mandiant · williballenthin · Aug 26, 2021 · Aug 25, 2021 · Aug 25, 2021 · Aug 25, 2021
diff --git a/anti-analysis/anti-forensic/self-deletion/self-delete.yml b/anti-analysis/anti-forensic/self-deletion/self-delete.yml
@@ -15,7 +15,7 @@ rule:
       - or:
         - match: get COMSPEC environment variable
         - string: "cmd.exe"
-      - match: create process
+      - match: host-interaction/process/create
       - string: /\/c\s*del\s*/
         description: "/c del"
       - optional:

diff --git a/c2/file-transfer/download-and-write-a-file.yml b/c2/file-transfer/download-and-write-a-file.yml
@@ -14,4 +14,4 @@ rule:
   features:
     - and:
       - match: receive data
-      - match: write file
+      - match: host-interaction/file-system/write
diff --git a/c2/file-transfer/write-and-execute-a-file.yml b/c2/file-transfer/write-and-execute-a-file.yml
@@ -12,5 +12,5 @@ rule:
       - Practical Malware Analysis Lab 01-04.exe_:0x4011FC
   features:
     - and:
-      - match: write file
-      - match: create process
+      - match: host-interaction/file-system/write
+      - match: host-interaction/process/create
diff --git a/c2/shell/create-unix-reverse-shell.yml → c2/shell/create-reverse-shell-on-linux.yml b/c2/shell/create-unix-reverse-shell.yml → c2/shell/create-reverse-shell-on-linux.yml
@@ -1,6 +1,6 @@
 rule:
   meta:
-    name: create unix reverse shell
+    name: create reverse shell on Linux
     namespace: c2/shell
     author: [email protected]
     scope: function
@@ -11,7 +11,7 @@ rule:
     examples:
       - 7351f8a40c5450557b24622417fc478d:0x40231E
   features:
-    - or:
-      - and:
-        - match: duplicate stdin and stdout
-        - match: create process
+    - and:
+      - os: linux
+      - match: duplicate stdin and stdout
+      - match: host-interaction/process/create
diff --git a/c2/shell/create-reverse-shell.yml b/c2/shell/create-reverse-shell.yml
@@ -19,12 +19,12 @@ rule:
         - api: kernel32.ReadFile
         - api: kernel32.WriteFile
       - and:
-        - match: create process
+        - match: host-interaction/process/create
         - match: read pipe
         - match: write pipe
       - and:
         - match: create pipe
-        - match: create process
+        - match: host-interaction/process/create
         - basic block:
           - and:
             - count(api(SetHandleInformation)): 2 or more

diff --git a/...te-shell-command-received-from-socket.yml → ...command-received-from-socket-on-linux.yml b/...te-shell-command-received-from-socket.yml → ...command-received-from-socket-on-linux.yml
@@ -1,6 +1,6 @@
 rule:
   meta:
-    name: execute shell command received from socket
+    name: execute shell command received from socket on Linux
     namespace: c2/shell
     author: [email protected]
     scope: function
@@ -10,5 +10,6 @@ rule:
       - 7351f8a40c5450557b24622417fc478d:0x406549
   features:
     - and:
+      - os: linux
       - match: receive data on socket
       - api: system
diff --git a/collection/acquire-credentials-from-windows-credential-manager.yml b/collection/acquire-credentials-from-windows-credential-manager.yml
@@ -18,7 +18,7 @@ rule:
       - api: CredEnumerate
       - and:
         - optional:
-          - match: create process
+          - match: host-interaction/process/create
         - or:
           - string: /vaultcmd(\.exe)?/
           - substring: "/listcreds:"

