From 993785dae51b687ec24c51d1350ac0658e68b22d Mon Sep 17 00:00:00 2001
From: Still / Azaka
Date: Fri, 15 Nov 2024 18:12:01 +0800
Subject: [PATCH] Add rules for various stealer techniques (#960)
* Add rules for various stealer techniques
Signed-off-by: Still Hsu
* Add bytes and replace string with substring
Signed-off-by: Still Hsu
* Fix scope for get-steam-token
Signed-off-by: Still Hsu
* Add Microsoft Edge in IID/CLSID detection & rename rule to broaden scope of the target
Signed-off-by: Still Hsu
* Remove bytes representation of the string as substring supercedes it
Signed-off-by: Still Hsu
* Replace string with substring for Steam token rule
Signed-off-by: Still Hsu
---------
Signed-off-by: Still Hsu
---
.../browser/get-chrome-cookiemonster.yml | 25 ++++++++++
...on-service-for-chromium-based-browsers.yml | 50 +++++++++++++++++++
collection/get-steam-token.yml | 16 ++++++
3 files changed, 91 insertions(+)
create mode 100644 collection/browser/get-chrome-cookiemonster.yml
create mode 100644 collection/browser/get-elevation-service-for-chromium-based-browsers.yml
create mode 100644 collection/get-steam-token.yml
diff --git a/collection/browser/get-chrome-cookiemonster.yml b/collection/browser/get-chrome-cookiemonster.yml
new file mode 100644
index 00000000..b7d6153e
--- /dev/null
+++ b/collection/browser/get-chrome-cookiemonster.yml
@@ -0,0 +1,25 @@
+rule:
+ meta:
+ name: get Chrome CookieMonster
+ namespace: collection/browser
+ authors:
+ - still@teamt5.org
+ description: finds sections related to Chrome's CookieMonster component, typically used in conjunction with code that dumps cookies from Chromium-based browsers
+ scopes:
+ static: file
+ dynamic: process
+ att&ck:
+ - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
+ references:
+ - https://github.com/Meckazin/ChromeKatz/blob/main/CookieKatz-BOF/CookieKatzBOF.cpp
+ examples:
+ - 79f5cabff898d60cd614e7254d409d9c2e05184416e5c54201e2dc216998d28b:0x117D
+ features:
+ - and:
+ - substring: "network.mojom.NetworkService" # process with CookieMonster
+ - or:
+ - substring: "chrome.dll"
+ - substring: "chrome.exe"
+ - substring: "msedge.exe"
+ - substring: "msedgewebview2.exe"
+ - substring: "msedge.dll"
diff --git a/collection/browser/get-elevation-service-for-chromium-based-browsers.yml b/collection/browser/get-elevation-service-for-chromium-based-browsers.yml
new file mode 100644
index 00000000..58b7da06
--- /dev/null
+++ b/collection/browser/get-elevation-service-for-chromium-based-browsers.yml
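Review bot: At `static: file` scope the `and` of `network.mojom.NetworkService` with a browser binary name is presumably also satisfied by the Chromium and Edge binaries themselves (chrome.dll, msedge.dll) and by their updaters, since those carry both strings, so legitimate browser files are expected hits alongside cookie dumpers; the description should say so, e.g. `description: ... (the browsers' own binaries and updaters also carry these strings and are expected to match)`. The `# process with CookieMonster` comment explains why the mojo interface name stands in for CookieMonster, but the description still promises sections "related to Chrome's CookieMonster component" while no CookieMonster string is matched — consider `finds references to Chromium's network service process, which hosts CookieMonster, next to a browser binary name`. The example `...:0x117D` carries an address although the rule is file-scoped; if the project's linter expects a bare hash for file-scope examples, drop the suffix.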
@@ -0,0 +1,50 @@
+rule:
+ meta:
+ name: get elevation service for Chromium-based browsers
+ namespace: collection/browser
+ authors:
+ - still@teamt5.org
+ description: finds strings/identifiers related to Chrome Elevation Service, typically used in conjunction with retrieving App-bound Encryption related key
+ scopes:
+ static: function
+ dynamic: unsupported # requires bytes features
+ att&ck:
+ - Credential Access::Exploitation for Credential Access [T1212]
+ - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
+ references:
+ - https://gist.github.com/snovvcrash/caded55a318bbefcb6cc9ee30e82f824
+ - https://chromium.googlesource.com/chromium/src/+/HEAD/chrome/install_static/install_util_unittest.cc
+ examples:
+ - fb690a23b66d4f90dac83f1b4d6dec0074aff68d6ef62c2613120bd4d17cfbdd:0x14006E8C0
+ features:
+ - and:
+ - optional:
+ - string: "APPB"
+ description: prefix for App-bound Encryption encrypted credentials
+ - or:
+ - 2 or more:
+ - bytes: CF BE 3A 46 0D 41 7F 40 8A F5 0D F3 5A 00 5C C8 = IID for Google Chrome
+ - bytes: E0 60 88 70 41 F6 11 46 88 95 7D 86 7D D3 67 5B = CLSID for Google Chrome
+ - substring: "{708860E0-F641-4611-8895-7D867DD3675B}"
+ description: CLSID for Google Chrome
+ - 2 or more:
+ - bytes: 66 1D 72 A2 6E 37 2F 4D 9F 0F 90 70 E9 A4 2B 5F = IID for Google Chrome Beta
+ - bytes: BA 46 26 DD 07 37 F8 4B B9 A7 03 86 91 A6 8F C2 = CLSID for Google Chrome Beta
+ - substring: "{DD2646BA-3707-4BF8-B9A7-038691A68FC2}"
+ description: CLSID for Google Chrome Beta
+ - 2 or more:
+ - bytes: 6B A2 2A BB 3A 34 72 40 8B 6F 80 55 7B 8C E5 71 = IID for Google Chrome Dev
+ - bytes: A5 DC 7F DA AA 2C 37 46 AA 17 07 40 58 4D E7 DA = CLSID for Google Chrome Dev
+ - substring: "{DA7FDCA5-2CAA-4637-AA17-0740584DE7DA}"
+ description: CLSID for Google Chrome Dev
+ - 2 or more:
+ - bytes: 41 E0 7C 4F E9 28 4F 48 9D D0 61 A8 CA CE FE E4 = IID for Google Chrome Canary
+ - bytes: 72 28 4C 70 49 20 5E 43 A4 69 0A 53 43 13 C4 2B = CLSID for Google Chrome Canary
+ - substring: "{704C2872-2049-435E-A469-0A534313C42B}"
+ description: CLSID for Google Chrome Canary
+ - 2 or more:
+ # untested
+ - bytes: 07 B8 C2 C9 31 77 34 4F 81 B7 44 FF 77 79 52 2B = IID for Microsoft Edge
+ - bytes: 6C E9 CB 1F 97 16 AF 43 91 40 28 97 C7 C6 97 67 = CLSID for Microsoft Edge
+ - substring: "{1FCBE96C-1697-43AF-9140-2897C7C69767}"
+ description: CLSID for Microsoft Edge
diff --git a/collection/get-steam-token.yml b/collection/get-steam-token.yml
new file mode 100644
index 00000000..14f60ea2
--- /dev/null
+++ b/collection/get-steam-token.yml
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: get Steam token
+ namespace: collection
+ authors:
+ - still@teamt5.org
+ description: locates references to Steam authentication token via the beginning of a Steam bearer token
+ scopes:
+ static: function
+ dynamic: unsupported # requires bytes feature
+ examples:
+ - 2c83f152e09d0abaa3a3784669e75276784e50e1e202d16ab27e5741eef9ab4f:0x0041718C
+ features:
+ - or:
+ - substring: "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A"
+ - substring: "eyAidHlwIjogIkpXVCIsICJ"
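Review bot: The Microsoft Edge `2 or more` block is flagged only by an inline `# untested` comment and has no entry under `examples:`, so the rule ships a branch nobody has exercised and the flag is easy to lose on the next edit; either add an Edge sample to `examples:` or carry the caveat in the description, e.g. `description: ... (Edge IID/CLSID bytes untested, no example yet)`. The `optional:` `string: "APPB"` under `and` never decides whether the rule matches — it only annotates the output — which is fine but deserves a comment such as `# APPB only annotates a match; the IID/CLSID pairs below decide it`. Each `bytes:` IID line is described only as `IID for Google Chrome`, whereas the CLSID lines can be checked against the braced string beside them; naming the interface the IIDs belong to (presumably IElevator — confirm against the elevation service IDL) would let a reader verify them the same way. Since the cited install_util_unittest.cc and the browsers' own updater carry the same identifiers, the Chromium/Edge binaries and updaters themselves will presumably match at function scope, and a one-line note in the description would save triage time.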
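Review bot: The comment on `dynamic: unsupported # requires bytes feature` is stale — after this commit the rule holds only two `substring` features, so the stated reason no longer applies; either drop the comment and reconsider `dynamic: process`, or write the actual reason. The second substring `eyAidHlwIjogIkpXVCIsICJ` is base64 for `{ "typ": "JWT", "`, a JWT header serialized with spaces, so the match keys on that formatting rather than on anything Steam-specific and may fire on other software that emits or parses JWTs formatted the same way; the description should say so, e.g. `description: locates the base64 prefix of a Steam bearer token (a JWT header serialized as { "typ": "JWT", " ); other JWT producers using the same spacing also match`. The first substring is the same prefix spelled as space-separated ASCII hex and only matches samples that embed the token in that textual form; a comment such as `# hex-text spelling of the same base64 prefix` would document why both are listed. The rule also lacks the `references:` and `att&ck:` blocks that the sibling browser rules carry; adding a Credential Access mapping and a pointer to the Steam token format would keep it consistent with them.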