Merge branch 'master' into update-alloc-rules

.github/workflows/tests.yml

@@ -42,10 +42,11 @@ jobs:
       with:
         repository: mandiant/capa-testfiles
         path: tests/data
-    - name: Set up Python 3.9
+    # use latest available python for best performance
+    - name: Set up Python 3.11
       uses: actions/setup-python@v4
       with:
-        python-version: 3.9
+        python-version: 3.11
     - name: Install capa
       run: pip install -e .
     # Regular lint is fast, so do this first

README.md

@@ -1,7 +1,7 @@
 # capa rules
 
 [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22)
-[![Number of rules](https://img.shields.io/badge/rules-800-blue.svg)](rules)
+[![Number of rules](https://img.shields.io/badge/rules-845-blue.svg)](rules)
 [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)
 
 This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs.

anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml

@@ -0,0 +1,37 @@
+rule:
+  meta:
+    name: patch Event Tracing for Windows function
+    namespace: anti-analysis/anti-av
+    authors:
+      - [email protected]
+    scope: function
+    att&ck:
+      - Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]
+    mbc:
+      - Defense Evasion::Disable or Evade Security Tools [F0004]
+    references:
+      - https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/
+      - https://github.com/Mr-Un1k0d3r/AMSI-ETW-Patch/blob/main/patch-etw-x64.c
+    examples:
+      - 15835b6dd703e69d22d4ab941ccd5f6e78c3abc22ae123366da5e950eaa62e2b:0x180001D70
+  features:
+    - and:
+      - match: link function at runtime on Windows
+      - or:
+        - api: kernel32.VirtualProtect
+        - api: ntdll.NtProtectVirtualMemory  # exported by only ntdll, not ntoskrnl
+        - api: ZwProtectVirtualMemory  # exported by both ntdll and ntoskrnl
+        - string: "VirtualProtect"
+        - string: "NtProtectVirtualMemory"
+        - string: "ZwProtectVirtualMemory"
+      - or:
+        - string: "EventWrite"
+        - string: "EtwEventWrite"
+        - string: "EtwEventWriteFull"
+        - string: "TraceEvent"
+        - string: "NtTraceEvent"
+        - string: "ZwTraceEvent"
+        - string: "NtTraceControl"
+        - string: "ZwTraceControl"
+      - optional:
+        - match: write process memory

anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml

@@ -0,0 +1,33 @@
+rule:
+  meta:
+    name: hide thread from debugger
+    namespace: anti-analysis/anti-debugging/debugger-evasion
+    authors:
+      - [email protected]
+      - [email protected]
+    scope: function
+    att&ck:
+      - Defense Evasion::Debugger Evasion [T1622]
+    mbc:
+      - Anti-Behavioral Analysis::Debugger Evasion [B0002]
+    references:
+      - https://anti-debug.checkpoint.com/techniques/interactive.html#ntsetinformationthread
+      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/NtSetInformationThread_ThreadHideFromDebugger.cpp
+      - https://github.com/jaeyung1001/Anti-Debugging/blob/master/Code/NtSetInformationThread.cpp
+    examples:
+      - 26beba7352a32b803aa19e0782011a383a1df19549910e7b2f2f244e49678524:0x10001670
+  features:
+    - or:
+      - basic block:
+        - and:
+          - or:
+            - api: NtSetInformationThread
+            - api: ZwSetInformationThread
+          - number: 0x11 = ThreadHideFromDebugger
+      - and:
+        - or:
+          - string: "NtSetInformationThread"
+          - string: "ZwSetInformationThread"
+        - match: link function at runtime on Windows
+        - api: GetCurrentThread
+        - number: 0x11 = ThreadHideFromDebugger

anti-analysis/anti-forensic/self-deletion/self-delete.yml

@@ -4,6 +4,7 @@ rule:
     namespace: anti-analysis/anti-forensic/self-deletion
     authors:
       - [email protected]
+      - "@mr-tz"
     scope: function
     att&ck:
       - Defense Evasion::Indicator Removal::File Deletion [T1070.004]
@@ -16,9 +17,12 @@ rule:
       - or:
         - match: get COMSPEC environment variable
         - string: "cmd.exe"
-      - match: host-interaction/process/create
-      - string: /\/c\s*del\s*/
-        description: "/c del"
+        - match: host-interaction/process/create
+      - or:
+        - string: /\/c\s*del\s*/
+          description: "/c del"
+        - string: /del\s*\S/
+          description: "del \"%s\""
       - optional:
         - string: /\s*>\s*nul\s*/i
           description: "> nul"

anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml

@@ -0,0 +1,25 @@
+rule:
+  meta:
+    name: check for foreground window switch
+    namespace: anti-analysis/anti-vm/vm-detection
+    authors:
+      - [email protected]
+    description: Detect usage of GetForegroundWindow and Sleep APIs to check if there is any foreground window switch. Typically, sandboxes do not switch the foreground window like a user would in a normal environment.
+    scope: function
+    att&ck:
+      - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
+    mbc:
+      - Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012]
+    references:
+      - https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
+      - https://unprotect.it/technique/getforegroundwindow/
+    examples:
+      - 2855ba06b90e7c64d9bce888e47baf6d:0x4112A3
+  features:
+    - and:
+      - count(api(GetForegroundWindow)): 2 or more
+      - api: Sleep
+      - mnemonic: cmp
+      - or:
+        - characteristic: loop
+        - characteristic: tight loop

anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml

@@ -0,0 +1,19 @@
+# generated using capa explorer for IDA Pro
+rule:
+  meta:
+    name: detect VM via disk hardware WMI queries
+    namespace: anti-analysis/anti-vm/vm-detection
+    authors:
+      - [email protected]
+    scope: function
+    att&ck:
+      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
+    mbc:
+      - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023]
+    examples:
+      - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
+  features:
+    - and:
+      - string: "Win32_DiskDrive"
+      - string: "Model"
+      - string: "Virtual"

anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml

@@ -0,0 +1,19 @@
+# generated using capa explorer for IDA Pro
+rule:
+  meta:
+    name: detect VM via motherboard hardware WMI queries
+    namespace: anti-analysis/anti-vm/vm-detection
+    authors:
+      - [email protected]
+    scope: function
+    att&ck:
+      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
+    mbc:
+      - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023]
+    examples:
+      - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
+  features:
+    - and:
+      - string: "Win32_BaseBoard"
+      - string: "Virtual"
+      - string: "Product"

collection/browser/gather-chrome-based-browser-login-information.yml

@@ -4,24 +4,29 @@ rule:
     namespace: collection/browser
     authors:
       - "@_re_fox"
-    scope: function
+      - [email protected]
+    scope: file
     att&ck:
       - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
     examples:
       - 2fd45662e3d0ec0077ea2fa66b6378f0:0x6000039
+      - 54390bda109aab7fc006b8b4ead5b6c2:0x1006E8D3
   features:
     - and:
       - or:
-        - string: /\\(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\User Data\\Default\\Login Data/
-        - string: /\\Opera Software\\Opera Stable\\Login Data/
+        - string: /\\+(Edge|Chrome|Chromium|Brave\-Browser|YandexBrowser|Kometa|Orbitum|Dragon|Torch|Amigo)\\+User Data\\+Default(\\+Network)?\\+(Cookies|Login Data)/i
+        - string: /\\Opera Software\\Opera Stable\\(Login Data|Cookies)/i
       - or:
-        - string: /SELECT [(date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value)\s+,]+ FROM logins/i
+        - string: /SELECT ((date_created|username_element|password_element|origin_url|signon_realm|action_url|username_value|password_value),?\s?)+ FROM logins/i
+        - string: /SELECT ((creation_utc|encrypted_value),?\s?)+ FROM cookies/i
         - 2 or more:
-          - string: /date_created/i
-          - string: /username_element/i
-          - string: /username_value/i
-          - string: /password_element/i
-          - string: /origin_url/i
-          - string: /signon_realm/i
-          - string: /action_url/i
-          - string: /password_value/i
+          - substring: "date_created"
+          - substring: "encrypted_value"
+          - substring: "creation_utc"
+          - substring: "username_element"
+          - substring: "username_value"
+          - substring: "password_element"
+          - substring: "origin_url"
+          - substring: "signon_realm"
+          - substring: "action_url"
+          - substring: "password_value"

collection/browser/gather-firefox-profile-information.yml

@@ -4,16 +4,18 @@ rule:
     namespace: collection/browser
     authors:
       - "@_re_fox"
+      - [email protected]
     scope: function
     att&ck:
       - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
     examples:
       - 7204e3efc2434012e13ca939db0d0b02:0x4073c0
+      - 54390bda109aab7fc006b8b4ead5b6c2:0x1006e58b
   features:
     - and:
       - 2 or more:
         - string: /\\Mozilla\\Firefox\\profiles(\.ini)?/i
-        - string: /\\signons\.sqlite/i
+        - string: /\\(signons|cookies)\.sqlite/i
         - string: /SELECT\s+[a-z,\s]{5,}FROM moz_(logins|cookies)/i
         - string: /FROM moz_(logins|cookies)/i
         - substring: "WHERE moz_cookies.host LIKE"

collection/microphone/capture-microphone-audio.yml

@@ -10,8 +10,12 @@ rule:
     examples:
       - a70052c45e907820187c7e6bcdc7ecca:0x405B40
   features:
-    - and:
-      - api: mciSendString
-      - string: /^open/i
-      - string: /waveaudio/i
-      - string: /^record/i
+    - or:
+      - and:
+        - api: mciSendString
+        - string: /^open/i
+        - string: /waveaudio/i
+        - string: /^record/i
+      - api: winmm.waveInOpen
+      - api: winmm.waveInAddBuffer
+      - api: winmm.waveInStart

collection/network/capture-packets-using-sharppcap.yml

@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: capture packets using SharpPcap
+    namespace: collection/network
+    authors:
+      - [email protected]
+    scope: function
+    att&ck:
+      - Discovery::Network Sniffing [T1040]
+    references:
+      - https://github.com/dotpcap/sharppcap
+    examples:
+      - aefae71bca4bbaa2c013ddf040d797628c8d3da7346108c12735239a86fdfa71:0x6000038
+  features:
+    - and:
+      - format: dotnet
+      - api: SharpPcap.LibPcap.PcapDevice::add_OnPacketArrival

