Merge pull request #801 from RonnieSalomonsen/forwarded_export

Add new rule for forwarded exports and update doc to with new charact…
mandiant · Jul 19, 2023 · c9cd572 · c9cd572
2 parents 85a980a + 8b5e321
commit c9cd572
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/doc/format.md b/doc/format.md
@@ -314,7 +314,8 @@ For example, the `characteristic: nzxor` feature describes non-zeroing XOR instr
 | characteristic                       | scope                              | description |
 |--------------------------------------|------------------------------------|-------------|
 | `characteristic: embedded pe`        | file                               | (XOR encoded) embedded PE files. |
-| `characteristic: mixed mode` | file | File contains both managed and unmanaged (native) code, often seen in .NET |
+| `characteristic: forwarded export`   | file                               | PE file has a forwarded export. |
+| `characteristic: mixed mode`         | file                               | File contains both managed and unmanaged (native) code, often seen in .NET |
 | `characteristic: loop`               | function                           | Function contains a loop. |
 | `characteristic: recursive call`     | function                           | Function is recursive. |
 | `characteristic: calls from`         | function                           | There are unique calls from this function. Best used like: `count(characteristic(calls from)): 3 or more` |
@@ -328,7 +329,7 @@ For example, the `characteristic: nzxor` feature describes non-zeroing XOR instr
 | `characteristic: cross section flow` | instruction, basic block, function | Function contains a call/jump to a different section. This is commonly seen in unpacking stubs. |
 | `characteristic: indirect call`      | instruction, basic block, function | Indirect call instruction; for example, `call edx` or `call qword ptr [rsp+78h]`. |
 | `characteristic: call $+5`           | instruction, basic block, function | Call just past the current instruction. |
-| `characteristic: unmanaged call` | instruction, basic block, function | Function contains a call from managed code to unmanaged (native) code, often seen in .NET |
+| `characteristic: unmanaged call`     | instruction, basic block, function | Function contains a call from managed code to unmanaged (native) code, often seen in .NET |
 
 ## instruction features
 
@@ -604,6 +605,11 @@ Examples:
 
     export: InstallA
 
+To specify a [forwarded export](https://devblogs.microsoft.com/oldnewthing/20060719-24/?p=30473) use the format `<DLL path, lowercase>.<symbol name>`. Note that the path can be either implicit, relative, or absolute:
+
+    export: "c:/windows/system32/version.GetFileVersionInfoA"
+    export: "vresion.GetFileVersionInfoA"
+
 ### import
 
 The name of a routine imported from a shared library.

diff --git a/executable/pe/export/forwarded-export.yml b/executable/pe/export/forwarded-export.yml
@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: forwarded export
+    namespace: executable/pe/export
+    authors:
+      - [email protected]
+    scope: file
+    att&ck:
+      - Execution::Shared Modules [T1129]
+    examples:
+      - 76FA734236DAA023444DEC26863401DC
+  features:
+    - characteristic: forwarded export