set state tcp connection (#829)

* Add rule --------- Co-authored-by: Willi Ballenthin <[email protected]>
mandiant · Oct 6, 2023 · b33f95c · b33f95c
1 parent 2d615e2
commit b33f95c
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/host-interaction/network/connectivity/set-tcp-connection-state.yml b/host-interaction/network/connectivity/set-tcp-connection-state.yml
@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: set TCP connection state
+    namespace: host-interaction/network/connectivity
+    authors:
+      - "@johnk3r"
+    description: The SetTcpEntry function sets the state of a TCP connection.
+    scope: function
+    att&ck:
+      - Defense Evasion::Impair Defenses [T1562]
+    references:
+      - https://unit42.paloaltonetworks.com/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website
+      - https://github.com/magisterquis/EDRSniper/blob/master/edrsniper.c
+    examples:
+      - 883bf161937f8dc6e766b07000110254:0x403150
+  features:
+    - and:
+      - api: iphlpapi.SetTcpEntry
+      - number: 12 = MIB_TCP_STATE_DELETE_TCB