communication/socket/create-vmci-socket.yml

@@ -0,0 +1,27 @@
+rule:
+  meta:
+    name: create VMCI socket
+    namespace: communication/socket
+    authors:
+      - [email protected]
+    scope: basic block
+    mbc:
+      - Communication::Socket Communication::Create Socket [C0001.003]
+    references:
+      - https://www.vmware.com/products/beta/ws/VMCIsockets.pdf
+    examples:
+      - 9ed5660c6a442dbba9e2ba795ccc913c1f1517ce89854fe4287c1c8b36b21d52:0x180001241
+  features:
+    - or:
+      - and:
+        - os: windows
+        - or:
+          - api: socket
+          - api: DeviceIoControl
+        - number: 0x81032068 = VMCI_SOCKETS_GET_AF_VALUE
+      - and:
+        - os: linux
+        - or:
+          - api: socket
+          - api: ioctl
+        - number: 0x7B8 = VMCI_SOCKETS_GET_AF_VALUE

communication/socket/receive/receive-data-on-socket.yml

@@ -33,3 +33,4 @@ rule:
       - api: System.Net.Sockets.Socket::EndReceive
       - api: System.Net.Sockets.Socket::EndReceiveFrom
       - api: System.Net.Sockets.Socket::EndReceiveMessageFrom
+      - api: recvmsg

compiler/cx_freeze/compiled-with-cx_freeze.yml

@@ -0,0 +1,43 @@
+rule:
+  meta:
+    name: compiled with cx_Freeze
+    namespace: compiler/cx_freeze
+    authors:
+      - "@mr-tz"
+      - [email protected]
+    scope: file
+    att&ck:
+      - Execution::Command and Scripting Interpreter::Python [T1059.006]
+      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]
+    references:
+      - https://github.com/marcelotduarte/cx_Freeze
+    examples:
+      - 573174640974b288d9d161cf4d29387cd7dbf7d80a80f5547df887f9836df8fb
+  features:
+    - or:
+      - and:
+        - os: windows
+        - 3 or more:
+          - string: "cx_Freeze Fatal Error"
+          - string: "cx_Freeze: Python error in main script"
+          - string: "cx_Freeze: Application Terminated"
+          - string: "%ls\\lib\\library.zip;%ls\\lib"
+          - string: "Unable to calculate directory of executable!"
+          - string: "Unable to load python3.dll!"
+          - string: "Unable to change DLL search path!"
+          - string: "initializing with config file %ls"
+          - string: "%ls --install <NAME> [<CONFIGFILE>]"
+          - string: "exception calling session_changed method"
+      - and:
+        - or:
+          - os: linux
+          - os: macos
+        - 3 or more:
+          - string: "PATH environment variable not defined!"
+          - string: "Unable to determine absolute path for executable!"
+          - string: "Unable to convert path to string!"
+          - string: "Unable to calculate directory of executable!"
+          - string: "Out of memory creating sys.path!"
+          - string: "Out of memory converting arguments!"
+          - string: "Unable to convert argument to string!"
+          - string: "%ls/lib/library.zip:%ls/lib"

data-manipulation/encoding/base64/decode-data-using-base64-via-dword-translation-table.yml

@@ -4,6 +4,7 @@ rule:
     namespace: data-manipulation/encoding/base64
     authors:
       - [email protected]
+      - [email protected]
     scope: function
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
@@ -12,6 +13,7 @@ rule:
       - Data::Encode Data::Base64 [C0026.001]
     examples:
       - 9efa86b43b4367bcdc1591aee59bda25:0x10001000
+      - 09bf850be5da44a1c3629a1f62813a83:0x10001100
   features:
     - and:
       - mnemonic: shl
@@ -23,5 +25,12 @@ rule:
       - number: 3
       - number: 4
       - number: 6
-      - number: 0xF
-      - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF = hardcoded base64 translation table (first 64 of 256 dwords)
+      - or:
+        - number: 0xF
+        - number: 0x3D
+        - number: 0x40
+      - or:
+        - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF = hardcoded base64 translation table (first 64 of 256 dwords)
+        - bytes: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 3E FF FF FF 3F 34 35 36 37 38 39 3A 3B 3C 3D FF FF FF FF FF FF FF 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 FF FF FF FF FF FF 1A 1B 1C 1D 1E 1F 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33 FF FF FF FF FF = hardcoded base64 translation table
+        - bytes: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3E 00 00 00 3F 00 00 00 3E 00 00 00 3E 00 00 00 3F 00 00 00 34 00 00 00 35 00 00 00 36 00 00 00 37 00 00 00 38 00 00 00 39 00 00 00 3A 00 00 00 3B 00 00 00 3C 00 00 00 3D 00 00 00
+        - string: "BBBBBBBBBB@BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB>BBB?456789:;<=BBBABBB"