481108c + features: + - or: + - export: xlAutoOpen 
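Review bot: The updated branch in this hunk still requires `api: GetCurrentThread`, yet code written against the native API commonly passes the current-thread pseudo-handle as an immediate instead of calling the Win32 wrapper, so the dynamically resolved variant this branch was widened for can still be missed. If capa's number syntax admits the pseudo-handle value, an `or:` of `api: GetCurrentThread` and that `number:` would close the gap; otherwise a comment recording the assumption is worth adding next to the line. The rule's first branch and its meta block lie outside this hunk.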
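Review bot: The `or` in the XLL hunk has a single branch, `export: xlAutoOpen`, and the Word WLL rule later in this commit has the same shape with `export: wdAutoOpen`; a one-element `or` reads like an unfinished list. The Excel add-in interface also defines `xlAutoClose`, `xlAutoAdd`, `xlAutoRemove` and `xlAddInManagerInfo`, so either add e.g. `- export: xlAutoClose` and `- export: xlAddInManagerInfo` as siblings, or collapse the `or` to the bare `export:` if execution-on-load is the only behaviour the rule is meant to name. A comment stating which was intended would help, since every benign XLL matches this rule as well.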
diff --git a/persistence/office/act-as-office-com-add-in.yml b/persistence/office/act-as-office-com-add-in.yml new file mode 100644 index 000000000..bfb1dd094 --- /dev/null +++ b/persistence/office/act-as-office-com-add-in.yml @@ -0,0 +1,25 @@ +rule: + meta: + name: act as Office COM add-in + namespace: persistence/office + authors: + - jakub.jozwiak@mandiant.com + scope: file + att&ck: + - Persistence::Office Application Startup::Add-ins [T1137.006] + references: + - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence + - https://learn.microsoft.com/en-us/dotnet/api/extensibility.idtextensibility2?view=visualstudiosdk-2022 + examples: + - 0831bb382211a67c57a392955138808526aa15e55531091841706aae2cb89613 + features: + - and: + - format: dotnet + - class: Extensibility.IDTExtensibility2 + - or: + - string: "OnAddInsUpdate" + - string: "OnAddInsUpdate" + - string: "OnBeginShutdown" + - string: "OnConnection" + - string: "OnDisconnection" + - string: "OnStartupComplete" diff --git a/persistence/office/act-as-word-wll-add-in.yml b/persistence/office/act-as-word-wll-add-in.yml new file mode 100644 index 000000000..74bebc560 --- /dev/null +++ b/persistence/office/act-as-word-wll-add-in.yml @@ -0,0 +1,16 @@ +rule: + meta: + name: act as Word WLL add-in + namespace: persistence/office + authors: + - jakub.jozwiak@mandiant.com + scope: file + att&ck: + - Persistence::Office Application Startup::Add-ins [T1137.006] + references: + - https://www.ired.team/offensive-security/persistence/word-library-add-ins + examples: + - 03bb32d43885e83bc56c0b2bcad6f0c5ea40402763b7057056c654990022471b + features: + - or: + - export: wdAutoOpen From e541c2444fa294452e0f908cdebb5f094495ad8c Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Wed, 5 Jul 2023 08:57:08 +0000 Subject: [PATCH 029/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fab049bce..259b0792f 100644 
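Review bot: `- string: "OnAddInsUpdate"` appears twice in the `or` of the act-as-office-com-add-in hunk; IDTExtensibility2 declares exactly five methods (OnAddInsUpdate, OnBeginShutdown, OnConnection, OnDisconnection, OnStartupComplete), all of which are already listed, so one of the duplicate lines should be removed. Because `format: dotnet` is required, native COM add-ins that implement the same interface cannot match; if those are in scope, a separate branch without the format constraint, keyed on the interface identifier or the method names as strings, would be needed. A one-line comment recording that the .NET-only scope is deliberate would save the next reader from re-deriving it.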
--- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-805-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-808-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From f8dfe8ec168ca083d8b29892f4deb137f39b342e Mon Sep 17 00:00:00 2001 From: jtothej <95413053+jtothej@users.noreply.github.com> Date: Wed, 5 Jul 2023 18:51:38 +0800 Subject: [PATCH 030/100] Add create-new-application-domain-in-dotnet.yml --- ...reate-new-application-domain-in-dotnet.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 host-interaction/memory/create-new-application-domain-in-dotnet.yml diff --git a/host-interaction/memory/create-new-application-domain-in-dotnet.yml b/host-interaction/memory/create-new-application-domain-in-dotnet.yml new file mode 100644 index 000000000..0bd7dabee --- /dev/null +++ b/host-interaction/memory/create-new-application-domain-in-dotnet.yml 
@@ -0,0 +1,22 @@ +rule: + meta: + name: create new application domain in .NET + namespace: host-interaction/memory + authors: + - jakub.jozwiak@mandiant.com + scope: file + att&ck: + - Persistence::Hijack Execution Flow [T1574] + references: + - https://learn.microsoft.com/en-us/dotnet/framework/app-domains/application-domains + - https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/ + examples: + - 6f6acca4d3696e08af9ed80f237f3542c362ebc2bcc9759bb64aa3f5c007320e + features: + - and: + - format: dotnet + - class: System.AppDomainManager + - class: System.AppDomainSetup + - or: + - string: "InitializeNewDomain" + - string: "CreateDomain" From f109d758ced8235892da97a5cfe31bcd6b09a4fa Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Thu, 6 Jul 2023 08:17:14 +0000 Subject: [PATCH 031/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 259b0792f..ac1f9e272 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-808-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-809-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From fb55d377263002db6e1e1feb5c48125b56b3f057 Mon Sep 17 00:00:00 2001 
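Review bot: `string: "CreateDomain"` in this hunk is a looser stand-in for a method reference the .NET extractor can see directly; `- api: System.AppDomain::CreateDomain` in the same `or` would match the call itself rather than any occurrence of the name. As written, the `and` of the two classes plus either string also matches ordinary plugin hosts and test runners that create application domains, while the T1574 mapping and the Rapid7 reference describe the narrower case where a custom AppDomainManager is substituted into another process; a comment such as `# matches any AppDomainManager subclass or domain host; T1574 applies only to the manager-replacement case` would document that gap.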
From: jtothej <95413053+jtothej@users.noreply.github.com> Date: Thu, 6 Jul 2023 16:19:40 +0800 Subject: [PATCH 032/100] Add inject-shellcode-using-extra-window-memory.yml and inject-shellcode-using-window-subclass-procedure.yml --- ...ct-shellcode-using-extra-window-memory.yml | 27 +++++++++++++++++ ...llcode-using-window-subclass-procedure.yml | 30 +++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml create mode 100644 host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml diff --git a/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml b/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml new file mode 100644 index 000000000..f500f3e7d --- /dev/null +++ b/host-interaction/process/inject/inject-shellcode-using-extra-window-memory.yml @@ -0,0 +1,27 @@ +rule: + meta: + name: inject shellcode using extra window memory + namespace: host-interaction/process/inject + authors: + - jakub.jozwiak@mandiant.com + scope: function + att&ck: + - Defense Evasion::Process Injection::Extra Window Memory Injection [T1055.011] + mbc: + - Defense Evasion::Process Injection [E1055] + references: + - https://unprotect.it/technique/extra-window-memory-injection/ + - https://github.com/SafeBreach-Labs/pinjectra/blob/master/Pinjector/SetWindowLongPtrA.cpp + examples: + - 592cfd22bba96ef3aab566fe7bf82aff5e1b4130856d1f7f847d03d4689af7e7:0x1400010C0 + features: + - and: + - match: find taskbar + - match: open process + - match: write process memory + - or: + - api: SetWindowLong + - api: SetWindowLongPtr + - or: + - api: PostMessage + - api: SendNotifyMessage diff --git a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml new file mode 100644 index 000000000..1be70de63 --- /dev/null 
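Review bot: `match: find taskbar` in this hunk ties the rule to the tray-window variant described by the pinjectra reference, so the generic extra-window-memory technique the unprotect reference covers (any window class with usable extra bytes) does not match even though the remaining features are identical. If the broader technique is intended, an `or:` of `match: find taskbar` and `match: find graphical window` (the feature the window-subclass rule in this commit uses) would cover both; if the tray variant is deliberate, a comment under `features:` saying so would stop a later contributor from broadening it by accident. The trigger `or` lists `PostMessage` and `SendNotifyMessage` but not `SendMessage`, which uses the same dispatch path and deserves a line of justification either way.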
+++ b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml @@ -0,0 +1,30 @@ +rule: + meta: + name: inject shellcode using window subclass procedure + namespace: host-interaction/process/inject + authors: + - jakub.jozwiak@mandiant.com + scope: function + att&ck: + - Defense Evasion::Process Injection [T1055] + mbc: + - Defense Evasion::Process Injection [E1055] + references: + - https://www.hexacorn.com/blog/2017/10/26/propagate-a-new-code-injection-trick/ + - https://modexp.wordpress.com/2018/08/23/process-injection-propagate/ + - https://github.com/Fahersto/code_injection/blob/master/shellcode_injection/propagate_injection.cpp + examples: + - 6c440a5ce8509984dcc4e703d0e4dd9bffc4efd769dc8543f8d2e0cd86452822:0x25D7F1425 + features: + - and: + - match: find graphical window + - match: open process + - match: write process memory + - api: SetProp + - or: + - api: PostMessage + - api: SendNotifyMessage + - string: "UxSubclassInfo" + - or: + - string: "ToolbarWindow32" + - string: "SHELLDLL_DefView" From 1d6c6cbc56631aa3f6c88d5e28e84395d5324504 Mon Sep 17 00:00:00 2001 From: JJ <95413053+jtothej@users.noreply.github.com> Date: Thu, 6 Jul 2023 18:56:09 +0800 Subject: [PATCH 033/100] Update host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml Co-authored-by: Willi Ballenthin --- .../inject/inject-shellcode-using-window-subclass-procedure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml index 1be70de63..ba0ebdacc 100644 --- a/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml +++ b/host-interaction/process/inject/inject-shellcode-using-window-subclass-procedure.yml 
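Review bot: The window-subclass hunk matches on the single property name `string: "UxSubclassInfo"`, while the older comctl32 builds use the property name `CC32SubclassInfo` for the same subclassing mechanism; if both generations are in scope, an `or:` of `- string: "UxSubclassInfo"` and `- string: "CC32SubclassInfo"` keeps coverage consistent. A short comment above the string, e.g. `# comctl32 subclass header property written via SetProp on the target window`, would explain to a reader why a property name rather than an API is the anchor. The two window-class strings at the end of the `and` are target-specific and are worth a similar one-line note so they are not mistaken for generic features.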
@@ -20,7 +20,7 @@ rule: - match: find graphical window - match: open process - match: write process memory - - api: SetProp + - api: user32.SetProp - or: - api: PostMessage - api: SendNotifyMessage From f99fd950b6710513a943ed0ffcc653a95d74d804 Mon Sep 17 00:00:00 2001 From: jtothej <95413053+jtothej@users.noreply.github.com> Date: Thu, 6 Jul 2023 21:21:07 +0800 Subject: [PATCH 034/100] Update switch-active-desktop.yml and move to host-interaction/gui --- .../gui}/switch-active-desktop.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) rename {anti-analysis/anti-debugging/debugger-evasion => host-interaction/gui}/switch-active-desktop.yml (77%) diff --git a/anti-analysis/anti-debugging/debugger-evasion/switch-active-desktop.yml b/host-interaction/gui/switch-active-desktop.yml similarity index 77% rename from anti-analysis/anti-debugging/debugger-evasion/switch-active-desktop.yml rename to host-interaction/gui/switch-active-desktop.yml index b04ea8325..54d3ac48e 100644 --- a/anti-analysis/anti-debugging/debugger-evasion/switch-active-desktop.yml +++ b/host-interaction/gui/switch-active-desktop.yml @@ -1,7 +1,7 @@ rule: meta: name: switch active desktop - namespace: anti-analysis/anti-debugging/debugger-evasion + namespace: host-interaction/gui authors: - jakub.jozwiak@mandiant.com scope: function @@ -17,4 +17,3 @@ rule: - and: - api: user32.CreateDesktop - api: user32.SwitchDesktop - - number: 0x182 = DESKTOP_CREATEWINDOW | DESKTOP_WRITEOBJECTS | DESKTOP_SWITCHDESKTOP From eceb48bc8599030996449b59c3b617163b678dc0 Mon Sep 17 00:00:00 2001 From: jtothej <95413053+jtothej@users.noreply.github.com> Date: Thu, 6 Jul 2023 21:35:52 +0800 Subject: [PATCH 035/100] Add patch-event-tracing-for-windows-function.yml --- ...tch-event-tracing-for-windows-function.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml 
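Review bot: The first hunk of the switch-active-desktop change moves the rule to `namespace: host-interaction/gui`, but the `att&ck: Defense Evasion::Debugger Evasion [T1622]` and `mbc: Anti-Behavioral Analysis::Debugger Evasion [B0002]` entries introduced with the file earlier in this series lie between the two hunks and are not touched, so the meta block now says GUI interaction in one place and debugger evasion in another. Either drop those two mappings, since the remaining features `user32.CreateDesktop` plus `user32.SwitchDesktop` do not by themselves indicate anti-debugging, or keep them alongside the anti-debug reference and explain the dual use in a comment. The second hunk's removal of the access-mask constant is consistent with the move; the lines between the hunks are outside this view.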
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml new file mode 100644 index 000000000..c21d5aff4 --- /dev/null +++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml @@ -0,0 +1,37 @@ +rule: + meta: + name: patch Event Tracing for Windows function + namespace: anti-analysis/anti-av + authors: + - jakub.jozwiak@mandiant.com + scope: function + att&ck: + - Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006] + mbc: + - Defense Evasion::Disable or Evade Security Tools [F0004] + references: + - https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/ + - https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch/blob/main/patch-etw-x64.c + examples: + - 15835b6dd703e69d22d4ab941ccd5f6e78c3abc22ae123366da5e950eaa62e2b:0x180001D70 + features: + - and: + - match: link function at runtime on Windows + - or: + - api: kernel32.VirtualProtect + - api: ntdll.NtProtectVirtualMemory + - api: ntdll.ZwProtectVirtualMemory + - string: "VirtualProtect" + - string: "NtProtectVirtualMemory" + - string: "ZwProtectVirtualMemory" + - or: + - string: "EventWrite" + - string: "EtwEventWrite" + - string: "EtwEventWriteFull" + - string: "TraceEvent" + - string: "NtTraceEvent" + - string: "ZwTraceEvent" + - string: "NtTraceControl" + - string: "ZwTraceControl" + - optional: + - match: write process memory From a2989e6ba5e145617d2aa3a23d365bff6f752284 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Fri, 7 Jul 2023 06:26:17 +0000 Subject: [PATCH 036/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ac1f9e272..9d8c15fb6 100644 --- a/README.md +++ b/README.md 
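Review bot: The memory-protection `or` in this hunk qualifies the imports as `kernel32.VirtualProtect`, `ntdll.NtProtectVirtualMemory` and `ntdll.ZwProtectVirtualMemory`, whereas the rest of this series (e.g. `api: PostMessage`, `api: GetProcAddress`) leaves the module off; a binary that imports the same function through another module (forwarders such as kernelbase for VirtualProtect) would then rely on the `string:` fallbacks only. Unless the qualification is intentional, `- api: VirtualProtect` / `- api: NtProtectVirtualMemory` / `- api: ZwProtectVirtualMemory` is the consistent form. The unconditional `match: link function at runtime on Windows` also deserves a comment, because samples that resolve the ETW export by hash rather than by name satisfy neither it nor the `string:` list and will not match; a known gap is better documented than rediscovered.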
@@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-809-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-810-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 82d01492177e57d0d9796920675e1b1f54c31028 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Sat, 8 Jul 2023 07:53:12 +0000 Subject: [PATCH 037/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9d8c15fb6..ccb836e90 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-810-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-811-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 46bcd63954b9efdfa7e06e27a4c7e6a17735e02f Mon Sep 17 00:00:00 2001 From: mr-tz Date: Sat, 8 Jul 2023 10:34:13 +0200 Subject: [PATCH 038/100] add winmm wave functions --- collection/microphone/capture-microphone-audio.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/collection/microphone/capture-microphone-audio.yml b/collection/microphone/capture-microphone-audio.yml index b826e9b90..f3cb212dc 100644 
--- a/collection/microphone/capture-microphone-audio.yml +++ b/collection/microphone/capture-microphone-audio.yml @@ -10,8 +10,12 @@ rule: examples: - a70052c45e907820187c7e6bcdc7ecca:0x405B40 features: - - and: - - api: mciSendString - - string: /^open/i - - string: /waveaudio/i - - string: /^record/i + - or: + - and: + - api: mciSendString + - string: /^open/i + - string: /waveaudio/i + - string: /^record/i + - api: winmm.waveInOpen + - api: winmm.waveInAddBuffer + - api: winmm.waveInStart From ec223d1a1468f1d18887191ddb2e28e0a4a8e8d2 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Mon, 10 Jul 2023 15:26:10 +0000 Subject: [PATCH 039/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ccb836e90..1c6c796d2 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-811-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-812-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 358b666459ab90e5ea12ee6123c6eb563e5911e4 Mon Sep 17 00:00:00 2001 From: sara-rn <103417144+sara-rn@users.noreply.github.com> Date: Mon, 10 Jul 2023 21:04:13 +0200 Subject: [PATCH 040/100] Update hash-data-using-fnv.yml --- data-manipulation/hashing/fnv/hash-data-using-fnv.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml index 300d337ff..8bc063eaa 100644 --- a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml 
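Review bot: With indentation collapsed in this view the three `winmm.waveIn*` entries appear to be direct children of the new `or` (the diffstat's nine insertions leave no room for a second `and:`), which would let a lone `waveInOpen`, present in any application that records audio including VoIP and dictation tools, satisfy a rule named capture microphone audio. If that reading is right, adding `- and:` above `- api: winmm.waveInOpen` and indenting the three waveIn lines under it restores the stricter semantics of the original `and`, requiring open, buffer submission and start in one function. If they are instead nested under the mciSendString `and`, the rule would require both APIs together and the existing example `a70052c45e907820187c7e6bcdc7ecca:0x405B40` would need re-checking.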
+++ b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml @@ -16,15 +16,22 @@ rule: - https://create.stephan-brumme.com/fnv-hash/ examples: - ad4229879180e267f431ac6666b6a0a2:0x14007B4D4 + - 09BF850BE5DA44A1C3629A1F62813A83:0x10006010 features: - and: - optional: - characteristic: loop - number: 0xcbf29ce484222325 = FNV_offset_basis, unused by FNV-0 - number: 0x811c9dc5 = FNV_offset_basis, unused by FNV-0 + - and: + - number: 0xcbf29ce4 = FNV_offset_basis 64 bits, 32-bit value + - number: 0x84222325 = FNV_offset_basis 64 bits, 32-bit value - or: - number: 0x100000001b3 = FNV prime - number: 0x01000193 = FNV prime + - and: + - number: 0x100 = FNV prime 64 bits, split in DWORD + - number: 0x1b3 = FNV prime 64 bits, split in DWORD - basic block: # FNV-1 hash does multiply then XOR # FNV-1a hash does XOR then multiply @@ -33,3 +40,4 @@ rule: - or: - mnemonic: imul - mnemonic: mul + - api: _allmul From 3759e261fd2900c2dd5ece136e8503bda6670a46 Mon Sep 17 00:00:00 2001 From: jtothej <95413053+jtothej@users.noreply.github.com> Date: Tue, 11 Jul 2023 11:18:06 +0800 Subject: [PATCH 041/100] Add act-as-dhcp-server-callout-dll.yml act-as-dns-server-plugin-dll.yml authentication-process/act-as-security-support-provider-dll.yml authentication-process/act-as-subauthentication-package-dll.yml --- .../act-as-dhcp-server-callout-dll.yml | 16 ++++++++++++++++ persistence/act-as-dns-server-plugin-dll.yml | 18 ++++++++++++++++++ .../act-as-security-support-provider-dll.yml | 17 +++++++++++++++++ .../act-as-subauthentication-package-dll.yml | 19 +++++++++++++++++++ 4 files changed, 70 insertions(+) create mode 100644 persistence/act-as-dhcp-server-callout-dll.yml create mode 100644 persistence/act-as-dns-server-plugin-dll.yml create mode 100644 persistence/authentication-process/act-as-security-support-provider-dll.yml create mode 100644 persistence/authentication-process/act-as-subauthentication-package-dll.yml 
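Review bot: In the first hunk the new `and` of `number: 0x100` and `number: 0x1b3` is correlated only at function scope, and 0x100 is one of the most common immediates in compiled code, so the pair adds little evidence on its own; placing the two halves in a `basic block:` subscope (they are normally materialised adjacently when a 64-bit constant is built from DWORDs) would keep the coverage gain while limiting spurious matches. The descriptions `FNV_offset_basis 64 bits, 32-bit value` and `FNV prime 64 bits, split in DWORD` would read more clearly as `high DWORD of 64-bit FNV_offset_basis` / `low DWORD of 64-bit FNV_offset_basis` and likewise for the prime. In the second hunk `api: _allmul` only matches when the 64-bit multiply helper is recognised as an import or a named library function; for statically linked CRT code that depends on the backend's signature matching, which is worth a comment next to the line.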
diff --git a/persistence/act-as-dhcp-server-callout-dll.yml b/persistence/act-as-dhcp-server-callout-dll.yml new file mode 100644 index 000000000..4a3096325 --- /dev/null +++ b/persistence/act-as-dhcp-server-callout-dll.yml @@ -0,0 +1,16 @@ +rule: + meta: + name: act as DHCP server callout DLL + namespace: persistence + authors: + - jakub.jozwiak@mandiant.com + scope: file + att&ck: + - Persistence::Server Software Component [T1505] + references: + - https://learn.microsoft.com/en-gb/previous-versions/windows/desktop/dhcp/how-the-dhcp-server-api-operates + examples: + - 36f506a34b99bf4c199b3c9ec8aa02bd631feafdca20e69e33e714c269ddb8c5 + features: + - or: + - export: DhcpServerCalloutEntry diff --git a/persistence/act-as-dns-server-plugin-dll.yml b/persistence/act-as-dns-server-plugin-dll.yml new file mode 100644 index 000000000..b458b41e3 --- /dev/null +++ b/persistence/act-as-dns-server-plugin-dll.yml @@ -0,0 +1,18 @@ +rule: + meta: + name: act as DNS server plugin DLL + namespace: persistence + authors: + - jakub.jozwiak@mandiant.com + scope: file + att&ck: + - Persistence::Server Software Component [T1505] + references: + - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 + examples: + - 36f506a34b99bf4c199b3c9ec8aa02bd631feafdca20e69e33e714c269ddb8c5 + features: + - or: + - export: DnsPluginInitialize + - export: DnsPluginCleanup + - export: DnsPluginQuery diff --git a/persistence/authentication-process/act-as-security-support-provider-dll.yml b/persistence/authentication-process/act-as-security-support-provider-dll.yml new file mode 100644 index 000000000..9776f1f03 --- /dev/null +++ b/persistence/authentication-process/act-as-security-support-provider-dll.yml 
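Review bot: The `or` of `DnsPluginInitialize`, `DnsPluginCleanup` and `DnsPluginQuery` in the DNS plugin hunk treats any one export as sufficient, whereas the DNS server drives a plugin through all three entry points; a DLL exporting only one is either incomplete or a different kind of module, so `and:` would express the actual contract while `or:` maximises recall. Either is defensible, but a comment such as `# any single entry point is enough: partial or staged plugin DLLs still indicate the capability` would record the choice. The DHCP callout hunk before it uses the same single-branch `or` shape around `export: DhcpServerCalloutEntry`, which could simply be the bare `export:` feature.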
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: act as Security Support Provider DLL
+ namespace: persistence/authentication-process
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scope: file
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::Security Support Provider [T1547.005]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/secauthn/lsa-mode-initialization
+ - https://github.com/Hagrid29/DuplicateDump/blob/main/LSAPlugin/LSASSP/dllmain.cpp
+ examples:
+ - 36f506a34b99bf4c199b3c9ec8aa02bd631feafdca20e69e33e714c269ddb8c5
+ features:
+ - or:
+ - export: SpLsaModeInitialize
diff --git a/persistence/authentication-process/act-as-subauthentication-package-dll.yml b/persistence/authentication-process/act-as-subauthentication-package-dll.yml
new file mode 100644
index 000000000..c0def1dd4
--- /dev/null
+++ b/persistence/authentication-process/act-as-subauthentication-package-dll.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: act as SubAuthentication Package DLL
+ namespace: persistence/authentication-process
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scope: file
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::Authentication Package [T1547.002]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/secauthn/subauthentication-packages
+ examples:
+ - 36f506a34b99bf4c199b3c9ec8aa02bd631feafdca20e69e33e714c269ddb8c5
+ features:
+ - or:
+ - export: Msv1_0SubAuthenticationFilter
+ - export: Msv1_0SubAuthenticationRoutine
+ - export: Msv1_0SubAuthenticationRoutineEx
+ - export: Msv1_0SubAuthenticationRoutineGeneric
From cda22165c6811540a93925f550e847dd0d8a0afb Mon Sep 17 00:00:00 2001
From: sara-rn <103417144+sara-rn@users.noreply.github.com>
Date: Tue, 11 Jul 2023 17:18:35 +0200
Subject: [PATCH 042/100] Update hash-data-using-fnv.yml didn't match the old example, it's fixed
---
 data-manipulation/hashing/fnv/hash-data-using-fnv.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml index 8bc063eaa..825be537a 100644 --- a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml +++ b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml @@ -29,9 +29,9 @@ rule: - or: - number: 0x100000001b3 = FNV prime - number: 0x01000193 = FNV prime - - and: - - number: 0x100 = FNV prime 64 bits, split in DWORD - - number: 0x1b3 = FNV prime 64 bits, split in DWORD + - and: + - number: 0x100 = FNV prime 64 bits, split in DWORD + - number: 0x1b3 = FNV prime 64 bits, split in DWORD - basic block: # FNV-1 hash does multiply then XOR # FNV-1a hash does XOR then multiply From c96c056d1430ba9cf2adac50256a4909dbc5c41f Mon Sep 17 00:00:00 2001 From: sara-rn <103417144+sara-rn@users.noreply.github.com> Date: Tue, 11 Jul 2023 22:38:28 +0200 Subject: [PATCH 043/100] Update hash-data-using-fnv.yml (#792) * Update hash-data-using-fnv.yml --- data-manipulation/hashing/fnv/hash-data-using-fnv.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml index 300d337ff..825be537a 100644 --- a/data-manipulation/hashing/fnv/hash-data-using-fnv.yml +++ b/data-manipulation/hashing/fnv/hash-data-using-fnv.yml 
@@ -16,15 +16,22 @@ rule:
 - https://create.stephan-brumme.com/fnv-hash/
 examples:
 - ad4229879180e267f431ac6666b6a0a2:0x14007B4D4
+ - 09BF850BE5DA44A1C3629A1F62813A83:0x10006010
 features:
 - and:
 - optional:
 - characteristic: loop
 - number: 0xcbf29ce484222325 = FNV_offset_basis, unused by FNV-0
 - number: 0x811c9dc5 = FNV_offset_basis, unused by FNV-0
+ - and:
+ - number: 0xcbf29ce4 = FNV_offset_basis 64 bits, 32-bit value
+ - number: 0x84222325 = FNV_offset_basis 64 bits, 32-bit value
 - or:
 - number: 0x100000001b3 = FNV prime
 - number: 0x01000193 = FNV prime
+ - and:
+ - number: 0x100 = FNV prime 64 bits, split in DWORD
+ - number: 0x1b3 = FNV prime 64 bits, split in DWORD
 - basic block:
 # FNV-1 hash does multiply then XOR
 # FNV-1a hash does XOR then multiply
@@ -33,3 +40,4 @@ rule:
 - or:
 - mnemonic: imul
 - mnemonic: mul
+ - api: _allmul
From 816ab128df7c44573872588c37c7cb34abbf1610 Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Wed, 12 Jul 2023 09:06:12 +0000
Subject: [PATCH 044/100] Update rules number badge
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1c6c796d2..6f38573c2 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@ # capa rules
 [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22)
-[![Number of rules](https://img.shields.io/badge/rules-812-blue.svg)](rules)
+[![Number of rules](https://img.shields.io/badge/rules-822-blue.svg)](rules)
 [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)
 This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs.
From 82714cd7d08cb7eaeba6df7e53adb261439f612b Mon Sep 17 00:00:00 2001
From: JJ <95413053+jtothej@users.noreply.github.com>
Date: Wed, 12 Jul 2023 18:12:42 +0800
Subject: [PATCH 045/100] Add resolve-function-by-brute-ratel-badger-hash.yml (#793)
* Add resolve-function-by-brute-ratel-badger-hash.yml
---
 ...ve-function-by-brute-ratel-badger-hash.yml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml
diff --git a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml
new file mode 100644
index 000000000..ed78e2d9c
--- /dev/null
+++ b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml
@@ -0,0 +1,38 @@
+rule:
+ meta:
+ name: resolve function by Brute Ratel Badger hash
+ namespace: linking/runtime-linking
+ authors:
+ - jakub.jozwiak@mandiant.com
+ description: Custom API hashing algorithm used in Brute Ratel Badger (version 1.3 or higher)
+ scope: function
+ att&ck:
+ - Defense Evasion::Obfuscated Files or Information::Dynamic API Resolution [T1027.007]
+ references:
+ - https://bruteratel.com/release_notes/releases.txt
+ examples:
+ - 64ce9ab801d9bef5284b408c3373dd30ba2dc6952c0950c8049be067b5f24530:0x6DB42430
+ features:
+ - or:
+ - basic block:
+ - and:
+ - mnemonic: add
+ - or:
+ - instruction:
+ - mnemonic: imul
+ - operand[2].number: 0x801
+ - and:
+ - mnemonic: mul
+ - number: 0x801
+ - instruction:
+ - mnemonic: or
+ - operand[1].number: 0x2800000
+ - basic block:
+ - and:
+ - mnemonic: add
+ - instruction:
+ - mnemonic: shl
+ - operand[1].number: 0xB
+ - instruction:
+ - mnemonic: or
+ - operand[1].number: 0x2800000
From e51b74e012d1e8541e8dc6933022628d6925c1b9 Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Wed, 12 Jul 2023 10:12:56 +0000
Subject: [PATCH 046/100] Update rules number badge
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 6f38573c2..a68904fb3 100644
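Review bot: The constants in this rule carry no `= description`, unlike the rest of the corpus, so the relationship between the two basic-block alternatives is not obvious to a reader: `0x801` is 2049 = (1 << 11) + 1, which is why the `imul`/`mul` by `0x801` in the first block and the `shl` by `0xB` plus `add` in the second block are the same arithmetic, and `0x2800000` is the value OR-ed in by both blocks. Suggest `- operand[2].number: 0x801 = (1 << 11) + 1, hash * 0x801 == (hash << 11) + hash` on the imul line (and the equivalent on `number: 0x801`), plus a short `= …` description on `0x2800000` taken from the referenced release notes rather than guessed, since its meaning is not stated on this page. A one-line comment above the second `- basic block:` saying it is the shift-and-add form of the first would make the `or:` self-explanatory.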
--- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-822-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-823-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 94ecadce03e6bce00b71626ffad5a422a7bd0812 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Thu, 13 Jul 2023 04:09:40 +0200 Subject: [PATCH 047/100] encrypt data using AES: remove nonexistant example --- nursery/encrypt-data-using-aes.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/nursery/encrypt-data-using-aes.yml b/nursery/encrypt-data-using-aes.yml index ef244f013..db463beea 100644 --- a/nursery/encrypt-data-using-aes.yml +++ b/nursery/encrypt-data-using-aes.yml @@ -15,8 +15,6 @@ rule: references: - https://github.com/JusticeRage/Manalyze/blob/8e77642c911d5d82b5f43b198667ab8c77a88763/bin/yara_rules/findcrypt.yara#L351 - https://github.com/creaktive/tsh/blob/53b822b9a07d8cc65f1f31c915cf834a2944e833/aes.c - examples: - - D6EFF9EFA6F93CDE95E7A4194C1BC6EE:0x180002F50 features: - or: - bytes: 63 7c 77 7b f2 6b 6f c5 30 01 67 2b fe d7 ab 76 = AES_SBOX_ENC From fd6cd94bee26ca2ef85a195559a0f2520066d063 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Thu, 13 Jul 2023 04:10:07 +0200 Subject: [PATCH 048/100] graduate get windows directory from kuser_shared data --- .../file-system}/get-windows-directory-from-kuser_shared_data.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {nursery => host-interaction/file-system}/get-windows-directory-from-kuser_shared_data.yml (100%) 
diff --git a/nursery/get-windows-directory-from-kuser_shared_data.yml b/host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml
similarity index 100%
rename from nursery/get-windows-directory-from-kuser_shared_data.yml
rename to host-interaction/file-system/get-windows-directory-from-kuser_shared_data.yml
From 959e77daa3c8a0939168087d119a8344cc1070f0 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin
Date: Thu, 13 Jul 2023 04:10:30 +0200
Subject: [PATCH 049/100] add comments about locations of API functions for 'patch event tracing for windows function'
---
 .../anti-av/patch-event-tracing-for-windows-function.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index c21d5aff4..8edfa3fc0 100644
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -19,8 +19,8 @@ rule:
 - match: link function at runtime on Windows
 - or:
 - api: kernel32.VirtualProtect
- - api: ntdll.NtProtectVirtualMemory
- - api: ntdll.ZwProtectVirtualMemory
+ - api: ntdll.NtProtectVirtualMemory # exported by only ntdll, not ntoskrnl
+ - api: ZwProtectVirtualMemory # exported by both ntdll and ntoskrnl
 - string: "VirtualProtect"
 - string: "NtProtectVirtualMemory"
 - string: "ZwProtectVirtualMemory"
From 601ac4795399903f09d368cc7bcba7f358a510e3 Mon Sep 17 00:00:00 2001
From: Willi Ballenthin Date: Thu, 13 Jul 2023 04:11:16 +0200 Subject: [PATCH 050/100] fix lints for WMI query rules --- ...-queries.yml => detect-vm-via-disk-hardware-wmi-queries.yml} | 2 +- ...s.yml => detect-vm-via-motherboard-hardware-wmi-queries.yml} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename anti-analysis/anti-vm/vm-detection/{detect-VM-via-disk-hardware-WMI-queries.yml => detect-vm-via-disk-hardware-wmi-queries.yml} (89%) rename anti-analysis/anti-vm/vm-detection/{detect-VM-via-motherboard-hardware-WMI-queries.yml => detect-vm-via-motherboard-hardware-wmi-queries.yml} (100%) diff --git a/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml similarity index 89% rename from anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml rename to anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml index d3e3188e8..8a7324bf3 100644 --- a/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml +++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml @@ -1,7 +1,7 @@ # generated using capa explorer for IDA Pro rule: meta: - name: detect VM via disk hardware WMI queries + name: detect VM via disk hardware WMI queries namespace: anti-analysis/anti-vm/vm-detection authors: - anders.vejlby@mandiant.com diff --git a/anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml similarity index 100% rename from anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml rename to anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml From 800186a7ce6f773707967e9fff9270a260529762 Mon Sep 17 00:00:00 2001 
From: Willi Ballenthin Date: Thu, 13 Jul 2023 04:11:32 +0200 Subject: [PATCH 051/100] un-promote covertly decode data rule --- ...and-write-data-to-windows-directory-using-indirect-calls.yml | 2 -- 1 file changed, 2 deletions(-) rename {data-manipulation/encoding/xor => nursery}/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml (91%) diff --git a/data-manipulation/encoding/xor/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml b/nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml similarity index 91% rename from data-manipulation/encoding/xor/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml rename to nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml index c3bfecdf5..03ff61292 100644 --- a/data-manipulation/encoding/xor/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml +++ b/nursery/covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml @@ -10,8 +10,6 @@ rule: mbc: - Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02] - Data::Encode Data::XOR [C0026.002] - examples: - - 9176F177BD88686C6BEB29D8BB05F20C:0x180001000 features: - and: - match: write file on Windows From 1da385ca2dd3aa43e11472304d90b0fb08679728 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Thu, 13 Jul 2023 10:29:53 +0200 Subject: [PATCH 052/100] ci: use latest python for best performance --- .github/workflows/tests.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index eeb77d7eb..8866ef93e 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
@@ -42,10 +42,11 @@ jobs:
 with:
 repository: mandiant/capa-testfiles
 path: tests/data
- - name: Set up Python 3.9
+ # use latest available python for best performance
+ - name: Set up Python 3.11
 uses: actions/setup-python@v4
 with:
- python-version: 3.9
+ python-version: 3.11
 - name: Install capa
 run: pip install -e .
 # Regular lint is fast, so do this first
From 108974275d5532099a7d03e8af9a0a7a30bec46c Mon Sep 17 00:00:00 2001
From: Moritz
Date: Fri, 14 Jul 2023 11:30:11 +0200
Subject: [PATCH 053/100] Update act-as-credential-manager-dll.yml closes #754
---
 .../authentication-process/act-as-credential-manager-dll.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/persistence/authentication-process/act-as-credential-manager-dll.yml b/persistence/authentication-process/act-as-credential-manager-dll.yml
index 55a77152e..476b650ca 100644
--- a/persistence/authentication-process/act-as-credential-manager-dll.yml
+++ b/persistence/authentication-process/act-as-credential-manager-dll.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scope: file
 att&ck:
- - Persistence::Modify Authentication Process [T1556]
+ - Persistence::Modify Authentication Process::Network Provider DLL [T1556.008]
 examples:
 - b283415c9df06f0e53b7d452d3e5c840c5bd7a6ce734a30bae4a869a57974a0e
 features:
From a8d00309c3032a3db6fb98fb02afcc9b0b96bbb9 Mon Sep 17 00:00:00 2001
From: Ronnie Salomonsen
Date: Wed, 19 Jul 2023 12:40:20 +0200
Subject: [PATCH 054/100] Add new rule for forwarded exports and update doc to with new characteristic and examples under export feature
---
 doc/format.md | 10 ++++++++--
 executable/pe/export/forwarded-export.yml | 13 +++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 executable/pe/export/forwarded-export.yml
diff --git a/doc/format.md b/doc/format.md
index d123e24e0..2b2436af4 100644
--- a/doc/format.md
+++ b/doc/format.md
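Review bot: `python-version: 3.11` is an unquoted YAML scalar, which only works because 3.11 happens to round-trip as a float; the same spelling silently turns a future 3.10-style value into 3.1, so the robust form is `python-version: "3.11"`. The accompanying comment `# use latest available python for best performance` will be wrong as soon as the next release ships; either `python-version: "3.x"` expresses "latest" directly, or the comment should say `# newest release at time of writing, bump deliberately` so a reader knows the pin is intentional.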
@@ -314,7 +314,8 @@ For example, the `characteristic: nzxor` feature describes non-zeroing XOR instr | characteristic | scope | description | |--------------------------------------|------------------------------------|-------------| | `characteristic: embedded pe` | file | (XOR encoded) embedded PE files. | -| `characteristic: mixed mode` | file | File contains both managed and unmanaged (native) code, often seen in .NET | +| `characteristic: forwarded export` | file | PE file that forward export. | +| `characteristic: mixed mode` | file | File contains both managed and unmanaged (native) code, often seen in .NET | | `characteristic: loop` | function | Function contains a loop. | | `characteristic: recursive call` | function | Function is recursive. | | `characteristic: calls from` | function | There are unique calls from this function. Best used like: `count(characteristic(calls from)): 3 or more` | @@ -328,7 +329,7 @@ For example, the `characteristic: nzxor` feature describes non-zeroing XOR instr | `characteristic: cross section flow` | instruction, basic block, function | Function contains a call/jump to a different section. This is commonly seen in unpacking stubs. | | `characteristic: indirect call` | instruction, basic block, function | Indirect call instruction; for example, `call edx` or `call qword ptr [rsp+78h]`. | | `characteristic: call $+5` | instruction, basic block, function | Call just past the current instruction. | -| `characteristic: unmanaged call` | instruction, basic block, function | Function contains a call from managed code to unmanaged (native) code, often seen in .NET | +| `characteristic: unmanaged call` | instruction, basic block, function | Function contains a call from managed code to unmanaged (native) code, often seen in .NET | ## instruction features 
@@ -604,6 +605,11 @@ Examples: export: InstallA +And for forwarded exports: + + export: "c:/windows/system32/version.GetFileVersionInfoA" + export: "vresion.GetFileVersionInfoA" + ### import The name of a routine imported from a shared library. diff --git a/executable/pe/export/forwarded-export.yml b/executable/pe/export/forwarded-export.yml new file mode 100644 index 000000000..185b5bec7 --- /dev/null +++ b/executable/pe/export/forwarded-export.yml @@ -0,0 +1,13 @@ +rule: + meta: + name: forwarded export + namespace: executable/pe/export + authors: + - ronnie.salomonsen@mandiant.com + scope: file + att&ck: + - Execution::Shared Modules [T1129] + examples: + - 76FA734236DAA023444DEC26863401DC:0x18003BD32 + features: + - characteristic: forwarded export \ No newline at end of file From 65ab87b29267487a0509c9bb01ab4eb6841a92bf Mon Sep 17 00:00:00 2001 From: Ronnie Salomonsen Date: Wed, 19 Jul 2023 14:54:12 +0200 Subject: [PATCH 055/100] Update executable/pe/export/forwarded-export.yml Co-authored-by: Willi Ballenthin --- executable/pe/export/forwarded-export.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/executable/pe/export/forwarded-export.yml b/executable/pe/export/forwarded-export.yml index 185b5bec7..1b209efbf 100644 --- a/executable/pe/export/forwarded-export.yml +++ b/executable/pe/export/forwarded-export.yml @@ -8,6 +8,6 @@ rule: att&ck: - Execution::Shared Modules [T1129] examples: - - 76FA734236DAA023444DEC26863401DC:0x18003BD32 + - 76FA734236DAA023444DEC26863401DC features: - characteristic: forwarded export \ No newline at end of file From 658b16f47d82ac26de2b03fb0da752f33df83daa Mon Sep 17 00:00:00 2001 From: Ronnie Salomonsen Date: Wed, 19 Jul 2023 14:54:25 +0200 Subject: [PATCH 056/100] Update doc/format.md Co-authored-by: Willi Ballenthin --- doc/format.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/format.md b/doc/format.md index 2b2436af4..86bf6bfad 100644 --- a/doc/format.md +++ b/doc/format.md 
@@ -605,7 +605,7 @@ Examples: export: InstallA -And for forwarded exports: +To specify a [forwarded export](https://devblogs.microsoft.com/oldnewthing/20060719-24/?p=30473) use the format `.`. Note that the path can be either implicit, relative, or absolute: export: "c:/windows/system32/version.GetFileVersionInfoA" export: "vresion.GetFileVersionInfoA" From 8b5e3217fa4e8f0ebcc50b15ab90461162e1ccd4 Mon Sep 17 00:00:00 2001 From: Ronnie Salomonsen Date: Wed, 19 Jul 2023 14:54:47 +0200 Subject: [PATCH 057/100] Update doc/format.md Co-authored-by: Willi Ballenthin --- doc/format.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/format.md b/doc/format.md index 86bf6bfad..c72ae9e54 100644 --- a/doc/format.md +++ b/doc/format.md @@ -314,7 +314,7 @@ For example, the `characteristic: nzxor` feature describes non-zeroing XOR instr | characteristic | scope | description | |--------------------------------------|------------------------------------|-------------| | `characteristic: embedded pe` | file | (XOR encoded) embedded PE files. | -| `characteristic: forwarded export` | file | PE file that forward export. | +| `characteristic: forwarded export` | file | PE file has a forwarded export. | | `characteristic: mixed mode` | file | File contains both managed and unmanaged (native) code, often seen in .NET | | `characteristic: loop` | function | Function contains a loop. | | `characteristic: recursive call` | function | Function is recursive. | From a49c174fee5058ca3617a23e782bdcadacb12406 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Wed, 19 Jul 2023 13:49:37 +0000 Subject: [PATCH 058/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a68904fb3..5254cdb0e 100644 --- a/README.md +++ b/README.md 
@@ -1,7 +1,7 @@ # capa rules
 [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22)
-[![Number of rules](https://img.shields.io/badge/rules-823-blue.svg)](rules)
+[![Number of rules](https://img.shields.io/badge/rules-824-blue.svg)](rules)
 [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)
 This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs.
From 0a6b8a5701e1074d31db54fc77009fe8cbe7e070 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Sat, 22 Jul 2023 12:29:49 +0200
Subject: [PATCH 059/100] Update self-delete.yml
---
 .../anti-forensic/self-deletion/self-delete.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
index 14cc63f3f..0b0b75f14 100644
--- a/anti-analysis/anti-forensic/self-deletion/self-delete.yml
+++ b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -4,6 +4,7 @@ rule:
 namespace: anti-analysis/anti-forensic/self-deletion
 authors:
 - michael.hunhoff@mandiant.com
+ - "@mr-tz"
 scope: function
 att&ck:
 - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
@@ -16,9 +17,12 @@ rule:
 - or:
 - match: get COMSPEC environment variable
 - string: "cmd.exe"
- - match: host-interaction/process/create
- - string: /\/c\s*del\s*/
- description: "/c del"
+ - match: host-interaction/process/create
+ - or:
+ - string: /\/c\s*del\s*/
+ description: "/c del"
+ - string: /del\s*\S/
+ description: "del \"%s\""
 - optional:
 - string: /\s*>\s*nul\s*/i
 description: "> nul"
From 36d2d14454c4d3240879644ff1a78e979d5f7663 Mon Sep 17 00:00:00 2001
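Review bot: The new alternative `- string: /del\s*\S/` is far looser than its description `del "%s"` suggests: `\s*` allows zero whitespace and there is no word boundary, so any string containing `delete`, `model` or `undelivered` satisfies it, and unlike the sibling `/\s*>\s*nul\s*/i` it is case-sensitive, so an upper-case `DEL` is missed. `- string: /\bdel\s+\S/i` (or `/\bdel\s+"/` if the quoted form is really what is meant) would match the documented command shape without those incidental substrings. The enclosing `and:` with the cmd.exe/COMSPEC and process-creation conditions narrows the false positives but does not remove them, since a string table with both `cmd.exe` and a word like `model` is common in ordinary software.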
From: Moritz
Date: Sat, 22 Jul 2023 12:43:46 +0200
Subject: [PATCH 060/100] Add empty line at EOF
---
 executable/pe/export/forwarded-export.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/executable/pe/export/forwarded-export.yml b/executable/pe/export/forwarded-export.yml
index 1b209efbf..9e7495c94 100644
--- a/executable/pe/export/forwarded-export.yml
+++ b/executable/pe/export/forwarded-export.yml
@@ -10,4 +10,4 @@ rule:
 examples:
 - 76FA734236DAA023444DEC26863401DC
 features:
- - characteristic: forwarded export
\ No newline at end of file
+ - characteristic: forwarded export
From ac07d474d2b4317932cf7d27bc4c089e348a2558 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Sat, 22 Jul 2023 12:56:57 +0200
Subject: [PATCH 061/100] Create enumerate-device-drivers-on-windows.yml
---
 .../enumerate-device-drivers-on-windows.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 nursery/enumerate-device-drivers-on-windows.yml
diff --git a/nursery/enumerate-device-drivers-on-windows.yml b/nursery/enumerate-device-drivers-on-windows.yml
new file mode 100644
index 000000000..ad159db18
--- /dev/null
+++ b/nursery/enumerate-device-drivers-on-windows.yml
@@ -0,0 +1,23 @@
+rule:
+ meta:
+ name: enumerate device drivers on Windows
+ namespace: collection
+ authors:
+ - "@mr-tz"
+ scope: function
+ att&ck:
+ - Discovery::Device Driver Discovery [T1652]
+ references:
+ - https://learn.microsoft.com/en-us/windows-hardware/drivers/install/overview-of-registry-trees-and-keys
+ features:
+ - or:
+ - api: EnumDeviceDrivers
+ - string: /driverquery(.exe)?/i
+ - and:
+ - or:
+ - match: query or enumerate registry key
+ - match: query or enumerate registry value
+ - string: /System\\(CurrentControlSet|ControlSet001)\\Services/i
+ - string: /System\\(CurrentControlSet|ControlSet001)\\Control/i
+ - string: /System\\(CurrentControlSet|ControlSet001)\\Enum/i
+ - string: /System\\(CurrentControlSet|ControlSet001)\\HardwareProfiles/i
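Review bot: The registry branch of the new rule has no `or:` grouping its four `string:` paths (`\\Services`, `\\Control`, `\\Enum`, `\\HardwareProfiles`): the hunk contains exactly one `or:` inside the `and:`, so the paths are either all required alongside the registry query, which is far too strict for a single function, or they sit in that `or:` beside the two `match:` lines, in which case a bare registry-key query satisfies the branch with no path at all. The collapsed indentation on this page hides which of the two was written, but neither expresses "registry enumeration plus at least one of these keys"; the intended shape is `- and:` / `- or:` (the two `match:` lines) / `- or:` (the four `string:` lines). Separately, `namespace: collection` next to an ATT&CK Discovery mapping reads inconsistent; confirm that is intended before the rule graduates from nursery.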
From 5b04cdaef8351121c3638dbc8e5d6fffd5b9d3a5 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Sat, 22 Jul 2023 13:11:32 +0200
Subject: [PATCH 062/100] Create enumerate-device-drivers-on-linux.yml
---
 nursery/enumerate-device-drivers-on-linux.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 nursery/enumerate-device-drivers-on-linux.yml
diff --git a/nursery/enumerate-device-drivers-on-linux.yml b/nursery/enumerate-device-drivers-on-linux.yml
new file mode 100644
index 000000000..481f5dd43
--- /dev/null
+++ b/nursery/enumerate-device-drivers-on-linux.yml
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: enumerate device drivers on Linux
+ namespace: collection
+ authors:
+ - "@mr-tz"
+ scope: function
+ att&ck:
+ - Discovery::Device Driver Discovery [T1652]
+ features:
+ - and:
+ - os: linux
+ - api: system
+ - or:
+ - substring: "lsmod"
+ - substring: "modinfo"
From dfdd5d8fc034ace8f96327f9f999e48ec1a73c5f Mon Sep 17 00:00:00 2001
From: jtothej
Date: Sat, 22 Jul 2023 19:33:09 +0800
Subject: [PATCH 063/100] Update get-os-version.yml
---
 lib/get-os-version.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/lib/get-os-version.yml b/lib/get-os-version.yml
index f6460d574..4ef45d0c1 100644
--- a/lib/get-os-version.yml
+++ b/lib/get-os-version.yml
@@ -18,3 +18,18 @@ rule:
 - api: VerSetConditionMask
 - api: RtlGetNtVersionNumbers
 - api: GetProductInfo
+ - and:
+ - match: PEB access
+ - or:
+ - and:
+ - arch: i386
+ - or:
+ - offset: 0xA4 = PEB->OSMajorVersion
+ - offset: 0xA8 = PEB->OSMinorVersion
+ - offset: 0xAC = PEB->OSBuildNumber
+ - and:
+ - arch: amd64
+ - or:
+ - offset: 0x118 = PEB->OSMajorVersion
+ - offset: 0x11C = PEB->OSMinorVersion
+ - offset: 0x120 = PEB->OSBuildNumber
From aa2da89c34929c33fb47148f7ef2f84210bdf9d2 Mon Sep 17 00:00:00 2001
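Review bot: The `offset:` features added to get-os-version.yml match any instruction in the function whose memory operand uses that displacement, whatever the base register, and `match: PEB access` is a separate function-level condition, so an unrelated structure field at `+0xA4` or `+0x118` in a function that also touches the PEB satisfies the new `and:`. If the `PEB access` lib rule is basic-block scoped, wrapping this `and:` in `- basic block:` would tie the displacement to the PEB read; if it is not, a comment such as `# offsets are not tied to the PEB register; PEB access only narrows the function` would save the next reader the same question. The `features: - or:` that encloses the new branch begins outside the hunk.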
From: sara-rn <103417144+sara-rn@users.noreply.github.com> Date: Fri, 28 Jul 2023 19:51:54 +0200 Subject: [PATCH 064/100] Update decode-data-using-base64-via-dword-translation-table.yml additional translation tables --- ...ata-using-base64-via-dword-translation-table.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml index 586185a45..ae2e4987f 100644 --- a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml +++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml @@ -4,6 +4,7 @@ rule: namespace: data-manipulation/encoding/base64 authors: - gilbert.elliot@mandiant.com + - sara.rincon@mandiant.com scope: function att&ck: - Defense Evasion::Obfuscated Files or Information [T1027] @@ -12,6 +13,7 @@ rule: - Data::Encode Data::Base64 [C0026.001] examples: - 9efa86b43b4367bcdc1591aee59bda25:0x10001000 + - 09BF850BE5DA44A1C3629A1F62813A83:0x10001100 features: - and: - mnemonic: shl 
@@ -23,5 +25,12 @@ rule: - number: 3 - number: 4 - number: 6 - - number: 0xF - - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF = hardcoded base64 translation table (first 64 of 256 dwords) + - or: + - number: 0xF + - number: 0x3D + - number: 0x40 + - or: + - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF = hardcoded base64 translation table (first 64 of 256 dwords) + - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E FF FF FF 3F 34 35 36 37 38 39 
3A 3B 3C 3D FF FF FF FF FF FF FF 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 FF FF FF FF FF FF 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 FF FF FF FF FF = hardcoded base64 translation table + - bytes: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 00 00 3F 00 00 00 3E 00 00 00 3E 00 00 00 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00 + - string: "BBBBBBBBBB@BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB>BBB?456789:;<=BBBABBB" From d57a618076fd3e4451173d2da478591a1a76ce4f Mon Sep 17 00:00:00 2001 From: sara-rn <103417144+sara-rn@users.noreply.github.com> Date: Sun, 30 Jul 2023 14:59:38 +0200 Subject: [PATCH 065/100] Update decode-data-using-base64-via-dword-translation-table.yml fixed hash --- .../decode-data-using-base64-via-dword-translation-table.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml index ae2e4987f..f53c898e2 100644 --- a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml +++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml 
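Review bot: The three new alternatives under the second `or:` are inconsistently annotated: the first two `bytes:` entries keep a `= hardcoded base64 translation table` description, but the new dword table beginning `00 00 00 00 …` and the `string: "BBBBBBBBBB@BBBB…"` carry none, and the new `number: 0x3D` and `number: 0x40` are unexplained. Suggest `- number: 0x3D = '=' padding character` and a `= …` on `0x40` stating what it denotes (64 as the alphabet size, or the `@` sentinel used in the string table below), plus a description on the last two tables naming the decoder variant they come from — the `3E … 3F … 3E … 3E … 3F` run in the dword table differs from the standard alphabet, so a reader will otherwise wonder whether it is a typo. The previously required `number: 0xF` now sits in an `or:` with the two new values; if `0xF` was load-bearing as a mask, that relaxation deserves a word in the commit message.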
@@ -13,7 +13,7 @@ rule: - Data::Encode Data::Base64 [C0026.001] examples: - 9efa86b43b4367bcdc1591aee59bda25:0x10001000 - - 09BF850BE5DA44A1C3629A1F62813A83:0x10001100 + - 09bf850be5da44a1c3629a1f62813a83:0x10001100 features: - and: - mnemonic: shl From 04c77aedce494f9f65323a603190f4171959e589 Mon Sep 17 00:00:00 2001 From: sara-rn <103417144+sara-rn@users.noreply.github.com> Date: Sun, 30 Jul 2023 15:09:13 +0200 Subject: [PATCH 066/100] Update decode-data-using-base64-via-dword-translation-table.yml --- .../decode-data-using-base64-via-dword-translation-table.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml index f53c898e2..69894dbdc 100644 --- a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml +++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml 
@@ -32,5 +32,6 @@ rule: - or: - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF = hardcoded base64 translation table (first 64 of 256 dwords) - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E FF FF FF 3F 34 35 36 37 38 39 3A 3B 3C 3D FF FF FF FF FF FF FF 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 FF FF FF FF FF FF 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 FF FF FF FF FF = hardcoded base64 translation table - - bytes: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 00 00 3F 00 00 00 3E 00 00 00 3E 00 00 00 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 
00 00 + - bytes: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 00 00 3F 00 00 00 3E 00 00 00 3E 00 00 00 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00 - string: "BBBBBBBBBB@BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB>BBB?456789:;<=BBBABBB" + From 7cc3bb46aaf804d0320501c3b817f9c17c812dd9 Mon Sep 17 00:00:00 2001 From: sara-rn <103417144+sara-rn@users.noreply.github.com> Date: Sun, 30 Jul 2023 15:22:48 +0200 Subject: [PATCH 067/100] Update decode-data-using-base64-via-dword-translation-table.yml --- .../decode-data-using-base64-via-dword-translation-table.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml index 69894dbdc..877f551c0 100644 --- a/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml +++ b/data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml 
@@ -34,4 +34,3 @@ rule: - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E FF FF FF 3F 34 35 36 37 38 39 3A 3B 3C 3D FF FF FF FF FF FF FF 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 FF FF FF FF FF FF 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 FF FF FF FF FF = hardcoded base64 translation table - bytes: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 00 00 3F 00 00 00 3E 00 00 00 3E 00 00 00 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00 - string: "BBBBBBBBBB@BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB>BBB?456789:;<=BBBABBB" - From 127330a30a51e9d3d7405b0e58edd27b9def839d Mon Sep 17 00:00:00 2001 From: jtothej Date: Tue, 1 Aug 2023 14:27:43 +0800 Subject: [PATCH 068/100] Update metadata and promote create-shortcut-via-ishelllink.yml --- {nursery => persistence}/create-shortcut-via-ishelllink.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) rename {nursery => persistence}/create-shortcut-via-ishelllink.yml (76%) diff --git a/nursery/create-shortcut-via-ishelllink.yml b/persistence/create-shortcut-via-ishelllink.yml similarity index 76% rename from nursery/create-shortcut-via-ishelllink.yml rename to persistence/create-shortcut-via-ishelllink.yml index 9589f2941..94c2cbdad 100644 --- a/nursery/create-shortcut-via-ishelllink.yml 
+++ b/persistence/create-shortcut-via-ishelllink.yml @@ -1,12 +1,16 @@ rule: meta: name: create shortcut via IShellLink - namespace: host-interaction/file-system/write + namespace: persistence authors: - matthew.williams@mandiant.com scope: function + att&ck: + - Persistence::Boot or Logon Autostart Execution::Shortcut Modification [T1547.009] references: - https://docs.microsoft.com/en-us/windows/win32/shell/links#creating-a-shortcut-and-a-folder-shortcut-to-a-file + examples: + - 7f403f7d643d90c7cbadf3ccfc68bd1badf06f89a35af5fc7811920e820bbcc9:0x10001380 features: - and: - bytes: 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 = CLSID_ShellLink From 39fa5286014cb7164bb8bbe4d4c6e6910e7e01a1 Mon Sep 17 00:00:00 2001 From: jtothej Date: Wed, 2 Aug 2023 18:21:12 +0800 Subject: [PATCH 069/100] Add get-uefi-variable.yml and set-uefi-variable.yml --- .../bootloader/get-uefi-variable.yml | 21 +++++++++++++++++++ .../bootloader/set-uefi-variable.yml | 18 ++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 host-interaction/bootloader/get-uefi-variable.yml create mode 100644 host-interaction/bootloader/set-uefi-variable.yml diff --git a/host-interaction/bootloader/get-uefi-variable.yml b/host-interaction/bootloader/get-uefi-variable.yml new file mode 100644 index 000000000..24eed7cdd --- /dev/null +++ b/host-interaction/bootloader/get-uefi-variable.yml 
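Review bot: The rule moves to `namespace: persistence` and gains the T1547.009 (Shortcut Modification) mapping, but the only feature visible at the end of the hunk is the `CLSID_ShellLink` byte pattern, which shows that a shortcut is created via IShellLink, not that it is written to a Startup folder or other autostart location; the remainder of `features:` is outside the hunk, so I cannot see whether a path constraint exists. If it does not, the persistence mapping over-claims and the rule should either require an autostart path string alongside the CLSID or explain the mapping, e.g. `description: Creates a .lnk shortcut via the IShellLink COM interface; shortcuts in autostart locations are a persistence mechanism.` A `description:` is also missing for a rule promoted out of the nursery.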
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: get UEFI variable
+ namespace: host-interaction/bootloader
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scope: function
+ att&ck:
+ - Persistence::Pre-OS Boot::System Firmware [T1542.001]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/sysinfo/access-uefi-firmware-variables-from-a-universal-windows-app
+ examples:
+ - b761e060c7114448d6a5fe276d4ca882c4bd702c12c4d73f6ad79b8dfac33448:0x14000138F
+ features:
+ - or:
+ - api: ntdll.NtEnumerateSystemEnvironmentValuesEx
+ - api: ntdll.NtQuerySystemEnvironmentValueEx
+ - api: ntdll.NtQuerySystemEnvironmentValue
+ - api: kernel32.GetFirmwareEnvironmentVariable
+ - api: kernel32.GetFirmwareEnvironmentVariableEx
+ - api: ntoskrnl.ExGetFirmwareEnvironmentVariable
diff --git a/host-interaction/bootloader/set-uefi-variable.yml b/host-interaction/bootloader/set-uefi-variable.yml
new file mode 100644
index 000000000..d4c669423
--- /dev/null
+++ b/host-interaction/bootloader/set-uefi-variable.yml
@@ -0,0 +1,18 @@
+rule:
+ meta:
+ name: set UEFI variable
+ namespace: host-interaction/bootloader
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scope: function
+ att&ck:
+ - Persistence::Pre-OS Boot::System Firmware [T1542.001]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/sysinfo/access-uefi-firmware-variables-from-a-universal-windows-app
+ examples:
+ - b761e060c7114448d6a5fe276d4ca882c4bd702c12c4d73f6ad79b8dfac33448:0x1400013DA
+ features:
+ - or:
+ - api: ntoskrn.ExSetFirmwareEnvironmentVariable
+ - api: kernel32.SetFirmwareEnvironmentVariable
+ - api: kernel32.SetFirmwareEnvironmentVariableEx
From bd14f146d3a52e2c3377e93ee4aed810a3bb892e Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Wed, 2 Aug 2023 11:03:37 +0000 Subject: [PATCH 070/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5254cdb0e..0d82b8f77 100644
--- a/README.md
+++ b/README.md
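Review bot: `api: ntoskrn.ExSetFirmwareEnvironmentVariable` in set-uefi-variable.yml drops the trailing `l` of the module name; the sibling get-uefi-variable.yml in the same commit spells it `ntoskrnl.ExGetFirmwareEnvironmentVariable`, so this entry will never match a kernel-mode caller. Change it to `- api: ntoskrnl.ExSetFirmwareEnvironmentVariable`. Both rules map to the persistence technique T1542.001, although reading a firmware variable (the get rule) is closer to discovery than persistence; a `description:` stating why the mapping was chosen, or a discovery mapping for the get rule, would make that reviewable — verify against the referenced sample.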
@@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-824-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-826-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 7685a232d94acbe7e69addb8bd89d752c9fa27a2 Mon Sep 17 00:00:00 2001 From: Willi Ballenthin Date: Wed, 2 Aug 2023 14:41:35 +0200 Subject: [PATCH 071/100] forwarded export: fmt --- executable/pe/export/forwarded-export.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/executable/pe/export/forwarded-export.yml b/executable/pe/export/forwarded-export.yml index 1b209efbf..9e7495c94 100644 --- a/executable/pe/export/forwarded-export.yml +++ b/executable/pe/export/forwarded-export.yml @@ -10,4 +10,4 @@ rule: examples: - 76FA734236DAA023444DEC26863401DC features: - - characteristic: forwarded export \ No newline at end of file + - characteristic: forwarded export From 9823ed9f3dc2465351b152e07138628f63f2d2a6 Mon Sep 17 00:00:00 2001 From: jtothej Date: Thu, 3 Aug 2023 16:22:39 +0800 Subject: [PATCH 072/100] Add capture-packets-using-sharppcap.yml --- .../network/capture-packets-using-sharppcap.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 collection/network/capture-packets-using-sharppcap.yml diff --git a/collection/network/capture-packets-using-sharppcap.yml b/collection/network/capture-packets-using-sharppcap.yml new file mode 100644 index 000000000..853016008 --- /dev/null +++ b/collection/network/capture-packets-using-sharppcap.yml 
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: capture packets using SharpPcap
+ namespace: collection/network
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scope: function
+ att&ck:
+ - Discovery::Network Sniffing [T1040]
+ references:
+ - https://github.com/dotpcap/sharppcap
+ examples:
+ - aefae71bca4bbaa2c013ddf040d797628c8d3da7346108c12735239a86fdfa71:0x6000038
+ features:
+ - and:
+ - format: dotnet
+ - api: SharpPcap.LibPcap.PcapDevice::add_OnPacketArrival
From 322d5f031b8ba61f187e8a14f305a9c51d857586 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Mon, 7 Aug 2023 13:31:11 +0000 Subject: [PATCH 073/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 0d82b8f77..e6bfa2daf 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-826-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-828-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs.
From 4f3b994a85dc4223e8755d59eccfe97c62901bd9 Mon Sep 17 00:00:00 2001 From: Ervin Ocampo <130457949+ejfocampo@users.noreply.github.com> Date: Fri, 11 Aug 2023 15:07:22 +0800 Subject: [PATCH 074/100] Add foreground window check.yml (#812) * Add rule --- .../check-for-foreground-window-switch.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
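Review bot: The rule keys on a single event-handler registration, `SharpPcap.LibPcap.PcapDevice::add_OnPacketArrival`, and has no `description:`, so nothing explains why subscribing to this event is taken as packet capture or why the device open/start-capture members were not also required. Add a line such as `description: Registers a handler for SharpPcap's OnPacketArrival event, which delivers every packet captured from a libpcap device.` If the example function also invokes the device's capture-start method, requiring it under the `and:` would narrow the match to code that actually starts sniffing rather than merely wiring a handler.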
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml b/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
new file mode 100644
index 000000000..fa2530362
--- /dev/null
+++ b/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
@@ -0,0 +1,23 @@
+rule:
+ meta:
+ name: check for foreground window switch
+ namespace: anti-analysis/anti-vm/vm-detection
+ authors:
+ - ervin.ocampo@mandiant.com
+ description: Detect usage of GetForegroundWindow and Sleep APIs to check if there is any foreground window switch. Typically, sandboxes do not switch the foreground window like a user would in a normal environment.
+ scope: function
+ att&ck:
+ - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
+ references:
+ - https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
+ - https://unprotect.it/technique/getforegroundwindow/
+ examples:
+ - 2855ba06b90e7c64d9bce888e47baf6d:0x4112A3
+ features:
+ - and:
+ - count(api(GetForegroundWindow)): 2 or more
+ - api: Sleep
+ - mnemonic: cmp
+ - or:
+ - characteristic: loop
+ - characteristic: tight loop
From 25cc6a2d5058625a02d94cb8e00b41bcb384057a Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Fri, 11 Aug 2023 07:07:35 +0000 Subject: [PATCH 075/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e6bfa2daf..f527a0f6a 100644
--- a/README.md
+++ b/README.md
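Review bot: `mnemonic: cmp` under the `and:` adds no selectivity: any function that satisfies the `loop`/`tight loop` characteristic required right below it will contain a compare, so the term reads as a leftover from an earlier draft. Either drop it or state what comparison the detection actually depends on, e.g. `- mnemonic: cmp # window handle from the first GetForegroundWindow compared with the second` if that is what the example at 0x4112A3 does — I cannot confirm that from the hunk. The `count(api(GetForegroundWindow)): 2 or more` plus `api: Sleep` pair is the real signal and is fine; note that benign UI code polling the foreground window will also match, which the description could acknowledge.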
@@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-828-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-829-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 64d3a359d3a73e0d84af72fe39f7237d65916cf4 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Sat, 19 Aug 2023 11:27:55 +0200 Subject: [PATCH 076/100] fix example function address --- host-interaction/process/inject/free-user-process-memory.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/host-interaction/process/inject/free-user-process-memory.yml b/host-interaction/process/inject/free-user-process-memory.yml index 8b0baec70..eb5ec915f 100644 --- a/host-interaction/process/inject/free-user-process-memory.yml +++ b/host-interaction/process/inject/free-user-process-memory.yml @@ -10,7 +10,7 @@ rule: mbc: - Memory::Free Memory [C0044] examples: - - 493167E85E45363D09495D0841C30648:0x404B00 + - 493167E85E45363D09495D0841C30648:0x404CA0 features: - and: - match: attach user process memory From f73a8bca127641db5c93973050d640c44c785a18 Mon Sep 17 00:00:00 2001 From: Moritz Date: Sat, 19 Aug 2023 11:34:03 +0200 Subject: [PATCH 077/100] Update .NET JSON detections (#813) * Update .NET JSON detections --- nursery/deserialize-json-in-dotnet.yml | 3 +++ nursery/serialize-json-in-dotnet.yml | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/nursery/deserialize-json-in-dotnet.yml b/nursery/deserialize-json-in-dotnet.yml index 9f5eb20a4..e9f458988 100644 --- a/nursery/deserialize-json-in-dotnet.yml +++ b/nursery/deserialize-json-in-dotnet.yml 
@@ -9,3 +9,6 @@ rule: - or: - api: System.Web.Script.Serialization.JavaScriptSerializer::Deserialize - api: System.Web.Script.Serialization.JavaScriptSerializer::DeserializeObject + - api: System.Text.Json.JsonSerializer::Deserialize + - api: System.Text.Json.JsonSerializer::DeserializeAsync + - api: System.Text.Json.JsonSerializer::DeserializeAsyncEnumerable diff --git a/nursery/serialize-json-in-dotnet.yml b/nursery/serialize-json-in-dotnet.yml index 4ed7a7df3..b23f85ed1 100644 --- a/nursery/serialize-json-in-dotnet.yml +++ b/nursery/serialize-json-in-dotnet.yml @@ -8,3 +8,9 @@ rule: features: - or: - api: System.Web.Script.Serialization.JavaScriptSerializer::Serialize + - api: System.Text.Json.JsonSerializer::Serialize + - api: System.Text.Json.JsonSerializer::SerializeAsync + - api: System.Text.Json.JsonSerializer::SerializeToDocument + - api: System.Text.Json.JsonSerializer::SerializeToElement + - api: System.Text.Json.JsonSerializer::SerializeToNode + - api: System.Text.Json.JsonSerializer::SerializeToUtf8Bytes From 037ca83cb393155796e5f2a5914fe3600c78b85e Mon Sep 17 00:00:00 2001 From: Still / Azaka Date: Sat, 19 Aug 2023 17:36:10 +0800 Subject: [PATCH 078/100] Improve browser stealer & add SQLite lib detection (#757) * Improve regex for existing browser data gathering detection - Fix erroneous regex capture + Add detections for cookies gathering + Add generic browser detection (some webkit browser for some reason uses the same chromium-based paths?) Signed-off-by: Still Hsu * Add rudimentary sqlite db libs detection - Typically used along with browser data collection Signed-off-by: Still Hsu --------- 
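Review bot: The new `System.Text.Json.JsonSerializer::…` entries in both hunks (deserialize-json-in-dotnet.yml and serialize-json-in-dotnet.yml) extend the rules without any change to `examples:`; the diffstat shows insertions only, all of them `api:` lines, so no sample in the rule tests exercises the new names. Add a .NET sample that calls one of the new methods, or record in a comment which sample they were verified against. The method names themselves look correct, but confirm that capa's dotnet feature extractor reports these generic methods without a type-argument suffix, which the diff does not show.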
Signed-off-by: Still Hsu --- ...chrome-based-browser-login-information.yml | 29 +++++++++++-------- .../gather-firefox-profile-information.yml | 4 ++- .../sqlite3/linked-against-cppsqlite3.yml | 13 +++++++++ .../static/sqlite3/linked-against-sqlite3.yml | 20 +++++++++++++ 4 files changed, 53 insertions(+), 13 deletions(-) create mode 100644 linking/static/sqlite3/linked-against-cppsqlite3.yml create mode 100644 linking/static/sqlite3/linked-against-sqlite3.yml diff --git a/collection/browser/gather-chrome-based-browser-login-information.yml b/collection/browser/gather-chrome-based-browser-login-information.yml index eb33bdf06..a2020985b 100644 --- a/collection/browser/gather-chrome-based-browser-login-information.yml +++ b/collection/browser/gather-chrome-based-browser-login-information.yml 
@@ -4,24 +4,29 @@ rule: namespace: collection/browser authors: - "@_re_fox" - scope: function + - still@teamt5.org + scope: file att&ck: - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003] examples: - 2fd45662e3d0ec0077ea2fa66b6378f0:0x6000039 + - 54390bda109aab7fc006b8b4ead5b6c2:0x1006E8D3 features: - and: - or: - - string: /\\(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\User Data\\Default\\Login Data/ - - string: /\\Opera Software\\Opera Stable\\Login Data/ + - string: /\\+(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\+User Data\\+Default(\\+Network)?\\+(Cookies|Login Data)/i + - string: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/i - or: - - string: /SELECT [(date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value)\s+,]+ FROM logins/i + - string: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i + - string: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i - 2 or more: - - string: /date_created/i - - string: /username_element/i - - string: /username_value/i - - string: /password_element/i - - string: /origin_url/i - - string: /signon_realm/i - - string: /action_url/i - - string: /password_value/i + - substring: "date_created" + - substring: "encrypted_value" + - substring: "creation_utc" + - substring: "username_element" + - substring: "username_value" + - substring: "password_element" + - substring: "origin_url" + - substring: "signon_realm" + - substring: "action_url" + - substring: "password_value" diff --git a/collection/browser/gather-firefox-profile-information.yml b/collection/browser/gather-firefox-profile-information.yml index 8b74721b0..6e268da2b 100644 --- a/collection/browser/gather-firefox-profile-information.yml 
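Review bot: `scope:` changes from `function` to `file`, yet both `examples:` entries keep a function-address suffix (`:0x6000039`, `:0x1006E8D3`); for a file-scoped rule the examples should be the bare hashes, otherwise the address carries no meaning for the test harness. The rewritten query regex `/SELECT ((date_created|…),?\s?)+ FROM logins/i` allows at most one whitespace character after each comma and a single literal space before `FROM`, so `SELECT a,  b FROM logins` or `SELECT a ,b FROM logins` will not match; `,?\s*` inside the group and `\s+FROM` would be more robust, and the same applies to the new `FROM cookies` regex. The repaired path regex using `\\+` and the switch from `/…/i` strings to `substring:` look fine.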
+++ b/collection/browser/gather-firefox-profile-information.yml @@ -4,16 +4,18 @@ rule: namespace: collection/browser authors: - "@_re_fox" + - still@teamt5.org scope: function att&ck: - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003] examples: - 7204e3efc2434012e13ca939db0d0b02:0x4073c0 + - 54390bda109aab7fc006b8b4ead5b6c2:0x1006e58b features: - and: - 2 or more: - string: /\\Mozilla\\Firefox\\profiles(\.ini)?/i - - string: /\\signons\.sqlite/i + - string: /\\(signons|cookies)\.sqlite/i - string: /SELECT\s+[a-z,\s]{5,}FROM moz_(logins|cookies)/i - string: /FROM moz_(logins|cookies)/i - substring: "WHERE moz_cookies.host LIKE" diff --git a/linking/static/sqlite3/linked-against-cppsqlite3.yml b/linking/static/sqlite3/linked-against-cppsqlite3.yml new file mode 100644 index 000000000..43d3c5f6d --- /dev/null +++ b/linking/static/sqlite3/linked-against-cppsqlite3.yml @@ -0,0 +1,13 @@ +rule: + meta: + name: linked against CppSQLite3 + namespace: linking/static/sqlite3 + authors: + - still@teamt5.org + scope: file + examples: + - 253309d8b3675d3cc61d4bf23aa15d4b + features: + - and: + - substring: "CppSQLite3DB" + - substring: "CppSQLite3Query" diff --git a/linking/static/sqlite3/linked-against-sqlite3.yml b/linking/static/sqlite3/linked-against-sqlite3.yml new file mode 100644 index 000000000..ee20789b4 --- /dev/null +++ b/linking/static/sqlite3/linked-against-sqlite3.yml @@ -0,0 +1,20 @@ +rule: + meta: + name: linked against sqlite3 + namespace: linking/static/sqlite3 + authors: + - still@teamt5.org + scope: file + examples: + - 253309d8b3675d3cc61d4bf23aa15d4b + features: + - or: + - 3 or more: + - string: "database corruption" + - string: "SQLITE_OK" + - string: "SQLite format 3" + - string: "sqlite3_extension_init" + - substring: "cannot INSERT into generated column" + - substring: "UPSERT not implemented for virtual table" + - substring: "sqlite3_get_table()" + - substring: "qualified table names are not allowed on" 
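Review bot: In linked-against-sqlite3.yml, `string: "SQLite format 3"` is the on-disk database header magic rather than a library-only string, so programs that merely sniff or validate .sqlite files (including stealers that open a browser profile without linking sqlite3) contribute it toward the `3 or more` threshold; the collapsed indentation in the hunk also leaves it unclear whether the four `substring:` error messages sit under `3 or more` or directly under `or:`, and in the latter case one message such as `sqlite3_get_table()` alone matches. A `description:` saying that the strings are diagnostic messages embedded by the sqlite3 amalgamation, plus a `references:` entry to the sqlite3 source, would document the intent and let reviewers re-verify the strings. The linked-against-cppsqlite3.yml hunk has the same missing description.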
From d61f70b462ca763152c4b56f34ed64759ceb3501 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Sat, 19 Aug 2023 09:36:20 +0000 Subject: [PATCH 079/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f527a0f6a..27ec9e363 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-829-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-831-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs.
From 7c2ac2d05cbda173e71e036f224a1a27770047b7 Mon Sep 17 00:00:00 2001 From: mr-tz Date: Sun, 27 Aug 2023 19:55:41 +0200 Subject: [PATCH 080/100] add rule --- nursery/send-sms-on-android.yml | 24 ++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 nursery/send-sms-on-android.yml
diff --git a/nursery/send-sms-on-android.yml b/nursery/send-sms-on-android.yml
new file mode 100644
index 000000000..825432752
--- /dev/null
+++ b/nursery/send-sms-on-android.yml
@@ -0,0 +1,24 @@
+rule:
+ meta:
+ name: send SMS on Android
+ namespace: communication/sms
+ authors:
+ - "@mr-tz"
+ scope: function
+ # att&ck:
+ # - Mobile::SMS Control [T1582]
+ features:
+ - and:
+ - os: android
+ # ... = (*env)->FindClass(env, "android/telephony/SmsManager");
+ - string: "android/telephony/SmsManager"
+ - optional:
+ - or:
+ - and:
+ - arch: i386
+ - offset: 0x30 = (*env)->FindClass
+ - and:
+ - arch: amd64
+ - offset: 0x1C = (*env)->FindClass
+ # ... = (*env)->GetMethodID(env, ..., "sendTextMessage" ...);
+ - string: "sendTextMessage"
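Review bot: The JNI offsets in send-sms-on-android.yml look swapped or wrong: `FindClass` is slot 6 of `JNINativeInterface` (four reserved pointers, `GetVersion`, `DefineClass`, then `FindClass`), which places it at 0x18 on a 32-bit ABI and 0x30 on a 64-bit ABI, whereas the hunk pairs `arch: i386` with `offset: 0x30` and `arch: amd64` with `offset: 0x1C`. Verify against the sample the rule was written from and, if it agrees, correct to `- arch: i386` / `- offset: 0x18 = (*env)->FindClass` and `- arch: amd64` / `- offset: 0x30 = (*env)->FindClass`. The rule ships with no `examples:` block, so the offsets are not validated by the rule tests, and the commented-out `att&ck:` mapping should be either enabled or removed before the rule leaves the nursery.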
From eba332e702d88927b5816770a9853dd0b3fbc47a Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Tue, 5 Sep 2023 13:01:50 +0000 Subject: [PATCH 081/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 27ec9e363..f68828197 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-831-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-832-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From f971df9ab2a18c95b78a263b4138756a8e132d2a Mon Sep 17 00:00:00 2001 From: Moritz Date: Sat, 9 Sep 2023 19:22:13 +0200 Subject: [PATCH 082/100] Update allocate-memory.yml --- lib/allocate-memory.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/allocate-memory.yml b/lib/allocate-memory.yml index e1840dd54..60ab97f50 100644 --- a/lib/allocate-memory.yml +++ b/lib/allocate-memory.yml @@ -22,3 +22,5 @@ rule: - api: ZwAllocateVirtualMemory - api: NtMapViewOfSection - api: ZwMapViewOfSection + - api: NtProtectVirtualMemory + - api: ZwProtectVirtualMemory From 6fbf5187e50fd20253ecf417163af98c95427e77 Mon Sep 17 00:00:00 2001 
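Review bot: `NtProtectVirtualMemory` and `ZwProtectVirtualMemory` change the protection of pages that already exist and allocate nothing, so adding them to the `lib/allocate-memory` rule makes every rule that uses `match: allocate memory` fire on a protection change alone and erases the distinction between allocating memory and making it executable that injection rules rely on. Keep them out of this rule; if a library rule for protection changes is wanted, place them in a separate rule (alongside the existing change-memory-protection logic, if that rule already covers the Nt/Zw variants) that callers reference explicitly. The enclosing `or:` starts outside the hunk.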
From: ryan Date: Wed, 27 Sep 2023 10:48:00 -0400 Subject: [PATCH 083/100] Update Mappings for MBC (part 11) --- .../anti-vm/vm-detection/check-for-foreground-window-switch.yml | 2 ++ .../vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml | 2 ++ .../detect-vm-via-motherboard-hardware-wmi-queries.yml | 2 ++ .../file-system/create-virtual-file-system-in-dotnet.yml | 2 ++ .../memory/create-new-application-domain-in-dotnet.yml | 2 ++ .../resolve-function-by-brute-ratel-badger-hash.yml | 2 ++ 6 files changed, 12 insertions(+) diff --git a/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml b/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml index fa2530362..412bc98e2 100644 --- a/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml +++ b/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml @@ -8,6 +8,8 @@ rule: scope: function att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002] + mbc: + - Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012] references: - https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html - https://unprotect.it/technique/getforegroundwindow/ diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml index 8a7324bf3..e19528ffe 100644 --- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml +++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml @@ -8,6 +8,8 @@ rule: scope: function att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] + mbc: + - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023] examples: - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0 features: 
diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml index 08374416e..56c830688 100644 --- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml +++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml @@ -8,6 +8,8 @@ rule: scope: function att&ck: - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] + mbc: + - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023] examples: - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0 features: diff --git a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml index fbb2e72f9..79474ebb8 100644 --- a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml +++ b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml @@ -7,6 +7,8 @@ rule: scope: function att&ck: - Defense Evasion::Hide Artifacts::Hidden File System [T1564.005] + mbc: + - Defense Evasion::Hidden Files and Directories [F0005] references: - https://learn.microsoft.com/en-us/dotnet/api/system.web.hosting.virtualpathprovider?view=netframework-4.8.1 examples: diff --git a/host-interaction/memory/create-new-application-domain-in-dotnet.yml b/host-interaction/memory/create-new-application-domain-in-dotnet.yml index 0bd7dabee..8626dfdab 100644 --- a/host-interaction/memory/create-new-application-domain-in-dotnet.yml +++ b/host-interaction/memory/create-new-application-domain-in-dotnet.yml 
@@ -7,6 +7,8 @@ rule: scope: file att&ck: - Persistence::Hijack Execution Flow [T1574] + mbc: + - Persistence::Hijack Execution Flow [F0015] references: - https://learn.microsoft.com/en-us/dotnet/framework/app-domains/application-domains - https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/ diff --git a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml index ed78e2d9c..f7a79c99c 100644 --- a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml +++ b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml @@ -8,6 +8,8 @@ rule: scope: function att&ck: - Defense Evasion::Obfuscated Files or Information::Dynamic API Resolution [T1027.007] + mbc: + - Defense Evasion::Obfuscated Files or Information [E1027] references: - https://bruteratel.com/release_notes/releases.txt examples: From b33f95c9ca7caa72aeec9d85211253307403e754 Mon Sep 17 00:00:00 2001 From: johnk3r Date: Fri, 6 Oct 2023 12:19:47 -0300 Subject: [PATCH 084/100] set state tcp connection (#829) * Add rule --------- Co-authored-by: Willi Ballenthin --- .../connectivity/set-tcp-connection-state.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 host-interaction/network/connectivity/set-tcp-connection-state.yml diff --git a/host-interaction/network/connectivity/set-tcp-connection-state.yml b/host-interaction/network/connectivity/set-tcp-connection-state.yml new file mode 100644 index 000000000..4c8d87a49 --- /dev/null +++ b/host-interaction/network/connectivity/set-tcp-connection-state.yml 
@@ -0,0 +1,19 @@ +rule: + meta: + name: set TCP connection state + namespace: host-interaction/network/connectivity + authors: + - "@johnk3r" + description: The SetTcpEntry function sets the state of a TCP connection. + scope: function + att&ck: + - Defense Evasion::Impair Defenses [T1562] + references: + - https://unit42.paloaltonetworks.com/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website + - https://github.com/magisterquis/EDRSniper/blob/master/edrsniper.c + examples: + - 883bf161937f8dc6e766b07000110254:0x403150 + features: + - and: + - api: iphlpapi.SetTcpEntry + - number: 12 = MIB_TCP_STATE_DELETE_TCB From e0a4ef2163abca774786ea0818cb1bae0220f4c8 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Fri, 6 Oct 2023 15:20:00 +0000 Subject: [PATCH 085/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f68828197..d9043b610 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-832-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-833-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 216b30ace8d96aec09627298d82024466dfffa2a Mon Sep 17 00:00:00 2001 From: Moritz Date: Mon, 9 Oct 2023 18:01:04 +0200 Subject: [PATCH 086/100] Create capture-process-snapshot.yml (#833) * Create capture-process-snapshot.yml --- nursery/capture-process-snapshot-data.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 nursery/capture-process-snapshot-data.yml 
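Review bot: The `and` of `api: iphlpapi.SetTcpEntry` with `number: 12 = MIB_TCP_STATE_DELETE_TCB` at `scope: function` lets any unrelated literal 12 in the same function satisfy the second term, so the rule is only a small step above matching the API alone. Tying the constant to the call with `scope: basic block`, or by wrapping the two features in a `- basic block:` sub-scope as other rules in this series do, would make the pairing meaningful. The description `The SetTcpEntry function sets the state of a TCP connection.` restates the API documentation rather than the behaviour the features actually detect; since the rule only fires on DELETE_TCB, something like `description: forcibly tears down an established TCP connection by setting its MIB state to DELETE_TCB, e.g. to sever a security product's network sessions` would also justify the Impair Defenses mapping. The rule name `set TCP connection state` undersells the same point and could be narrowed to match.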
diff --git a/nursery/capture-process-snapshot-data.yml b/nursery/capture-process-snapshot-data.yml new file mode 100644 index 000000000..526aa1096 --- /dev/null +++ b/nursery/capture-process-snapshot-data.yml @@ -0,0 +1,12 @@ +rule: + meta: + name: capture process snapshot data + namespace: host-interaction/process/dump + authors: + - "@mr-tz" + scope: function + features: + - or: + - api: PssCaptureSnapshot + - api: PssQuerySnapshot + - api: PssWalkSnapshot From ff0f440ae6fd588a3517061dd813133e657e8093 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Mon, 9 Oct 2023 16:01:22 +0000 Subject: [PATCH 087/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d9043b610..1bad7125a 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-833-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-834-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From a1e83cf1476199653650e1ca38f14bcce5aeb2c6 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Mon, 9 Oct 2023 16:22:09 +0000 Subject: [PATCH 088/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1bad7125a..1c4fbb6a6 100644 --- a/README.md +++ b/README.md 
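Review bot: The new rule has no `description`, `att&ck` or `mbc` entry, even though the metadata-only hunks earlier in this series (L72–L73) are adding exactly those mappings to existing rules; a nursery rule is easier to promote later if it carries them from the start. `PssQuerySnapshot` and `PssWalkSnapshot` read an already captured snapshot rather than capture one, so the name `capture process snapshot data` overstates two of the three `or` branches; a `description:` stating that the Pss* family is used to clone and then read another process's memory (presumably the reason for the `host-interaction/process/dump` namespace) would make the intent explicit. If the sample that motivated the rule was dumping credential material via a snapshot, `Credential Access::OS Credential Dumping::LSASS Memory [T1003.001]` looks like the matching ATT&CK entry — confirm against the sample before adding it.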
@@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-834-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-835-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 2a37df98f5b5e2f7d4555874546a5582c07e1ffd Mon Sep 17 00:00:00 2001 
From: Mike Hunhoff Date: Mon, 9 Oct 2023 10:27:33 -0600 Subject: [PATCH 089/100] adding new rules based on private Linux sample(s) (#821) * adding new rules based on private Linux sample(s) --------- Co-authored-by: Moritz --- .../socket/receive/receive-data-on-socket.yml | 1 + .../file-system/create/create-directory.yml | 1 + .../file-system/delete/delete-directory.yml | 1 + .../file-system/meta/get-file-attributes.yml | 4 ++++ .../file-system/meta/set-file-attributes.yml | 2 ++ .../process/terminate/terminate-process.yml | 2 ++ .../session}/get-current-user-on-linux.yml | 7 +++---- .../thread/terminate/terminate-thread.yml | 1 + ...-kernel-module-via-netlink-socket-on-linux.yml | 13 +++++++++++++ nursery/get-current-pid-on-linux.yml | 13 +++++++++++++ nursery/get-file-system-information-on-linux.yml | 13 +++++++++++++ nursery/get-password-database-entry-on-linux.yml | 15 +++++++++++++++ nursery/get-system-information-on-linux.yml | 2 ++ nursery/mark-thread-detached-on-linux.yml | 11 +++++++++++ nursery/persist-via-gnome-autostart-on-linux.yml | 12 ++++++++++++ nursery/set-current-directory.yml | 2 ++ nursery/set-thread-name-on-linux.yml | 15 +++++++++++++++ 17 files changed, 111 insertions(+), 4 deletions(-) rename {collection => host-interaction/session}/get-current-user-on-linux.yml (79%) create mode 100644 nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml create mode 100644 nursery/get-current-pid-on-linux.yml create mode 100644 nursery/get-file-system-information-on-linux.yml create mode 100644 nursery/get-password-database-entry-on-linux.yml create mode 100644 nursery/mark-thread-detached-on-linux.yml create mode 100644 nursery/persist-via-gnome-autostart-on-linux.yml create mode 100644 nursery/set-thread-name-on-linux.yml diff --git a/communication/socket/receive/receive-data-on-socket.yml b/communication/socket/receive/receive-data-on-socket.yml index f6ee1e209..556df036a 100644 
--- a/communication/socket/receive/receive-data-on-socket.yml +++ b/communication/socket/receive/receive-data-on-socket.yml @@ -33,3 +33,4 @@ rule: - api: System.Net.Sockets.Socket::EndReceive - api: System.Net.Sockets.Socket::EndReceiveFrom - api: System.Net.Sockets.Socket::EndReceiveMessageFrom + - api: recvmsg diff --git a/host-interaction/file-system/create/create-directory.yml b/host-interaction/file-system/create/create-directory.yml index 92911501a..d43de4d33 100644 --- a/host-interaction/file-system/create/create-directory.yml +++ b/host-interaction/file-system/create/create-directory.yml @@ -20,6 +20,7 @@ rule: - api: ZwCreateDirectoryObject - api: SHCreateDirectory - api: SHCreateDirectoryEx + - api: mkdir - api: _mkdir - api: _wmkdir - api: System.IO.Directory::CreateDirectory diff --git a/host-interaction/file-system/delete/delete-directory.yml b/host-interaction/file-system/delete/delete-directory.yml index e843d3174..41edc033e 100644 --- a/host-interaction/file-system/delete/delete-directory.yml +++ b/host-interaction/file-system/delete/delete-directory.yml @@ -15,6 +15,7 @@ rule: - or: - api: RemoveDirectory - api: RemoveDirectoryTransacted + - api: rmdir - api: _rmdir - api: _wrmdir - api: System.IO.DirectoryInfo::Delete diff --git a/host-interaction/file-system/meta/get-file-attributes.yml b/host-interaction/file-system/meta/get-file-attributes.yml index 67fdf5e06..a1b929a1e 100644 --- a/host-interaction/file-system/meta/get-file-attributes.yml +++ b/host-interaction/file-system/meta/get-file-attributes.yml @@ -27,3 +27,7 @@ rule: - api: System.IO.File::GetLastWriteTime - api: System.IO.File::GetLastWriteTimeUtc - property/read: System.IO.FileSystemInfo::Attributes + - api: stat + - api: fstat + - api: lstat + - api: fstatat diff --git a/host-interaction/file-system/meta/set-file-attributes.yml b/host-interaction/file-system/meta/set-file-attributes.yml index 1475caf48..53ea96eed 100644 
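Review bot: Adding `api: stat`, `fstat`, `lstat` and `fstatat` to get-file-attributes — and, in the terminate-process hunk on the next line, `api: exit` and `api: Exit` — extends rules whose other branches are Windows or .NET APIs with libc calls that most Linux binaries (and many MinGW builds) make, so on such samples these rules will now match almost unconditionally. Neither addition is gated by `os: linux` the way the new nursery rules in this same commit are; the `or` these items join starts outside the hunk, so the gate would need the new entries wrapped as `- and:` / `- os: linux` / `- or:` with the `api:` lines beneath. If broad coverage is the intent, a `description:` line saying so would save the next reader from filing the matches as false positives.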
--- a/host-interaction/file-system/meta/set-file-attributes.yml +++ b/host-interaction/file-system/meta/set-file-attributes.yml @@ -27,3 +27,5 @@ rule: - api: System.IO.File::SetLastWriteTime - api: System.IO.File::SetLastWriteTimeUtc - property/write: System.IO.FileSystemInfo::Attributes + - api: utime + - api: utimes diff --git a/host-interaction/process/terminate/terminate-process.yml b/host-interaction/process/terminate/terminate-process.yml index dc3d391f6..6d80122fe 100644 --- a/host-interaction/process/terminate/terminate-process.yml +++ b/host-interaction/process/terminate/terminate-process.yml @@ -19,6 +19,8 @@ rule: - api: System.Diagnostics.Process::WaitForExitAsync - api: System.Environment::Exit - api: System.Windows.Forms.Application::Exit + - api: exit + - api: Exit - and: - optional: - match: open process diff --git a/collection/get-current-user-on-linux.yml b/host-interaction/session/get-current-user-on-linux.yml similarity index 79% rename from collection/get-current-user-on-linux.yml rename to host-interaction/session/get-current-user-on-linux.yml index bae1449ad..06a668dbd 100644 --- a/collection/get-current-user-on-linux.yml +++ b/host-interaction/session/get-current-user-on-linux.yml @@ -1,7 +1,7 @@ rule: meta: name: get current user on Linux - namespace: collection + namespace: host-interaction/session authors: - joakim@intezer.com scope: function @@ -13,9 +13,8 @@ rule: - and: - os: linux - or: - - and: - - api: geteuid - - api: getpwuid + - api: geteuid + - api: getpwuid - api: getlogin - api: getlogin_r - api: cuserid diff --git a/host-interaction/thread/terminate/terminate-thread.yml b/host-interaction/thread/terminate/terminate-thread.yml index 6f06f9383..cfc7e63ce 100644 --- a/host-interaction/thread/terminate/terminate-thread.yml +++ b/host-interaction/thread/terminate/terminate-thread.yml 
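Review bot: Flattening `- and: geteuid + getpwuid` into two independent `or` items in the second get-current-user-on-linux hunk lets `getpwuid` alone satisfy `get current user on Linux`, but `getpwuid` resolves whatever uid it is handed and only indicates the current user when paired with `geteuid`/`getuid`. The same commit adds `nursery/get-password-database-entry-on-linux.yml`, which already matches a bare `getpwuid`, so the two rules now overlap on that call. Keeping `- api: geteuid` as a standalone item and dropping the new standalone `- api: getpwuid` (leaving that to the nursery rule) would preserve the loosening the author wanted without weakening the "current user" meaning. The `or:` these entries belong to starts outside the hunk.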
@@ -17,3 +17,4 @@ rule: - api: kernel32.TerminateThread - api: PsTerminateSystemThread - api: System.Threading.Thread.Abort + - api: pthread_terminate diff --git a/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml b/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml new file mode 100644 index 000000000..1c0b9f1a2 --- /dev/null +++ b/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml @@ -0,0 +1,13 @@ +rule: + meta: + name: communicate with kernel module via Netlink socket on Linux + namespace: host-interaction/kernel + authors: + - michael.hunhoff@mandiant.com + description: Netlink is used to transfer information between the kernel and user-space processes (https://man7.org/linux/man-pages/man7/netlink.7.html) + scope: basic block + features: + - and: + - os: linux + - api: socket + - number: 0x10 = AF_NETLINK diff --git a/nursery/get-current-pid-on-linux.yml b/nursery/get-current-pid-on-linux.yml new file mode 100644 index 000000000..7694d69cf --- /dev/null +++ b/nursery/get-current-pid-on-linux.yml @@ -0,0 +1,13 @@ +rule: + meta: + name: get current PID on Linux + namespace: host-interaction/process + authors: + - michael.hunhoff@mandiant.com + scope: basic block + features: + - and: + - os: linux + - or: + - api: getpid + - api: getppid diff --git a/nursery/get-file-system-information-on-linux.yml b/nursery/get-file-system-information-on-linux.yml new file mode 100644 index 000000000..1893ef422 --- /dev/null +++ b/nursery/get-file-system-information-on-linux.yml @@ -0,0 +1,13 @@ +rule: + meta: + name: get file system information on Linux + namespace: host-interaction/file-system + authors: + - michael.hunhoff@mandiant.com + scope: basic block + features: + - and: + - os: linux + - or: + - api: statfs + - api: fstatfs diff --git a/nursery/get-password-database-entry-on-linux.yml b/nursery/get-password-database-entry-on-linux.yml new file mode 100644 index 000000000..e776243fd --- /dev/null 
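Review bot: `api: pthread_terminate` in the terminate-thread hunk does not correspond to a POSIX threads or glibc symbol as far as I know — the standard calls are `pthread_cancel` (request that another thread terminate), `pthread_exit` (end the calling thread) and `pthread_kill` (deliver a signal) — so the feature can only match if the sample exports its own function by that name and is otherwise dead. Please check the resolved import in the private sample; if it is a typo, `- api: pthread_cancel` and `- api: pthread_exit` are the entries that correspond to the existing `TerminateThread` / `Thread.Abort` items. The `or` list starts outside the hunk.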
+++ b/nursery/get-password-database-entry-on-linux.yml @@ -0,0 +1,15 @@ +rule: + meta: + name: get password database entry on Linux + namespace: host-interaction/session + authors: + - michael.hunhoff@mandiant.com + scope: basic block + features: + - and: + - os: linux + - or: + - api: getpwuid + - api: getpwuid_r + - api: getpwnam + - api: getpwnam_r diff --git a/nursery/get-system-information-on-linux.yml b/nursery/get-system-information-on-linux.yml index 27e322104..dcdf9369e 100644 --- a/nursery/get-system-information-on-linux.yml +++ b/nursery/get-system-information-on-linux.yml @@ -4,6 +4,7 @@ rule: namespace: host-interaction/os/info authors: - joakim@intezer.com + - michael.hunhoff@mandiant.com scope: function att&ck: - Discovery::System Information Discovery [T1082] @@ -15,3 +16,4 @@ rule: - and: - api: system - string: "lshw" + - api: sysinfo diff --git a/nursery/mark-thread-detached-on-linux.yml b/nursery/mark-thread-detached-on-linux.yml new file mode 100644 index 000000000..3eb0e5f5b --- /dev/null +++ b/nursery/mark-thread-detached-on-linux.yml @@ -0,0 +1,11 @@ +rule: + meta: + name: mark thread detached on Linux + namespace: host-interaction/thread + authors: + - michael.hunhoff@mandiant.com + scope: basic block + features: + - and: + - os: linux + - api: pthread_detach diff --git a/nursery/persist-via-gnome-autostart-on-linux.yml b/nursery/persist-via-gnome-autostart-on-linux.yml new file mode 100644 index 000000000..74f3cc92f --- /dev/null +++ b/nursery/persist-via-gnome-autostart-on-linux.yml @@ -0,0 +1,12 @@ +rule: + meta: + name: persist via GNOME autostart on Linux + namespace: persistence + authors: + - michael.hunhoff@mandiant.com + scope: function + features: + - and: + - os: linux + - match: host-interaction/file-system/write + - substring: "X-GNOME-Autostart-enabled=true" diff --git a/nursery/set-current-directory.yml b/nursery/set-current-directory.yml index cc34dae7b..6102bd4e7 100644 --- a/nursery/set-current-directory.yml 
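Review bot: In persist-via-gnome-autostart-on-linux.yml, `substring: "X-GNOME-Autostart-enabled=true"` paired with a file-system write is also what any desktop application that installs its own autostart entry does, and the rule carries no `description` or `att&ck` mapping to say why it sits under `persistence`. Adding the location the entry must land in as a second signal — e.g. `- substring: "/.config/autostart/"` in an `or` with `- substring: "/etc/xdg/autostart/"` — would tie the write to the autostart directory rather than to a key that appears in any copied `.desktop` file. For the mapping, `Persistence::Boot or Logon Autostart Execution::XDG Autostart Entries [T1547.013]` appears to be the matching sub-technique; verify the exact ATT&CK wording before adding it. The `sysinfo` addition in get-system-information-on-linux.yml cannot be checked from this paste because the indentation deciding whether it joins the `and` or the enclosing `or` has been lost.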
+++ b/nursery/set-current-directory.yml @@ -9,3 +9,5 @@ rule: - or: - api: System.IO.Directory::SetCurrentDirectory - api: kernel32.SetCurrentDirectory + - api: chdir + - api: fchdir diff --git a/nursery/set-thread-name-on-linux.yml b/nursery/set-thread-name-on-linux.yml new file mode 100644 index 000000000..9c9694da0 --- /dev/null +++ b/nursery/set-thread-name-on-linux.yml @@ -0,0 +1,15 @@ +rule: + meta: + name: set thread name on Linux + namespace: host-interaction/thread + authors: + - michael.hunhoff@mandiant.com + scope: basic block + features: + - and: + - os: linux + - or: + - api: pthread_setname_np + - and: + - api: prctl + - number: 0xF = PR_SET_NAME From 26180485da8786ad683c89608d1d9b2ffb0e526e Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Mon, 9 Oct 2023 16:29:59 +0000 Subject: [PATCH 090/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1c4fbb6a6..f59349a2f 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-835-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-843-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 23cfa23626573a7d739c815fa63833629e2f218b Mon Sep 17 00:00:00 2001 
From: JJ Date: Mon, 9 Oct 2023 10:59:52 -0700 Subject: [PATCH 091/100] Merge execute-dotnet-assembly-via-clr-host.yml with load-windows-common-language-runtime.yml and promote load-windows-common-language-runtime.yml (#797) --- .../execute-dotnet-assembly-via-clr-host.yml | 28 ----------- .../load-windows-common-language-runtime.yml | 46 +++++++++++++++++++ .../load-windows-common-language-runtime.yml | 15 ------ 3 files changed, 46 insertions(+), 43 deletions(-) delete mode 100644 load-code/dotnet/execute-dotnet-assembly-via-clr-host.yml create mode 100644 load-code/dotnet/load-windows-common-language-runtime.yml delete mode 100644 nursery/load-windows-common-language-runtime.yml diff --git a/load-code/dotnet/execute-dotnet-assembly-via-clr-host.yml b/load-code/dotnet/execute-dotnet-assembly-via-clr-host.yml deleted file mode 100644 index 88f0142ac..000000000 --- a/load-code/dotnet/execute-dotnet-assembly-via-clr-host.yml +++ /dev/null @@ -1,28 +0,0 @@ -# generated using capa explorer for IDA Pro -rule: - meta: - name: execute .NET assembly via CLR host - namespace: load-code/dotnet - authors: - - blas.kojusner@mandiant.com - description: may be used to evade hooks or hinder analysis - scope: function - references: - - https://github.com/TheWover/donut/blob/master/DonutTest/rundotnet.cpp - examples: - - 6CD1315F6F2FA4F8EE2B98BB3CA0A994:0x140001030 - features: - - and: - - bytes: 23 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = CLSID_CorRuntimeHost - - bytes: 22 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = IID_ICorRuntimeHost - - api: CorBindToRuntime - - optional: - - basic block: - - or: - - and: - - operand[0].offset: 0x50 = Start - - characteristic: indirect call - - and: - - operand[0].offset: 0x68 = GetDefaultDomain - - characteristic: indirect call - - api: SafeArrayCreate diff --git a/load-code/dotnet/load-windows-common-language-runtime.yml b/load-code/dotnet/load-windows-common-language-runtime.yml new file mode 100644 index 000000000..de821ea11 
--- /dev/null +++ b/load-code/dotnet/load-windows-common-language-runtime.yml @@ -0,0 +1,46 @@ +# generated using capa explorer for IDA Pro +rule: + meta: + name: load Windows Common Language Runtime + namespace: load-code/dotnet + authors: + - michael.hunhoff@mandiant.com + - blas.kojusner@mandiant.com + - jakub.jozwiak@mandiant.com + scope: function + references: + - https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/ + - https://github.com/TheWover/donut/blob/master/loader/inmem_dotnet.c + examples: + - 6CD1315F6F2FA4F8EE2B98BB3CA0A994:0x140001030 + features: + - or: + - and: + - description: .NET Framework versions 2.0, 3.0, 3.5 + - or: + - api: mscoree.CorBindToRuntime + - api: mscoree.CorBindToRuntimeEx + - api: mscoree.CorBindToRuntimeHost + - api: mscoree.CorBindToRuntimeByCfg + - api: mscoree.CorBindToCurrentRuntime + - api: ole32.CoCreateInstance + - and: + - or: + - string: "CorBindToRuntime" + - string: "CorBindToRuntimeEx" + - string: "CorBindToRuntimeHost" + - string: "CorBindToRuntimeByCfg" + - string: "CorBindToCurrentRuntime" + - string: "CoCreateInstance" + - match: link function at runtime on Windows + - bytes: 23 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = CLSID_CorRuntimeHost + - bytes: 22 67 2F CB 3A AB D2 11 9C 40 00 C0 4F A3 0A 3E = IID_ICorRuntimeHost + - and: + - description: .NET Framework version 4.x + - or: + - api: mscoree.CLRCreateInstance + - and: + - string: "CLRCreateInstance" + - match: link function at runtime on Windows + - bytes: 8D 18 80 92 8E 0E 67 48 B3 0C 7F A8 38 84 E8 DE = CLSID_CLRMetaHost + - bytes: 9E DB 32 D3 B3 B9 25 41 82 07 A1 48 84 F5 32 16 = IID_ICLRMetaHost diff --git a/nursery/load-windows-common-language-runtime.yml b/nursery/load-windows-common-language-runtime.yml deleted file mode 100644 index 6251b99bb..000000000 --- a/nursery/load-windows-common-language-runtime.yml +++ /dev/null 
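Review bot: The promoted rule drops the `description: may be used to evade hooks or hinder analysis` that the deleted execute-dotnet-assembly-via-clr-host.yml carried and has no `att&ck` or `mbc` entry, although this series is adding those mappings to other rules (L72–L73); a promoted rule without a description leaves readers to infer from GUID bytes why loading the CLR from native code is notable. If the indentation places the `bytes:` pairs at the same level as the `or:` inside each `and:`, as the collapsed paste suggests, the rule now requires the CLSID/IID constants alongside the API or string match, whereas the retired nursery version fired on `mscoree.CorBindToRuntime*` alone at basic-block scope — a deliberate tightening, but a one-line `# GUIDs required so that an imported mscoree API alone does not fire` comment would record the intent. The GUID byte orderings for CLSID_CorRuntimeHost, IID_ICorRuntimeHost, CLSID_CLRMetaHost and IID_ICLRMetaHost match the published little-endian encodings.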
@@ -1,15 +0,0 @@ -# generated using capa explorer for IDA Pro -rule: - meta: - name: load Windows Common Language Runtime - namespace: load-code/dotnet - authors: - - michael.hunhoff@mandiant.com - scope: basic block - features: - - or: - - api: mscoree.CorBindToRuntime - - api: mscoree.CorBindToRuntimeEx - - api: mscoree.CorBindToRuntimeHost - - api: mscoree.CorBindToRuntimeByCfg - - api: mscoree.CorBindToCurrentRuntime From 8e2e86b54ffc780bd2d605533891455e8cb9cad5 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Mon, 9 Oct 2023 18:00:05 +0000 Subject: [PATCH 092/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f59349a2f..50738bef9 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-843-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-842-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 0b6aeb7581ce353b0d05042b00eba416a69b2556 Mon Sep 17 00:00:00 2001 From: Moritz Date: Mon, 9 Oct 2023 20:00:50 +0200 Subject: [PATCH 093/100] Create log-keystrokes-via-input-method-manager.yml (#834) --- .../log-keystrokes-via-input-method-manager.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 nursery/log-keystrokes-via-input-method-manager.yml diff --git a/nursery/log-keystrokes-via-input-method-manager.yml b/nursery/log-keystrokes-via-input-method-manager.yml new file mode 100644 index 000000000..0a266d237 --- /dev/null +++ b/nursery/log-keystrokes-via-input-method-manager.yml 
@@ -0,0 +1,16 @@ +# generated using capa explorer for IDA Pro +rule: + meta: + name: log keystrokes via Input Method Manager + namespace: collection/keylog + authors: + - "@mr-tz" + scope: function + features: + - and: + - or: + - api: ImmGetCompositionString + - api: ImmGetVirtualKey + - optional: + - api: ImmGetContext + - api: ImmReleaseContext From 5e1ae7943d69793619344cb4f4b6507e4cb71629 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Mon, 9 Oct 2023 18:01:04 +0000 Subject: [PATCH 094/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 50738bef9..f59349a2f 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-842-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-843-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From e4546990828f5425d0e430cc02f70897f16bfb82 Mon Sep 17 00:00:00 2001 From: Moritz Date: Mon, 9 Oct 2023 20:07:38 +0200 Subject: [PATCH 095/100] Update generate-random-numbers-via-rtlgenrandom.yml (#828) --- .../generate-random-numbers-via-rtlgenrandom.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml index 8795b80b4..116b70e1a 100644 --- a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml +++ b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml 
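Review bot: At `scope: function`, an `or` of `ImmGetCompositionString` / `ImmGetVirtualKey` with only `optional:` context handling is satisfied by any IME-aware text control — editors, chat clients and browsers read composition strings legitimately — so the `collection/keylog` classification will fire on benign software. A stronger signal would require the capture to co-occur with a hook-installation or window-message-loop feature (e.g. `SetWindowsHookEx` or `GetMessage`) in the same `and:`, or at minimum a `description:` stating the sample context that motivated the rule. The rule also lacks an `att&ck`/`mbc` mapping; `Collection::Input Capture::Keylogging [T1056.001]` is the standard entry if the intent is confirmed.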
@@ -4,12 +4,16 @@ rule: namespace: data-manipulation/prng authors: - william.ballenthin@mandiant.com + - richard.weiss@mandiant.com scope: function mbc: - Cryptography::Generate Pseudo-random Sequence::Use API [C0021.003] + references: + - https://doxygen.reactos.org/df/d13/sysfunc_8c_source.html + - https://blog.gentilkiwi.com/tag/systemfunction036 examples: - - b7841b9d5dc1f511a93cc7576672ec0c:0x10002B80 - - 0a0882b8da225406cc838991b5f67d11:0x416F35 + - b7841b9d5dc1f511a93cc7576672ec0c:0x10002B80 # api + - 0a0882b8da225406cc838991b5f67d11:0x416F35 # string features: - or: - api: SystemFunction036 @@ -17,6 +21,6 @@ rule: - match: link function at runtime on Windows - string: "SystemFunction036" - optional: - - string: "advapi32.dll" - - string: "Advapi32.dll" + - string: /advapi32/i + - string: /cryptsp/i - characteristic: indirect call From 6d7191fac64329cc954242589c8e8bb9f47c4f55 Mon Sep 17 00:00:00 2001 From: Moritz Date: Tue, 10 Oct 2023 11:53:01 +0200 Subject: [PATCH 096/100] Update generate-random-numbers-via-rtlgenrandom.yml --- .../prng/generate-random-numbers-via-rtlgenrandom.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml index 116b70e1a..cd6b6e57a 100644 --- a/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml +++ b/data-manipulation/prng/generate-random-numbers-via-rtlgenrandom.yml @@ -23,4 +23,3 @@ rule: - optional: - string: /advapi32/i - string: /cryptsp/i - - characteristic: indirect call From 18f8a33a4e5a1ff6484fae5858a12c0a6e04c040 Mon Sep 17 00:00:00 2001 
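Review bot: The PATCH 096 hunk at the end of this line removes `- characteristic: indirect call` from the `and` branch that matches via `link function at runtime on Windows` plus `string: "SystemFunction036"`, leaving that branch satisfied by a function that merely resolves or references the name without calling it (an import-resolver table, for instance); the commit message `Update generate-random-numbers-via-rtlgenrandom.yml` records no reason. If the removal was meant to recover matches where the call lives in a different function from the resolution, a `description:` line saying so, or a `# indirect call not required: resolution and call may be in different functions` comment, would stop the next reviewer from re-adding it. The `and:` these lines belong to starts outside the hunk.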
From: Richard <9610284+richardweiss80@users.noreply.github.com> Date: Tue, 10 Oct 2023 11:55:01 +0200 Subject: [PATCH 097/100] encrypt data using RC4 via SystemFunction032 (#825) * RC4 encryption via Advapi32.SystemFunction032 --- ...t-data-using-rc4-via-systemfunction032.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 nursery/encrypt-data-using-rc4-via-systemfunction032.yml diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml new file mode 100644 index 000000000..ffa79dd05 --- /dev/null +++ b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml @@ -0,0 +1,26 @@ +rule: + meta: + name: encrypt data using RC4 via SystemFunction032 + namespace: data-manipulation/encryption/rc4 + authors: + - richard.weiss@mandiant.com + scope: function + att&ck: + - Defense Evasion::Obfuscated Files or Information [T1027] + mbc: + - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05] + - Cryptography::Encrypt Data::RC4 [C0027.009] + references: + - https://doxygen.reactos.org/df/d13/sysfunc_8c_source.html + - https://blog.gentilkiwi.com/tag/systemfunction032 + examples: + - 3BBDF04C25FCD9876733EAA9163B3ED64D81396E7414619758D9376EDF4C103E:0x1000976C # api match + features: + - or: + - api: SystemFunction032 + - and: + - match: link function at runtime on Windows + - string: "SystemFunction032" + - optional: + - string: /advapi32/i + - string: /cryptsp/i From 5f579460f5e1dcfac1b0950e31ec02e4d4fa2904 Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Tue, 10 Oct 2023 09:55:15 +0000 Subject: [PATCH 098/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f59349a2f..a02d0f08a 100644 --- a/README.md +++ b/README.md 
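Review bot: The example `3BBDF04C25FCD9876733EAA9163B3ED64D81396E7414619758D9376EDF4C103E:0x1000976C` is a SHA-256, whereas every other example in this series uses an MD5 (e.g. `883bf161937f8dc6e766b07000110254:0x403150` in set-tcp-connection-state.yml); if the linter resolves examples against test files by MD5 this entry will not be validated — worth confirming before promotion out of the nursery. The referenced ReactOS `sysfunc.c` implements `SystemFunction033` as the same RC4 routine as `SystemFunction032`, if memory serves, so `- api: SystemFunction033` (with a matching `- string: "SystemFunction033"` in the runtime-linking branch) would be a natural addition to the `or`; verify against the source before adding it.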
@@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-843-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-844-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 773c75c9346f1ec5afb0d2d854f5b7b458ab6274 Mon Sep 17 00:00:00 2001 From: Moritz Date: Tue, 10 Oct 2023 15:34:15 +0200 Subject: [PATCH 099/100] Create add-value-to-global-atom-table.yml (#831) * Create add-value-to-global-atom-table.yml --- nursery/add-value-to-global-atom-table.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 nursery/add-value-to-global-atom-table.yml diff --git a/nursery/add-value-to-global-atom-table.yml b/nursery/add-value-to-global-atom-table.yml new file mode 100644 index 000000000..2cc527b55 --- /dev/null +++ b/nursery/add-value-to-global-atom-table.yml @@ -0,0 +1,15 @@ +rule: + meta: + name: add value to global atom table + namespace: host-interaction/process/inject + authors: + - "@mr-tz" + scope: function + references: + - https://www.fortinet.com/blog/threat-research/atombombing-brand-new-code-injection-technique-for-windows + - https://github.com/BreakingMalwareResearch/atom-bombing + features: + - and: + - api: AddAtom + - api: GlobalAddAtom + - api: GlobalAddAtomEx From 54e3a1d3dd80ebe184dc06779879996e62f065ba Mon Sep 17 00:00:00 2001 From: Capa Bot Date: Tue, 10 Oct 2023 13:34:30 +0000 Subject: [PATCH 100/100] Update rules number badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a02d0f08a..c4fbc839b 100644 --- a/README.md +++ b/README.md 
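Review bot: In add-value-to-global-atom-table.yml the `- and:` over `api: AddAtom`, `api: GlobalAddAtom` and `api: GlobalAddAtomEx` requires all three calls in one function, which no realistic program makes — the three are alternatives, so the combinator should be `- or:`. `AddAtom` also targets the process-local atom table, not the global table named in the rule and used in the referenced AtomBombing write-up, so either the name should widen or `AddAtom` should come out of the list. Adding an atom is only the data-staging half of that technique, so a `description:` noting that this rule is a building block rather than evidence of injection would keep the `host-interaction/process/inject` namespace from overstating a single match.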
@@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-844-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-845-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs.