diff --git a/c2/shell/create-unix-reverse-shell.yml b/c2/shell/create-unix-reverse-shell.yml
new file mode 100644
index 000000000..c743da9af
--- /dev/null
+++ b/c2/shell/create-unix-reverse-shell.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: create unix reverse shell
+ namespace: c2/shell
+ author: joakim@intezer.com
+ scope: function
+ att&ck:
+ - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004]
+ mbc:
+ - Impact::Remote Access::Reverse Shell [B0022.001]
+ examples:
+ - 7351f8a40c5450557b24622417fc478d:0x40231E
+ features:
+ - or:
+ - and:
+ - match: duplicate stdin and stdout
+ - match: create process
diff --git a/c2/shell/execute-shell-command-received-from-socket.yml b/c2/shell/execute-shell-command-received-from-socket.yml
new file mode 100644
index 000000000..28348e407
--- /dev/null
+++ b/c2/shell/execute-shell-command-received-from-socket.yml
@@ -0,0 +1,14 @@
+rule:
+ meta:
+ name: execute shell command received from socket
+ namespace: c2/shell
+ author: joakim@intezer.com
+ scope: function
+ att&ck:
+ - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004]
+ examples:
+ - 7351f8a40c5450557b24622417fc478d:0x406549
+ features:
+ - and:
+ - match: receive data on socket
+ - api: system
diff --git a/collection/get-current-user.yml b/collection/get-current-user.yml
new file mode 100644
index 000000000..b87b39178
--- /dev/null
+++ b/collection/get-current-user.yml
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: get current user
+ namespace: collection
+ author: joakim@intezer.com
+ scope: function
+ examples:
+ - 7351f8a40c5450557b24622417fc478d:0x405438
+ features:
+ - or:
+ - and:
+ - api: geteuid
+ - api: getpwuid
+ - api: getlogin
+ - api: getlogin_r
+ - api: cuserid
diff --git a/collection/network/get-mac-address.yml b/collection/network/get-mac-address.yml
index 961554a02..4096b47eb 100644
--- a/collection/network/get-mac-address.yml
+++ b/collection/network/get-mac-address.yml
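Review bot: The `features` block of create-unix-reverse-shell.yml fires on any function that redirects a child's stdin/stdout with dup2 before spawning, which is the ordinary shape of a pipe-based subprocess helper, not only a reverse shell; nothing in the rule ties the duplicated descriptor to a socket. Consider requiring a network feature in the same function, e.g. `- match: connect TCP socket` next to the two existing matches, provided the example function at 0x40231E contains the connect (its body is not visible here). The `- or:` wrapping a single `- and:` is redundant and can be dropped unless a second branch is planned.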
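Review bot: `- api: system` is the only execution sink in execute-shell-command-received-from-socket.yml, so a backdoor that hands the received buffer to `popen` (also `/bin/sh -c`) in the same function is missed; the create-process rule in this same change adds `popen`, so the sink should be at least `- or: - api: system - api: popen`. A comment noting that the rule proves co-location of a receive and an execute within one function, not data flow from the buffer to the command string, would keep analysts from over-reading a hit. The sibling reverse-shell rule carries an `mbc:` block; this one has none.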
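Review bot: The `- and:` branch of get-current-user.yml pairs `getpwuid` only with `geteuid`, but the textbook idiom is `getpwuid(getuid())`, which this rule would not match; make the first member `- or: - api: getuid - api: geteuid`. The rule also lacks the `att&ck:` block every sibling rule carries; `Discovery::System Owner/User Discovery [T1033]` is the matching technique. `cuserid` is obsolete but harmless to keep.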
@@ -2,21 +2,27 @@ rule: meta: name: get MAC address namespace: collection/network - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: function att&ck: - Discovery::System Information Discovery [T1082] examples: - al-khaser_x64.exe_:0x14001A1BC features: - - and: - - api: iphlpapi.GetAdaptersInfo - - or: - - offset: 0x194 = IP_ADAPTER_INFO.Address - - offset: 0x195 = IP_ADAPTER_INFO.Address+1 - - offset: 0x196 = IP_ADAPTER_INFO.Address+2 - - offset: 0x197 = IP_ADAPTER_INFO.Address+3 - - offset: 0x198 = IP_ADAPTER_INFO.Address+4 - - offset: 0x199 = IP_ADAPTER_INFO.Address+5 - - optional: - - string: "%02X-%02X-%02X-%02X-%02X-%02X" + - or: + - and: + - api: iphlpapi.GetAdaptersInfo + - or: + - offset: 0x194 = IP_ADAPTER_INFO.Address + - offset: 0x195 = IP_ADAPTER_INFO.Address+1 + - offset: 0x196 = IP_ADAPTER_INFO.Address+2 + - offset: 0x197 = IP_ADAPTER_INFO.Address+3 + - offset: 0x198 = IP_ADAPTER_INFO.Address+4 + - offset: 0x199 = IP_ADAPTER_INFO.Address+5 + - optional: + - string: "%02X-%02X-%02X-%02X-%02X-%02X" + - and: + - match: read file + - string: /\/sys\/class\/net\/\S+\/address/ diff --git a/communication/socket/receive/receive-data-on-socket.yml b/communication/socket/receive/receive-data-on-socket.yml index 8ca73ad5e..614799593 100644 --- a/communication/socket/receive/receive-data-on-socket.yml +++ b/communication/socket/receive/receive-data-on-socket.yml @@ -2,7 +2,9 @@ rule: meta: name: receive data on socket namespace: communication/socket/receive - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: function mbc: - Communication::Socket Communication::Receive Data [C0001.006] @@ -17,3 +19,4 @@ rule: - api: ws2_32.WSARecvEx - api: ws2_32.WSARecvFrom - api: ws2_32.WSARecvMsg + - api: recv diff --git a/communication/socket/send/send-data-on-socket.yml b/communication/socket/send/send-data-on-socket.yml index b06b05c2d..db1e27a5e 100644 
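Review bot: The new Linux branch in get-mac-address.yml only catches the sysfs read; the other common Linux method, `ioctl(fd, SIOCGIFHWADDR, &ifr)`, is not covered, so an added `- and: - api: ioctl - number: 0x8927 = SIOCGIFHWADDR` branch would close that gap. The `examples:` list still holds only the Windows sample, so the new branch has nothing to be verified against; the Linux sample used elsewhere in this change could be added if it references the sysfs path. `\S+` in the regex does match a `%s` placeholder, which is how this path usually appears in a binary, so that part is fine.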
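Review bot: The `- api: recv` appended to receive-data-on-socket.yml is the only POSIX receive primitive; `recvfrom` and `recvmsg` are just as common on Linux (UDP C2 uses `recvfrom` almost exclusively) and should be listed with it as `- api: recvfrom` and `- api: recvmsg`. Plain `read` on the socket fd is also common in Linux backdoors but is too generic to add here; that gap is worth a comment so authors building on `match: receive data on socket` (e.g. the new execute-shell-command rule) know about it.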
--- a/communication/socket/send/send-data-on-socket.yml +++ b/communication/socket/send/send-data-on-socket.yml @@ -2,7 +2,9 @@ rule: meta: name: send data on socket namespace: communication/socket/send - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: function mbc: - Communication::Socket Communication::Send Data [C0001.007] @@ -15,3 +17,4 @@ rule: - api: ws2_32.WSASend - api: ws2_32.WSASendMsg - api: ws2_32.WSASendTo + - api: send diff --git a/communication/socket/tcp/connect-tcp-socket.yml b/communication/socket/tcp/connect-tcp-socket.yml index 767c267b2..25d8ac396 100644 --- a/communication/socket/tcp/connect-tcp-socket.yml +++ b/communication/socket/tcp/connect-tcp-socket.yml @@ -2,7 +2,9 @@ rule: meta: name: connect TCP socket namespace: communication/socket/tcp - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: function mbc: - Communication::Socket Communication::Connect Socket [C0001.004] @@ -12,6 +14,7 @@ rule: - and: - match: create TCP socket - or: + - api: connect - api: ws2_32.connect - api: ws2_32.WSAConnect - api: ConnectEx diff --git a/communication/socket/tcp/create-tcp-socket.yml b/communication/socket/tcp/create-tcp-socket.yml index 4fcd0c40b..7b172c9e4 100644 --- a/communication/socket/tcp/create-tcp-socket.yml +++ b/communication/socket/tcp/create-tcp-socket.yml @@ -2,7 +2,9 @@ rule: meta: name: create TCP socket namespace: communication/socket/tcp - author: william.ballenthin@fireeye.com + author: + - william.ballenthin@fireeye.com + - joakim@intezer.com scope: basic block mbc: - Communication::Socket Communication::Create TCP Socket [C0001.011] @@ -16,3 +18,4 @@ rule: - or: - api: ws2_32.socket - api: ws2_32.WSASocket + - api: socket diff --git a/communication/socket/udp/send/create-udp-socket.yml b/communication/socket/udp/send/create-udp-socket.yml index 63527250a..f24ff64db 100644 
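Review bot: `- api: send` added to send-data-on-socket.yml should be accompanied by `- api: sendto` and `- api: sendmsg`, mirroring what the Windows list already does with WSASendTo/WSASendMsg; without them a Linux UDP sender never matches this rule. The same pairing was left out of the receive rule in this change, so it is worth fixing both together.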
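Review bot: In connect-tcp-socket.yml the new `- api: connect` is inserted ahead of the `ws2_32.*` entries, whereas every other rule in this change appends the POSIX name after the Windows ones; one placement convention makes later diffs easier to read. `connect` is also used on UDP sockets, but the `- match: create TCP socket` conjunct keeps the rule from firing there, so no logic change is needed.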
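Review bot: Adding `- api: socket` to create-tcp-socket.yml only helps if the `and:` conjuncts above this hunk (not visible here) accept the constants Linux callers actually pass; `socket(AF_INET, SOCK_STREAM, 0)` is the usual Linux form, so if the rule requires `number: 6 = IPPROTO_TCP` without also accepting `number: 1 = SOCK_STREAM`, most Linux samples will still miss. Worth checking the rule against the Linux example from this change and adding the SOCK_STREAM alternative if it is not already there.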
--- a/communication/socket/udp/send/create-udp-socket.yml +++ b/communication/socket/udp/send/create-udp-socket.yml @@ -2,7 +2,9 @@ rule: meta: name: create UDP socket namespace: communication/socket/udp/send - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: basic block mbc: - Communication::Socket Communication::Create UDP Socket [C0001.010] @@ -14,3 +16,4 @@ rule: - or: - api: ws2_32.socket - api: ws2_32.WSASocket + - api: socket diff --git a/host-interaction/file-system/change-file-permission.yml b/host-interaction/file-system/change-file-permission.yml new file mode 100644 index 000000000..6413fe2b4 --- /dev/null +++ b/host-interaction/file-system/change-file-permission.yml @@ -0,0 +1,14 @@ +rule: + meta: + name: change file permission + namespace: host-interaction/file-system + author: joakim@intezer.com + scope: basic block + examples: + - 7351f8a40c5450557b24622417fc478d:0x407C68 + features: + - or: + - api: chown + - api: fchown + - api: lchown + - api: fchownat diff --git a/host-interaction/file-system/read/read-file.yml b/host-interaction/file-system/read/read-file.yml index e2f6026f0..c3f76b3a1 100644 --- a/host-interaction/file-system/read/read-file.yml +++ b/host-interaction/file-system/read/read-file.yml @@ -2,7 +2,9 @@ rule: meta: name: read file namespace: host-interaction/file-system/read - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: function mbc: - File System::Read File [C0051] @@ -23,3 +25,19 @@ rule: - api: ZwReadFile - api: _read - api: fread + - and: + - optional: + - match: create or open file + - or: + - api: fgetc + - api: fgets + - api: getc + - api: getchar + - api: read + - api: getline + - api: getdelim + - api: fgetwc + - api: getwc + - api: fscanf + - api: vfscanf + - api: fread 
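Review bot: change-file-permission.yml lists only the `chown` family, which changes file ownership, not permissions; the permission-changing calls are `chmod`, `fchmod` and `fchmodat`. Either rename the rule (e.g. `change file ownership`) or add `- api: chmod`, `- api: fchmod` and `- api: fchmodat` so the name is true. Both variants map to `Defense Evasion::File and Directory Permissions Modification::Linux and Mac File and Directory Permissions Modification [T1222.002]`, which the rule should carry in `att&ck:` like its siblings.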
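Review bot: In the new branch of read-file.yml the open is `optional:`, so the branch reduces to "this function calls one of these APIs", and with `- api: read` in the list every function that reads from a socket, pipe or stdin is now tagged `read file`; rules built on `match: read file` in this change (get-linux-distribution, collect-ssh-keys, get-mac-address) inherit that looseness. `getchar` never reads a file, and `fread` is already listed in the branch above. Suggest dropping `getchar` and the duplicate `fread`, and making the open non-optional for the bare `read`/`getc`-style calls.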
diff --git a/host-interaction/file-system/write/write-file.yml b/host-interaction/file-system/write/write-file.yml index 2b3d4e3d7..f99d4cac4 100644 --- a/host-interaction/file-system/write/write-file.yml +++ b/host-interaction/file-system/write/write-file.yml @@ -2,7 +2,9 @@ rule: meta: name: write file namespace: host-interaction/file-system/write - author: william.ballenthin@fireeye.com + author: + - william.ballenthin@fireeye.com + - joakim@intezer.com scope: function mbc: - File System::Writes File [C0052] @@ -11,22 +13,37 @@ rule: # ntdll - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x1400025C4 features: - - and: - - optional: + - or: + - and: + - optional: + - or: + - and: + - number: 0x40000000 = GENERIC_WRITE + - or: + - api: kernel32.CreateFile + - and: + - number: 0x2 = FILE_WRITE_DATA + - or: + - api: NtCreateFile + - api: ZwCreateFile - or: - - and: - - number: 0x40000000 = GENERIC_WRITE - - or: - - api: kernel32.CreateFile - - and: - - number: 0x2 = FILE_WRITE_DATA - - or: - - api: NtCreateFile - - api: ZwCreateFile - - or: - - api: kernel32.WriteFile - - api: kernel32.WriteFileEx - - api: NtWriteFile - - api: ZwWriteFile - - api: _fwrite - - api: fwrite + - api: kernel32.WriteFile + - api: kernel32.WriteFileEx + - api: NtWriteFile + - api: ZwWriteFile + - api: _fwrite + - api: fwrite + - and: + - optional: + - match: create or open file + - or: + - api: fputc + - api: fputs + - api: putc + - api: write + - api: fputwc + - api: putwc + - api: fputws + - api: write + - api: fwrite + - api: putwchar diff --git a/host-interaction/hardware/cpu/get-cpu-information.yml b/host-interaction/hardware/cpu/get-cpu-information.yml index cf7d3cc14..6d9b02ef0 100644 --- a/host-interaction/hardware/cpu/get-cpu-information.yml +++ b/host-interaction/hardware/cpu/get-cpu-information.yml 
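Review bot: The added branch of write-file.yml lists `- api: write` twice and includes `putwchar`, which writes only to stdout; `fwrite` is also duplicated from the branch above. With the open `optional:`, a bare `write` tags any function writing to a socket or pipe as `write file`, and the three persistence rules in this change all build on `match: write file`, so a socket sender that merely references `/etc/profile` in a log string would trip them. Remove the duplicate `write` and `putwchar`, and consider requiring the open for the raw `write` case.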
@@ -2,13 +2,22 @@ rule: meta: name: get CPU information namespace: host-interaction/hardware/cpu - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: function att&ck: - Discovery::System Information Discovery [T1082] examples: - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145B5A features: - - and: - - match: query or enumerate registry value - - string: /Hardware\\Description\\System\\CentralProcessor/i + - or: + - and: + - match: query or enumerate registry value + - string: /Hardware\\Description\\System\\CentralProcessor/i + - and: + - match: read file + - string: "/proc/cpuinfo" + - and: + - api: system + - string: /\/proc\/cpuinfo/ diff --git a/host-interaction/hardware/memory/get-memory-information.yml b/host-interaction/hardware/memory/get-memory-information.yml new file mode 100644 index 000000000..a68e700e6 --- /dev/null +++ b/host-interaction/hardware/memory/get-memory-information.yml @@ -0,0 +1,20 @@ +rule: + meta: + name: get memory information + namespace: host-interaction/hardware/memory + author: joakim@intezer.com + scope: function + att&ck: + - Discovery::System Information Discovery [T1082] + examples: + - 7351f8a40c5450557b24622417fc478d:0x405438 + features: + - or: + - and: + - match: read file + - string: "/proc/meminfo" + - and: + - api: system + - or: + - string: /\/proc\/meminfo/ + - string: /^free/ diff --git a/host-interaction/mutex/lock-file.yml b/host-interaction/mutex/lock-file.yml new file mode 100644 index 000000000..bfbd0841e --- /dev/null +++ b/host-interaction/mutex/lock-file.yml @@ -0,0 +1,15 @@ +rule: + meta: + name: lock file + namespace: host-interaction/mutex + author: joakim@intezer.com + scope: basic block + mbc: + - Process::Create Mutex [C0042] + examples: + - 7351f8a40c5450557b24622417fc478d:0x40858F + features: + - and: + - api: fcntl + - number: 1 = F_WRLCK + - number: 6 = F_SETLK 
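Review bot: In get-cpu-information.yml the `read file` branch uses the exact string `"/proc/cpuinfo"` while the `system` branch uses the regex `/\/proc\/cpuinfo/`; a binary that embeds the path inside a longer string (a format string, or a command line passed through a different launcher) misses the first branch only. Using the regex in both branches removes the inconsistency at no cost.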
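Review bot: The `/^free/` alternative in get-memory-information.yml matches any string beginning with "free" ("free space", "freeing buffer", glibc's "free(): invalid pointer") and at function scope only needs a `system` call somewhere in the same function; anchor the command form instead, `- string: /^free(\s|$)/`. `sysinfo(2)` is the direct Linux API for total/free RAM and is not covered at all; `- api: sysinfo` belongs in the top-level `or:`.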
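Review bot: lock-file.yml only matches the non-blocking `F_SETLK` (6); the blocking `F_SETLKW` (7) is at least as common for single-instance locks, and `flock(fd, LOCK_EX)` is the other idiom entirely, so add `- number: 7 = F_SETLKW` as an alternative to `F_SETLK` and a second branch `- and: - api: flock - number: 2 = LOCK_EX`. The values 1 and 6 are the Linux x86/ARM numbers and may differ on other Linux architectures, so a comment naming the ABI they came from would save the next maintainer a lookup. Mapping a file lock to `Create Mutex [C0042]` is reasonable but deserves a one-line comment, since no mutex object is created.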
diff --git a/host-interaction/network/address/get-local-ipv4-addresses.yml b/host-interaction/network/address/get-local-ipv4-addresses.yml index b390613dd..642a3ca80 100644 --- a/host-interaction/network/address/get-local-ipv4-addresses.yml +++ b/host-interaction/network/address/get-local-ipv4-addresses.yml @@ -2,7 +2,9 @@ rule: meta: name: get local IPv4 addresses namespace: host-interaction/network/address - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: function att&ck: - Discovery::System Network Configuration Discovery [T1016] @@ -11,6 +13,7 @@ rule: - 4C0553285D724DCAF5909924B4E3E90A:0x402010 features: - or: + - api: getsockname - and: - api: GetAdaptersInfo - offset: 0x1B0 = IP_ADAPTER_INFO.IpAddressList.IpAddress diff --git a/host-interaction/network/dns/resolve/resolve-dns.yml b/host-interaction/network/dns/resolve/resolve-dns.yml index bbbaf45d1..08f0c336b 100644 --- a/host-interaction/network/dns/resolve/resolve-dns.yml +++ b/host-interaction/network/dns/resolve/resolve-dns.yml @@ -5,6 +5,7 @@ rule: author: - william.ballenthin@fireeye.com - johnk3r + - joakim@intezer.com scope: function mbc: - Communication::DNS Communication::Resolve [C0011.001] @@ -20,3 +21,7 @@ rule: - api: getaddrinfo - api: GetAddrInfo - api: GetAddrInfoEx + - api: gethostbyname + - api: getaddrinfo + - api: getnameinfo + - api: gethostent diff --git a/host-interaction/network/interface/get-networking-interfaces.yml b/host-interaction/network/interface/get-networking-interfaces.yml index 55bccec3e..10a0130a2 100644 --- a/host-interaction/network/interface/get-networking-interfaces.yml +++ b/host-interaction/network/interface/get-networking-interfaces.yml 
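Review bot: `- api: getsockname` is added as a bare alternative to the top-level `or:` in get-local-ipv4-addresses.yml, so every function that calls it — including Windows `ws2_32.getsockname`, which is mostly used to learn an ephemeral port — is now reported as enumerating local IPv4 addresses. `getsockname` returns the address bound to one socket, not the host's addresses; the direct Linux equivalents of the GetAdaptersInfo branch are `getifaddrs` (already used by the interfaces rule in this change) and `ioctl` with `0x8915 = SIOCGIFADDR`. Suggest replacing the bare entry with `- api: getifaddrs` and an `- and: - api: ioctl - number: 0x8915 = SIOCGIFADDR` branch.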
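Review bot: `- api: getaddrinfo` is added to resolve-dns.yml although it already appears three lines above in the same `or:` (visible as context), so the new entry is a duplicate. `gethostent` walks `/etc/hosts`/NSS sequentially rather than resolving a name, and `getnameinfo` is a reverse lookup; both are defensible under `Resolve [C0011.001]` but a short comment would explain why they sit in a DNS rule. `gethostbyname2` is the IPv6-aware sibling of `gethostbyname` and could be listed with it.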
@@ -2,7 +2,9 @@ rule: meta: name: get networking interfaces namespace: host-interaction/network/interface - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: function att&ck: - Discovery::System Network Configuration Discovery [T1016] @@ -12,3 +14,4 @@ rule: - or: - api: iphlpapi.GetIfTable - api: iphlpapi.GetAdaptersInfo + - api: getifaddrs diff --git a/host-interaction/os/hostname/get-hostname.yml b/host-interaction/os/hostname/get-hostname.yml index 803dbc8da..64cf16531 100644 --- a/host-interaction/os/hostname/get-hostname.yml +++ b/host-interaction/os/hostname/get-hostname.yml @@ -2,15 +2,19 @@ rule: meta: name: get hostname namespace: host-interaction/os/hostname - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: function att&ck: - Discovery::System Information Discovery [T1082] examples: - 9324D1A8AE37A36AE560C37448C9705A:0x4052A0 + - 7351f8a40c5450557b24622417fc478d:0x405438 features: - or: - api: kernel32.GetComputerName - api: kernel32.GetComputerNameEx - api: GetComputerObjectName - api: ws2_32.gethostname + - api: gethostname diff --git a/host-interaction/os/info/get-system-information.yml b/host-interaction/os/info/get-system-information.yml index 4228ed88a..038d8a202 100644 --- a/host-interaction/os/info/get-system-information.yml +++ b/host-interaction/os/info/get-system-information.yml @@ -2,7 +2,9 @@ rule: meta: name: get system information namespace: host-interaction/os/info - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: function att&ck: - Discovery::System Information Discovery [T1082] @@ -17,3 +19,7 @@ rule: - api: ntdll.RtlGetNativeSystemInformation - api: ZwQuerySystemInformation - api: ZwQuerySystemInformationEx + - api: sysconf + - and: + - api: system + - string: "lshw" 
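Review bot: `- api: getifaddrs` is the only Linux entry added to get-networking-interfaces.yml; `if_nameindex` and `ioctl` with `0x8912 = SIOCGIFCONF` are the other standard ways to list interfaces and are what older or IoT-targeted samples tend to use. Add `- api: if_nameindex` and an `- and: - api: ioctl - number: 0x8912 = SIOCGIFCONF` branch to the `or:`.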
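Review bot: `- api: sysconf` is added as a bare alternative in get-system-information.yml, but `sysconf` is called from ordinary runtime code (page size, CPU count for thread pools) in most non-trivial Linux programs, so at function scope it will tag a lot of benign code. Pair it with the names that actually indicate profiling, e.g. `- and: - api: sysconf - or: - number: 84 = _SC_NPROCESSORS_ONLN - number: 85 = _SC_PHYS_PAGES` (glibc values). The `lshw` branch uses an exact `string: "lshw"` while the sibling rules use regexes; `system("lshw -short")` would not match, so `/^lshw( |$)/` is the consistent choice.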
diff --git a/host-interaction/os/version/get-kernel-version.yml b/host-interaction/os/version/get-kernel-version.yml new file mode 100644 index 000000000..0cb12972b --- /dev/null +++ b/host-interaction/os/version/get-kernel-version.yml @@ -0,0 +1,16 @@ +rule: + meta: + name: get kernel version + namespace: host-interaction/os/version + author: joakim@intezer.com + scope: function + att&ck: + - Discovery::System Information Discovery [T1082] + examples: + - 7351f8a40c5450557b24622417fc478d:0x405438 + features: + - or: + - and: + - api: system + - string: "uname" + - api: uname diff --git a/host-interaction/os/version/get-linux-distribution.yml b/host-interaction/os/version/get-linux-distribution.yml new file mode 100644 index 000000000..d3a1dfc45 --- /dev/null +++ b/host-interaction/os/version/get-linux-distribution.yml @@ -0,0 +1,17 @@ +rule: + meta: + name: get Linux distribution + namespace: host-interaction/os/version + author: joakim@intezer.com + scope: function + att&ck: + - Discovery::System Information Discovery [T1082] + examples: + - 7351f8a40c5450557b24622417fc478d:0x405438 + features: + - and: + - or: + - string: "/etc/os-release" + - string: "/etc/lsb-release" + - string: "/etc/issue" + - match: read file diff --git a/host-interaction/process/create/create-process.yml b/host-interaction/process/create/create-process.yml index 4b10a8acd..2702bd508 100644 --- a/host-interaction/process/create/create-process.yml +++ b/host-interaction/process/create/create-process.yml @@ -2,7 +2,9 @@ rule: meta: name: create process namespace: host-interaction/process/create - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: basic block mbc: - Process::Create Process [C0017] 
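Review bot: The `system` branch of get-kernel-version.yml requires the exact string `"uname"`, but the command as embedded in binaries is almost always `uname -a`, `uname -r` or `uname -m`, so it should be a regex such as `/^uname( |$)/`. The kernel version is also commonly read from procfs; a third branch `- and: - match: read file - string: /\/proc\/(version|sys\/kernel\/osrelease)/` would cover that. `- api: uname` on its own is a weak signal since libc and many runtimes call `uname(2)` for unrelated reasons; a comment acknowledging that would help triage.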
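Review bot: get-linux-distribution.yml covers `/etc/os-release`, `/etc/lsb-release` and `/etc/issue` but not the other files samples probe for the same purpose: `/usr/lib/os-release` (the canonical file `/etc/os-release` is a symlink to), `/etc/redhat-release` and `/etc/debian_version`. Adding those as further `- string:` entries, or collapsing all of them into one regex, keeps the rule from missing distribution checks written for RHEL/Debian families. A `system` + `/lsb_release/` branch in the style of the sibling rules would cover the command form.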
@@ -26,3 +28,13 @@ rule: - api: ZwCreateProcessEx - api: ntdll.ZwCreateUserProcess - api: ntdll.RtlCreateUserProcess + - api: execve + - api: execl + - api: execlp + - api: execle + - api: execv + - api: execvp + - api: execvpe + - api: posix_spawn + - api: posix_spawnp + - api: popen diff --git a/host-interaction/process/terminate/terminate-process-via-kill.yml b/host-interaction/process/terminate/terminate-process-via-kill.yml new file mode 100644 index 000000000..7529ce652 --- /dev/null +++ b/host-interaction/process/terminate/terminate-process-via-kill.yml @@ -0,0 +1,21 @@ +rule: + meta: + name: terminate process via kill + namespace: host-interaction/process/terminate + author: joakim@intezer.com + scope: basic block + mbc: + - Process::Terminate Process [C0018] + examples: + - 7351f8a40c5450557b24622417fc478d:0x402424 + features: + - and: + - api: kill + - or: + - number: 1 = SIGHUP - controlling terminal closed + - number: 2 = SIGINT - interupt process stream, ctrl-C + - number: 3 = SIGQUIT - like ctrl-C but with a core dump + - number: 6 = SIGABRT + - number: 9 = SIGKILL - terminate immediately/hard kill + - number: 15 = SIGTERM - terminate whenever/soft kill + - number: 19 = SIGSTOP - Pause the process / free command line, ctrl-Z diff --git a/host-interaction/thread/create/create-thread.yml b/host-interaction/thread/create/create-thread.yml index 9966ab42c..82337a20f 100644 --- a/host-interaction/thread/create/create-thread.yml +++ b/host-interaction/thread/create/create-thread.yml @@ -5,6 +5,7 @@ rule: author: - moritz.raabe@fireeye.com - michael.hunhoff@fireeye.com + - joakim@intezer.com scope: basic block mbc: - Process::Create Thread [C0038] @@ -26,3 +27,4 @@ rule: - api: ntdll.NtCreateThreadEx - api: ntdll.ZwCreateThread - api: ntdll.ZwCreateThreadEx + - api: pthread_create diff --git a/lib/create-or-open-file.yml b/lib/create-or-open-file.yml index c900c0d4f..935c01263 100644 --- a/lib/create-or-open-file.yml +++ b/lib/create-or-open-file.yml 
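Review bot: The POSIX list added to create-process.yml omits `system`, which spawns `/bin/sh -c` just like the listed `popen` and is the very API the other new rules in this change key on (get-cpu-information, get-memory-information, interact-with-iptables); `fexecve` is also missing from the exec family. Add `- api: system` and `- api: fexecve`. `fork`/`vfork`/`clone` deliberately stay out because they create a process without a new image, but a comment saying so would stop someone re-adding them later.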
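Review bot: `- number: 19 = SIGSTOP` in terminate-process-via-kill.yml does not terminate anything — it suspends the target — so it either belongs in a separate suspend-process rule or should be dropped from a rule whose name and `Terminate Process [C0018]` tag promise termination. The signal numbers are the x86/ARM values; SIGSTOP in particular differs on MIPS and SPARC, which matter for IoT-targeted ELF samples, so a comment stating the ABI assumption would help. The description for 2 has a typo: `interupt` should be `interrupt`.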
@@ -1,7 +1,9 @@ rule: meta: name: create or open file - author: michael.hunhoff@fireeye.com + author: + - michael.hunhoff@fireeye.com + - joakim@intezer.com lib: true scope: basic block mbc: @@ -18,3 +20,9 @@ rule: - api: ZwCreateFile - api: NtOpenFile - api: NtCreateFile + - api: fopen + - api: fopen64 + - api: fdopen + - api: freopen + - api: open + - api: openat diff --git a/lib/duplicate-stdin-and-stdout.yml b/lib/duplicate-stdin-and-stdout.yml new file mode 100644 index 000000000..f170def17 --- /dev/null +++ b/lib/duplicate-stdin-and-stdout.yml @@ -0,0 +1,13 @@ +rule: + meta: + name: duplicate stdin and stdout + author: joakim@intezer.com + lib: true + scope: basic block + examples: + - 7351f8a40c5450557b24622417fc478d:0x40236D + features: + - and: + - api: dup2 + - number: 0 = STDIN + - number: 1 = STDOUT diff --git a/linking/runtime-linking/link-function-at-runtime.yml b/linking/runtime-linking/link-function-at-runtime.yml index a182aeca7..e989226ca 100644 --- a/linking/runtime-linking/link-function-at-runtime.yml +++ b/linking/runtime-linking/link-function-at-runtime.yml @@ -2,7 +2,9 @@ rule: meta: name: link function at runtime namespace: linking/runtime-linking - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: function att&ck: - Execution::Shared Modules [T1129] 
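Review bot: The Linux additions to lib/create-or-open-file.yml miss the large-file and legacy variants that 32-bit builds emit — `open64`, `openat64`, `creat` and `creat64` — and 32-bit ELF is common among the Linux families these rules target; `fopen64` is listed, so the omission of `open64` looks accidental. Conversely `fdopen` does not open a file: it wraps an existing fd that may be a socket or pipe, so listing it widens every rule that matches `read file`/`write file` to socket and pipe I/O. Add the `*64`/`creat` names and consider dropping `fdopen`.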
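Review bot: lib/duplicate-stdin-and-stdout.yml is basic-block scoped and requires the literals 0 and 1 next to a `dup2` call, so the idiomatic loop over descriptors 0..2 — whose dup2 block holds the loop counter, not the literals — will not match, and the `dup3` variant is not listed at all. Consider `- or: - api: dup2 - api: dup3` and either function scope or a looser second branch so the loop form is caught. The rule also ignores stderr (2), which reverse shells almost always duplicate as well; an `optional: - number: 2 = STDERR` would document that without tightening the match.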
@@ -10,14 +12,22 @@ rule: - 9324D1A8AE37A36AE560C37448C9705A:0x404130 - Practical Malware Analysis Lab 01-04.exe_:0x401350 features: - - and: - - or: - - api: kernel32.LoadLibrary - - api: kernel32.GetModuleHandle - - api: kernel32.GetModuleHandleEx - - api: ntdll.LdrLoadDll - - or: - - api: kernel32.GetProcAddress - - api: ntdll.LdrGetProcedureAddress - - optional: - - characteristic: indirect call + - or: + - and: + - or: + - api: kernel32.LoadLibrary + - api: kernel32.GetModuleHandle + - api: kernel32.GetModuleHandleEx + - api: ntdll.LdrLoadDll + - or: + - api: kernel32.GetProcAddress + - api: ntdll.LdrGetProcedureAddress + - optional: + - characteristic: indirect call + - and: + - or: + - api: dlopen + - api: dlmopen + - or: + - api: dlsym + - api: dlvsym diff --git a/linking/runtime-linking/link-many-functions-at-runtime.yml b/linking/runtime-linking/link-many-functions-at-runtime.yml index 9a221c338..d45e88bd9 100644 --- a/linking/runtime-linking/link-many-functions-at-runtime.yml +++ b/linking/runtime-linking/link-many-functions-at-runtime.yml 
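Review bot: The Linux branch added to link-function-at-runtime.yml requires `dlopen`/`dlmopen` and `dlsym` in the same function, which misses the hooking idiom `dlsym(RTLD_NEXT, "name")` used by LD_PRELOAD-style rootkits, where no dlopen occurs because the library is already loaded; that case is better served by a dedicated rule than by loosening this one, but it should be noted in a comment. For symmetry with the Windows branch, `- optional: - characteristic: indirect call` should be repeated under the Linux `and:`, since the resolved pointer is called the same way.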
@@ -2,19 +2,29 @@ rule: meta: name: link many functions at runtime namespace: linking/runtime-linking - author: moritz.raabe@fireeye.com + author: + - moritz.raabe@fireeye.com + - joakim@intezer.com scope: function att&ck: - Execution::Shared Modules [T1129] examples: - b7b5e1253710d8927cbe07d52d2d2e10:0x401000 features: - - and: - - or: - - api: kernel32.LoadLibrary - - api: kernel32.GetModuleHandle - - api: kernel32.GetModuleHandleEx - - api: ntdll.LdrLoadDll - - or: - - count(api(kernel32.GetProcAddress)): 5 or more - - count(api(ntdll.LdrGetProcedureAddress)): 5 or more + - or: + - and: + - or: + - api: kernel32.LoadLibrary + - api: kernel32.GetModuleHandle + - api: kernel32.GetModuleHandleEx + - api: ntdll.LdrLoadDll + - or: + - count(api(kernel32.GetProcAddress)): 5 or more + - count(api(ntdll.LdrGetProcedureAddress)): 5 or more + - and: + - or: + - api: dlopen + - api: dlmopen + - or: + - count(api(dlsym)): 5 or more + - count(api(dlvsym)): 5 or more diff --git a/nursery/capture-network-configuration-via-ifconfig.yml b/nursery/capture-network-configuration-via-ifconfig.yml new file mode 100644 index 000000000..2ef740309 --- /dev/null +++ b/nursery/capture-network-configuration-via-ifconfig.yml @@ -0,0 +1,12 @@ +rule: + meta: + name: capture network configuration via ifconfig + namespace: collection/network + author: joakim@intezeer.com + scope: basic block + att&ck: + - Discovery::System Network Configuration Discovery [T1016] + features: + - and: + - string: /ifconfig/ + - api: system diff --git a/nursery/collect-ssh-keys.yml b/nursery/collect-ssh-keys.yml new file mode 100644 index 000000000..4bfce84f3 --- /dev/null +++ b/nursery/collect-ssh-keys.yml @@ -0,0 +1,13 @@ +rule: + meta: + name: collect ssh keys + namespace: collection + author: joakim@intezer.com + scope: function + att&ck: + - Credential Access::Unsecured Credentials::Private Keys [T1552.004] + features: + - and: + - match: read file + - or: + - string: /\/\.ssh\/id_rsa/ 
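Review bot: The author field in capture-network-configuration-via-ifconfig.yml reads `joakim@intezeer.com` while every other rule in this change uses `joakim@intezer.com`; looks like a typo. The rule only matches `ifconfig`; on current distributions the equivalent is `ip addr`/`ip a`, so a second alternative `- string: /\bip (addr|a)\b/` under an `or:` would keep the rule relevant for samples that prefer iproute2. Unlike its siblings the rule has no `examples:` entry, which is presumably why it sits in nursery/.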
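Review bot: collect-ssh-keys.yml only looks for `id_rsa`, so keys named `id_ed25519`, `id_ecdsa` or `id_dsa` — the default names ssh-keygen uses for the other key types — are missed; `- string: /\/\.ssh\/id_(rsa|dsa|ecdsa|ed25519)/` covers all four in one entry, and the single-element `- or:` can then go. The regex also matches `id_rsa.pub`, a public key; if the `[T1552.004]` private-key tag is meant strictly, anchor the end of the pattern. `authorized_keys`/`known_hosts` reads would be a separate collection rule.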
diff --git a/nursery/enumerate-processes-via-procfs.yml b/nursery/enumerate-processes-via-procfs.yml
new file mode 100644
index 000000000..b0c5710b1
--- /dev/null
+++ b/nursery/enumerate-processes-via-procfs.yml
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: enumerate processes via procfs
+ namespace: host-interaction/process/list
+ author: joakim@intezer.com
+ scope: function
+ att&ck:
+ - Discovery::Process Discovery [T1057]
+ - Discovery::Software Discovery [T1518]
+ features:
+ - and:
+ - string: "/proc"
+ - or:
+ - and:
+ - match: create or open file
+ - or:
+ - api: getdents
+ - api: getdents64
+ - and:
+ - api: opendir
+ - api: readdir
diff --git a/nursery/interact-with-iptables.yml b/nursery/interact-with-iptables.yml
new file mode 100644
index 000000000..ed980ff15
--- /dev/null
+++ b/nursery/interact-with-iptables.yml
@@ -0,0 +1,13 @@
+rule:
+ meta:
+ name: interact with iptables
+ namespace: host-interaction/firewall
+ author: joakim@intezer.com
+ scope: basic block
+ att&ck:
+ - Discovery::Software Discovery::Security Software Discovery [T1518.001]
+ - Defense Evasion::Impair Defenses::Disable or Modify System Firewall [T1562.004]
+ features:
+ - and:
+ - api: system
+ - string: /iptables/
diff --git a/persistence/persist-via-desktop-autostart.yml b/persistence/persist-via-desktop-autostart.yml
new file mode 100644
index 000000000..dff058e84
--- /dev/null
+++ b/persistence/persist-via-desktop-autostart.yml
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: persist via .desktop autostart
+ namespace: persistence
+ author: joakim@intezer.com
+ scope: function
+ att&ck:
+ - Persistence::Boot or Logon Autostart Execution::XDG Autostart Entries [T1547.013]
+ examples:
+ - 7351f8a40c5450557b24622417fc478d:0x407D11
+ features:
+ - and:
+ - match: write file
+ - or:
+ - string: /\/\.config\/autostart\/.+\.desktop/
+ - string: /\/etc\/xdg\/autostart/
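Review bot: `- string: "/proc"` in enumerate-processes-via-procfs.yml is an exact match, but code that walks procfs almost always carries the path with a trailing slash or inside a format string (`/proc/`, `/proc/%d/stat`, `/proc/%s/cmdline`), so the rule will miss most real enumerators; `- string: /^\/proc(\/|$)/` keeps the anchor on the directory while accepting those forms. `readdir64` should accompany `readdir` for 32-bit LFS builds. The `Software Discovery [T1518]` tag does not describe process enumeration and could be dropped.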
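Review bot: interact-with-iptables.yml tags a single match with both `Security Software Discovery [T1518.001]` and `Disable or Modify System Firewall [T1562.004]`, but `/iptables/` cannot tell `iptables -L` (discovery) from `iptables -F` or `iptables -P INPUT ACCEPT` (evasion), so every hit carries both tags. Splitting into two rules, or narrowing the evasion tag to a second string such as `/iptables .*(-F|--flush|-P \w+ ACCEPT|-D )/`, gives analysts an accurate technique mapping. `nft` and `ufw` command forms are not covered and may deserve the same treatment.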
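Review bot: The regex `/\/\.config\/autostart\/.+\.desktop/` in persist-via-desktop-autostart.yml requires the directory and the `.desktop` filename to appear in one string, but code that builds the path incrementally (a strcat of `/.config/autostart/` followed by the name) only contains the directory, while the second alternative already accepts the bare `/etc/xdg/autostart` directory. Loosen the first to `/\/\.config\/autostart\//` for consistency, optionally adding `- string: /\.desktop$/` under an `optional:`. A comment that the match is function-scoped co-location with `write file`, not a proven write to that path, would set expectations for analysts.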
diff --git a/persistence/persist-via-shell-profile-or-rc-file.yml b/persistence/persist-via-shell-profile-or-rc-file.yml
new file mode 100644
index 000000000..78e378167
--- /dev/null
+++ b/persistence/persist-via-shell-profile-or-rc-file.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: persist via shell profile or rc file
+ namespace: persistence
+ author: joakim@intezer.com
+ scope: function
+ att&ck:
+ - Persistence::Event Triggered Execution::Unix Shell Configuration Modification [T1546.004]
+ examples:
+ - 7351f8a40c5450557b24622417fc478d:0x407D11
+ features:
+ - and:
+ - match: write file
+ - or:
+ - string: /\/\.bash_profile/
+ - string: /\/\.bash_login/
+ - string: /\/\.bashrc/
+ - string: /\/\.profile/
+ - string: "/etc/profile"
+ - string: /\/etc\/profile\.d\//
diff --git a/persistence/service/persist-via-rc-script.yml b/persistence/service/persist-via-rc-script.yml
new file mode 100644
index 000000000..354303bbc
--- /dev/null
+++ b/persistence/service/persist-via-rc-script.yml
@@ -0,0 +1,16 @@
+rule:
+ meta:
+ name: persist via rc script
+ namespace: persistence/service
+ author: joakim@intezer.com
+ scope: function
+ att&ck:
+ - Persistence::Boot or Logon Initialization Scripts::RC Scripts [T1037.004]
+ examples:
+ - 7351f8a40c5450557b24622417fc478d:0x407D11
+ features:
+ - and:
+ - match: write file
+ - or:
+ - string: /\/etc\/init.d\//
+ - string: /\/etc\/rc[0-9].d\//
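Review bot: persist-via-shell-profile-or-rc-file.yml mixes an exact `string: "/etc/profile"` with regexes for every other path, so `/etc/profile` embedded in a longer string (a shell command or format string) is missed while the other paths are not; `/\/etc\/profile$/` matches the same file in the same style. The system-wide `/etc/bash.bashrc` and the zsh equivalents (`.zshrc`, `.zprofile`, `.zlogin`), all named under T1546.004, are missing: add `- string: /\/\.z(shrc|profile|login)/` and `- string: /\/etc\/bash\.bashrc/`.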
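Review bot: The two regexes in persist-via-rc-script.yml leave the `.` in `init.d` and `rc[0-9].d` unescaped, so it matches any character there; write `/\/etc\/init\.d\//` and `/\/etc\/rc[0-9]\.d\//`. More importantly, the file that `RC Scripts [T1037.004]` is primarily about, `/etc/rc.local` (and `/etc/rc.d/rc.local` on RHEL-style systems), is not listed; add `- string: /\/etc\/(rc\.d\/)?rc\.local/`. As with the sibling persistence rules, the hit only proves a `write file` call and an rc path in the same function, which a short comment should say.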