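# generated using capa explorer for IDA Pro
#
# capa rule: flags code that collects the host's geographical location,
# either through the Windows locale/geo APIs or through strings that are
# typical of geolocation web-service requests and responses.
# Indentation follows the capa-rules convention (2 spaces, indented
# sequences); the rule is a nested mapping, so a flat paste of these
# lines does not parse as the intended structure.
rule:
  meta:
    name: get geographical location
    namespace: collection
    authors:
      - moritz.raabe
    # static analysis matches per function, dynamic (sandbox trace)
    # analysis matches per thread
    scopes:
      static: function
      dynamic: thread
    # MITRE ATT&CK mapping; the key name contains '&' mid-token, which is
    # fine as a plain scalar (only a leading '&' starts an anchor)
    att&ck:
      - Discovery::System Location Discovery [T1614]
    # sample MD5 and the virtual address of a function that must match,
    # used by capa's rule tests to confirm the rule still fires
    examples:
      - 9879D201DC5ACA863F357184CD1F170E:0x10001A99
  features:
    # any single feature below is enough for a match
    - or:
      # Windows locale / geo APIs
      - api: GetLocaleInfo
      - api: GetLocaleInfoEx
      - api: kernel32.GetUserGeoID
      - api: kernel32.GetGeoInfo
      # strings part of requests or parsed from response
      # (written as case-insensitive regexes, /.../i)
      # "geo" and "zip" are too short
      # "region" results in FPs mostly related to memory
      - string: /geolocation/i
      - string: /geo-location/i
      - string: /^city/i
      - string: /region_code/i
      - string: /region_name/i
      - string: /^country/i
      - string: /country_code/i
      - string: /countrycode/i
      - string: /country_name/i
      - string: /continent_code/i
      - string: /continent_name/i
      - string: /^latitude/i
      - string: /^longitude/i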