Additional rules to support capa-scripts. #603
adamstorek wants to merge 2 commits into mandiant:master from
Conversation
mike-hunhoff
left a comment
great, thank you! I've left comments and suggestions for your review 🚀. I'm adding a "do not merge" tag for now as we won't be able to merge these rules until after the v4.0.0 release.
| - api: "System.Data.SqlClient.SqlConnection" | ||
| - api: "System.Data.SqlClient.SqlConnection::Open" | ||
| - api: "System.Data.SqlClient.SqlCommand" | ||
| - api: "System.Data.SqlClient.SqlCommand::ExecuteReader" |
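Review bot: the `and` block requires all four features (`SqlConnection`, `SqlConnection::Open`, `SqlCommand`, `SqlCommand::ExecuteReader`) to occur in the same scope, so code that opens the connection and then runs the command through another execute method of the same class (`SqlCommand::ExecuteNonQuery` or `SqlCommand::ExecuteScalar`) is not matched; consider putting the execute methods in an `or`. Also drop the double quotes around the `api:` values for consistency with the unquoted form used elsewhere in this PR (`- api: advapi32.CryptCreateHash`, `- api: System.Diagnostics.Process::Start`).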
I've got questions here we can address offline.
| - 6f3261eaaabf369bd928d179641b73ffd768184dfd4e00124da462a3075d4239.aspx_ | ||
| features: | ||
| - and: | ||
| - api: "System.Data.SqlClient.SqlConnection" |
| - api: "System.Data.SqlClient.SqlConnection" | |
| - api: System.Data.SqlClient.SqlConnection |
| features: | ||
| - and: | ||
| - api: "System.Data.SqlClient.SqlConnection" | ||
| - api: "System.Data.SqlClient.SqlConnection::Open" |
| - api: "System.Data.SqlClient.SqlConnection::Open" | |
| - api: System.Data.SqlClient.SqlConnection::Open |
| - and: | ||
| - api: "System.Data.SqlClient.SqlConnection" | ||
| - api: "System.Data.SqlClient.SqlConnection::Open" | ||
| - api: "System.Data.SqlClient.SqlCommand" |
| - api: "System.Data.SqlClient.SqlCommand" | |
| - api: System.Data.SqlClient.SqlCommand |
| - api: "System.Data.SqlClient.SqlConnection" | ||
| - api: "System.Data.SqlClient.SqlConnection::Open" | ||
| - api: "System.Data.SqlClient.SqlCommand" | ||
| - api: "System.Data.SqlClient.SqlCommand::ExecuteReader" |
| - api: "System.Data.SqlClient.SqlCommand::ExecuteReader" | |
| - api: System.Data.SqlClient.SqlCommand::ExecuteReader |
| - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05] | ||
| - Cryptography::Encrypt Data::RSA [C0027.011] | ||
| examples: | ||
| - d460cae7d34c51059ef57c5aadb3de099469efbac5fffcf76d0528a511192a28.aspx_ |
We can move this out of the nursery if we have a solid example.
leads to the question if we expect a test case for binary and script and ...?!
| - and: | ||
| - api: System.Diagnostics.Process | ||
| - property: System.Diagnostics.Process.StartInfo::FileName | ||
| - api: System.Diagnostics.Process::Start No newline at end of file |
Need to add empty line at end of rule - be sure to run the rule linter to ensure formatting is correct.
| - number: 0x8004 = CALG_SHA1 | ||
| - api: advapi32.CryptCreateHash | ||
| - or: | ||
| - api: "System.Security.Cryptography.SHA1" |
| - api: "System.Security.Cryptography.SHA1" | |
| - api: System.Security.Cryptography.SHA1 |
| - api: advapi32.CryptCreateHash | ||
| - or: | ||
| - api: "System.Security.Cryptography.SHA1" | ||
| - api: "System.Security.Cryptography.SHA1CryptoServiceProvider" |
| - api: "System.Security.Cryptography.SHA1CryptoServiceProvider" | |
| - api: System.Security.Cryptography.SHA1CryptoServiceProvider |
| - or: | ||
| - api: "System.Security.Cryptography.SHA1" | ||
| - api: "System.Security.Cryptography.SHA1CryptoServiceProvider" | ||
| - api: "System.Security.Cryptography.SHA1CryptoServiceProvider.ComputeHash" |
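Review bot: `System.Security.Cryptography.SHA1CryptoServiceProvider.ComputeHash` separates the method with a dot, whereas every other .NET method feature in this PR uses the `Class::Method` form (`System.Data.SqlClient.SqlConnection::Open`, `System.Diagnostics.Process::Start`), which is also the form capa's .NET extractor emits for method calls; the dotted spelling will not match that feature, so change it to `- api: System.Security.Cryptography.SHA1CryptoServiceProvider::ComputeHash`.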
| - api: "System.Security.Cryptography.SHA1CryptoServiceProvider.ComputeHash" | |
| - api: System.Security.Cryptography.SHA1CryptoServiceProvider.ComputeHash |
mr-tz
left a comment
great, please see my comments for further improvements
| - and: | ||
| - match: create process on Windows | ||
| - or: | ||
| - substring: "cmd.exe" | ||
| - substring: "powershell.exe" |
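Review bot: `create process on Windows` combined with a `cmd.exe` or `powershell.exe` substring matches any code that launches a command interpreter, not specifically a reverse shell, so the rule name over-claims what is detected; either add a feature in the same scope that ties the interpreter to a network connection (a socket API, for instance) or rename the rule to describe what it actually identifies (execution of a command interpreter).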
is this sufficient to identify a reverse shell?
| @@ -0,0 +1,23 @@ | |||
| rule: | |||
| meta: | |||
| name: decrypt data using AES | |||
| name: decrypt data using AES | |
| name: decrypt data using AES via .NET |
to be consistent with following rule
| - number: 0x8003 = CALG_MD5 | ||
| - api: advapi32.CryptCreateHash | ||
| - and: | ||
| - format: dotnet |
need to find a good solution for this, see mandiant/capa#1106 (reply in thread) and #601
| - Execution::Command and Scripting Interpreter::PowerShell [T1059.001] | ||
| examples: | ||
| - 692f7fd6d198e804d6af98eb9e390d61:0x6000004 | ||
| - 4f6fa6a45017397c7e1c9cd5a17235ccb1ff0f5087dfa6b7384552bf507e7fe1.aspx_ |
so cool that this just works :)
I noticed that the current .NET rules missed a lot of functionality/API calls that the aspx test malware includes. I therefore modified the currently available rules and created new ones to fully leverage the capa-scripts extraction capabilities.