├── TCSA
    ├── Subsystem
        ├── miniCapa
            └── capa
                ├── __init__.py
                ├── features
                    ├── __init__.py
                    └── extractors
                        ├── __init__.py
                        ├── smda
                            └── __init__.py
                        └── viv
                            └── __init__.py
                └── perf.py
        └── __init__.py
    └── .vscode
        └── launch.json
├── samples
    ├── decodePrint.exe
    ├── handsomware.exe
    ├── hello_recur.exe
    ├── pikaProcHollowing.exe
    └── 1c64966bdcbc55db0256a1aa3fc99062ba1837849b1cc5aa59ce0e31bf279e09_unupx
├── Plugins
    ├── rules
        ├── .gitattributes
        ├── nursery
            ├── empty-the-recycle-bin.yml
            ├── debug-build.yml
            ├── get-thread-local-storage-value.yml
            ├── parse-url.yml
            ├── hash-data-using-crc32b.yml
            ├── read-raw-disk-data.yml
            ├── hash-data-using-md4.yml
            ├── send-http-request-with-host-header.yml
            ├── compare-security-identifiers.yml
            ├── packaged-as-a-wise-installer.yml
            ├── make-an-http-request-with-a-cookie.yml
            ├── register-raw-input-devices.yml
            ├── list-tcp-connections-and-listeners.yml
            ├── list-udp-connections-and-listeners.yml
            ├── listen-for-remote-procedure-calls.yml
            ├── open-cabinet-file.yml
            ├── read-and-send-data-from-client-to-server.yml
            ├── get-socket-information.yml
            ├── packaged-as-a-nsis-installer.yml
            ├── query-remote-server-for-available-data.yml
            ├── receive-and-write-data-from-server-to-client.yml
            ├── add-file-to-cabinet-file.yml
            ├── initialize-hashing-via-wincrypt.yml
            ├── set-global-application-hook.yml
            ├── get-networking-parameters.yml
            ├── rebuilt-by-imprec.yml
            ├── register-http-server-url.yml
            ├── add-user-account.yml
            ├── get-proxy.yml
            ├── delete-user-account.yml
            ├── list-user-accounts.yml
            ├── linked-against-cpp-http-library.yml
            ├── collect-ssh-keys.yml
            ├── delete-internet-cache.yml
            ├── reference-quad9-dns-server.yml
            ├── delete-windows-backup-catalog.yml
            ├── monitor-clipboard-content.yml
            ├── reference-cloudflare-dns-server.yml
            ├── reference-verisign-dns-server.yml
            ├── get-routing-table.yml
            ├── packaged-as-a-winzip-self-extracting-archive.yml
            ├── reference-opendns-dns-server.yml
            ├── reference-startup-folder.yml
            ├── change-user-account-password.yml
            ├── get-system-firmware-table.yml
            ├── hash-data-using-sha1-via-wincrypt.yml
            ├── reference-comodo-secure-dns-server.yml
            ├── resize-volume-shadow-copy-storage.yml
            ├── capture-network-configuration-via-ifconfig.yml
            ├── get-session-information.yml
            ├── add-user-account-group.yml
            ├── enumerate-system-firmware-tables.yml
            ├── list-domain-servers.yml
            ├── delete-user-account-group.yml
            ├── enumerate-network-shares.yml
            ├── get-process-image-filename.yml
            ├── enumerate-internet-cache.yml
            ├── monitor-local-ipv4-address-changes.yml
            ├── hooked-by-api-override.yml
            ├── terminate-process-by-name.yml
            ├── get-installed-programs.yml
            ├── reference-kornet-dns-server.yml
            ├── flush-cabinet-file.yml
            ├── list-user-accounts-for-group.yml
            ├── packaged-as-a-createinstall-installer.yml
            ├── enumerate-processes-via-procfs.yml
            ├── hook-routines-via-microsoft-detours.yml
            ├── encrypt-data-via-sspi.yml
            ├── get-system-information-on-linux.yml
            ├── link-function-at-runtime-on-linux.yml
            ├── read-process-memory.yml
            ├── create-registry-key-via-stdregprov.yml
            ├── decrypt-data-via-sspi.yml
            ├── delete-registry-key-via-stdregprov.yml
            ├── linked-against-cpp-json-library.yml
            ├── list-drag-and-drop-files.yml
            ├── reference-aes-constants.yml
            ├── delete-registry-value-via-stdregprov.yml
            ├── get-token-privileges.yml
            ├── create-restart-manager-session.yml
            ├── hide-thread-from-debugger.yml
            ├── execute-syscall-instruction.yml
            ├── interact-with-iptables.yml
            ├── reference-alidns-dns-server.yml
            ├── query-or-enumerate-registry-key-via-stdregprov.yml
            ├── delete-user-account-from-group.yml
            ├── get-mac-address-on-linux.yml
            ├── reference-l3-dns-server.yml
            ├── packaged-as-an-installshield-installer.yml
            ├── execute-shell-command-via-windows-remote-management.yml
            ├── list-user-account-groups.yml
            ├── run-powershell-expression.yml
            ├── hash-data-using-murmur2.yml
            ├── list-groups-for-user-account.yml
            ├── load-windows-common-language-runtime.yml
            ├── connect-network-resource.yml
            ├── impersonate-user.yml
            ├── linked-against-cpp-regex-library.yml
            ├── add-user-account-to-group.yml
            ├── packed-with-ccg.yml
            ├── packed-with-mew.yml
            ├── check-license-value.yml
            ├── hash-data-using-sha256-via-x86-extensions.yml
            ├── packed-with-svkp.yml
            ├── delete-registry-key-via-offline-registry-library.yml
            ├── packed-with-epack.yml
            ├── packed-with-crunch.yml
            ├── packed-with-maskpe.yml
            ├── packed-with-pepack.yml
            ├── packed-with-perplex.yml
            ├── packed-with-seausfx.yml
            ├── packed-with-procrypt.yml
            ├── packed-with-vprotect.yml
            ├── packed-with-simple-pack.yml
            ├── packed-with-starforce.yml
            ├── reference-google-public-dns-server.yml
            ├── packed-with-dragon-armor.yml
            ├── get-remote-cert-context-via-schannel.yml
            ├── packed-with-wwpack.yml
            ├── check-for-windows-sandbox-via-mutex.yml
            ├── packed-with-enigma.yml
            ├── packed-with-mpress.yml
            ├── packed-with-neolite.yml
            ├── packed-with-rpcrypt.yml
            ├── linked-against-go-registry-library.yml
            ├── packed-with-tsuloader.yml
            ├── reference-the-vmware-io-port.yml
            ├── check-processdebugflags.yml
            ├── get-storage-device-properties.yml
            ├── build-docker-image.yml
            ├── hash-data-using-sha1-via-x86-extensions.yml
            ├── packed-with-shrinker.yml
            ├── reference-screen-saver-executable.yml
            ├── generate-random-numbers-using-the-delphi-lcg.yml
            ├── linked-against-go-wmi-library.yml
            └── schedule-task-via-itaskservice.yml
        ├── executable
            ├── pe
                ├── pdb
                    └── contains-pdb-path.yml
                └── section
                    ├── rsrc
                        └── contain-a-resource-rsrc-section.yml
                    └── tls
                        └── contain-a-thread-local-storage-tls-section.yml
            ├── installer
                └── inno-setup
                    └── packaged-as-an-inno-setup-installer.yml
            └── subfile
                └── pe
                    └── contain-an-embedded-pe-file.yml
        ├── compiler
            ├── py2exe
                └── compiled-with-py2exe.yml
            ├── vb
                └── compiled-from-visual-basic.yml
            ├── d
                └── compiled-with-dmd.yml
            ├── mingw
                └── compiled-with-mingw-for-windows.yml
            ├── rust
                └── compiled-with-rust.yml
            ├── ps2exe
                └── compiled-with-ps2exe.yml
            ├── perl2exe
                └── compiled-with-perl2exe.yml
            ├── go
                └── compiled-with-go.yml
            ├── delphi
                └── compiled-with-borland-delphi.yml
            ├── nim
                └── compiled-with-nim.yml
            └── autohotkey
                └── compiled-with-autohotkey.yml
        ├── internal
            └── limitation
                └── file
                    └── README.md
        ├── lib
            ├── get-service-handle.yml
            ├── contain-loop.yml
            ├── duplicate-stdin-and-stdout.yml
            ├── allocate-rw-memory.yml
            ├── open-process.yml
            ├── open-thread.yml
            ├── calculate-modulo-256-via-x86-assembly.yml
            ├── write-process-memory.yml
            └── contain-pusha-popa-sequence.yml
        ├── linking
            └── static
                ├── libcurl
                    └── linked-against-libcurl.yml
                ├── zlib
                    └── linked-against-zlib.yml
                ├── msdetours
                    └── linked-against-microsoft-detours.yml
                └── polarssl
                    └── linked-against-polarsslmbed-tls.yml
        ├── .github
            ├── scripts
                └── changelog_author.py
            └── pull_request_template.md
        ├── host-interaction
            ├── gui
                ├── console
                    └── set-console-window-title.yml
                ├── set-application-hook.yml
                ├── session
                    ├── lock
                        └── lock-the-desktop.yml
                    └── wallpaper
                        └── change-the-wallpaper.yml
                ├── taskbar
                    ├── find
                        └── find-taskbar.yml
                    └── hide
                        └── hide-the-windows-taskbar.yml
                ├── window
                    ├── find
                        └── find-graphical-window.yml
                    └── hide
                        └── hide-graphical-window.yml
                └── logon
                    └── references-logon-banner.yml
            ├── hardware
                ├── mouse
                    └── swap-mouse-buttons.yml
                ├── memory
                    └── get-memory-capacity.yml
                ├── cdrom
                    └── manipulate-cd-rom-drive.yml
                └── cpu
                    ├── get-number-of-processor-cores.yml
                    └── get-number-of-processors.yml
            ├── mutex
                ├── create-mutex.yml
                ├── lock-file.yml
                └── check-mutex.yml
            ├── process
                ├── allocate-thread-local-storage.yml
                ├── create
                    └── execute-command.yml
                ├── dump
                    └── create-process-memory-minidump.yml
                ├── inject
                    ├── attach-user-process-memory.yml
                    ├── allocate-rwx-memory.yml
                    └── allocate-user-process-rwx-memory.yml
                ├── list
                    ├── find-process-by-pid.yml
                    ├── get-explorer-pid.yml
                    └── enumerate-processes-via-ntquerysysteminformation.yml
                ├── set-thread-local-storage-value.yml
                ├── modify
                    ├── acquire-debug-privileges.yml
                    └── modify-access-privileges.yml
                └── terminate
                    ├── terminate-process-via-fastfail.yml
                    └── terminate-process.yml
            ├── session
                ├── get-session-integrity-level.yml
                ├── get-token-membership.yml
                ├── get-user-security-identifier.yml
                └── get-logon-sessions.yml
            ├── file-system
                ├── meta
                    └── get-file-size.yml
                ├── get-file-system-object-information.yml
                ├── change-file-permission-on-linux.yml
                ├── files
                    └── list
                        └── enumerate-files-recursively.yml
                └── delete
                    └── delete-directory.yml
            ├── network
                ├── traffic
                    ├── copy
                        └── copy-network-traffic.yml
                    └── filter
                        └── register-network-filter-via-wfp-api.yml
                └── domain
                    └── get-domain-information.yml
            ├── cli
                ├── accept-command-line-arguments.yml
                └── resolve-path-using-msvcrt.yml
            ├── clipboard
                ├── open-clipboard.yml
                ├── write-clipboard-data.yml
                ├── replace-clipboard-data.yml
                └── read-clipboard-data.yml
            ├── service
                ├── query-service-status.yml
                ├── start
                    └── start-service.yml
                ├── delete
                    └── delete-service.yml
                ├── list
                    └── enumerate-services.yml
                └── create
                    └── create-service.yml
            ├── registry
                ├── open-registry-key-via-offline-registry-library.yml
                ├── query-registry-key-via-offline-registry-library.yml
                ├── create-registry-key-via-offline-registry-library.yml
                └── set-registry-key-via-offline-registry-library.yml
            ├── driver
                ├── create-device-object.yml
                └── install-driver.yml
            ├── thread
                ├── suspend
                    └── suspend-thread.yml
                ├── resume
                    └── resume-thread.yml
                └── terminate
                    └── terminate-thread.yml
            ├── os
                ├── version
                    ├── get-kernel-version.yml
                    └── get-linux-distribution.yml
                └── shutdown-system.yml
            ├── environment-variable
                └── set-environment-variable.yml
            ├── filter
                ├── start-minifilter-driver.yml
                └── register-minifilter-driver.yml
            └── bootloader
                └── disable-code-signing.yml
        ├── communication
            ├── http
                ├── read-http-header.yml
                ├── set-http-header.yml
                ├── initialize-winhttp-library.yml
                ├── client
                    ├── prepare-http-request.yml
                    ├── connect-to-url.yml
                    ├── create-http-request.yml
                    ├── connect-to-http-server.yml
                    ├── get-http-response-content-encoding.yml
                    ├── send-file-via-http.yml
                    ├── decompress-http-response-via-iencodingfilterfactory.yml
                    ├── receive-http-response.yml
                    └── read-data-from-internet.yml
                └── server
                    ├── send-http-response.yml
                    └── start-http-server.yml
            ├── tcp
                ├── client
                    └── act-as-tcp-client.yml
                └── serve
                    └── start-tcp-server.yml
            ├── socket
                ├── initialize-winsock-library.yml
                ├── set-socket-configuration.yml
                ├── get-socket-status.yml
                ├── tcp
                    └── send
                        └── send-tcp-data-via-wfp-api.yml
                └── send
                    └── send-data-on-socket.yml
            ├── named-pipe
                ├── create
                    ├── create-two-anonymous-pipes.yml
                    └── create-pipe.yml
                └── connect
                    └── connect-pipe.yml
            └── receive-data.yml
        ├── anti-analysis
            ├── obfuscation
                ├── obfuscated-with-callobfuscator.yml
                ├── obfuscated-with-advobfuscator.yml
                └── string
                    └── stackstring
                        └── contain-obfuscated-stackstrings.yml
            ├── anti-disasm
                └── contain-anti-disasm-techniques.yml
            ├── packer
                ├── confuser
                    └── packed-with-confuser.yml
                ├── amber
                    └── packed-with-amber.yml
                ├── petite
                    └── packed-with-petite.yml
                ├── pelocknt
                    └── packed-with-pelocknt.yml
                ├── rlpack
                    └── packed-with-rlpack.yml
                ├── pebundle
                    └── packed-with-pebundle.yml
                └── nspack
                    └── packed-with-nspack.yml
            └── anti-debugging
                └── debugger-detection
                    ├── execute-anti-debugging-instructions.yml
                    ├── check-for-time-delay-via-queryperformancecounter.yml
                    └── check-for-outputdebugstring-error.yml
        ├── collection
            ├── database
                ├── sql
                    └── reference-sql-statements.yml
                └── wmi
                    └── reference-wmi-statements.yml
            ├── file-managers
                ├── gather-freshftp-information.yml
                ├── gather-ultrafxp-information.yml
                ├── gather-ftpnow-information.yml
                ├── gather-nova-ftp-information.yml
                ├── gather-goftp-information.yml
                ├── gather-ftpshell-information.yml
                ├── gather-nexusfile-information.yml
                ├── gather-netdrive-information.yml
                ├── gather-bitkinex-information.yml
                ├── gather-ftpgetter-information.yml
                ├── gather-xftp-information.yml
                ├── gather-frigate3-information.yml
                ├── gather-ftprush-information.yml
                ├── gather-staff-ftp-information.yml
                ├── gather-global-downloader-information.yml
                ├── gather-classicftp-information.yml
                ├── gather-faststone-browser-information.yml
                ├── gather-fasttrack-ftp-information.yml
                ├── gather-ws-ftp-information.yml
                ├── gather-3d-ftp-information.yml
                ├── gather-cyberduck-information.yml
                ├── gather-softx-ftp-information.yml
                ├── gather-directory-opus-information.yml
                ├── gather-ftp-voyager-information.yml
                ├── gather-alftp-information.yml
                ├── gather-smart-ftp-information.yml
                ├── gather-ftp-commander-information.yml
                ├── gather-ftpinfo-information.yml
                └── gather-coreftp-information.yml
            ├── microphone
                └── capture-microphone-audio.yml
            ├── group-policy
                └── discover-group-policy-via-gpresult.yml
            ├── get-current-user-on-linux.yml
            └── keylog
                └── log-keystrokes-via-application-hook.yml
        ├── runtime
            └── dotnet
                └── compiled-to-the-net-platform.yml
        ├── load-code
            ├── pe
                └── access-pe-header.yml
            └── shellcode
                └── spawn-thread-to-rwx-shellcode.yml
        ├── c2
            ├── shell
                ├── execute-shell-command-received-from-socket-on-linux.yml
                └── create-reverse-shell-on-linux.yml
            └── file-transfer
                ├── write-and-execute-a-file.yml
                └── download-and-write-a-file.yml
        ├── data-manipulation
            ├── encoding
                └── base64
                    └── encode-data-using-base64-via-winapi.yml
            └── encryption
                ├── encrypt-data-using-memfrob-from-glibc.yml
                ├── import-public-key.yml
                └── dpapi
                    └── encrypt-data-using-dpapi.yml
        ├── persistence
            ├── service
                └── persist-via-rc-script.yml
            ├── persist-via-desktop-autostart.yml
            ├── scheduled-tasks
                └── schedule-task-via-command-line.yml
            └── startup-folder
                └── write-file-to-startup-folder.yml
        └── targeting
            ├── language
                └── identify-system-language-via-api.yml
            └── automated-teller-machine
                └── diebold-nixdorf
                    └── reference-diebold-atm-routines.yml
    └── capaRules
        ├── lib
            ├── contain-loop.yml
            └── calculate-modulo-256-via-x86-assembly.yml
        ├── nursery
            ├── encrypt-data-via-sspi-wrapper.yml
            ├── encrypt-data-via-sspi.yml
            └── reference-aes-constants.yml
        └── data-manipulation
            ├── prng
                └── lcg
                    └── generate-random-numbers-using-the-delphi-lcg-wrapper.yml
            └── encryption
                ├── des
                    └── encrypt-data-using-des-wrapper.yml
                ├── encrypt-data-using-memfrob-from-glibc.yml
                ├── twofish
                    └── encrypt-data-using-twofish-wrapper.yml
                ├── blowfish
                    └── encrypt-data-using-blowfish-wrapper.yml
                ├── skipjack
                    └── encrypt-data-using-skipjack-wrapper.yml
                └── import-public-key.yml
└── README.md

/TCSA/Subsystem/miniCapa/capa/__init__.py:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

/TCSA/Subsystem/miniCapa/capa/features/__init__.py:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

/TCSA/Subsystem/miniCapa/capa/features/extractors/__init__.py:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

/TCSA/Subsystem/miniCapa/capa/features/extractors/smda/__init__.py:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

/TCSA/Subsystem/miniCapa/capa/features/extractors/viv/__init__.py:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

/samples/decodePrint.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TXOne-Networks/TCSA/HEAD/samples/decodePrint.exe
--------------------------------------------------------------------------------

/samples/handsomware.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TXOne-Networks/TCSA/HEAD/samples/handsomware.exe
--------------------------------------------------------------------------------

/samples/hello_recur.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TXOne-Networks/TCSA/HEAD/samples/hello_recur.exe
--------------------------------------------------------------------------------

/samples/pikaProcHollowing.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TXOne-Networks/TCSA/HEAD/samples/pikaProcHollowing.exe
--------------------------------------------------------------------------------

/samples/1c64966bdcbc55db0256a1aa3fc99062ba1837849b1cc5aa59ce0e31bf279e09_unupx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TXOne-Networks/TCSA/HEAD/samples/1c64966bdcbc55db0256a1aa3fc99062ba1837849b1cc5aa59ce0e31bf279e09_unupx
--------------------------------------------------------------------------------

/Plugins/rules/.gitattributes:
--------------------------------------------------------------------------------
# Set the default behavior, in case people don't have core.autocrlf set.
* text=auto

# Explicitly declare text files you want to always be normalized and converted
# to native line endings on checkout.
*.yml text
*.md text
*.txt text
--------------------------------------------------------------------------------

/Plugins/rules/nursery/empty-the-recycle-bin.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: empty the recycle bin
    namespace: host-interaction/recycle-bin
    author: moritz.raabe@mandiant.com
    scope: function
  features:
    - or:
      - api: SHEmptyRecycleBin
--------------------------------------------------------------------------------

/Plugins/rules/nursery/debug-build.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: debug build
    namespace: executable/pe/debug
    author: william.ballenthin@mandiant.com
    scope: file
  features:
    - or:
      - string: "Assertion failed!"
      - string: "Assertion failed:"
--------------------------------------------------------------------------------

/Plugins/rules/nursery/get-thread-local-storage-value.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get thread local storage value
    namespace: host-interaction/process
    author: michael.hunhoff@mandiant.com
    scope: function
  features:
    - and:
      - api: kernel32.TlsGetValue
--------------------------------------------------------------------------------

/Plugins/rules/nursery/parse-url.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: parse URL
    namespace: communication/http
    author: michael.hunhoff@mandiant.com
    scope: basic block
  features:
    - or:
      - api: wininet.InternetCrackUrl
--------------------------------------------------------------------------------

/TCSA/Subsystem/miniCapa/capa/perf.py:
--------------------------------------------------------------------------------
import collections
from typing import Dict

# this structure is unstable and may change before the next major release.
counters: Dict[str, int] = collections.Counter()


def reset():
    global counters
    counters = collections.Counter()
--------------------------------------------------------------------------------

/Plugins/rules/nursery/hash-data-using-crc32b.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: hash data using CRC32b
    namespace: data-manipulation/checksum/crc32
    author: moritz.raabe@mandiant.com
    scope: function
  features:
    - and:
      - number: 0x4C11DB7
      - characteristic: nzxor
--------------------------------------------------------------------------------

/Plugins/rules/nursery/read-raw-disk-data.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: read raw disk data
    namespace: host-interaction/file-system
    author: william.ballenthin@mandiant.com
    scope: file
  features:
    - or:
      - string: "\\\\.\\PhysicalDrive0"
      - string: "\\\\.\\C:"
--------------------------------------------------------------------------------

/Plugins/rules/executable/pe/pdb/contains-pdb-path.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contains PDB path
    namespace: executable/pe/pdb
    author: moritz.raabe@mandiant.com
    scope: file
    examples:
      - 464EF2CA59782CE697BC329713698CCC # level32.exe
  features:
    - string: /:\\.*\.pdb/
--------------------------------------------------------------------------------

/Plugins/rules/nursery/hash-data-using-md4.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: hash data using MD4
    namespace: data-manipulation/hashing/md4
    author: anamaria.martinezgom@mandiant.com
    scope: basic block
  features:
    - and:
      - number: 0x8002 = CALG_MD4
      - api: advapi32.CryptCreateHash
--------------------------------------------------------------------------------

/Plugins/rules/nursery/send-http-request-with-host-header.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: send HTTP request with Host header
    namespace: communication/http
    author: anamaria.martinezgom@mandiant.com
    scope: function
  features:
    - and:
      - match: send HTTP request
      - string: /Host:/i
--------------------------------------------------------------------------------

/Plugins/rules/nursery/compare-security-identifiers.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: compare security identifiers
    namespace: host-interaction/sid
    author: michael.hunhoff@mandiant.com
    scope: basic block
  features:
    - or:
      - api: advapi32.EqualSid
--------------------------------------------------------------------------------

/Plugins/rules/nursery/packaged-as-a-wise-installer.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packaged as a Wise installer
    namespace: executable/installer/wiseinstall
    author: moritz.raabe@mandiant.com
    scope: file
  features:
    - or:
      - string: "WiseMain"
      - substring: "Wise Installation Wizard"
--------------------------------------------------------------------------------

/Plugins/rules/nursery/make-an-http-request-with-a-cookie.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: make an HTTP request with a Cookie
    namespace: communication/http/client
    author: anamaria.martinezgom@mandiant.com
    scope: function
  features:
    - and:
      - match: send HTTP request
      - string: /Cookie:/i
--------------------------------------------------------------------------------

/Plugins/rules/nursery/register-raw-input-devices.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: register raw input devices
    namespace: host-interaction/hardware
    author: michael.hunhoff@mandiant.com
    scope: basic block
  features:
    - or:
      - api: user32.RegisterRawInputDevices
--------------------------------------------------------------------------------

/Plugins/rules/compiler/py2exe/compiled-with-py2exe.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled with py2exe
    namespace: compiler/py2exe
    author: "@_re_fox"
    scope: basic block
    examples:
      - ed888dc2f04f5eac83d6d14088d002de:0x40194A
  features:
    - and:
      - string: "PY2EXE_VERBOSE"
      - api: getenv
--------------------------------------------------------------------------------

/Plugins/rules/internal/limitation/file/README.md:
--------------------------------------------------------------------------------
# file limitations

This directory contains rules with the special namespace `internal/limitation/file`.
capa uses these rules to identify files that it cannot handle well, such as .NET modules or packed programs.
When one of these rules matches, capa will render the description as a warning message and bail.
--------------------------------------------------------------------------------

/Plugins/rules/nursery/list-tcp-connections-and-listeners.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: list TCP connections and listeners
    namespace: collection/network
    author: michael.hunhoff@mandiant.com
    scope: basic block
  features:
    - or:
      - api: iphlpapi.GetExtendedTcpTable
--------------------------------------------------------------------------------

/Plugins/rules/nursery/list-udp-connections-and-listeners.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: list UDP connections and listeners
    namespace: collection/network
    author: michael.hunhoff@mandiant.com
    scope: basic block
  features:
    - or:
      - api: iphlpapi.GetExtendedUdpTable
--------------------------------------------------------------------------------

/Plugins/rules/nursery/listen-for-remote-procedure-calls.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: listen for remote procedure calls
    namespace: communication/rpc/server
    author: michael.hunhoff@mandiant.com
    scope: basic block
  features:
    - or:
      - api: rpcrt4.RpcServerListen
--------------------------------------------------------------------------------

/Plugins/rules/nursery/open-cabinet-file.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: open cabinet file
    namespace: host-interaction/file-system
    author: michael.hunhoff@mandiant.com
    scope: function
    references: https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
  features:
    - or:
      - api: cabinet.FCICreate
--------------------------------------------------------------------------------

/Plugins/rules/nursery/read-and-send-data-from-client-to-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: read and send data from client to server
    namespace: c2/file-transfer
    author: william.ballenthin@mandiant.com
    scope: function
  features:
    - and:
      - match: host-interaction/file-system/read
      - match: send data
--------------------------------------------------------------------------------

/Plugins/rules/compiler/vb/compiled-from-visual-basic.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled from Visual Basic
    namespace: compiler/vb
    author: "@williballenthin"
    scope: file
    examples:
      - 9bca6b99e7981208af4c7925b96fb9cf
  features:
    - and:
      - string: /VB5!.*/
      - import: msvbvm60.ThunRTMain
--------------------------------------------------------------------------------

/Plugins/rules/executable/pe/section/rsrc/contain-a-resource-rsrc-section.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain a resource (.rsrc) section
    namespace: executable/pe/section/rsrc
    author: moritz.raabe@mandiant.com
    scope: file
    examples:
      - A933A1A402775CFA94B6BEE0963F4B46:0x41fd25
  features:
    - section: .rsrc
--------------------------------------------------------------------------------

/Plugins/rules/lib/get-service-handle.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get service handle
    author: moritz.raabe@mandiant.com
    lib: true
    scope: function
    examples:
      - Practical Malware Analysis Lab 03-02.dll_:0x10004706
  features:
    - or:
      - api: advapi32.CreateService
      - api: advapi32.OpenService
--------------------------------------------------------------------------------

/Plugins/rules/nursery/get-socket-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get socket information
    namespace: communication/socket
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Discovery::System Network Configuration Discovery [T1016]
  features:
    - and:
      - api: ws2_32.getsockname
--------------------------------------------------------------------------------

/Plugins/rules/nursery/packaged-as-a-nsis-installer.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packaged as a NSIS installer
    namespace: executable/installer/nsis
    author: moritz.raabe@mandiant.com
    scope: file
    references:
      - https://nsis.sourceforge.io/Main_Page
  features:
    - or:
      - substring: "http://nsis.sf.net"
--------------------------------------------------------------------------------

/Plugins/rules/nursery/query-remote-server-for-available-data.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: query remote server for available data
    namespace: communication
    author: michael.hunhoff@mandiant.com
    scope: basic block
  features:
    - or:
      - api: wininet.InternetQueryDataAvailable
--------------------------------------------------------------------------------

/Plugins/rules/nursery/receive-and-write-data-from-server-to-client.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: receive and write data from server to client
    namespace: c2/file-transfer
    author: william.ballenthin@mandiant.com
    scope: function
  features:
    - and:
      - match: receive data
      - match: host-interaction/file-system/write
--------------------------------------------------------------------------------

/Plugins/rules/nursery/add-file-to-cabinet-file.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: add file to cabinet file
    namespace: host-interaction/file-system
    author: michael.hunhoff@mandiant.com
    scope: function
    references: https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
  features:
    - or:
      - api: cabinet.FCIAddFile
--------------------------------------------------------------------------------

/Plugins/rules/nursery/initialize-hashing-via-wincrypt.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: initialize hashing via WinCrypt
    namespace: data-manipulation/hashing
    author: michael.hunhoff@mandiant.com
    scope: function
  features:
    - and:
      - api: advapi32.CryptCreateHash
      - optional:
        - api: advapi32.CryptDestroyHash
--------------------------------------------------------------------------------

/Plugins/rules/nursery/set-global-application-hook.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set global application hook
    namespace: host-interaction/gui
    author: michael.hunhoff@mandiant.com
    scope: basic block
  features:
    - and:
      - api: user32.SetWindowsHookEx
      - number: 0x3 = WM_GETMESSAGE
      - number: 0x0 = dwThreadId
--------------------------------------------------------------------------------

/Plugins/rules/lib/contain-loop.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain loop
    author: moritz.raabe@mandiant.com
    lib: true
    scope: function
    examples:
      - 08AC667C65D36D6542917655571E61C8:0x406EAA
  features:
    - or:
      - characteristic: loop
      - characteristic: tight loop
      - characteristic: recursive call
--------------------------------------------------------------------------------

/Plugins/rules/nursery/get-networking-parameters.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get networking parameters
    namespace: host-interaction/network
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Discovery::System Network Configuration Discovery [T1016]
  features:
    - or:
      - api: iphlpapi.GetNetworkParams
--------------------------------------------------------------------------------

/Plugins/rules/nursery/rebuilt-by-imprec.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: rebuilt by ImpRec
    namespace: executable/imprec
    author: william.ballenthin@mandiant.com
    scope: file
    references:
      - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
  features:
    - or:
      - section: .mackt
--------------------------------------------------------------------------------

/Plugins/capaRules/lib/contain-loop.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain loop
    author: moritz.raabe@mandiant.com
    lib: true
    scope: function
    examples:
      - 08AC667C65D36D6542917655571E61C8:0x406EAA
  features:
    - or:
      - characteristic: loop
      - characteristic: tight loop
      - characteristic: recursive call
--------------------------------------------------------------------------------

/Plugins/rules/executable/pe/section/tls/contain-a-thread-local-storage-tls-section.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain a thread local storage (.tls) section
    namespace:
executable/pe/section/tls 5 | author: michael.hunhoff@mandiant.com 6 | scope: file 7 | examples: 8 | - Practical Malware Analysis Lab 16-02.exe_ 9 | features: 10 | - section: .tls 11 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/register-http-server-url.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: register HTTP server URL 5 | namespace: communication/http/server 6 | author: michael.hunhoff@mandiant.com 7 | scope: basic block 8 | features: 9 | - or: 10 | - api: httpapi.HttpAddUrl 11 | - api: httpapi.HttpAddUrlToUrlGroup 12 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/add-user-account.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: add user account 5 | namespace: host-interaction/accounts 6 | author: michael.hunhoff@mandiant.com 7 | scope: basic block 8 | att&ck: 9 | - Persistence::Create Account [T1136] 10 | features: 11 | - or: 12 | - api: netapi32.NetUserAdd 13 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/get-proxy.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get proxy 4 | namespace: host-interaction/network/proxy 5 | author: moritz.raabe@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Discovery::System Network Configuration Discovery [T1016] 9 | features: 10 | - and: 11 | - match: create or open registry key 12 | - string: "ProxyServer" 13 | -------------------------------------------------------------------------------- /Plugins/rules/linking/static/libcurl/linked-against-libcurl.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | 
meta: 3 | name: linked against libcurl 4 | namespace: linking/static/libcurl 5 | author: moritz.raabe@mandiant.com 6 | scope: file 7 | examples: 8 | - A90E5B3454AA71D9700B2EA54615F44B 9 | features: 10 | - or: 11 | - substring: "CLIENT libcurl" 12 | - substring: "curl.haxx.se" 13 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/delete-user-account.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: delete user account 5 | namespace: host-interaction/accounts 6 | author: michael.hunhoff@mandiant.com 7 | scope: basic block 8 | att&ck: 9 | - Impact::Account Access Removal [T1531] 10 | features: 11 | - or: 12 | - api: netapi32.NetUserDel 13 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/list-user-accounts.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: list user accounts 5 | namespace: host-interaction/accounts 6 | author: michael.hunhoff@mandiant.com 7 | scope: basic block 8 | att&ck: 9 | - Discovery::Account Discovery [T1087] 10 | features: 11 | - or: 12 | - api: netapi32.NetUserEnum 13 | -------------------------------------------------------------------------------- /Plugins/rules/lib/duplicate-stdin-and-stdout.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: duplicate stdin and stdout 4 | author: joakim@intezer.com 5 | lib: true 6 | scope: basic block 7 | examples: 8 | - 7351f8a40c5450557b24622417fc478d:0x40236D 9 | features: 10 | - and: 11 | - os: linux 12 | - api: dup2 13 | - number: 0 = STDIN 14 | - number: 1 = STDOUT 15 | -------------------------------------------------------------------------------- 
/Plugins/rules/nursery/linked-against-cpp-http-library.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: linked against CPP HTTP library 4 | namespace: linking/static/httplib 5 | author: "@mr-tz" 6 | scope: file 7 | references: 8 | - https://github.com/yhirose/cpp-httplib 9 | features: 10 | - or: 11 | - substring: "cpp-httplib/" 12 | - string: /\(HTTP\/1\\\.\[01\]\) \(\\d/ 13 | -------------------------------------------------------------------------------- /TCSA/Subsystem/__init__.py: -------------------------------------------------------------------------------- 1 | import sys, os 2 | from . import miniCapa 3 | 4 | # sys.path.append('C:\\Users\\aaaddress1\\Desktop\\Akali-main\\Akali\\Subsystem\\miniCapa\\') 5 | 6 | absPath_miniCapa = os.path.join(os.path.dirname(os.path.abspath(__file__)), "miniCapa") 7 | sys.path.append(absPath_miniCapa) 8 | 9 | # sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)),os.pardir)) 10 | -------------------------------------------------------------------------------- /Plugins/rules/.github/scripts/changelog_author.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | import yaml 4 | 5 | rule_file = sys.argv[1] 6 | with open(rule_file, "r") as stream: 7 | rule_yaml = yaml.safe_load(stream) 8 | 9 | author_value = rule_yaml["rule"]["meta"]["author"] 10 | if isinstance(author_value, list): # list of authors 11 | print(" ".join(author_value)) 12 | else: # one author 13 | print(author_value) 14 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/collect-ssh-keys.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: collect ssh keys 4 | namespace: collection 5 | author: joakim@intezer.com 6 | scope: function 7 | att&ck: 8 | - Credential Access::Unsecured Credentials::Private Keys 
[T1552.004] 9 | features: 10 | - and: 11 | - match: host-interaction/file-system/read 12 | - or: 13 | - substring: "/.ssh/id_rsa" 14 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/delete-internet-cache.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: delete internet cache 4 | namespace: host-interaction/internet/cache 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | features: 8 | - and: 9 | - match: enumerate internet cache 10 | - api: wininet.DeleteUrlCacheEntry 11 | - optional: 12 | - api: wininet.UnlockUrlCacheEntryFile 13 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/reference-quad9-dns-server.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: reference Quad9 DNS server 4 | namespace: communication/dns 5 | author: william.ballenthin@mandiant.com 6 | scope: function 7 | references: 8 | - https://www.techradar.com/news/best-dns-server 9 | examples: 10 | features: 11 | - or: 12 | - string: "9.9.9.9" 13 | - string: "149.112.112.112" 14 | -------------------------------------------------------------------------------- /Plugins/rules/lib/allocate-rw-memory.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: allocate RW memory 4 | author: 0x534a@mailbox.org 5 | lib: true 6 | scope: basic block 7 | mbc: 8 | - Memory::Allocate Memory [C0007] 9 | examples: 10 | - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D 11 | features: 12 | - and: 13 | - match: allocate memory 14 | - number: 0x4 = PAGE_READWRITE 15 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/delete-windows-backup-catalog.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 
3 | name: delete Windows backup catalog 4 | namespace: impact/inhibit-system-recovery 5 | author: michael.hunhoff@mandiant.com 6 | scope: basic block 7 | att&ck: 8 | - Impact::Inhibit System Recovery [T1490] 9 | features: 10 | - and: 11 | - os: windows 12 | - string: /wbadmin(\.exe)?\s+delete\s+catalog/i 13 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/monitor-clipboard-content.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: monitor clipboard content 5 | namespace: host-interaction/clipboard 6 | author: michael.hunhoff@mandiant.com 7 | scope: basic block 8 | att&ck: 9 | - Collection::Clipboard Data [T1115] 10 | features: 11 | - and: 12 | - api: user32.AddClipboardFormatListener 13 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/reference-cloudflare-dns-server.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: reference Cloudflare DNS server 4 | namespace: communication/dns 5 | author: william.ballenthin@mandiant.com 6 | scope: function 7 | references: 8 | - https://www.techradar.com/news/best-dns-server 9 | examples: 10 | features: 11 | - or: 12 | - string: "1.1.1.1" 13 | - string: "1.0.0.1" 14 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/reference-verisign-dns-server.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: reference Verisign DNS server 4 | namespace: communication/dns 5 | author: william.ballenthin@mandiant.com 6 | scope: function 7 | references: 8 | - https://www.techradar.com/news/best-dns-server 9 | examples: 10 | features: 11 | - or: 12 | - string: "64.6.64.6" 13 | - string: "64.6.65.6" 14 | 
-------------------------------------------------------------------------------- /Plugins/rules/nursery/get-routing-table.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get routing table 4 | namespace: host-interaction/network/routing-table 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Discovery::System Network Configuration Discovery [T1016] 9 | features: 10 | - or: 11 | - api: iphlpapi.GetIpForwardTable 12 | - api: iphlpapi.GetIpForwardTable2 13 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/packaged-as-a-winzip-self-extracting-archive.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packaged as a WinZip self-extracting archive 4 | namespace: executable/installer/winzip 5 | author: william.ballenthin@mandiant.com 6 | scope: file 7 | references: 8 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 9 | features: 10 | - or: 11 | - section: _winzip_ 12 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/reference-opendns-dns-server.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: reference OpenDNS DNS server 4 | namespace: communication/dns 5 | author: william.ballenthin@mandiant.com 6 | scope: function 7 | references: 8 | - https://www.techradar.com/news/best-dns-server 9 | examples: 10 | features: 11 | - or: 12 | - string: "208.67.222.222" 13 | - string: "208.67.220.220" 14 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/reference-startup-folder.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: reference startup folder 4 | namespace: persistence/startup-folder 5 | author: 
matthew.williams@mandiant.com 6 | scope: file 7 | att&ck: 8 | - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001] 9 | features: 10 | - or: 11 | - string: /Start Menu\\Programs\\Startup/i 12 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/gui/console/set-console-window-title.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: set console window title 4 | namespace: host-interaction/gui/console 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | mbc: 8 | - Operating System::Console [C0033] 9 | examples: 10 | - mimikatz.exe_:0x44570F 11 | features: 12 | - or: 13 | - api: kernel32.SetConsoleTitle 14 | -------------------------------------------------------------------------------- /Plugins/rules/lib/open-process.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: open process 4 | author: 0x534a@mailbox.org 5 | lib: true 6 | scope: basic block 7 | mbc: 8 | - Process::Open Process [C0065] 9 | examples: 10 | - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D 11 | features: 12 | - or: 13 | - api: kernel32.OpenProcess 14 | - api: NtOpenProcess 15 | - api: ZwOpenProcess 16 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/change-user-account-password.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: change user account password 5 | namespace: host-interaction/accounts 6 | author: michael.hunhoff@mandiant.com 7 | scope: basic block 8 | att&ck: 9 | - Persistence::Account Manipulation [T1098] 10 | features: 11 | - or: 12 | - api: netapi32.NetUserChangePassword 13 | -------------------------------------------------------------------------------- 
/Plugins/rules/nursery/get-system-firmware-table.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get system firmware table 4 | namespace: host-interaction/hardware/firmware 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | references: 8 | - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L854 9 | features: 10 | - and: 11 | - api: kernel32.GetSystemFirmwareTable 12 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/hash-data-using-sha1-via-wincrypt.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hash data using SHA1 via WinCrypt 4 | namespace: data-manipulation/hashing/sha1 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | features: 8 | - or: 9 | - and: 10 | - match: initialize hashing via WinCrypt 11 | - number: 0x8004 = CALG_SHA1 12 | - api: advapi32.CryptHashData 13 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/reference-comodo-secure-dns-server.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: reference Comodo Secure DNS server 4 | namespace: communication/dns 5 | author: william.ballenthin@mandiant.com 6 | scope: function 7 | references: 8 | - https://www.techradar.com/news/best-dns-server 9 | examples: 10 | features: 11 | - or: 12 | - string: "8.26.56.26" 13 | - string: "8.20.247.20" 14 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/resize-volume-shadow-copy-storage.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: resize volume shadow copy storage 5 | namespace: impact/inhibit-system-recovery 6 | author: 
michael.hunhoff@mandiant.com 7 | scope: basic block 8 | features: 9 | - and: 10 | - api: kernel32.DeviceIoControl 11 | - number: 0x53C028 = IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE 12 | -------------------------------------------------------------------------------- /Plugins/rules/compiler/d/compiled-with-dmd.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: compiled with dmd 4 | namespace: compiler/d 5 | author: "@_re_fox" 6 | scope: file 7 | references: 8 | - https://github.com/dlang/dmd 9 | examples: 10 | - 321338196a46b600ea330fc5d98d0699 11 | features: 12 | - and: 13 | - section: ._deh 14 | - section: .tp 15 | - section: .dp 16 | - section: .minfo 17 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/gui/set-application-hook.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: set application hook 4 | namespace: host-interaction/gui 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | examples: 8 | - Practical Malware Analysis Lab 12-03.exe_:0x401000 9 | features: 10 | - and: 11 | - or: 12 | - api: user32.SetWindowsHookEx 13 | - api: user32.UnhookWindowsHookEx 14 | -------------------------------------------------------------------------------- /Plugins/rules/communication/http/read-http-header.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: read HTTP header 4 | namespace: communication/http 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | mbc: 8 | - Communication::HTTP Communication::Read Header [C0002.014] 9 | examples: 10 | - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10002A30 11 | features: 12 | - and: 13 | - api: winhttp.WinHttpQueryHeaders 14 | -------------------------------------------------------------------------------- /Plugins/rules/communication/http/set-http-header.yml: 
-------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: set HTTP header 4 | namespace: communication/http 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | mbc: 8 | - Communication::HTTP Communication::Set Header [C0002.013] 9 | examples: 10 | - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x1000E230 11 | features: 12 | - and: 13 | - api: winhttp.WinHttpAddRequestHeaders 14 | -------------------------------------------------------------------------------- /Plugins/rules/compiler/mingw/compiled-with-mingw-for-windows.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: compiled with MinGW for Windows 4 | namespace: compiler/mingw 5 | author: william.ballenthin@mandiant.com 6 | scope: file 7 | examples: 8 | - 5b3968b47eb16a1cb88525e3b565eab1 9 | features: 10 | - and: 11 | - string: "Mingw runtime failure:" 12 | - string: "_Jv_RegisterClasses" 13 | description: from GCC 14 | -------------------------------------------------------------------------------- /Plugins/rules/lib/open-thread.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: open thread 4 | author: 0x534a@mailbox.org 5 | lib: true 6 | scope: basic block 7 | mbc: 8 | - Process::Open Thread [C0066] 9 | examples: 10 | - 787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e:00502F4C 11 | features: 12 | - or: 13 | - api: kernel32.OpenThread 14 | - api: NtOpenThread 15 | - api: ZwOpenThread 16 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/capture-network-configuration-via-ifconfig.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: capture network configuration via ifconfig 4 | namespace: collection/network 5 | author: joakim@intezeer.com 6 | scope: basic block 7 | att&ck: 8 | - Discovery::System 
Network Configuration Discovery [T1016] 9 | features: 10 | - and: 11 | - os: linux 12 | - api: system 13 | - substring: "ifconfig" 14 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/get-session-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get session information 4 | namespace: host-interaction/session 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Discovery::System Owner/User Discovery [T1033] 9 | features: 10 | - and: 11 | - api: wtsapi32.WTSQuerySessionInformation 12 | - optional: 13 | - api: wtsapi32.WTSFreeMemory 14 | -------------------------------------------------------------------------------- /Plugins/rules/anti-analysis/obfuscation/obfuscated-with-callobfuscator.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: obfuscated with callobfuscator 4 | namespace: anti-analysis/obfuscation 5 | author: johnk3r 6 | scope: file 7 | att&ck: 8 | - Defense Evasion::Obfuscated Files or Information [T1027] 9 | examples: 10 | - 71A4F9B800D81FF6632B9892A6A502C412C141341E46D697A8C004E2F460913B 11 | features: 12 | - section: .cobf 13 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/hardware/mouse/swap-mouse-buttons.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: swap mouse buttons 4 | namespace: host-interaction/hardware/mouse 5 | author: moritz.raabe@mandiant.com 6 | scope: function 7 | mbc: 8 | - Impact::Modify Hardware::Mouse [B0042.002] 9 | examples: 10 | - B7841B9D5DC1F511A93CC7576672EC0C:0x10007250 11 | features: 12 | - or: 13 | - api: user32.SwapMouseButton 14 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/add-user-account-group.yml: 
-------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: add user account group 5 | namespace: host-interaction/accounts 6 | author: michael.hunhoff@mandiant.com 7 | scope: basic block 8 | att&ck: 9 | - Persistence::Account Manipulation [T1098] 10 | features: 11 | - or: 12 | - api: netapi32.NetLocalGroupAdd 13 | - api: netapi32.NetGroupAdd 14 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/enumerate-system-firmware-tables.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: enumerate system firmware tables 4 | namespace: host-interaction/hardware/firmware 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | references: 8 | - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L843 9 | features: 10 | - and: 11 | - api: kernel32.EnumSystemFirmwareTables 12 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/list-domain-servers.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: list domain servers 5 | namespace: host-interaction/domain 6 | author: michael.hunhoff@mandiant.com 7 | scope: basic block 8 | att&ck: 9 | - Discovery::System Network Configuration Discovery::Internet Connection Discovery [T1016.001] 10 | features: 11 | - or: 12 | - api: netapi32.NetServerEnum 13 | -------------------------------------------------------------------------------- /Plugins/rules/communication/http/initialize-winhttp-library.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: initialize WinHTTP library 4 | namespace: communication/http 5 | author: michael.hunhoff@mandiant.com 6 | scope: 
function 7 | mbc: 8 | - Communication::HTTP Communication::WinHTTP [C0002.008] 9 | examples: 10 | - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x1000E670 11 | features: 12 | - and: 13 | - api: winhttp.WinHttpOpen 14 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/mutex/create-mutex.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: create mutex 4 | namespace: host-interaction/mutex 5 | author: moritz.raabe@mandiant.com 6 | scope: function 7 | mbc: 8 | - Process::Create Mutex [C0042] 9 | examples: 10 | - Practical Malware Analysis Lab 01-01.dll_:0x10001010 11 | features: 12 | - or: 13 | - api: kernel32.CreateMutex 14 | - api: kernel32.CreateMutexEx 15 | -------------------------------------------------------------------------------- /Plugins/rules/linking/static/zlib/linked-against-zlib.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: linked against ZLIB 4 | namespace: linking/static/zlib 5 | author: william.ballenthin@mandiant.com 6 | scope: file 7 | mbc: 8 | - Data::Compression Library [C0060] 9 | examples: 10 | - 6cc148363200798a12091b97a17181a1 11 | features: 12 | - or: 13 | - string: /deflate .* Copyright/ 14 | - string: /inflate .* Copyright/ 15 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/delete-user-account-group.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: delete user account group 5 | namespace: host-interaction/accounts 6 | author: michael.hunhoff@mandiant.com 7 | scope: basic block 8 | att&ck: 9 | - Persistence::Account Manipulation [T1098] 10 | features: 11 | - or: 12 | - api: netapi32.NetLocalGroupDel 13 | - api: netapi32.NetGroupDel 14 | 
--------------------------------------------------------------------------------
/Plugins/rules/nursery/enumerate-network-shares.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enumerate network shares
    namespace: host-interaction/network
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Discovery::Network Share Discovery [T1135]
  features:
    - and:
      - or:
        - api: netapi32.NetShareEnum
        - api: mpr.WNetEnumResource
      - match: contain loop

--------------------------------------------------------------------------------
/Plugins/rules/nursery/get-process-image-filename.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: get process image filename
    namespace: host-interaction/process
    author: michael.hunhoff@mandiant.com
    scope: basic block
  features:
    - and:
      - os: windows
      - or:
        - api: kernel32.K32GetProcessImageFileName
        - api: kernel32.GetProcessImageFileName

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/process/allocate-thread-local-storage.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: allocate thread local storage
    namespace: host-interaction/process
    author: michael.hunhoff@mandiant.com
    scope: function
    mbc:
      - Process::Allocate Thread Local Storage [C0040]
    examples:
      - 03B236B23B1EC37C663527C1F53AF3FE:0x18000ADF6
  features:
    - or:
      - api: kernel32.TlsAlloc

--------------------------------------------------------------------------------
/Plugins/rules/nursery/enumerate-internet-cache.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enumerate internet cache
    namespace: host-interaction/internet/cache
    author: michael.hunhoff@mandiant.com
    scope: function
  features:
    - and:
      - api: wininet.FindFirstUrlCacheEntry
      - optional:
        - api: wininet.FindNextUrlCacheEntry
        - api: wininet.FindCloseUrlCache
      - match: contain loop

--------------------------------------------------------------------------------
/Plugins/rules/nursery/monitor-local-ipv4-address-changes.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: monitor local IPv4 address changes
    namespace: host-interaction/network/address
    author: michael.hunhoff@mandiant.com
    scope: basic block
    att&ck:
      - Discovery::System Network Configuration Discovery [T1016]
  features:
    - and:
      - api: iphlpapi.NotifyAddrChange

--------------------------------------------------------------------------------
/Plugins/rules/communication/tcp/client/act-as-tcp-client.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: act as TCP client
    namespace: communication/tcp/client
    author: william.ballenthin@mandiant.com
    scope: function
    mbc:
      - Communication::Socket Communication::TCP Client [C0001.008]
    examples:
      - Practical Malware Analysis Lab 01-01.dll_:0x10001010
  features:
    - and:
      - match: connect TCP socket

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/session/get-session-integrity-level.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get session integrity level
    namespace: host-interaction/session
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Discovery::System Owner/User Discovery [T1033]
    examples:
      - 9879D201DC5ACA863F357184CD1F170E:0x10003643
  features:
    - or:
      - api: shell32.IsUserAnAdmin

--------------------------------------------------------------------------------
/Plugins/rules/nursery/hooked-by-api-override.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: hooked by API Override
    namespace: executable/hooked/api-override
    author: william.ballenthin@mandiant.com
    scope: file
    references:
      - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
      - http://jacquelin.potier.free.fr/winapioverride32/
  features:
    - or:
      - section: .winapi

--------------------------------------------------------------------------------
/Plugins/rules/nursery/terminate-process-by-name.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: terminate process by name
    namespace: host-interaction/process/terminate
    author: william.ballenthin@mandiant.com
    scope: function
    examples:
      # - unpacked Cl0p ransomware
  features:
    - and:
      - match: terminate process
      - match: enumerate processes
      - or:
        - offset: 0x24 = pe.szExeFile (x32)

--------------------------------------------------------------------------------
/Plugins/rules/collection/database/sql/reference-sql-statements.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference SQL statements
    namespace: collection/database/sql
    author: william.ballenthin@mandiant.com
    scope: function
    att&ck:
      - Collection::Data from Information Repositories [T1213]
    examples:
      - 5F66B82558CA92E54E77F216EF4C066C:0x42B1DF
  features:
    - and:
      - string: /SELECT.*FROM.*WHERE/

--------------------------------------------------------------------------------
/Plugins/rules/communication/http/client/prepare-http-request.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: prepare HTTP request
    namespace: communication/http/client
    author: michael.hunhoff@mandiant.com
    scope: function
    mbc:
      - Communication::HTTP Communication::Create Request [C0002.012]
    examples:
      - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10002650
  features:
    - or:
      - api: winhttp.WinHttpOpenRequest

--------------------------------------------------------------------------------
/Plugins/rules/compiler/rust/compiled-with-rust.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled with rust
    namespace: compiler/rust
    author: "@_re_fox"
    scope: function
    examples:
      - c3341b7dfbb9d43bca8c812e07b4299f:0x45F490
  features:
    - and:
      - basic block:
        - substring: "run with `RUST_BACKTRACE=1` environment variable"
      - basic block:
        - substring: "thread '' panicked at '',"

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/gui/session/lock/lock-the-desktop.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: lock the desktop
    namespace: host-interaction/gui/session/lock
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Impact::Endpoint Denial of Service [T1499]
    examples:
      - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x100084D0
  features:
    - api: user32.LockWorkStation

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/mutex/lock-file.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: lock file
    namespace: host-interaction/mutex
    author: joakim@intezer.com
    scope: basic block
    mbc:
      - Process::Create Mutex [C0042]
    examples:
      - 7351f8a40c5450557b24622417fc478d:0x40858F
  features:
    - and:
      - os: linux
      - api: fcntl
      - number: 1 = F_WRLCK
      - number: 6 = F_SETLK

--------------------------------------------------------------------------------
/Plugins/rules/nursery/get-installed-programs.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get installed programs
    namespace: host-interaction/software
    author: moritz.raabe@mandiant.com
    scope: function
    att&ck:
      - Discovery::Software Discovery [T1518]
  features:
    - and:
      - match: create or open registry key
      - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall/i
      - characteristic: loop

--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-freshftp-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather freshftp information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40C7AB
  features:
    - and:
      - string: "FreshFTP"
      - string: ".SMF"

--------------------------------------------------------------------------------
/Plugins/rules/communication/socket/initialize-winsock-library.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: initialize Winsock library
    namespace: communication/socket
    author: michael.hunhoff@mandiant.com
    scope: function
    mbc:
      - Communication::Socket Communication::Initialize Winsock Library [C0001.009]
    examples:
      - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10001D30
  features:
    - and:
      - api: ws2_32.WSAStartup

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/file-system/meta/get-file-size.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get file size
    namespace: host-interaction/file-system/meta
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Discovery::File and Directory Discovery [T1083]
    examples:
      - mimikatz.exe_:0x40630D
  features:
    - or:
      - api: kernel32.GetFileSize
      - api: kernel32.GetFileSizeEx

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/gui/taskbar/find/find-taskbar.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: find taskbar
    namespace: host-interaction/gui/taskbar/find
    author: moritz.raabe@mandiant.com
    scope: function
    mbc:
      - Discovery::Taskbar Discovery [B0043]
    examples:
      - B7841B9D5DC1F511A93CC7576672EC0C:0x10007250
  features:
    - and:
      - string: "Shell_TrayWnd"
      - match: find graphical window

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/process/create/execute-command.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: execute command
    namespace: host-interaction/process/create
    author: "@mr-tz"
    scope: function
    mbc:
      - Process::Create Process [C0017]
    examples:
      - e353d3fbfb5c3738a77a622adff9a416:0x401626
  features:
    - or:
      - api: system
      - api: _system
      - api: wsystem
      - api: _wsystem

--------------------------------------------------------------------------------
/Plugins/rules/nursery/reference-kornet-dns-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference kornet DNS server
    namespace: communication/dns
    author: william.ballenthin@mandiant.com
    scope: function
    references:
      - https://whatismyipaddress.com/ip/168.126.63.1
    examples:
      # - ab57d3c179355bf2bcdb7935483d84d4
  features:
    - or:
      - string: "168.126.63.1"
        description: kns.kornet.net

--------------------------------------------------------------------------------
/Plugins/rules/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain anti-disasm techniques
    namespace: anti-analysis/anti-disasm
    author: moritz.raabe@mandiant.com
    scope: file
    mbc:
      - Anti-Static Analysis::Disassembler Evasion [B0012]
    examples:
      - a5c70086b3bc4fe64f4e7a0aa452e620
  features:
    - or:
      - count(match(contain pusha popa sequence)): 10 or more

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/file-system/get-file-system-object-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get file system object information
    namespace: host-interaction/file-system
    author: michael.hunhoff@mandiant.com
    scope: basic block
    att&ck:
      - Discovery::File and Directory Discovery [T1083]
    examples:
      - 50D5EE1CE2CA5E30C6B1019EE64EEEC2:0x403538
  features:
    - or:
      - api: SHGetFileInfo

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/network/traffic/copy/copy-network-traffic.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: copy network traffic
    namespace: host-interaction/network/traffic/copy
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Discovery::Network Sniffing [T1040]
    examples:
      - 493167E85E45363D09495D0841C30648:0x404780
  features:
    - and:
      - api: fwpkclnt.FwpsCopyStreamDataToBuffer0

--------------------------------------------------------------------------------
/Plugins/rules/nursery/flush-cabinet-file.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: flush cabinet file
    namespace: host-interaction/file-system
    author: michael.hunhoff@mandiant.com
    scope: function
    references: https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
  features:
    - or:
      - api: cabinet.FCIFlushFolder = flush current folder under construction
      - api: cabinet.FCIFlushCabinet = completes current cabinet

--------------------------------------------------------------------------------
/Plugins/rules/nursery/list-user-accounts-for-group.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: list user accounts for group
    namespace: host-interaction/accounts
    author: michael.hunhoff@mandiant.com
    scope: basic block
    att&ck:
      - Discovery::Permission Groups Discovery [T1069]
  features:
    - or:
      - api: netapi32.NetLocalGroupGetMembers
      - api: netapi32.NetGroupGetUsers

--------------------------------------------------------------------------------
/Plugins/rules/nursery/packaged-as-a-createinstall-installer.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packaged as a CreateInstall installer
    namespace: executable/installer/createinstall
    author: william.ballenthin@mandiant.com
    scope: file
    references:
      - https://www.createinstall.com/
      - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
  features:
    - or:
      - section: .gentee

--------------------------------------------------------------------------------
/Plugins/rules/runtime/dotnet/compiled-to-the-net-platform.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled to the .NET platform
    namespace: runtime/dotnet
    author: william.ballenthin@mandiant.com
    scope: file
    examples:
      - b9f5bd514485fb06da39beff051b9fdc
  features:
    - or:
      - import: mscoree._CorExeMain
      - import: mscoree._corexemain
      - import: mscoree._CorDllMain
      - import: mscoree._cordllmain

--------------------------------------------------------------------------------
/Plugins/rules/.github/pull_request_template.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Plugins/rules/nursery/enumerate-processes-via-procfs.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enumerate processes via procfs
    namespace: host-interaction/process/list
    author: joakim@intezer.com
    scope: function
    att&ck:
      - Discovery::Process Discovery [T1057]
      - Discovery::Software Discovery [T1518]
  features:
    - and:
      - os: linux
      - match: host-interaction/file-system/files/list
      - string: "/proc"

--------------------------------------------------------------------------------
/Plugins/rules/nursery/hook-routines-via-microsoft-detours.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: hook routines via microsoft detours
    # namespace: linking/hooking
    author: william.ballenthin@mandiant.com
    scope: function
    references:
      - https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/Flare-On%202017/Challenge7.pdf
    examples:
  features:
    - or:
      - number: 0x52727464 = DETOUR_REGION_SIGNATURE

--------------------------------------------------------------------------------
/Plugins/capaRules/nursery/encrypt-data-via-sspi-wrapper.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: encrypt data via SSPI wrapper
    namespace: data-manipulation/encryption
    author: matthew.williams@mandiant.com
    scope: function
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    references:
      - https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-encryptmessage
  features:
    - match: encrypt data via SSPI

--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-ultrafxp-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather ultrafxp information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x406A5C
  features:
    - and:
      - substring: "UltraFXP"
      - substring: "\\sites.xml"

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/cli/accept-command-line-arguments.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: accept command line arguments
    namespace: host-interaction/cli
    author: moritz.raabe@mandiant.com
    scope: function
    att&ck:
      - Execution::Command and Scripting Interpreter [T1059]
    examples:
      - e5369ac309f1be6d77afeeb3edab0ed8:0x402760
  features:
    - or:
      - api: GetCommandLine
      - api: CommandLineToArgv

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/clipboard/open-clipboard.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: open clipboard
    namespace: host-interaction/clipboard
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Collection::Clipboard Data [T1115]
    examples:
      - 6f99a2c8944cb02ff28c6f9ced59b161:0x403180
  features:
    - and:
      - api: user32.OpenClipboard
      - optional:
        - api: user32.CloseClipboard

--------------------------------------------------------------------------------
/Plugins/rules/nursery/encrypt-data-via-sspi.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: encrypt data via SSPI
    namespace: data-manipulation/encryption
    author: matthew.williams@mandiant.com
    scope: basic block
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    references:
      - https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-encryptmessage
  features:
    - and:
      - api: secur32.EncryptMessage

--------------------------------------------------------------------------------
/Plugins/rules/nursery/get-system-information-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get system information on Linux
    namespace: host-interaction/os/info
    author:
      - joakim@intezer.com
    scope: function
    att&ck:
      - Discovery::System Information Discovery [T1082]
  features:
    - and:
      - os: linux
      - or:
        - api: sysconf
        - and:
          - api: system
          - string: "lshw"

--------------------------------------------------------------------------------
/Plugins/capaRules/nursery/encrypt-data-via-sspi.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: encrypt data via SSPI
    namespace: data-manipulation/encryption
    author: matthew.williams@mandiant.com
    scope: basic block
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    references:
      - https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-encryptmessage
  features:
    - and:
      - api: secur32.EncryptMessage

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/gui/window/find/find-graphical-window.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: find graphical window
    namespace: host-interaction/gui/window/find
    author: moritz.raabe@mandiant.com
    scope: function
    att&ck:
      - Discovery::Application Window Discovery [T1010]
    examples:
      - 7C843E75D4F02087B932FE280DF9C90C:0x41B180
  features:
    - or:
      - api: user32.FindWindow
      - api: user32.FindWindowEx

--------------------------------------------------------------------------------
/Plugins/rules/nursery/link-function-at-runtime-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: link function at runtime on Linux
    namespace: linking/runtime-linking
    author:
      - joakim@intezer.com
    scope: function
    att&ck:
      - Execution::Shared Modules [T1129]
  features:
    - and:
      - os: linux
      - or:
        - api: dlopen
        - api: dlmopen
      - or:
        - api: dlsym
        - api: dlvsym

--------------------------------------------------------------------------------
/Plugins/rules/nursery/read-process-memory.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: read process memory
    namespace: host-interaction/process
    author:
      - matthew.williams@mandiant.com
      - "@_re_fox"
    scope: function
  features:
    - and:
      - api: kernel32.ReadProcessMemory
      - optional:
        - or:
          - api: kernel32.OpenProcess
          - api: kernel32.VirtualQueryEx
          - api: psapi.QueryWorkingSet

--------------------------------------------------------------------------------
/Plugins/rules/communication/named-pipe/create/create-two-anonymous-pipes.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create two anonymous pipes
    namespace: communication/named-pipe/create
    author: matthew.williams@mandiant.com
    scope: function
    mbc:
      - Communication::Interprocess Communication::Create Pipe [C0003.001]
    examples:
      - Practical Malware Analysis Lab 14-02.exe_:0x4011C0
  features:
    - and:
      - count(api(CreatePipe)): 2

--------------------------------------------------------------------------------
/Plugins/rules/communication/socket/set-socket-configuration.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set socket configuration
    namespace: communication/socket
    author: michael.hunhoff@mandiant.com
    scope: function
    mbc:
      - Communication::Socket Communication::Set Socket Config [C0001.001]
    examples:
      - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x1000C1F0
  features:
    - or:
      - api: ws2_32.setsockopt
      - api: ws2_32.ioctlsocket

--------------------------------------------------------------------------------
/Plugins/rules/compiler/ps2exe/compiled-with-ps2exe.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled with ps2exe
    namespace: compiler/ps2exe
    author: "@_re_fox"
    scope: file
    references:
      - https://github.com/ikarstein/ps2exe
    examples:
      - 8775ed26068788279726e08ff9665aab
  features:
    - and:
      - match: compiled to the .NET platform
      - string: "PS2EXEApp"
      - string: "PS2EXE"
      - string: "PS2EXE_Host"

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/service/query-service-status.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: query service status
    namespace: host-interaction/service
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Discovery::System Service Discovery [T1007]
    examples:
      - 9DC209F66DA77858E362E624D0BE86B3:0x403C70
  features:
    - or:
      - api: advapi32.QueryServiceStatusEx
      - api: advapi32.QueryServiceStatus

--------------------------------------------------------------------------------
/Plugins/rules/nursery/create-registry-key-via-stdregprov.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: create registry key via StdRegProv
    namespace: host-interaction/registry
    author: michael.hunhoff@mandiant.com
    scope: function
    references: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
  features:
    - and:
      - string: "StdRegProv"
      - string: "CreateKey"

--------------------------------------------------------------------------------
/Plugins/rules/nursery/decrypt-data-via-sspi.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: decrypt data via SSPI
    namespace: data-manipulation/encryption
    author: matthew.williams@mandiant.com
    scope: basic block
    att&ck:
      - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
    references:
      - https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-decryptmessage
  features:
    - and:
      - api: secur32.DecryptMessage

--------------------------------------------------------------------------------
/Plugins/rules/nursery/delete-registry-key-via-stdregprov.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: delete registry key via StdRegProv
    namespace: host-interaction/registry
    author: michael.hunhoff@mandiant.com
    scope: function
    references: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
  features:
    - and:
      - string: "StdRegProv"
      - string: "DeleteKey"

--------------------------------------------------------------------------------
/Plugins/rules/nursery/linked-against-cpp-json-library.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: linked against CPP JSON library
    namespace: linking/static/jsoncpp
    author: "@mr-tz"
    scope: file
    references:
      - https://github.com/open-source-parsers/jsoncpp
  features:
    - or:
      - string: "Exceeded stackLimit in readValue()."
      - string: "Missing ',' or '}' in object declaration"
      - string: "Extra non-whitespace after JSON value."

--------------------------------------------------------------------------------
/Plugins/rules/nursery/list-drag-and-drop-files.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: list drag and drop files
    namespace: host-interaction/clipboard
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Collection::Clipboard Data [T1115]
  features:
    - and:
      - api: shell32.DragQueryFile
      - and:
        - api: user32.GetClipboardData
        - number: 0xF = HDROP

--------------------------------------------------------------------------------
/Plugins/rules/nursery/reference-aes-constants.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference AES constants
    namespace: data-manipulation/encryption/aes
    author: william.ballenthin@mandiant.com
    scope: function
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
  features:
    - or:
      - bytes: 50 a7 f4 51 53 65 41 7e = d-0
      - bytes: 63 7c 77 7b f2 6b 6f c5 = s-box
      - bytes: 52 09 6a d5 30 36 a5 38 = inv-s-box

--------------------------------------------------------------------------------
/Plugins/capaRules/nursery/reference-aes-constants.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference AES constants
    namespace: data-manipulation/encryption/aes
    author: william.ballenthin@mandiant.com
    scope: function
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
  features:
    - or:
      - bytes: 50 a7 f4 51 53 65 41 7e = d-0
      - bytes: 63 7c 77 7b f2 6b 6f c5 = s-box
      - bytes: 52 09 6a d5 30 36 a5 38 = inv-s-box

--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-ftpnow-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather ftpnow information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40CFF0
  features:
    - and:
      - string: "FTPNow"
      - string: "FTP Now"
      - string: "sites.xml"

--------------------------------------------------------------------------------
/Plugins/rules/collection/microphone/capture-microphone-audio.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: capture microphone audio
    namespace: collection/microphone
    author: "@_re_fox"
    scope: function
    att&ck:
      - Collection::Audio Capture [T1123]
    examples:
      - a70052c45e907820187c7e6bcdc7ecca:0x405B40
  features:
    - and:
      - api: mciSendString
      - string: /^open/i
      - string: /waveaudio/i
      - string: /^record/i

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/clipboard/write-clipboard-data.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: write clipboard data
    namespace: host-interaction/clipboard
    author: michael.hunhoff@mandiant.com
    scope: function
    mbc:
      - Impact::Clipboard Modification [E1510]
    examples:
      - 6F99A2C8944CB02FF28C6F9CED59B161:0x403180
  features:
    - and:
      - optional:
        - match: open clipboard
      - api: user32.SetClipboardData

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/registry/open-registry-key-via-offline-registry-library.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: open registry key via offline registry library
    namespace: host-interaction/registry
    author: johnk3r
    scope: function
    mbc:
      - Operating System::Registry::Open Registry Key [C0036.003]
    examples:
      - 5fbbfeed28b258c42e0cfeb16718b31c:0x4071E1
  features:
    - or:
      - api: OROpenHive
      - api: OROpenKey

--------------------------------------------------------------------------------
/Plugins/rules/nursery/delete-registry-value-via-stdregprov.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: delete registry value via StdRegProv
    namespace: host-interaction/registry
    author: michael.hunhoff@mandiant.com
    scope: function
    references: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
  features:
    - and:
      - string: "StdRegProv"
      - string: "DeleteValue"

--------------------------------------------------------------------------------
/Plugins/rules/nursery/get-token-privileges.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: get token privileges
    namespace: host-interaction/session
    author: michael.hunhoff@mandiant.com
    scope: function
  features:
    - and:
      - basic block:
        - and:
          - api: advapi32.GetTokenInformation
          - number: 0x3 = TokenPrivileges
      - optional:
        - api: advapi32.LookupPrivilegeName

--------------------------------------------------------------------------------
/Plugins/rules/communication/http/client/connect-to-url.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: connect to URL
    namespace: communication/http/client
    author: michael.hunhoff@mandiant.com
    scope: function
    mbc:
      - Communication::HTTP Communication::Open URL [C0002.004]
    examples:
      - 6f99a2c8944cb02ff28c6f9ced59b161:0x40E2F0
  features:
    - and:
      - optional:
        - match: create HTTP request
      - api: wininet.InternetOpenUrl

--------------------------------------------------------------------------------
/Plugins/rules/communication/named-pipe/create/create-pipe.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create pipe
    namespace: communication/named-pipe/create
    author: moritz.raabe@mandiant.com
    scope: function
    mbc:
      - Communication::Interprocess Communication::Create Pipe [C0003.001]
    examples:
      - Practical Malware Analysis Lab 03-02.dll_:0x10003a13
  features:
    - or:
      - api: kernel32.CreatePipe
      - api: kernel32.CreateNamedPipe

--------------------------------------------------------------------------------
/Plugins/rules/nursery/create-restart-manager-session.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create Restart Manager session
    namespace: host-interaction/process
    author: michael.hunhoff@mandiant.com
    description: Windows Restart Manager can be used to close/unlock specific files, often abused by Ransomware
    scope: function
    references: https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/
  features:
    - or:
      - api: rstrtmgr.RmStartSession

--------------------------------------------------------------------------------
/Plugins/rules/nursery/hide-thread-from-debugger.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: hide thread from debugger
    namespace: anti-analysis/anti-debugging
    author: michael.hunhoff@mandiant.com
    scope: basic block
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtSetInformationThread_ThreadHideFromDebugger.cpp
  features:
    - and:
      - api: NtSetInformationThread
      - number: 0x11 = ThreadHideFromDebugger

--------------------------------------------------------------------------------
/Plugins/rules/executable/installer/inno-setup/packaged-as-an-inno-setup-installer.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packaged as an Inno Setup installer
    namespace: executable/installer/inno-setup
    author: awillia2@cisco.com
    scope: file
    references:
      - https://jrsoftware.org/isinfo.php
    examples:
      - 70FD3347786ED7A4A43910E6778EF296
  features:
    - and:
      - string: /^Inno Setup Setup Data \(/
      - string: /^Inno Setup Messages \(/

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/gui/logon/references-logon-banner.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: references logon banner
    namespace: host-interaction/gui/logon
    author: "@_re_fox"
    scope: basic block
    examples:
      - c3341b7dfbb9d43bca8c812e07b4299f:0x4066FC
  features:
    - and:
      - substring: "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
      - or:
        - substring: "LegalNoticeCaption"
        - substring: "LegalNoticeText"

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/process/dump/create-process-memory-minidump.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: create process memory minidump
    namespace: host-interaction/process/dump
    author: michael.hunhoff@mandiant.com
    scope: basic block
    mbc:
      - File System::Writes File [C0052]
    examples:
      - 91a12a4cf437589ba70b1687f5acad19:0x43E1C9
  features:
    - or:
      - api: dbghelp.MiniDumpWriteDump

--------------------------------------------------------------------------------
/Plugins/rules/load-code/pe/access-pe-header.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: access PE header
    namespace: load-code/pe
    author: moritz.raabe@mandiant.com
    scope: function
    att&ck:
      - Execution::Shared Modules [T1129]
    examples:
      - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x1400018E0
  features:
    - and:
      - os: windows
      - or:
        - api: RtlImageNtHeader
        - api: RtlImageNtHeaderEx

--------------------------------------------------------------------------------
/Plugins/rules/nursery/execute-syscall-instruction.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: execute syscall instruction
    namespace: anti-analysis
    author:
      - "@kulinacs"
      - "@mr-tz"
    description: may be used to evade hooks or hinder analysis
    scope: basic block
    references:
      - https://github.com/j00ru/windows-syscalls
  features:
    - and:
      - mnemonic: syscall
      - or:
        - mnemonic: ret
        - mnemonic: retn

--------------------------------------------------------------------------------
/Plugins/rules/nursery/interact-with-iptables.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: interact with iptables
    namespace: host-interaction/firewall
    author: joakim@intezer.com
    scope: basic block
    att&ck:
      - Discovery::Software Discovery::Security Software Discovery [T1518.001]
      - Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004]
  features:
    - and:
      - os: linux
      - api: system
- substring: "iptables" 15 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/reference-alidns-dns-server.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: reference AliDNS DNS server 4 | namespace: communication/dns 5 | author: william.ballenthin@mandiant.com 6 | scope: function 7 | references: 8 | - https://www.alidns.com/ 9 | examples: 10 | # - ab57d3c179355bf2bcdb7935483d84d4 11 | features: 12 | - or: 13 | - string: "223.5.5.5" 14 | - string: "223.6.6.6" 15 | - string: "2400:3200::1" 16 | - string: "2400:3200:baba::1" 17 | -------------------------------------------------------------------------------- /Plugins/rules/collection/file-managers/gather-nova-ftp-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather nova-ftp information 4 | namespace: collection/file-managers 5 | author: "@_re_fox" 6 | scope: function 7 | att&ck: 8 | - Credential Access::Credentials from Password Stores [T1555] 9 | examples: 10 | - 5a2f620f29ca2f44fc22df67b674198f:0x40E5FF 11 | features: 12 | - or: 13 | - and: 14 | - string: "NovaFTP.db" 15 | - substring: "\\INSoftware\\NovaFTP" 16 | -------------------------------------------------------------------------------- /Plugins/rules/communication/http/server/send-http-response.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: send HTTP response 4 | namespace: communication/http/server 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | mbc: 8 | - Communication::HTTP Communication::Send Response [C0002.016] 9 | examples: 10 | - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10001B20 11 | features: 12 | - or: 13 | - api: httpapi.HttpSendHttpResponse 14 | - api: httpapi.HttpSendResponseEntityBody 15 | 
-------------------------------------------------------------------------------- /Plugins/rules/communication/http/server/start-http-server.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: start HTTP server 4 | namespace: communication/http/server 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | mbc: 8 | - Communication::HTTP Communication::Start Server [C0002.018] 9 | examples: 10 | - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10001970 11 | features: 12 | - and: 13 | - api: httpapi.HttpInitialize 14 | - optional: 15 | - api: httpapi.HttpTerminate 16 | -------------------------------------------------------------------------------- /Plugins/rules/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: spawn thread to RWX shellcode 4 | namespace: load-code/shellcode 5 | author: moritz.raabe@mandiant.com 6 | scope: function 7 | mbc: 8 | - Memory::Allocate Memory [C0007] 9 | - Process::Create Thread [C0038] 10 | examples: 11 | - Practical Malware Analysis Lab 19-02.exe_:0x401230 12 | features: 13 | - and: 14 | - match: allocate RWX memory 15 | - match: create thread 16 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/query-or-enumerate-registry-key-via-stdregprov.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: query or enumerate registry key via StdRegProv 5 | namespace: host-interaction/registry 6 | author: michael.hunhoff@mandiant.com 7 | scope: function 8 | references: https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods 9 | features: 10 | - and: 11 | - string: "StdRegProv" 12 | - string: "EnumKey" 13 | 
-------------------------------------------------------------------------------- /Plugins/rules/communication/http/client/create-http-request.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: create HTTP request 4 | namespace: communication/http/client 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | mbc: 8 | - Communication::HTTP Communication::Create Request [C0002.012] 9 | examples: 10 | - 6f99a2c8944cb02ff28c6f9ced59b161:0x40E2F0 11 | features: 12 | - and: 13 | - api: wininet.InternetOpen 14 | - optional: 15 | - api: wininet.InternetCloseHandle 16 | -------------------------------------------------------------------------------- /Plugins/rules/compiler/perl2exe/compiled-with-perl2exe.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: compiled with perl2exe 4 | namespace: compiler/perl2exe 5 | author: "@_re_fox" 6 | scope: function 7 | examples: 8 | - 873275ce8bf88ef66e9fa0c74b5c2a1e:0x4011C9 9 | features: 10 | - and: 11 | - api: LoadLibrary 12 | - api: FreeLibrary 13 | - string: /^p2x[a-z0-9]{1,10}\.dll/i 14 | - basic block: 15 | - and: 16 | - api: GetProcAddress 17 | - string: "RunPerl" 18 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/network/traffic/filter/register-network-filter-via-wfp-api.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: register network filter via WFP API 4 | namespace: host-interaction/network/traffic/filter 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Impact::Data Manipulation::Transmitted Data Manipulation [T1565.002] 9 | examples: 10 | - 493167E85E45363D09495D0841C30648:0x404220 11 | features: 12 | - and: 13 | - api: fwpkclnt.FwpmFilterAdd0 14 | -------------------------------------------------------------------------------- 
/Plugins/rules/host-interaction/process/inject/attach-user-process-memory.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: attach user process memory 4 | namespace: host-interaction/process/inject 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Defense Evasion::Process Injection [T1055] 9 | examples: 10 | - 493167E85E45363D09495D0841C30648:0x404B00 11 | features: 12 | - and: 13 | - api: ntoskrnl.KeStackAttachProcess 14 | - api: ntoskrnl.KeUnstackDetachProcess 15 | -------------------------------------------------------------------------------- /Plugins/rules/lib/calculate-modulo-256-via-x86-assembly.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: calculate modulo 256 via x86 assembly 4 | author: moritz.raabe@mandiant.com 5 | lib: true 6 | scope: basic block 7 | mbc: 8 | - Data::Modulo [C0058] 9 | examples: 10 | - 9324D1A8AE37A36AE560C37448C9705A:0x4049A9 11 | features: 12 | # and ecx, 800000FFh 13 | # and ecx, 0FFh 14 | - and: 15 | - mnemonic: and 16 | - or: 17 | - number: 0x800000FF 18 | - number: 0xFF 19 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/delete-user-account-from-group.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: delete user account from group 5 | namespace: host-interaction/accounts 6 | author: michael.hunhoff@mandiant.com 7 | scope: basic block 8 | att&ck: 9 | - Persistence::Account Manipulation [T1098] 10 | features: 11 | - or: 12 | - api: netapi32.NetLocalGroupDelMembers 13 | - api: netapi32.NetLocalGroupDelMember 14 | - api: netapi32.NetGroupDelUser 15 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/get-mac-address-on-linux.yml: 
-------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get MAC address on Linux 4 | namespace: collection/network 5 | author: 6 | - joakim@intezer.com 7 | scope: function 8 | att&ck: 9 | - Discovery::System Information Discovery [T1082] 10 | features: 11 | - and: 12 | - os: linux 13 | - match: host-interaction/file-system/read 14 | - string: /\/sys\/class\/net\/\S+\/address/ 15 | description: pseudo-file path like /sys/class/net/eth0/address 16 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/reference-l3-dns-server.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: reference L3 DNS server 4 | namespace: communication/dns 5 | author: william.ballenthin@mandiant.com 6 | scope: function 7 | references: 8 | - https://www.quora.com/What-is-a-4-2-2-1-DNS-server 9 | examples: 10 | features: 11 | - or: 12 | - string: "4.2.2.1" 13 | - string: "4.2.2.2" 14 | - string: "4.2.2.3" 15 | - string: "4.2.2.4" 16 | - string: "4.2.2.5" 17 | - string: "4.2.2.6" 18 | -------------------------------------------------------------------------------- /Plugins/capaRules/lib/calculate-modulo-256-via-x86-assembly.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: calculate modulo 256 via x86 assembly 4 | author: moritz.raabe@mandiant.com 5 | lib: true 6 | scope: basic block 7 | mbc: 8 | - Data::Modulo [C0058] 9 | examples: 10 | - 9324D1A8AE37A36AE560C37448C9705A:0x4049A9 11 | features: 12 | # and ecx, 800000FFh 13 | # and ecx, 0FFh 14 | - and: 15 | - mnemonic: and 16 | - or: 17 | - number: 0x800000FF 18 | - number: 0xFF 19 | -------------------------------------------------------------------------------- /Plugins/rules/collection/file-managers/gather-goftp-information.yml: -------------------------------------------------------------------------------- 
1 | rule: 2 | meta: 3 | name: gather goftp information 4 | namespace: collection/file-managers 5 | author: "@_re_fox" 6 | scope: function 7 | att&ck: 8 | - Credential Access::Credentials from Password Stores [T1555] 9 | references: 10 | - https://www.goftp.com/ 11 | examples: 12 | - 5a2f620f29ca2f44fc22df67b674198f:0x40C9E8 13 | features: 14 | - and: 15 | - string: "GoFTP" 16 | - string: "Connections.txt" 17 | -------------------------------------------------------------------------------- /Plugins/rules/communication/http/client/connect-to-http-server.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: connect to HTTP server 4 | namespace: communication/http/client 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | mbc: 8 | - Communication::HTTP Communication::Connect to Server [C0002.009] 9 | examples: 10 | - 6f99a2c8944cb02ff28c6f9ced59b161:0x40E2F0 11 | features: 12 | - and: 13 | - optional: 14 | - match: create HTTP request 15 | - api: wininet.InternetConnect 16 | -------------------------------------------------------------------------------- /Plugins/rules/communication/socket/get-socket-status.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get socket status 4 | namespace: communication/socket 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Discovery::System Network Configuration Discovery [T1016] 9 | mbc: 10 | - Communication::Socket Communication::Get Socket Status [C0001.012] 11 | examples: 12 | - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x1000C1F0 13 | features: 14 | - and: 15 | - api: ws2_32.select 16 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/driver/create-device-object.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: create device object 4 | 
namespace: host-interaction/driver 5 | author: "@mr-tz" 6 | scope: function 7 | examples: 8 | - Practical Malware Analysis Lab 10-03.sys_:0x00010706 9 | features: 10 | - and: 11 | - api: IoCreateDevice 12 | - optional: 13 | - description: sets up a symbolic link between a device object name and a user-visible name for the device 14 | - api: IoCreateSymbolicLink 15 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hide the Windows taskbar 4 | namespace: host-interaction/gui/taskbar/hide 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Defense Evasion::Hide Artifacts [T1564] 9 | examples: 10 | - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x10007250 11 | features: 12 | - and: 13 | - match: find taskbar 14 | - match: hide graphical window 15 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/process/list/find-process-by-pid.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: find process by PID 4 | namespace: host-interaction/process/list 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Discovery::Process Discovery [T1057] 9 | examples: 10 | - 493167E85E45363D09495D0841C30648:0x404B00 11 | features: 12 | - and: 13 | - api: ntoskrnl.PsLookupProcessByProcessId 14 | - optional: 15 | - api: ntoskrnl.ObfDereferenceObject 16 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/service/start/start-service.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: start service 4 | namespace: host-interaction/service/start 5 | author: 
moritz.raabe@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Persistence::Create or Modify System Process::Windows Service [T1543.003] 9 | examples: 10 | - E544A4D616B60147D9774B48C2B65EF2:0x401FA0 11 | features: 12 | - and: 13 | - optional: 14 | - match: get service handle 15 | - api: advapi32.StartService 16 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/thread/suspend/suspend-thread.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: suspend thread 4 | namespace: host-interaction/thread/suspend 5 | author: 0x534a@mailbox.org 6 | scope: basic block 7 | mbc: 8 | - Process::Suspend Thread [C0055] 9 | examples: 10 | - 787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e:0x502f4c 11 | features: 12 | - or: 13 | - api: kernel32.SuspendThread 14 | - api: ntdll.NtSuspendThread 15 | - api: ntdll.ZwSuspendThread 16 | -------------------------------------------------------------------------------- /Plugins/rules/lib/write-process-memory.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: write process memory 4 | author: moritz.raabe@mandiant.com 5 | lib: true 6 | scope: function 7 | att&ck: 8 | - Defense Evasion::Process Injection [T1055] 9 | examples: 10 | - 2D3EDC218A90F03089CC01715A9F047F:0x4027CF 11 | features: 12 | - or: 13 | - api: kernel32.WriteProcessMemory 14 | - api: ntdll.NtWriteVirtualMemory 15 | - api: ntdll.ZwWriteVirtualMemory 16 | - api: NtWow64WriteVirtualMemory64 17 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/packaged-as-an-installshield-installer.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packaged as an InstallShield installer 4 | namespace: executable/installer/installshield 5 | author: moritz.raabe@mandiant.com 6 
| scope: file 7 | features: 8 | - or: 9 | # AppHelp has an export ApphelpCheckInstallShieldPackage, 10 | # which we want to avoid FP'ing on, 11 | # so do an exact match for this string. 12 | # ok to relax if there are counterexamples. 13 | - string: "InstallShield" 14 | -------------------------------------------------------------------------------- /Plugins/rules/c2/shell/execute-shell-command-received-from-socket-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: execute shell command received from socket on Linux 4 | namespace: c2/shell 5 | author: joakim@intezer.com 6 | scope: function 7 | att&ck: 8 | - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004] 9 | examples: 10 | - 7351f8a40c5450557b24622417fc478d:0x406549 11 | features: 12 | - and: 13 | - os: linux 14 | - match: receive data on socket 15 | - api: system 16 | -------------------------------------------------------------------------------- /Plugins/rules/compiler/go/compiled-with-go.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: compiled with Go 4 | namespace: compiler/go 5 | author: michael.hunhoff@mandiant.com 6 | scope: file 7 | examples: 8 | - 49a34cfbeed733c24392c9217ef46bb6 9 | features: 10 | - or: 11 | - string: /^Go build ID:/ 12 | - substring: "go.buildid" 13 | - string: /^Go buildinf:/ 14 | - substring: "go1." 
15 | - substring: "runtime.main" 16 | - substring: "main.main" 17 | - substring: "runtime.gcWork" 18 | -------------------------------------------------------------------------------- /Plugins/rules/data-manipulation/encoding/base64/encode-data-using-base64-via-winapi.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: encode data using Base64 via WinAPI 4 | namespace: data-manipulation/encoding/base64 5 | author: moritz.raabe@mandiant.com 6 | scope: basic block 7 | att&ck: 8 | - Defense Evasion::Obfuscated Files or Information [T1027] 9 | examples: 10 | - mimikatz.exe_:0x40622D 11 | features: 12 | - and: 13 | - number: 1 = dwFlags=CRYPT_STRING_BASE64 14 | - api: CryptBinaryToString 15 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/execute-shell-command-via-windows-remote-management.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: execute shell command via Windows Remote Management 5 | namespace: host-interaction/process/create 6 | author: michael.hunhoff@mandiant.com 7 | scope: function 8 | features: 9 | - and: 10 | - or: 11 | - api: wsmsvc.WSManRunShellCommand 12 | - api: wsmsvc.WSManRunShellCommandEx 13 | - optional: 14 | - api: wsmsvc.WSManCreateShell 15 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/list-user-account-groups.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: list user account groups 5 | namespace: host-interaction/accounts 6 | author: michael.hunhoff@mandiant.com 7 | description: enumerates all the groups present on the system/domain 8 | scope: basic block 9 | att&ck: 10 | - Discovery::Permission Groups Discovery [T1069] 11 | features: 12 | - 
or: 13 | - api: netapi32.NetGroupEnum 14 | - api: netapi32.NetLocalGroupEnum 15 | -------------------------------------------------------------------------------- /Plugins/rules/collection/file-managers/gather-ftpshell-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather ftpshell information 4 | namespace: collection/file-managers 5 | author: "@_re_fox" 6 | scope: function 7 | att&ck: 8 | - Credential Access::Credentials from Password Stores [T1555] 9 | references: 10 | - https://www.ftpshell.com/ 11 | examples: 12 | - 5a2f620f29ca2f44fc22df67b674198f:0x40DEE4 13 | features: 14 | - and: 15 | - string: "FTPShell" 16 | - string: "ftpshell.fsi" 17 | -------------------------------------------------------------------------------- /Plugins/rules/collection/file-managers/gather-nexusfile-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather nexusfile information 4 | namespace: collection/file-managers 5 | author: "@_re_fox" 6 | scope: function 7 | att&ck: 8 | - Credential Access::Credentials from Password Stores [T1555] 9 | references: 10 | - https://www.xiles.app/ 11 | examples: 12 | - 5a2f620f29ca2f44fc22df67b674198f:0x40DFD1 13 | features: 14 | - and: 15 | - string: "NexusFile" 16 | - string: "ftpsite.ini" 17 | -------------------------------------------------------------------------------- /Plugins/rules/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: send TCP data via WFP API 4 | namespace: communication/socket/tcp/send 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | mbc: 8 | - Communication::Socket Communication::Send TCP Data [C0001.014] 9 | examples: 10 | - 493167E85E45363D09495D0841C30648:0x404560 11 | features: 12 | - and: 13 | - api: 
fwpkclnt.FwpsStreamInjectAsync0 14 | - number: 0x10000 = FWPS_STREAM_FLAG_SEND 15 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/clipboard/replace-clipboard-data.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: replace clipboard data 4 | namespace: host-interaction/clipboard 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | mbc: 8 | - Impact::Clipboard Modification [E1510] 9 | examples: 10 | - 6f99a2c8944cb02ff28c6f9ced59b161:0x403180 11 | features: 12 | - and: 13 | - optional: 14 | - match: open clipboard 15 | - match: write clipboard data 16 | - api: user32.EmptyClipboard 17 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/driver/install-driver.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: install driver 4 | namespace: host-interaction/driver 5 | author: moritz.raabe@mandiant.com 6 | scope: basic block 7 | att&ck: 8 | - Persistence::Create or Modify System Process::Windows Service [T1543.003] 9 | mbc: 10 | - Hardware::Install Driver [C0037] 11 | examples: 12 | - af60700383b75727f5256a0000c1476f:0x1127E 13 | features: 14 | - or: 15 | - api: ntdll.NtLoadDriver 16 | - api: ZwLoadDriver 17 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/gui/window/hide/hide-graphical-window.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hide graphical window 4 | namespace: host-interaction/gui/window/hide 5 | author: michael.hunhoff@mandiant.com 6 | scope: basic block 7 | att&ck: 8 | - Defense Evasion::Hide Artifacts::Hidden Window [T1564.003] 9 | examples: 10 | - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x10007250 11 | features: 12 | - and: 13 | 
- number: 0x0 = SW_HIDE 14 | - api: user32.ShowWindow 15 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/process/set-thread-local-storage-value.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: set thread local storage value 4 | namespace: host-interaction/process 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | mbc: 8 | - Process::Set Thread Local Storage Value [C0041] 9 | examples: 10 | - 03B236B23B1EC37C663527C1F53AF3FE:0x18000AE21 11 | features: 12 | - and: 13 | - api: kernel32.TlsSetValue 14 | - optional: 15 | - match: allocate thread local storage 16 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/registry/query-registry-key-via-offline-registry-library.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: query registry key via offline registry library 4 | namespace: host-interaction/registry 5 | author: johnk3r 6 | scope: function 7 | att&ck: 8 | - Discovery::Query Registry [T1012] 9 | mbc: 10 | - Operating System::Registry::Query Registry Value [C0036.006] 11 | examples: 12 | - 5fbbfeed28b258c42e0cfeb16718b31c:0x42388C 13 | features: 14 | - and: 15 | - api: ORGetValue 16 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/run-powershell-expression.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: run PowerShell expression 4 | namespace: load-code/powershell/ 5 | author: anamaria.martinezgom@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Execution::Command and Scripting Interpreter::PowerShell [T1059.001] 9 | features: 10 | - and: 11 | - or: 12 | - string: / iex\(/i 13 | - string: / iex /i 14 | - string: /Invoke-Expression/i 15 | - optional: 16 | - substring: 
"powershell.exe "
--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-netdrive-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather netdrive information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.netdrive.net/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x407ED1
  features:
    - and:
      - string: "NDSites.ini"
      - substring: "\\NetDrive"
--------------------------------------------------------------------------------
/Plugins/rules/collection/group-policy/discover-group-policy-via-gpresult.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: discover Group Policy via gpresult
    namespace: collection/group-policy
    author: william.ballenthin@mandiant.com
    scope: function
    att&ck:
      - Discovery::Group Policy Discovery [T1615]
    examples:
      - 9e4d06759f278255073f9ac7b31a115a:0x100068B7
  features:
    - and:
      - os: windows
      - or:
        - substring: "gpresult"
        - substring: "GPRESULT"
--------------------------------------------------------------------------------
/Plugins/rules/communication/http/client/get-http-response-content-encoding.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get HTTP response content encoding
    namespace: communication/http/client
    author: matthew.williams@mandiant.com
    scope: basic block
    mbc:
      - Communication::HTTP Communication::Get Response [C0002.017]
    examples:
      - FBBAAF569B63F6398503E4F1979CABEF:0x4068D9
  features:
    - and:
      - api: wininet.HttpQueryInfo
      - number: 0x1D = HTTP_QUERY_CONTENT_ENCODING
--------------------------------------------------------------------------------
/Plugins/rules/executable/subfile/pe/contain-an-embedded-pe-file.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain an embedded PE file
    namespace: executable/subfile/pe
    author: moritz.raabe@mandiant.com
    scope: file
    mbc:
      - Execution::Install Additional Program [B0023]
    examples:
      - Practical Malware Analysis Lab 01-04.exe_:0x4060
  features:
    - or:
      - count(characteristic(embedded pe)): 1 or more
      - count(string(This program cannot be run in DOS mode.)): 2 or more
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/os/version/get-kernel-version.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get kernel version
    namespace: host-interaction/os/version
    author: joakim@intezer.com
    scope: function
    att&ck:
      - Discovery::System Information Discovery [T1082]
    examples:
      - 7351f8a40c5450557b24622417fc478d:0x405438
  features:
    - and:
      - os: linux
      - or:
        - api: uname
        - and:
          - api: system
          - string: "uname"
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/session/get-token-membership.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get token membership
    namespace: host-interaction/session
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Discovery::System Owner/User Discovery [T1033]
    examples:
      - mimikatz.exe_:0x40DABE
  features:
    - and:
      - api: advapi32.CheckTokenMembership
      - optional:
        - api: advapi32.AllocateAndInitializeSid
        - api: advapi32.FreeSid
--------------------------------------------------------------------------------
/Plugins/rules/nursery/hash-data-using-murmur2.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: hash data using murmur2
    namespace: data-manipulation/hashing/murmur
    author: william.ballenthin@mandiant.com
    scope: function
    references:
      - https://github.com/abrandoned/murmur2/blob/master/MurmurHash2.c
    examples:
  features:
    - and:
      - or:
        - number: 0xc6a4a7935bd1e995 = 64-bit mixing constant m
        - number: 0x5bd1e995 = 32-bit mixing constant m
      - mnemonic: imul
--------------------------------------------------------------------------------
/Plugins/rules/nursery/list-groups-for-user-account.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: list groups for user account
    namespace: host-interaction/accounts
    author: michael.hunhoff@mandiant.com
    description: enumerates all the groups to which a user account belongs
    scope: basic block
    att&ck:
      - Discovery::Account Discovery [T1087]
  features:
    - or:
      - api: netapi32.NetUserGetGroups
      - api: netapi32.NetUserGetLocalGroups
--------------------------------------------------------------------------------
/Plugins/rules/nursery/load-windows-common-language-runtime.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: load Windows Common Language Runtime
    namespace: load-code/dotnet
    author: michael.hunhoff@mandiant.com
    scope: basic block
  features:
    - or:
      - api: mscoree.CorBindToRuntime
      - api: mscoree.CorBindToRuntimeEx
      - api: mscoree.CorBindToRuntimeHost
      - api: mscoree.CorBindToRuntimeByCfg
      - api: mscoree.CorBindToCurrentRuntime
--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-bitkinex-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather bitkinex information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - http://www.bitkinex.com/ftp/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x406D14
  features:
    - and:
      - substring: "bitkinex.ds"
      - substring: "\\BitKinex"
--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-ftpgetter-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather ftpgetter information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.ftpgetter.com/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40A21C
  features:
    - and:
      - string: "servers.xml"
      - substring: "\\FTPGetter"
--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-xftp-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather xftp information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.netsarang.com/en/xftp-download/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40CBEE
  features:
    - and:
      - string: ".xfp"
      - substring: "\\NetSarang"
--------------------------------------------------------------------------------
/Plugins/rules/communication/tcp/serve/start-tcp-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: start TCP server
    namespace: communication/tcp/serve
    author: william.ballenthin@mandiant.com
    scope: function
    mbc:
      - Communication::Socket Communication::Start TCP Server [C0001.005]
    examples:
      - AF2F4142463F42548B8650A3ADF5CEB2:0x10010880
  features:
    - and:
      - match: create TCP socket
      - api: listen
      - or:
        - api: accept
        - api: WSAAccept
--------------------------------------------------------------------------------
/Plugins/rules/compiler/delphi/compiled-with-borland-delphi.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled with Borland Delphi
    namespace: compiler/delphi
    author: william.ballenthin@mandiant.com
    scope: file
    examples:
      - 4BDD67FF852C221112337FECD0681EAC
  features:
    - or:
      - string: "Borland C++ - Copyright 2002 Borland Corporation"
      - substring: "SOFTWARE\\Borland\\Delphi\\RTL"
      - string: "Sysutils::Exception"
      - string: "TForm1"
      - import: "BORLNDMM.DLL"
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/clipboard/read-clipboard-data.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: read clipboard data
    namespace: host-interaction/clipboard
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Collection::Clipboard Data [T1115]
    examples:
      - C91887D861D9BD4A5872249B641BC9F9:0x40156F
      - 93dfc146f60bd796eb28d4e4f348f2e4:0x401050
  features:
    - and:
      - optional:
        - match: open clipboard
      - api: user32.GetClipboardData
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/environment-variable/set-environment-variable.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set environment variable
    namespace: host-interaction/environment-variable
    author: michael.hunhoff@mandiant.com
    scope: function
    mbc:
      - Operating System::Environment Variable::Set Variable [C0034.001]
    examples:
      - 0731679c5f99e8ee65d8b29a3cabfc6b:0x43EA81
  features:
    - or:
      - api: kernel32.SetEnvironmentStrings
      - api: kernel32.SetEnvironmentVariable
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: change the wallpaper
    namespace: host-interaction/gui/session
    author: "@_re_fox"
    scope: basic block
    mbc:
      - Operating System::Wallpaper [C0035]
    examples:
      - 5dd0b130d5c3d40c69e3972f39fd7d62:0x45AC6F
  features:
    - and:
      - api: SystemParametersInfo
      - number: 0x14 = SPI_SETDESKWALLPAPER
      - number: 0x3 = SPIF_SENDWININICHANGE | SPIF_UPDATEINIFILE
--------------------------------------------------------------------------------
/Plugins/rules/nursery/connect-network-resource.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: connect network resource
    namespace: communication/http
    author: michael.hunhoff@mandiant.com
    description: connect to disk or print resource
    scope: function
  features:
    - and:
      - or:
        - api: mpr.WNetAddConnection
        - api: mpr.WNetAddConnection2
        - api: mpr.WNetAddConnection3
      - optional:
        - api: mpr.WNetCancelConnection
        - api: mpr.WNetCancelConnection2
--------------------------------------------------------------------------------
/Plugins/rules/nursery/impersonate-user.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: impersonate user
    namespace: host-interaction/user
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Privilege Escalation::Access Token Manipulation::Token Impersonation/Theft [T1134.001]
  features:
    - or:
      - api: advapi32.LogonUser
      - and:
        - api: userenv.LoadUserProfile
        - optional:
          - api: advapi32.GetUserName
          - api: advapi32.GetUserNameEx
--------------------------------------------------------------------------------
/Plugins/rules/nursery/linked-against-cpp-regex-library.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: linked against CPP regex library
    namespace: linking/static/cppregex
    author: william.ballenthin@mandiant.com
    scope: file
    references:
      - http://www.cplusplus.com/reference/regex/regex_error/
  features:
    - or:
      - string: "regex_error(error_syntax)"
        description: C++ STL regex library
      - string: "regex_error(error_collate): The expression contained an invalid collating element name."
--------------------------------------------------------------------------------
/Plugins/rules/collection/database/wmi/reference-wmi-statements.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference WMI statements
    namespace: collection/database/wmi
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Collection::Data from Information Repositories [T1213]
    examples:
      - al-khaser_x86.exe_:0x433490
  features:
    - or:
      - string: /SELECT\s+\*\s+FROM\s+CIM_./
      - string: /SELECT\s+\*\s+FROM\s+Win32_./
      - string: /SELECT\s+\*\s+FROM\s+MSAcpi_./
--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-frigate3-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather frigate3 information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - http://www.frigate3.com/index.php
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x4069A0
  features:
    - and:
      - substring: "FtpSite.xml"
      - substring: "\\Frigate3"
--------------------------------------------------------------------------------
/Plugins/rules/nursery/add-user-account-to-group.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: add user account to group
    namespace: host-interaction/accounts
    author: michael.hunhoff@mandiant.com
    scope: basic block
    att&ck:
      - Persistence::Account Manipulation [T1098]
  features:
    - or:
      - api: netapi32.NetLocalGroupAddMembers
      - api: netapi32.NetLocalGroupAddMember
      - api: netapi32.NetGroupAddUser
      - api: netapi32.NetGroupSetUsers
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-ccg.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with CCG
    namespace: anti-analysis/packer/ccg
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: .ccg
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-mew.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with MEW
    namespace: anti-analysis/packer/mew
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: MEW
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# TCSA v1
TXOne Code Semantics Analyzer by TXOne Networks, inc.

## Highlight Features
1. Malware Detection, e.g. Process Hollowing & Ransomware
2. Vulnerability Scanning, e.g. Firmware Command Injection
3. (impractical) ML for Clustering Malware, e.g. Neural Networks

## Installation

1. Script Usage: `$pip install vivisect` then `$python3 Akali/akali.py samples/hello_recur.exe`
2. Standalone Build: `$pyinstaller .github\pyinstaller\akali.spec` then `$dist\akali.exe samples\hello_recur.exe`
--------------------------------------------------------------------------------
/TCSA/.vscode/launch.json:
--------------------------------------------------------------------------------
{
    // Use IntelliSense to learn about possible attributes.
    // Hover to view descriptions of existing attributes.
    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
    "version": "0.2.0",
    "configurations": [
        {
            "name": "Python: 目前檔案",
            "type": "python",
            "request": "launch",
            "program": "akali.py",
            "console": "integratedTerminal",
            "justMyCode": false,
            "args": ["samples/hello_recur.exe"]
        }
    ]
}
--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-ftprush-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather ftprush information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.wftpserver.com/ftprush.htm
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x406AE0
  features:
    - and:
      - substring: "\\FTPRush"
      - substring: "RushSite.xml"
--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-staff-ftp-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather staff-ftp information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.gsa-online.de/product/staffftp/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40C516
  features:
    - and:
      - string: "Staff-FTP"
      - string: "sites.ini"
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/filter/start-minifilter-driver.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: start minifilter driver
    namespace: host-interaction/filter
    author: michael.hunhoff@mandiant.com
    scope: basic block
    mbc:
      - Hardware::Load Driver::Minifilter [C0023.001]
    references:
      - https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts
    examples:
      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x406360
  features:
    - and:
      - api: FltStartFiltering
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/process/modify/acquire-debug-privileges.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: acquire debug privileges
    namespace: host-interaction/process/modify
    author: william.ballenthin@mandiant.com
    scope: basic block
    att&ck:
      - Privilege Escalation::Access Token Manipulation [T1134]
    examples:
      - Practical Malware Analysis Lab 01-04.exe_:0x401174
  features:
    - and:
      - string: "SeDebugPrivilege"
      - optional:
        - match: modify access privileges
--------------------------------------------------------------------------------
/Plugins/rules/nursery/check-license-value.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: check license value
    namespace: anti-analysis/anti-vm/vm-detection
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L1224
  features:
    - and:
      - api: NtQueryLicenseValue
      - string: "Kernel-VMDetection-Private"
--------------------------------------------------------------------------------
/Plugins/rules/nursery/hash-data-using-sha256-via-x86-extensions.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: hash data using sha256 via x86 extensions
    namespace: data-manipulation/hashing/sha256
    author: "@_re_fox"
    scope: basic block
  features:
    - or:
      - mnemonic: sha256rnds2 = Perform Two Rounds of SHA256 Operation
      - mnemonic: sha256msg1 = Perform an Intermediate Calculation for the Next Four SHA256 Message Dwords
      - mnemonic: sha256msg2 = Perform a Final Calculation for the Next Four SHA256 Message Dwords
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-svkp.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with SVKP
    namespace: anti-analysis/packer/svkp
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: .svkp
--------------------------------------------------------------------------------
/Plugins/rules/anti-analysis/packer/confuser/packed-with-confuser.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with Confuser
    namespace: anti-analysis/packer/confuser
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing::Confuser [F0001.009]
    examples:
      - b9f5bd514485fb06da39beff051b9fdc
  features:
    - or:
      - string: "ConfusedByAttribute"
--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-global-downloader-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather global-downloader information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - http://www.actysoft.com/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40C732
  features:
    - and:
      - substring: "\\Global Downloader"
      - string: "SM.arch"
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/file-system/change-file-permission-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: change file permission on Linux
    namespace: host-interaction/file-system
    author: joakim@intezer.com
    scope: basic block
    mbc:
      - File System::Set File Attributes [C0050]
    examples:
      - 7351f8a40c5450557b24622417fc478d:0x407C68
  features:
    - and:
      - os: linux
      - or:
        - api: chown
        - api: fchown
        - api: lchown
        - api: fchownat
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/hardware/memory/get-memory-capacity.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get memory capacity
    namespace: host-interaction/hardware/memory
    author: moritz.raabe@mandiant.com
    scope: function
    att&ck:
      - Discovery::System Information Discovery [T1082]
    examples:
      - 9324D1A8AE37A36AE560C37448C9705A:0x4052A0
  features:
    - or:
      - api: kernel32.GlobalMemoryStatus
      - api: kernel32.GlobalMemoryStatusEx
      # TODO kernel32.GetSystemInfo with offset
--------------------------------------------------------------------------------
/Plugins/rules/nursery/delete-registry-key-via-offline-registry-library.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: delete registry key via offline registry library
    namespace: host-interaction/registry
    author: johnk3r
    scope: function
    att&ck:
      - Defense Evasion::Modify Registry [T1112]
    mbc:
      - Operating System::Registry::Delete Registry Key [C0036.002]
      - Operating System::Registry::Delete Registry Value [C0036.007]
  features:
    - or:
      - api: ORDeleteKey
      - api: ORDeleteValue
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-epack.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with Epack
    namespace: anti-analysis/packer/epack
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: "!Epack"
--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-classicftp-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather classicftp information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.nchsoftware.com/classic/index.html
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40735E
  features:
    - or:
      - substring: "Software\\NCH Software\\ClassicFTP\\FTPAccounts"
--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-faststone-browser-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather faststone-browser information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.faststone.org/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40E04F
  features:
    - and:
      - substring: "FastStone Browser"
      - string: "FTPList.db"
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/filter/register-minifilter-driver.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: register minifilter driver
    namespace: host-interaction/filter
    author: michael.hunhoff@mandiant.com
    scope: basic block
    mbc:
      - Hardware::Install Driver::Minifilter [C0037.001]
    references:
      - https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts
    examples:
      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4060C8
  features:
    - and:
      - api: FltRegisterFilter
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/session/get-user-security-identifier.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: get user security identifier
    namespace: host-interaction/session
    author: michael.hunhoff@mandiant.com
    scope: basic block
    att&ck:
      - Discovery::Account Discovery [T1087]
    examples:
      - mimikatz.exe_:0x40DC42
  features:
    - or:
      - api: advapi32.LookupAccountName
      - api: advapi32.LsaLookupNames
      - api: advapi32.LsaLookupNames2
--------------------------------------------------------------------------------
/Plugins/rules/lib/contain-pusha-popa-sequence.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain pusha popa sequence
    author: moritz.raabe@mandiant.com
    lib: true
    scope: function
    examples:
      - a5c70086b3bc4fe64f4e7a0aa452e620:0x35007200
  features:
    - and:
      - or:
        - count(mnemonic(pusha)): 2 or more
        # vivisect
        - count(mnemonic(pushad)): 2 or more
      - or:
        - count(mnemonic(popa)): 2 or more
        # vivisect
        - count(mnemonic(popad)): 2 or more
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-crunch.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with Crunch
    namespace: anti-analysis/packer/crunch
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: BitArts
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-maskpe.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with MaskPE
    namespace: anti-analysis/packer/maskpe
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: .MaskPE
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-pepack.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with Pepack
    namespace: anti-analysis/packer/pepack
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: PEPACK!!
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-perplex.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with Perplex
    namespace: anti-analysis/packer/perplex
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: .perplex
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-seausfx.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with SeauSFX
    namespace: anti-analysis/packer/seausfx
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: .seau
--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-fasttrack-ftp-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather fasttrack-ftp information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - http://www.fasttracksoft.com/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40F906
  features:
    - or:
      - and:
        - string: "FastTrack"
        - string: "ftplist.txt"
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/process/modify/modify-access-privileges.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: modify access privileges
    namespace: host-interaction/process/modify
    author: moritz.raabe@mandiant.com
    scope: function
    att&ck:
      - Privilege Escalation::Access Token Manipulation [T1134]
    examples:
      - 9324D1A8AE37A36AE560C37448C9705A:0x403BE0
  features:
    - and:
      - api: advapi32.AdjustTokenPrivileges
      - optional:
        - or:
          - api: advapi32.LookupPrivilegeValue
--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/process/terminate/terminate-process-via-fastfail.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: terminate process via fastfail
    namespace: host-interaction/process/terminate
    author: "@_re_fox"
    scope: basic block
    mbc:
      - Process::Terminate Process [C0018]
    references:
      - https://docs.microsoft.com/en-us/cpp/intrinsics/fastfail?view=vs-2019
    examples:
      - b87e9dd18a5533a09d3e48a7a1efbcf6:0x14000747F
  features:
    - and:
      - mnemonic: int
      - number: 0x29
--------------------------------------------------------------------------------
/Plugins/rules/linking/static/msdetours/linked-against-microsoft-detours.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: linked against Microsoft Detours
    namespace: linking/static/msdetours
    author: moritz.raabe@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Hijack Execution Flow [T1574]
    references:
      - https://github.com/microsoft/Detours
    examples:
      - 071F2D1C4C2201EE95FFE2AA965000F5F615A11A12D345E33B9FB060E5597740
  features:
    - or:
      - section: .detourc
      - section: .detourd
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-procrypt.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with ProCrypt
    namespace: anti-analysis/packer/procrypt
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: ProCrypt
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-vprotect.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with VProtect
    namespace: anti-analysis/packer/vprotect
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: VProtect
--------------------------------------------------------------------------------
/Plugins/rules/compiler/nim/compiled-with-nim.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled with Nim
    namespace: compiler/nim
    author: michael.hunhoff@mandiant.com
    scope: file
    examples:
      - 580c37831fe98a254eb6c61c692c70d8.exe_
  features:
    - or:
      - substring: "NimMain"
      - substring: "NimMainModule"
      - substring: "NimMainInner"
      - substring: "io.nim"
      - substring: "fatal.nim"
      - substring: "system.nim"
      - substring: "alloc.nim"
      - substring: "osalloc.nim"
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-simple-pack.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with Simple Pack
    namespace: anti-analysis/packer/simple-pack
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: .spack
--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-starforce.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with StarForce
    namespace: anti-analysis/packer/starforce
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: .sforce3
--------------------------------------------------------------------------------
/Plugins/rules/nursery/reference-google-public-dns-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference Google Public DNS server
    namespace: communication/dns
    author: william.ballenthin@mandiant.com
    scope: function
references: 8 | - https://www.techradar.com/news/best-dns-server 9 | - https://developers.google.com/speed/public-dns/docs/using 10 | examples: 11 | features: 12 | - or: 13 | - string: "8.8.8.8" 14 | - string: "8.8.4.4" 15 | - string: "2001:4860:4860::8888" 16 | - string: "2001:4860:4860::8844" 17 | -------------------------------------------------------------------------------- /Plugins/rules/collection/get-current-user-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get current user on Linux 4 | namespace: collection 5 | author: joakim@intezer.com 6 | scope: function 7 | att&ck: 8 | - Discovery::System Owner/User Discovery [T1033] 9 | examples: 10 | - 7351f8a40c5450557b24622417fc478d:0x405438 11 | features: 12 | - and: 13 | - os: linux 14 | - or: 15 | - and: 16 | - api: geteuid 17 | - api: getpwuid 18 | - api: getlogin 19 | - api: getlogin_r 20 | - api: cuserid 21 | -------------------------------------------------------------------------------- /Plugins/rules/communication/http/client/send-file-via-http.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: send file via HTTP 4 | namespace: communication/http/client 5 | author: matthew.williams@mandiant.com 6 | scope: basic block 7 | mbc: 8 | - Communication::HTTP Communication::Send Data [C0002.005] 9 | examples: 10 | - 3d760b6fc84571c928bed835863fc302:0x403687 11 | features: 12 | - and: 13 | - api: wininet.InternetWriteFile 14 | - optional: 15 | - or: 16 | - match: connect to HTTP server 17 | - match: connect to URL 18 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/bootloader/disable-code-signing.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: disable code signing 4 | namespace: host-interaction/bootloader 5 | author: 
william.ballenthin@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006] 9 | examples: 10 | - 0596C4EA5AA8DEF47F22C85D75AACA95:0x10710B3 # old Necurs rootkit 11 | features: 12 | - and: 13 | - match: host-interaction/process/create 14 | - string: /^bcdedit(\.exe)? -set TESTSIGNING ON/i 15 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/registry/create-registry-key-via-offline-registry-library.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: create registry key via offline registry library 4 | namespace: host-interaction/registry 5 | author: johnk3r 6 | scope: function 7 | att&ck: 8 | - Defense Evasion::Modify Registry [T1112] 9 | mbc: 10 | - Operating System::Registry::Create Registry Key [C0036.004] 11 | examples: 12 | - 5fbbfeed28b258c42e0cfeb16718b31c:0x100481A0 13 | features: 14 | - or: 15 | - api: ORCreateHive 16 | - api: ORCreateKey 17 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/packed-with-dragon-armor.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with Dragon Armor 4 | namespace: anti-analysis/packer/dragon-armor 5 | author: william.ballenthin@mandiant.com 6 | scope: file 7 | att&ck: 8 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 9 | mbc: 10 | - Anti-Static Analysis::Software Packing [F0001] 11 | references: 12 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 13 | examples: 14 | features: 15 | - or: 16 | - section: DAStub 17 | -------------------------------------------------------------------------------- /Plugins/rules/collection/file-managers/gather-ws-ftp-information.yml: 
-------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather ws-ftp information 4 | namespace: collection/file-managers 5 | author: "@_re_fox" 6 | scope: function 7 | att&ck: 8 | - Credential Access::Credentials from Password Stores [T1555] 9 | references: 10 | - https://www.ipswitch.com/ftp-server 11 | examples: 12 | - 5a2f620f29ca2f44fc22df67b674198f:0x40504B 13 | features: 14 | - and: 15 | - substring: "\\Ipswitch\\WS_FTP" 16 | - substring: "\\win.ini" 17 | - substring: "WS_FTP" 18 | -------------------------------------------------------------------------------- /Plugins/rules/communication/receive-data.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: receive data 4 | namespace: communication 5 | author: william.ballenthin@mandiant.com 6 | description: all known techniques for receiving data from a potential C2 server 7 | scope: function 8 | mbc: 9 | - Command and Control::C2 Communication::Receive Data [B0030.002] 10 | examples: 11 | - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145D60 12 | features: 13 | - or: 14 | - match: receive data on socket 15 | - match: read data from Internet 16 | - match: download URL 17 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/process/list/get-explorer-pid.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get Explorer PID 4 | namespace: host-interaction/process/list 5 | author: michael.hunhoff@mandiant.com 6 | scope: basic block 7 | att&ck: 8 | - Discovery::Process Discovery [T1057] 9 | references: 10 | - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ParentProcess.cpp 11 | examples: 12 | - al-khaser_x86.exe_:0x425210 13 | features: 14 | - and: 15 | - api: GetShellWindow 16 | - api: GetWindowThreadProcessId 17 | 
-------------------------------------------------------------------------------- /Plugins/rules/host-interaction/thread/resume/resume-thread.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: resume thread 4 | namespace: host-interaction/thread/resume 5 | author: 0x534a@mailbox.org 6 | scope: basic block 7 | mbc: 8 | - Process::Resume Thread [C0054] 9 | examples: 10 | - Practical Malware Analysis Lab 12-02.exe_:0x4010EA 11 | - 787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e:0x4044C7 12 | features: 13 | - or: 14 | - api: kernel32.ResumeThread 15 | - api: ntdll.NtResumeThread 16 | - api: ntdll.ZwResumeThread 17 | -------------------------------------------------------------------------------- /Plugins/rules/persistence/service/persist-via-rc-script.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: persist via rc script 4 | namespace: persistence/service 5 | author: joakim@intezer.com 6 | scope: function 7 | att&ck: 8 | - Persistence::Boot or Logon Initialization Scripts::RC Scripts [T1037.004] 9 | examples: 10 | - 7351f8a40c5450557b24622417fc478d:0x407D11 11 | features: 12 | - and: 13 | - os: linux 14 | - match: host-interaction/file-system/write 15 | - or: 16 | - substring: "/etc/init.d/" 17 | - string: /\/etc\/rc[0-9].d\// 18 | -------------------------------------------------------------------------------- /Plugins/rules/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: execute anti-debugging instructions 4 | namespace: anti-analysis/anti-debugging/debugger-detection 5 | author: moritz.raabe@mandiant.com 6 | scope: function 7 | mbc: 8 | - Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034] 9 | examples: 10 | - Practical Malware Analysis 
Lab 16-03.exe_:0x401300 11 | features: 12 | - or: 13 | - count(mnemonic(rdtsc)): 2 or more 14 | - mnemonic: icebp 15 | -------------------------------------------------------------------------------- /Plugins/rules/collection/file-managers/gather-3d-ftp-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather 3d-ftp information 4 | namespace: collection/file-managers 5 | author: "@_re_fox" 6 | scope: function 7 | att&ck: 8 | - Credential Access::Credentials from Password Stores [T1555] 9 | references: 10 | - https://www.3dftp.com/ 11 | examples: 12 | - 5a2f620f29ca2f44fc22df67b674198f:0x40CA59 13 | features: 14 | - and: 15 | - string: "3D-FTP" 16 | - string: "sites.ini" 17 | - optional: 18 | - substring: "\\SiteDesigner" 19 | -------------------------------------------------------------------------------- /Plugins/rules/collection/file-managers/gather-cyberduck-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather cyberduck information 4 | namespace: collection/file-managers 5 | author: "@_re_fox" 6 | scope: function 7 | att&ck: 8 | - Credential Access::Credentials from Password Stores [T1555] 9 | references: 10 | - https://cyberduck.io/ftp/ 11 | examples: 12 | - 5a2f620f29ca2f44fc22df67b674198f:0x40D965 13 | features: 14 | - and: 15 | - substring: "\\Cyberduck" 16 | - or: 17 | - string: "user.config" 18 | - string: ".duck" 19 | -------------------------------------------------------------------------------- /Plugins/rules/collection/file-managers/gather-softx-ftp-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather softx-ftp information 4 | namespace: collection/file-managers 5 | author: "@_re_fox" 6 | scope: function 7 | att&ck: 8 | - Credential Access::Credentials from Password Stores [T1555] 9 | references: 10 | - 
http://www.softx.org/ftp.html 11 | examples: 12 | - 5a2f620f29ca2f44fc22df67b674198f:0x407685 13 | features: 14 | - or: 15 | - substring: "Software\\FTPClient\\Sites" 16 | - substring: "Software\\SoftX.org\\FTPClient\\Sites" 17 | -------------------------------------------------------------------------------- /Plugins/rules/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: decompress HTTP response via IEncodingFilterFactory 4 | namespace: communication/http/client 5 | author: matthew.williams@mandiant.com 6 | scope: function 7 | mbc: 8 | - Communication::HTTP Communication::Get Response [C0002.017] 9 | examples: 10 | - FBBAAF569B63F6398503E4F1979CABEF:0x4067F0 11 | features: 12 | - and: 13 | - match: get HTTP response content encoding 14 | - match: decompress data via IEncodingFilterFactory 15 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/process/list/enumerate-processes-via-ntquerysysteminformation.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: enumerate processes via NtQuerySystemInformation 4 | namespace: host-interaction/process/list 5 | author: "@_re_fox" 6 | scope: basic block 7 | att&ck: 8 | - Discovery::Process Discovery [T1057] 9 | - Discovery::Software Discovery [T1518] 10 | examples: 11 | - 31bd8dd48ac0de3d4da340bf29f4d280:0x00401be3 12 | features: 13 | - and: 14 | - number: 0x5 = SYSTEM_PROCESS_INFORMATION 15 | - api: NtQuerySystemInformation 16 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/registry/set-registry-key-via-offline-registry-library.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: set registry key via offline registry library 4 | 
namespace: host-interaction/registry 5 | author: johnk3r 6 | scope: function 7 | att&ck: 8 | - Defense Evasion::Modify Registry [T1112] 9 | mbc: 10 | - Operating System::Registry::Set Registry Key [C0036.001] 11 | examples: 12 | - 5fbbfeed28b258c42e0cfeb16718b31c:0x43A6C8 13 | features: 14 | - and: 15 | - api: ORSetValue 16 | - optional: 17 | - api: ORSaveHive 18 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/get-remote-cert-context-via-schannel.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get remote cert context via SChannel 4 | namespace: data-manipulation/encryption 5 | author: matthew.williams@mandiant.com 6 | scope: basic block 7 | att&ck: 8 | - Defense Evasion::Obfuscated Files or Information [T1027] 9 | references: 10 | - https://docs.microsoft.com/en-us/windows/win32/secauthn/querycontextattributes--schannel 11 | features: 12 | - and: 13 | - api: secur32.QueryContextAttributes 14 | - number: 0x53 = SECPKG_ATTR_REMOTE_CERT_CONTEXT 15 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/packed-with-wwpack.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with WWPACK 4 | namespace: anti-analysis/packer/wwpack 5 | author: william.ballenthin@mandiant.com 6 | scope: file 7 | att&ck: 8 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 9 | mbc: 10 | - Anti-Static Analysis::Software Packing [F0001] 11 | references: 12 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 13 | examples: 14 | features: 15 | - or: 16 | - section: .WWPACK 17 | - section: .WWP32 18 | -------------------------------------------------------------------------------- /Plugins/rules/c2/file-transfer/write-and-execute-a-file.yml: 
-------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: write and execute a file 4 | namespace: c2/file-transfer 5 | maec/malware-category: launcher 6 | author: moritz.raabe@mandiant.com 7 | scope: function 8 | mbc: 9 | - Execution::Install Additional Program [B0023] 10 | examples: 11 | - 9324D1A8AE37A36AE560C37448C9705A:0x403A40 12 | - Practical Malware Analysis Lab 01-04.exe_:0x4011FC 13 | features: 14 | - and: 15 | - match: host-interaction/file-system/write 16 | - match: host-interaction/process/create 17 | -------------------------------------------------------------------------------- /Plugins/rules/c2/shell/create-reverse-shell-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: create reverse shell on Linux 4 | namespace: c2/shell 5 | author: joakim@intezer.com 6 | scope: function 7 | att&ck: 8 | - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004] 9 | mbc: 10 | - Impact::Remote Access::Reverse Shell [B0022.001] 11 | examples: 12 | - 7351f8a40c5450557b24622417fc478d:0x40231E 13 | features: 14 | - and: 15 | - os: linux 16 | - match: duplicate stdin and stdout 17 | - match: host-interaction/process/create 18 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/process/inject/allocate-rwx-memory.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: allocate RWX memory 4 | namespace: host-interaction/process/inject 5 | author: moritz.raabe@mandiant.com 6 | scope: basic block 7 | mbc: 8 | - Memory::Allocate Memory [C0007] 9 | examples: 10 | - Practical Malware Analysis Lab 03-03.exe_:0x4010EA 11 | # ntdll 12 | - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x140001ABA 13 | features: 14 | - and: 15 | - match: allocate memory 16 | - number: 0x40 = PAGE_EXECUTE_READWRITE 17 | 
-------------------------------------------------------------------------------- /Plugins/rules/host-interaction/service/delete/delete-service.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: delete service 4 | namespace: host-interaction/service/delete 5 | author: moritz.raabe@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Persistence::Create or Modify System Process::Windows Service [T1543.003] 9 | examples: 10 | - E544A4D616B60147D9774B48C2B65EF2:0x402140 11 | - Practical Malware Analysis Lab 03-02.dll_:0x10004B18 12 | features: 13 | - and: 14 | - optional: 15 | - match: get service handle 16 | - api: advapi32.DeleteService 17 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/session/get-logon-sessions.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get logon sessions 4 | namespace: host-interaction/session 5 | author: awillia2@cisco.com 6 | description: Looks for imported Windows APIs being called to enumerate user sessions. 
7 | scope: function 8 | att&ck: 9 | - Discovery::Account Discovery [T1087] 10 | examples: 11 | - 9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x1001C1AC 12 | features: 13 | - and: 14 | - api: secur32.LsaEnumerateLogonSessions 15 | - optional: 16 | - api: secur32.LsaGetLogonSessionData 17 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/thread/terminate/terminate-thread.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: terminate thread 4 | namespace: host-interaction/thread/terminate 5 | author: 6 | - moritz.raabe@mandiant.com 7 | - michael.hunhoff@mandiant.com 8 | scope: basic block 9 | mbc: 10 | - Process::Terminate Thread [C0039] 11 | examples: 12 | - Practical Malware Analysis Lab 03-02.dll_:0x10003286 13 | - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x407E90 14 | features: 15 | - or: 16 | - api: kernel32.TerminateThread 17 | - api: PsTerminateSystemThread 18 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/check-for-windows-sandbox-via-mutex.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: check for windows sandbox via mutex 4 | namespace: anti-analysis/anti-vm/vm-detection 5 | author: "@_re_fox" 6 | scope: function 7 | att&ck: 8 | - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] 9 | mbc: 10 | - Anti-Behavioral Analysis::Virtual Machine Detection [B0009] 11 | references: 12 | - https://github.com/LloydLabs/wsb-detect 13 | features: 14 | - and: 15 | - match: check mutex 16 | - string: "WindowsSandboxMutex" 17 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/packed-with-enigma.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with enigma 4 | namespace: 
anti-analysis/packer/enigma 5 | author: william.ballenthin@mandiant.com 6 | scope: file 7 | att&ck: 8 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 9 | mbc: 10 | - Anti-Static Analysis::Software Packing [F0001] 11 | references: 12 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 13 | examples: 14 | features: 15 | - or: 16 | - section: .enigma1 17 | - section: .enigma2 18 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/packed-with-mpress.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with Mpress 4 | namespace: anti-analysis/packer/mpress 5 | author: william.ballenthin@mandiant.com 6 | scope: file 7 | att&ck: 8 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 9 | mbc: 10 | - Anti-Static Analysis::Software Packing [F0001] 11 | references: 12 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 13 | examples: 14 | features: 15 | - or: 16 | - section: .MPRESS1 17 | - section: .MPRESS2 18 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/packed-with-neolite.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with Neolite 4 | namespace: anti-analysis/packer/neolite 5 | author: william.ballenthin@mandiant.com 6 | scope: file 7 | att&ck: 8 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 9 | mbc: 10 | - Anti-Static Analysis::Software Packing [F0001] 11 | references: 12 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 13 | examples: 14 | features: 15 | - or: 16 | - section: .neolite 17 | - section: .neolit 18 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/packed-with-rpcrypt.yml: 
-------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with RPCrypt 4 | namespace: anti-analysis/packer/rpcrypt 5 | author: william.ballenthin@mandiant.com 6 | scope: file 7 | att&ck: 8 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 9 | mbc: 10 | - Anti-Static Analysis::Software Packing [F0001] 11 | references: 12 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 13 | examples: 14 | features: 15 | - or: 16 | - section: RCryptor 17 | - section: .RCrypt 18 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/cli/resolve-path-using-msvcrt.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: resolve path using msvcrt 4 | namespace: host-interaction/cli 5 | author: "@_re_fox" 6 | scope: basic block 7 | att&ck: 8 | - Discovery::File and Directory Discovery [T1083] 9 | examples: 10 | - 31600ad0d1a7ea615690df111ae36c73:0x4016B8 11 | features: 12 | - or: 13 | - api: msvcrt.__p__pgmptr 14 | - api: msvcrt.__p__wpgmptr 15 | - api: msvcrt._get_pgmptr 16 | - api: msvcrt._get_wpgmptr 17 | - api: msvcrt._pgmptr 18 | - api: msvcrt._wpgmptr 19 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/hardware/cdrom/manipulate-cd-rom-drive.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: manipulate CD-ROM drive 4 | namespace: host-interaction/hardware/cdrom 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | mbc: 8 | - Impact::Modify Hardware::CDROM [B0042.001] 9 | examples: 10 | - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x10007250 11 | features: 12 | - and: 13 | - api: winmm.mciSendString 14 | - or: 15 | - string: "set cdaudio door closed wait" 16 | - string: "set cdaudio door 
open" 17 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/linked-against-go-registry-library.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: linked against Go registry library 4 | namespace: host-interaction/registry 5 | author: 6 | - joakim@intezer.com 7 | description: Uses a Go library for interacting with the Windows registry. 8 | scope: file 9 | references: 10 | - https://github.com/golang/sys 11 | features: 12 | - and: 13 | - match: compiled with Go 14 | - or: 15 | - string: "golang.org/x/sys/windows/registry.Key.Close" 16 | - string: "github.com/golang/sys/windows/registry.Key.Close" 17 | -------------------------------------------------------------------------------- /Plugins/rules/anti-analysis/packer/amber/packed-with-amber.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with amber 4 | namespace: anti-analysis/packer/amber 5 | author: "john.gorman@mandiant.com" 6 | scope: file 7 | att&ck: 8 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 9 | mbc: 10 | - Anti-Static Analysis::Software Packing [F0001] 11 | references: 12 | - https://github.com/EgeBalci/amber 13 | examples: 14 | - bb7922d368a9a9c8d981837b5ad988f1 15 | features: 16 | - or: 17 | - string: "Amber - Reflective PE Packer" 18 | -------------------------------------------------------------------------------- /Plugins/rules/communication/http/client/receive-http-response.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: receive HTTP response 4 | namespace: communication/http/client 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | mbc: 8 | - Communication::HTTP Communication::Get Response [C0002.017] 9 | examples: 10 | - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10002790 11 | features: 12 | - or: 
      - api: winhttp.WinHttpReceiveResponse
      - and:
        - api: winhttp.WinHttpReadData
        - optional:
          - api: winhttp.WinHttpQueryDataAvailable

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/file-system/files/list/enumerate-files-recursively.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enumerate files recursively
    namespace: host-interaction/file-system/files/list
    author: "@_re_fox"
    scope: function
    att&ck:
      - Discovery::File and Directory Discovery [T1083]
    examples:
      - 5f66b82558ca92e54e77f216ef4c066c:0x40640E
  features:
    - and:
      - or:
        - match: enumerate files via kernel32 functions
        - match: enumerate files via ntdll functions
      - characteristic: recursive call

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/service/list/enumerate-services.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enumerate services
    namespace: host-interaction/service/list
    author:
      - moritz.raabe@mandiant.com
      - michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Discovery::System Service Discovery [T1007]
    examples:
      - Practical Malware Analysis Lab 05-01.dll_:0x1000B823
  features:
    - or:
      - api: advapi32.EnumServicesStatus
      - api: advapi32.EnumServicesStatusEx
      - api: advapi32.EnumDependentServices

--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-tsuloader.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with TSULoader
    namespace: anti-analysis/packer/tsuloader
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: .tsuarch
      - section: .tsustub

--------------------------------------------------------------------------------
/Plugins/rules/anti-analysis/packer/petite/packed-with-petite.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with petite
    namespace: anti-analysis/packer/petite
    author: "@_re_fox"
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
      - 2a7429d60040465f9bd27bbae2beef88
  features:
    - or:
      - section: .petite

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/network/domain/get-domain-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get domain information
    namespace: host-interaction/network/domain
    author: awillia2@cisco.com
    description: Looks for imported Windows APIs being called to collect information about the Windows domain that a computer is connected to.
    scope: function
    att&ck:
      - Discovery::System Network Configuration Discovery [T1016]
    examples:
      - 9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x1001C184
  features:
    - api: netapi32.DsRoleGetPrimaryDomainInformation

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/os/version/get-linux-distribution.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get Linux distribution
    namespace: host-interaction/os/version
    author: joakim@intezer.com
    scope: function
    att&ck:
      - Discovery::System Information Discovery [T1082]
    examples:
      - 7351f8a40c5450557b24622417fc478d:0x405438
  features:
    - and:
      - os: linux
      - match: host-interaction/file-system/read
      - or:
        - string: "/etc/os-release"
        - string: "/etc/lsb-release"
        - string: "/etc/issue"

--------------------------------------------------------------------------------
/Plugins/rules/nursery/reference-the-vmware-io-port.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference the VMWare IO port
    namespace: anti-analysis/anti-vm/vm-detection
    author: matthew.williams@mandiant.com
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check - I/O Communication Port [B0009.025]
  features:
    - and:
      - mnemonic: in
      - number: 0x564D5868 = VMXh
      - number: 0x5658 = VX

--------------------------------------------------------------------------------
/Plugins/rules/anti-analysis/packer/pelocknt/packed-with-pelocknt.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with pelocknt
    namespace: anti-analysis/packer/pelocknt
    author: "@_re_fox"
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
      - f0a6a1bd6d760497623611e8297a81df
  features:
    - or:
      - section: PELOCKnt

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/service/create/create-service.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create service
    namespace: host-interaction/service/create
    author: moritz.raabe@mandiant.com
    scope: function
    att&ck:
      - Persistence::Create or Modify System Process::Windows Service [T1543.003]
      - Execution::System Services::Service Execution [T1569.002]
    examples:
      - Practical Malware Analysis Lab 03-02.dll_:0x10004706
  features:
    - and:
      - api: advapi32.CreateService
      - optional:
        - api: advapi32.OpenSCManager

--------------------------------------------------------------------------------
/Plugins/capaRules/data-manipulation/prng/lcg/generate-random-numbers-using-the-delphi-lcg-wrapper.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: generate random numbers using the Delphi LCG wrapper
    namespace: data-manipulation/prng/lcg
    author: william.ballenthin@mandiant.com
    scope: function
    mbc:
      - Cryptography::Generate Pseudo-random Sequence [C0021]
    references:
      - https://en.wikipedia.org/wiki/Linear_congruential_generator
      - https://community.osr.com/discussion/130410/generating-random-numbers
  features:
    - match: generate random numbers using the Delphi LCG

--------------------------------------------------------------------------------
/Plugins/rules/nursery/check-processdebugflags.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: check ProcessDebugFlags
    namespace: anti-analysis/anti-debugging/debugger-detection
    author: michael.hunhoff@mandiant.com
    scope: basic block
    mbc:
      - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtQueryInformationProcess_ProcessDebugFlags.cpp
  features:
    - and:
      - api: NtQueryInformationProcess
      - number: 0x1F = ProcessDebugFlags

--------------------------------------------------------------------------------
/Plugins/rules/nursery/get-storage-device-properties.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: get storage device properties
    namespace: host-interaction/hardware/storage
    author: michael.hunhoff@mandiant.com
    scope: function
    references: https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-ioctl_storage_query_property
  features:
    - and:
      - match: interact with driver via control codes
      - number: 0x2D1400 = IOCTL_STORAGE_QUERY_PROPERTY
      - optional:
        - string: "\\\\.\\PhysicalDrive0"

--------------------------------------------------------------------------------
/Plugins/rules/persistence/persist-via-desktop-autostart.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: persist via .desktop autostart
    namespace: persistence
    author: joakim@intezer.com
    scope: function
    att&ck:
      - Persistence::Boot or Logon Autostart Execution::XDG Autostart Entries [T1547.013]
    examples:
      - 7351f8a40c5450557b24622417fc478d:0x407D11
  features:
    - and:
      - os: linux
      - match: host-interaction/file-system/write
      - or:
        - string: /\/\.config\/autostart\/.+\.desktop/
        - substring: "/etc/xdg/autostart"

--------------------------------------------------------------------------------
/Plugins/rules/targeting/language/identify-system-language-via-api.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: identify system language via API
    namespace: targeting/language
    author: william.ballenthin@mandiant.com
    scope: function
    att&ck:
      - Discovery::System Location Discovery::System Language Discovery [T1614.001]
    examples:
      - 9b7ccaa2ae6a5b96e3110ebcbc4311f6:0x10001F96
  features:
    - and:
      - os: windows
      - or:
        - api: GetUserDefaultUILanguage
        - api: GetSystemDefaultUILanguage
        - api: GetUserDefaultLangID

--------------------------------------------------------------------------------
/Plugins/capaRules/data-manipulation/encryption/des/encrypt-data-using-des-wrapper.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: encrypt data using DES wrapper
    namespace: data-manipulation/encryption/des
    author: "@_re_fox"
    scope: function
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
      - Cryptography::Encrypt Data::3DES [C0027.004]
    examples:
      - 91a12a4cf437589ba70b1687f5acad19:0x47F5E8
  features:
    - match: encrypt data using DES

--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-directory-opus-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather directory-opus information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.gpsoft.com.au/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x4076F3
  features:
    - and:
      - substring: "\\GPSoftware\\Directory Opus"
      - string: ".oxc"
      - string: ".oll"
      - string: "ftplast.osd"

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/file-system/delete/delete-directory.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: delete directory
    namespace: host-interaction/file-system/delete
    author: moritz.raabe@mandiant.com
    scope: function
    mbc:
      - File System::Delete Directory [C0048]
    examples:
      - Practical Malware Analysis Lab 05-01.dll_:0x10009236
      - AFB6EC3D721A5CB67863487B0E51A34C167F629CF701F8BC7A038C117B4DDA44:0x429AA0
  features:
    - or:
      - api: RemoveDirectory
      - api: RemoveDirectoryTransacted
      - api: _rmdir
      - api: _wrmdir

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/os/shutdown-system.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: shutdown system
    namespace: host-interaction/os
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Impact::System Shutdown/Reboot [T1529]
    examples:
      - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x10008D60
  features:
    - or:
      - api: user32.ExitWindowsEx
      - api: user32.ExitWindows
      - api: advapi32.InitiateSystemShutdownEx
      - api: advapi32.InitiateSystemShutdown
      - api: advapi32.InitiateShutdown

--------------------------------------------------------------------------------
/Plugins/rules/nursery/build-docker-image.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: build Docker image
    namespace: host-interaction/container/docker
    author: william.ballenthin@mandiant.com
    scope: function
    att&ck:
      - Defense Evasion::Build Image on Host [T1612]
    references:
      - https://docs.docker.com/engine/api/v1.24/
    examples:
  features:
    - or:
      - string: /^docker(\.exe)? build/
      - and:
        - match: send HTTP request
        - string: /\/v1\.[0-9]{1,2}\/build/
          description: docker API endpoint, e.g., /v1.24/build

--------------------------------------------------------------------------------
/Plugins/rules/nursery/hash-data-using-sha1-via-x86-extensions.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: hash data using sha1 via x86 extensions
    namespace: data-manipulation/hashing/sha1
    author: "@_re_fox"
    scope: basic block
  features:
    - or:
      - mnemonic: sha1rnds4 = Perform Four Rounds of SHA1 Operation
      - mnemonic: sha1nexte = Calculate SHA1 State Variable E after Four Rounds
      - mnemonic: sha1msg1 = Perform an Intermediate Calculation for the Next Four SHA1 Message Dwords
      - mnemonic: sha1msg2 = Perform a Final Calculation for the Next Four SHA1 Message Dwords

--------------------------------------------------------------------------------
/Plugins/rules/anti-analysis/anti-debugging/debugger-detection/check-for-time-delay-via-queryperformancecounter.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: check for time delay via QueryPerformanceCounter
    namespace: anti-analysis/anti-debugging/debugger-detection
    author: michael.hunhoff@mandiant.com
    scope: function
    mbc:
      - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033]
    examples:
      - Practical Malware Analysis Lab 16-03.exe_:0x4011e0
  features:
    - and:
      - count(api(kernel32.QueryPerformanceCounter)): 2 or more

--------------------------------------------------------------------------------
/Plugins/rules/nursery/packed-with-shrinker.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with Shrinker
    namespace: anti-analysis/packer/shrinker
    author: william.ballenthin@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
  features:
    - or:
      - section: .shrink1
      - section: .shrink2
      - section: .shrink3

--------------------------------------------------------------------------------
/Plugins/rules/anti-analysis/anti-debugging/debugger-detection/check-for-outputdebugstring-error.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: check for OutputDebugString error
    namespace: anti-analysis/anti-debugging/debugger-detection
    author: michael.hunhoff@mandiant.com
    scope: basic block
    mbc:
      - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016]
    examples:
      - Practical Malware Analysis Lab 16-02.exe_:0x401020
  features:
    - and:
      - api: kernel32.SetLastError
      - api: kernel32.GetLastError
      - api: kernel32.OutputDebugString

--------------------------------------------------------------------------------
/Plugins/rules/c2/file-transfer/download-and-write-a-file.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: download and write a file
    namespace: c2/file-transfer
    maec/malware-category: downloader
    author: moritz.raabe@mandiant.com
    scope: function
    att&ck:
      - Command and Control::Ingress Tool Transfer [T1105]
    mbc:
      - Command and Control::C2 Communication::Server to Client File Transfer [B0030.003]
    examples:
      - 5D7C34B6854D48D3DA4F96B71550A221:0x401346
  features:
    - and:
      - match: receive data
      - match: host-interaction/file-system/write

--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-ftp-voyager-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather ftp-voyager information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.serv-u.com/free-tools/ftp-voyager-ftp-client-for-windows
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x408FD3
  features:
    - and:
      - substring: "\\RhinoSoft.com"
      - string: "FTPVoyager.ftp"
      - string: "FTPVoyager.qc"

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/hardware/cpu/get-number-of-processor-cores.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get number of processor cores
    namespace: host-interaction/hardware/cpu
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Discovery::System Information Discovery [T1082]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L207
    examples:
      - al-khaser_x86.exe_:0x435BA0
  features:
    - and:
      - string: /SELECT\s+\*\s+FROM\s+Win32_Processor/
      - string: "NumberOfCores"

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/process/inject/allocate-user-process-rwx-memory.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: allocate user process RWX memory
    namespace: host-interaction/process/inject
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Defense Evasion::Process Injection [T1055]
    examples:
      - 493167E85E45363D09495D0841C30648:0x404B00
  features:
    - and:
      - match: attach user process memory
      - match: allocate RWX memory
      - number: 0xFFFFFFFF = NtCurrentProcess()
      - optional:
        - match: find process by PID

--------------------------------------------------------------------------------
/Plugins/rules/anti-analysis/obfuscation/obfuscated-with-advobfuscator.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: obfuscated with ADVobfuscator
    namespace: anti-analysis/obfuscation
    author: jakub.jozwiak@mandiant.com
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Anti-Static Analysis::Executable Code Obfuscation [B0032]
    references:
      - https://github.com/andrivet/ADVobfuscator
    examples:
      - c1969efd1e2be79909b880f4dbb8725e52efca82236f8a2165c5a8245393fcd6
  features:
    - substring: "@ADVobfuscator@andrivet@@"

--------------------------------------------------------------------------------
/Plugins/rules/anti-analysis/obfuscation/string/stackstring/contain-obfuscated-stackstrings.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain obfuscated stackstrings
    namespace: anti-analysis/obfuscation/string/stackstring
    author: moritz.raabe@mandiant.com
    scope: basic block
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Indicator Removal from Tools [T1027.005]
    mbc:
      - Anti-Static Analysis::Disassembler Evasion::Argument Obfuscation [B0012.001]
    examples:
      - Practical Malware Analysis Lab 16-03.exe_:0x4013D0
  features:
    - characteristic: stack string

--------------------------------------------------------------------------------
/Plugins/rules/anti-analysis/packer/rlpack/packed-with-rlpack.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with rlpack
    namespace: anti-analysis/packer/rlpack
    author: "@_re_fox"
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
      - 068a76d4823419b376d418cf03215d5c
  features:
    - or:
      - section: .RLPack
      - section: .packed

--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-alftp-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather alftp information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://en.wikipedia.org/wiki/ALFTP
      - https://www.altools.co.kr/Main/Default.aspx
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40A257
  features:
    - and:
      - string: "ESTdb2.dat"
      - string: "QData.dat"
      - substring: "\\Estsoft\\ALFTP"

--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-smart-ftp-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather smart-ftp information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.smartftp.com/en-us/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x405DE8
  features:
    - or:
      - and:
        - substring: "\\SmartFTP"
        - string: ".xml"
      - string: /Favorites\.dat/i
      - string: /History\.dat/i

--------------------------------------------------------------------------------
/Plugins/rules/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: encrypt data using memfrob from glibc
    namespace: data-manipulation/encryption
    author: zander.work@mandiant.com
    scope: function
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption [E1027.m04]
      - Cryptography::Encrypt Data [C0027]
    examples:
      - 055da8e6ccfe5a9380231ea04b850e18:0x1189
  features:
    - and:
      - os: linux
      - api: memfrob

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/hardware/cpu/get-number-of-processors.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get number of processors
    namespace: host-interaction/hardware/cpu
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Discovery::System Information Discovery [T1082]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L113
    examples:
      - al-khaser_x86.exe_:0x432CB0
  features:
    - and:
      - match: PEB access
      - or:
        - number/x32: 0x64
        - number/x64: 0xB8

--------------------------------------------------------------------------------
/Plugins/rules/persistence/scheduled-tasks/schedule-task-via-command-line.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: schedule task via command line
    namespace: persistence/scheduled-tasks
    author: 0x534a@mailbox.org
    scope: function
    att&ck:
      - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005]
    examples:
      - 79cde1aa711e321b4939805d27e160be:0x401440
  features:
    - and:
      - match: host-interaction/process/create
      - or:
        - and:
          - string: /schtasks/i
          - string: /\/create /i
        - string: /Register-ScheduledTask /i

--------------------------------------------------------------------------------
/Plugins/capaRules/data-manipulation/encryption/encrypt-data-using-memfrob-from-glibc.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: encrypt data using memfrob from glibc
    namespace: data-manipulation/encryption
    author: zander.work@mandiant.com
    scope: function
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption [E1027.m04]
      - Cryptography::Encrypt Data [C0027]
    examples:
      - 055da8e6ccfe5a9380231ea04b850e18:0x1189
  features:
    - and:
      - os: linux
      - api: memfrob

--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-ftp-commander-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather ftp-commander information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.ftpcommander.com/free.htm
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x405BC0
  features:
    - and:
      - or:
        - substring: "FTP Navigator"
        - substring: "FTP Commander"
      - or:
        - string: "ftplist.txt"

--------------------------------------------------------------------------------
/Plugins/rules/collection/keylog/log-keystrokes-via-application-hook.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: log keystrokes via application hook
    namespace: collection/keylog
    author: michael.hunhoff@mandiant.com
    scope: function
    att&ck:
      - Collection::Input Capture::Keylogging [T1056.001]
    mbc:
      - Collection::Keylogging::Application Hook [F0002.001]
    examples:
      - Practical Malware Analysis Lab 12-03.exe_:0x401000
  features:
    - and:
      - match: set application hook
      - or:
        - number: 13 = WH_KEYBOARD_LL
        - number: 2 = WH_KEYBOARD

--------------------------------------------------------------------------------
/Plugins/rules/host-interaction/mutex/check-mutex.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: check mutex
    namespace: host-interaction/mutex
    author: moritz.raabem@mandiant.com
    scope: basic block
    mbc:
      - Process::Check Mutex [C0043]
    examples:
      - Practical Malware Analysis Lab 01-01.dll_:0x10001010
  features:
    - and:
      - or:
        - api: kernel32.OpenMutex
        - match: create mutex
      - optional:
        - or:
          - api: kernel32.GetLastError
          - number: 2 = ERROR_FILE_NOT_FOUND
          - number: 0xB7 = ERROR_ALREADY_EXISTS

--------------------------------------------------------------------------------
/Plugins/rules/linking/static/polarssl/linked-against-polarsslmbed-tls.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: linked against PolarSSL/mbed TLS
    namespace: linking/static/polarssl
    author: william.ballenthin@mandiant.com
    scope: file
    mbc:
      - Cryptography::Crypto Library [C0059]
    examples:
      - 232b0a8546035d9017fadf68398826edb0a1e055566bc1d356d6c9fdf1d7e485
  features:
    - or:
      - string: "PolarSSLTest"
      - string: "mbedtls_cipher_setup"
      - string: "mbedtls_pk_verify"
      - string: "mbedtls_ssl_write_record"
      - string: "mbedtls_ssl_fetch_input"

--------------------------------------------------------------------------------
/Plugins/rules/nursery/reference-screen-saver-executable.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference screen saver executable
    namespace: persistence/screensaver
    author: michael.hunhoff@mandiant.com
    description: SCRNSAVE.EXE registry value specifies the name of the screen saver executable file
    scope: function
    att&ck:
      - Persistence::Event Triggered Execution::Screensaver [T1546.002]
  features:
    - and:
      - string: "SCRNSAVE.EXE"
      - optional:
        - string: "ScreenSaveTimeOut"
        - string: "Control Panel\\Desktop"
        - match: set registry value

--------------------------------------------------------------------------------
/Plugins/rules/persistence/startup-folder/write-file-to-startup-folder.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: write file to startup folder
    namespace: persistence/startup-folder
    author: matthew.williams@mandiant.com
    scope: function
    att&ck:
      - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
    examples:
      - 07F7846BBCDA782E5639292AD93907EB:0x401040
  features:
    - and:
      - match: get startup folder
      - or:
        - match: copy file
        - match: move file
        - match: host-interaction/file-system/write

--------------------------------------------------------------------------------
/Plugins/capaRules/data-manipulation/encryption/twofish/encrypt-data-using-twofish-wrapper.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: encrypt data using twofish wrapper
    namespace: data-manipulation/encryption/twofish
    author: "@_re_fox"
    scope: function
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
      - Cryptography::Encrypt Data::Twofish [C0027.005]
    examples:
      - 0761142efbda6c4b1e801223de723578:0x653F801C
  features:
    - match: encrypt data using twofish

--------------------------------------------------------------------------------
/Plugins/rules/anti-analysis/packer/pebundle/packed-with-pebundle.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with pebundle
    namespace: anti-analysis/packer/pebundle
    author: "@_re_fox"
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
      - db9fe790b4e18abf55df31aa0b81e558
  features:
    - or:
      - section: pebundle
      - section: PEBundle

--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-ftpinfo-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather ftpinfo information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.ftpinfo.ru/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40DF62
  features:
    - and:
      - string: "ServerList.xml"
      - string: "DataDir"
      - or:
        - substring: "Software\\MAS-Soft\\FTPInfo\\Setup"
        - substring: "FTPInfo"

--------------------------------------------------------------------------------
/Plugins/rules/communication/socket/send/send-data-on-socket.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: send data on socket
    namespace: communication/socket/send
    author:
      - moritz.raabe@mandiant.com
      - joakim@intezer.com
    scope: function
    mbc:
      - Communication::Socket Communication::Send Data [C0001.007]
    examples:
      - Practical Malware Analysis Lab 01-01.dll_:0x10001010
  features:
    - or:
      - api: ws2_32.send
      - api: ws2_32.sendto
      - api: ws2_32.WSASend
      - api: ws2_32.WSASendMsg
      - api: ws2_32.WSASendTo
      - api: send

--------------------------------------------------------------------------------
/Plugins/capaRules/data-manipulation/encryption/blowfish/encrypt-data-using-blowfish-wrapper.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: encrypt data using blowfish wrapper
    namespace: data-manipulation/encryption/blowfish
    author: "@_re_fox"
    scope: function
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
      - Cryptography::Encrypt Data::Blowfish [C0027.002]
    examples:
      - 0761142efbda6c4b1e801223de723578:0x653E19E5
  features:
    - match: encrypt data using blowfish

--------------------------------------------------------------------------------
/Plugins/capaRules/data-manipulation/encryption/skipjack/encrypt-data-using-skipjack-wrapper.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: encrypt data using skipjack wrapper
    namespace: data-manipulation/encryption/skipjack
    author: "@_re_fox"
    scope: function
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
      - Cryptography::Encrypt Data::Skipjack [C0027.013]
    examples:
      - 94d3c854aadbcfde46b2f82801015c31:0x429C0730
  features:
    - match: encrypt data using skipjack

--------------------------------------------------------------------------------
/Plugins/rules/communication/http/client/read-data-from-internet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: read data from Internet
    namespace: communication/http/client
    author: michael.hunhoff@mandiant.com
    scope: function
    mbc:
      - Communication::HTTP Communication::Get Response [C0002.017]
    examples:
      - 6f99a2c8944cb02ff28c6f9ced59b161:0x40D590
  features:
    - and:
      - optional:
        - or:
          - match: connect to HTTP server
          - match: connect to URL
      - or:
        - api: wininet.InternetReadFile
        - api: wininet.InternetReadFileEx

--------------------------------------------------------------------------------
/Plugins/rules/data-manipulation/encryption/import-public-key.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: import public key
    namespace: data-manipulation/encryption
    author: william.ballenthin@mandiant.com
    scope: function
    mbc:
      - Cryptography::Encryption Key::Import Public Key [C0028.001]
    examples:
      - ffeae4a391a1d5203bd04b4161557227:0x4047A0
  features:
    - and:
      - api: advapi32.CryptAcquireContext
      - api: crypt32.CryptImportPublicKeyInfo
      - optional:
        - and:
          - api: crypt32.CryptStringToBinary
          - api: crypt32.CryptDecodeObjectEx

--------------------------------------------------------------------------------
/Plugins/rules/targeting/automated-teller-machine/diebold-nixdorf/reference-diebold-atm-routines.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference Diebold ATM routines
    namespace: targeting/automated-teller-machine/diebold-nixdorf
    author: william.ballenthin@mandiant.com
    scope: file
    references:
      - https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html
    examples:
      - b2ad4409323147b63e370745e5209996
  features:
    - or:
      - string: "DBD_AdvFuncDisp"
        description: dispenser function
      - string: "DBD_EPP4"
        description: pin pad function

--------------------------------------------------------------------------------
/Plugins/capaRules/data-manipulation/encryption/import-public-key.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: import public key
    namespace: data-manipulation/encryption
    author: william.ballenthin@mandiant.com
    scope: function
    mbc:
      - Cryptography::Encryption Key::Import Public Key [C0028.001]
    examples:
      - ffeae4a391a1d5203bd04b4161557227:0x4047A0
  features:
    - and:
      - api: advapi32.CryptAcquireContext
      - api: crypt32.CryptImportPublicKeyInfo
      - optional:
        - and:
          - api: crypt32.CryptStringToBinary
          - api: crypt32.CryptDecodeObjectEx

--------------------------------------------------------------------------------
/Plugins/rules/anti-analysis/packer/nspack/packed-with-nspack.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packed with nspack
    namespace: anti-analysis/packer/nspack
    author: "@_re_fox"
    scope: file
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
    mbc:
      - Anti-Static Analysis::Software Packing [F0001]
    references:
      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
    examples:
      - 02179f3ba93663074740b5c0d283bae2
  features:
    - or:
      - section: .nsp0
      - section: .nsp1
      - section: .nsp2

--------------------------------------------------------------------------------
/Plugins/rules/collection/file-managers/gather-coreftp-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: gather coreftp information
    namespace: collection/file-managers
    author: "@_re_fox"
    scope: function
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - http://www.coreftp.com/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x4063FD
  features:
    - or:
      - substring: "Software\\FTPWare\\COREFTP\\Sites"
      - and:
        - string: "Host"
        - string: "User"
        - string: "Port"
        - string: "PthR"

--------------------------------------------------------------------------------
/Plugins/rules/communication/named-pipe/connect/connect-pipe.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: connect pipe
    namespace: communication/named-pipe/connect
    author:
      - moritz.raabe@mandiant.com
      - michael.hunhoff@mandiant.com
    scope: function
    mbc:
      - Communication::Interprocess Communication::Connect Pipe [C0003.002]
    examples:
      # Windows msdt.exe
      - 152d4c9f63efb332ccb134c6953c0104:0x42e400
  features:
    - or:
      - api: kernel32.ConnectNamedPipe
      - api: kernel32.CallNamedPipe
        description: connect, read, write from pipe in single operation
-------------------------------------------------------------------------------- /Plugins/rules/compiler/autohotkey/compiled-with-autohotkey.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: compiled with AutoHotKey 4 | namespace: compiler/autohotkey 5 | author: awillia2@cisco.com 6 | scope: file 7 | att&ck: 8 | - Execution::Command and Scripting Interpreter [T1059] 9 | references: 10 | - https://www.trendmicro.com/en_us/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html 11 | - https://en.wikipedia.org/wiki/AutoHotkey 12 | examples: 13 | - 92D8EA10EA30E8B534334A1C9857A455 14 | features: 15 | - and: 16 | - string: ">AUTOHOTKEY SCRIPT<" 17 | - string: "AutoHotkeyGUI" 18 | -------------------------------------------------------------------------------- /Plugins/rules/host-interaction/process/terminate/terminate-process.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: terminate process 4 | namespace: host-interaction/process/terminate 5 | author: moritz.raabe@mandiant.com 6 | scope: function 7 | mbc: 8 | - Process::Terminate Process [C0018] 9 | examples: 10 | - C91887D861D9BD4A5872249B641BC9F9:0x401A77 11 | - 9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x10010307 12 | features: 13 | - and: 14 | - optional: 15 | - match: open process 16 | - or: 17 | - api: kernel32.TerminateProcess 18 | - api: ntdll.NtTerminateProcess 19 | - api: kernel32.ExitProcess 20 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/generate-random-numbers-using-the-delphi-lcg.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: generate random numbers using the Delphi LCG 4 | namespace: data-manipulation/prng/lcg 5 | author: william.ballenthin@mandiant.com 6 | scope: basic block 7 | mbc: 8 | - Cryptography::Generate Pseudo-random 
Sequence [C0021] 9 | references: 10 | - https://en.wikipedia.org/wiki/Linear_congruential_generator 11 | - https://community.osr.com/discussion/130410/generating-random-numbers 12 | features: 13 | - and: 14 | - mnemonic: imul 15 | - number: 0x8088405 = multiplier a 16 | - mnemonic: inc = increment c 17 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/linked-against-go-wmi-library.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: linked against Go WMI library 4 | namespace: collection/database/wmi 5 | author: 6 | - joakim@intezer.com 7 | description: StackExchange's WMI library is used to interact with WMI. 8 | scope: file 9 | att&ck: 10 | - Collection::Data from Information Repositories [T1213] 11 | references: 12 | - https://github.com/StackExchange/wmi 13 | features: 14 | - and: 15 | - match: compiled with Go 16 | - or: 17 | - string: "github.com/StackExchange/wmi.CreateQuery" 18 | - string: "github.com/StackExchange/wmi.Query" 19 | -------------------------------------------------------------------------------- /Plugins/rules/nursery/schedule-task-via-itaskservice.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: schedule task via ITaskService 4 | namespace: persistence/scheduled-tasks 5 | author: michael.hunhoff@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Persistence::Scheduled Task/Job::Scheduled Task [T1053.005] 9 | features: 10 | - and: 11 | - basic block: 12 | - and: 13 | - api: ole32.CoCreateInstance 14 | - bytes: 9F 36 87 0F E5 A4 FC 4C BD 3E 73 E6 15 45 72 DD = CLSID_TaskScheduler 15 | - bytes: C7 A4 AB 2F A9 4D 13 40 96 97 20 CC 3F D4 0F 85 = IID_ITaskService 16 | - offset: 0x24 = ppv->NewTask 17 | -------------------------------------------------------------------------------- /Plugins/rules/data-manipulation/encryption/dpapi/encrypt-data-using-dpapi.yml: 
-------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: encrypt data using DPAPI 4 | namespace: data-manipulation/encryption/dpapi 5 | author: william.ballenthin@mandiant.com 6 | scope: function 7 | att&ck: 8 | - Defense Evasion::Obfuscated Files or Information [T1027] 9 | mbc: 10 | - Cryptography::Encrypt Data [C0027] 11 | examples: 12 | - 6cc148363200798a12091b97a17181a1:0x1400CE9A0 13 | features: 14 | - or: 15 | - api: CryptProtectMemory 16 | - api: CryptUnprotectMemory 17 | - api: crypt32.CryptProtectData 18 | - api: crypt32.CryptUnprotectData 19 | --------------------------------------------------------------------------------
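How the `and` / `or` / `optional` / `match` statements in rules such as read-data-from-internet.yml and terminate-process.yml combine is easy to misread from the YAML alone, in particular that an `optional:` block can never cause a rule to fail. The following evaluator is an added example, not code from the TCSA/miniCapa repository or from capa itself; the feature trees for the two rules are transcribed from the files above, while the feature sets given for "connect to HTTP server", "connect to URL" and "open process" (rules not shown on this page) are assumed stand-ins.

```python
"""Minimal evaluator for the boolean statements used in capa rules.

Added example: not code from the TCSA/miniCapa repository or from capa.  It
models the statement kinds that appear in the rules above (and, or, optional,
match) over a flat set of (feature-type, value) pairs.
"""
from __future__ import annotations

from typing import Dict, Set, Tuple

Feature = Tuple[str, str]

# Feature trees transcribed from read-data-from-internet.yml and
# terminate-process.yml.  The three rules they reference by name are not on
# this page; their feature sets here are assumed stand-ins, not the real rules.
RULES: Dict[str, dict] = {
    "connect to HTTP server": {"api": "wininet.HttpOpenRequest"},   # assumed
    "connect to URL": {"api": "wininet.InternetOpenUrl"},            # assumed
    "open process": {"api": "kernel32.OpenProcess"},                 # assumed
    "read data from Internet": {
        "and": [
            {"optional": [
                {"or": [{"match": "connect to HTTP server"},
                        {"match": "connect to URL"}]},
            ]},
            {"or": [{"api": "wininet.InternetReadFile"},
                    {"api": "wininet.InternetReadFileEx"}]},
        ]
    },
    "terminate process": {
        "and": [
            {"optional": [{"match": "open process"}]},
            {"or": [{"api": "kernel32.TerminateProcess"},
                    {"api": "ntdll.NtTerminateProcess"},
                    {"api": "kernel32.ExitProcess"}]},
        ]
    },
}


def evaluate(node: dict, features: Set[Feature], rules: dict = RULES, depth: int = 0) -> bool:
    """Return True when the statement `node` holds over `features`."""
    if depth > 64:  # guard against match: cycles in a hand-written rule set
        raise RecursionError("match: chain too deep or cyclic")
    (kind, value), = node.items()
    if kind == "and":
        return all(evaluate(child, features, rules, depth + 1) for child in value)
    if kind == "or":
        return any(evaluate(child, features, rules, depth + 1) for child in value)
    if kind == "optional":
        # Children are still evaluated so their matches can be reported, but
        # the statement itself is satisfied whether or not any of them hold.
        for child in value:
            evaluate(child, features, rules, depth + 1)
        return True
    if kind == "match":
        # A dangling reference is a rule-set error, not a non-match.
        if value not in rules:
            raise KeyError(f"match: references unknown rule {value!r}")
        return evaluate(rules[value], features, rules, depth + 1)
    # Any other key is a leaf feature such as api:, string: or number:.
    return (kind, value) in features


def matching_rules(features: Set[Feature], rules: dict = RULES) -> Set[str]:
    """Names of all rules whose feature tree holds over `features`."""
    return {name for name, tree in rules.items() if evaluate(tree, features, rules)}


if __name__ == "__main__":
    # Constructed feature set: a function whose only API call is InternetReadFile.
    fn = {("api", "wininet.InternetReadFile")}
    print(sorted(matching_rules(fn)))
```

The practical consequence for rule authors: in both rules above the `optional:` branch only adds context to the report; the detection itself rests entirely on the second `or:` block, so a function that calls `ExitProcess` with no `OpenProcess` anywhere near it still matches "terminate process".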
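The generate-random-numbers-using-the-delphi-lcg.yml rule above matches a single basic block on an `imul` by 0x8088405 plus an `inc`. The model below, an added example that is not part of the TCSA repository or of capa, shows the generator those two instructions implement: the Delphi RTL advances its 32-bit RandSeed as RandSeed * $08088405 + 1 (mod 2^32) and scales Random(Range) by taking the high dword of RandSeed * Range. The constants come from the rule itself; the Range scaling is the Delphi RTL behaviour and is stated here as an assumption.

```python
"""Model of the Delphi RTL pseudo-random generator.

Added example, not from the TCSA repository or from capa.  It shows what the
"generate random numbers using the Delphi LCG" rule keys on: a 32-bit linear
congruential generator with a = 0x8088405 and c = 1, i.e. an imul followed
by an inc on the seed register.
"""
MULTIPLIER = 0x8088405   # the `number: 0x8088405 = multiplier a` feature
INCREMENT = 1            # produced by the `inc` mnemonic: c = 1
MODULUS = 1 << 32        # RandSeed is a 32-bit value; the wraparound is m


def next_seed(seed: int) -> int:
    """One LCG step: the imul/inc pair the capa rule matches."""
    return (seed * MULTIPLIER + INCREMENT) % MODULUS


def has_full_period(a: int = MULTIPLIER, c: int = INCREMENT, m: int = MODULUS) -> bool:
    """Hull-Dobell conditions for a power-of-two modulus: c odd and a == 1 (mod 4).

    When they hold, every 32-bit seed occurs exactly once per 2^32 steps, so the
    stream never repeats early, but it is also completely determined by one state.
    """
    assert m & (m - 1) == 0, "this shortcut only applies to m = 2^k"
    return c % 2 == 1 and (a - 1) % 4 == 0


class DelphiRandom:
    """Stateful equivalent of Delphi's global RandSeed plus Random(Range)."""

    def __init__(self, seed: int = 0) -> None:
        self.seed = seed & 0xFFFFFFFF

    def random(self, range_: int) -> int:
        """Random(Range): advance the seed, then scale into [0, Range).

        Assumed RTL behaviour: the result is the high dword of the 32x32->64
        product RandSeed * Range.
        """
        self.seed = next_seed(self.seed)
        return (self.seed * range_) >> 32


def predict_from_seed(seed: int, range_: int, count: int) -> list:
    """Reproduce the next `count` outputs from a known or guessed RandSeed.

    This is the security-relevant point behind the rule: one 32-bit state value
    determines the whole stream, so anything a sample derives from Delphi's
    Random (keys, nonces, file or mutex names) is recoverable by trying at most
    2^32 seeds.
    """
    rng = DelphiRandom(seed)
    return [rng.random(range_) for _ in range(count)]


if __name__ == "__main__":
    print(hex(next_seed(0)), hex(next_seed(1)))
    print(predict_from_seed(0x1234, 256, 8))
```

When triaging a hit from this rule, the imul/inc pair alone is a weak signal (the same constant appears in some unrelated code), so confirm that the product is written back to a global that is read on the next call; the scaling multiply by a caller-supplied range in the same function is the second half of the Delphi signature.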
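The `bytes:` features in schedule-task-via-itaskservice.yml are COM GUIDs in memory byte order, and the `offset: 0x24` is a vtable slot. Both are easy to get wrong by hand, so the helper below, an added example that is not code from the TCSA/miniCapa repository or from capa, derives them from the registry-style GUID strings and the interface's method order. The GUID string values for CLSID_TaskScheduler and IID_ITaskService and the ITaskService method order are taken from the Windows SDK's taskschd.h as the author recalls them and are labelled as assumptions; the rule text itself is copied from the file above.

```python
"""Helpers for writing and auditing capa `bytes:` features that encode COM GUIDs.

Added example, not code from the TCSA/miniCapa repository or from capa.  COM
stores a GUID with its first three fields little-endian and the last two
big-endian, which is exactly what uuid.UUID.bytes_le produces, so a rule's byte
pattern can be generated from the header constant instead of typed by hand.
"""
import uuid

# Assumed values of the Windows SDK constants the rule refers to (taskschd.h).
CLSID_TASKSCHEDULER = "0F87369F-A4E5-4CFC-BD3E-73E6154572DD"
IID_ITASKSERVICE = "2FABA4C7-4DA9-4013-9697-20CC3FD40F85"

# Feature values copied verbatim from schedule-task-via-itaskservice.yml.
RULE_BYTES_CLSID = "9F 36 87 0F E5 A4 FC 4C BD 3E 73 E6 15 45 72 DD = CLSID_TaskScheduler"
RULE_BYTES_IID = "C7 A4 AB 2F A9 4D 13 40 96 97 20 CC 3F D4 0F 85 = IID_ITaskService"


def guid_to_capa_bytes(guid: str, description: str = "") -> str:
    """Render a GUID string as a capa `bytes:` value in in-memory byte order."""
    hexpairs = uuid.UUID(guid).bytes_le.hex(" ").upper()
    return f"{hexpairs} = {description}" if description else hexpairs


def capa_bytes_to_guid(feature: str) -> str:
    """Inverse: drop the ` = description` suffix and decode the 16 bytes."""
    raw = feature.split(" = ", 1)[0]
    data = bytes.fromhex(raw.replace(" ", ""))
    if len(data) != 16:
        raise ValueError(f"expected 16 GUID bytes, got {len(data)}")
    return str(uuid.UUID(bytes_le=data)).upper()


# ITaskService derives from IDispatch; slot order assumed from taskschd.h.
ITASKSERVICE_VTABLE = (
    "QueryInterface", "AddRef", "Release",                          # IUnknown
    "GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke",   # IDispatch
    "GetFolder", "GetRunningTasks", "NewTask", "Connect",
    "get_Connected", "get_TargetServer", "get_ConnectedUser",
    "get_ConnectedDomain", "get_HighestVersion",
)


def vtable_offset(method: str, pointer_size: int = 4) -> int:
    """Byte offset of `method` in the ITaskService vtable for the given pointer size."""
    return ITASKSERVICE_VTABLE.index(method) * pointer_size


if __name__ == "__main__":
    print(guid_to_capa_bytes(CLSID_TASKSCHEDULER, "CLSID_TaskScheduler"))
    print(capa_bytes_to_guid(RULE_BYTES_IID))
    print(hex(vtable_offset("NewTask")), hex(vtable_offset("NewTask", pointer_size=8)))
```

One caveat the offset computation makes visible: with 4-byte slots NewTask sits at 0x24, which is what the rule encodes, but a 64-bit build of the same code would reference 0x48, so the rule as written only covers 32-bit samples.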