A set of rules for Linux ELFs #442
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| rule: | ||
| meta: | ||
| name: create unix reverse shell | ||
| namespace: c2/shell | ||
| author: [email protected] | ||
| scope: function | ||
| att&ck: | ||
| - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004] | ||
| mbc: | ||
| - Impact::Remote Access::Reverse Shell [B0022.001] | ||
| examples: | ||
| - 7351f8a40c5450557b24622417fc478d:0x40231E | ||
| features: | ||
| - or: | ||
| - and: | ||
| - match: duplicate stdin and stdout | ||
| - match: create process | ||
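Review bot: the `features` block wraps a single `and:` inside an `or:` (`- or:` directly followed by one `- and:`), so the `or:` is redundant; either drop it or add the second branch that was intended. As written the rule also fires on any function that redirects stdio and spawns a process (popen-style helpers, daemon launchers), because nothing ties it to a socket; adding `- match: connect TCP socket` (the rule updated in this PR) to the `and:` would keep it specific to the reverse shell the name claims.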
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| rule: | ||
| meta: | ||
| name: execute shell command received from socket | ||
| namespace: c2/shell | ||
| author: [email protected] | ||
| scope: function | ||
| att&ck: | ||
| - Execution::Command and Scripting Interpreter::Unix Shell [T1059.004] | ||
| examples: | ||
| - 7351f8a40c5450557b24622417fc478d:0x406549 | ||
| features: | ||
| - and: | ||
| - match: receive data on socket | ||
| - api: system |
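Review bot: the rule keys only on `- api: system`, so a command received on the socket and executed through `popen`, `execve` or `execl` (the other common libc paths) is missed; consider an `- or:` over those APIs in place of the single `api: system`. The metadata also lacks the `mbc:` entry that the sibling `create unix reverse shell` rule carries; adding the matching MBC behavior would keep the two `c2/shell` rules consistent.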
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| rule: | ||
| meta: | ||
| name: get current user | ||
Windows rule for this:

Linux doesn't use the term session username. This checks for queries via the effective user id and extracting the user's info from "passwd" or the username of the user that started the process.
| namespace: collection | ||
| author: [email protected] | ||
| scope: function | ||
| examples: | ||
| - 7351f8a40c5450557b24622417fc478d:0x405438 | ||
| features: | ||
| - or: | ||
| - and: | ||
| - api: geteuid | ||
| - api: getpwuid | ||
| - api: getlogin | ||
| - api: getlogin_r | ||
| - api: cuserid | ||
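Review bot: the `and:` branch requires `api: geteuid` together with `api: getpwuid`, so the equally common `getpwuid(getuid())` idiom is missed; consider `- or: - api: getuid - api: geteuid` inside that `and:`. Note also that the example `7351f8a40c5450557b24622417fc478d:0x405438` is reused verbatim as the example for `get memory information` later in this PR; if one function really does both, fine, but the offset is worth double-checking.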
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,21 +2,27 @@ rule: | |
| meta: | ||
| name: get MAC address | ||
| namespace: collection/network | ||
| author: [email protected] | ||
| author: | ||
| - [email protected] | ||
| - [email protected] | ||
| scope: function | ||
| att&ck: | ||
| - Discovery::System Information Discovery [T1082] | ||
| examples: | ||
| - al-khaser_x64.exe_:0x14001A1BC | ||
| features: | ||
| - and: | ||
| - api: iphlpapi.GetAdaptersInfo | ||
| - or: | ||
| - offset: 0x194 = IP_ADAPTER_INFO.Address | ||
| - offset: 0x195 = IP_ADAPTER_INFO.Address+1 | ||
| - offset: 0x196 = IP_ADAPTER_INFO.Address+2 | ||
| - offset: 0x197 = IP_ADAPTER_INFO.Address+3 | ||
| - offset: 0x198 = IP_ADAPTER_INFO.Address+4 | ||
| - offset: 0x199 = IP_ADAPTER_INFO.Address+5 | ||
| - optional: | ||
| - string: "%02X-%02X-%02X-%02X-%02X-%02X" | ||
| - or: | ||
| - and: | ||
| - api: iphlpapi.GetAdaptersInfo | ||
| - or: | ||
| - offset: 0x194 = IP_ADAPTER_INFO.Address | ||
| - offset: 0x195 = IP_ADAPTER_INFO.Address+1 | ||
| - offset: 0x196 = IP_ADAPTER_INFO.Address+2 | ||
| - offset: 0x197 = IP_ADAPTER_INFO.Address+3 | ||
| - offset: 0x198 = IP_ADAPTER_INFO.Address+4 | ||
| - offset: 0x199 = IP_ADAPTER_INFO.Address+5 | ||
| - optional: | ||
| - string: "%02X-%02X-%02X-%02X-%02X-%02X" | ||
| - and: | ||
| - match: read file | ||
| - string: /\/sys\/class\/net\/\S+\/address/ | ||
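Review bot: the Linux branch only covers the sysfs read (`/\/sys\/class\/net\/\S+\/address/`); the other common method, `ioctl` with `SIOCGIFHWADDR` on a socket, is not covered, so consider a third `- and:` branch with `- api: ioctl` and `- number: 0x8927 = SIOCGIFHWADDR`. If a substring feature is introduced as discussed below, this string and the `/proc/cpuinfo` and `/proc/meminfo` regexes in the other new rules are the natural first users.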
Yuck, these paths are ugly. I wonder if substring literals are common enough for us to introduce a new feature/format. Perhaps something like:

Note: this specific path isn't the best example because it's actually a regex pattern, but you get the idea.

Yes, I think there's room for improvement here since this comes up a lot and has caused confusion (e.g. #390 (comment)). I like option 1, then option 2.

It may look ugly because it needs a wildcard for the name of the network adapter. For example
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,9 @@ rule: | |
| meta: | ||
| name: receive data on socket | ||
| namespace: communication/socket/receive | ||
| author: [email protected] | ||
| author: | ||
| - [email protected] | ||
| - [email protected] | ||
| scope: function | ||
| mbc: | ||
| - Communication::Socket Communication::Receive Data [C0001.006] | ||
|
|
@@ -17,3 +19,4 @@ rule: | |
| - api: ws2_32.WSARecvEx | ||
| - api: ws2_32.WSARecvFrom | ||
| - api: ws2_32.WSARecvMsg | ||
| - api: recv | ||
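Review bot: the POSIX addition is just `- api: recv`, while the Windows list above it already covers the datagram and scatter variants (`WSARecvFrom`, `WSARecvMsg`); the counterparts `recvfrom` and `recvmsg` should be added next to `recv` so UDP-based receivers on Linux are not missed by this rule and by everything that builds on `match: receive data on socket`.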
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,9 @@ rule: | |
| meta: | ||
| name: send data on socket | ||
| namespace: communication/socket/send | ||
| author: [email protected] | ||
| author: | ||
| - [email protected] | ||
| - [email protected] | ||
| scope: function | ||
| mbc: | ||
| - Communication::Socket Communication::Send Data [C0001.007] | ||
|
|
@@ -15,3 +17,4 @@ rule: | |
| - api: ws2_32.WSASend | ||
| - api: ws2_32.WSASendMsg | ||
| - api: ws2_32.WSASendTo | ||
| - api: send | ||
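Review bot: same gap as on the receive side: only `- api: send` is added, although the Windows list already has `WSASendTo` and `WSASendMsg`; add `sendto` and `sendmsg` beside `send` so UDP senders and scatter-gather writers on Linux match.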
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,9 @@ rule: | |
| meta: | ||
| name: connect TCP socket | ||
| namespace: communication/socket/tcp | ||
| author: [email protected] | ||
| author: | ||
| - [email protected] | ||
| - [email protected] | ||
| scope: function | ||
| mbc: | ||
| - Communication::Socket Communication::Connect Socket [C0001.004] | ||
|
|
@@ -12,6 +14,7 @@ rule: | |
| - and: | ||
| - match: create TCP socket | ||
| - or: | ||
| - api: connect | ||
| - api: ws2_32.connect | ||
| - api: ws2_32.WSAConnect | ||
| - api: ConnectEx | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,9 @@ rule: | |
| meta: | ||
| name: create TCP socket | ||
| namespace: communication/socket/tcp | ||
| author: [email protected] | ||
| author: | ||
| - [email protected] | ||
| - [email protected] | ||
| scope: basic block | ||
| mbc: | ||
| - Communication::Socket Communication::Create TCP Socket [C0001.011] | ||
|
|
@@ -16,3 +18,4 @@ rule: | |
| - or: | ||
| - api: ws2_32.socket | ||
| - api: ws2_32.WSASocket | ||
| - api: socket | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,9 @@ rule: | |
| meta: | ||
| name: create UDP socket | ||
| namespace: communication/socket/udp/send | ||
| author: [email protected] | ||
| author: | ||
| - [email protected] | ||
| - [email protected] | ||
| scope: basic block | ||
| mbc: | ||
| - Communication::Socket Communication::Create UDP Socket [C0001.010] | ||
|
|
@@ -14,3 +16,4 @@ rule: | |
| - or: | ||
| - api: ws2_32.socket | ||
| - api: ws2_32.WSASocket | ||
| - api: socket | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| rule: | ||
| meta: | ||
| name: change file permission | ||
| namespace: host-interaction/file-system | ||
| author: [email protected] | ||
| scope: basic block | ||
| examples: | ||
| - 7351f8a40c5450557b24622417fc478d:0x407C68 | ||
| features: | ||
| - or: | ||
| - api: chown | ||
| - api: fchown | ||
| - api: lchown | ||
| - api: fchownat |
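Review bot: the name `change file permission` does not match the APIs: `chown`, `fchown`, `lchown` and `fchownat` change a file's owner and group, not its mode bits. Either rename the rule (`change file ownership`) or add `chmod`, `fchmod` and `fchmodat` to the `or:` and keep the name; separate rules are preferable since ownership changes usually imply root while mode changes (marking a dropped file executable) do not. The rule also has no `att&ck:`/`mbc:` entries, unlike the rest of the PR; `Defense Evasion::File and Directory Permissions Modification` is the obvious candidate.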
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,9 @@ rule: | |
| meta: | ||
| name: read file | ||
| namespace: host-interaction/file-system/read | ||
| author: [email protected] | ||
| author: | ||
| - [email protected] | ||
| - [email protected] | ||
| scope: function | ||
| mbc: | ||
| - File System::Read File [C0051] | ||
|
|
@@ -23,3 +25,19 @@ rule: | |
| - api: ZwReadFile | ||
| - api: _read | ||
| - api: fread | ||
| - and: | ||
| - optional: | ||
| - match: create or open file | ||
| - or: | ||
| - api: fgetc | ||
| - api: fgets | ||
| - api: getc | ||
| - api: getchar | ||
| - api: read | ||
| - api: getline | ||
| - api: getdelim | ||
| - api: fgetwc | ||
| - api: getwc | ||
| - api: fscanf | ||
| - api: vfscanf | ||
| - api: fread | ||
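Review bot: `- api: fread` is added at the end of the new POSIX `or:` although `fread` is already in the preceding list (the context line `- api: fread` just above `- and:`); drop the duplicate. Bare `read` is also very broad at function scope: it is the same call used on sockets and pipes, and with only an `optional:` `match: create or open file` in front of it any function that reads from a socket satisfies `read file`, and the rules built on `match: read file` in this PR (`/proc/cpuinfo`, `/proc/meminfo`, the MAC-address branch) inherit that looseness. Consider making the create/open match mandatory for the `read` case.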
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,9 @@ rule: | |
| meta: | ||
| name: write file | ||
| namespace: host-interaction/file-system/write | ||
| author: [email protected] | ||
| author: | ||
| - [email protected] | ||
| - [email protected] | ||
| scope: function | ||
| mbc: | ||
| - File System::Writes File [C0052] | ||
|
|
@@ -11,22 +13,37 @@ rule: | |
| # ntdll | ||
| - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x1400025C4 | ||
| features: | ||
This file is getting a bit unruly. The logic tree is so deep that it's tricky to interpret as a human. We should probably split this file into "write file on POSIX" and "write file on Windows".
| - and: | ||
| - optional: | ||
| - or: | ||
| - and: | ||
| - optional: | ||
| - or: | ||
| - and: | ||
| - number: 0x40000000 = GENERIC_WRITE | ||
| - or: | ||
| - api: kernel32.CreateFile | ||
| - and: | ||
| - number: 0x2 = FILE_WRITE_DATA | ||
| - or: | ||
| - api: NtCreateFile | ||
| - api: ZwCreateFile | ||
| - or: | ||
| - and: | ||
| - number: 0x40000000 = GENERIC_WRITE | ||
| - or: | ||
| - api: kernel32.CreateFile | ||
| - and: | ||
| - number: 0x2 = FILE_WRITE_DATA | ||
| - or: | ||
| - api: NtCreateFile | ||
| - api: ZwCreateFile | ||
| - or: | ||
| - api: kernel32.WriteFile | ||
| - api: kernel32.WriteFileEx | ||
| - api: NtWriteFile | ||
| - api: ZwWriteFile | ||
| - api: _fwrite | ||
| - api: fwrite | ||
| - api: kernel32.WriteFile | ||
| - api: kernel32.WriteFileEx | ||
| - api: NtWriteFile | ||
| - api: ZwWriteFile | ||
| - api: _fwrite | ||
| - api: fwrite | ||
| - and: | ||
| - optional: | ||
| - match: create or open file | ||
| - or: | ||
| - api: fputc | ||
| - api: fputs | ||
| - api: putc | ||
| - api: write | ||
| - api: fputwc | ||
| - api: putwc | ||
| - api: fputws | ||
| - api: write | ||
| - api: fwrite | ||
| - api: putwchar | ||
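Review bot: the new POSIX branch lists `- api: write` twice (between `putc` and `fputwc`, and again after `fputws`), and `fwrite` now appears both in the Windows branch above and here; remove the duplicates. The same concern raised for bare `read` applies to bare `write`, which is also the socket and pipe path, and the branch is missing `fprintf`/`vfprintf`, which are as common as `fputs` for writing files (the read side did add `fscanf`/`vfscanf`).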
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,13 +2,22 @@ rule: | |
| meta: | ||
| name: get CPU information | ||
| namespace: host-interaction/hardware/cpu | ||
| author: [email protected] | ||
| author: | ||
| - [email protected] | ||
| - [email protected] | ||
| scope: function | ||
| att&ck: | ||
| - Discovery::System Information Discovery [T1082] | ||
| examples: | ||
| - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145B5A | ||
| features: | ||
| - and: | ||
| - match: query or enumerate registry value | ||
| - string: /Hardware\\Description\\System\\CentralProcessor/i | ||
| - or: | ||
| - and: | ||
| - match: query or enumerate registry value | ||
| - string: /Hardware\\Description\\System\\CentralProcessor/i | ||
| - and: | ||
| - match: read file | ||
| - string: "/proc/cpuinfo" | ||
| - and: | ||
| - api: system | ||
| - string: /\/proc\/cpuinfo/ | ||
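Review bot: the two Linux branches spell the path differently: the `read file` branch uses the exact string `"/proc/cpuinfo"` while the `system` branch uses the regex `/\/proc\/cpuinfo/`. The exact string will not match when the path is embedded in a longer literal (a format string, or a `cat /proc/cpuinfo` command passed to `system`), so use the regex in both branches, or the substring feature discussed in the MAC-address thread once it exists.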
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| rule: | ||
| meta: | ||
| name: get memory information | ||
| namespace: host-interaction/hardware/memory | ||
| author: [email protected] | ||
| scope: function | ||
| att&ck: | ||
| - Discovery::System Information Discovery [T1082] | ||
| examples: | ||
| - 7351f8a40c5450557b24622417fc478d:0x405438 | ||
| features: | ||
| - or: | ||
| - and: | ||
| - match: read file | ||
| - string: "/proc/meminfo" | ||
| - and: | ||
| - api: system | ||
| - or: | ||
| - string: /\/proc\/meminfo/ | ||
| - string: /^free/ |
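Review bot: `- string: /^free/` in the `system` branch is far too loose: together with `api: system` at function scope it matches any function containing a string literal that begins with `free` (`"free memory"`, `"freeing %s"`, allocator error messages), not just the `free` command. Anchor it to the command form, e.g. `/^free(\s|$)/`, or drop the branch and keep only the `/proc/meminfo` read. The example `7351f8a40c5450557b24622417fc478d:0x405438` is also the same function offset given for `get current user`; confirm that is intended.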
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| rule: | ||
| meta: | ||
| name: lock file | ||
| namespace: host-interaction/mutex | ||
| author: [email protected] | ||
| scope: basic block | ||
| mbc: | ||
| - Process::Create Mutex [C0042] | ||
| examples: | ||
| - 7351f8a40c5450557b24622417fc478d:0x40858F | ||
| features: | ||
| - and: | ||
| - api: fcntl | ||
| - number: 1 = F_WRLCK | ||
| - number: 6 = F_SETLK |
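Review bot: `- number: 1 = F_WRLCK` is a weak feature, as the constant 1 appears in nearly every basic block, so the rule effectively reduces to `fcntl` plus `6 = F_SETLK` in one block. The blocking variant `F_SETLKW` (7) is at least as common for single-instance lock files, and `flock` with `LOCK_EX` is the other idiom; consider `- or: - number: 6 = F_SETLK - number: 7 = F_SETLKW` and a second `- and:` branch for `flock`. A one-line comment in the rule explaining why a file lock is mapped to `Process::Create Mutex [C0042]` would help readers coming from the Windows rules.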
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,9 @@ rule: | |
| meta: | ||
| name: get local IPv4 addresses | ||
| namespace: host-interaction/network/address | ||
| author: [email protected] | ||
| author: | ||
| - [email protected] | ||
| - [email protected] | ||
| scope: function | ||
| att&ck: | ||
| - Discovery::System Network Configuration Discovery [T1016] | ||
|
|
@@ -11,6 +13,7 @@ rule: | |
| - 4C0553285D724DCAF5909924B4E3E90A:0x402010 | ||
| features: | ||
| - or: | ||
| - api: getsockname | ||
| - and: | ||
| - api: GetAdaptersInfo | ||
| - offset: 0x1B0 = IP_ADAPTER_INFO.IpAddressList.IpAddress | ||
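Review bot: `- api: getsockname` as a standalone `or:` branch is too weak: it is called on any bound or connected socket to learn the local port, so every networking client satisfies the rule with no IPv4 or interface-enumeration context, and the rule carries att&ck T1016. Pair it with `- number: 2 = AF_INET`, or replace it with the Linux interface-enumeration APIs (`getifaddrs`, or `ioctl` with `SIOCGIFADDR`/`SIOCGIFCONF`), which correspond to what `GetAdaptersInfo` does in the Windows branch.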
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,6 +5,7 @@ rule: | |
| author: | ||
| - [email protected] | ||
| - johnk3r | ||
| - [email protected] | ||
| scope: function | ||
| mbc: | ||
| - Communication::DNS Communication::Resolve [C0011.001] | ||
|
|
@@ -20,3 +21,7 @@ rule: | |
| - api: getaddrinfo | ||
| - api: GetAddrInfo | ||
| - api: GetAddrInfoEx | ||
| - api: gethostbyname | ||
| - api: getaddrinfo | ||
| - api: getnameinfo | ||
| - api: gethostent | ||
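Review bot: `- api: getaddrinfo` is added although the same API is already present two lines up (the context line `- api: getaddrinfo` before `GetAddrInfo`); drop the duplicate. `gethostent` also does not resolve a name: it enumerates the hosts database via `sethostent`/`gethostent`, so it belongs in a host-discovery rule rather than under `Communication::DNS Communication::Resolve`; `getnameinfo` is a reverse lookup, which fits here but deserves a comment. `res_query`/`res_search` would cover programs that bypass the high-level resolver API.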
We should document unix vs. linux and the preferred terms to use. I suspect the naming here comes from the ATT&CK name.

Yes, the name is from ATT&CK. Also, this is a higher-level rule that depends on a few lower-level rules that can be OS dependent.