From a8d00309c3032a3db6fb98fb02afcc9b0b96bbb9 Mon Sep 17 00:00:00 2001 From: Ronnie Salomonsen Date: Wed, 19 Jul 2023 12:40:20 +0200 Subject: [PATCH 1/4] Add new rule for forwarded exports and update doc to with new characteristic and examples under export feature --- doc/format.md | 10 ++++++++-- executable/pe/export/forwarded-export.yml | 13 +++++++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 executable/pe/export/forwarded-export.yml diff --git a/doc/format.md b/doc/format.md index d123e24e0..2b2436af4 100644 --- a/doc/format.md +++ b/doc/format.md @@ -314,7 +314,8 @@ For example, the `characteristic: nzxor` feature describes non-zeroing XOR instr | characteristic | scope | description | |--------------------------------------|------------------------------------|-------------| | `characteristic: embedded pe` | file | (XOR encoded) embedded PE files. | -| `characteristic: mixed mode` | file | File contains both managed and unmanaged (native) code, often seen in .NET | +| `characteristic: forwarded export` | file | PE file that forward export. | +| `characteristic: mixed mode` | file | File contains both managed and unmanaged (native) code, often seen in .NET | | `characteristic: loop` | function | Function contains a loop. | | `characteristic: recursive call` | function | Function is recursive. | | `characteristic: calls from` | function | There are unique calls from this function. Best used like: `count(characteristic(calls from)): 3 or more` | 
@@ -328,7 +329,7 @@ For example, the `characteristic: nzxor` feature describes non-zeroing XOR instr | `characteristic: cross section flow` | instruction, basic block, function | Function contains a call/jump to a different section. This is commonly seen in unpacking stubs. | | `characteristic: indirect call` | instruction, basic block, function | Indirect call instruction; for example, `call edx` or `call qword ptr [rsp+78h]`. | | `characteristic: call $+5` | instruction, basic block, function | Call just past the current instruction. | -| `characteristic: unmanaged call` | instruction, basic block, function | Function contains a call from managed code to unmanaged (native) code, often seen in .NET | +| `characteristic: unmanaged call` | instruction, basic block, function | Function contains a call from managed code to unmanaged (native) code, often seen in .NET | ## instruction features @@ -604,6 +605,11 @@ Examples: export: InstallA +And for forwarded exports: + + export: "c:/windows/system32/version.GetFileVersionInfoA" + export: "vresion.GetFileVersionInfoA" + ### import The name of a routine imported from a shared library. diff --git a/executable/pe/export/forwarded-export.yml b/executable/pe/export/forwarded-export.yml new file mode 100644 index 000000000..185b5bec7 --- /dev/null +++ b/executable/pe/export/forwarded-export.yml @@ -0,0 +1,13 @@ +rule: + meta: + name: forwarded export + namespace: executable/pe/export + authors: + - ronnie.salomonsen@mandiant.com + scope: file + att&ck: + - Execution::Shared Modules [T1129] + examples: + - 76FA734236DAA023444DEC26863401DC:0x18003BD32 + features: + - characteristic: forwarded export \ No newline at end of file From 65ab87b29267487a0509c9bb01ab4eb6841a92bf Mon Sep 17 00:00:00 2001 
From: Ronnie Salomonsen Date: Wed, 19 Jul 2023 14:54:12 +0200 Subject: [PATCH 2/4] Update executable/pe/export/forwarded-export.yml Co-authored-by: Willi Ballenthin --- executable/pe/export/forwarded-export.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/executable/pe/export/forwarded-export.yml b/executable/pe/export/forwarded-export.yml index 185b5bec7..1b209efbf 100644 --- a/executable/pe/export/forwarded-export.yml +++ b/executable/pe/export/forwarded-export.yml @@ -8,6 +8,6 @@ rule: att&ck: - Execution::Shared Modules [T1129] examples: - - 76FA734236DAA023444DEC26863401DC:0x18003BD32 + - 76FA734236DAA023444DEC26863401DC features: - characteristic: forwarded export \ No newline at end of file From 658b16f47d82ac26de2b03fb0da752f33df83daa Mon Sep 17 00:00:00 2001 From: Ronnie Salomonsen Date: Wed, 19 Jul 2023 14:54:25 +0200 Subject: [PATCH 3/4] Update doc/format.md Co-authored-by: Willi Ballenthin --- doc/format.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/format.md b/doc/format.md index 2b2436af4..86bf6bfad 100644 --- a/doc/format.md +++ b/doc/format.md @@ -605,7 +605,7 @@ Examples: export: InstallA -And for forwarded exports: +To specify a [forwarded export](https://devblogs.microsoft.com/oldnewthing/20060719-24/?p=30473) use the format `.`. Note that the path can be either implicit, relative, or absolute: export: "c:/windows/system32/version.GetFileVersionInfoA" export: "vresion.GetFileVersionInfoA" From 8b5e3217fa4e8f0ebcc50b15ab90461162e1ccd4 Mon Sep 17 00:00:00 2001 From: Ronnie Salomonsen Date: Wed, 19 Jul 2023 14:54:47 +0200 Subject: [PATCH 4/4] Update doc/format.md Co-authored-by: Willi Ballenthin --- doc/format.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/format.md b/doc/format.md index 86bf6bfad..c72ae9e54 100644 --- a/doc/format.md +++ b/doc/format.md 
@@ -314,7 +314,7 @@ For example, the `characteristic: nzxor` feature describes non-zeroing XOR instr | characteristic | scope | description | |--------------------------------------|------------------------------------|-------------| | `characteristic: embedded pe` | file | (XOR encoded) embedded PE files. | -| `characteristic: forwarded export` | file | PE file that forward export. | +| `characteristic: forwarded export` | file | PE file has a forwarded export. | | `characteristic: mixed mode` | file | File contains both managed and unmanaged (native) code, often seen in .NET | | `characteristic: loop` | function | Function contains a loop. | | `characteristic: recursive call` | function | Function is recursive. |
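Review bot: in PATCH 1/4, hunk `@@ -314,7 +314,8 @@` of doc/format.md, the new row's description `PE file that forward export.` is ungrammatical; `PE file has a forwarded export.` reads correctly, and since PATCH 4/4 later makes exactly that one-line correction, squash it into this commit so the series never introduces the broken wording. The same hunk also deletes and re-adds the `characteristic: mixed mode` row with identical visible content, which is whitespace-only churn unrelated to the feature and makes the table diff harder to read; drop that `-`/`+` pair.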
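Review bot: in PATCH 1/4, hunk `@@ -328,7 +329,7 @@` of doc/format.md, the `characteristic: unmanaged call` row is removed and re-added with no visible change, so this is trailing-whitespace churn that has nothing to do with forwarded exports; revert it here or move it to a separate formatting commit with its own message.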
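Review bot: in PATCH 1/4, hunk `@@ -604,6 +605,11 @@` of doc/format.md, the second example `export: "vresion.GetFileVersionInfoA"` misspells the module name (`version`), and none of the later patches in the series corrects it, so the typo would ship in the published rule-format documentation; change it to `export: "version.GetFileVersionInfoA"`. The lead-in `And for forwarded exports:` also introduces the examples without saying what the value syntax is; PATCH 3/4 replaces that sentence, so fold the replacement text into this commit.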
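Review bot: in PATCH 1/4, the new file executable/pe/export/forwarded-export.yml declares `scope: file` but its example `76FA734236DAA023444DEC26863401DC:0x18003BD32` carries a function offset, which only makes sense for narrower scopes; list just the hash, as PATCH 2/4 later does, and squash that fix here. The file also ends without a terminating newline (`\ No newline at end of file`), which rule linters commonly flag; add one.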
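Review bot: PATCH 2/4 correctly drops the `:0x18003BD32` offset from the file-scope example, but the hunk still shows `\ No newline at end of file`, so the missing trailing newline in forwarded-export.yml survives this revision; add it in the same edit. A one-line correction of a file introduced earlier in the same series should also be squashed into PATCH 1/4 rather than landing as a separate `Update executable/pe/export/forwarded-export.yml` commit with no descriptive message.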
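Review bot: in PATCH 3/4, the new sentence describes the value as ``use the format `.` ``, with nothing on either side of the dot, so the reader cannot tell what the two parts of the value are; spell out in prose that the value is the forwarding module's name, then a dot, then the exported routine's name, in the shape of the two examples that follow. The sentence also says the path may be implicit, relative, or absolute, yet the examples only show an absolute path and an implicit one; add a relative example or drop "relative" from the list. Finally, the retained context line `export: "vresion.GetFileVersionInfoA"` still carries the `vresion` typo; since this patch already edits this block, fix it here.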
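Review bot: PATCH 4/4's change from `PE file that forward export.` to `PE file has a forwarded export.` is the right wording, but it corrects text introduced by PATCH 1/4 of the same series; squash it into that commit so the history does not carry a separate `Update doc/format.md` commit whose message does not say what was changed.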