Merge branch 'master' into update-alloc-rules
mr-tz authored Oct 11, 2023
2 parents 1be6720 + 54e3a1d commit a39a2c0
Showing 85 changed files with 1,152 additions and 118 deletions.
5 changes: 3 additions & 2 deletions .github/workflows/tests.yml
@@ -42,10 +42,11 @@ jobs:
with:
repository: mandiant/capa-testfiles
path: tests/data
- name: Set up Python 3.9
# use latest available python for best performance
- name: Set up Python 3.11
uses: actions/setup-python@v4
with:
python-version: 3.9
python-version: 3.11
- name: Install capa
run: pip install -e .
# Regular lint is fast, so do this first
2 changes: 1 addition & 1 deletion README.md
@@ -1,7 +1,7 @@
# capa rules

[![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22)
[![Number of rules](https://img.shields.io/badge/rules-800-blue.svg)](rules)
[![Number of rules](https://img.shields.io/badge/rules-845-blue.svg)](rules)
[![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)

This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs.
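Review bot: the rule-count badge is maintained by hand (800 to 845 in this hunk), so it desynchronises whenever rules are added on parallel branches, which is exactly the situation of this merge; consider computing the number in CI from the rule files instead of hard-coding it in the badge URL.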
37 changes: 37 additions & 0 deletions anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -0,0 +1,37 @@
rule:
meta:
name: patch Event Tracing for Windows function
namespace: anti-analysis/anti-av
authors:
- [email protected]
scope: function
att&ck:
- Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]
mbc:
- Defense Evasion::Disable or Evade Security Tools [F0004]
references:
- https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/
- https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch/blob/main/patch-etw-x64.c
examples:
- 15835b6dd703e69d22d4ab941ccd5f6e78c3abc22ae123366da5e950eaa62e2b:0x180001D70
features:
- and:
- match: link function at runtime on Windows
- or:
- api: kernel32.VirtualProtect
- api: ntdll.NtProtectVirtualMemory # exported by only ntdll, not ntoskrnl
- api: ZwProtectVirtualMemory # exported by both ntdll and ntoskrnl
- string: "VirtualProtect"
- string: "NtProtectVirtualMemory"
- string: "ZwProtectVirtualMemory"
- or:
- string: "EventWrite"
- string: "EtwEventWrite"
- string: "EtwEventWriteFull"
- string: "TraceEvent"
- string: "NtTraceEvent"
- string: "ZwTraceEvent"
- string: "NtTraceControl"
- string: "ZwTraceControl"
- optional:
- match: write process memory
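Review bot: the rule carries no `description`, and one would help triage here: the match condition (resolve an ETW logging export by name, then change page protection via `VirtualProtect`/`NtProtectVirtualMemory`) is also what legitimate instrumentation and hooking libraries do, so a one-liner saying the rule keys on that combination rather than on patch bytes sets expectations. Also note that the trailing `optional:` block with `match: write process memory` never affects whether the rule fires; it only adds that sub-match to the report (the documented `0 or more` semantics), and a short comment would stop it being read as an extra constraint.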
@@ -0,0 +1,33 @@
rule:
meta:
name: hide thread from debugger
namespace: anti-analysis/anti-debugging/debugger-evasion
authors:
- [email protected]
- [email protected]
scope: function
att&ck:
- Defense Evasion::Debugger Evasion [T1622]
mbc:
- Anti-Behavioral Analysis::Debugger Evasion [B0002]
references:
- https://anti-debug.checkpoint.com/techniques/interactive.html#ntsetinformationthread
- https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtSetInformationThread_ThreadHideFromDebugger.cpp
- https://github.com/jaeyung1001/Anti-Debugging/blob/master/Code/NtSetInformationThread.cpp
examples:
- 26beba7352a32b803aa19e0782011a383a1df19549910e7b2f2f244e49678524:0x10001670
features:
- or:
- basic block:
- and:
- or:
- api: NtSetInformationThread
- api: ZwSetInformationThread
- number: 0x11 = ThreadHideFromDebugger
- and:
- or:
- string: "NtSetInformationThread"
- string: "ZwSetInformationThread"
- match: link function at runtime on Windows
- api: GetCurrentThread
- number: 0x11 = ThreadHideFromDebugger
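Review bot: the second `and:` branch (the dynamically resolved variant) is evaluated at function scope, so `number: 0x11` may sit anywhere in the function rather than next to the call, and 0x11 is a very common small constant; the first branch wraps the API and the constant in `basic block:`, so consider doing the same for `api: GetCurrentThread` plus the constant in the second branch, or at least adding `os: windows`, to keep the false-positive profile of the two branches comparable. The `= ThreadHideFromDebugger` annotation on 0x11 is correct (THREADINFOCLASS value 17).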
10 changes: 7 additions & 3 deletions anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -4,6 +4,7 @@ rule:
namespace: anti-analysis/anti-forensic/self-deletion
authors:
- [email protected]
- "@mr-tz"
scope: function
att&ck:
- Defense Evasion::Indicator Removal::File Deletion [T1070.004]
@@ -16,9 +17,12 @@ rule:
- or:
- match: get COMSPEC environment variable
- string: "cmd.exe"
- match: host-interaction/process/create
- string: /\/c\s*del\s*/
description: "/c del"
- match: host-interaction/process/create
- or:
- string: /\/c\s*del\s*/
description: "/c del"
- string: /del\s*\S/
description: "del \"%s\""
- optional:
- string: /\s*>\s*nul\s*/i
description: "> nul"
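Review bot: `/del\s*\S/` is broader than its description `"del \"%s\""` suggests: capa regexes are applied as a search and `\s*` can match nothing, so the pattern also hits strings such as "model", "delete" or "handled" wherever they occur. The enclosing `and:` (COMSPEC/`cmd.exe` or process creation) limits the damage, but `/\bdel\s+\S/` would express the intended `del "<path>"` shape more precisely.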
@@ -0,0 +1,25 @@
rule:
meta:
name: check for foreground window switch
namespace: anti-analysis/anti-vm/vm-detection
authors:
- [email protected]
description: Detect usage of GetForegroundWindow and Sleep APIs to check if there is any foreground window switch. Typically, sandboxes do not switch the foreground window like a user would in a normal environment.
scope: function
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012]
references:
- https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
- https://unprotect.it/technique/getforegroundwindow/
examples:
- 2855ba06b90e7c64d9bce888e47baf6d:0x4112A3
features:
- and:
- count(api(GetForegroundWindow)): 2 or more
- api: Sleep
- mnemonic: cmp
- or:
- characteristic: loop
- characteristic: tight loop
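Review bot: `mnemonic: cmp` occurs in nearly every non-trivial function, so it adds little to the match; if the intent is "compare the two `GetForegroundWindow` results", wrapping the second call and the comparison in `basic block:`, or using `count(mnemonic(cmp))`, would encode that more faithfully. The `description` could also mention that idle-detection and screen-saver style code polls `GetForegroundWindow` in the same loop-and-`Sleep` pattern, so analysts treat a hit as a sandbox-evasion indicator rather than proof.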
@@ -0,0 +1,19 @@
# generated using capa explorer for IDA Pro
rule:
meta:
name: detect VM via disk hardware WMI queries
namespace: anti-analysis/anti-vm/vm-detection
authors:
- [email protected]
scope: function
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023]
examples:
- 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
features:
- and:
- string: "Win32_DiskDrive"
- string: "Model"
- string: "Virtual"
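Review bot: no `references` and no `description`, unlike the neighbouring rules in this merge; since the match is three exact strings (`Win32_DiskDrive`, `Model`, `Virtual`), a sentence saying the rule expects the WMI class name, the property being read and the "Virtual" needle as separate strings would save the next reader from guessing. `string: "Virtual"` is an exact, case-sensitive match; if lowercase "virtual" in vendor model strings matters, `/virtual/i` would be the safer form.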
@@ -0,0 +1,19 @@
# generated using capa explorer for IDA Pro
rule:
meta:
name: detect VM via motherboard hardware WMI queries
namespace: anti-analysis/anti-vm/vm-detection
authors:
- [email protected]
scope: function
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023]
examples:
- 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
features:
- and:
- string: "Win32_BaseBoard"
- string: "Virtual"
- string: "Product"
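Review bot: this rule and the disk-drive rule above are structurally identical (class name, property name, `"Virtual"`) and cite the same example `32B3678F8C29437E9EA10EAB10194F66:0x4035e0`, so both fire on the same function; either merge them into one rule with an `or:` over the two class/property pairs, or give each a distinct example so the linter exercises them separately. The `# generated using capa explorer for IDA Pro` header explains where the three strings came from; a `description` naming the expected query (`Win32_BaseBoard` with `Product`) would complete it.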
@@ -4,24 +4,29 @@ rule:
namespace: collection/browser
authors:
- "@_re_fox"
scope: function
- [email protected]
scope: file
att&ck:
- Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
examples:
- 2fd45662e3d0ec0077ea2fa66b6378f0:0x6000039
- 54390bda109aab7fc006b8b4ead5b6c2:0x1006E8D3
features:
- and:
- or:
- string: /\\(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\User Data\\Default\\Login Data/
- string: /\\Opera Software\\Opera Stable\\Login Data/
- string: /\\+(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\+User Data\\+Default(\\+Network)?\\+(Cookies|Login Data)/i
- string: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/i
- or:
- string: /SELECT [(date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value)\s+,]+ FROM logins/i
- string: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
- string: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
- 2 or more:
- string: /date_created/i
- string: /username_element/i
- string: /username_value/i
- string: /password_element/i
- string: /origin_url/i
- string: /signon_realm/i
- string: /action_url/i
- string: /password_value/i
- substring: "date_created"
- substring: "encrypted_value"
- substring: "creation_utc"
- substring: "username_element"
- substring: "username_value"
- substring: "password_element"
- substring: "origin_url"
- substring: "signon_realm"
- substring: "action_url"
- substring: "password_value"
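Review bot: the change from `scope: function` to `scope: file` is the most consequential line in this hunk and nothing records why; at file scope the `2 or more:` block is satisfied by column-name substrings anywhere in the binary, and the `examples` entries still carry the `:0x6000039` / `:0x1006E8D3` function offsets that a file-scope rule does not use. Suggest a `description` giving the rationale (path strings and SQL living in different functions of the same sample) and dropping the offsets unless the linter needs them. Replacing the `/date_created/i` regexes with `substring:` entries also makes those checks case-sensitive, which is probably fine for SQL column names but is a behaviour change worth a note.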
4 changes: 3 additions & 1 deletion collection/browser/gather-firefox-profile-information.yml
@@ -4,16 +4,18 @@ rule:
namespace: collection/browser
authors:
- "@_re_fox"
- [email protected]
scope: function
att&ck:
- Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
examples:
- 7204e3efc2434012e13ca939db0d0b02:0x4073c0
- 54390bda109aab7fc006b8b4ead5b6c2:0x1006e58b
features:
- and:
- 2 or more:
- string: /\\Mozilla\\Firefox\\profiles(\.ini)?/i
- string: /\\signons\.sqlite/i
- string: /\\(signons|cookies)\.sqlite/i
- string: /SELECT\s+[a-z,\s]{5,}FROM moz_(logins|cookies)/i
- string: /FROM moz_(logins|cookies)/i
- substring: "WHERE moz_cookies.host LIKE"
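Review bot: with the `SELECT` prefix dropped, `/FROM moz_(logins|cookies)/i` together with `/\\(signons|cookies)\.sqlite/i` will also satisfy `2 or more:` for benign Firefox profile tooling, so a `description` is worth adding. On coverage: `signons.sqlite` is the legacy store; current Firefox keeps saved logins in `logins.json` with the key material in `key4.db`, so listing those names beside the sqlite regex would keep the rule relevant to samples that target current profiles.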
14 changes: 9 additions & 5 deletions collection/microphone/capture-microphone-audio.yml
@@ -10,8 +10,12 @@ rule:
examples:
- a70052c45e907820187c7e6bcdc7ecca:0x405B40
features:
- and:
- api: mciSendString
- string: /^open/i
- string: /waveaudio/i
- string: /^record/i
- or:
- and:
- api: mciSendString
- string: /^open/i
- string: /waveaudio/i
- string: /^record/i
- api: winmm.waveInOpen
- api: winmm.waveInAddBuffer
- api: winmm.waveInStart
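Review bot: the three `winmm.waveIn*` entries are independent alternatives in the `or:`, so a function that only calls `waveInAddBuffer` (meaningless without a prior `waveInOpen`) matches "capture microphone audio" by itself; if the intent is the waveIn capture sequence, group them under `and:` (or `2 or more:`) the way the `mciSendString` branch is grouped, and if the split is deliberate because the calls land in different functions, a comment saying so would pre-empt the question.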
17 changes: 17 additions & 0 deletions collection/network/capture-packets-using-sharppcap.yml
@@ -0,0 +1,17 @@
rule:
meta:
name: capture packets using SharpPcap
namespace: collection/network
authors:
- [email protected]
scope: function
att&ck:
- Discovery::Network Sniffing [T1040]
references:
- https://github.com/dotpcap/sharppcap
examples:
- aefae71bca4bbaa2c013ddf040d797628c8d3da7346108c12735239a86fdfa71:0x6000038
features:
- and:
- format: dotnet
- api: SharpPcap.LibPcap.PcapDevice::add_OnPacketArrival
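Review bot: the only behavioural feature is subscribing to `OnPacketArrival`, so code that drives the capture through the library's blocking or polling entry points instead of the event would be missed; if those calls (for example `StartCapture` or `GetNextPacket` on the same `PcapDevice` class) appear in the samples, adding them under an `or:` would broaden coverage while `format: dotnet` keeps the rule cheap. The rule also lacks a `description`.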
27 changes: 27 additions & 0 deletions communication/socket/create-vmci-socket.yml
@@ -0,0 +1,27 @@
rule:
meta:
name: create VMCI socket
namespace: communication/socket
authors:
- [email protected]
scope: basic block
mbc:
- Communication::Socket Communication::Create Socket [C0001.003]
references:
- https://www.vmware.com/products/beta/ws/VMCIsockets.pdf
examples:
- 9ed5660c6a442dbba9e2ba795ccc913c1f1517ce89854fe4287c1c8b36b21d52:0x180001241
features:
- or:
- and:
- os: windows
- or:
- api: socket
- api: DeviceIoControl
- number: 0x81032068 = VMCI_SOCKETS_GET_AF_VALUE
- and:
- os: linux
- or:
- api: socket
- api: ioctl
- number: 0x7B8 = VMCI_SOCKETS_GET_AF_VALUE
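Review bot: the name says "create VMCI socket", but the `or:` under each OS also accepts `DeviceIoControl`/`ioctl` paired with `VMCI_SOCKETS_GET_AF_VALUE`, which only queries the address family; the distinctive constant next to the IOCTL is the stronger signal, while `api: socket` next to the constant is the actual creation. A `description` spelling out "query the VMCI address family and/or create a socket in it" would match the features. The reference is a VMware beta PDF; citing the `vmci_sockets.h` header as well (open-vm-tools carries a copy), where the 0x81032068 and 0x7B8 values are defined, would be more durable.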
1 change: 1 addition & 0 deletions communication/socket/receive/receive-data-on-socket.yml
@@ -33,3 +33,4 @@ rule:
- api: System.Net.Sockets.Socket::EndReceive
- api: System.Net.Sockets.Socket::EndReceiveFrom
- api: System.Net.Sockets.Socket::EndReceiveMessageFrom
- api: recvmsg
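Review bot: `recvmsg` is the right addition for the POSIX side; `recvmmsg`, the Linux batch variant of the same call, belongs beside it so samples that drain a socket in bulk are not missed.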
43 changes: 43 additions & 0 deletions compiler/cx_freeze/compiled-with-cx_freeze.yml
@@ -0,0 +1,43 @@
rule:
meta:
name: compiled with cx_Freeze
namespace: compiler/cx_freeze
authors:
- "@mr-tz"
- [email protected]
scope: file
att&ck:
- Execution::Command and Scripting Interpreter::Python [T1059.006]
- Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
references:
- https://github.com/marcelotduarte/cx_Freeze
examples:
- 573174640974b288d9d161cf4d29387cd7dbf7d80a80f5547df887f9836df8fb
features:
- or:
- and:
- os: windows
- 3 or more:
- string: "cx_Freeze Fatal Error"
- string: "cx_Freeze: Python error in main script"
- string: "cx_Freeze: Application Terminated"
- string: "%ls\\lib\\library.zip;%ls\\lib"
- string: "Unable to calculate directory of executable!"
- string: "Unable to load python3.dll!"
- string: "Unable to change DLL search path!"
- string: "initializing with config file %ls"
- string: "%ls --install <NAME> [<CONFIGFILE>]"
- string: "exception calling session_changed method"
- and:
- or:
- os: linux
- os: macos
- 3 or more:
- string: "PATH environment variable not defined!"
- string: "Unable to determine absolute path for executable!"
- string: "Unable to convert path to string!"
- string: "Unable to calculate directory of executable!"
- string: "Out of memory creating sys.path!"
- string: "Out of memory converting arguments!"
- string: "Unable to convert argument to string!"
- string: "%ls/lib/library.zip:%ls/lib"
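Review bot: the linux/macos branch relies purely on `3 or more` generic error strings ("Out of memory converting arguments!" and similar could come from other launchers), while the one genuinely cx_Freeze-specific string, `"%ls/lib/library.zip:%ls/lib"`, is just one vote among eight; consider requiring that path string and `2 or more` of the rest, mirroring how the windows branch is anchored by the explicit "cx_Freeze ..." messages. The bare-hash example is correct for `scope: file`.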
@@ -4,6 +4,7 @@ rule:
namespace: data-manipulation/encoding/base64
authors:
- [email protected]
- [email protected]
scope: function
att&ck:
- Defense Evasion::Obfuscated Files or Information [T1027]
@@ -12,6 +13,7 @@ rule:
- Data::Encode Data::Base64 [C0026.001]
examples:
- 9efa86b43b4367bcdc1591aee59bda25:0x10001000
- 09bf850be5da44a1c3629a1f62813a83:0x10001100
features:
- and:
- mnemonic: shl
@@ -23,5 +25,12 @@ rule:
- number: 3
- number: 4
- number: 6
- number: 0xF
- byteshardcoded base64 translation table (first 64 of 256 dwords)
- or:
- number: 0xF
- number: 0x3D
- number: 0x40
- or:
- byteshardcoded base64 translation table (first 64 of 256 dwords)
- bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E FF FF FF 3F 34 35 36 37 38 39 3A 3B 3C 3D FF FF FF FF FF FF FF 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 FF FF FF FF FF FF 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 FF FF FF FF FF = hardcoded base64 translation table
- bytes
- string: "BBBBBBBBBB@BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB>BBB?456789:;<=BBBABBB"
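Review bot: the `bytes:` entries are truncated in this rendering (`- byteshardcoded base64 translation table ...` and the bare `- bytes`), so the table blobs themselves cannot be reviewed from this view and need checking in the rendered rule. On the logic: widening `number: 0xF` into an `or:` of 0xF / 0x3D / 0x40 is reasonable (0x3D is the '=' pad character, 0x40 the alphabet size), but each of those values is ubiquitous on its own, so the rule's discrimination now rests on the `or:` over the translation-table representations; stating that in a `description` would help. The 64-character `string:` and the FF-padded table are two encodings of the same decode mapping (0x3E at '+', 0x3F at '/', digits from 0x34), and a short comment saying they are alternative representations rather than two different tables would make the `or:` self-explanatory.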
0 comments on commit a39a2c0