Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update and add Cabinet archive related rules #808

Merged
merged 2 commits into from
Nov 29, 2023
Merged

Update and add Cabinet archive related rules #808

merged 2 commits into from
Nov 29, 2023

Conversation

jtothej
Copy link
Contributor

@jtothej jtothej commented Aug 1, 2023

Suggesting following rearrangement as FCI/FDI API functions are dependent on each other so I'm not sure if it's worth to have separate rules for each of them:

FCICreate and FDICreate can be potentially used for shellcode execution via callback functions (TODO) so adding them as library functions:
lib/create-file-compression-interface-context.yml
lib/create-file-decompression-interface-context.yml

Rules indicating creation or extraction of data from Cabinet file:
data-manipulation/compression/create-cabinet-file.yml
data-manipulation/compression/extract-files-from-cabinet.yml

CC: @mike-hunhoff

@jtothej jtothej mentioned this pull request Aug 1, 2023
Merged
@mr-tz mr-tz requested a review from mike-hunhoff August 7, 2023 13:30
@mr-tz
Copy link
Collaborator

mr-tz commented Oct 11, 2023

@mike-hunhoff, can you take a look?

@mr-tz
Copy link
Collaborator

mr-tz commented Nov 20, 2023

@mike-hunhoff bump :)

mike-hunhoff
mike-hunhoff requested changes Nov 22, 2023
View reviewed changes
Copy link
Collaborator

@mike-hunhoff mike-hunhoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @jtothej ! I'm not sure why I missed all of the mentions here and I apologize for the delayed review. Please check out my comments.

data-manipulation/compression/create-cabinet-file.yml Outdated
@@ -0,0 +1,23 @@
rule:
meta:
name: create Cabinet file
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thoughts on changing this to create Cabinet on Windows to make it more clear?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Renamed the rule in ac09516

data-manipulation/compression/create-cabinet-file.yml Outdated
Comment on lines 20 to 23
- or:
- api: cabinet.FCIAddFile = add file to Cabinet
- api: cabinet.FCIFlushFolder = flush current folder under construction
- api: cabinet.FCIFlushCabinet = completes current cabinet
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add cabinet.FCIDestroy?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Added in ac09516

data-manipulation/compression/extract-files-from-cabinet.yml Outdated
@@ -0,0 +1,21 @@
rule:
meta:
name: extract files from Cabinet
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thoughts on changing this to extract Cabinet on Windows to make it more clear?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Renamed the rule in ac09516

lib/create-file-compression-interface-context.yml Outdated
@@ -1,12 +1,14 @@
rule:
meta:
name: open cabinet file
namespace: host-interaction/file-system
name: create File Compression Interface context
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thoughts on adding on Windows to make it more clear?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Renamed the rule in ac09516

lib/create-file-decompression-interface-context.yml Outdated
@@ -0,0 +1,14 @@
rule:
meta:
name: create File Decompression Interface context
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thoughts on adding on Windows to make it more clear?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Renamed the rule in ac09516

mr-tz
mr-tz approved these changes Nov 23, 2023
View reviewed changes
Copy link
Collaborator

@mr-tz mr-tz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks, I think these look good now

@mr-tz mr-tz merged commit fa61e11 into mandiant:master Nov 29, 2023
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mike-hunhoff mike-hunhoff mike-hunhoff requested changes

@mr-tz mr-tz mr-tz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jtothej @mr-tz @mike-hunhoff