Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Additional rules to support capa-scripts. #603

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Additional rules to support capa-scripts. #603

wants to merge 2 commits into from

Conversation

adamstorek
Copy link

I noticed that the current .NET rules missed a lot of functionality/API calls that the aspx test malware includes. I therefore modified the currently available rules and created new ones to fully leverage the capa-scripts extraction capabilities.

mike-hunhoff
mike-hunhoff requested changes Aug 5, 2022
View reviewed changes
Copy link
Collaborator

@mike-hunhoff mike-hunhoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great, thank you! I've left comments and suggestions for your review 🚀. I'm adding a "do not merge" tag for now as we won't be able to merge these rules until after the v4.0.0 release.

collection/database/sql/execute-sql-commands.yml
Comment on lines +14 to +17
- api: "System.Data.SqlClient.SqlConnection"
- api: "System.Data.SqlClient.SqlConnection::Open"
- api: "System.Data.SqlClient.SqlCommand"
- api: "System.Data.SqlClient.SqlCommand::ExecuteReader"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've got questions here we can address offline.

collection/database/sql/execute-sql-commands.yml
- 6f3261eaaabf369bd928d179641b73ffd768184dfd4e00124da462a3075d4239.aspx_
features:
- and:
- api: "System.Data.SqlClient.SqlConnection"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- api: "System.Data.SqlClient.SqlConnection"
- api: System.Data.SqlClient.SqlConnection

collection/database/sql/execute-sql-commands.yml
features:
- and:
- api: "System.Data.SqlClient.SqlConnection"
- api: "System.Data.SqlClient.SqlConnection::Open"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- api: "System.Data.SqlClient.SqlConnection::Open"
- api: System.Data.SqlClient.SqlConnection::Open

collection/database/sql/execute-sql-commands.yml
- and:
- api: "System.Data.SqlClient.SqlConnection"
- api: "System.Data.SqlClient.SqlConnection::Open"
- api: "System.Data.SqlClient.SqlCommand"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- api: "System.Data.SqlClient.SqlCommand"
- api: System.Data.SqlClient.SqlCommand

collection/database/sql/execute-sql-commands.yml
- api: "System.Data.SqlClient.SqlConnection"
- api: "System.Data.SqlClient.SqlConnection::Open"
- api: "System.Data.SqlClient.SqlCommand"
- api: "System.Data.SqlClient.SqlCommand::ExecuteReader"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- api: "System.Data.SqlClient.SqlCommand::ExecuteReader"
- api: System.Data.SqlClient.SqlCommand::ExecuteReader

nursery/encrypt-data-using-rsa.yml
- Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
- Cryptography::Encrypt Data::RSA [C0027.011]
examples:
- d460cae7d34c51059ef57c5aadb3de099469efbac5fffcf76d0528a511192a28.aspx_
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can move this out of the nursery if we have a solid example.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

leads to the question if we expect a test case for binary and script and ...?!

host-interaction/process/create/create-process-on-windows.yml
- and:
- api: System.Diagnostics.Process
- property: System.Diagnostics.Process.StartInfo::FileName
- api: System.Diagnostics.Process::Start
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to add empty line at end of rule - be sure to run the rule linter to ensure formatting is correct.

data-manipulation/hashing/sha1/hash-data-using-sha1.yml
@@ -22,3 +23,7 @@ rule:
- and:
- number: 0x8004 = CALG_SHA1
- api: advapi32.CryptCreateHash
- or:
- api: "System.Security.Cryptography.SHA1"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- api: "System.Security.Cryptography.SHA1"
- api: System.Security.Cryptography.SHA1

data-manipulation/hashing/sha1/hash-data-using-sha1.yml
@@ -22,3 +23,7 @@ rule:
- and:
- number: 0x8004 = CALG_SHA1
- api: advapi32.CryptCreateHash
- or:
- api: "System.Security.Cryptography.SHA1"
- api: "System.Security.Cryptography.SHA1CryptoServiceProvider"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- api: "System.Security.Cryptography.SHA1CryptoServiceProvider"
- api: System.Security.Cryptography.SHA1CryptoServiceProvider

data-manipulation/hashing/sha1/hash-data-using-sha1.yml
- or:
- api: "System.Security.Cryptography.SHA1"
- api: "System.Security.Cryptography.SHA1CryptoServiceProvider"
- api: "System.Security.Cryptography.SHA1CryptoServiceProvider.ComputeHash"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- api: "System.Security.Cryptography.SHA1CryptoServiceProvider.ComputeHash"
- api: System.Security.Cryptography.SHA1CryptoServiceProvider.ComputeHash

@mike-hunhoff mike-hunhoff added the dont merge Indicate a PR that is still being worked on label Aug 5, 2022
mr-tz
mr-tz requested changes Aug 8, 2022
View reviewed changes
Copy link
Collaborator

@mr-tz mr-tz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great, please see my comments for further improvements

c2/shell/create-reverse-shell.yml
Comment on lines +36 to +40
- and:
- match: create process on Windows
- or:
- substring: "cmd.exe"
- substring: "powershell.exe"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this sufficient to identify a reverse shell?

data-manipulation/encryption/aes/decrypt-data-using-aes.yml
@@ -0,0 +1,23 @@
rule:
meta:
name: decrypt data using AES
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
name: decrypt data using AES
name: decrypt data using AES via .NET

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to be consistent with following rule

data-manipulation/hashing/md5/hash-data-with-md5.yml
@@ -32,6 +32,5 @@ rule:
- number: 0x8003 = CALG_MD5
- api: advapi32.CryptCreateHash
- and:
- format: dotnet
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

need to find a good solution for this, see mandiant/capa#1106 (reply in thread) and #601

load-code/powershell/run-powershell-expression.yml
scope: function
att&ck:
- Execution::Command and Scripting Interpreter::PowerShell [T1059.001]
examples:
- 692f7fd6d198e804d6af98eb9e390d61:0x6000004
- 4f6fa6a45017397c7e1c9cd5a17235ccb1ff0f5087dfa6b7384552bf507e7fe1.aspx_
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so cool, that this just works :)

nursery/encrypt-data-using-rsa.yml
- Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
- Cryptography::Encrypt Data::RSA [C0027.011]
examples:
- d460cae7d34c51059ef57c5aadb3de099469efbac5fffcf76d0528a511192a28.aspx_
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

leads to the question if we expect a test case for binary and script and ...?!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mike-hunhoff mike-hunhoff mike-hunhoff requested changes

@mr-tz mr-tz mr-tz requested changes

Assignees
No one assigned
Labels
dont merge Indicate a PR that is still being worked on
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@adamstorek @mr-tz @mike-hunhoff