├── .gitattributes
├── .github
│   ├── CONTRIBUTING.md
│   ├── ISSUE_TEMPLATE
│   │   ├── false_negative.md
│   │   ├── false_positive.md
│   │   └── rule_idea.md
│   ├── pull_request_template.md
│   ├── scripts
│   │   ├── changelog_author.py
│   │   └── create_releases.py
│   └── workflows
│       ├── release.yml
│       ├── sync.yml
│       └── tests.yml
├── LICENSE.txt
├── README.md
├── anti-analysis
│   ├── anti-av
│   │   ├── block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
│   │   ├── check-for-sandbox-and-av-modules.yml
│   │   ├── overwrite-dll-text-section-to-remove-hooks.yml
│   │   ├── patch-antimalware-scan-interface-function.yml
│   │   ├── patch-event-tracing-for-windows-function.yml
│   │   └── protect-spawned-processes-with-mitigation-policies.yml
│   ├── anti-debugging
│   │   ├── debugger-detection
│   │   │   ├── check-for-debugger-via-api.yml
│   │   │   ├── check-for-hardware-breakpoints.yml
│   │   │   ├── check-for-kernel-debugger-via-shared-user-data-structure.yml
│   │   │   ├── check-for-outputdebugstring-error.yml
│   │   │   ├── check-for-peb-beingdebugged-flag.yml
│   │   │   ├── check-for-peb-ntglobalflag-flag.yml
│   │   │   ├── check-for-protected-handle-exception.yml
│   │   │   ├── check-for-software-breakpoints.yml
│   │   │   ├── check-for-time-delay-via-gettickcount.yml
│   │   │   ├── check-for-time-delay-via-queryperformancecounter.yml
│   │   │   ├── check-for-trap-flag-exception.yml
│   │   │   ├── check-for-unexpected-memory-writes.yml
│   │   │   ├── check-process-job-object.yml
│   │   │   ├── check-processdebugport.yml
│   │   │   └── execute-anti-debugging-instructions.yml
│   │   └── debugger-evasion
│   │       └── hide-thread-from-debugger.yml
│   ├── anti-disasm
│   │   ├── 64-bit-execution-via-heavens-gate.yml
│   │   └── contain-anti-disasm-techniques.yml
│   ├── anti-emulation
│   │   └── wine
│   │       └── check-if-process-is-running-under-wine.yml
│   ├── anti-forensic
│   │   ├── clear-logs
│   │   │   ├── clear-windows-event-logs-remotely.yml
│   │   │   └── clear-windows-event-logs.yml
│   │   ├── crash-the-windows-event-logging-service.yml
│   │   ├── impersonate-file-version-information.yml
│   │   ├── patch-process-command-line.yml
│   │   ├── self-deletion
│   │   │   ├── self-delete-using-alternate-data-streams.yml
│   │   │   └── self-delete.yml
│   │   ├── spoof-parent-pid.yml
│   │   ├── timestomp
│   │   │   └── timestomp-file.yml
│   │   └── unload-sysmon.yml
│   ├── anti-vm
│   │   └── vm-detection
│   │       ├── check-for-foreground-window-switch.yml
│   │       ├── check-for-microsoft-office-emulation.yml
│   │       ├── check-for-sandbox-username-or-hostname.yml
│   │       ├── check-for-unmoving-mouse-cursor.yml
│   │       ├── check-for-windows-sandbox-via-device.yml
│   │       ├── check-for-windows-sandbox-via-dns-suffix.yml
│   │       ├── check-for-windows-sandbox-via-genuine-state.yml
│   │       ├── check-for-windows-sandbox-via-process-name.yml
│   │       ├── check-for-windows-sandbox-via-registry.yml
│   │       ├── detect-vm-via-disk-hardware-wmi-queries.yml
│   │       ├── detect-vm-via-motherboard-hardware-wmi-queries.yml
│   │       ├── reference-anti-vm-strings-targeting-parallels.yml
│   │       ├── reference-anti-vm-strings-targeting-qemu.yml
│   │       ├── reference-anti-vm-strings-targeting-virtualbox.yml
│   │       ├── reference-anti-vm-strings-targeting-virtualpc.yml
│   │       ├── reference-anti-vm-strings-targeting-vmware.yml
│   │       ├── reference-anti-vm-strings-targeting-xen.yml
│   │       └── reference-anti-vm-strings.yml
│   ├── obfuscation
│   │   ├── obfuscated-with-advobfuscator.yml
│   │   ├── obfuscated-with-babel-obfuscator.yml
│   │   ├── obfuscated-with-callobfuscator.yml
│   │   ├── obfuscated-with-deepsea-obfuscator.yml
│   │   ├── obfuscated-with-dotfuscator.yml
│   │   ├── obfuscated-with-smartassembly.yml
│   │   ├── obfuscated-with-spicesdotnet-obfuscator.yml
│   │   ├── obfuscated-with-vs-obfuscation.yml
│   │   ├── obfuscated-with-yano.yml
│   │   └── string
│   │       └── stackstring
│   │           └── contain-obfuscated-stackstrings.yml
│   ├── packer
│   │   ├── amber
│   │   │   └── packed-with-amber.yml
│   │   ├── aspack
│   │   │   └── packed-with-aspack.yml
│   │   ├── confuser
│   │   │   └── packed-with-confuser.yml
│   │   ├── generic
│   │   │   └── packed-with-generic-packer.yml
│   │   ├── gopacker
│   │   │   └── packed-with-gopacker.yml
│   │   ├── huan
│   │   │   └── packed-with-huan.yml
│   │   ├── kkrunchy
│   │   │   └── packed-with-kkrunchy.yml
│   │   ├── nmm-protect
│   │   │   └── packed-with-nmm-protect.yml
│   │   ├── nspack
│   │   │   └── packed-with-nspack.yml
│   │   ├── pebundle
│   │   │   └── packed-with-pebundle.yml
│   │   ├── pecompact
│   │   │   └── packed-with-pecompact.yml
│   │   ├── pelocknt
│   │   │   └── packed-with-pelocknt.yml
│   │   ├── peshield
│   │   │   └── packed-with-peshield.yml
│   │   ├── pespin
│   │   │   └── packed-with-pespin.yml
│   │   ├── petite
│   │   │   └── packed-with-petite.yml
│   │   ├── rlpack
│   │   │   └── packed-with-rlpack.yml
│   │   ├── themida
│   │   │   └── packed-with-themida.yml
│   │   ├── upack
│   │   │   └── packed-with-upack.yml
│   │   ├── upx
│   │   │   └── packed-with-upx.yml
│   │   ├── vmprotect
│   │   │   └── packed-with-vmprotect.yml
│   │   └── y0da
│   │       └── packed-with-y0da-crypter.yml
│   └── reference-analysis-tools-strings.yml
├── collection
│   ├── acquire-credentials-from-windows-credential-manager.yml
│   ├── browser
│   │   ├── gather-chrome-based-browser-login-information.yml
│   │   ├── gather-firefox-profile-information.yml
│   │   ├── get-chrome-cookiemonster.yml
│   │   └── get-elevation-service-for-chromium-based-browsers.yml
│   ├── credit-card
│   │   └── parse-credit-card-information.yml
│   ├── database
│   │   ├── sql
│   │   │   └── reference-sql-statements.yml
│   │   └── wmi
│   │       └── reference-wmi-statements.yml
│   ├── file-managers
│   │   ├── gather-3d-ftp-information.yml
│   │   ├── gather-alftp-information.yml
│   │   ├── gather-bitkinex-information.yml
│   │   ├── gather-blazeftp-information.yml
│   │   ├── gather-bulletproof-ftp-information.yml
│   │   ├── gather-classicftp-information.yml
│   │   ├── gather-coreftp-information.yml
│   │   ├── gather-cuteftp-information.yml
│   │   ├── gather-cyberduck-information.yml
│   │   ├── gather-direct-ftp-information.yml
│   │   ├── gather-directory-opus-information.yml
│   │   ├── gather-expandrive-information.yml
│   │   ├── gather-faststone-browser-information.yml
│   │   ├── gather-fasttrack-ftp-information.yml
│   │   ├── gather-ffftp-information.yml
│   │   ├── gather-filezilla-information.yml
│   │   ├── gather-flashfxp-information.yml
│   │   ├── gather-fling-ftp-information.yml
│   │   ├── gather-freshftp-information.yml
│   │   ├── gather-frigate3-information.yml
│   │   ├── gather-ftp-commander-information.yml
│   │   ├── gather-ftp-explorer-information.yml
│   │   ├── gather-ftp-voyager-information.yml
│   │   ├── gather-ftpgetter-information.yml
│   │   ├── gather-ftpinfo-information.yml
│   │   ├── gather-ftpnow-information.yml
│   │   ├── gather-ftprush-information.yml
│   │   ├── gather-ftpshell-information.yml
│   │   ├── gather-global-downloader-information.yml
│   │   ├── gather-goftp-information.yml
│   │   ├── gather-leapftp-information.yml
│   │   ├── gather-netdrive-information.yml
│   │   ├── gather-nexusfile-information.yml
│   │   ├── gather-nova-ftp-information.yml
│   │   ├── gather-robo-ftp-information.yml
│   │   ├── gather-securefx-information.yml
│   │   ├── gather-smart-ftp-information.yml
│   │   ├── gather-softx-ftp-information.yml
│   │   ├── gather-southriver-webdrive-information.yml
│   │   ├── gather-staff-ftp-information.yml
│   │   ├── gather-total-commander-information.yml
│   │   ├── gather-turbo-ftp-information.yml
│   │   ├── gather-ultrafxp-information.yml
│   │   ├── gather-winscp-information.yml
│   │   ├── gather-winzip-information.yml
│   │   ├── gather-wise-ftp-information.yml
│   │   ├── gather-ws-ftp-information.yml
│   │   └── gather-xftp-information.yml
│   ├── get-geographical-location.yml
│   ├── get-steam-token.yml
│   ├── group-policy
│   │   └── discover-group-policy-via-gpresult.yml
│   ├── keylog
│   │   ├── log-keystrokes-via-application-hook.yml
│   │   ├── log-keystrokes-via-polling.yml
│   │   └── log-keystrokes.yml
│   ├── microphone
│   │   └── capture-microphone-audio.yml
│   ├── network
│   │   ├── capture-network-configuration-via-ipconfig.yml
│   │   ├── capture-packets-using-sharppcap.yml
│   │   ├── capture-public-ip.yml
│   │   ├── get-domain-trust-relationships.yml
│   │   └── get-mac-address-on-windows.yml
│   ├── password-manager
│   │   └── steal-keepass-passwords-using-keefarce.yml
│   ├── screenshot
│   │   ├── capture-screenshot-via-keybd-event.yml
│   │   └── capture-screenshot.yml
│   ├── use-dotnet-library-sharpclipboard.yml
│   └── webcam
│       └── capture-webcam-image.yml
├── communication
│   ├── c2
│   │   ├── file-transfer
│   │   │   ├── download-and-write-a-file.yml
│   │   │   ├── upload-file-to-onedrive.yml
│   │   │   └── write-and-execute-a-file.yml
│   │   └── shell
│   │       ├── create-reverse-shell-on-linux.yml
│   │       ├── create-reverse-shell.yml
│   │       ├── execute-shell-command-and-capture-output.yml
│   │       └── execute-shell-command-received-from-socket-on-linux.yml
│   ├── dns
│   │   ├── reference-dns-over-https-endpoints.yml
│   │   └── resolve-dns.yml
│   ├── ftp
│   │   └── send
│   │       └── send-file-using-ftp.yml
│   ├── http
│   │   ├── client
│   │   │   ├── check-http-status-code.yml
│   │   │   ├── connect-to-http-server.yml
│   │   │   ├── connect-to-url.yml
│   │   │   ├── create-bits-job.yml
│   │   │   ├── create-http-request.yml
│   │   │   ├── decompress-http-response-via-iencodingfilterfactory.yml
│   │   │   ├── download-url.yml
│   │   │   ├── extract-http-body.yml
│   │   │   ├── get-http-document-via-iwebbrowser2.yml
│   │   │   ├── get-http-response-content-encoding.yml
│   │   │   ├── prepare-http-request.yml
│   │   │   ├── read-data-from-internet.yml
│   │   │   ├── receive-http-response.yml
│   │   │   ├── send-file-via-http.yml
│   │   │   └── send-http-request.yml
│   │   ├── get-http-content-length.yml
│   │   ├── initialize-iwebbrowser2.yml
│   │   ├── initialize-winhttp-library.yml
│   │   ├── read-http-header.yml
│   │   ├── reference-http-user-agent-string.yml
│   │   ├── server
│   │   │   ├── receive-http-request.yml
│   │   │   ├── send-http-response.yml
│   │   │   └── start-http-server.yml
│   │   └── set-http-header.yml
│   ├── icmp
│   │   └── send-icmp-echo-request.yml
│   ├── ip
│   │   └── convert-ip-address-from-string.yml
│   ├── mailslot
│   │   ├── create-mailslot.yml
│   │   └── read-from-mailslot.yml
│   ├── named-pipe
│   │   ├── connect
│   │   │   └── connect-pipe.yml
│   │   ├── create
│   │   │   ├── create-pipe.yml
│   │   │   └── create-two-anonymous-pipes.yml
│   │   ├── read
│   │   │   └── read-pipe.yml
│   │   └── write
│   │       └── write-pipe.yml
│   ├── receive-data.yml
│   ├── send-data.yml
│   ├── socket
│   │   ├── attach-bpf-to-socket-on-linux.yml
│   │   ├── connect-socket.yml
│   │   ├── create-raw-socket.yml
│   │   ├── create-vmci-socket.yml
│   │   ├── get-socket-status.yml
│   │   ├── initialize-winsock-library.yml
│   │   ├── receive
│   │   │   └── receive-data-on-socket.yml
│   │   ├── send
│   │   │   └── send-data-on-socket.yml
│   │   ├── set-socket-configuration.yml
│   │   ├── tcp
│   │   │   ├── connect-tcp-socket.yml
│   │   │   ├── create-tcp-socket-via-raw-afd-driver.yml
│   │   │   ├── create-tcp-socket.yml
│   │   │   └── send
│   │   │       ├── obtain-transmitpackets-callback-function-via-wsaioctl.yml
│   │   │       └── send-tcp-data-via-wfp-api.yml
│   │   └── udp
│   │       └── connect-udp-socket.yml
│   └── tcp
│       ├── client
│       │   └── act-as-tcp-client.yml
│       └── serve
│           └── start-tcp-server.yml
├── compiler
│   ├── autohotkey
│   │   └── compiled-with-autohotkey.yml
│   ├── autoit
│   │   └── compiled-with-autoit.yml
│   ├── cx_freeze
│   │   └── compiled-with-cx_freeze.yml
│   ├── d
│   │   └── compiled-with-dmd.yml
│   ├── dart
│   │   └── compiled-with-dart.yml
│   ├── delphi
│   │   └── compiled-with-borland-delphi.yml
│   ├── exe4j
│   │   └── compiled-with-exe4j.yml
│   ├── go
│   │   └── compiled-with-go.yml
│   ├── mingw
│   │   └── compiled-with-mingw-for-windows.yml
│   ├── nim
│   │   └── compiled-with-nim.yml
│   ├── nuitka
│   │   └── compiled-with-nuitka.yml
│   ├── perl2exe
│   │   └── compiled-with-perl2exe.yml
│   ├── ps2exe
│   │   └── compiled-with-ps2exe.yml
│   ├── py2exe
│   │   └── compiled-with-py2exe.yml
│   ├── pyarmor
│   │   └── compiled-with-pyarmor.yml
│   ├── rust
│   │   └── compiled-with-rust.yml
│   ├── v
│   │   └── compiled-with-v.yml
│   ├── vb
│   │   └── compiled-from-visual-basic.yml
│   └── zig
│       └── compiled-with-zig.yml
├── data-manipulation
│   ├── checksum
│   │   ├── adler32
│   │   │   └── compute-adler32-checksum.yml
│   │   ├── crc32
│   │   │   └── hash-data-with-crc32.yml
│   │   └── luhn
│   │       └── validate-payment-card-number-using-luhn-algorithm.yml
│   ├── compression
│   │   ├── compress-data-using-lzo.yml
│   │   ├── compress-data-via-winapi.yml
│   │   ├── compress-data-via-zlib-inflate-or-deflate.yml
│   │   ├── create-cabinet-on-windows.yml
│   │   ├── decompress-data-using-aplib.yml
│   │   ├── decompress-data-using-lzo.yml
│   │   ├── decompress-data-using-quicklz.yml
│   │   ├── decompress-data-using-ucl.yml
│   │   ├── decompress-data-via-iencodingfilterfactory.yml
│   │   └── extract-cabinet-on-windows.yml
│   ├── encoding
│   │   ├── base64
│   │   │   ├── decode-data-using-base64-via-dword-translation-table.yml
│   │   │   ├── decode-data-using-base64-via-winapi.yml
│   │   │   ├── encode-data-using-base64-via-winapi.yml
│   │   │   ├── encode-data-using-base64.yml
│   │   │   └── reference-base64-string.yml
│   │   ├── encode-data-using-add-xor-sub-operations.yml
│   │   └── xor
│   │       └── encode-data-using-xor.yml
│   ├── encryption
│   │   ├── aes
│   │   │   ├── decrypt-data-using-aes-via-x86-extensions.yml
│   │   │   ├── encrypt-data-using-aes-mixcolumns-step.yml
│   │   │   ├── encrypt-data-using-aes-via-dotnet.yml
│   │   │   ├── encrypt-data-using-aes-via-winapi.yml
│   │   │   ├── manually-build-aes-constants.yml
│   │   │   └── use-dotnet-library-encryptdecryptutils.yml
│   │   ├── blowfish
│   │   │   └── encrypt-data-using-blowfish.yml
│   │   ├── camellia
│   │   │   └── encrypt-data-using-camellia.yml
│   │   ├── chaskey
│   │   │   └── encrypt-data-using-chaskey.yml
│   │   ├── create-new-key-via-cryptacquirecontext.yml
│   │   ├── des
│   │   │   ├── encrypt-data-using-des-via-winapi.yml
│   │   │   └── encrypt-data-using-des.yml
│   │   ├── dpapi
│   │   │   └── encrypt-data-using-dpapi.yml
│   │   ├── elliptic-curve
│   │   │   └── encrypt-data-using-curve25519.yml
│   │   ├── encrypt-data-using-memfrob-from-glibc.yml
│   │   ├── encrypt-or-decrypt-via-wincrypt.yml
│   │   ├── get-outbound-credentials-handle-via-credssp.yml
│   │   ├── hc-128
│   │   │   ├── encrypt-data-using-hc-128-via-wolfssl.yml
│   │   │   └── encrypt-data-using-hc-128.yml
│   │   ├── import-public-key.yml
│   │   ├── rc4
│   │   │   ├── encrypt-data-using-rc4-ksa.yml
│   │   │   ├── encrypt-data-using-rc4-prga.yml
│   │   │   ├── encrypt-data-using-rc4-via-systemfunction032.yml
│   │   │   ├── encrypt-data-using-rc4-via-systemfunction033.yml
│   │   │   ├── encrypt-data-using-rc4-via-winapi.yml
│   │   │   └── encrypt-data-using-rc4-with-custom-key-via-winapi.yml
│   │   ├── rc6
│   │   │   └── encrypt-data-using-rc6.yml
│   │   ├── rsa
│   │   │   ├── encrypt-data-using-rsa-via-embedded-library.yml
│   │   │   └── reference-public-rsa-key.yml
│   │   ├── skipjack
│   │   │   └── encrypt-data-using-skipjack.yml
│   │   ├── sosemanuk
│   │   │   └── encrypt-data-using-sosemanuk.yml
│   │   ├── speck
│   │   │   └── encrypt-data-using-speck.yml
│   │   ├── tea
│   │   │   ├── decrypt-data-using-tea.yml
│   │   │   └── encrypt-data-using-tea.yml
│   │   ├── twofish
│   │   │   └── encrypt-data-using-twofish.yml
│   │   ├── use-bigint-function.yml
│   │   ├── vest
│   │   │   └── encrypt-data-using-vest.yml
│   │   ├── xtea
│   │   │   └── encrypt-data-using-xtea.yml
│   │   └── xxtea
│   │       └── encrypt-data-using-xxtea.yml
│   ├── hashing
│   │   ├── djb2
│   │   │   └── hash-data-using-djb2.yml
│   │   ├── fnv
│   │   │   └── hash-data-using-fnv.yml
│   │   ├── hash-data-via-wincrypt.yml
│   │   ├── md5
│   │   │   └── hash-data-with-md5.yml
│   │   ├── murmur
│   │   │   └── hash-data-using-murmur3.yml
│   │   ├── sha1
│   │   │   └── hash-data-using-sha1.yml
│   │   ├── sha224
│   │   │   └── hash-data-using-sha224.yml
│   │   ├── sha256
│   │   │   └── hash-data-using-sha256.yml
│   │   ├── sha384
│   │   │   └── hash-data-using-sha384.yml
│   │   ├── sha512
│   │   │   └── hash-data-using-sha512.yml
│   │   └── tiger
│   │       └── hash-data-using-tiger.yml
│   ├── hmac
│   │   └── authenticate-hmac.yml
│   ├── json
│   │   └── use-dotnet-library-newtonsoftjson.yml
│   ├── prng
│   │   ├── generate-random-numbers-via-rtlgenrandom.yml
│   │   ├── generate-random-numbers-via-winapi.yml
│   │   └── mersenne
│   │       └── generate-random-numbers-using-a-mersenne-twister.yml
│   └── svg
│       └── use-dotnet-library-sharpvectors.yml
├── doc
│   └── format.md
├── executable
│   ├── dotnet-singlefile
│   │   ├── bundled-with-dotnet-single-file-deployment.yml
│   │   └── packaged-as-single-file-dotnet-application.yml
│   ├── installer
│   │   ├── iexpress
│   │   │   └── packaged-as-an-iexpress-self-extracting-archive.yml
│   │   └── inno-setup
│   │       └── packaged-as-an-inno-setup-installer.yml
│   ├── pe
│   │   ├── export
│   │   │   └── forwarded-export.yml
│   │   ├── pdb
│   │   │   └── contains-pdb-path.yml
│   │   └── section
│   │       └── tls
│   │           └── contain-a-thread-local-storage-tls-section.yml
│   ├── resource
│   │   ├── access-dotnet-resource.yml
│   │   ├── embed-dependencies-as-resources-using-fodycostura.yml
│   │   └── extract-resource-via-kernel32-functions.yml
│   └── subfile
│       └── pe
│           └── contain-an-embedded-pe-file.yml
├── exploitation
│   ├── enumeration
│   │   └── make-suspicious-ntquerysysteminformation-call.yml
│   ├── gadgets
│   │   ├── load-ntoskrnl.yml
│   │   └── resolve-ntoskrnl-gadgets.yml
│   └── spraying
│       └── make-suspicious-ntfscontrolfile-call.yml
├── host-interaction
│   ├── bootloader
│   │   ├── disable-code-signing.yml
│   │   ├── get-uefi-variable.yml
│   │   ├── manipulate-boot-configuration.yml
│   │   ├── manipulate-safe-mode-programs.yml
│   │   └── set-uefi-variable.yml
│   ├── cli
│   │   ├── accept-command-line-arguments.yml
│   │   └── resolve-path-using-msvcrt.yml
│   ├── clipboard
│   │   ├── open-clipboard.yml
│   │   ├── read-clipboard-data.yml
│   │   └── write-clipboard-data.yml
│   ├── console
│   │   └── manipulate-console-buffer.yml
│   ├── driver
│   │   ├── complete-processing-asynchronous-io-request.yml
│   │   ├── create-device-object.yml
│   │   ├── disable-driver-code-integrity.yml
│   │   ├── install-driver.yml
│   │   ├── interact-with-driver-via-ioctl.yml
│   │   └── unload-driver.yml
│   ├── environment-variable
│   │   ├── get-comspec-environment-variable.yml
│   │   ├── query-environment-variable.yml
│   │   └── set-environment-variable.yml
│   ├── file-system
│   │   ├── bypass-mark-of-the-web.yml
│   │   ├── change-file-permission-on-linux.yml
│   │   ├── copy
│   │   │   └── copy-file.yml
│   │   ├── create-virtual-file-system-in-dotnet.yml
│   │   ├── create
│   │   │   └── create-directory.yml
│   │   ├── delete
│   │   │   ├── delete-directory.yml
│   │   │   └── delete-file.yml
│   │   ├── exists
│   │   │   └── check-if-file-exists.yml
│   │   ├── files
│   │   │   └── list
│   │   │       ├── enumerate-files-on-linux.yml
│   │   │       ├── enumerate-files-on-windows.yml
│   │   │       └── enumerate-files-recursively.yml
│   │   ├── get-common-file-path.yml
│   │   ├── get-file-system-object-information.yml
│   │   ├── get-program-files-directory.yml
│   │   ├── get-windows-directory-from-kuser_shared_data.yml
│   │   ├── meta
│   │   │   ├── get-file-attributes.yml
│   │   │   ├── get-file-size.yml
│   │   │   ├── get-file-version-info.yml
│   │   │   └── set-file-attributes.yml
│   │   ├── move
│   │   │   └── move-file.yml
│   │   ├── read
│   │   │   ├── read-file-on-linux.yml
│   │   │   ├── read-file-on-windows.yml
│   │   │   ├── read-file-via-mapping.yml
│   │   │   ├── read-ini-file.yml
│   │   │   └── read-virtual-disk.yml
│   │   ├── reference-absolute-stream-path-on-windows.yml
│   │   ├── windows-file-protection
│   │   │   └── bypass-windows-file-protection.yml
│   │   └── write
│   │       ├── clear-file-content.yml
│   │       ├── write-file-on-linux.yml
│   │       └── write-file-on-windows.yml
│   ├── filter
│   │   ├── enumerate-minifilter-drivers.yml
│   │   ├── register-minifilter-driver.yml
│   │   ├── start-minifilter-driver.yml
│   │   └── unload-minifilter-driver.yml
│   ├── firewall
│   │   └── modify
│   │       ├── access-firewall-policy-via-inetfwpolicy2.yml
│   │       ├── access-firewall-rule-properties-via-inetfwrule.yml
│   │       └── access-firewall-settings-via-inetfwmgr.yml
│   ├── gui
│   │   ├── console
│   │   │   └── set-console-window-title.yml
│   │   ├── enumerate-gui-resources.yml
│   │   ├── logon
│   │   │   └── references-logon-banner.yml
│   │   ├── session
│   │   │   ├── lock
│   │   │   │   └── lock-the-desktop.yml
│   │   │   └── wallpaper
│   │   │       └── change-the-wallpaper.yml
│   │   ├── set-application-hook.yml
│   │   ├── switch-active-desktop.yml
│   │   ├── taskbar
│   │   │   ├── find
│   │   │   │   └── find-taskbar.yml
│   │   │   └── hide
│   │   │       └── hide-the-windows-taskbar.yml
│   │   └── window
│   │       ├── find
│   │       │   └── find-graphical-window.yml
│   │       ├── get-text
│   │       │   └── get-graphical-window-text.yml
│   │       └── hide
│   │           ├── hide-graphical-window-from-taskbar.yml
│   │           └── hide-graphical-window.yml
│   ├── hardware
│   │   ├── cdrom
│   │   │   └── manipulate-cd-rom-drive.yml
│   │   ├── cpu
│   │   │   ├── get-cpu-information.yml
│   │   │   ├── get-number-of-processor-cores.yml
│   │   │   └── get-number-of-processors.yml
│   │   ├── enumerate-devices-by-category.yml
│   │   ├── firmware
│   │   │   └── get-system-firmware-table.yml
│   │   ├── keyboard
│   │   │   ├── get-keyboard-layout.yml
│   │   │   └── simulate-ctrl-alt-del.yml
│   │   ├── memory
│   │   │   ├── get-memory-capacity.yml
│   │   │   └── get-memory-information.yml
│   │   ├── mouse
│   │   │   └── swap-mouse-buttons.yml
│   │   └── storage
│   │       ├── enumerate-disk-properties.yml
│   │       ├── get-disk-information.yml
│   │       └── get-disk-size.yml
│   ├── log
│   │   ├── clfs
│   │   │   └── read-data-from-clfs-log-container.yml
│   │   ├── debug
│   │   │   └── write-event
│   │   │       └── print-debug-messages.yml
│   │   └── winevt
│   │       └── access
│   │           └── access-the-windows-event-log.yml
│   ├── memory
│   │   └── create-new-application-domain-in-dotnet.yml
│   ├── mutex
│   │   ├── check-mutex-and-terminate-process-on-windows.yml
│   │   ├── check-mutex-on-windows.yml
│   │   ├── create-or-open-mutex-on-windows.yml
│   │   ├── create-semaphore-on-linux.yml
│   │   ├── lock-file.yml
│   │   ├── lock-semaphore-on-linux.yml
│   │   └── unlock-semaphore-on-linux.yml
│   ├── network
│   │   ├── address
│   │   │   └── get-local-ipv4-addresses.yml
│   │   ├── connectivity
│   │   │   ├── check-internet-connectivity-via-wininet.yml
│   │   │   └── set-tcp-connection-state.yml
│   │   ├── domain
│   │   │   ├── enumerate-domain-computers-via-ldap.yml
│   │   │   ├── get-domain-controller-name.yml
│   │   │   └── get-domain-information.yml
│   │   ├── interface
│   │   │   └── get-networking-interfaces.yml
│   │   └── traffic
│   │       ├── copy
│   │       │   └── copy-network-traffic.yml
│   │       └── filter
│   │           ├── delete-network-filter-via-wfp-api.yml
│   │           ├── enumerate-network-filters-via-wfp-api.yml
│   │           └── register-network-filter-via-wfp-api.yml
│   ├── os
│   │   ├── hide-shutdown-actions-via-policy.yml
│   │   ├── hostname
│   │   │   └── get-hostname.yml
│   │   ├── info
│   │   │   └── get-system-information-on-windows.yml
│   │   ├── shutdown-system.yml
│   │   └── version
│   │       ├── check-os-version.yml
│   │       ├── get-kernel-version.yml
│   │       └── get-linux-distribution.yml
│   ├── process
│   │   ├── create
│   │   │   ├── create-a-process-with-modified-io-handles-and-window.yml
│   │   │   ├── create-process-on-linux.yml
│   │   │   ├── create-process-on-windows.yml
│   │   │   ├── create-process-suspended.yml
│   │   │   └── execute-command.yml
│   │   ├── dump
│   │   │   └── create-process-memory-minidump.yml
│   │   ├── get-process-filename.yml
│   │   ├── get-process-heap-flags.yml
│   │   ├── get-process-heap-force-flags.yml
│   │   ├── inject
│   │   │   ├── allocate-or-change-rwx-memory.yml
│   │   │   ├── allocate-user-process-rwx-memory.yml
│   │   │   ├── attach-user-process-memory.yml
│   │   │   ├── free-user-process-memory.yml
│   │   │   ├── hijack-thread-execution.yml
│   │   │   ├── inject-apc.yml
│   │   │   ├── inject-dll.yml
│   │   │   ├── inject-pe.yml
│   │   │   ├── inject-shellcode-using-a-file-mapping-object.yml
│   │   │   ├── inject-shellcode-using-extra-window-memory.yml
│   │   │   ├── inject-shellcode-using-window-subclass-procedure.yml
│   │   │   ├── inject-thread.yml
│   │   │   ├── process-ghostly-hollowing.yml
│   │   │   ├── use-process-doppelgänging.yml
│   │   │   └── use-process-replacement.yml
│   │   ├── list
│   │   │   ├── enumerate-processes-on-remote-desktop-session-host.yml
│   │   │   ├── enumerate-processes-via-ntquerysysteminformation.yml
│   │   │   ├── enumerate-processes.yml
│   │   │   ├── find-process-by-pid.yml
│   │   │   └── get-explorer-pid.yml
│   │   ├── map-section-object.yml
│   │   ├── modify
│   │   │   ├── acquire-debug-privileges.yml
│   │   │   └── modify-access-privileges.yml
│   │   ├── modules
│   │   │   └── list
│   │   │       └── enumerate-process-modules.yml
│   │   └── terminate
│   │       ├── terminate-process-via-kill.yml
│   │       └── terminate-process.yml
│   ├── recycle-bin
│   │   └── empty-recycle-bin-quietly.yml
│   ├── registry
│   │   ├── change-registry-key-timestamp.yml
│   │   ├── create-registry-key-via-offline-registry-library.yml
│   │   ├── create
│   │   │   └── set-registry-value.yml
│   │   ├── delete
│   │   │   ├── delete-registry-key.yml
│   │   │   └── delete-registry-value.yml
│   │   ├── open-recentdocs-registry-key.yml
│   │   ├── open-registry-key-via-offline-registry-library.yml
│   │   ├── query-or-enumerate-registry-key.yml
│   │   ├── query-or-enumerate-registry-value.yml
│   │   ├── query-registry-key-via-offline-registry-library.yml
│   │   └── set-registry-key-via-offline-registry-library.yml
│   ├── service
│   │   ├── continue-service.yml
│   │   ├── create
│   │   │   └── create-service.yml
│   │   ├── delete
│   │   │   └── delete-service.yml
│   │   ├── list
│   │   │   └── enumerate-services.yml
│   │   ├── modify
│   │   │   └── modify-service.yml
│   │   ├── pause-service.yml
│   │   ├── query-service-configuration.yml
│   │   ├── query-service-status.yml
│   │   ├── run-as-service.yml
│   │   ├── start
│   │   │   └── start-service.yml
│   │   └── stop
│   │       └── stop-service.yml
│   ├── session
│   │   ├── get-current-user-on-linux.yml
│   │   ├── get-logon-sessions.yml
│   │   ├── get-session-integrity-level.yml
│   │   ├── get-session-user-name.yml
│   │   ├── get-token-membership.yml
│   │   └── get-user-security-identifier.yml
│   ├── software
│   │   └── get-installed-programs.yml
│   ├── thread
│   │   ├── create
│   │   │   └── create-thread.yml
│   │   ├── list
│   │   │   └── enumerate-threads.yml
│   │   ├── resume
│   │   │   └── resume-thread.yml
│   │   ├── suspend
│   │   │   └── suspend-thread.yml
│   │   ├── terminate
│   │   │   └── terminate-thread.yml
│   │   └── tls
│   │       ├── allocate-thread-local-storage.yml
│   │       └── set-thread-local-storage-value.yml
│   ├── uac
│   │   └── bypass
│   │       ├── bypass-uac-via-appinfo-alpc.yml
│   │       ├── bypass-uac-via-icmluautil.yml
│   │       ├── bypass-uac-via-rpc.yml
│   │       └── bypass-uac-via-token-manipulation.yml
│   └── wmi
│       └── connect-to-wmi-namespace-via-wbemlocator.yml
├── impact
│   ├── inhibit-system-recovery
│   │   └── delete-volume-shadow-copies.yml
│   └── wipe-disk
│       ├── delete-drive-layout-via-ioctl.yml
│       └── wipe-mbr
│           └── overwrite-master-boot-record-mbr.yml
├── internal
│   └── limitation
│       ├── dynamic
│       │   └── internal-dotnet-file-limitation.yml
│       └── static
│           ├── README.md
│           ├── internal-autohotkey-file-limitation.yml
│           ├── internal-autoit-file-limitation.yml
│           ├── internal-dotnet-single-file-deployment-limitation.yml
│           ├── internal-installer-file-limitation.yml
│           ├── internal-packer-file-limitation.yml
│           └── internal-visual-basic-file-limitation.yml
├── lib
│   ├── allocate-memory.yml
│   ├── allocate-or-change-rw-memory.yml
│   ├── calculate-modulo-256-via-x86-assembly.yml
│   ├── change-memory-protection.yml
│   ├── contain-loop.yml
│   ├── contain-pusha-popa-sequence.yml
│   ├── create-file-compression-interface-context-on-windows.yml
│   ├── create-file-decompression-interface-context-on-windows.yml
│   ├── create-or-open-file.yml
│   ├── create-or-open-registry-key.yml
│   ├── create-or-open-section-object.yml
│   ├── delay-execution.yml
│   ├── duplicate-stdin-and-stdout.yml
│   ├── get-os-version.yml
│   ├── get-service-handle.yml
│   ├── open-process.yml
│   ├── open-thread.yml
│   ├── peb-access.yml
│   ├── validate-payment-card-number-using-luhn-algorithm-with-lookup-table.yml
│   ├── validate-payment-card-number-using-luhn-algorithm-with-no-lookup-table.yml
│   └── write-process-memory.yml
├── linking
│   ├── runtime-linking
│   │   ├── access-peb-ldr_data.yml
│   │   ├── get-kernel32-base-address.yml
│   │   ├── get-ntdll-base-address.yml
│   │   ├── link-function-at-runtime-on-windows.yml
│   │   ├── link-many-functions-at-runtime.yml
│   │   ├── populate-syswhispers2-syscall-list.yml
│   │   ├── resolve-function-by-brute-ratel-badger-hash.yml
│   │   └── resolve-function-by-fin8-fasthash.yml
│   └── static
│       ├── aplib
│       │   └── linked-against-aplib.yml
│       ├── cryptopp
│       │   └── linked-against-crypto.yml
│       ├── libcurl
│       │   └── linked-against-libcurl.yml
│       ├── linked-against-cpp-standard-library.yml
│       ├── minhook
│       │   └── linked-against-minhook.yml
│       ├── msdetours
│       │   └── linked-against-microsoft-detours.yml
│       ├── openssl
│       │   └── linked-against-openssl.yml
│       ├── polarssl
│       │   └── linked-against-polarsslmbed-tls.yml
│       ├── sqlite3
│       │   ├── linked-against-cppsqlite3.yml
│       │   ├── linked-against-sqlcipher.yml
│       │   └── linked-against-sqlite3.yml
│       ├── touchsocket
│       │   └── linked-against-touchsocket.yml
│       ├── wolfcrypt
│       │   └── linked-against-wolfcrypt.yml
│       ├── wolfssl
│       │   └── linked-against-wolfssl.yml
│       └── zlib
│           └── linked-against-zlib.yml
├── load-code
│   ├── dotnet
│   │   ├── load-assembly-via-iassembly.yml
│   │   └── load-windows-common-language-runtime.yml
│   ├── execute-vbscript-javascript-or-jscript-in-memory.yml
│   ├── pe
│   │   ├── access-pe-header.yml
│   │   ├── enumerate-pe-sections.yml
│   │   ├── inject-dll-reflectively.yml
│   │   ├── inspect-section-memory-permissions.yml
│   │   ├── parse-pe-header.yml
│   │   ├── rebuild-import-table.yml
│   │   └── resolve-function-by-parsing-pe-exports.yml
│   ├── powershell
│   │   └── run-powershell-expression.yml
│   └── shellcode
│       ├── execute-shellcode-via-copyfile2.yml
│       ├── execute-shellcode-via-createthreadpoolwait.yml
│       ├── execute-shellcode-via-windows-callback-function.yml
│       ├── execute-shellcode-via-windows-fibers.yml
│       └── spawn-thread-to-rwx-shellcode.yml
├── malware-family
│   ├── donut-loader
│   │   └── load-shellcode-via-donut.yml
│   └── plugx
│       └── match-known-plugx-module.yml
├── nursery
│   ├── access-camera-in-dotnet-on-android.yml
│   ├── access-unmanaged-com-objects-in-dotnet.yml
│   ├── access-wmi-data-in-dotnet.yml
│   ├── add-user-account-group.yml
│   ├── add-user-account-to-group.yml
│   ├── add-user-account.yml
│   ├── add-value-to-global-atom-table.yml
│   ├── allocate-unmanaged-memory-in-dotnet.yml
│   ├── append-data-to-clfs-log-container.yml
│   ├── authenticate-data-with-md5-mac.yml
│   ├── build-docker-image.yml
│   ├── bypass-hidden-api-restrictions-via-jni-on-android.yml
│   ├── bypass-uac-via-scheduled-task-environment-variable.yml
│   ├── capture-microphone-audio-in-dotnet-on-android.yml
│   ├── capture-network-configuration-via-ifconfig.yml
│   ├── capture-process-snapshot-data.yml
│   ├── capture-screenshot-in-dotnet-on-android.yml
│   ├── capture-screenshot-in-go.yml
│   ├── capture-webcam-video.yml
│   ├── change-memory-permission-on-linux.yml
│   ├── change-user-account-password.yml
│   ├── check-clipboard-data.yml
│   ├── check-file-extension-in-dotnet.yml
│   ├── check-file-permission-on-linux.yml
│   ├── check-for-incoming-call-in-dotnet-on-android.yml
│   ├── check-for-minimum-number-of-windows-on-screen.yml
│   ├── check-for-outgoing-call-in-dotnet-on-android.yml
│   ├── check-for-process-debug-object.yml
│   ├── check-for-sandbox-via-mac-address-ouis-in-dotnet.yml
│   ├── check-for-vm-using-instruction-vpcext.yml
│   ├── check-for-windows-sandbox-via-mutex.yml
│   ├── check-for-windows-sandbox-via-subdirectory.yml
│   ├── check-if-directory-exists.yml
│   ├── check-if-process-is-running-under-android-emulator-on-android.yml
│   ├── check-license-value.yml
│   ├── check-processdebugflags.yml
│   ├── check-systemkerneldebuggerinformation.yml
│   ├── check-thread-suspend-count-exceeded.yml
│   ├── check-thread-yield-allowed.yml
│   ├── clear-clipboard-data.yml
│   ├── collect-ssh-keys.yml
│   ├── communicate-with-kernel-module-via-netlink-socket-on-linux.yml
│   ├── compare-security-identifiers.yml
│   ├── compile-csharp-in-dotnet.yml
│   ├── compile-dotnet-assembly.yml
│   ├── compile-visual-basic-in-dotnet.yml
│   ├── compiled-from-epl.yml
│   ├── compiled-with-exescript.yml
│   ├── compiled-with-xamarin.yml
│   ├── compress-data-using-gzip-in-dotnet.yml
│   ├── connect-network-resource.yml
│   ├── contain-a-thread-local-storage-tls-section-in-dotnet.yml
│   ├── covertly-decode-and-write-data-to-windows-directory-using-indirect-calls.yml
│   ├── create-container.yml
│   ├── create-process-via-wmi-in-dotnet.yml
│   ├── create-registry-key-via-stdregprov.yml
│   ├── create-restart-manager-session.yml
│   ├── create-thread-bypassing-process-freeze.yml
│   ├── create-udp-socket.yml
│   ├── create-zip-archive-in-dotnet.yml
│   ├── debug-build.yml
│   ├── decode-data-using-base64-in-dotnet.yml
│   ├── decode-data-using-base64-via-vbmi-lookup-table.yml
│   ├── decode-data-using-url-encoding.yml
│   ├── decrypt-data-using-rsa-via-winapi.yml
│   ├── decrypt-data-using-tripledes-in-dotnet.yml
│   ├── decrypt-data-via-sspi.yml
│   ├── delete-file-on-linux.yml
│   ├── delete-internet-cache.yml
│   ├── delete-registry-key-via-offline-registry-library.yml
│   ├── delete-registry-key-via-stdregprov.yml
│   ├── delete-registry-value-via-stdregprov.yml
│   ├── delete-user-account-from-group.yml
│   ├── delete-user-account-group.yml
│   ├── delete-user-account.yml
│   ├── delete-windows-backup-catalog.yml
│   ├── deserialize-json-in-dotnet.yml
│   ├── destroy-software-breakpoint-capability.yml
│   ├── disable-automatic-windows-recovery-features.yml
│   ├── disable-device-guard-features-via-registry-on-windows.yml
│   ├── disable-firewall-features-via-registry-on-windows.yml
│   ├── disable-system-features-via-registry-on-windows.yml
│   ├── disable-system-restore-features-via-registry-on-windows.yml
│   ├── disable-windows-defender-features-via-registry-on-windows.yml
│   ├── display-service-notification-message-box.yml
│   ├── empty-the-recycle-bin.yml
│   ├── enable-safe-mode-boot.yml
│   ├── encrypt-data-using-aes-via-x86-extensions.yml
│   ├── encrypt-data-using-aes.yml
│   ├── encrypt-data-using-fakem-cipher.yml
│   ├── encrypt-data-using-openssl-dsa.yml
│   ├── encrypt-data-using-openssl-ecdsa.yml
│   ├── encrypt-data-using-openssl-rsa.yml
│   ├── encrypt-data-using-rsa-via-winapi.yml
│   ├── encrypt-data-using-salsa20-or-chacha.yml
│   ├── encrypt-data-using-tripledes-in-dotnet.yml
│   ├── encrypt-data-via-sspi.yml
│   ├── encrypt-or-decrypt-data-via-bcrypt.yml
│   ├── enter-debug-mode-in-dotnet.yml
│   ├── enumerate-browser-history.yml
│   ├── enumerate-device-drivers-on-linux.yml
│   ├── enumerate-device-drivers-on-windows.yml
│   ├── enumerate-disk-volumes.yml
│   ├── enumerate-drives.yml
│   ├── enumerate-files-in-dotnet.yml
│   ├── enumerate-internet-cache.yml
│   ├── enumerate-network-shares.yml
│   ├── enumerate-pe-sections-in-dotnet.yml
│   ├── enumerate-processes-that-use-resource.yml
│   ├── enumerate-processes-via-procfs.yml
│   ├── enumerate-system-firmware-tables.yml
│   ├── execute-dotnet-assembly.yml
│   ├── execute-shell-command-via-windows-remote-management.yml
│   ├── execute-shellcode-via-indirect-call.yml
│   ├── execute-sqlite-statement-in-dotnet.yml
│   ├── execute-syscall.yml
│   ├── execute-via-asynchronous-task-in-dotnet.yml
│   ├── execute-via-timer-in-dotnet.yml
│   ├── extract-zip-archive-in-dotnet.yml
│   ├── find-data-using-regex-in-dotnet.yml
│   ├── find-process-by-name.yml
│   ├── generate-method-via-reflection-in-dotnet.yml
│   ├── generate-random-bytes-in-dotnet.yml
│   ├── generate-random-filename-in-dotnet.yml
│   ├── generate-random-numbers-in-dotnet.yml
│   ├── generate-random-numbers-using-the-delphi-lcg.yml
│   ├── get-client-handle-via-schannel.yml
│   ├── get-current-pid-on-linux.yml
│   ├── get-current-process-command-line.yml
│   ├── get-current-process-file-path.yml
│   ├── get-current-process-filesystem-mounts-on-linux.yml
│   ├── get-current-process-memory-mapping-on-linux.yml
│   ├── get-disk-information-via-ioctl.yml
│   ├── get-file-system-information-on-linux.yml
│   ├── get-http-request-uri.yml
│   ├── get-inbound-credentials-handle-via-credssp.yml
│   ├── get-mac-address-in-dotnet.yml
│   ├── get-mac-address-on-linux.yml
│   ├── get-networking-parameters.yml
│   ├── get-ntoskrnl-base-address.yml
│   ├── get-os-information-via-kuser_shared_data.yml
│   ├── get-os-version-in-dotnet-on-android.yml
│   ├── get-os-version-in-dotnet.yml
│   ├── get-password-database-entry-on-linux.yml
│   ├── get-process-image-filename.yml
│   ├── get-proxy.yml
│   ├── get-remote-cert-context-via-schannel.yml
│   ├── get-routing-table.yml
│   ├── get-session-information.yml
│   ├── get-shadow-password-file-entry-on-linux.yml
│   ├── get-socket-information.yml
│   ├── get-storage-device-properties.yml
│   ├── get-system-information-on-linux.yml
│   ├── get-system-property-on-android.yml
│   ├── get-system-web-proxy.yml
│   ├── get-thread-local-storage-value.yml
│   ├── get-token-privileges.yml
│   ├── get-volume-information-via-ioctl.yml
│   ├── hash-data-using-aphash.yml
│   ├── hash-data-using-crc32b.yml
│   ├── hash-data-using-jshash.yml
│   ├── hash-data-using-md4.yml
│   ├── hash-data-using-murmur2.yml
│   ├── hash-data-using-ripemd128.yml
│   ├── hash-data-using-ripemd256.yml
│   ├── hash-data-using-ripemd320.yml
│   ├── hash-data-using-rshash.yml
│   ├── hash-data-using-sha1-via-wincrypt.yml
│   ├── hash-data-using-sha1-via-x86-extensions.yml
│   ├── hash-data-using-sha256-via-x86-extensions.yml
│   ├── hash-data-using-sha512managed-in-dotnet.yml
│   ├── hash-data-using-whirlpool.yml
│   ├── hash-data-via-bcrypt.yml
│   ├── hook-routines-via-dlsym-rtld_next.yml
│   ├── hook-routines-via-lsplant.yml
│   ├── hook-routines-via-microsoft-detours.yml
│   ├── hooked-by-api-override.yml
│   ├── impersonate-user.yml
│   ├── implement-com-dll.yml
│   ├── implement-ui-automation-client-in-dotnet.yml
│   ├── initialize-hashing-via-wincrypt.yml
│   ├── inspect-load-icon-resource.yml
│   ├── interact-with-iptables.yml
│   ├── interact-with-shortcut-via-iwshshortcut-in-dotnet.yml
│   ├── interact-with-windows-scripting-host-in-dotnet.yml
│   ├── invoke-dotnet-assembly-method.yml
│   ├── link-function-at-runtime-on-linux.yml
│   ├── linked-against-cpp-http-library.yml
│   ├── linked-against-cpp-json-library.yml
│   ├── linked-against-cpp-regex-library.yml
│   ├── linked-against-go-process-enumeration-library.yml
│   ├── linked-against-go-registry-library.yml
│   ├── linked-against-go-static-asset-library.yml
│   ├── linked-against-go-wmi-library.yml
│   ├── linked-against-hp-socket.yml
│   ├── linked-against-libsodium.yml
│   ├── linked-against-xzip.yml
│   ├── list-containers.yml
│   ├── list-domain-servers.yml
│   ├── list-drag-and-drop-files.yml
│   ├── list-groups-for-user-account.yml
│   ├── list-tcp-connections-and-listeners.yml
│   ├── list-udp-connections-and-listeners.yml
│   ├── list-user-account-groups.yml
│   ├── list-user-accounts-for-group.yml
│   ├── list-user-accounts.yml
│   ├── listen-for-remote-procedure-calls.yml
│   ├── load-dotnet-assembly.yml
│   ├── load-packed-dex-via-jiagu-on-android.yml
│   ├── load-xml-in-dotnet.yml
│   ├── log-keystrokes-via-input-method-manager.yml
│   ├── log-keystrokes-via-raw-input-data.yml
│   ├── make-an-http-request-with-a-cookie.yml
│   ├── manipulate-console-window.yml
│   ├── manipulate-network-credentials-in-dotnet.yml
│   ├── manipulate-unmanaged-memory-in-dotnet.yml
│   ├── manipulate-user-privileges.yml
│   ├── map-or-unmap-memory-on-linux.yml
│   ├── mark-thread-detached-on-linux.yml
│   ├── migrate-process-to-active-window-station.yml
│   ├── mixed-mode.yml
│   ├── modify-api-blacklist-or-denylist-via-jni-on-android.yml
│   ├── monitor-clipboard-content.yml
│   ├── monitor-local-ipv4-address-changes.yml
│   ├── move-directory.yml
│   ├── obfuscated-with-koivm.yml
│   ├── packaged-as-a-createinstall-installer.yml
│   ├── packaged-as-a-nsis-installer.yml
│   ├── packaged-as-a-pintool.yml
│   ├── packaged-as-a-winzip-self-extracting-archive.yml
│   ├── packaged-as-a-wise-installer.yml
│   ├── packaged-as-an-installshield-installer.yml
│   ├── packed-with-ccg.yml
│   ├── packed-with-crunch.yml
│   ├── packed-with-dragon-armor.yml
│   ├── packed-with-enigma.yml
│   ├── packed-with-epack.yml
│   ├── packed-with-maskpe.yml
│   ├── packed-with-mew.yml
│   ├── packed-with-mpress.yml
│   ├── packed-with-neolite.yml
│   ├── packed-with-pepack.yml
│   ├── packed-with-perplex.yml
│   ├── packed-with-procrypt.yml
│   ├── packed-with-rpcrypt.yml
│   ├── packed-with-seausfx.yml
│   ├── packed-with-shrinker.yml
│   ├── packed-with-simple-pack.yml
│   ├── packed-with-starforce.yml
│   ├── packed-with-svkp.yml
│   ├── packed-with-tsuloader.yml
│   ├── packed-with-vprotect.yml
│   ├── packed-with-wwpack.yml
│   ├── parse-url.yml
│   ├── persist-via-aedebug-registry-key.yml
│   ├── persist-via-amsi-registry-key.yml
│   ├── persist-via-app-paths-registry-key.yml
│   ├── persist-via-appcertdlls-registry-key.yml
│   ├── persist-via-application-shimming.yml
│   ├── persist-via-appx-registry-key.yml
│   ├── persist-via-autodialdll-registry-key.yml
│   ├── persist-via-autoplayhandlers-registry-key.yml
│   ├── persist-via-bits-job.yml
│   ├── persist-via-bootverificationprogram-registry-key.yml
│   ├── persist-via-code-signing-registry-key.yml
│   ├── persist-via-com-hijack.yml
│   ├── persist-via-command-processor-registry-key.yml
│   ├── persist-via-contextmenuhandlers-registry-key.yml
│   ├── persist-via-cor_profiler_path-registry-value.yml
│   ├── persist-via-default-file-association-registry-key.yml
│   ├── persist-via-disk-cleanup-handler-registry-key.yml
│   ├── persist-via-dotnet-dbgmanageddebugger-registry-key.yml
│   ├── persist-via-dotnet_startup_hooks-registry-key.yml
│   ├── 
persist-via-errorhandler-script.yml ├── persist-via-explorer-tools-registry-key.yml ├── persist-via-filter-handlers-registry-key.yml ├── persist-via-get-variable-hijack.yml ├── persist-via-gnome-autostart-on-linux.yml ├── persist-via-group-policy-registry-key.yml ├── persist-via-hhctrl-com-hijack.yml ├── persist-via-htmlhelp-author-registry-key.yml ├── persist-via-image-file-execution-options-registry-key.yml ├── persist-via-iphlpapi-dll-hijack.yml ├── persist-via-lnk-shortcut.yml ├── persist-via-lsa-registry-key.yml ├── persist-via-natural-language-registry-key.yml ├── persist-via-netsh-registry-key.yml ├── persist-via-network-provider-registry-key.yml ├── persist-via-path-registry-key.yml ├── persist-via-powershell-profile.yml ├── persist-via-print-monitors-registry-key.yml ├── persist-via-print-processors-registry-key.yml ├── persist-via-rdp-startup-programs-registry-key.yml ├── persist-via-screensaver-registry-key.yml ├── persist-via-silentprocessexit-registry-key.yml ├── persist-via-telemetrycontroller-registry-key.yml ├── persist-via-timeproviders-registry-key.yml ├── persist-via-ts-initialprogram-registry-key.yml ├── persist-via-userinitmprlogonscript-registry-value.yml ├── persist-via-windows-accessibility-tools.yml ├── persist-via-windows-error-reporting-registry-key.yml ├── persist-via-windows-terminal-profile.yml ├── power-down-monitor.yml ├── prompt-user-for-credentials.yml ├── query-or-enumerate-registry-key-via-stdregprov.yml ├── query-or-enumerate-registry-value-via-stdregprov.yml ├── query-remote-server-for-available-data.yml ├── read-and-send-data-from-client-to-server.yml ├── read-process-memory.yml ├── read-raw-disk-data.yml ├── rebuilt-by-imprec.yml ├── receive-and-write-data-from-server-to-client.yml ├── reference-114dns-dns-server.yml ├── reference-aes-constants.yml ├── reference-alidns-dns-server.yml ├── reference-base58-string.yml ├── reference-cloudflare-dns-server.yml ├── reference-comodo-secure-dns-server.yml ├── 
reference-cryptocurrency-strings.yml ├── reference-google-public-dns-server.yml ├── reference-hurricane-electric-dns-server.yml ├── reference-kornet-dns-server.yml ├── reference-l3-dns-server.yml ├── reference-opendns-dns-server.yml ├── reference-processor-manufacturer-constants.yml ├── reference-quad9-dns-server.yml ├── reference-startup-folder.yml ├── reference-the-vmware-io-port.yml ├── reference-verisign-dns-server.yml ├── register-http-server-url.yml ├── register-raw-input-devices.yml ├── resize-volume-shadow-copy-storage.yml ├── resolve-function-by-djb2-hash.yml ├── resolve-function-by-fnv-1a-hash.yml ├── resolve-function-by-hash.yml ├── run-in-container.yml ├── save-image-in-dotnet.yml ├── schedule-task-via-itaskservice.yml ├── search-for-credit-card-data.yml ├── send-data-to-internet.yml ├── send-email-in-dotnet.yml ├── send-http-request-with-host-header.yml ├── send-keystrokes.yml ├── send-request-in-dotnet.yml ├── send-sms-on-android.yml ├── serialize-json-in-dotnet.yml ├── set-current-directory.yml ├── set-global-application-hook.yml ├── set-http-cookie.yml ├── set-http-user-agent-in-dotnet.yml ├── set-registry-value-via-stdregprov.yml ├── set-shadow-password-file-entry-on-linux.yml ├── set-thread-name-on-linux.yml ├── set-web-proxy-in-dotnet.yml ├── terminate-process-by-name-in-dotnet.yml ├── terminate-process-by-name.yml ├── truncate-file-on-linux.yml ├── unmanaged-call-via-dynamic-pinvoke-in-dotnet.yml ├── unmanaged-call.yml ├── unmount-volume-via-ioctl.yml ├── use-dotnet-library-simplejson.yml ├── use-dotnet-library-websocket-sharp.yml └── write-to-browser-extension-directory.yml ├── persistence ├── act-as-dhcp-server-callout-dll.yml ├── act-as-dns-server-plugin-dll.yml ├── act-as-share-provider-dll.yml ├── act-as-time-provider-dll.yml ├── act-as-windbg-extension.yml ├── authentication-process │ ├── act-as-credential-manager-dll.yml │ ├── act-as-password-filter-dll.yml │ ├── act-as-security-support-provider-dll.yml │ └── 
act-as-subauthentication-package-dll.yml ├── create-shortcut-via-ishelllink.yml ├── exchange │ └── act-as-exchange-transport-agent.yml ├── iis │ ├── persist-via-iis-module.yml │ └── persist-via-isapi-extension.yml ├── office │ ├── act-as-excel-xll-add-in.yml │ ├── act-as-office-com-add-in.yml │ └── act-as-word-wll-add-in.yml ├── persist-via-desktop-autostart.yml ├── persist-via-shell-profile-or-rc-file.yml ├── registry │ ├── appinitdlls │ │ ├── disable-appinit_dlls-code-signature-enforcement.yml │ │ └── persist-via-appinit_dlls-registry-key.yml │ ├── ginadll │ │ └── persist-via-ginadll-registry-key.yml │ ├── persist-via-active-setup-registry-key.yml │ ├── run │ │ └── persist-via-run-registry-key.yml │ └── winlogon-helper │ │ └── persist-via-winlogon-helper-dll-registry-key.yml ├── scheduled-tasks │ ├── schedule-task-via-at.yml │ ├── schedule-task-via-itaskscheduler.yml │ └── schedule-task-via-schtasks.yml ├── service │ ├── persist-via-rc-script.yml │ └── persist-via-windows-service.yml └── startup-folder │ ├── get-startup-folder.yml │ └── write-file-to-startup-folder.yml ├── runtime └── dotnet │ ├── compiled-to-the-dotnet-platform.yml │ ├── compiled-with-dotnet-aot.yml │ └── execute-via-dotnet-startup-hook.yml └── targeting ├── automated-teller-machine ├── diebold-nixdorf │ ├── load-diebold-nixdorf-atm-library.yml │ └── reference-diebold-atm-routines.yml ├── identify-atm-dispenser-service-provider.yml └── ncr │ ├── load-ncr-atm-library.yml │ └── reference-ncr-atm-library-routines.yml └── language └── identify-system-language-via-api.yml /.gitattributes: -------------------------------------------------------------------------------- 1 | # Set the default behavior, in case people don't have core.autocrlf set. 2 | * text=auto 3 | 4 | # Explicitly declare text files you want to always be normalized and converted 5 | # to native line endings on checkout. 
6 | *.yml text 7 | *.md text 8 | *.txt text 9 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | 2 | 12 | -------------------------------------------------------------------------------- /.github/scripts/changelog_author.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | import yaml 4 | 5 | rule_file = sys.argv[1] 6 | with open(rule_file, "r") as stream: 7 | rule_yaml = yaml.safe_load(stream) 8 | 9 | author_value = rule_yaml["rule"]["meta"]["authors"] 10 | if isinstance(author_value, list): # list of authors 11 | print(" ".join(author_value)) 12 | else: # one author 13 | print(author_value) 14 | -------------------------------------------------------------------------------- /anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: contain anti-disasm techniques 4 | namespace: anti-analysis/anti-disasm 5 | authors: 6 | - moritz.raabe@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | mbc: 11 | - Anti-Static Analysis::Disassembler Evasion [B0012] 12 | examples: 13 | - a5c70086b3bc4fe64f4e7a0aa452e620 14 | features: 15 | - or: 16 | - count(match(contain pusha popa sequence)): 10 or more 17 | -------------------------------------------------------------------------------- /anti-analysis/obfuscation/obfuscated-with-callobfuscator.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: obfuscated with callobfuscator 4 | namespace: anti-analysis/obfuscation 5 | authors: 6 | - johnk3r 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information [T1027] 12 | mbc: 13 | - Anti-Static Analysis::Executable Code Obfuscation [B0032] 
14 | examples: 15 | - 71A4F9B800D81FF6632B9892A6A502C412C141341E46D697A8C004E2F460913B 16 | features: 17 | - section: .cobf 18 | -------------------------------------------------------------------------------- /anti-analysis/packer/confuser/packed-with-confuser.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with Confuser 4 | namespace: anti-analysis/packer/confuser 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: unsupported # requires class features 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing::Confuser [F0001.009] 14 | examples: 15 | - b9f5bd514485fb06da39beff051b9fdc 16 | features: 17 | - or: 18 | - class: "ConfusedByAttribute" 19 | -------------------------------------------------------------------------------- /collection/database/sql/reference-sql-statements.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: reference SQL statements 4 | namespace: collection/database/sql 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | att&ck: 11 | - Collection::Data from Information Repositories [T1213] 12 | examples: 13 | - 5F66B82558CA92E54E77F216EF4C066C:0x42B1DF 14 | features: 15 | - and: 16 | - string: /SELECT.*FROM.*WHERE/ 17 | -------------------------------------------------------------------------------- /collection/database/wmi/reference-wmi-statements.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: reference WMI statements 4 | namespace: collection/database/wmi 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | att&ck: 11 | - Collection::Data from Information Repositories [T1213] 12 | examples: 13 | 
- al-khaser_x86.exe_:0x433490 14 | features: 15 | - or: 16 | - string: /SELECT\s+\*\s+FROM\s+CIM_./ 17 | - string: /SELECT\s+\*\s+FROM\s+Win32_./ 18 | - string: /SELECT\s+\*\s+FROM\s+MSAcpi_./ 19 | -------------------------------------------------------------------------------- /collection/file-managers/gather-3d-ftp-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather 3d-ftp information 4 | namespace: collection/file-managers 5 | authors: 6 | - "@_re_fox" 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Credential Access::Credentials from Password Stores [T1555] 12 | references: 13 | - https://www.3dftp.com/ 14 | examples: 15 | - 5a2f620f29ca2f44fc22df67b674198f:0x40CA59 16 | features: 17 | - and: 18 | - string: "3D-FTP" 19 | - string: "sites.ini" 20 | - optional: 21 | - substring: "\\SiteDesigner" 22 | -------------------------------------------------------------------------------- /collection/file-managers/gather-bitkinex-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather bitkinex information 4 | namespace: collection/file-managers 5 | authors: 6 | - "@_re_fox" 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Credential Access::Credentials from Password Stores [T1555] 12 | references: 13 | - http://www.bitkinex.com/ftp/ 14 | examples: 15 | - 5a2f620f29ca2f44fc22df67b674198f:0x406D14 16 | features: 17 | - and: 18 | - substring: "bitkinex.ds" 19 | - substring: "\\BitKinex" 20 | -------------------------------------------------------------------------------- /collection/file-managers/gather-classicftp-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather classicftp information 4 | namespace: collection/file-managers 5 | authors: 6 | - "@_re_fox" 7 | scopes: 8 | 
static: function 9 | dynamic: call 10 | att&ck: 11 | - Credential Access::Credentials from Password Stores [T1555] 12 | references: 13 | - https://www.nchsoftware.com/classic/index.html 14 | examples: 15 | - 5a2f620f29ca2f44fc22df67b674198f:0x40735E 16 | features: 17 | - or: 18 | - substring: "Software\\NCH Software\\ClassicFTP\\FTPAccounts" 19 | -------------------------------------------------------------------------------- /collection/file-managers/gather-cyberduck-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather cyberduck information 4 | namespace: collection/file-managers 5 | authors: 6 | - "@_re_fox" 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Credential Access::Credentials from Password Stores [T1555] 12 | references: 13 | - https://cyberduck.io/ftp/ 14 | examples: 15 | - 5a2f620f29ca2f44fc22df67b674198f:0x40D965 16 | features: 17 | - and: 18 | - substring: "\\Cyberduck" 19 | - or: 20 | - string: "user.config" 21 | - string: ".duck" 22 | -------------------------------------------------------------------------------- /collection/file-managers/gather-faststone-browser-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather faststone-browser information 4 | namespace: collection/file-managers 5 | authors: 6 | - "@_re_fox" 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Credential Access::Credentials from Password Stores [T1555] 12 | references: 13 | - https://www.faststone.org/ 14 | examples: 15 | - 5a2f620f29ca2f44fc22df67b674198f:0x40E04F 16 | features: 17 | - and: 18 | - substring: "FastStone Browser" 19 | - string: "FTPList.db" 20 | -------------------------------------------------------------------------------- /collection/file-managers/gather-fasttrack-ftp-information.yml: 
-------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather fasttrack-ftp information 4 | namespace: collection/file-managers 5 | authors: 6 | - "@_re_fox" 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Credential Access::Credentials from Password Stores [T1555] 12 | references: 13 | - http://www.fasttracksoft.com/ 14 | examples: 15 | - 5a2f620f29ca2f44fc22df67b674198f:0x40F906 16 | features: 17 | - or: 18 | - and: 19 | - string: "FastTrack" 20 | - string: "ftplist.txt" 21 | -------------------------------------------------------------------------------- /collection/file-managers/gather-freshftp-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather freshftp information 4 | namespace: collection/file-managers 5 | authors: 6 | - "@_re_fox" 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Credential Access::Credentials from Password Stores [T1555] 12 | examples: 13 | - 5a2f620f29ca2f44fc22df67b674198f:0x40C7AB 14 | features: 15 | - and: 16 | - string: "FreshFTP" 17 | - string: ".SMF" 18 | -------------------------------------------------------------------------------- /collection/file-managers/gather-frigate3-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: gather frigate3 information 4 | namespace: collection/file-managers 5 | authors: 6 | - "@_re_fox" 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Credential Access::Credentials from Password Stores [T1555] 12 | references: 13 | - http://www.frigate3.com/index.php 14 | examples: 15 | - 5a2f620f29ca2f44fc22df67b674198f:0x4069A0 16 | features: 17 | - and: 18 | - substring: "FtpSite.xml" 19 | - substring: "\\Frigate3" 20 | -------------------------------------------------------------------------------- 
/collection/file-managers/gather-ftpgetter-information.yml:

```yaml
rule:
  meta:
    name: gather ftpgetter information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.ftpgetter.com/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40A21C
  features:
    - and:
      - string: "servers.xml"
      - substring: "\\FTPGetter"
```

/collection/file-managers/gather-ftpnow-information.yml:

```yaml
rule:
  meta:
    name: gather ftpnow information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40CFF0
  features:
    - and:
      - string: "FTPNow"
      - string: "FTP Now"
      - string: "sites.xml"
```

/collection/file-managers/gather-ftprush-information.yml:

```yaml
rule:
  meta:
    name: gather ftprush information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.wftpserver.com/ftprush.htm
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x406AE0
  features:
    - and:
      - substring: "\\FTPRush"
      - substring: "RushSite.xml"
```
/collection/file-managers/gather-ftpshell-information.yml:

```yaml
rule:
  meta:
    name: gather ftpshell information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.ftpshell.com/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40DEE4
  features:
    - and:
      - string: "FTPShell"
      - string: "ftpshell.fsi"
```

/collection/file-managers/gather-global-downloader-information.yml:

```yaml
rule:
  meta:
    name: gather global-downloader information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - http://www.actysoft.com/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40C732
  features:
    - and:
      - substring: "\\Global Downloader"
      - string: "SM.arch"
```

/collection/file-managers/gather-goftp-information.yml:

```yaml
rule:
  meta:
    name: gather goftp information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.goftp.com/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40C9E8
  features:
    - and:
      - string: "GoFTP"
      - string: "Connections.txt"
```

/collection/file-managers/gather-netdrive-information.yml:

```yaml
rule:
  meta:
    name: gather netdrive information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.netdrive.net/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x407ED1
  features:
    - and:
      - string: "NDSites.ini"
      - substring: "\\NetDrive"
```

/collection/file-managers/gather-nexusfile-information.yml:

```yaml
rule:
  meta:
    name: gather nexusfile information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.xiles.app/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40DFD1
  features:
    - and:
      - string: "NexusFile"
      - string: "ftpsite.ini"
```

/collection/file-managers/gather-nova-ftp-information.yml:

```yaml
rule:
  meta:
    name: gather nova-ftp information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40E5FF
  features:
    - or:
      - and:
        - string: "NovaFTP.db"
        - substring: "\\INSoftware\\NovaFTP"
```

/collection/file-managers/gather-softx-ftp-information.yml:

```yaml
rule:
  meta:
    name: gather softx-ftp information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - http://www.softx.org/ftp.html
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x407685
  features:
    - or:
      - substring: "Software\\FTPClient\\Sites"
      - substring: "Software\\SoftX.org\\FTPClient\\Sites"
```

/collection/file-managers/gather-staff-ftp-information.yml:

```yaml
rule:
  meta:
    name: gather staff-ftp information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.gsa-online.de/product/staffftp/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40C516
  features:
    - and:
      - string: "Staff-FTP"
      - string: "sites.ini"
```

/collection/file-managers/gather-ultrafxp-information.yml:

```yaml
rule:
  meta:
    name: gather ultrafxp information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x406A5C
  features:
    - and:
      - substring: "UltraFXP"
      - substring: "\\sites.xml"
```

/collection/file-managers/gather-ws-ftp-information.yml:

```yaml
rule:
  meta:
    name: gather ws-ftp information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.ipswitch.com/ftp-server
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40504B
  features:
    - and:
      - substring: "\\Ipswitch\\WS_FTP"
      - substring: "\\win.ini"
      - substring: "WS_FTP"
```

/collection/file-managers/gather-xftp-information.yml:

```yaml
rule:
  meta:
    name: gather xftp information
    namespace: collection/file-managers
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Credentials from Password Stores [T1555]
    references:
      - https://www.netsarang.com/en/xftp-download/
    examples:
      - 5a2f620f29ca2f44fc22df67b674198f:0x40CBEE
  features:
    - and:
      - string: ".xfp"
      - substring: "\\NetSarang"
```

/collection/get-steam-token.yml:

```yaml
rule:
  meta:
    name: get Steam token
    namespace: collection
    authors:
      - still@teamt5.org
    description: locates references to Steam authentication token via the beginning of a Steam bearer token
    scopes:
      static: function
      dynamic: unsupported  # requires bytes feature
    examples:
      - 2c83f152e09d0abaa3a3784669e75276784e50e1e202d16ab27e5741eef9ab4f:0x0041718C
  features:
    - or:
      - substring: "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A"
      - substring: "eyAidHlwIjogIkpXVCIsICJ"
```

/collection/group-policy/discover-group-policy-via-gpresult.yml:

```yaml
rule:
  meta:
    name: discover Group Policy via gpresult
    namespace: collection/group-policy
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Discovery::Group Policy Discovery [T1615]
    examples:
      - 9e4d06759f278255073f9ac7b31a115a:0x100068B7
  features:
    - and:
      - os: windows
      - or:
        - substring: "gpresult"
        - substring: "GPRESULT"
```

/communication/c2/shell/execute-shell-command-received-from-socket-on-linux.yml:

```yaml
rule:
  meta:
    name: execute shell command received from socket on Linux
    namespace: communication/c2/shell
    authors:
      - joakim@intezer.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004]
    examples:
      - 7351f8a40c5450557b24622417fc478d:0x406549
  features:
    - and:
      - os: linux
      - match: receive data on socket
      - api: system
```
/communication/http/client/connect-to-http-server.yml:

```yaml
rule:
  meta:
    name: connect to HTTP server
    namespace: communication/http/client
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - Communication::HTTP Communication::Connect to Server [C0002.009]
    examples:
      - 6f99a2c8944cb02ff28c6f9ced59b161:0x40E2F0
  features:
    - and:
      - optional:
        - match: create HTTP request
      - api: wininet.InternetConnect
```

/communication/http/client/connect-to-url.yml:

```yaml
rule:
  meta:
    name: connect to URL
    namespace: communication/http/client
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: instruction
      dynamic: call
    mbc:
      - Communication::HTTP Communication::Open URL [C0002.004]
    examples:
      - 6f99a2c8944cb02ff28c6f9ced59b161:0x40E2F0
  features:
    - and:
      - api: wininet.InternetOpenUrl
```

/communication/http/client/decompress-http-response-via-iencodingfilterfactory.yml:

```yaml
rule:
  meta:
    name: decompress HTTP response via IEncodingFilterFactory
    namespace: communication/http/client
    authors:
      - matthew.williams@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - Communication::HTTP Communication::Get Response [C0002.017]
    examples:
      - FBBAAF569B63F6398503E4F1979CABEF:0x4067F0
  features:
    - and:
      - match: get HTTP response content encoding
      - match: decompress data via IEncodingFilterFactory
```
--------------------------------------------------------------------------------
/communication/http/client/get-http-response-content-encoding.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get HTTP response content encoding
    namespace: communication/http/client
    authors:
      - matthew.williams@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Communication::HTTP Communication::Get Response [C0002.017]
    examples:
      - FBBAAF569B63F6398503E4F1979CABEF:0x4068D9
  features:
    - and:
      - api: wininet.HttpQueryInfo
      - number: 0x1D = HTTP_QUERY_CONTENT_ENCODING

--------------------------------------------------------------------------------
/communication/http/client/prepare-http-request.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: prepare HTTP request
    namespace: communication/http/client
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    mbc:
      - Communication::HTTP Communication::Create Request [C0002.012]
    examples:
      - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10002650
  features:
    - or:
      - api: winhttp.WinHttpOpenRequest

--------------------------------------------------------------------------------
/communication/http/client/send-file-via-http.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: send file via HTTP
    namespace: communication/http/client
    authors:
      - matthew.williams@mandiant.com
    scopes:
      static: instruction
      dynamic: call
    mbc:
      - Communication::HTTP Communication::Send Data [C0002.005]
    examples:
      - 3d760b6fc84571c928bed835863fc302:0x403687
  features:
    - and:
      - api: wininet.InternetWriteFile

--------------------------------------------------------------------------------
/communication/http/get-http-content-length.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get HTTP content length
    namespace: communication/http
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Communication::HTTP Communication [C0002]
    examples:
      - 0596c4ea5aa8def47f22c85d75aaca95:0x1079C70
  features:
    - and:
      - api: wininet.HttpQueryInfo
      - number: 0x20000005 = HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_CONTENT_LENGTH

--------------------------------------------------------------------------------
/communication/http/initialize-winhttp-library.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: initialize WinHTTP library
    namespace: communication/http
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    mbc:
      - Communication::HTTP Communication::WinHTTP [C0002.008]
    examples:
      - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x1000E670
  features:
    - and:
      - api: winhttp.WinHttpOpen

--------------------------------------------------------------------------------
/communication/http/read-http-header.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: read HTTP header
    namespace: communication/http
    authors:
      - michael.hunhoff@mandiant.com
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: call
    mbc:
      - Communication::HTTP Communication::Read Header [C0002.014]
    examples:
      - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10002A30
  features:
    - or:
      - api: winhttp.WinHttpQueryHeaders
      - property/read: System.Net.WebClient::Headers

--------------------------------------------------------------------------------
/communication/http/server/send-http-response.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: send HTTP response
    namespace: communication/http/server
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    mbc:
      - Communication::HTTP Communication::Send Response [C0002.016]
    examples:
      - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10001B20
  features:
    - or:
      - api: httpapi.HttpSendHttpResponse
      - api: httpapi.HttpSendResponseEntityBody

--------------------------------------------------------------------------------
/communication/ip/convert-ip-address-from-string.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: convert IP address from string
    namespace: communication/ip
    authors:
      - "@mr-tz"
    scopes:
      static: basic block
      dynamic: call
    examples:
      - 0796F1C1EA0A142FC1EB7109A44C86CB:0x405D20
  features:
    - and:
      - api: inet_pton
      - optional:
        - or:
          - number: 2 = AF_INET
          - number: 23 = AF_INET6

--------------------------------------------------------------------------------
/communication/named-pipe/create/create-two-anonymous-pipes.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create two anonymous pipes
    namespace: communication/named-pipe/create
    authors:
      - matthew.williams@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - Communication::Interprocess Communication::Create Pipe [C0003.001]
    examples:
      - Practical Malware Analysis Lab 14-02.exe_:0x4011C0
  features:
    - and:
      - count(api(CreatePipe)): 2

--------------------------------------------------------------------------------
/communication/receive-data.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: receive data
    namespace: communication
    authors:
      - william.ballenthin@mandiant.com
    description: all known techniques for receiving data from a potential C2 server
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - Command and Control::C2 Communication::Receive Data [B0030.002]
    examples:
      - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145D60
  features:
    - or:
      - match: receive data on socket
      - match: read data from Internet
      - match: download URL

--------------------------------------------------------------------------------
/communication/socket/get-socket-status.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get socket status
    namespace: communication/socket
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Discovery::System Network Configuration Discovery [T1016]
    mbc:
      - Communication::Socket Communication::Get Socket Status [C0001.012]
    examples:
      - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x1000C1F0
  features:
    - or:
      - api: ws2_32.select
      - api: ws2_32.#18 = select

--------------------------------------------------------------------------------
/communication/socket/initialize-winsock-library.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: initialize Winsock library
    namespace: communication/socket
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    mbc:
      - Communication::Socket Communication::Initialize Winsock Library [C0001.009]
    examples:
      - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10001D30
  features:
    - or:
      - api: ws2_32.WSAStartup
      - api: ws2_32.#115 = WSAStartup

--------------------------------------------------------------------------------
/communication/socket/set-socket-configuration.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set socket configuration
    namespace: communication/socket
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    mbc:
      - Communication::Socket Communication::Set Socket Config [C0001.001]
    examples:
      - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x1000C1F0
  features:
    - or:
      - api: ws2_32.setsockopt
      - api: ws2_32.#21 = setsockopt
      - api: ws2_32.ioctlsocket
      - api: ws2_32.#10 = ioctlsocket

--------------------------------------------------------------------------------
/communication/socket/tcp/connect-tcp-socket.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: connect TCP socket
    namespace: communication/socket/tcp
    authors:
      - moritz.raabe@mandiant.com
      - joakim@intezer.com
      - mrhafizfarhad@gmail.com
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - Communication::Socket Communication::Connect Socket [C0001.004]
    examples:
      - Practical Malware Analysis Lab 01-01.dll_:0x10001010
  features:
    - and:
      - match: create TCP socket
      - match: connect socket

--------------------------------------------------------------------------------
/communication/socket/tcp/send/send-tcp-data-via-wfp-api.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: send TCP data via WFP API
    namespace: communication/socket/tcp/send
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - Communication::Socket Communication::Send TCP Data [C0001.014]
    examples:
      - 493167E85E45363D09495D0841C30648:0x404560
  features:
    - and:
      - api: fwpkclnt.FwpsStreamInjectAsync0
      - number: 0x10000 = FWPS_STREAM_FLAG_SEND

--------------------------------------------------------------------------------
/communication/socket/udp/connect-udp-socket.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: connect UDP socket
    namespace: communication/socket/udp
    authors:
      - mrhafizfarhad@gmail.com
    description: Detects UDP socket connections by combining UDP socket creation with connection attempts.
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - Communication::Socket Communication::UDP Client [C0001.013]
    examples:
      - 368239d36d221d8877a07ab6799e643a.elf_:0x20011E9
  features:
    - and:
      - match: create UDP socket
      - match: connect socket

--------------------------------------------------------------------------------
/communication/tcp/client/act-as-tcp-client.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: act as TCP client
    namespace: communication/tcp/client
    authors:
      - william.ballenthin@mandiant.com
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - Communication::Socket Communication::TCP Client [C0001.008]
    examples:
      - Practical Malware Analysis Lab 01-01.dll_:0x10001010
  features:
    - or:
      - match: connect TCP socket
      - api: System.Net.Sockets.TcpClient::ctor

--------------------------------------------------------------------------------
/compiler/d/compiled-with-dmd.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled with dmd
    namespace: compiler/d
    authors:
      - "@_re_fox"
    scopes:
      static: file
      dynamic: file
    references:
      - https://github.com/dlang/dmd
    examples:
      - 321338196a46b600ea330fc5d98d0699
  features:
    - and:
      - section: ._deh
      - section: .tp
      - section: .dp
      - section: .minfo

--------------------------------------------------------------------------------
/compiler/go/compiled-with-go.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled with Go
    namespace: compiler/go
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: file
      dynamic: file
    examples:
      - 49a34cfbeed733c24392c9217ef46bb6
  features:
    - or:
      - string: /^Go build ID:/
      - substring: "go.buildid"
      - string: /^Go buildinf:/
      - string: /\bgo1\.\d/
      - substring: "runtime.main"
      - substring: "main.main"
      - substring: "runtime.gcWork"

--------------------------------------------------------------------------------
/compiler/mingw/compiled-with-mingw-for-windows.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled with MinGW for Windows
    namespace: compiler/mingw
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: file
      dynamic: file
    examples:
      - 5b3968b47eb16a1cb88525e3b565eab1
  features:
    - and:
      - string: "Mingw runtime failure:"
      - string: "_Jv_RegisterClasses"
        description: from GCC

--------------------------------------------------------------------------------
/compiler/nim/compiled-with-nim.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled with Nim
    namespace: compiler/nim
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: file
      dynamic: file
    examples:
      - 580c37831fe98a254eb6c61c692c70d8.exe_
  features:
    - or:
      - substring: "NimMain"
      - substring: "NimMainModule"
      - substring: "NimMainInner"
      - substring: "io.nim"
      - substring: "fatal.nim"
      - substring: "system.nim"
      - substring: "alloc.nim"
      - substring: "osalloc.nim"

--------------------------------------------------------------------------------
/compiler/py2exe/compiled-with-py2exe.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled with py2exe
    namespace: compiler/py2exe
    authors:
      - "@_re_fox"
    scopes:
      static: basic block
      dynamic: call
    examples:
      - ed888dc2f04f5eac83d6d14088d002de:0x40194A
  features:
    - and:
      - string: "PY2EXE_VERBOSE"
      - api: getenv

--------------------------------------------------------------------------------
/compiler/rust/compiled-with-rust.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled with rust
    namespace: compiler/rust
    authors:
      - "@_re_fox"
      - william.ballenthin@mandiant.com
    scopes:
      static: file
      dynamic: file
    examples:
      - c3341b7dfbb9d43bca8c812e07b4299f:0x45F490
  features:
    - or:
      - substring: "run with `RUST_BACKTRACE=1` environment variable"
      - substring: "called `Option::unwrap()` on a `None` value"
      - substring: "called `Result::unwrap()` on an `Err` value"

--------------------------------------------------------------------------------
/compiler/vb/compiled-from-visual-basic.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled from Visual Basic
    namespace: compiler/vb
    authors:
      - "@williballenthin"
    scopes:
      static: file
      dynamic: file
    examples:
      - 9bca6b99e7981208af4c7925b96fb9cf
  features:
    - and:
      - string: /VB5!.*/
      - import: msvbvm60.ThunRTMain

--------------------------------------------------------------------------------
/data-manipulation/json/use-dotnet-library-newtonsoftjson.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: use .NET library Newtonsoft.Json
    namespace: data-manipulation/json
    authors:
      - "@johnk3r"
    scopes:
      static: file
      dynamic: file
    references:
      - https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/
    examples:
      - 387f15043f0198fd3a637b0758c2b6dde9ead795c3ed70803426fc355731b173
  features:
    - and:
      - match: compiled to the .NET platform
      - string: "Newtonsoft.Json"

--------------------------------------------------------------------------------
/data-manipulation/svg/use-dotnet-library-sharpvectors.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: use .NET library SharpVectors
    namespace: data-manipulation/svg
    authors:
      - "@johnk3r"
    scopes:
      static: file
      dynamic: file
    references:
      - https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/
    examples:
      - 387f15043f0198fd3a637b0758c2b6dde9ead795c3ed70803426fc355731b173
  features:
    - and:
      - match: compiled to the .NET platform
      - string: "SharpVectors.Converters.Wpf"

--------------------------------------------------------------------------------
/executable/installer/inno-setup/packaged-as-an-inno-setup-installer.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: packaged as an Inno Setup installer
    namespace: executable/installer/inno-setup
    authors:
      - awillia2@cisco.com
    scopes:
      static: file
      dynamic: file
    references:
      - https://jrsoftware.org/isinfo.php
    examples:
      - 70FD3347786ED7A4A43910E6778EF296
  features:
    - and:
      - string: /^Inno Setup Setup Data \(/
      - string: /^Inno Setup Messages \(/

--------------------------------------------------------------------------------
/executable/pe/export/forwarded-export.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: forwarded export
    namespace: executable/pe/export
    authors:
      - ronnie.salomonsen@mandiant.com
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Execution::Shared Modules [T1129]
    examples:
      - 76FA734236DAA023444DEC26863401DC
  features:
    - characteristic: forwarded export

--------------------------------------------------------------------------------
/executable/pe/pdb/contains-pdb-path.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contains PDB path
    namespace: executable/pe/pdb
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: file
      dynamic: file
    examples:
      - 464EF2CA59782CE697BC329713698CCC  # level32.exe
  features:
    - string: /:\\.*\.pdb/

--------------------------------------------------------------------------------
/executable/pe/section/tls/contain-a-thread-local-storage-tls-section.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain a thread local storage (.tls) section
    namespace: executable/pe/section/tls
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: file
      dynamic: file
    examples:
      - Practical Malware Analysis Lab 16-02.exe_
  features:
    - section: .tls

--------------------------------------------------------------------------------
/executable/resource/access-dotnet-resource.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: access .NET resource
    namespace: executable/resource
    authors:
      - "@mr-tz"
    scopes:
      static: function
      dynamic: span of calls
    examples:
      - 387f15043f0198fd3a637b0758c2b6dde9ead795c3ed70803426fc355731b173:0x06000084
  features:
    - and:
      - format: dotnet
      - or:
        - api: System.Resources.ResourceManager::ctor
        - api: System.Reflection.Assembly::GetManifestResourceStream

--------------------------------------------------------------------------------
/executable/subfile/pe/contain-an-embedded-pe-file.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain an embedded PE file
    namespace: executable/subfile/pe
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: file
      dynamic: file
    mbc:
      - Execution::Install Additional Program [B0023]
    examples:
      - Practical Malware Analysis Lab 01-04.exe_:0x4060
  features:
    - or:
      - count(characteristic(embedded pe)): 1 or more
      - count(string(This program cannot be run in DOS mode.)): 2 or more

--------------------------------------------------------------------------------
/host-interaction/bootloader/disable-code-signing.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: disable code signing
    namespace: host-interaction/bootloader
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Subvert Trust Controls::Code Signing Policy Modification [T1553.006]
    examples:
      - 0596C4EA5AA8DEF47F22C85D75AACA95:0x10710B3  # old Necurs rootkit
  features:
    - and:
      - match: host-interaction/process/create
      - string: /^bcdedit(\.exe)? -set TESTSIGNING ON/i

--------------------------------------------------------------------------------
/host-interaction/cli/resolve-path-using-msvcrt.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: resolve path using msvcrt
    namespace: host-interaction/cli
    authors:
      - "@_re_fox"
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Discovery::File and Directory Discovery [T1083]
    examples:
      - 31600ad0d1a7ea615690df111ae36c73:0x4016B8
  features:
    - or:
      - api: msvcrt.__p__pgmptr
      - api: msvcrt.__p__wpgmptr
      - api: msvcrt._get_pgmptr
      - api: msvcrt._get_wpgmptr
      - api: msvcrt._pgmptr
      - api: msvcrt._wpgmptr

--------------------------------------------------------------------------------
/host-interaction/clipboard/open-clipboard.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: open clipboard
    namespace: host-interaction/clipboard
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Collection::Clipboard Data [T1115]
    examples:
      - 6f99a2c8944cb02ff28c6f9ced59b161:0x403180
  features:
    - and:
      - api: user32.OpenClipboard
      - optional:
        - api: user32.CloseClipboard

--------------------------------------------------------------------------------
/host-interaction/driver/complete-processing-asynchronous-io-request.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: complete processing asynchronous IO request
    namespace: host-interaction/driver
    authors:
      - moritz.raabe@mandiant.com
    description: signals that driver has finished all processing for a given IRP (part of major function)
    scopes:
      static: basic block
      dynamic: span of calls
    examples:
      - Practical Malware Analysis Lab 10-03.sys_:0x10666
  features:
    - or:
      - api: IoCompleteRequest
      - api: IofCompleteRequest

--------------------------------------------------------------------------------
/host-interaction/driver/create-device-object.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create device object
    namespace: host-interaction/driver
    authors:
      - "@mr-tz"
    scopes:
      static: function
      dynamic: span of calls
    examples:
      - Practical Malware Analysis Lab 10-03.sys_:0x00010706
  features:
    - and:
      - api: IoCreateDevice
      - optional:
        - description: sets up a symbolic link between a device object name and a user-visible name for the device
        - api: IoCreateSymbolicLink

--------------------------------------------------------------------------------
/host-interaction/driver/interact-with-driver-via-ioctl.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: interact with driver via IOCTL
    namespace: host-interaction/driver
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: instruction
      dynamic: call
    examples:
      - Practical Malware Analysis Lab 10-03.exe_:0x40108c
  features:
    - or:
      - api: DeviceIoControl

--------------------------------------------------------------------------------
/host-interaction/driver/unload-driver.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: unload driver
    namespace: host-interaction/driver
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Persistence::Create or Modify System Process::Windows Service [T1543.003]
    examples:
      - 31cee4f66cf3b537e3d2d37a71f339f4:0x1400044ce
  features:
    - or:
      - api: NtUnloadDriver
      - api: ZwUnloadDriver

--------------------------------------------------------------------------------
/host-interaction/file-system/get-file-system-object-information.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get file system object information
    namespace: host-interaction/file-system
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Discovery::File and Directory Discovery [T1083]
    examples:
      - 50D5EE1CE2CA5E30C6B1019EE64EEEC2:0x403538
  features:
    - or:
      - api: SHGetFileInfo

--------------------------------------------------------------------------------
/host-interaction/file-system/write/clear-file-content.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: clear file content
    namespace: host-interaction/file-system/write
    authors:
      - jakeperalta7
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - File System::Writes File [C0052]
    examples:
      - e3a6fbbc9b315141da37e5abbae05bf20aa9f48d5f569c6353360f59a0315245:0x140001450
  features:
    - and:
      - api: kernel32.SetEndOfFile
      - not:
        - api: kernel32.SetFilePointer

--------------------------------------------------------------------------------
/host-interaction/filter/register-minifilter-driver.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: register minifilter driver
    namespace: host-interaction/filter
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Hardware::Install Driver::Minifilter [C0037.001]
    references:
      - https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts
    examples:
      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x4060C8
  features:
    - and:
      - api: FltRegisterFilter

--------------------------------------------------------------------------------
/host-interaction/filter/start-minifilter-driver.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: start minifilter driver
    namespace: host-interaction/filter
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Hardware::Load Driver::Minifilter [C0023.001]
    references:
      - https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/filter-manager-concepts
    examples:
      - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x406360
  features:
    - and:
      - api: FltStartFiltering

--------------------------------------------------------------------------------
/host-interaction/filter/unload-minifilter-driver.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: unload minifilter driver
    namespace: host-interaction/filter
    authors:
      - JakePeralta7
    scopes:
      static: basic block
      dynamic: call
    examples:
      - c3ef997d330e65be1e22ba4d2622ece23391c6cfc78b2ee515f3d0c7a3083a79:0x14000161D
  features:
    - api: fltlib.FilterUnload

--------------------------------------------------------------------------------
/host-interaction/gui/console/set-console-window-title.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set console window title
    namespace: host-interaction/gui/console
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    mbc:
      - Operating System::Console [C0033]
    examples:
      - mimikatz.exe_:0x44570F
  features:
    - or:
      - api: kernel32.SetConsoleTitle

--------------------------------------------------------------------------------
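The rules above compose through `match:` (act as TCP client refers to connect TCP socket, which in turn requires create TCP socket and connect socket), exclude a feature with `not:` (clear file content) and test occurrence ranges with `count(...)` (contain an embedded PE file, create two anonymous pipes). The evaluator below is an added example, not capa's own matching engine, that runs exactly that logic over feature sets. The rules are transcribed from the YAML above as Python dicts; `create TCP socket`, `connect socket` and `receive data on socket` are simplified stand-ins for rules not shown on this page; the feature extractor and the two samples are constructed, and the assumption that an API is recorded both as `module.name` and as bare `name` is the example's own.

```python
"""Evaluator for the boolean logic of the capa-style rules above (added example, not capa's
own engine): and/or/not/optional/description/match, count(...) ranges, and the leaf features
api, string, substring, number, os and characteristic."""
import re
from collections import Counter

COUNT_RE = re.compile(r"^count\((\w+)\((.*)\)\)$")
REGEX_RE = re.compile(r"^/(.*)/(i?)$", re.S)


def _parse_count(value):
    """(low, high) for `2`, `1 or more` or `3 or fewer`; high=None means unbounded."""
    n, _, tail = str(value).partition(" or ")
    return (int(n), None) if tail == "more" else (0, int(n)) if tail == "fewer" else (int(n), int(n))


def _count(ftype, fvalue, features):
    """How often a leaf feature occurs in the extracted feature Counter."""
    if isinstance(fvalue, str):
        fvalue = fvalue.split(" = ", 1)[0]  # drop an inline description: `0x1D = HTTP_QUERY_...`
    if ftype == "number":
        fvalue = int(str(fvalue), 0)  # accepts 0x.. and decimal
    elif ftype == "substring":
        return sum(n for (t, v), n in features.items() if t == "string" and fvalue in v)
    elif ftype == "string" and (m := REGEX_RE.match(fvalue)):
        pat = re.compile(m.group(1), re.I if m.group(2) else 0)
        return sum(n for (t, v), n in features.items() if t == "string" and pat.search(v))
    return features.get((ftype, fvalue), 0)


def evaluate(node, features, rules):
    """Evaluate one statement (a single-key dict) against `features`."""
    (key, value), = node.items()
    if key == "and":
        return all(evaluate(c, features, rules) for c in value)
    if key == "or":
        return any(evaluate(c, features, rules) for c in value)
    if key == "not":
        return not any(evaluate(c, features, rules) for c in value)
    if key in ("optional", "description"):
        return True  # reporting/documentation only; never causes a miss
    if key == "match":
        return match_rule(value, features, rules)  # rule-to-rule reference
    m = COUNT_RE.match(key)
    if m:
        low, high = _parse_count(value)
        n = _count(m.group(1), m.group(2), features)
        return n >= low and (high is None or n <= high)
    return _count(key, value, features) > 0


def match_rule(name, features, rules):
    """True when every top-level statement of the named rule holds."""
    return all(evaluate(n, features, rules) for n in rules[name]["features"])


def match_all(features, rules):
    """Sorted names of all matching rules, like a capa result table."""
    return sorted(name for name in rules if match_rule(name, features, rules))


def build_features(os_name, apis=(), strings=(), numbers=(), characteristics=()):
    """Stand-in for a feature extractor: a Counter of (type, value). Assumption: an API
    `ws2_32.connect` is also recorded as bare `connect`, so either spelling in a rule matches."""
    feats = Counter([("os", os_name)])
    for api in apis:
        feats[("api", api)] += 1
        if "." in api:
            feats[("api", api.rsplit(".", 1)[1])] += 1
    feats.update(("string", s) for s in strings)
    feats.update(("number", n) for n in numbers)
    feats.update(("characteristic", c) for c in characteristics)
    return feats


# Rules transcribed from the YAML above, one top-level statement each.
RULES = {
    "connect TCP socket": {"features": [{"and": [{"match": "create TCP socket"}, {"match": "connect socket"}]}]},
    "act as TCP client": {"features": [{"or": [{"match": "connect TCP socket"},
                                              {"api": "System.Net.Sockets.TcpClient::ctor"}]}]},
    "execute shell command received from socket on Linux": {"features": [{"and": [
        {"os": "linux"}, {"match": "receive data on socket"}, {"api": "system"}]}]},
    "clear file content": {"features": [{"and": [{"api": "kernel32.SetEndOfFile"},
                                                 {"not": [{"api": "kernel32.SetFilePointer"}]}]}]},
    "get HTTP content length": {"features": [{"and": [{"api": "wininet.HttpQueryInfo"},
        {"number": "0x20000005 = HTTP_QUERY_FLAG_NUMBER | HTTP_QUERY_CONTENT_LENGTH"}]}]},
    "contain an embedded PE file": {"features": [{"or": [{"count(characteristic(embedded pe))": "1 or more"},
        {"count(string(This program cannot be run in DOS mode.))": "2 or more"}]}]},
    "create two anonymous pipes": {"features": [{"and": [{"count(api(CreatePipe))": 2}]}]},
    # Simplified stand-ins (assumptions) for rules referenced above but not shown on this page.
    "create TCP socket": {"features": [{"and": [{"or": [{"api": "ws2_32.socket"}, {"api": "socket"}]},
                                                {"number": "6 = IPPROTO_TCP"}]}]},
    "connect socket": {"features": [{"or": [{"api": "ws2_32.connect"}, {"api": "connect"}]}]},
    "receive data on socket": {"features": [{"or": [{"api": "ws2_32.recv"}, {"api": "recv"}]}]},
}

# Constructed feature sets standing in for extractor output; not real samples.
WINDOWS_SAMPLE = build_features("windows", numbers=[6, 0x20000005],
    apis=["ws2_32.WSAStartup", "ws2_32.socket", "ws2_32.connect", "ws2_32.recv",
          "kernel32.SetFilePointer", "kernel32.SetEndOfFile", "wininet.HttpQueryInfo"],
    strings=["This program cannot be run in DOS mode."] * 2)
LINUX_SAMPLE = build_features("linux", apis=["socket", "connect", "recv", "system"], numbers=[6])
```

`match_all(WINDOWS_SAMPLE, RULES)` reports act as TCP client, connect TCP socket, contain an embedded PE file and get HTTP content length among others, but not clear file content, because the `not:` child SetFilePointer is present; the Linux sample matches the shell-command rule because its `os:` feature is linux. Note that `optional:` here simply evaluates to true; capa still evaluates its children so that they show up in the match report, but they never decide the result, which is the property this example preserves.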
/host-interaction/gui/logon/references-logon-banner.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: references logon banner
    namespace: host-interaction/gui/logon
    authors:
      - "@_re_fox"
    scopes:
      static: basic block
      dynamic: span of calls
    examples:
      - c3341b7dfbb9d43bca8c812e07b4299f:0x4066FC
  features:
    - and:
      - substring: "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
      - or:
        - substring: "LegalNoticeCaption"
        - substring: "LegalNoticeText"

--------------------------------------------------------------------------------
/host-interaction/gui/session/lock/lock-the-desktop.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: lock the desktop
    namespace: host-interaction/gui/session/lock
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Impact::Endpoint Denial of Service [T1499]
    examples:
      - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x100084D0
  features:
    - api: user32.LockWorkStation

--------------------------------------------------------------------------------
/host-interaction/gui/session/wallpaper/change-the-wallpaper.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: change the wallpaper
    namespace: host-interaction/gui/session
    authors:
      - "@_re_fox"
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Operating System::Wallpaper [C0035]
    examples:
      - 5dd0b130d5c3d40c69e3972f39fd7d62:0x45AC6F
  features:
    - and:
      - api: SystemParametersInfo
      - number: 0x14 = SPI_SETDESKWALLPAPER
      - number: 0x3 = SPIF_SENDWININICHANGE | SPIF_UPDATEINIFILE

--------------------------------------------------------------------------------
/host-interaction/gui/set-application-hook.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set application hook
    namespace: host-interaction/gui
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: instruction
      dynamic: call
    examples:
      - Practical Malware Analysis Lab 12-03.exe_:0x401000
  features:
    - or:
      - api: user32.SetWindowsHookEx
      - api: user32.UnhookWindowsHookEx

--------------------------------------------------------------------------------
/host-interaction/gui/taskbar/find/find-taskbar.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: find taskbar
    namespace: host-interaction/gui/taskbar/find
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Discovery::Taskbar Discovery [B0043]
    examples:
      - B7841B9D5DC1F511A93CC7576672EC0C:0x10007250
  features:
    - and:
      - string: "Shell_TrayWnd"
      - match: find graphical window

--------------------------------------------------------------------------------
/host-interaction/gui/taskbar/hide/hide-the-windows-taskbar.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: hide the Windows taskbar
    namespace: host-interaction/gui/taskbar/hide
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Hide Artifacts [T1564]
    examples:
      - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x10007250
  features:
    - and:
      - match: find taskbar
      - match: hide graphical window

--------------------------------------------------------------------------------
/host-interaction/gui/window/find/find-graphical-window.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: find graphical window
    namespace: host-interaction/gui/window/find
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: instruction
      dynamic: call
    att&ck:
      - Discovery::Application Window Discovery [T1010]
    examples:
      - 7C843E75D4F02087B932FE280DF9C90C:0x41B180
  features:
    - or:
      - api: user32.FindWindow
      - api: user32.FindWindowEx

--------------------------------------------------------------------------------
/host-interaction/gui/window/hide/hide-graphical-window.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: hide graphical window
    namespace: host-interaction/gui/window/hide
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Defense Evasion::Hide Artifacts::Hidden Window [T1564.003]
    examples:
      - 39C05B15E9834AC93F206BC114D0A00C357C888DB567BA8F5345DA0529CBED41:0x10007250
  features:
    - and:
      - number: 0x0 = SW_HIDE
      - api: user32.ShowWindow

--------------------------------------------------------------------------------
/host-interaction/hardware/memory/get-memory-capacity.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get memory capacity
    namespace: host-interaction/hardware/memory
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Discovery::System Information Discovery [T1082]
    examples:
      - 9324D1A8AE37A36AE560C37448C9705A:0x4052A0
  features:
    - or:
      - api: kernel32.GlobalMemoryStatus
      - api: kernel32.GlobalMemoryStatusEx
      # TODO kernel32.GetSystemInfo with offset

--------------------------------------------------------------------------------
/host-interaction/hardware/mouse/swap-mouse-buttons.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: swap mouse buttons
    namespace: host-interaction/hardware/mouse
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: call
    mbc:
      - Impact::Modify Hardware::Mouse [B0042.002]
    examples:
      - B7841B9D5DC1F511A93CC7576672EC0C:0x10007250
  features:
    - or:
      - api: user32.SwapMouseButton
--------------------------------------------------------------------------------
/host-interaction/log/debug/write-event/print-debug-messages.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: print debug messages
    namespace: host-interaction/log/debug/write-event
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    examples:
      - 493167E85E45363D09495D0841C30648:0x401000
  features:
    - or:
      - api: DbgPrint
      - api: kernel32.OutputDebugString
      - and:
        - os: android
        - api: __android_log_print
--------------------------------------------------------------------------------
/host-interaction/log/winevt/access/access-the-windows-event-log.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: access the Windows event log
    namespace: host-interaction/log/winevt/access
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: call
    mbc:
      - Discovery::File and Directory Discovery::Log File [E1083.m01]
    examples:
      - mimikatz.exe_:0x45228B
  features:
    - or:
      - api: OpenEventLog
      - api: ClearEventLog
      - api: OpenBackupEventLog
      - api: ReportEvent
--------------------------------------------------------------------------------
/host-interaction/mutex/create-semaphore-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create semaphore on Linux
    namespace: host-interaction/mutex
    authors:
      - "@ramen0x3f"
    scopes:
      static: function
      dynamic: span of calls
    examples:
      - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408de0
  features:
    - and:
      - or:
        - os: linux
        - os: android
      - api: sem_init
--------------------------------------------------------------------------------
/host-interaction/mutex/lock-file.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: lock file
    namespace: host-interaction/mutex
    authors:
      - joakim@intezer.com
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Process::Create Mutex [C0042]
    examples:
      - 7351f8a40c5450557b24622417fc478d:0x40858F
  features:
    - and:
      - or:
        - os: linux
        - os: android
      - api: fcntl
      - number: 1 = F_WRLCK
      - number: 6 = F_SETLK
--------------------------------------------------------------------------------
/host-interaction/mutex/lock-semaphore-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: lock semaphore on Linux
    namespace: host-interaction/mutex
    authors:
      - "@ramen0x3f"
    scopes:
      static: function
      dynamic: span of calls
    examples:
      - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40
  features:
    - and:
      - or:
        - os: linux
        - os: android
      - or:
        - api: sem_wait
        - api: sem_timedwait
--------------------------------------------------------------------------------
/host-interaction/mutex/unlock-semaphore-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: unlock semaphore on Linux
    namespace: host-interaction/mutex
    authors:
      - "@ramen0x3f"
    scopes:
      static: function
      dynamic: span of calls
    examples:
      - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40
  features:
    - and:
      - or:
        - os: linux
        - os: android
      - api: sem_post
--------------------------------------------------------------------------------
/host-interaction/network/traffic/copy/copy-network-traffic.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: copy network traffic
    namespace: host-interaction/network/traffic/copy
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Discovery::Network Sniffing [T1040]
    examples:
      - 493167E85E45363D09495D0841C30648:0x404780
  features:
    - and:
      - api: fwpkclnt.FwpsCopyStreamDataToBuffer0
--------------------------------------------------------------------------------
/host-interaction/network/traffic/filter/register-network-filter-via-wfp-api.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: register network filter via WFP API
    namespace: host-interaction/network/traffic/filter
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Impact::Data Manipulation::Transmitted Data Manipulation [T1565.002]
    examples:
      - 493167E85E45363D09495D0841C30648:0x404220
  features:
    - and:
      - api: fwpkclnt.FwpmFilterAdd0
--------------------------------------------------------------------------------
/host-interaction/os/version/get-kernel-version.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get kernel version
    namespace: host-interaction/os/version
    authors:
      - joakim@intezer.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Discovery::System Information Discovery [T1082]
    examples:
      - 7351f8a40c5450557b24622417fc478d:0x405438
  features:
    - and:
      - os: linux
      - or:
        - api: uname
        - and:
          - api: system
          - string: "uname"
--------------------------------------------------------------------------------
/host-interaction/process/create/execute-command.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: execute command
    namespace: host-interaction/process/create
    authors:
      - "@mr-tz"
    scopes:
      static: function
      dynamic: call
    mbc:
      - Process::Create Process [C0017]
    examples:
      - e353d3fbfb5c3738a77a622adff9a416:0x401626
  features:
    - or:
      - api: system
      - api: _system
      - api: wsystem
      - api: _wsystem
--------------------------------------------------------------------------------
/host-interaction/process/dump/create-process-memory-minidump.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: create process memory minidump
    namespace: host-interaction/process/dump
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - File System::Writes File [C0052]
    examples:
      - 91a12a4cf437589ba70b1687f5acad19:0x43E1C9
  features:
    - or:
      - api: dbghelp.MiniDumpWriteDump
--------------------------------------------------------------------------------
/host-interaction/process/inject/attach-user-process-memory.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: attach user process memory
    namespace: host-interaction/process/inject
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Process Injection [T1055]
    mbc:
      - Defense Evasion::Process Injection [E1055]
    examples:
      - 493167E85E45363D09495D0841C30648:0x404B00
  features:
    - and:
      - api: ntoskrnl.KeStackAttachProcess
      - api: ntoskrnl.KeUnstackDetachProcess
--------------------------------------------------------------------------------
/host-interaction/process/list/get-explorer-pid.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get Explorer PID
    namespace: host-interaction/process/list
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: span of calls
    att&ck:
      - Discovery::Process Discovery [T1057]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ParentProcess.cpp
    examples:
      - al-khaser_x86.exe_:0x425210
  features:
    - and:
      - api: GetShellWindow
      - api: GetWindowThreadProcessId
--------------------------------------------------------------------------------
/host-interaction/process/modify/acquire-debug-privileges.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: acquire debug privileges
    namespace: host-interaction/process/modify
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Privilege Escalation::Access Token Manipulation [T1134]
    examples:
      - Practical Malware Analysis Lab 01-04.exe_:0x401174
  features:
    - and:
      - string: "SeDebugPrivilege"
      - optional:
        - match: modify access privileges
--------------------------------------------------------------------------------
/host-interaction/process/modify/modify-access-privileges.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: modify access privileges
    namespace: host-interaction/process/modify
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: instruction
      dynamic: call
    att&ck:
      - Privilege Escalation::Access Token Manipulation [T1134]
    examples:
      - 9324D1A8AE37A36AE560C37448C9705A:0x403BE0
  features:
    - and:
      - api: advapi32.AdjustTokenPrivileges
--------------------------------------------------------------------------------
/host-interaction/registry/create-registry-key-via-offline-registry-library.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create registry key via offline registry library
    namespace: host-interaction/registry
    authors:
      - johnk3r
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Defense Evasion::Modify Registry [T1112]
    mbc:
      - Operating System::Registry::Create Registry Key [C0036.004]
    examples:
      - 5fbbfeed28b258c42e0cfeb16718b31c:0x100481A0
  features:
    - or:
      - api: ORCreateHive
      - api: ORCreateKey
--------------------------------------------------------------------------------
/host-interaction/registry/open-registry-key-via-offline-registry-library.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: open registry key via offline registry library
    namespace: host-interaction/registry
    authors:
      - johnk3r
    scopes:
      static: function
      dynamic: call
    mbc:
      - Operating System::Registry::Open Registry Key [C0036.003]
    examples:
      - 5fbbfeed28b258c42e0cfeb16718b31c:0x4071E1
  features:
    - or:
      - api: OROpenHive
      - api: OROpenKey
--------------------------------------------------------------------------------
/host-interaction/registry/query-registry-key-via-offline-registry-library.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: query registry key via offline registry library
    namespace: host-interaction/registry
    authors:
      - johnk3r
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Discovery::Query Registry [T1012]
    mbc:
      - Operating System::Registry::Query Registry Value [C0036.006]
    examples:
      - 5fbbfeed28b258c42e0cfeb16718b31c:0x42388C
  features:
    - and:
      - api: ORGetValue
--------------------------------------------------------------------------------
/host-interaction/registry/set-registry-key-via-offline-registry-library.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set registry key via offline registry library
    namespace: host-interaction/registry
    authors:
      - johnk3r
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Modify Registry [T1112]
    mbc:
      - Operating System::Registry::Set Registry Key [C0036.001]
    examples:
      - 5fbbfeed28b258c42e0cfeb16718b31c:0x43A6C8
  features:
    - and:
      - api: ORSetValue
      - optional:
        - api: ORSaveHive
--------------------------------------------------------------------------------
/host-interaction/service/list/enumerate-services.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enumerate services
    namespace: host-interaction/service/list
    authors:
      - moritz.raabe@mandiant.com
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Discovery::System Service Discovery [T1007]
    examples:
      - Practical Malware Analysis Lab 05-01.dll_:0x1000B823
  features:
    - or:
      - api: advapi32.EnumServicesStatus
      - api: advapi32.EnumServicesStatusEx
      - api: advapi32.EnumDependentServices
--------------------------------------------------------------------------------
/host-interaction/service/query-service-configuration.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: query service configuration
    namespace: host-interaction/service
    authors:
      - "@mr-tz"
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Discovery::System Service Discovery [T1007]
    examples:
      - Practical Malware Analysis Lab 17-02.dll_:0x1000bf52
  features:
    - or:
      - api: advapi32.QueryServiceConfigA
      - api: advapi32.QueryServiceConfig2A
--------------------------------------------------------------------------------
/host-interaction/service/query-service-status.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: query service status
    namespace: host-interaction/service
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Discovery::System Service Discovery [T1007]
    examples:
      - 9DC209F66DA77858E362E624D0BE86B3:0x403C70
  features:
    - or:
      - api: advapi32.QueryServiceStatusEx
      - api: advapi32.QueryServiceStatus
--------------------------------------------------------------------------------
/host-interaction/service/start/start-service.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: start service
    namespace: host-interaction/service/start
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Persistence::Create or Modify System Process::Windows Service [T1543.003]
    examples:
      - E544A4D616B60147D9774B48C2B65EF2:0x401FA0
  features:
    - and:
      - optional:
        - match: get service handle
      - api: advapi32.StartService
--------------------------------------------------------------------------------
/host-interaction/session/get-token-membership.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get token membership
    namespace: host-interaction/session
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Discovery::System Owner/User Discovery [T1033]
    examples:
      - mimikatz.exe_:0x40DABE
  features:
    - and:
      - api: advapi32.CheckTokenMembership
      - optional:
        - api: advapi32.AllocateAndInitializeSid
        - api: advapi32.FreeSid
--------------------------------------------------------------------------------
/host-interaction/session/get-user-security-identifier.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: get user security identifier
    namespace: host-interaction/session
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Discovery::Account Discovery [T1087]
    examples:
      - mimikatz.exe_:0x40DC42
  features:
    - or:
      - api: advapi32.LookupAccountName
      - api: advapi32.LsaLookupNames
      - api: advapi32.LsaLookupNames2
--------------------------------------------------------------------------------
/host-interaction/thread/tls/allocate-thread-local-storage.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: allocate thread local storage
    namespace: host-interaction/thread/tls
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    mbc:
      - Process::Allocate Thread Local Storage [C0040]
    examples:
      - 03B236B23B1EC37C663527C1F53AF3FE:0x18000ADF6
  features:
    - or:
      - api: kernel32.TlsAlloc
--------------------------------------------------------------------------------
/host-interaction/thread/tls/set-thread-local-storage-value.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set thread local storage value
    namespace: host-interaction/thread/tls
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - Process::Set Thread Local Storage Value [C0041]
    examples:
      - 03B236B23B1EC37C663527C1F53AF3FE:0x18000AE21
  features:
    - and:
      - api: kernel32.TlsSetValue
      - optional:
        - match: allocate thread local storage
--------------------------------------------------------------------------------
/internal/limitation/static/README.md:
--------------------------------------------------------------------------------
# file limitations

This directory contains rules with the special namespace `internal/limitation/file`.
capa uses these rules to identify files that it cannot handle well, such as .NET modules or packed programs.
When one of these rules matches, capa will render the description as a warning message and bail.
--------------------------------------------------------------------------------
/lib/contain-loop.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain loop
    authors:
      - moritz.raabe@mandiant.com
    lib: true
    scopes:
      static: function
      dynamic: unsupported # requires characteristic features
    examples:
      - 08AC667C65D36D6542917655571E61C8:0x406EAA
  features:
    - or:
      - characteristic: loop
      - characteristic: tight loop
      - characteristic: recursive call
--------------------------------------------------------------------------------
/lib/contain-pusha-popa-sequence.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain pusha popa sequence
    authors:
      - moritz.raabe@mandiant.com
    lib: true
    scopes:
      static: function
      dynamic: unsupported # requires mnemonic features
    examples:
      - a5c70086b3bc4fe64f4e7a0aa452e620:0x35007200
  features:
    - and:
      - or:
        - count(mnemonic(pusha)): 2 or more
        # vivisect
        - count(mnemonic(pushad)): 2 or more
      - or:
        - count(mnemonic(popa)): 2 or more
        # vivisect
        - count(mnemonic(popad)): 2 or more
--------------------------------------------------------------------------------
/lib/create-file-compression-interface-context-on-windows.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create File Compression Interface context on Windows
    authors:
      - michael.hunhoff@mandiant.com
    lib: true
    scopes:
      static: function
      dynamic: call
    references:
      - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
    examples:
      - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
  features:
    - or:
      - api: cabinet.FCICreate
--------------------------------------------------------------------------------
/lib/create-file-decompression-interface-context-on-windows.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create File Decompression Interface context on Windows
    authors:
      - jakub.jozwiak@mandiant.com
    lib: true
    scopes:
      static: function
      dynamic: call
    references:
      - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
    examples:
      - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
  features:
    - or:
      - api: cabinet.FDICreate
--------------------------------------------------------------------------------
/lib/create-or-open-section-object.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create or open section object
    authors:
      - william.ballenthin@mandiant.com
    lib: true
    scopes:
      static: function
      dynamic: span of calls
    examples:
      - daa13ae302fe8b618ddbf590537443ef:0x401116
  features:
    - and:
      - os: windows
      - or:
        - api: NtCreateSection
        - api: ZwCreateSection
        - api: NtOpenSection
        - api: ZwOpenSection
--------------------------------------------------------------------------------
/lib/duplicate-stdin-and-stdout.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: duplicate stdin and stdout
    authors:
      - joakim@intezer.com
    lib: true
    scopes:
      static: basic block
      dynamic: call
    examples:
      - 7351f8a40c5450557b24622417fc478d:0x40236D
  features:
    - and:
      - or:
        - os: linux
        - os: android
      - api: dup2
      - number: 0 = STDIN
      - number: 1 = STDOUT
--------------------------------------------------------------------------------
/lib/get-service-handle.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: get service handle
    authors:
      - moritz.raabe@mandiant.com
    lib: true
    scopes:
      static: function
      dynamic: call
    examples:
      - Practical Malware Analysis Lab 03-02.dll_:0x10004706
  features:
    - or:
      - api: advapi32.CreateService
      - api: advapi32.OpenService
--------------------------------------------------------------------------------
/lib/open-process.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: open process
    authors:
      - 0x534a@mailbox.org
    lib: true
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Process::Open Process [C0065]
    examples:
      - Practical Malware Analysis Lab 17-02.dll_:0x1000D10D
  features:
    - or:
      - api: kernel32.OpenProcess
      - api: NtOpenProcess
      - api: ZwOpenProcess
--------------------------------------------------------------------------------
/lib/open-thread.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: open thread
    authors:
      - 0x534a@mailbox.org
    lib: true
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Process::Open Thread [C0066]
    examples:
      - 787cbc8a6d1bc58ea169e51e1ad029a637f22560660cc129ab8a099a745bd50e:00502F4C
  features:
    - or:
      - api: kernel32.OpenThread
      - api: NtOpenThread
      - api: ZwOpenThread
--------------------------------------------------------------------------------
/lib/write-process-memory.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: write process memory
    authors:
      - moritz.raabe@mandiant.com
    lib: true
    scopes:
      static: instruction
      dynamic: call
    att&ck:
      - Defense Evasion::Process Injection [T1055]
    examples:
      - 2D3EDC218A90F03089CC01715A9F047F:0x4027CF
  features:
    - or:
      - api: kernel32.WriteProcessMemory
      - api: ntdll.NtWriteVirtualMemory
      - api: ntdll.ZwWriteVirtualMemory
      - api: NtWow64WriteVirtualMemory64
--------------------------------------------------------------------------------
/linking/runtime-linking/link-many-functions-at-runtime.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: link many functions at runtime
    namespace: linking/runtime-linking
    authors:
      - moritz.raabe@mandiant.com
      - joakim@intezer.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Execution::Shared Modules [T1129]
    examples:
      - b7b5e1253710d8927cbe07d52d2d2e10:0x401000
  features:
    - or:
      - count(match(link function at runtime on Windows)): 5 or more
      - count(match(link function at runtime on Linux)): 5 or more
--------------------------------------------------------------------------------
/linking/static/aplib/linked-against-aplib.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: linked against aPLib
    namespace: linking/static/aplib
    authors:
      - still@teamt5.org
    scopes:
      static: file
      dynamic: file
    mbc:
      - Data::Compression Library [C0060]
    examples:
      - 72c8e3c8049927fa1dd53b61d9b67b9d74ab5b6c030bc38dfbe9a338a32438c9
  features:
    - or:
      - string: /aPLib v.* the smaller the better/
--------------------------------------------------------------------------------
/linking/static/libcurl/linked-against-libcurl.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: linked against libcurl
    namespace: linking/static/libcurl
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: file
      dynamic: file
    examples:
      - A90E5B3454AA71D9700B2EA54615F44B
  features:
    - or:
      - substring: "CLIENT libcurl"
      - substring: "curl.haxx.se"
--------------------------------------------------------------------------------
/linking/static/msdetours/linked-against-microsoft-detours.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: linked against Microsoft Detours
    namespace: linking/static/msdetours
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Defense Evasion::Hijack Execution Flow [T1574]
    references:
      - https://github.com/microsoft/Detours
    examples:
      - 071F2D1C4C2201EE95FFE2AA965000F5F615A11A12D345E33B9FB060E5597740
  features:
    - or:
      - section: .detourc
      - section: .detourd
--------------------------------------------------------------------------------
/linking/static/sqlite3/linked-against-cppsqlite3.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: linked against CppSQLite3
    namespace: linking/static/sqlite3
    authors:
      - still@teamt5.org
    scopes:
      static: file
      dynamic: file
    examples:
      - 253309d8b3675d3cc61d4bf23aa15d4b
  features:
    - and:
      - substring: "CppSQLite3DB"
      - substring: "CppSQLite3Query"
--------------------------------------------------------------------------------
/linking/static/zlib/linked-against-zlib.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: linked against ZLIB
    namespace: linking/static/zlib
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: file
      dynamic: file
    mbc:
      - Data::Compression Library [C0060]
    examples:
      - 6cc148363200798a12091b97a17181a1
  features:
    - or:
      - string: /deflate .* Copyright/
      - string: /inflate .* Copyright/
--------------------------------------------------------------------------------
/load-code/pe/access-pe-header.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: access PE header
    namespace: load-code/pe
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Execution::Shared Modules [T1129]
    examples:
      - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x1400018E0
  features:
    - and:
      - os: windows
      - or:
        - api: RtlImageNtHeader
        - api: RtlImageNtHeaderEx
--------------------------------------------------------------------------------
/load-code/shellcode/spawn-thread-to-rwx-shellcode.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: spawn thread to RWX shellcode
    namespace: load-code/shellcode
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    mbc:
      - Memory::Allocate Memory [C0007]
      - Process::Create Thread [C0038]
    examples:
      - Practical Malware Analysis Lab 19-02.exe_:0x401230
  features:
    - and:
      - match: allocate or change RWX memory
      - match: create thread
--------------------------------------------------------------------------------
/nursery/access-camera-in-dotnet-on-android.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: access camera in .NET on Android
    namespace: host-interaction/hardware/camera
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: unsupported # requires .NET API feature
  features:
    - or:
      - api: Android.Hardware.Camera::Open
--------------------------------------------------------------------------------
/nursery/access-unmanaged-com-objects-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: access unmanaged COM objects in .NET
    namespace: host-interaction/com
    authors:
      - mehunhoff@google.com
    scopes:
      static: function
      dynamic: unsupported  # requires .NET API feature
  features:
    - or:
      - api: System.Runtime.InteropServices.Marshal::GetTypeFromCLSID
--------------------------------------------------------------------------------
/nursery/add-user-account-group.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: add user account group
    namespace: host-interaction/accounts
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Persistence::Account Manipulation [T1098]
  features:
    - or:
      - api: netapi32.NetLocalGroupAdd
      - api: netapi32.NetGroupAdd
--------------------------------------------------------------------------------
/nursery/add-user-account-to-group.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: add user account to group
    namespace: host-interaction/accounts
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Persistence::Account Manipulation [T1098]
  features:
    - or:
      - api: netapi32.NetLocalGroupAddMembers
      - api: netapi32.NetLocalGroupAddMember
      - api: netapi32.NetGroupAddUser
      - api: netapi32.NetGroupSetUsers
--------------------------------------------------------------------------------
/nursery/add-user-account.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: add user account
    namespace: host-interaction/accounts
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Persistence::Create Account [T1136]
  features:
    - or:
      - api: netapi32.NetUserAdd
--------------------------------------------------------------------------------
/nursery/add-value-to-global-atom-table.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: add value to global atom table
    namespace: host-interaction/process/inject
    authors:
      - "@mr-tz"
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://www.fortinet.com/blog/threat-research/atombombing-brand-new-code-injection-technique-for-windows
      - https://github.com/BreakingMalwareResearch/atom-bombing
  features:
    - and:
      - api: AddAtom
      - api: GlobalAddAtom
      - api: GlobalAddAtomEx
--------------------------------------------------------------------------------
/nursery/allocate-unmanaged-memory-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: allocate unmanaged memory in .NET
    namespace: host-interaction/memory
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
  features:
    - or:
      - api: System.Runtime.InteropServices.Marshal::AllocHGlobal
--------------------------------------------------------------------------------
/nursery/capture-microphone-audio-in-dotnet-on-android.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: capture microphone audio in .NET on Android
    namespace: collection/microphone
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires .NET API features
  features:
    - and:
      - api: Android.Media.AudioRecord::StartRecording
      - optional:
        - api: Android.Media.AudioRecord::Release
        - api: Android.Media.AudioRecord::Stop
--------------------------------------------------------------------------------
/nursery/capture-network-configuration-via-ifconfig.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: capture network configuration via ifconfig
    namespace: collection/network
    authors:
      - joakim@intezeer.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Discovery::System Network Configuration Discovery [T1016]
  features:
    - and:
      - os: linux
      - api: system
      - substring: "ifconfig"
--------------------------------------------------------------------------------
/nursery/capture-process-snapshot-data.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: capture process snapshot data
    namespace: host-interaction/process/dump
    authors:
      - "@mr-tz"
    scopes:
      static: function
      dynamic: call
  features:
    - or:
      - api: PssCaptureSnapshot
      - api: PssQuerySnapshot
      - api: PssWalkSnapshot
--------------------------------------------------------------------------------
/nursery/capture-screenshot-in-dotnet-on-android.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: capture screenshot in .NET on Android
    namespace: collection/screenshot
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires .NET API feature
  features:
    - or:
      - api: Android.Media.Projection.MediaProjectionManager::CreateScreenCaptureIntent
--------------------------------------------------------------------------------
/nursery/change-memory-permission-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: change memory permission on Linux
    namespace: host-interaction/memory
    authors:
      - mehunhoff@google.com
    scopes:
      static: function
      dynamic: call
  features:
    - and:
      - or:
        - os: linux
        - os: android
      - or:
        - api: mprotect
        - api: pkey_mprotect
--------------------------------------------------------------------------------
/nursery/change-user-account-password.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: change user account password
    namespace: host-interaction/accounts
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Persistence::Account Manipulation [T1098]
  features:
    - or:
      - api: netapi32.NetUserChangePassword
--------------------------------------------------------------------------------
/nursery/check-file-extension-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: check file extension in .NET
    namespace: host-interaction/file-system
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
  features:
    - or:
      - api: System.IO.Path::GetExtension
      - api: System.IO.Path::HasExtension
--------------------------------------------------------------------------------
/nursery/check-file-permission-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: check file permission on Linux
    namespace: host-interaction/file-system
    authors:
      - mehunhoff@google.com
    scopes:
      static: function
      dynamic: call
  features:
    - and:
      - or:
        - os: android
        - os: linux
      - or:
        - api: access
        - api: faccessat
--------------------------------------------------------------------------------
/nursery/check-for-incoming-call-in-dotnet-on-android.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: check for incoming call in .NET on Android
    namespace: host-interaction
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires property
  features:
    - and:
      - property/read: Android.Content.Intent::Action
      - string: "android.intent.action.PHONE_STATE"
      - property/read: Android.Telephony.TelephonyManager::ExtraStateRinging
--------------------------------------------------------------------------------
/nursery/check-for-outgoing-call-in-dotnet-on-android.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: check for outgoing call in .NET on Android
    namespace: host-interaction
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires property
  features:
    - and:
      - property/read: Android.Content.Intent::Action
      - string: "android.intent.action.NEW_OUTGOING_CALL"
--------------------------------------------------------------------------------
/nursery/check-if-directory-exists.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: check if directory exists
    namespace: host-interaction/file-system/exists
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Discovery::File and Directory Discovery [T1083]
  features:
    - or:
      - api: System.IO.Directory::Exists
--------------------------------------------------------------------------------
/nursery/check-license-value.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: check license value
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L1224
  features:
    - and:
      - api: NtQueryLicenseValue
      - string: "Kernel-VMDetection-Private"
--------------------------------------------------------------------------------
/nursery/clear-clipboard-data.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: clear clipboard data
    namespace: host-interaction/clipboard
    authors:
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Collection::Clipboard Data [T1115]
  features:
    - and:
      - api: System.Windows.Forms.Clipboard::Clear
--------------------------------------------------------------------------------
/nursery/collect-ssh-keys.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: collect ssh keys
    namespace: collection
    authors:
      - joakim@intezer.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Credential Access::Unsecured Credentials::Private Keys [T1552.004]
  features:
    - and:
      - match: host-interaction/file-system/read
      - or:
        - substring: "/.ssh/id_rsa"
--------------------------------------------------------------------------------
/nursery/communicate-with-kernel-module-via-netlink-socket-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: communicate with kernel module via Netlink socket on Linux
    namespace: host-interaction/kernel
    authors:
      - michael.hunhoff@mandiant.com
    description: Netlink is used to transfer information between the kernel and user-space processes (https://man7.org/linux/man-pages/man7/netlink.7.html)
    scopes:
      static: basic block
      dynamic: call
  features:
    - and:
      - os: linux
      - api: socket
      - number: 0x10 = AF_NETLINK
--------------------------------------------------------------------------------
/nursery/compare-security-identifiers.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: compare security identifiers
    namespace: host-interaction/sid
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
  features:
    - or:
      - api: advapi32.EqualSid
--------------------------------------------------------------------------------
/nursery/compile-csharp-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compile CSharp in .NET
    namespace: load-code/dotnet/csharp
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004]
  features:
    - and:
      - match: compile .NET assembly
      - api: Microsoft.CSharp.CSharpCodeProvider::ctor
--------------------------------------------------------------------------------
/nursery/compile-dotnet-assembly.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compile .NET assembly
    namespace: load-code/dotnet
    authors:
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004]
  features:
    - or:
      - api: System.CodeDom.Compiler.CodeDomProvider::CompileAssemblyFromDom
      - api: System.CodeDom.Compiler.CodeDomProvider::CompileAssemblyFromFile
      - api: System.CodeDom.Compiler.CodeDomProvider::CompileAssemblyFromSource
--------------------------------------------------------------------------------
/nursery/compile-visual-basic-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compile Visual Basic in .NET
    namespace: load-code/dotnet/vb
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Defense Evasion::Obfuscated Files or Information::Compile After Delivery [T1027.004]
  features:
    - and:
      - match: compile .NET assembly
      - api: Microsoft.VisualBasic.VBCodeProvider::ctor
--------------------------------------------------------------------------------
/nursery/compiled-with-xamarin.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled with Xamarin
    namespace: compiler/xamarin
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: file
      dynamic: file
  features:
    - or:
      - namespace: Xamarin.Essentials
--------------------------------------------------------------------------------
/nursery/compress-data-using-gzip-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compress data using GZip in .NET
    namespace: data-manipulation/compression
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Collection::Archive Collected Data::Archive via Library [T1560.002]
    mbc:
      - Data::Compress Data [C0024]
  features:
    - or:
      - api: System.IO.Compression.GZipStream::ctor
--------------------------------------------------------------------------------
/nursery/connect-network-resource.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: connect network resource
    namespace: communication/http
    authors:
      - michael.hunhoff@mandiant.com
    description: connect to disk or print resource
    scopes:
      static: function
      dynamic: span of calls
  features:
    - and:
      - or:
        - api: mpr.WNetAddConnection
        - api: mpr.WNetAddConnection2
        - api: mpr.WNetAddConnection3
      - optional:
        - api: mpr.WNetCancelConnection
        - api: mpr.WNetCancelConnection2
--------------------------------------------------------------------------------
/nursery/contain-a-thread-local-storage-tls-section-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: contain a thread local storage (.tls) section in .NET
    namespace: executable/pe/section/tls
    authors:
      - michael.hunhoff@mandiant.com
    description: .NET file contains uncommon TLS section
    scopes:
      static: file
      dynamic: file
    references:
      - https://washi.dev/blog/posts/entry-points/
  features:
    - and:
      - match: contain a thread local storage (.tls) section
      - format: dotnet
--------------------------------------------------------------------------------
/nursery/create-registry-key-via-stdregprov.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: create registry key via StdRegProv
    namespace: host-interaction/registry
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
  features:
    - and:
      - string: "StdRegProv"
      - string: "CreateKey"
--------------------------------------------------------------------------------
/nursery/create-restart-manager-session.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create Restart Manager session
    namespace: host-interaction/process
    authors:
      - michael.hunhoff@mandiant.com
    description: Windows Restart Manager can be used to close/unlock specific files, often abused by Ransomware
    scopes:
      static: function
      dynamic: call
    references:
      - https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/
  features:
    - or:
      - api: rstrtmgr.RmStartSession
--------------------------------------------------------------------------------
/nursery/create-zip-archive-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: create zip archive in .NET
    namespace: data-manipulation/compression
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: unsupported
  features:
    - and:
      - optional:
        - api: System.IO.Compression.ZipFile::Open
      - or:
        - api: System.IO.Compression.ZipFile::CreateFromDirectory
        - api: System.IO.Compression.ZipFile::CreateEntryFromFile
--------------------------------------------------------------------------------
/nursery/debug-build.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: debug build
    namespace: executable/pe/debug
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: file
      dynamic: file
  features:
    - or:
      - string: "Assertion failed!"
      - string: "Assertion failed:"
--------------------------------------------------------------------------------
/nursery/decode-data-using-url-encoding.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: decode data using URL encoding
    namespace: data-manipulation/encoding/url
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02]
  features:
    - or:
      - api: System.Web.HttpUtility::UrlDecode
      - api: System.Web.HttpUtility::UrlDecodeToBytes
--------------------------------------------------------------------------------
/nursery/decrypt-data-via-sspi.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: decrypt data via SSPI
    namespace: data-manipulation/encryption
    authors:
      - matthew.williams@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
    references:
      - https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-decryptmessage
  features:
    - and:
      - api: secur32.DecryptMessage
--------------------------------------------------------------------------------
/nursery/delete-file-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: delete file on Linux
    namespace: host-interaction/file-system/delete
    authors:
      - mehunhoff@google.com
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - File System::Delete File [C0047]
  features:
    - and:
      - or:
        - os: linux
        - os: android
      - or:
        - api: unlink
        - api: unlinkat
--------------------------------------------------------------------------------
/nursery/delete-internet-cache.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: delete internet cache
    namespace: host-interaction/internet/cache
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
  features:
    - and:
      - match: enumerate internet cache
      - api: wininet.DeleteUrlCacheEntry
      - optional:
        - api: wininet.UnlockUrlCacheEntryFile
--------------------------------------------------------------------------------
/nursery/delete-registry-key-via-offline-registry-library.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: delete registry key via offline registry library
    namespace: host-interaction/registry
    authors:
      - johnk3r
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Defense Evasion::Modify Registry [T1112]
    mbc:
      - Operating System::Registry::Delete Registry Key [C0036.002]
      - Operating System::Registry::Delete Registry Value [C0036.007]
  features:
    - or:
      - api: ORDeleteKey
      - api: ORDeleteValue
--------------------------------------------------------------------------------
/nursery/delete-registry-key-via-stdregprov.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: delete registry key via StdRegProv
    namespace: host-interaction/registry
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
  features:
    - and:
      - string: "StdRegProv"
      - string: "DeleteKey"
--------------------------------------------------------------------------------
/nursery/delete-registry-value-via-stdregprov.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: delete registry value via StdRegProv
    namespace: host-interaction/registry
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
  features:
    - and:
      - string: "StdRegProv"
      - string: "DeleteValue"
--------------------------------------------------------------------------------
/nursery/delete-user-account-from-group.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: delete user account from group
    namespace: host-interaction/accounts
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Persistence::Account Manipulation [T1098]
  features:
    - or:
      - api: netapi32.NetLocalGroupDelMembers
      - api: netapi32.NetLocalGroupDelMember
      - api: netapi32.NetGroupDelUser
--------------------------------------------------------------------------------
/nursery/delete-user-account-group.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: delete user account group
    namespace: host-interaction/accounts
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Persistence::Account Manipulation [T1098]
  features:
    - or:
      - api: netapi32.NetLocalGroupDel
      - api: netapi32.NetGroupDel
--------------------------------------------------------------------------------
/nursery/delete-user-account.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: delete user account
    namespace: host-interaction/accounts
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Impact::Account Access Removal [T1531]
  features:
    - or:
      - api: netapi32.NetUserDel
--------------------------------------------------------------------------------
/nursery/delete-windows-backup-catalog.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: delete Windows backup catalog
    namespace: impact/inhibit-system-recovery
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Impact::Inhibit System Recovery [T1490]
  features:
    - and:
      - os: windows
      - string: /wbadmin(\.exe)?\s+delete\s+catalog/i
--------------------------------------------------------------------------------
/nursery/display-service-notification-message-box.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: display service notification message box
    namespace: host-interaction/gui
    authors:
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
  features:
    - and:
      - number: 0x200000 = service notification
      - api: System.Windows.Forms.MessageBox::Show
--------------------------------------------------------------------------------
/nursery/empty-the-recycle-bin.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: empty the recycle bin
    namespace: host-interaction/recycle-bin
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: call
  features:
    - or:
      - api: SHEmptyRecycleBin
--------------------------------------------------------------------------------
/nursery/encrypt-data-via-sspi.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: encrypt data via SSPI
    namespace: data-manipulation/encryption
    authors:
      - matthew.williams@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    references:
      - https://docs.microsoft.com/en-us/windows/win32/api/sspi/nf-sspi-encryptmessage
  features:
    - and:
      - api: secur32.EncryptMessage
--------------------------------------------------------------------------------
/nursery/enter-debug-mode-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enter debug mode in .NET
    namespace: host-interaction/process/modify
    authors:
      - "@v1bh475u"
    description: Often used by debuggers and malware to attach to and modify other processes.
    scopes:
      static: basic block
      dynamic: call
    references:
      - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.process.enterdebugmode?view=net-8.0
  features:
    - and:
      - api: System.Diagnostics.Process::EnterDebugMode
      - format: dotnet
--------------------------------------------------------------------------------
/nursery/enumerate-device-drivers-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enumerate device drivers on Linux
    namespace: collection
    authors:
      - "@mr-tz"
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Discovery::Device Driver Discovery [T1652]
  features:
    - and:
      - os: linux
      - api: system
      - or:
        - substring: "lsmod"
        - substring: "modinfo"
--------------------------------------------------------------------------------
/nursery/enumerate-drives.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enumerate drives
    namespace: host-interaction/file-system
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
  features:
    - or:
      - api: System.IO.DriveInfo::GetDrives
--------------------------------------------------------------------------------
/nursery/enumerate-internet-cache.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enumerate internet cache
    namespace: host-interaction/internet/cache
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
  features:
    - and:
      - api: wininet.FindFirstUrlCacheEntry
      - optional:
        - api: wininet.FindNextUrlCacheEntry
        - api: wininet.FindCloseUrlCache
      - match: contain loop
--------------------------------------------------------------------------------
/nursery/enumerate-network-shares.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enumerate network shares
    namespace: host-interaction/network
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Discovery::Network Share Discovery [T1135]
  features:
    - and:
      - or:
        - api: netapi32.NetShareEnum
        - api: mpr.WNetEnumResource
      - match: contain loop
--------------------------------------------------------------------------------
/nursery/enumerate-processes-via-procfs.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enumerate processes via procfs
    namespace: host-interaction/process/list
    authors:
      - joakim@intezer.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Discovery::Process Discovery [T1057]
      - Discovery::Software Discovery [T1518]
  features:
    - and:
      - os: linux
      - match: host-interaction/file-system/files/list
      - string: "/proc"
--------------------------------------------------------------------------------
/nursery/enumerate-system-firmware-tables.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: enumerate system firmware tables
    namespace: host-interaction/hardware/firmware
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/Shared/Utils.cpp#L843
  features:
    - and:
      - api: kernel32.EnumSystemFirmwareTables
--------------------------------------------------------------------------------
/nursery/execute-dotnet-assembly.yml:
-------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: execute .NET assembly 4 | namespace: load-code/dotnet 5 | authors: 6 | - anushka.virgaonkar@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | att&ck: 11 | - Defense Evasion::Reflective Code Loading [T1620] 12 | features: 13 | - or: 14 | - api: System.AppDomain::ExecuteAssembly 15 | - api: System.AppDomain::ExecuteAssemblyByName 16 | -------------------------------------------------------------------------------- /nursery/execute-shell-command-via-windows-remote-management.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: execute shell command via Windows Remote Management 5 | namespace: host-interaction/process/create 6 | authors: 7 | - michael.hunhoff@mandiant.com 8 | scopes: 9 | static: function 10 | dynamic: call 11 | features: 12 | - and: 13 | - or: 14 | - api: wsmsvc.WSManRunShellCommand 15 | - api: wsmsvc.WSManRunShellCommandEx 16 | - optional: 17 | - api: wsmsvc.WSManCreateShell 18 | -------------------------------------------------------------------------------- /nursery/execute-shellcode-via-indirect-call.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: execute shellcode via indirect call 4 | namespace: load-code/shellcode 5 | authors: 6 | - ronnie.salomonsen@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: unsupported # requires characteristic features 10 | mbc: 11 | - Memory::Allocate Memory [C0007] 12 | features: 13 | - and: 14 | - match: allocate or change RWX memory 15 | - or: 16 | - characteristic: indirect call 17 | - characteristic: cross section flow 18 | -------------------------------------------------------------------------------- /nursery/execute-via-asynchronous-task-in-dotnet.yml: 
-------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: execute via asynchronous task in .NET 4 | namespace: host-interaction/thread/task 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | features: 11 | - or: 12 | - api: System.Threading.Tasks.Task::ctor 13 | -------------------------------------------------------------------------------- /nursery/execute-via-timer-in-dotnet.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: execute via timer in .NET 4 | namespace: host-interaction/thread/timer 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | features: 11 | - or: 12 | - api: System.Threading.Timer::ctor 13 | -------------------------------------------------------------------------------- /nursery/find-process-by-name.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: find process by name 4 | namespace: host-interaction/process/list 5 | authors: 6 | - anushka.virgaonkar@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | att&ck: 11 | - Discovery::Process Discovery [T1057] 12 | features: 13 | - and: 14 | - api: System.Diagnostics.Process::GetProcessesByName 15 | -------------------------------------------------------------------------------- /nursery/generate-random-filename-in-dotnet.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: generate random filename in .NET 4 | namespace: host-interaction/file-system 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | features: 11 | - or: 12 | - api: System.IO.Path::GetRandomFileName 13 | - api: System.IO.Path::GetTempFileName 14 | 
-------------------------------------------------------------------------------- /nursery/get-current-pid-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get current PID on Linux 4 | namespace: host-interaction/process 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: basic block 9 | dynamic: call 10 | features: 11 | - and: 12 | - or: 13 | - os: linux 14 | - os: android 15 | - or: 16 | - api: getpid 17 | - api: getppid 18 | -------------------------------------------------------------------------------- /nursery/get-current-process-command-line.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get current process command line 4 | namespace: host-interation/process 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | features: 11 | - and: 12 | - os: linux 13 | - api: open 14 | - string: "/proc/self/cmdline" 15 | - api: read 16 | -------------------------------------------------------------------------------- /nursery/get-current-process-file-path.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get current process file path 4 | namespace: host-interation/process 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: basic block 9 | dynamic: call 10 | features: 11 | - and: 12 | - os: linux 13 | - api: readlink 14 | - string: "/proc/self/exe" 15 | -------------------------------------------------------------------------------- /nursery/get-current-process-filesystem-mounts-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get current process filesystem mounts on Linux 4 | namespace: host-interation/process 5 | authors: 6 | - mehunhoff@google.com 7 | scopes: 8 | static: basic block 9 | 
dynamic: call 10 | features: 11 | - and: 12 | - or: 13 | - os: linux 14 | - os: android 15 | - match: create or open file 16 | - string: "/proc/self/mounts" 17 | -------------------------------------------------------------------------------- /nursery/get-current-process-memory-mapping-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get current process memory mapping on Linux 4 | namespace: host-interation/process 5 | authors: 6 | - mehunhoff@google.com 7 | scopes: 8 | static: basic block 9 | dynamic: call 10 | features: 11 | - and: 12 | - or: 13 | - os: linux 14 | - os: android 15 | - match: create or open file 16 | - string: "/proc/self/maps" 17 | -------------------------------------------------------------------------------- /nursery/get-file-system-information-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get file system information on Linux 4 | namespace: host-interaction/file-system 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: basic block 9 | dynamic: call 10 | features: 11 | - and: 12 | - os: linux 13 | - or: 14 | - api: statfs 15 | - api: fstatfs 16 | -------------------------------------------------------------------------------- /nursery/get-http-request-uri.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get HTTP request URI 4 | namespace: communication/http 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: basic block 9 | dynamic: call 10 | mbc: 11 | - Communication::HTTP Communication [C0002] 12 | features: 13 | - and: 14 | - api: wininet.HttpQueryInfo 15 | - number: 0xD = HTTP_QUERY_URI 16 | -------------------------------------------------------------------------------- /nursery/get-mac-address-in-dotnet.yml: 
-------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get MAC address in .NET 4 | namespace: collection/network 5 | authors: 6 | - moritz.raabe@mandiant.com 7 | - michael.hunhoff@mandiant.com 8 | - echernofsky@google.com 9 | scopes: 10 | static: function 11 | dynamic: span of calls 12 | att&ck: 13 | - Discovery::System Information Discovery [T1082] 14 | features: 15 | - or: 16 | - api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress 17 | -------------------------------------------------------------------------------- /nursery/get-mac-address-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get MAC address on Linux 4 | namespace: collection/network 5 | authors: 6 | - joakim@intezer.com 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Discovery::System Information Discovery [T1082] 12 | features: 13 | - and: 14 | - os: linux 15 | - match: host-interaction/file-system/read 16 | - string: /\/sys\/class\/net\/\S+\/address/ 17 | description: pseudo-file path like /sys/class/net/eth0/address 18 | -------------------------------------------------------------------------------- /nursery/get-networking-parameters.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get networking parameters 4 | namespace: host-interaction/network 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | att&ck: 11 | - Discovery::System Network Configuration Discovery [T1016] 12 | features: 13 | - or: 14 | - api: iphlpapi.GetNetworkParams 15 | -------------------------------------------------------------------------------- /nursery/get-os-version-in-dotnet-on-android.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get OS version in .NET on 
Android 4 | namespace: host-interaction/os/info 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: unsupported # requires class features 10 | features: 11 | - and: 12 | - class: Android.OS.Build 13 | -------------------------------------------------------------------------------- /nursery/get-proxy.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get proxy 4 | namespace: host-interaction/network/proxy 5 | authors: 6 | - moritz.raabe@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Discovery::System Network Configuration Discovery [T1016] 12 | features: 13 | - and: 14 | - match: create or open registry key 15 | - string: "ProxyServer" 16 | -------------------------------------------------------------------------------- /nursery/get-remote-cert-context-via-schannel.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get remote cert context via SChannel 4 | namespace: data-manipulation/encryption 5 | authors: 6 | - matthew.williams@mandiant.com 7 | scopes: 8 | static: basic block 9 | dynamic: call 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information [T1027] 12 | references: 13 | - https://docs.microsoft.com/en-us/windows/win32/secauthn/querycontextattributes--schannel 14 | features: 15 | - and: 16 | - api: secur32.QueryContextAttributes 17 | - number: 0x53 = SECPKG_ATTR_REMOTE_CERT_CONTEXT 18 | -------------------------------------------------------------------------------- /nursery/get-routing-table.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get routing table 4 | namespace: host-interaction/network/routing-table 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | att&ck: 11 | - Discovery::System Network 
Configuration Discovery [T1016] 12 | features: 13 | - or: 14 | - api: iphlpapi.GetIpForwardTable 15 | - api: iphlpapi.GetIpForwardTable2 16 | -------------------------------------------------------------------------------- /nursery/get-session-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get session information 4 | namespace: host-interaction/session 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Discovery::System Owner/User Discovery [T1033] 12 | features: 13 | - and: 14 | - api: wtsapi32.WTSQuerySessionInformation 15 | - optional: 16 | - api: wtsapi32.WTSFreeMemory 17 | -------------------------------------------------------------------------------- /nursery/get-shadow-password-file-entry-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get shadow password file entry on Linux 4 | namespace: collection 5 | authors: 6 | - jonathanlepore@google.com 7 | scopes: 8 | static: instruction 9 | dynamic: call 10 | references: 11 | - https://manpages.ubuntu.com/manpages/noble/man3/getspent.3.html 12 | features: 13 | - and: 14 | - os: linux 15 | - or: 16 | - api: getspent 17 | - api: getspent_r 18 | - api: fgetspent 19 | - api: fgetspent_r 20 | - api: getspnam 21 | - api: getspnam_r 22 | -------------------------------------------------------------------------------- /nursery/get-socket-information.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get socket information 4 | namespace: communication/socket 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | att&ck: 11 | - Discovery::System Network Configuration Discovery [T1016] 12 | features: 13 | - or: 14 | - api: ws2_32.getsockname 15 | - api: ws2_32.#6 = getsockname 16 | 
-------------------------------------------------------------------------------- /nursery/get-system-information-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get system information on Linux 4 | namespace: host-interaction/os/info 5 | authors: 6 | - joakim@intezer.com 7 | - michael.hunhoff@mandiant.com 8 | scopes: 9 | static: function 10 | dynamic: span of calls 11 | att&ck: 12 | - Discovery::System Information Discovery [T1082] 13 | features: 14 | - and: 15 | - os: linux 16 | - or: 17 | - api: sysconf 18 | - and: 19 | - api: system 20 | - string: "lshw" 21 | - api: sysinfo 22 | -------------------------------------------------------------------------------- /nursery/get-system-property-on-android.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get system property on Android 4 | namespace: host-interation/process 5 | authors: 6 | - mehunhoff@google.com 7 | scopes: 8 | static: basic block 9 | dynamic: call 10 | features: 11 | - and: 12 | - os: android 13 | - api: __system_property_get 14 | -------------------------------------------------------------------------------- /nursery/get-system-web-proxy.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get system web proxy 4 | namespace: communication/http 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | att&ck: 11 | - Discovery::System Network Configuration Discovery [T1016] 12 | references: 13 | - https://docs.microsoft.com/en-us/dotnet/api/system.net.webrequest.getsystemwebproxy 14 | features: 15 | - and: 16 | - api: System.Net.WebRequest::GetSystemWebProxy 17 | -------------------------------------------------------------------------------- /nursery/get-thread-local-storage-value.yml: 
-------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: get thread local storage value 4 | namespace: host-interaction/process 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | features: 11 | - and: 12 | - api: kernel32.TlsGetValue 13 | -------------------------------------------------------------------------------- /nursery/hash-data-using-crc32b.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hash data using CRC32b 4 | namespace: data-manipulation/checksum/crc32 5 | authors: 6 | - moritz.raabe@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: unsupported # requires characteristic features 10 | features: 11 | - and: 12 | - number: 0x4C11DB7 13 | - characteristic: nzxor 14 | -------------------------------------------------------------------------------- /nursery/hash-data-using-md4.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hash data using MD4 4 | namespace: data-manipulation/hashing/md4 5 | authors: 6 | - anamaria.martinezgom@mandiant.com 7 | scopes: 8 | static: basic block 9 | dynamic: call 10 | features: 11 | - and: 12 | - number: 0x8002 = CALG_MD4 13 | - api: advapi32.CryptCreateHash 14 | -------------------------------------------------------------------------------- /nursery/hash-data-using-murmur2.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hash data using murmur2 4 | namespace: data-manipulation/hashing/murmur 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: instruction 9 | dynamic: unsupported # requires mnemonic features 10 | references: 11 | - https://github.com/abrandoned/murmur2/blob/master/MurmurHash2.c 12 | features: 13 | - and: 14 | - mnemonic: imul 15 | - or: 16 | - number: 0xc6a4a7935bd1e995 = 
64-bit mixing constant m 17 | - number: 0x5bd1e995 = 32-bit mixing constant m 18 | -------------------------------------------------------------------------------- /nursery/hash-data-using-rshash.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hash data using rshash 4 | namespace: data-manipulation/hashing/rshash 5 | authors: 6 | - "@_re_fox" 7 | scopes: 8 | static: function 9 | dynamic: unsupported # requires characteristic features 10 | mbc: 11 | - Data::Non-Cryptographic Hash [C0030] 12 | references: 13 | - https://www.partow.net/programming/hashfunctions/ 14 | features: 15 | - and: 16 | - number: 0x5c6b7 17 | - number: 0xf8c9 18 | - characteristic: loop 19 | -------------------------------------------------------------------------------- /nursery/hash-data-using-sha1-via-wincrypt.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hash data using SHA1 via WinCrypt 4 | namespace: data-manipulation/hashing/sha1 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | features: 11 | - or: 12 | - and: 13 | - match: initialize hashing via WinCrypt 14 | - number: 0x8004 = CALG_SHA1 15 | - api: advapi32.CryptHashData 16 | -------------------------------------------------------------------------------- /nursery/hash-data-using-sha256-via-x86-extensions.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hash data using sha256 via x86 extensions 4 | namespace: data-manipulation/hashing/sha256 5 | authors: 6 | - "@_re_fox" 7 | scopes: 8 | static: basic block 9 | dynamic: unsupported # requires mnemonic features 10 | features: 11 | - or: 12 | - mnemonic: sha256rnds2 = Perform Two Rounds of SHA256 Operation 13 | - mnemonic: sha256msg1 = Perform an Intermediate Calculation for the Next Four SHA256 Message Dwords 14 | - 
mnemonic: sha256msg2 = Perform a Final Calculation for the Next Four SHA256 Message Dwords 15 | -------------------------------------------------------------------------------- /nursery/hash-data-using-sha512managed-in-dotnet.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hash data using SHA512Managed in .NET 4 | namespace: data-manipulation/hashing/sha512 5 | authors: 6 | - jonathanlepore@google.com 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | references: 11 | - https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.sha512managed 12 | features: 13 | - and: 14 | - api: System.Security.Cryptography.SHA512Managed::ctor 15 | - api: System.Security.Cryptography.HashAlgorithm::ComputeHash 16 | -------------------------------------------------------------------------------- /nursery/hook-routines-via-lsplant.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hook routines via LSPlant 4 | namespace: linking/hooking 5 | authors: 6 | - mehunhoff@google.com 7 | description: LSPlant is an Android ART hook library, providing Java method hook/unhook and inline deoptimization 8 | scopes: 9 | static: basic block 10 | dynamic: span of calls 11 | references: 12 | - https://github.com/LSPosed/LSPlant 13 | features: 14 | - and: 15 | - string: "LSPHooker_" 16 | - string: "hooker" 17 | - string: "{target}" 18 | -------------------------------------------------------------------------------- /nursery/hook-routines-via-microsoft-detours.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hook routines via microsoft detours 4 | namespace: linking/hooking 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | references: 11 | - 
https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/Flare-On%202017/Challenge7.pdf 12 | features: 13 | - or: 14 | - number: 0x52727464 = DETOUR_REGION_SIGNATURE 15 | -------------------------------------------------------------------------------- /nursery/hooked-by-api-override.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: hooked by API Override 4 | namespace: executable/hooked/api-override 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | references: 11 | - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ 12 | - http://jacquelin.potier.free.fr/winapioverride32/ 13 | features: 14 | - or: 15 | - section: .winapi 16 | -------------------------------------------------------------------------------- /nursery/implement-com-dll.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: implement COM DLL 4 | namespace: executable/pe 5 | authors: 6 | - moritz.raabe@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | references: 11 | - https://learn.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-dllgetclassobject 12 | features: 13 | - and: 14 | - export: DllGetClassObject 15 | - optional: 16 | - export: DllRegisterServer 17 | -------------------------------------------------------------------------------- /nursery/implement-ui-automation-client-in-dotnet.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: implement UI automation client in .NET 4 | namespace: host-interaction/ui/automation 5 | authors: 6 | - mehunhoff@google.com 7 | scopes: 8 | static: file 9 | dynamic: unsupported # requires .NET Namespace feature 10 | references: 11 | - https://learn.microsoft.com/en-us/dotnet/api/system.windows.automation?view=windowsdesktop-8.0 12 | 
features: 13 | - or: 14 | - namespace: System.Windows.Automation 15 | -------------------------------------------------------------------------------- /nursery/initialize-hashing-via-wincrypt.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: initialize hashing via WinCrypt 4 | namespace: data-manipulation/hashing 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | features: 11 | - and: 12 | - api: advapi32.CryptCreateHash 13 | - optional: 14 | - api: advapi32.CryptDestroyHash 15 | -------------------------------------------------------------------------------- /nursery/interact-with-iptables.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: interact with iptables 4 | namespace: host-interaction/firewall 5 | authors: 6 | - joakim@intezer.com 7 | scopes: 8 | static: basic block 9 | dynamic: call 10 | att&ck: 11 | - Discovery::Software Discovery::Security Software Discovery [T1518.001] 12 | - Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004] 13 | features: 14 | - and: 15 | - os: linux 16 | - api: system 17 | - substring: "iptables" 18 | -------------------------------------------------------------------------------- /nursery/interact-with-shortcut-via-iwshshortcut-in-dotnet.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: interact with shortcut via IWshShortcut in .NET 4 | namespace: host-interaction/shortcut 5 | authors: 6 | - mehunhoff@google.com 7 | scopes: 8 | static: function 9 | dynamic: unsupported # requires .NET Class feature 10 | references: 11 | - https://stackoverflow.com/questions/4897655/create-a-shortcut-on-desktop 12 | features: 13 | - or: 14 | - class: IWshRuntimeLibrary.IWshShortcut 15 | 
-------------------------------------------------------------------------------- /nursery/interact-with-windows-scripting-host-in-dotnet.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: interact with Windows Scripting Host in .NET 4 | namespace: host-interaction/wsh 5 | authors: 6 | - mehunhoff@google.com 7 | scopes: 8 | static: file 9 | dynamic: unsupported # requires .NET Namespace feature 10 | references: 11 | - https://stackoverflow.com/questions/4897655/create-a-shortcut-on-desktop 12 | features: 13 | - or: 14 | - namespace: IWshRuntimeLibrary 15 | -------------------------------------------------------------------------------- /nursery/link-function-at-runtime-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: link function at runtime on Linux 4 | namespace: linking/runtime-linking 5 | authors: 6 | - joakim@intezer.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | att&ck: 11 | - Execution::Shared Modules [T1129] 12 | features: 13 | - and: 14 | - or: 15 | - os: linux 16 | - os: android 17 | - or: 18 | - api: dlsym 19 | - api: dlvsym 20 | -------------------------------------------------------------------------------- /nursery/linked-against-cpp-http-library.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: linked against CPP HTTP library 4 | namespace: linking/static/httplib 5 | authors: 6 | - "@mr-tz" 7 | scopes: 8 | static: file 9 | dynamic: file 10 | references: 11 | - https://github.com/yhirose/cpp-httplib 12 | features: 13 | - or: 14 | - substring: "cpp-httplib/" 15 | - string: /\(HTTP\/1\\\.\[01\]\) \(\\d/ 16 | -------------------------------------------------------------------------------- /nursery/linked-against-cpp-json-library.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | 
name: linked against CPP JSON library 4 | namespace: linking/static/jsoncpp 5 | authors: 6 | - "@mr-tz" 7 | scopes: 8 | static: file 9 | dynamic: file 10 | references: 11 | - https://github.com/open-source-parsers/jsoncpp 12 | features: 13 | - or: 14 | - string: "Exceeded stackLimit in readValue()." 15 | - string: "Missing ',' or '}' in object declaration" 16 | - string: "Extra non-whitespace after JSON value." 17 | -------------------------------------------------------------------------------- /nursery/linked-against-cpp-regex-library.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: linked against CPP regex library 4 | namespace: linking/static/cppregex 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | references: 11 | - http://www.cplusplus.com/reference/regex/regex_error/ 12 | features: 13 | - or: 14 | - string: "regex_error(error_syntax)" 15 | description: C++ STL regex library 16 | - string: "regex_error(error_collate): The expression contained an invalid collating element name." 17 | -------------------------------------------------------------------------------- /nursery/linked-against-go-registry-library.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: linked against Go registry library 4 | namespace: host-interaction/registry 5 | authors: 6 | - joakim@intezer.com 7 | description: Uses a Go library for interacting with the Windows registry. 
8 | scopes: 9 | static: file 10 | dynamic: file 11 | references: 12 | - https://github.com/golang/sys 13 | features: 14 | - and: 15 | - match: compiled with Go 16 | - or: 17 | - string: "golang.org/x/sys/windows/registry.Key.Close" 18 | - string: "github.com/golang/sys/windows/registry.Key.Close" 19 | -------------------------------------------------------------------------------- /nursery/linked-against-libsodium.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: linked against libsodium 4 | namespace: linking/static/crypto 5 | authors: 6 | - "@mr-tz" 7 | description: Sodium is a software library for encryption, decryption, signatures, password hashing and more. 8 | scopes: 9 | static: file 10 | dynamic: file 11 | mbc: 12 | - Cryptography::Crypto Library [C0059] 13 | features: 14 | - or: 15 | - string: "sodium_crit_enter" 16 | - string: "_sodium_malloc" 17 | - string: "randombytes_sysrandom_implementation" 18 | -------------------------------------------------------------------------------- /nursery/list-domain-servers.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: list domain servers 5 | namespace: host-interaction/domain 6 | authors: 7 | - michael.hunhoff@mandiant.com 8 | scopes: 9 | static: basic block 10 | dynamic: call 11 | att&ck: 12 | - Discovery::System Network Configuration Discovery::Internet Connection Discovery [T1016.001] 13 | features: 14 | - or: 15 | - api: netapi32.NetServerEnum 16 | -------------------------------------------------------------------------------- /nursery/list-drag-and-drop-files.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: list drag and drop files 5 | namespace: host-interaction/clipboard 6 | authors: 7 | - michael.hunhoff@mandiant.com 
8 | scopes: 9 | static: function 10 | dynamic: span of calls 11 | att&ck: 12 | - Collection::Clipboard Data [T1115] 13 | features: 14 | - and: 15 | - api: shell32.DragQueryFile 16 | - and: 17 | - api: user32.GetClipboardData 18 | - number: 0xF = HDROP 19 | -------------------------------------------------------------------------------- /nursery/list-groups-for-user-account.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: list groups for user account 5 | namespace: host-interaction/accounts 6 | authors: 7 | - michael.hunhoff@mandiant.com 8 | description: enumerates all the groups to which a user account belongs 9 | scopes: 10 | static: basic block 11 | dynamic: call 12 | att&ck: 13 | - Discovery::Account Discovery [T1087] 14 | features: 15 | - or: 16 | - api: netapi32.NetUserGetGroups 17 | - api: netapi32.NetUserGetLocalGroups 18 | -------------------------------------------------------------------------------- /nursery/list-tcp-connections-and-listeners.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: list TCP connections and listeners 5 | namespace: collection/network 6 | authors: 7 | - michael.hunhoff@mandiant.com 8 | scopes: 9 | static: basic block 10 | dynamic: call 11 | features: 12 | - or: 13 | - api: iphlpapi.GetExtendedTcpTable 14 | -------------------------------------------------------------------------------- /nursery/list-udp-connections-and-listeners.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: list UDP connections and listeners 5 | namespace: collection/network 6 | authors: 7 | - michael.hunhoff@mandiant.com 8 | scopes: 9 | static: basic block 10 | dynamic: call 11 | features: 12 | - or: 13 | - api: 
iphlpapi.GetExtendedUdpTable 14 | -------------------------------------------------------------------------------- /nursery/list-user-account-groups.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: list user account groups 5 | namespace: host-interaction/accounts 6 | authors: 7 | - michael.hunhoff@mandiant.com 8 | description: enumerates all the groups present on the system/domain 9 | scopes: 10 | static: basic block 11 | dynamic: call 12 | att&ck: 13 | - Discovery::Permission Groups Discovery [T1069] 14 | features: 15 | - or: 16 | - api: netapi32.NetGroupEnum 17 | - api: netapi32.NetLocalGroupEnum 18 | -------------------------------------------------------------------------------- /nursery/list-user-accounts-for-group.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: list user accounts for group 5 | namespace: host-interaction/accounts 6 | authors: 7 | - michael.hunhoff@mandiant.com 8 | scopes: 9 | static: basic block 10 | dynamic: call 11 | att&ck: 12 | - Discovery::Permission Groups Discovery [T1069] 13 | features: 14 | - or: 15 | - api: netapi32.NetLocalGroupGetMembers 16 | - api: netapi32.NetGroupGetUsers 17 | -------------------------------------------------------------------------------- /nursery/list-user-accounts.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: list user accounts 5 | namespace: host-interaction/accounts 6 | authors: 7 | - michael.hunhoff@mandiant.com 8 | scopes: 9 | static: basic block 10 | dynamic: call 11 | att&ck: 12 | - Discovery::Account Discovery [T1087] 13 | features: 14 | - or: 15 | - api: netapi32.NetUserEnum 16 | 
-------------------------------------------------------------------------------- /nursery/listen-for-remote-procedure-calls.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: listen for remote procedure calls 5 | namespace: communication/rpc/server 6 | authors: 7 | - michael.hunhoff@mandiant.com 8 | scopes: 9 | static: basic block 10 | dynamic: call 11 | features: 12 | - or: 13 | - api: rpcrt4.RpcServerListen 14 | -------------------------------------------------------------------------------- /nursery/load-packed-dex-via-jiagu-on-android.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: load packed DEX via Jiagu on Android 4 | namespace: anti-analysis 5 | authors: 6 | - mehunhoff@google.com 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | references: 11 | - https://github.com/Frezrik/Jiagu 12 | features: 13 | - and: 14 | - os: android 15 | - string: "NDK_JIAGU" 16 | - string: "[-]get %s handle failed:%s" 17 | - string: "[-]ANONYMOUS mmap failed:%s" 18 | - string: "[-]g_sdk_int Update cookie failed" 19 | - string: "dalvik/system/InMemoryDexClassLoader" 20 | -------------------------------------------------------------------------------- /nursery/load-xml-in-dotnet.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: load XML in .NET 4 | namespace: data-manipulation/xml 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | features: 11 | - or: 12 | - api: System.Xml.XmlDocument::Load 13 | - api: System.Xml.XmlDocument::LoadXml 14 | -------------------------------------------------------------------------------- /nursery/log-keystrokes-via-input-method-manager.yml: -------------------------------------------------------------------------------- 1 | # generated 
using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: log keystrokes via Input Method Manager 5 | namespace: collection/keylog 6 | authors: 7 | - "@mr-tz" 8 | scopes: 9 | static: function 10 | dynamic: span of calls 11 | features: 12 | - and: 13 | - or: 14 | - api: ImmGetCompositionString 15 | - api: ImmGetVirtualKey 16 | - optional: 17 | - api: ImmGetContext 18 | - api: ImmReleaseContext 19 | -------------------------------------------------------------------------------- /nursery/make-an-http-request-with-a-cookie.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: make an HTTP request with a Cookie 4 | namespace: communication/http/client 5 | authors: 6 | - anamaria.martinezgom@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | features: 11 | - and: 12 | - match: send HTTP request 13 | - string: /Cookie:/i 14 | -------------------------------------------------------------------------------- /nursery/manipulate-console-window.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: manipulate console window 4 | namespace: host-interaction/console 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | mbc: 11 | - Operating System::Console [C0033] 12 | features: 13 | - or: 14 | - api: System.Console::SetWindowSize 15 | - api: System.Console::SetWindowPosition 16 | - api: System.Console::SetCursorPosition 17 | -------------------------------------------------------------------------------- /nursery/manipulate-network-credentials-in-dotnet.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: manipulate network credentials in .NET 4 | namespace: communication/authentication 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | features: 11 | - and: 12 | 
- api: System.Net.NetworkCredential::ctor 13 | -------------------------------------------------------------------------------- /nursery/manipulate-unmanaged-memory-in-dotnet.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: manipulate unmanaged memory in .NET 4 | namespace: host-interaction/memory 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: unsupported # requires class features 10 | features: 11 | - or: 12 | - class: System.Runtime.InteropServices.Marshal 13 | -------------------------------------------------------------------------------- /nursery/manipulate-user-privileges.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: manipulate user privileges 4 | namespace: host-interaction/user 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | features: 11 | - and: 12 | - api: advapi32.LsaAddAccountRights 13 | -------------------------------------------------------------------------------- /nursery/map-or-unmap-memory-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: map or unmap memory on Linux 4 | namespace: host-interaction/memory 5 | authors: 6 | - mehunhoff@google.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | features: 11 | - and: 12 | - or: 13 | - os: linux 14 | - os: android 15 | - or: 16 | - api: mmap 17 | - api: munmap 18 | -------------------------------------------------------------------------------- /nursery/mark-thread-detached-on-linux.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: mark thread detached on Linux 4 | namespace: host-interaction/thread 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: basic block 9 | dynamic: call 10 | features: 11 | - 
and: 12 | - os: linux 13 | - api: pthread_detach 14 | -------------------------------------------------------------------------------- /nursery/mixed-mode.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: mixed mode 4 | namespace: runtime 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | description: file contains managed and unmanaged (native) code, often seen in .NET 8 | scopes: 9 | static: file 10 | dynamic: unsupported # requires characteristic features 11 | features: 12 | - or: 13 | - characteristic: mixed mode 14 | -------------------------------------------------------------------------------- /nursery/modify-api-blacklist-or-denylist-via-jni-on-android.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: modify API blacklist or denylist via JNI on Android 4 | namespace: host-interaction/bypass 5 | authors: 6 | - mehunhoff@google.com 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | features: 11 | - and: 12 | - os: android 13 | - string: "com/android/internal/os/ZygoteInit" 14 | - or: 15 | - string: "setApiBlacklistExemptions" 16 | - string: "setApiDenylistExemptions" 17 | - string: "java/lang/String" 18 | -------------------------------------------------------------------------------- /nursery/monitor-clipboard-content.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: monitor clipboard content 5 | namespace: host-interaction/clipboard 6 | authors: 7 | - michael.hunhoff@mandiant.com 8 | scopes: 9 | static: basic block 10 | dynamic: call 11 | att&ck: 12 | - Collection::Clipboard Data [T1115] 13 | features: 14 | - and: 15 | - api: user32.AddClipboardFormatListener 16 | -------------------------------------------------------------------------------- /nursery/monitor-local-ipv4-address-changes.yml: 
-------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: monitor local IPv4 address changes 5 | namespace: host-interaction/network/address 6 | authors: 7 | - michael.hunhoff@mandiant.com 8 | scopes: 9 | static: basic block 10 | dynamic: call 11 | att&ck: 12 | - Discovery::System Network Configuration Discovery [T1016] 13 | features: 14 | - and: 15 | - api: iphlpapi.NotifyAddrChange 16 | -------------------------------------------------------------------------------- /nursery/move-directory.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: move directory 4 | namespace: host-interaction/file-system/move 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: function 9 | dynamic: call 10 | features: 11 | - or: 12 | - api: System.IO.DirectoryInfo::MoveTo 13 | - api: System.IO.Directory::Move 14 | -------------------------------------------------------------------------------- /nursery/obfuscated-with-koivm.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: obfuscated with KoiVM 4 | namespace: anti-analysis/obfuscation 5 | authors: 6 | - michael.hunhoff@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: unsupported # requires namespace, class features 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information [T1027] 12 | mbc: 13 | - Anti-Static Analysis::Executable Code Obfuscation [B0032] 14 | features: 15 | - or: 16 | - namespace: KoiVM.Runtime 17 | - class: KoiVM.Runtime.VMEntry 18 | -------------------------------------------------------------------------------- /nursery/packaged-as-a-createinstall-installer.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packaged as a CreateInstall installer 4 | namespace: 
executable/installer/createinstall 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | references: 11 | - https://www.createinstall.com/ 12 | - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/ 13 | features: 14 | - or: 15 | - section: .gentee 16 | -------------------------------------------------------------------------------- /nursery/packaged-as-a-nsis-installer.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packaged as a NSIS installer 4 | namespace: executable/installer/nsis 5 | authors: 6 | - moritz.raabe@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | references: 11 | - https://nsis.sourceforge.io/Main_Page 12 | features: 13 | - or: 14 | - substring: "http://nsis.sf.net" 15 | -------------------------------------------------------------------------------- /nursery/packaged-as-a-winzip-self-extracting-archive.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packaged as a WinZip self-extracting archive 4 | namespace: executable/installer/winzip 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | references: 11 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 12 | features: 13 | - or: 14 | - section: _winzip_ 15 | -------------------------------------------------------------------------------- /nursery/packaged-as-a-wise-installer.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packaged as a Wise installer 4 | namespace: executable/installer/wiseinstall 5 | authors: 6 | - moritz.raabe@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | features: 11 | - or: 12 | - string: "WiseMain" 13 | - substring: "Wise Installation Wizard" 14 | 
-------------------------------------------------------------------------------- /nursery/packaged-as-an-installshield-installer.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packaged as an InstallShield installer 4 | namespace: executable/installer/installshield 5 | authors: 6 | - moritz.raabe@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | features: 11 | - or: 12 | # AppHelp has an export ApphelpCheckInstallShieldPackage, 13 | # which we want to avoid FP'ing on, 14 | # so do an exact match for this string. 15 | # ok to relax if there are counterexamples. 16 | - string: "InstallShield" 17 | -------------------------------------------------------------------------------- /nursery/packed-with-ccg.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with CCG 4 | namespace: anti-analysis/packer/ccg 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: .ccg 19 | -------------------------------------------------------------------------------- /nursery/packed-with-crunch.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with Crunch 4 | namespace: anti-analysis/packer/crunch 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - 
https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: BitArts 19 | -------------------------------------------------------------------------------- /nursery/packed-with-dragon-armor.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with Dragon Armor 4 | namespace: anti-analysis/packer/dragon-armor 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: DAStub 19 | -------------------------------------------------------------------------------- /nursery/packed-with-enigma.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with enigma 4 | namespace: anti-analysis/packer/enigma 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: .enigma1 19 | - section: .enigma2 20 | -------------------------------------------------------------------------------- /nursery/packed-with-epack.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with Epack 4 | namespace: anti-analysis/packer/epack 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files 
or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: "!Epack" 19 | -------------------------------------------------------------------------------- /nursery/packed-with-maskpe.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with MaskPE 4 | namespace: anti-analysis/packer/maskpe 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: .MaskPE 19 | -------------------------------------------------------------------------------- /nursery/packed-with-mew.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with MEW 4 | namespace: anti-analysis/packer/mew 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: MEW 19 | -------------------------------------------------------------------------------- /nursery/packed-with-mpress.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with Mpress 4 | namespace: anti-analysis/packer/mpress 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | 
static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: .MPRESS1 19 | - section: .MPRESS2 20 | -------------------------------------------------------------------------------- /nursery/packed-with-neolite.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with Neolite 4 | namespace: anti-analysis/packer/neolite 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: .neolite 19 | - section: .neolit 20 | -------------------------------------------------------------------------------- /nursery/packed-with-pepack.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with Pepack 4 | namespace: anti-analysis/packer/pepack 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: PEPACK!! 
19 | -------------------------------------------------------------------------------- /nursery/packed-with-perplex.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with Perplex 4 | namespace: anti-analysis/packer/perplex 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: .perplex 19 | -------------------------------------------------------------------------------- /nursery/packed-with-procrypt.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with ProCrypt 4 | namespace: anti-analysis/packer/procrypt 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: ProCrypt 19 | -------------------------------------------------------------------------------- /nursery/packed-with-rpcrypt.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with RPCrypt 4 | namespace: anti-analysis/packer/rpcrypt 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - 
https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: RCryptor 19 | - section: .RCrypt 20 | -------------------------------------------------------------------------------- /nursery/packed-with-seausfx.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with SeauSFX 4 | namespace: anti-analysis/packer/seausfx 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: .seau 19 | -------------------------------------------------------------------------------- /nursery/packed-with-simple-pack.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with Simple Pack 4 | namespace: anti-analysis/packer/simple-pack 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: .spack 19 | -------------------------------------------------------------------------------- /nursery/packed-with-starforce.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with StarForce 4 | namespace: anti-analysis/packer/starforce 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense 
Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: .sforce3 19 | -------------------------------------------------------------------------------- /nursery/packed-with-svkp.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with SVKP 4 | namespace: anti-analysis/packer/svkp 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: .svkp 19 | -------------------------------------------------------------------------------- /nursery/packed-with-tsuloader.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with TSULoader 4 | namespace: anti-analysis/packer/tsuloader 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: .tsuarch 19 | - section: .tsustub 20 | -------------------------------------------------------------------------------- /nursery/packed-with-vprotect.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with VProtect 4 | namespace: anti-analysis/packer/vprotect 
5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: VProtect 19 | -------------------------------------------------------------------------------- /nursery/packed-with-wwpack.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: packed with WWPACK 4 | namespace: anti-analysis/packer/wwpack 5 | authors: 6 | - william.ballenthin@mandiant.com 7 | scopes: 8 | static: file 9 | dynamic: file 10 | att&ck: 11 | - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] 12 | mbc: 13 | - Anti-Static Analysis::Software Packing [F0001] 14 | references: 15 | - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/ 16 | features: 17 | - or: 18 | - section: .WWPACK 19 | - section: .WWP32 20 | -------------------------------------------------------------------------------- /nursery/parse-url.yml: -------------------------------------------------------------------------------- 1 | # generated using capa explorer for IDA Pro 2 | rule: 3 | meta: 4 | name: parse URL 5 | namespace: communication/http 6 | authors: 7 | - michael.hunhoff@mandiant.com 8 | scopes: 9 | static: basic block 10 | dynamic: call 11 | features: 12 | - or: 13 | - api: wininet.InternetCrackUrl 14 | -------------------------------------------------------------------------------- /nursery/persist-via-aedebug-registry-key.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: persist via AeDebug registry key 4 | namespace: persistence/registry 5 | authors: 6 | - j.j.vannielen@utwente.nl 7 | scopes: 8 | static: function 9 | 
dynamic: span of calls 10 | att&ck: 11 | - Persistence::Event Triggered Execution [T1546] 12 | references: 13 | - https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging 14 | features: 15 | - and: 16 | - match: set registry value 17 | - string: /Microsoft\\Windows NT\\CurrentVersion\\AeDebug/i 18 | - string: /Debugger/i 19 | -------------------------------------------------------------------------------- /nursery/persist-via-amsi-registry-key.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: persist via AMSI registry key 4 | namespace: persistence/registry 5 | authors: 6 | - j.j.vannielen@utwente.nl 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Persistence::Event Triggered Execution [T1546] 12 | references: 13 | - https://learn.microsoft.com/en-us/windows/win32/amsi/dev-audience 14 | features: 15 | - and: 16 | - match: set registry value 17 | - string: /Microsoft\\AMSI\\Providers\\/i 18 | -------------------------------------------------------------------------------- /nursery/persist-via-appcertdlls-registry-key.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: persist via AppCertDlls registry key 4 | namespace: persistence/registry 5 | authors: 6 | - j.j.vannielen@utwente.nl 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Persistence::Event Triggered Execution::AppCert DLLs [T1546.009] 12 | references: 13 | - https://skanthak.hier-im-netz.de/appcert.html 14 | features: 15 | - and: 16 | - match: set registry value 17 | - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Session Manager\\AppCertDlls/i 18 | -------------------------------------------------------------------------------- /nursery/persist-via-command-processor-registry-key.yml: -------------------------------------------------------------------------------- 1 | 
rule: 2 | meta: 3 | name: persist via Command Processor registry key 4 | namespace: persistence/registry 5 | authors: 6 | - j.j.vannielen@utwente.nl 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Persistence::Event Triggered Execution [T1546] 12 | references: 13 | - https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433 14 | features: 15 | - and: 16 | - match: set registry value 17 | - and: 18 | - string: /Microsoft\\Command Processor/i 19 | - string: /AutoRun/i 20 | -------------------------------------------------------------------------------- /nursery/persist-via-cor_profiler_path-registry-value.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: persist via COR_PROFILER_PATH registry value 4 | namespace: persistence/registry 5 | authors: 6 | - j.j.vannielen@utwente.nl 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Persistence::Hijack Execution Flow::COR_PROFILER [T1574.012] 12 | references: 13 | - https://redcanary.com/blog/threat-detection/cor_profiler-for-persistence/ 14 | features: 15 | - and: 16 | - match: set registry value 17 | - string: /Environment/i 18 | - string: /COR_PROFILER_PATH/i 19 | -------------------------------------------------------------------------------- /nursery/persist-via-explorer-tools-registry-key.yml: -------------------------------------------------------------------------------- 1 | rule: 2 | meta: 3 | name: persist via Explorer tools registry key 4 | namespace: persistence/registry 5 | authors: 6 | - j.j.vannielen@utwente.nl 7 | scopes: 8 | static: function 9 | dynamic: span of calls 10 | att&ck: 11 | - Persistence::Event Triggered Execution [T1546] 12 | references: 13 | - https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ 14 | features: 15 | - and: 16 | - match: set registry value 17 | - string: /Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\/i 18 | 
--------------------------------------------------------------------------------

/nursery/persist-via-gnome-autostart-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: persist via GNOME autostart on Linux
    namespace: persistence
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
  features:
    - and:
      - os: linux
      - match: host-interaction/file-system/write
      - substring: "X-GNOME-Autostart-enabled=true"
--------------------------------------------------------------------------------

/nursery/persist-via-hhctrl-com-hijack.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: persist via hhctrl COM hijack
    namespace: persistence/registry
    authors:
      - j.j.vannielen@utwente.nl
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Persistence::Hijack Execution Flow [T1574]
    references:
      - https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
  features:
    - and:
      - match: persist via COM hijack
      - string: /{52A2AAAE-085D-4187-97EA-8C30DB990436}/i
--------------------------------------------------------------------------------

/nursery/persist-via-netsh-registry-key.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: persist via Netsh registry key
    namespace: persistence/registry
    authors:
      - j.j.vannielen@utwente.nl
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Persistence::Event Triggered Execution [T1546]
    references:
      - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
  features:
    - and:
      - match: set registry value
      - string: /Microsoft\\Netsh/i
--------------------------------------------------------------------------------

/nursery/persist-via-path-registry-key.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: persist via PATH registry key
    namespace: persistence/registry
    authors:
      - j.j.vannielen@utwente.nl
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Persistence::Hijack Execution Flow::Path Interception by PATH Environment Variable [T1574.007]
    references:
      - https://attack.mitre.org/techniques/T1574/007/
  features:
    - and:
      - match: set registry value
      - string: /Environment/i
      - string: /^PATH$/i
--------------------------------------------------------------------------------

/nursery/power-down-monitor.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: power down monitor
    namespace: host-interaction/hardware/monitor
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
  features:
    - and:
      - api: user32.SendMessage
      - number: 0x112 = WM_SYSCOMMAND
      - number: 0xF170 = SC_MONITORPOWER
      - number: 2 = the display is being shut off
--------------------------------------------------------------------------------

/nursery/query-or-enumerate-registry-key-via-stdregprov.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: query or enumerate registry key via StdRegProv
    namespace: host-interaction/registry
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov#methods
  features:
    - and:
      - string: "StdRegProv"
      - string: "EnumKey"
--------------------------------------------------------------------------------

/nursery/query-remote-server-for-available-data.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: query remote server for available data
    namespace: communication
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
  features:
    - or:
      - api: wininet.InternetQueryDataAvailable
--------------------------------------------------------------------------------

/nursery/read-and-send-data-from-client-to-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: read and send data from client to server
    namespace: communication/c2/file-transfer
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
  features:
    - and:
      - match: host-interaction/file-system/read
      - match: send data
--------------------------------------------------------------------------------

/nursery/read-process-memory.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: read process memory
    namespace: host-interaction/process
    authors:
      - matthew.williams@mandiant.com
      - "@_re_fox"
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
  features:
    - and:
      - api: kernel32.ReadProcessMemory
      - api: kernel32.Toolhelp32ReadProcessMemory
      - optional:
        - or:
          - api: kernel32.OpenProcess
          - api: kernel32.VirtualQueryEx
          - api: psapi.QueryWorkingSet
--------------------------------------------------------------------------------

/nursery/read-raw-disk-data.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: read raw disk data
    namespace: host-interaction/file-system
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: file
      dynamic: file
  features:
    - or:
      - string: "\\\\.\\PhysicalDrive0"
      - string: "\\\\.\\C:"
--------------------------------------------------------------------------------

/nursery/rebuilt-by-imprec.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: rebuilt by ImpRec
    namespace: executable/imprec
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: file
      dynamic: file
    references:
      - https://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
  features:
    - or:
      - section: .mackt
--------------------------------------------------------------------------------

/nursery/receive-and-write-data-from-server-to-client.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: receive and write data from server to client
    namespace: communication/c2/file-transfer
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
  features:
    - and:
      - match: receive data
      - match: host-interaction/file-system/write
--------------------------------------------------------------------------------

/nursery/reference-aes-constants.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference AES constants
    namespace: data-manipulation/encryption/aes
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires bytes features
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
  features:
    - or:
      - bytes: 50 a7 f4 51 53 65 41 7e = d-0
      - bytes: 63 7c 77 7b f2 6b 6f c5 = s-box
      - bytes: 52 09 6a d5 30 36 a5 38 = inv-s-box
--------------------------------------------------------------------------------

/nursery/reference-alidns-dns-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference AliDNS DNS server
    namespace: communication/dns
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://www.alidns.com/
    # examples:
    #   - ab57d3c179355bf2bcdb7935483d84d4
  features:
    - or:
      - string: "223.5.5.5"
      - string: "223.6.6.6"
      - string: "2400:3200::1"
      - string: "2400:3200:baba::1"
--------------------------------------------------------------------------------

/nursery/reference-cloudflare-dns-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference Cloudflare DNS server
    namespace: communication/dns
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://www.techradar.com/news/best-dns-server
  features:
    - or:
      - string: "1.1.1.1"
      - string: "1.0.0.1"
--------------------------------------------------------------------------------

/nursery/reference-comodo-secure-dns-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference Comodo Secure DNS server
    namespace: communication/dns
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://www.techradar.com/news/best-dns-server
  features:
    - or:
      - string: "8.26.56.26"
      - string: "8.20.247.20"
--------------------------------------------------------------------------------

/nursery/reference-google-public-dns-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference Google Public DNS server
    namespace: communication/dns
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://www.techradar.com/news/best-dns-server
      - https://developers.google.com/speed/public-dns/docs/using
  features:
    - or:
      - string: "8.8.8.8"
      - string: "8.8.4.4"
      - string: "2001:4860:4860::8888"
      - string: "2001:4860:4860::8844"
--------------------------------------------------------------------------------

/nursery/reference-kornet-dns-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference kornet DNS server
    namespace: communication/dns
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://whatismyipaddress.com/ip/168.126.63.1
    # examples:
    #   - ab57d3c179355bf2bcdb7935483d84d4
  features:
    - or:
      - string: "168.126.63.1"
        description: kns.kornet.net
--------------------------------------------------------------------------------

/nursery/reference-l3-dns-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference L3 DNS server
    namespace: communication/dns
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://www.quora.com/What-is-a-4-2-2-1-DNS-server
  features:
    - or:
      - string: "4.2.2.1"
      - string: "4.2.2.2"
      - string: "4.2.2.3"
      - string: "4.2.2.4"
      - string: "4.2.2.5"
      - string: "4.2.2.6"
--------------------------------------------------------------------------------

/nursery/reference-opendns-dns-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference OpenDNS DNS server
    namespace: communication/dns
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://www.techradar.com/news/best-dns-server
  features:
    - or:
      - string: "208.67.222.222"
      - string: "208.67.220.220"
--------------------------------------------------------------------------------

/nursery/reference-quad9-dns-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference Quad9 DNS server
    namespace: communication/dns
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://www.techradar.com/news/best-dns-server
  features:
    - or:
      - string: "9.9.9.9"
      - string: "149.112.112.112"
--------------------------------------------------------------------------------

/nursery/reference-startup-folder.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference startup folder
    namespace: persistence/startup-folder
    authors:
      - matthew.williams@mandiant.com
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Persistence::Boot or Logon Autostart Execution::Registry Run Keys / Startup Folder [T1547.001]
  features:
    - or:
      - string: /Start Menu\\Programs\\Startup/i
--------------------------------------------------------------------------------

/nursery/reference-verisign-dns-server.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: reference Verisign DNS server
    namespace: communication/dns
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://www.techradar.com/news/best-dns-server
  features:
    - or:
      - string: "64.6.64.6"
      - string: "64.6.65.6"
--------------------------------------------------------------------------------

/nursery/register-http-server-url.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: register HTTP server URL
    namespace: communication/http/server
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
  features:
    - or:
      - api: httpapi.HttpAddUrl
      - api: httpapi.HttpAddUrlToUrlGroup
--------------------------------------------------------------------------------

/nursery/register-raw-input-devices.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: register raw input devices
    namespace: host-interaction/hardware
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
  features:
    - or:
      - api: user32.RegisterRawInputDevices
--------------------------------------------------------------------------------

/nursery/resize-volume-shadow-copy-storage.yml:
--------------------------------------------------------------------------------
# generated using capa explorer for IDA Pro
rule:
  meta:
    name: resize volume shadow copy storage
    namespace: impact/inhibit-system-recovery
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
  features:
    - and:
      - or:
        - match: interact with driver via IOCTL
        - characteristic: indirect call
      - number: 0x53C028 = IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE
--------------------------------------------------------------------------------
/nursery/save-image-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: save image in .NET
    namespace: collection
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires class features
  features:
    - and:
      - api: System.Drawing.Image::Save
      - optional:
        - class: System.Drawing.Imaging.ImageFormat
--------------------------------------------------------------------------------

/nursery/send-email-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: send email in .NET
    namespace: communication/smtp/send
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
  features:
    - or:
      - api: System.Web.Mail.SmtpMail::Send
--------------------------------------------------------------------------------

/nursery/send-http-request-with-host-header.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: send HTTP request with Host header
    namespace: communication/http
    authors:
      - anamaria.martinezgom@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
  features:
    - and:
      - match: send HTTP request
      - string: /Host:/i
--------------------------------------------------------------------------------

/nursery/send-keystrokes.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: send keystrokes
    namespace: host-interaction/hardware/keyboard
    authors:
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: call
  features:
    - or:
      - api: System.Windows.Forms.SendKeys::Send
      - api: System.Windows.Forms.SendKeys::SendWait
--------------------------------------------------------------------------------

/nursery/set-current-directory.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set current directory
    namespace: host-interaction/file-system
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: call
  features:
    - or:
      - api: System.IO.Directory::SetCurrentDirectory
      - api: kernel32.SetCurrentDirectory
      - api: chdir
      - api: fchdir
--------------------------------------------------------------------------------

/nursery/set-global-application-hook.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set global application hook
    namespace: host-interaction/gui
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
  features:
    - and:
      - api: user32.SetWindowsHookEx
      - number: 0x3 = WM_GETMESSAGE
      - number: 0x0 = dwThreadId
--------------------------------------------------------------------------------

/nursery/set-http-user-agent-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set HTTP User-Agent in .NET
    namespace: communication/http
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires property features
  features:
    - or:
      - property/write: System.Net.HttpWebRequest::UserAgent
--------------------------------------------------------------------------------

/nursery/set-shadow-password-file-entry-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set shadow password file entry on Linux
    namespace: host-interaction/file-system/write
    authors:
      - jonathanlepore@google.com
    scopes:
      static: instruction
      dynamic: call
    references:
      - https://manpages.ubuntu.com/manpages/noble/man3/putspent.3.html
  features:
    - and:
      - os: linux
      - or:
        - api: putspent
--------------------------------------------------------------------------------

/nursery/set-thread-name-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set thread name on Linux
    namespace: host-interaction/thread
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: span of calls
  features:
    - and:
      - or:
        - os: linux
        - os: android
      - or:
        - api: pthread_setname_np
        - and:
          - api: prctl
          - number: 0xF = PR_SET_NAME
--------------------------------------------------------------------------------

/nursery/set-web-proxy-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: set web proxy in .NET
    namespace: communication/http
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires property features
  features:
    - and:
      - property/write: System.Net.WebRequest::Proxy
      - optional:
        - api: System.Net.WebProxy::ctor
--------------------------------------------------------------------------------

/nursery/terminate-process-by-name-in-dotnet.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: terminate process by name in .NET
    namespace: host-interaction/process/terminate
    authors:
      - anushka.virgaonkar@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
  features:
    - and:
      - api: System.Diagnostics.Process::GetProcessesByName
      - api: System.Diagnostics.Process::Kill
--------------------------------------------------------------------------------

/nursery/terminate-process-by-name.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: terminate process by name
    namespace: host-interaction/process/terminate
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires offset features
    # examples:
    #   - unpacked Cl0p ransomware
  features:
    - and:
      - match: terminate process
      - match: enumerate processes
      - or:
        - offset: 0x24 = pe.szExeFile (x32)
--------------------------------------------------------------------------------

/nursery/truncate-file-on-linux.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: truncate file on Linux
    namespace: host-interaction/file-system/truncate
    authors:
      - mehunhoff@google.com
    scopes:
      static: basic block
      dynamic: call
  features:
    - and:
      - or:
        - os: android
        - os: linux
      - api: ftruncate
--------------------------------------------------------------------------------

/nursery/unmanaged-call.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: unmanaged call
    namespace: runtime
    authors:
      - michael.hunhoff@mandiant.com
    description: managed code calls unmanaged (native) code, often seen in .NET
    scopes:
      static: function
      dynamic: unsupported
  features:
    - or:
      - characteristic: unmanaged call
      - match: unmanaged call via dynamic PInvoke in .NET
      - api: System.Runtime.InteropServices.Marshal::GetDelegateForFunctionPointer
--------------------------------------------------------------------------------

/nursery/unmount-volume-via-ioctl.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: unmount volume via IOCTL
    namespace: host-interaction/hardware/storage
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: span of calls
    references:
      - https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
  features:
    - and:
      - or:
        - match: interact with driver via IOCTL
        - characteristic: indirect call
      - and:
        - number: 0x90018 = FSCTL_LOCK_VOLUME
        - number: 0x90020 = FSCTL_DISMOUNT_VOLUME
--------------------------------------------------------------------------------

/nursery/use-dotnet-library-simplejson.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: use .NET library SimpleJSON
    namespace: data-manipulation/json
    authors:
      - mehunhoff@google.com
    scopes:
      static: file
      dynamic: unsupported  # requires .NET Class feature
    references:
      - https://github.com/mhallin/SimpleJSON.NET
  features:
    - or:
      - class: Json.SimpleJson
--------------------------------------------------------------------------------

/nursery/use-dotnet-library-websocket-sharp.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: use .NET library websocket-sharp
    namespace: communication/websocket
    authors:
      - mehunhoff@google.com
    scopes:
      static: file
      dynamic: unsupported  # requires .NET Namespace feature
    references:
      - https://github.com/sta/websocket-sharp
  features:
    - or:
      - namespace: WebSocketSharp
--------------------------------------------------------------------------------

/persistence/act-as-dhcp-server-callout-dll.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: act as DHCP server callout DLL
    namespace: persistence
    authors:
      - jakub.jozwiak@mandiant.com
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Persistence::Server Software Component [T1505]
    references:
      - https://learn.microsoft.com/en-gb/previous-versions/windows/desktop/dhcp/how-the-dhcp-server-api-operates
    examples:
      - 36f506a34b99bf4c199b3c9ec8aa02bd631feafdca20e69e33e714c269ddb8c5
  features:
    - or:
      - export: DhcpServerCalloutEntry
--------------------------------------------------------------------------------

/persistence/office/act-as-excel-xll-add-in.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: act as Excel XLL add-in
    namespace: persistence/office
    authors:
      - jakub.jozwiak@mandiant.com
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Persistence::Office Application Startup::Add-ins [T1137.006]
    references:
      - https://learn.microsoft.com/en-us/office/client-developer/excel/xlautoopen
    examples:
      - c29513e5a51dd24ca840f7628b872cba921976cba89dcbffd5028ba15481108c
  features:
    - or:
      - export: xlAutoOpen
--------------------------------------------------------------------------------

/persistence/office/act-as-word-wll-add-in.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: act as Word WLL add-in
    namespace: persistence/office
    authors:
      - jakub.jozwiak@mandiant.com
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Persistence::Office Application Startup::Add-ins [T1137.006]
    references:
      - https://www.ired.team/offensive-security/persistence/word-library-add-ins
    examples:
      - 03bb32d43885e83bc56c0b2bcad6f0c5ea40402763b7057056c654990022471b
  features:
    - or:
      - export: wdAutoOpen
--------------------------------------------------------------------------------

/persistence/service/persist-via-rc-script.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: persist via rc script
    namespace: persistence/service
    authors:
      - joakim@intezer.com
    scopes:
      static: function
      dynamic: span of calls
    att&ck:
      - Persistence::Boot or Logon Initialization Scripts::RC Scripts [T1037.004]
    examples:
      - 7351f8a40c5450557b24622417fc478d:0x407D11
  features:
    - and:
      - os: linux
      - match: host-interaction/file-system/write
      - or:
        - substring: "/etc/init.d/"
        - string: /\/etc\/rc[0-9]\.d\//
--------------------------------------------------------------------------------

/runtime/dotnet/compiled-to-the-dotnet-platform.yml:
--------------------------------------------------------------------------------
rule:
  meta:
    name: compiled to the .NET platform
    namespace: runtime/dotnet
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: file
      dynamic: file
    examples:
      - b9f5bd514485fb06da39beff051b9fdc
  features:
    - or:
      - format: dotnet
      - import: mscoree._CorExeMain
      - import: mscoree._corexemain
      - import: mscoree._CorDllMain
      - import: mscoree._cordllmain
--------------------------------------------------------------------------------