-
Notifications
You must be signed in to change notification settings - Fork 164
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' into update-alloc-rules
- Loading branch information
Showing
85 changed files
with
1,152 additions
and
118 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
37 changes: 37 additions & 0 deletions
37
anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
rule: | ||
meta: | ||
name: patch Event Tracing for Windows function | ||
namespace: anti-analysis/anti-av | ||
authors: | ||
- [email protected] | ||
scope: function | ||
att&ck: | ||
- Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006] | ||
mbc: | ||
- Defense Evasion::Disable or Evade Security Tools [F0004] | ||
references: | ||
- https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/ | ||
- https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch/blob/main/patch-etw-x64.c | ||
examples: | ||
- 15835b6dd703e69d22d4ab941ccd5f6e78c3abc22ae123366da5e950eaa62e2b:0x180001D70 | ||
features: | ||
- and: | ||
- match: link function at runtime on Windows | ||
- or: | ||
- api: kernel32.VirtualProtect | ||
- api: ntdll.NtProtectVirtualMemory # exported by only ntdll, not ntoskrnl | ||
- api: ZwProtectVirtualMemory # exported by both ntdll and ntoskrnl | ||
- string: "VirtualProtect" | ||
- string: "NtProtectVirtualMemory" | ||
- string: "ZwProtectVirtualMemory" | ||
- or: | ||
- string: "EventWrite" | ||
- string: "EtwEventWrite" | ||
- string: "EtwEventWriteFull" | ||
- string: "TraceEvent" | ||
- string: "NtTraceEvent" | ||
- string: "ZwTraceEvent" | ||
- string: "NtTraceControl" | ||
- string: "ZwTraceControl" | ||
- optional: | ||
- match: write process memory |
33 changes: 33 additions & 0 deletions
33
anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
rule: | ||
meta: | ||
name: hide thread from debugger | ||
namespace: anti-analysis/anti-debugging/debugger-evasion | ||
authors: | ||
- [email protected] | ||
- [email protected] | ||
scope: function | ||
att&ck: | ||
- Defense Evasion::Debugger Evasion [T1622] | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Evasion [B0002] | ||
references: | ||
- https://anti-debug.checkpoint.com/techniques/interactive.html#ntsetinformationthread | ||
- https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtSetInformationThread_ThreadHideFromDebugger.cpp | ||
- https://github.com/jaeyung1001/Anti-Debugging/blob/master/Code/NtSetInformationThread.cpp | ||
examples: | ||
- 26beba7352a32b803aa19e0782011a383a1df19549910e7b2f2f244e49678524:0x10001670 | ||
features: | ||
- or: | ||
- basic block: | ||
- and: | ||
- or: | ||
- api: NtSetInformationThread | ||
- api: ZwSetInformationThread | ||
- number: 0x11 = ThreadHideFromDebugger | ||
- and: | ||
- or: | ||
- string: "NtSetInformationThread" | ||
- string: "ZwSetInformationThread" | ||
- match: link function at runtime on Windows | ||
- api: GetCurrentThread | ||
- number: 0x11 = ThreadHideFromDebugger |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,6 +4,7 @@ rule: | |
namespace: anti-analysis/anti-forensic/self-deletion | ||
authors: | ||
- [email protected] | ||
- "@mr-tz" | ||
scope: function | ||
att&ck: | ||
- Defense Evasion::Indicator Removal::File Deletion [T1070.004] | ||
|
@@ -16,9 +17,12 @@ rule: | |
- or: | ||
- match: get COMSPEC environment variable | ||
- string: "cmd.exe" | ||
- match: host-interaction/process/create | ||
- string: /\/c\s*del\s*/ | ||
description: "/c del" | ||
- match: host-interaction/process/create | ||
- or: | ||
- string: /\/c\s*del\s*/ | ||
description: "/c del" | ||
- string: /del\s*\S/ | ||
description: "del \"%s\"" | ||
- optional: | ||
- string: /\s*>\s*nul\s*/i | ||
description: "> nul" |
25 changes: 25 additions & 0 deletions
25
anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
rule: | ||
meta: | ||
name: check for foreground window switch | ||
namespace: anti-analysis/anti-vm/vm-detection | ||
authors: | ||
- [email protected] | ||
description: Detect usage of GetForegroundWindow and Sleep APIs to check if there is any foreground window switch. Typically, sandboxes do not switch the foreground window like a user would in a normal environment. | ||
scope: function | ||
att&ck: | ||
- Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002] | ||
mbc: | ||
- Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012] | ||
references: | ||
- https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html | ||
- https://unprotect.it/technique/getforegroundwindow/ | ||
examples: | ||
- 2855ba06b90e7c64d9bce888e47baf6d:0x4112A3 | ||
features: | ||
- and: | ||
- count(api(GetForegroundWindow)): 2 or more | ||
- api: Sleep | ||
- mnemonic: cmp | ||
- or: | ||
- characteristic: loop | ||
- characteristic: tight loop |
19 changes: 19 additions & 0 deletions
19
anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# generated using capa explorer for IDA Pro | ||
rule: | ||
meta: | ||
name: detect VM via disk hardware WMI queries | ||
namespace: anti-analysis/anti-vm/vm-detection | ||
authors: | ||
- [email protected] | ||
scope: function | ||
att&ck: | ||
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] | ||
mbc: | ||
- Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023] | ||
examples: | ||
- 32B3678F8C29437E9EA10EAB10194F66:0x4035e0 | ||
features: | ||
- and: | ||
- string: "Win32_DiskDrive" | ||
- string: "Model" | ||
- string: "Virtual" |
19 changes: 19 additions & 0 deletions
19
anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# generated using capa explorer for IDA Pro | ||
rule: | ||
meta: | ||
name: detect VM via motherboard hardware WMI queries | ||
namespace: anti-analysis/anti-vm/vm-detection | ||
authors: | ||
- [email protected] | ||
scope: function | ||
att&ck: | ||
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001] | ||
mbc: | ||
- Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023] | ||
examples: | ||
- 32B3678F8C29437E9EA10EAB10194F66:0x4035e0 | ||
features: | ||
- and: | ||
- string: "Win32_BaseBoard" | ||
- string: "Virtual" | ||
- string: "Product" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,24 +4,29 @@ rule: | |
namespace: collection/browser | ||
authors: | ||
- "@_re_fox" | ||
scope: function | ||
- [email protected] | ||
scope: file | ||
att&ck: | ||
- Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003] | ||
examples: | ||
- 2fd45662e3d0ec0077ea2fa66b6378f0:0x6000039 | ||
- 54390bda109aab7fc006b8b4ead5b6c2:0x1006E8D3 | ||
features: | ||
- and: | ||
- or: | ||
- string: /\\(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\User Data\\Default\\Login Data/ | ||
- string: /\\Opera Software\\Opera Stable\\Login Data/ | ||
- string: /\\+(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\+User Data\\+Default(\\+Network)?\\+(Cookies|Login Data)/i | ||
- string: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/i | ||
- or: | ||
- string: /SELECT [(date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value)\s+,]+ FROM logins/i | ||
- string: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i | ||
- string: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i | ||
- 2 or more: | ||
- string: /date_created/i | ||
- string: /username_element/i | ||
- string: /username_value/i | ||
- string: /password_element/i | ||
- string: /origin_url/i | ||
- string: /signon_realm/i | ||
- string: /action_url/i | ||
- string: /password_value/i | ||
- substring: "date_created" | ||
- substring: "encrypted_value" | ||
- substring: "creation_utc" | ||
- substring: "username_element" | ||
- substring: "username_value" | ||
- substring: "password_element" | ||
- substring: "origin_url" | ||
- substring: "signon_realm" | ||
- substring: "action_url" | ||
- substring: "password_value" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,16 +4,18 @@ rule: | |
namespace: collection/browser | ||
authors: | ||
- "@_re_fox" | ||
- [email protected] | ||
scope: function | ||
att&ck: | ||
- Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003] | ||
examples: | ||
- 7204e3efc2434012e13ca939db0d0b02:0x4073c0 | ||
- 54390bda109aab7fc006b8b4ead5b6c2:0x1006e58b | ||
features: | ||
- and: | ||
- 2 or more: | ||
- string: /\\Mozilla\\Firefox\\profiles(\.ini)?/i | ||
- string: /\\signons\.sqlite/i | ||
- string: /\\(signons|cookies)\.sqlite/i | ||
- string: /SELECT\s+[a-z,\s]{5,}FROM moz_(logins|cookies)/i | ||
- string: /FROM moz_(logins|cookies)/i | ||
- substring: "WHERE moz_cookies.host LIKE" | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
rule: | ||
meta: | ||
name: capture packets using SharpPcap | ||
namespace: collection/network | ||
authors: | ||
