rules: add QUIC / msquic detection rule#1108
Conversation
mike-hunhoff requested changes on Jan 28, 2026
| @@ -0,0 +1,34 @@ | |||
| rule: | |||
| meta: | |||
| name: detect usage of msquic (QUIC) APIs | |||
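Review bot: the name "detect usage of msquic (QUIC) APIs" describes what the rule does rather than the capability the sample has; capa rule names are phrased as the program's behaviour (compare the existing "connect to HTTP server" style), so a name such as "communicate via QUIC" with the specific libraries listed in a `description:` field would match the convention the reviewer is pointing at.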
please review the rule name documentation and modify accordingly.
Comment on lines +7 to +8
| scopes: | ||
| static: function |
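Review bot: the scopes block only declares `static: function`; as far as I recall the scopes syntax expects both a `static` and a `dynamic` entry (with `dynamic: unsupported` when the rule has no sensible sandbox-trace equivalent), so the linter will likely reject this as written. Function scope also means every matched feature must be referenced from within one function, which is worth checking against library-name strings that usually surface at file scope.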
please review the scopes section of the meta block documentation and modify accordingly.
| mbc: | ||
| - Communication::Network Communication::QUIC Client/Server [C0005.001] | ||
| examples: | ||
| - 05be49819139a3fdcdbddbdefd298398779521f3d68daa25275cc77508e42310.exe:0x401000 |
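Review bot: for a function-scoped rule the example must name the address of the function in which the features are matched, and 0x401000 is very commonly just the first function of the .text section; please confirm this address is the function that actually references the QUIC strings, and that the sample is present in the capa test-files repository so the CI can verify the example.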
please review the examples section of the meta block documentation and modify accordingly.
Comment on lines +30 to +34
| - string: msquic | ||
| - string: msquic.dll | ||
| - string: quiche | ||
| - string: ngtcp2 | ||
| - string: "quic-go" |
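Review bot: `string:` in capa is an exact, whole-string match, so `msquic` and `msquic.dll` are two separate features and neither would match a longer string such as a full path containing the library name; if the intent is "any string containing the library name", `substring:` is the feature to use. Short project names such as `quiche` and `ngtcp2` are also weak evidence on their own and would benefit from the per-string `description:` entries the reviewer asked for, and since the rule name promises API usage, pairing the library names with the imports the sample actually resolves from msquic would make the match stronger than library-name strings alone.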
please review the file string and substring documentation and modify accordingly. Also, provide descriptions for each string to help readers understand their purpose and relevance to the rule detection.
| scopes: | ||
| static: function | ||
| mbc: | ||
| - Communication::Network Communication::QUIC Client/Server [C0005.001] |
I don't see this listed in MBC. Can you provide a direct reference or update to the correct behaviour?
Summary
Adds a focused rule to detect usage of QUIC-related APIs and libraries, with emphasis on Microsoft msquic and other QUIC implementations.
Changes
Why
QUIC is increasingly used in modern network stacks and can be abused by malware for covert C2 and data exfiltration. Covering msquic and other QUIC libs improves capa's ability to surface these behaviors.
Testing
Author: adityashankarkhorne@gmail.com
Note on provenance:
This contribution was created with assistance from an AI tool (ChatGPT). I reviewed and edited the content and confirm I have the right to submit it under the project's license. I accept responsibility for the submission and its licensing.