From 22fe57de2519b20c34c2441194f7544ff5d4eafc Mon Sep 17 00:00:00 2001
From: Matt Williams <13837569+mwilliams31@users.noreply.github.com>
Date: Thu, 26 Sep 2024 13:18:32 -0400
Subject: [PATCH 1/7] Add rule get-process-filename.yml
---
 .../process/get-process-filename.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 host-interaction/process/get-process-filename.yml
diff --git a/host-interaction/process/get-process-filename.yml b/host-interaction/process/get-process-filename.yml
new file mode 100644
index 00000000..31baee22
--- /dev/null
+++ b/host-interaction/process/get-process-filename.yml
@@ -0,0 +1,28 @@
+rule:
+ meta:
+ name: get process filename
+ namespace: host-interaction/process
+ authors:
+ - matthew.williams@mandiant.com
+ description: Retrieves the current process' filename. In the example sample, this was part of a sandbox evasion technique that computed and verified the checksum of the sample's filename.
+ scopes:
+ static: basic block
+ dynamic: unsupported # requires offset features
+ att&ck:
+ - Discovery::Process Discovery [T1057]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data
+ examples:
+ - cb948b13a5046a692ec3ed8cc16a9566:0x140013ee2
+ features:
+ - and:
+ # example:
+ # mov rax, gs:60h ; TEB.ProcessEnvironmentBlock
+ # mov rcx, [rax+18h] ; PEB64.Ldr
+ # mov rax, [rcx+20h] ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
+ # mov rcx, [rax+50h] ; LDR_DATA_TABLE_ENTRY.FullDllName.Buffer
+ - arch: amd64
+ - characteristic: peb access
+ - offset: 0x18 = PEB->Ldr
+ - offset: 0x20 = PEB->Ldr->InMemoryOrderModuleList->Flink
+ - offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
From 634895a844904f82eaa30dc1b0a7ac35a7383e9f Mon Sep 17 00:00:00 2001
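Review bot: The third `offset` description in the `and` block labels 0x50 as `FullDllName`, but an `InMemoryOrderModuleList` `Flink` points at the `InMemoryOrderLinks` field inside `LDR_DATA_TABLE_ENTRY` (entry+0x10 on x64), so `[Flink+0x50]` is entry+0x60, which is `BaseDllName.Buffer`; `FullDllName.Buffer` sits at entry+0x50, i.e. `[Flink+0x40]`, and the `# mov rcx, [rax+50h]` comment carries the same label. `BaseDllName` is the bare file name, which also fits the description's "checksum of the sample's filename", so the feature itself looks right and only the annotation misleads a reader checking the walk against the referenced PEB_LDR_DATA docs. Suggest `- offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->BaseDllName.Buffer` and `; LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer` in the comment. The same labelling recurs for both branches (0x28 on i386, 0x50 on amd64) in the PATCH 7/7 hunk of this file. Since capa treats the text after `=` as a description only, none of this changes what the rule matches.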
From: Matt Williams <13837569+mwilliams31@users.noreply.github.com>
Date: Fri, 27 Sep 2024 11:57:05 -0400
Subject: [PATCH 2/7] New rule: open-recentdocs-registry-key.yml
---
 nursery/open-recentdocs-registry-key.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 nursery/open-recentdocs-registry-key.yml
diff --git a/nursery/open-recentdocs-registry-key.yml b/nursery/open-recentdocs-registry-key.yml
new file mode 100644
index 00000000..87ff12f9
--- /dev/null
+++ b/nursery/open-recentdocs-registry-key.yml
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: open RecentDocs registry key
+ namespace: host-interaction/registry
+ authors:
+ - matthew.williams@mandiant.com
+ description: In the example sample, a RecentDocs registry value was leveraged for anti-sandbox purposes. See the referenced Palo Alto blog for details.
+ scopes:
+ static: basic block
+ dynamic: call
+ mbc:
+ - Operating System::Registry::Open Registry Key [C0036.003]
+ references:
+ - https://www.magnetforensics.com/blog/what-is-mru-most-recently-used/
+ - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
+ # examples:
+ # - cb948b13a5046a692ec3ed8cc16a9566:0x140016dc9 (dynamic)
+ features:
+ - and:
+ - match: create or open registry key
+ - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs/i
\ No newline at end of file
From 53c5c4893ce0fbea650a01a0e542d332289be97d Mon Sep 17 00:00:00 2001
From: Matt Williams <13837569+mwilliams31@users.noreply.github.com>
Date: Fri, 27 Sep 2024 12:01:54 -0400
Subject: [PATCH 3/7] Added empty line at EOF
---
 nursery/open-recentdocs-registry-key.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nursery/open-recentdocs-registry-key.yml b/nursery/open-recentdocs-registry-key.yml
index 87ff12f9..104f90dc 100644
--- a/nursery/open-recentdocs-registry-key.yml
+++ b/nursery/open-recentdocs-registry-key.yml
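Review bot: The `description` is not self-contained: it says a value "was leveraged for anti-sandbox purposes" and defers to an external blog, while the rule itself only detects opening the key, and the reader is left to infer what RecentDocs is. Suggest stating both in the rule, e.g. `description: Opens the Explorer RecentDocs key, which holds the MRU list of recently opened documents. In the example sample this key was inspected as an anti-sandbox check; see the referenced Unit 42 write-up for details.` The `examples` block is commented out, so as written the rule cannot be validated by the example-based tests; a later patch in this series adds a dynamic example, but the static `basic block` scope still has none. The doubled `\\` in the regex is correct for a YAML plain scalar feeding a regex, so no change there.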
@@ -18,4 +18,4 @@ rule:
 features:
 - and:
 - match: create or open registry key
- - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs/i
\ No newline at end of file
+ - string: /SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs/i
From bbac4455b3c0d01cf1cfa40dc2125135c01b8375 Mon Sep 17 00:00:00 2001
From: Matt Williams <13837569+mwilliams31@users.noreply.github.com>
Date: Wed, 2 Oct 2024 15:27:27 -0400
Subject: [PATCH 4/7] Adding example VMRay archive
Co-authored-by: Moritz
---
 nursery/open-recentdocs-registry-key.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nursery/open-recentdocs-registry-key.yml b/nursery/open-recentdocs-registry-key.yml
index 104f90dc..b0fc6c04 100644
--- a/nursery/open-recentdocs-registry-key.yml
+++ b/nursery/open-recentdocs-registry-key.yml
@@ -13,8 +13,8 @@ rule:
 references:
 - https://www.magnetforensics.com/blog/what-is-mru-most-recently-used/
 - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
- # examples:
- # - cb948b13a5046a692ec3ed8cc16a9566:0x140016dc9 (dynamic)
+ examples:
+ - 86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa_min_archive.zip
 features:
 - and:
 - match: create or open registry key
From 4e1cf667f9ba6563146450cd54abed093550524d Mon Sep 17 00:00:00 2001
From: Moritz
Date: Thu, 3 Oct 2024 11:35:25 +0200
Subject: [PATCH 5/7] Update nursery/open-recentdocs-registry-key.yml
---
 nursery/open-recentdocs-registry-key.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nursery/open-recentdocs-registry-key.yml b/nursery/open-recentdocs-registry-key.yml
index b0fc6c04..3a3527c8 100644
--- a/nursery/open-recentdocs-registry-key.yml
+++ b/nursery/open-recentdocs-registry-key.yml
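Review bot: In the PATCH 4/7 hunk the commented-out `cb948b13a5046a692ec3ed8cc16a9566:0x140016dc9` entry is dropped rather than reinstated, so the rule now carries only the VMRay `_min_archive.zip` example while still declaring `static: basic block`; the static scope is therefore not exercised by the example-based tests. If the static match on that sample was confirmed, keep both entries: `- cb948b13a5046a692ec3ed8cc16a9566:0x140016dc9` above the archive line. If it was not, a short comment saying the static scope has no verified example yet would save the next reader from re-deriving that. The `examples:` indentation on the new side looks off by one level relative to `references:`, but a later patch in this series already corrects it.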
@@ -14,7 +14,7 @@ rule:
 - https://www.magnetforensics.com/blog/what-is-mru-most-recently-used/
 - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
 examples:
- - 86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa_min_archive.zip
+ - 86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa_min_archive.zip
 features:
 - and:
 - match: create or open registry key
From f240bbcf88099fe23d4d82830b359e2675ae05f1 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Thu, 3 Oct 2024 11:36:41 +0200
Subject: [PATCH 6/7] Rename nursery/open-recentdocs-registry-key.yml to host-interaction/registry/open-recentdocs-registry-key.yml
---
 .../registry}/open-recentdocs-registry-key.yml | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename {nursery => host-interaction/registry}/open-recentdocs-registry-key.yml (100%)
diff --git a/nursery/open-recentdocs-registry-key.yml b/host-interaction/registry/open-recentdocs-registry-key.yml
similarity index 100%
rename from nursery/open-recentdocs-registry-key.yml
rename to host-interaction/registry/open-recentdocs-registry-key.yml
From 67a6c0f3bf5f2408a0a82b2af7e02884b341ccc5 Mon Sep 17 00:00:00 2001
From: Matt Williams <13837569+mwilliams31@users.noreply.github.com>
Date: Wed, 16 Oct 2024 13:41:53 +0000
Subject: [PATCH 7/7] Added x86 support for get-process-filename.yml
---
 .../process/get-process-filename.yml | 30 ++++++++++++-------
 1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/host-interaction/process/get-process-filename.yml b/host-interaction/process/get-process-filename.yml
index 31baee22..bb310fd9 100644
--- a/host-interaction/process/get-process-filename.yml
+++ b/host-interaction/process/get-process-filename.yml
@@ -15,14 +15,22 @@ rule:
 examples:
 - cb948b13a5046a692ec3ed8cc16a9566:0x140013ee2
 features:
- - and:
- # example:
- # mov rax, gs:60h ; TEB.ProcessEnvironmentBlock
- # mov rcx, [rax+18h] ; PEB64.Ldr
- # mov rax, [rcx+20h] ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
- # mov rcx, [rax+50h] ; LDR_DATA_TABLE_ENTRY.FullDllName.Buffer
- - arch: amd64
- - characteristic: peb access
- - offset: 0x18 = PEB->Ldr
- - offset: 0x20 = PEB->Ldr->InMemoryOrderModuleList->Flink
- - offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
+ - or:
+ - and:
+ - arch: i386
+ - characteristic: peb access
+ - offset: 0x0C = PEB->Ldr
+ - offset: 0x14 = PEB->Ldr->InMemoryOrderModuleList->Flink
+ - offset: 0x28 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
+
+ - and:
+ # example:
+ # mov rax, gs:60h ; TEB.ProcessEnvironmentBlock
+ # mov rcx, [rax+18h] ; PEB64.Ldr
+ # mov rax, [rcx+20h] ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
+ # mov rcx, [rax+50h] ; LDR_DATA_TABLE_ENTRY.FullDllName.Buffer
+ - arch: amd64
+ - characteristic: peb access
+ - offset: 0x18 = PEB->Ldr
+ - offset: 0x20 = PEB->Ldr->InMemoryOrderModuleList->Flink
+ - offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
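Review bot: The new `arch: i386` branch has no example behind it: the `examples` list in the context lines still carries only `cb948b13a5046a692ec3ed8cc16a9566:0x140013ee2`, which per the existing comment is an amd64 sample, so nothing in the test corpus exercises the 0x0C/0x14/0x28 walk and a typo in one of those offsets would go unnoticed. Add an i386 example if one is available, or a one-line comment above the branch stating it is untested, so the gap is visible. The i386 branch also lacks the worked-assembly comment the amd64 branch has; a parallel four-line `fs:30h` → `[+0Ch]` → `[+14h]` → `[+28h]` listing with the same structure-field annotations would make the two branches reviewable side by side. The 32-bit PEB/PEB_LDR_DATA offsets themselves (0x0C for `Ldr`, 0x14 for `InMemoryOrderModuleList`) look correct.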