- [email protected] | ||
scope: function | ||
att&ck: | ||
- Discovery::Network Sniffing [T1040] | ||
references: | ||
- https://github.com/dotpcap/sharppcap | ||
examples: | ||
- aefae71bca4bbaa2c013ddf040d797628c8d3da7346108c12735239a86fdfa71:0x6000038 | ||
features: | ||
- and: | ||
- format: dotnet | ||
- api: SharpPcap.LibPcap.PcapDevice::add_OnPacketArrival |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
rule: | ||
meta: | ||
name: create VMCI socket | ||
namespace: communication/socket | ||
authors: | ||
- [email protected] | ||
scope: basic block | ||
mbc: | ||
- Communication::Socket Communication::Create Socket [C0001.003] | ||
references: | ||
- https://www.vmware.com/products/beta/ws/VMCIsockets.pdf | ||
examples: | ||
- 9ed5660c6a442dbba9e2ba795ccc913c1f1517ce89854fe4287c1c8b36b21d52:0x180001241 | ||
features: | ||
- or: | ||
- and: | ||
- os: windows | ||
- or: | ||
- api: socket | ||
- api: DeviceIoControl | ||
- number: 0x81032068 = VMCI_SOCKETS_GET_AF_VALUE | ||
- and: | ||
- os: linux | ||
- or: | ||
- api: socket | ||
- api: ioctl | ||
- number: 0x7B8 = VMCI_SOCKETS_GET_AF_VALUE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
rule: | ||
meta: | ||
name: compiled with cx_Freeze | ||
namespace: compiler/cx_freeze | ||
authors: | ||
- "@mr-tz" | ||
- [email protected] | ||
scope: file | ||
att&ck: | ||
- Execution::Command and Scripting Interpreter::Python [T1059.006] | ||
- Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002] | ||
references: | ||
- https://github.com/marcelotduarte/cx_Freeze | ||
examples: | ||
- 573174640974b288d9d161cf4d29387cd7dbf7d80a80f5547df887f9836df8fb | ||
features: | ||
- or: | ||
- and: | ||
- os: windows | ||
- 3 or more: | ||
- string: "cx_Freeze Fatal Error" | ||
- string: "cx_Freeze: Python error in main script" | ||
- string: "cx_Freeze: Application Terminated" | ||
- string: "%ls\\lib\\library.zip;%ls\\lib" | ||
- string: "Unable to calculate directory of executable!" | ||
- string: "Unable to load python3.dll!" | ||
- string: "Unable to change DLL search path!" | ||
- string: "initializing with config file %ls" | ||
- string: "%ls --install <NAME> [<CONFIGFILE>]" | ||
- string: "exception calling session_changed method" | ||
- and: | ||
- or: | ||
- os: linux | ||
- os: macos | ||
- 3 or more: | ||
- string: "PATH environment variable not defined!" | ||
- string: "Unable to determine absolute path for executable!" | ||
- string: "Unable to convert path to string!" | ||
- string: "Unable to calculate directory of executable!" | ||
- string: "Out of memory creating sys.path!" | ||
- string: "Out of memory converting arguments!" | ||
- string: "Unable to convert argument to string!" | ||
- string: "%ls/lib/library.zip:%ls/lib" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,6 +4,7 @@ rule: | |
namespace: data-manipulation/encoding/base64 | ||
authors: | ||
- [email protected] | ||
- [email protected] | ||
scope: function | ||
att&ck: | ||
- Defense Evasion::Obfuscated Files or Information [T1027] | ||
|
@@ -12,6 +13,7 @@ rule: | |
- Data::Encode Data::Base64 [C0026.001] | ||
examples: | ||
- 9efa86b43b4367bcdc1591aee59bda25:0x10001000 | ||
- 09bf850be5da44a1c3629a1f62813a83:0x10001100 | ||
features: | ||
- and: | ||
- mnemonic: shl | ||
|
@@ -23,5 +25,12 @@ rule: | |
- number: 3 | ||
- number: 4 | ||
- number: 6 | ||
- number: 0xF | ||
- bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF = hardcoded base64 translation table (first 64 of 256 dwords) | ||
- or: | ||
- number: 0xF | ||
- number: 0x3D | ||
- number: 0x40 | ||
- or: | ||
- bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF = hardcoded base64 translation table (first 64 of 256 dwords) | ||
- bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E FF FF FF 3F 34 35 36 37 38 39 3A 3B 3C 3D FF FF FF FF FF FF FF 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 FF FF FF FF FF FF 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 FF FF FF FF FF = hardcoded base64 translation table | ||
- bytes: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 00 00 3F 00 00 00 3E 00 00 00 3E 00 00 00 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00 | ||
- string: "BBBBBBBBBB@BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB>BBB?456789:;<=BBBABBB" |
Oops, something went wrong.