From b1f39a3a29261f94de03db28282501e0bd864f87 Mon Sep 17 00:00:00 2001
From: rxrd
Date: Tue, 5 Sep 2023 06:12:58 -0700
Subject: [PATCH 1/7] RC4 encryption via Advapi32.SystemFunction032
---
 ...t-data-using-rc4-via-systemfunction032.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 nursery/encrypt-data-using-rc4-via-systemfunction032.yml
diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
new file mode 100644
index 000000000..c5ed00e35
--- /dev/null
+++ b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -0,0 +1,23 @@
+rule:
+ meta:
+ name: encrypt data using RC4 via WinAPI SystemFunctionXXX Procedures
+ namespace: data-manipulation/encryption/rc4
+ authors:
+ - richard.weiss@mandiant.com
+ scope: function
+ att&ck:
+ - Defense Evasion::Obfuscated Files or Information [T1027]
+ mbc:
+ - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
+ - Cryptography::Encrypt Data::RC4 [C0027.009]
+ references:
+ - https://doxygen.reactos.org/df/d13/sysfunc_8c_source.html
+ - https://blog.gentilkiwi.com/tag/systemfunction032
+ features:
+ - or:
+ - api: SystemFunction032
+ - optional:
+ - and:
+ - string: Advapi32.dll
+ - string: SystemFunction032
+ description: Procedure Address resolved at runtime
From 91351deb0b9b0207e51f14af98752af526c43a1c Mon Sep 17 00:00:00 2001
From: rxrd
Date: Tue, 5 Sep 2023 06:54:49 -0700
Subject: [PATCH 2/7] rule name and a few rule conventions
---
 ...crypt-data-using-rc4-via-systemfunction032.yml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
index c5ed00e35..c10be918a 100644
--- a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
+++ b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: encrypt data using RC4 via WinAPI SystemFunctionXXX Procedures
+ name: encrypt data using RC4 via SystemFunction032
 namespace: data-manipulation/encryption/rc4
 authors:
 - richard.weiss@mandiant.com
@@ -14,10 +14,9 @@ rule:
 - https://doxygen.reactos.org/df/d13/sysfunc_8c_source.html
 - https://blog.gentilkiwi.com/tag/systemfunction032
 features:
- - or:
- - api: SystemFunction032
- - optional:
- - and:
- - string: Advapi32.dll
- - string: SystemFunction032
- description: Procedure Address resolved at runtime
+ - or:
+ - api: SystemFunction032
+ - and:
+ - string: "Advapi32.dll"
+ - string: "SystemFunction032"
+ description: Procedure Address resolved at runtime
From 3671acbb61c808e97841e10fccffb41edf5a6d67 Mon Sep 17 00:00:00 2001
From: Richard <9610284+richardweiss80@users.noreply.github.com>
Date: Tue, 5 Sep 2023 23:25:05 -0700
Subject: [PATCH 3/7] added example hash and changed rule content of the strings part
---
 nursery/encrypt-data-using-rc4-via-systemfunction032.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
index c10be918a..01863d20d 100644
--- a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
+++ b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -13,10 +13,14 @@ rule:
 references:
 - https://doxygen.reactos.org/df/d13/sysfunc_8c_source.html
 - https://blog.gentilkiwi.com/tag/systemfunction032
+ examples:
+ - 1F31917FFF1E43B0BBC72576906B0746A88F978084FADA49312900B5241A9FC8:0x14009E058 # SystemFunction032
 features:
 - or:
 - api: SystemFunction032
 - and:
- - string: "Advapi32.dll"
+ - or:
+ - substring: "Advapi32"
+ - substring: "cryptsp"
 - string: "SystemFunction032"
 description: Procedure Address resolved at runtime
From 90ed870a1ad2a10860219d1b9da71defd4cbbd25 Mon Sep 17 00:00:00 2001
From: Richard <9610284+richardweiss80@users.noreply.github.com>
Date: Sun, 10 Sep 2023 20:59:14 -0700
Subject: [PATCH 4/7] changed example of capa rule SystemFunction032
---
 nursery/encrypt-data-using-rc4-via-systemfunction032.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
index 01863d20d..25a4e0c0d 100644
--- a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
+++ b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -14,7 +14,7 @@ rule:
 - https://doxygen.reactos.org/df/d13/sysfunc_8c_source.html
 - https://blog.gentilkiwi.com/tag/systemfunction032
 examples:
- - 1F31917FFF1E43B0BBC72576906B0746A88F978084FADA49312900B5241A9FC8:0x14009E058 # SystemFunction032
+ - 3BBDF04C25FCD9876733EAA9163B3ED64D81396E7414619758D9376EDF4C103E:0x1000976C # SystemFunction032
 features:
 - or:
 - api: SystemFunction032
From bc8d5b7d4aa67a9f8d9c19dfc90dbc2a82d63116 Mon Sep 17 00:00:00 2001
From: Richard <9610284+richardweiss80@users.noreply.github.com>
Date: Thu, 14 Sep 2023 04:36:10 -0700
Subject: [PATCH 5/7] recommended changes added and tested
---
 nursery/encrypt-data-using-rc4-via-systemfunction032.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
index 25a4e0c0d..075bbbc28 100644
--- a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
+++ b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -14,13 +14,12 @@ rule:
 - https://doxygen.reactos.org/df/d13/sysfunc_8c_source.html
 - https://blog.gentilkiwi.com/tag/systemfunction032
 examples:
- - 3BBDF04C25FCD9876733EAA9163B3ED64D81396E7414619758D9376EDF4C103E:0x1000976C # SystemFunction032
+ - 3BBDF04C25FCD9876733EAA9163B3ED64D81396E7414619758D9376EDF4C103E:0x1000976C # api match
 features:
 - or:
 - api: SystemFunction032
 - and:
 - or:
- - substring: "Advapi32"
- - substring: "cryptsp"
+ - string: /advapi32/i
+ - string: /cryptsp/i
 - string: "SystemFunction032"
- description: Procedure Address resolved at runtime
From 55f5496a4a4d638453b8852e1df3728d87021d53 Mon Sep 17 00:00:00 2001
From: Richard <9610284+richardweiss80@users.noreply.github.com>
Date: Fri, 15 Sep 2023 04:46:24 -0700
Subject: [PATCH 6/7] added match of prior matching rule 'link function at runtime on Windows' and rearranged the features section
---
 nursery/encrypt-data-using-rc4-via-systemfunction032.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
index 075bbbc28..de987f869 100644
--- a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
+++ b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -19,7 +19,8 @@ rule:
 - or:
 - api: SystemFunction032
 - and:
+ - match: link function at runtime on Windows
+ - string: "SystemFunction032"
 - or:
 - string: /advapi32/i
 - string: /cryptsp/i
- - string: "SystemFunction032"
From b35f41d78fcb36fe97e5f73bafbc7beb55de7fa1 Mon Sep 17 00:00:00 2001
From: Richard Weiss
Date: Mon, 9 Oct 2023 11:19:36 -0700
Subject: [PATCH 7/7] Using optional instead of or
---
 nursery/encrypt-data-using-rc4-via-systemfunction032.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
index de987f869..ffa79dd05 100644
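Review bot: The only example is now annotated `# api match`, which makes explicit that the `and:` branch (the string-based, dynamically-resolved path, and the part of this rule most likely to over- or under-match) is exercised by no example at all; as far as I know capa's rule tests only validate the addresses listed under `examples:`, so that branch is effectively untested. A second entry such as `- <sha256-of-test-sample>:<function-va>  # string match`, pointing at a function in a sample already present in the capa test-files repository that looks `SystemFunction032` up by name instead of importing it, would cover it. The same gap remains after the `and:` block is rewritten in patches 6 and 7. Dropping `description: Procedure Address resolved at runtime` also leaves the `and:` block with no stated intent in this revision; the next patch's `match:` line partly compensates, but a one-line `description:` on the block would still help readers of the rendered match output.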
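Review bot: The new `match: link function at runtime on Windows` line makes this `and:` depend on a rule whose scope the hunk cannot show; in capa a `match:` feature is satisfied only where the named rule has already matched at the same or a contained scope, so if that rule is not evaluated at (or below) function scope, the whole `and:` branch can never fire and only the `api:` branch of the `or:` remains live. Worth confirming against the rule set, and pinning the intent with a sibling entry such as `- description: the strings must sit in a function that resolves imports dynamically, not merely be present in the binary`, so a later reader understands why the dependency is there. The enclosing `features:` block starts above this hunk.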
--- a/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
+++ b/nursery/encrypt-data-using-rc4-via-systemfunction032.yml
@@ -21,6 +21,6 @@ rule:
 - and:
 - match: link function at runtime on Windows
 - string: "SystemFunction032"
- - or:
+ - optional:
 - string: /advapi32/i
 - string: /cryptsp/i
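Review bot: Changing `or:` to `optional:` alters what the `and:` block requires, not just how it reads: an `optional:` node always evaluates true, so the DLL-name regexes no longer gate the match and the branch now fires on `match: link function at runtime on Windows` plus the literal `SystemFunction032` alone. That widening may well be intended (the module name can legitimately be absent or built elsewhere), but the commit message does not say so and the two regex lines now only enrich the reported output. If intended, a short `- description: DLL name is informational; the match is gated by the dynamic-resolution rule and the export name` next to the `optional:` would record the decision; if not, `or:` was the stricter choice.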