From e78708c1b0588aeffa9f23bbc40348bdf125e036 Mon Sep 17 00:00:00 2001
From: Mike Hunhoff
Date: Fri, 1 Sep 2023 17:58:23 -0600
Subject: [PATCH] adding new rules based on private Linux sample(s)
---
 .../socket/receive/receive-data-on-socket.yml | 1 +
 .../file-system/create/create-directory.yml | 1 +
 .../file-system/delete/delete-directory.yml | 1 +
 .../file-system/meta/get-file-attributes.yml | 4 ++++
 .../file-system/meta/set-file-attributes.yml | 2 ++
 .../process/terminate/terminate-process.yml | 2 ++
 .../session}/get-current-user-on-linux.yml | 7 +++----
 .../thread/terminate/terminate-thread.yml | 1 +
 ...-kernel-module-via-netlink-socket-on-linux.yml | 13 +++++++++++++
 nursery/create-detached-thread-on-linux.yml | 11 +++++++++++
 nursery/get-current-pid-on-linux.yml | 13 +++++++++++++
 nursery/get-file-system-information-on-linux.yml | 13 +++++++++++++
 nursery/get-system-information-on-linux.yml | 2 ++
 nursery/get-user-database-entry-on-linux.yml | 13 +++++++++++++
 nursery/persist-via-gnome-autostart-on-linux.yml | 12 ++++++++++++
 nursery/set-current-directory.yml | 2 ++
 nursery/set-thread-name-on-linux.yml | 15 +++++++++++++++
 17 files changed, 109 insertions(+), 4 deletions(-)
 rename {collection => host-interaction/session}/get-current-user-on-linux.yml (79%)
 create mode 100644 nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml
 create mode 100644 nursery/create-detached-thread-on-linux.yml
 create mode 100644 nursery/get-current-pid-on-linux.yml
 create mode 100644 nursery/get-file-system-information-on-linux.yml
 create mode 100644 nursery/get-user-database-entry-on-linux.yml
 create mode 100644 nursery/persist-via-gnome-autostart-on-linux.yml
 create mode 100644 nursery/set-thread-name-on-linux.yml
diff --git a/communication/socket/receive/receive-data-on-socket.yml b/communication/socket/receive/receive-data-on-socket.yml
index f6ee1e209..556df036a 100644
--- a/communication/socket/receive/receive-data-on-socket.yml
+++ b/communication/socket/receive/receive-data-on-socket.yml
@@ -33,3 +33,4 @@ rule:
 - api: System.Net.Sockets.Socket::EndReceive
 - api: System.Net.Sockets.Socket::EndReceiveFrom
 - api: System.Net.Sockets.Socket::EndReceiveMessageFrom
+ - api: recvmsg
diff --git a/host-interaction/file-system/create/create-directory.yml b/host-interaction/file-system/create/create-directory.yml
index 92911501a..d43de4d33 100644
--- a/host-interaction/file-system/create/create-directory.yml
+++ b/host-interaction/file-system/create/create-directory.yml
@@ -20,6 +20,7 @@ rule:
 - api: ZwCreateDirectoryObject
 - api: SHCreateDirectory
 - api: SHCreateDirectoryEx
+ - api: mkdir
 - api: _mkdir
 - api: _wmkdir
 - api: System.IO.Directory::CreateDirectory
diff --git a/host-interaction/file-system/delete/delete-directory.yml b/host-interaction/file-system/delete/delete-directory.yml
index e843d3174..41edc033e 100644
--- a/host-interaction/file-system/delete/delete-directory.yml
+++ b/host-interaction/file-system/delete/delete-directory.yml
@@ -15,6 +15,7 @@ rule:
 - or:
 - api: RemoveDirectory
 - api: RemoveDirectoryTransacted
+ - api: rmdir
 - api: _rmdir
 - api: _wrmdir
 - api: System.IO.DirectoryInfo::Delete
diff --git a/host-interaction/file-system/meta/get-file-attributes.yml b/host-interaction/file-system/meta/get-file-attributes.yml
index 67fdf5e06..a1b929a1e 100644
--- a/host-interaction/file-system/meta/get-file-attributes.yml
+++ b/host-interaction/file-system/meta/get-file-attributes.yml
@@ -27,3 +27,7 @@ rule:
 - api: System.IO.File::GetLastWriteTime
 - api: System.IO.File::GetLastWriteTimeUtc
 - property/read: System.IO.FileSystemInfo::Attributes
+ - api: stat
+ - api: fstat
+ - api: lstat
+ - api: fstatat
diff --git a/host-interaction/file-system/meta/set-file-attributes.yml b/host-interaction/file-system/meta/set-file-attributes.yml
index 1475caf48..53ea96eed 100644
--- a/host-interaction/file-system/meta/set-file-attributes.yml
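Review bot: The new `mkdir` entry in create-directory.yml has no `mkdirat` sibling, although the get-file-attributes hunk in this same commit does include the dirfd-relative form (`fstatat`); code that opens a directory descriptor and creates entries relative to it will not match. Consider adding `- api: mkdirat` directly after `- api: mkdir`. The delete-directory hunk has the same gap, where the dirfd-relative call is `unlinkat` (directory removal is selected by the `AT_REMOVEDIR` flag), so it would need a flag check rather than a bare api entry if it is added there. The `or` list both hunks extend begins outside the hunk.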
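Review bot: Binaries built against glibc older than 2.33 generally do not import `stat`, `fstat`, `lstat` or `fstatat` by name; those calls were header-inlined wrappers around the exported `__xstat`, `__fxstat`, `__lxstat` and `__fxstatat` symbols (and their `__xstat64`-style variants), so the four added lines may miss a large share of real-world Linux samples. Consider adding those symbol names, plus `stat64`/`fstat64`/`lstat64`/`fstatat64` and `statx`, alongside the new entries. The `or` list these lines extend begins outside the hunk.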
+++ b/host-interaction/file-system/meta/set-file-attributes.yml
@@ -27,3 +27,5 @@ rule:
 - api: System.IO.File::SetLastWriteTime
 - api: System.IO.File::SetLastWriteTimeUtc
 - property/write: System.IO.FileSystemInfo::Attributes
+ - api: utime
+ - api: utimes
diff --git a/host-interaction/process/terminate/terminate-process.yml b/host-interaction/process/terminate/terminate-process.yml
index dc3d391f6..6d80122fe 100644
--- a/host-interaction/process/terminate/terminate-process.yml
+++ b/host-interaction/process/terminate/terminate-process.yml
@@ -19,6 +19,8 @@ rule:
 - api: System.Diagnostics.Process::WaitForExitAsync
 - api: System.Environment::Exit
 - api: System.Windows.Forms.Application::Exit
+ - api: exit
+ - api: Exit
 - and:
 - optional:
 - match: open process
diff --git a/collection/get-current-user-on-linux.yml b/host-interaction/session/get-current-user-on-linux.yml
similarity index 79%
rename from collection/get-current-user-on-linux.yml
rename to host-interaction/session/get-current-user-on-linux.yml
index bae1449ad..06a668dbd 100644
--- a/collection/get-current-user-on-linux.yml
+++ b/host-interaction/session/get-current-user-on-linux.yml
@@ -1,7 +1,7 @@
 rule:
 meta:
 name: get current user on Linux
- namespace: collection
+ namespace: host-interaction/session
 authors:
 - joakim@intezer.com
 scope: function
@@ -13,9 +13,8 @@ rule:
 - and:
 - os: linux
 - or:
- - and:
- - api: geteuid
- - api: getpwuid
+ - api: geteuid
+ - api: getpwuid
 - api: getlogin
 - api: getlogin_r
 - api: cuserid
diff --git a/host-interaction/thread/terminate/terminate-thread.yml b/host-interaction/thread/terminate/terminate-thread.yml
index 6f06f9383..cfc7e63ce 100644
--- a/host-interaction/thread/terminate/terminate-thread.yml
+++ b/host-interaction/thread/terminate/terminate-thread.yml
@@ -17,3 +17,4 @@ rule:
 - api: kernel32.TerminateThread
 - api: PsTerminateSystemThread
 - api: System.Threading.Thread.Abort
+ - api: pthread_terminate 
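Review bot: `utime` and `utimes` cover only the legacy timestamp interfaces; code compiled against current toolchains, and anything written to POSIX.1-2008, uses `utimensat` and `futimens` instead, so timestomping-style samples built recently will slip past the two added lines. Consider adding `- api: utimensat` and `- api: futimens` next to them. Whether mode/ownership changes (`chmod`, `chown`) also belong in this rule depends on how its Windows entries are scoped, which lies outside the hunk.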
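Review bot: The bare `Exit` entry does not correspond to a documented libc or Win32 export (the Win32 call is `ExitProcess`, and the .NET `Exit` members are already listed on the lines above), so it is unclear which runtime symbol it is meant to match; if it was observed as an import in the private sample, a comment such as `# Exit: seen as <RUNTIME_PLACEHOLDER> export in sample <SAMPLE_ID_PLACEHOLDER>` would stop a later cleanup from treating it as a typo. `exit` itself is fine, but its libc siblings `_exit` and `_Exit`, which are commonly used in the child after fork(), are not covered. Since almost every C program calls `exit`, this rule will now fire on nearly all Linux samples; that may be acceptable for a terminate-process rule but deserves a sentence in the rule description, which is outside the hunk.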
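Review bot: Removing the `and` in the second hunk makes `getpwuid` alone sufficient for "get current user", but `getpwuid` resolves an arbitrary UID rather than the caller's, and this same commit adds nursery/get-user-database-entry-on-linux.yml that matches exactly `getpwuid`/`getpwuid_r`; the two rules now overlap and this one over-matches. Keep `getpwuid` paired with a UID lookup (the removed `- and:` / `- api: geteuid` / `- api: getpwuid` shape, ideally with `getuid` as an alternative to `geteuid`), or drop it here and let the nursery rule carry it. `getuid` is also missing as a standalone alternative beside `geteuid`.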
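Review bot: `pthread_terminate` is not a POSIX or glibc export — the standard calls are `pthread_cancel` (end another thread), `pthread_exit` (end the calling thread) and `pthread_kill` (signal-based) — so unless that exact name appears as an import in the private sample, the added line will never match. Consider `- api: pthread_cancel` in its place, and `- api: pthread_exit` if self-termination is in scope for this rule. The `or` list this line extends begins outside the hunk.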
diff --git a/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml b/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml
new file mode 100644
index 000000000..1c0b9f1a2
--- /dev/null
+++ b/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml
@@ -0,0 +1,13 @@
+rule:
+ meta:
+ name: communicate with kernel module via Netlink socket on Linux
+ namespace: host-interaction/kernel
+ authors:
+ - michael.hunhoff@mandiant.com
+ description: Netlink is used to transfer information between the kernel and user-space processes (https://man7.org/linux/man-pages/man7/netlink.7.html)
+ scope: basic block
+ features:
+ - and:
+ - os: linux
+ - api: socket
+ - number: 0x10 = AF_NETLINK
diff --git a/nursery/create-detached-thread-on-linux.yml b/nursery/create-detached-thread-on-linux.yml
new file mode 100644
index 000000000..ed33f4eab
--- /dev/null
+++ b/nursery/create-detached-thread-on-linux.yml
@@ -0,0 +1,11 @@
+rule:
+ meta:
+ name: create detached thread on Linux
+ namespace: host-interaction/thread
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: basic block
+ features:
+ - and:
+ - os: linux
+ - api: pthread_detach
diff --git a/nursery/get-current-pid-on-linux.yml b/nursery/get-current-pid-on-linux.yml
new file mode 100644
index 000000000..7694d69cf
--- /dev/null
+++ b/nursery/get-current-pid-on-linux.yml
@@ -0,0 +1,13 @@
+rule:
+ meta:
+ name: get current PID on Linux
+ namespace: host-interaction/process
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: basic block
+ features:
+ - and:
+ - os: linux
+ - or:
+ - api: getpid
+ - api: getppid
diff --git a/nursery/get-file-system-information-on-linux.yml b/nursery/get-file-system-information-on-linux.yml
new file mode 100644
index 000000000..1893ef422
--- /dev/null
+++ b/nursery/get-file-system-information-on-linux.yml
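Review bot: `- number: 0x10 = AF_NETLINK` at basic-block scope beside `socket` also matches the constant 16 used for other purposes in the same block, most commonly `sizeof(struct sockaddr_in)` passed to a `bind`/`connect` right after the `socket` call, so the rule is looser than its name implies. Statically linked samples add another source of hits: glibc's own `getifaddrs`/`getaddrinfo` paths open `AF_NETLINK` sockets (`NETLINK_ROUTE`), so the match may land in libc code rather than the sample's own logic. Consider also requiring the protocol argument, e.g. `- number: 0x2 = NETLINK_USERSOCK` for the user-defined-channel case the rule name is about, and rewording the description to "kernel subsystems" rather than a kernel module, since Netlink is the generic kernel/user-space channel described by the linked man page.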
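Review bot: `pthread_detach` only catches threads detached after creation; the other common path is creating the thread detached up front via `pthread_attr_setdetachstate` with `PTHREAD_CREATE_DETACHED`, which this rule does not match. Consider wrapping the api in an `or` with `- api: pthread_attr_setdetachstate`; pairing it with `- number: 0x1 = PTHREAD_CREATE_DETACHED` would be precise but the constant 1 is noisy even at basic-block scope, so the api alone may be the better trade-off.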
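Review bot: `getppid` returns the parent's PID, not the current process's, so the name `get current PID on Linux` is wrong for half of the `or`. Either rename the rule (e.g. `name: get process ID on Linux`) or move `getppid` to its own rule, since parent-PID lookups are a distinct behaviour (often part of sandbox or debugger checks) that analysts may want to triage separately from a plain `getpid`.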
@@ -0,0 +1,13 @@
+rule:
+ meta:
+ name: get file system information on Linux
+ namespace: host-interaction/file-system
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: basic block
+ features:
+ - and:
+ - os: linux
+ - or:
+ - api: statfs
+ - api: fstatfs
diff --git a/nursery/get-system-information-on-linux.yml b/nursery/get-system-information-on-linux.yml
index 27e322104..dcdf9369e 100644
--- a/nursery/get-system-information-on-linux.yml
+++ b/nursery/get-system-information-on-linux.yml
@@ -4,6 +4,7 @@ rule:
 namespace: host-interaction/os/info
 authors:
 - joakim@intezer.com
+ - michael.hunhoff@mandiant.com
 scope: function
 att&ck:
 - Discovery::System Information Discovery [T1082]
@@ -15,3 +16,4 @@ rule:
 - and:
 - api: system
 - string: "lshw"
+ - api: sysinfo
diff --git a/nursery/get-user-database-entry-on-linux.yml b/nursery/get-user-database-entry-on-linux.yml
new file mode 100644
index 000000000..e5b82d74e
--- /dev/null
+++ b/nursery/get-user-database-entry-on-linux.yml
@@ -0,0 +1,13 @@
+rule:
+ meta:
+ name: get user database entry on Linux
+ namespace: host-interaction/session
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: basic block
+ features:
+ - and:
+ - os: linux
+ - or:
+ - api: getpwuid
+ - api: getpwuid_r
diff --git a/nursery/persist-via-gnome-autostart-on-linux.yml b/nursery/persist-via-gnome-autostart-on-linux.yml
new file mode 100644
index 000000000..74f3cc92f
--- /dev/null
+++ b/nursery/persist-via-gnome-autostart-on-linux.yml
@@ -0,0 +1,12 @@
+rule:
+ meta:
+ name: persist via GNOME autostart on Linux
+ namespace: persistence
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: function
+ features:
+ - and:
+ - os: linux
+ - match: host-interaction/file-system/write
+ - substring: "X-GNOME-Autostart-enabled=true"
diff --git a/nursery/set-current-directory.yml b/nursery/set-current-directory.yml
index cc34dae7b..6102bd4e7 100644
--- a/nursery/set-current-directory.yml
+++ b/nursery/set-current-directory.yml
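Review bot: `statfs`/`fstatfs` are the Linux-specific calls; the POSIX equivalents `statvfs`/`fstatvfs`, which portable code uses, are not matched, and binaries built against older glibc import the large-file `statfs64`/`fstatfs64` variants rather than the plain names. Consider adding `- api: statvfs` and `- api: fstatvfs` to the `or`, together with the `64` variants of all four.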
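Review bot: The rule covers only UID-based lookups, but "user database entry" also includes lookups by name (`getpwnam`, `getpwnam_r`) and enumeration (`getpwent`, `setpwent`/`endpwent`), which is how account-discovery code walks the passwd database. Either add `- api: getpwnam` and `- api: getpwnam_r` (and `getpwent`) to the `or`, or narrow the name to `get user database entry by UID on Linux`. Note the overlap with host-interaction/session/get-current-user-on-linux.yml, which this same commit changes to match `getpwuid` on its own.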
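Review bot: Matching the `X-GNOME-Autostart-enabled=true` substring at function scope assumes the key is referenced in the same function that performs the write; `.desktop` contents are frequently a single static template referenced from elsewhere, so `match: host-interaction/file-system/write` and the string can land in different functions and the rule will miss. Consider `scope: file`, or adding the destination path as an alternative indicator, e.g. `- substring: "/.config/autostart/"` under an `or` with the existing substring. An `att&ck` entry of `Persistence::Boot or Logon Autostart Execution::XDG Autostart Entries [T1547.013]` would also make the rule's classification explicit.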
@@ -9,3 +9,5 @@ rule:
 - or:
 - api: System.IO.Directory::SetCurrentDirectory
 - api: kernel32.SetCurrentDirectory
+ - api: chdir
+ - api: fchdir
diff --git a/nursery/set-thread-name-on-linux.yml b/nursery/set-thread-name-on-linux.yml
new file mode 100644
index 000000000..9c9694da0
--- /dev/null
+++ b/nursery/set-thread-name-on-linux.yml
@@ -0,0 +1,15 @@
+rule:
+ meta:
+ name: set thread name on Linux
+ namespace: host-interaction/thread
+ authors:
+ - michael.hunhoff@mandiant.com
+ scope: basic block
+ features:
+ - and:
+ - os: linux
+ - or:
+ - api: pthread_setname_np
+ - and:
+ - api: prctl
+ - number: 0xF = PR_SET_NAME