diff --git a/collection/get-current-user-on-linux.yml b/collection/get-current-user-on-linux.yml
@@ -0,0 +1,18 @@
+rule:
+  meta:
+    name: get current user on Linux
+    namespace: collection
+    author: [email protected]
+    scope: function
+    examples:
+      - 7351f8a40c5450557b24622417fc478d:0x405438
+  features:
+    - and:
+      - os: linux
+      - or:
+        - and:
+          - api: geteuid
+          - api: getpwuid
+        - api: getlogin
+        - api: getlogin_r
+        - api: cuserid
diff --git a/collection/get-current-user.yml b/collection/get-current-user.yml
diff --git a/collection/network/get-mac-address-on-windows.yml b/collection/network/get-mac-address-on-windows.yml
@@ -0,0 +1,24 @@
+rule:
+  meta:
+    name: get MAC address on Windows
+    namespace: collection/network
+    author:
+      - [email protected]
+    scope: function
+    att&ck:
+      - Discovery::System Information Discovery [T1082]
+    examples:
+      - al-khaser_x64.exe_:0x14001A1BC
+  features:
+    - and:
+      - os: windows
+      - api: iphlpapi.GetAdaptersInfo
+      - or:
+        - offset: 0x194 = IP_ADAPTER_INFO.Address
+        - offset: 0x195 = IP_ADAPTER_INFO.Address+1
+        - offset: 0x196 = IP_ADAPTER_INFO.Address+2
+        - offset: 0x197 = IP_ADAPTER_INFO.Address+3
+        - offset: 0x198 = IP_ADAPTER_INFO.Address+4
+        - offset: 0x199 = IP_ADAPTER_INFO.Address+5
+      - optional:
+        - string: "%02X-%02X-%02X-%02X-%02X-%02X"
diff --git a/collection/network/get-mac-address.yml b/collection/network/get-mac-address.yml
diff --git a/host-interaction/bootloader/disable-code-signing.yml b/host-interaction/bootloader/disable-code-signing.yml
@@ -10,5 +10,5 @@ rule:
       - 0596C4EA5AA8DEF47F22C85D75AACA95:0x10710B3  # old Necurs rootkit
   features:
     - and:
-      - match: create process
+      - match: host-interaction/process/create
       - string: /^bcdedit(\.exe)? -set TESTSIGNING ON/i
diff --git a/...on/file-system/change-file-permission.yml → ...ystem/change-file-permission-on-linux.yml b/...on/file-system/change-file-permission.yml → ...ystem/change-file-permission-on-linux.yml
@@ -1,14 +1,16 @@
 rule:
   meta:
-    name: change file permission
+    name: change file permission on Linux
     namespace: host-interaction/file-system
     author: [email protected]
     scope: basic block
     examples:
       - 7351f8a40c5450557b24622417fc478d:0x407C68
   features:
-    - or:
-      - api: chown
-      - api: fchown
-      - api: lchown
-      - api: fchownat
+    - and:
+      - os: windows
+      - or:
+        - api: chown
+        - api: fchown
+        - api: lchown
+        - api: fchownat
diff --git a/host-interaction/file-system/files/list/enumerate-files-on-linux.yml b/host-interaction/file-system/files/list/enumerate-files-on-linux.yml
@@ -0,0 +1,20 @@
+rule:
+  meta:
+    name: enumerate files on Linux
+    namespace: host-interaction/file-system/files/list
+    author: [email protected]
+    scope: function
+    att&ck:
+      - Discovery::File and Directory Discovery [T1083]
+  features:
+    - and:
+      - os: linux
+      - or:
+        - and:
+          - match: create or open file
+          - or:
+            - api: getdents
+            - api: getdents64
+        - and:
+          - api: opendir
+          - api: readdir
diff --git a/host-interaction/file-system/read/read-file-on-linux.yml b/host-interaction/file-system/read/read-file-on-linux.yml
@@ -0,0 +1,30 @@
+rule:
+  meta:
+    name: read file on Linux
+    namespace: host-interaction/file-system/read
+    author:
+      - [email protected]
+      - [email protected]
+    scope: function
+    mbc:
+      - File System::Read File [C0051]
+    examples:
+      - BFB9B5391A13D0AFD787E87AB90F14F5:0x1314567B
+  features:
+    - and:
+      - os: linux
+      - optional:
+        - match: create or open file
+      - or:
+        - api: fgetc
+        - api: fgets
+        - api: getc
+        - api: getchar
+        - api: read
+        - api: getline
+        - api: getdelim
+        - api: fgetwc
+        - api: getwc
+        - api: fscanf
+        - api: vfscanf
+        - api: fread
diff --git a/host-interaction/file-system/read/read-file-on-windows.yml b/host-interaction/file-system/read/read-file-on-windows.yml
@@ -0,0 +1,26 @@
+rule:
+  meta:
+    name: read file on Windows
+    namespace: host-interaction/file-system/read
+    author:
+      - [email protected]
+    scope: function
+    mbc:
+      - File System::Read File [C0051]
+    examples:
+      - BFB9B5391A13D0AFD787E87AB90F14F5:0x1314567B
+  features:
+    - and:
+      - os: windows
+      - optional:
+        - and:
+          - number: 0x80000000 = GENERIC_READ
+          - or:
+            - api: kernel32.CreateFile
+      - or:
+        - api: kernel32.ReadFile
+        - api: ReadFileEx
+        - api: NtReadFile
+        - api: ZwReadFile
+        - api: _read
+        - api: fread
diff --git a/host-interaction/file-system/read/read-file.yml b/host-interaction/file-system/read/read-file.yml
diff --git a/host-interaction/file-system/write/write-file-on-windows.yml b/host-interaction/file-system/write/write-file-on-windows.yml
@@ -0,0 +1,34 @@
+rule:
+  meta:
+    name: write file on Windows
+    namespace: host-interaction/file-system/write
+    author:
+      - [email protected]
+    scope: function
+    mbc:
+      - File System::Writes File [C0052]
+    examples:
+      - Practical Malware Analysis Lab 01-04.exe_:0x4011FC
+      # ntdll
+      - 563653399B82CD443F120ECEFF836EA3678D4CF11D9B351BB737573C2D856299:0x1400025C4
+  features:
+    - and:
+      - os: windows
+      - optional:
+        - or:
+          - and:
+            - number: 0x40000000 = GENERIC_WRITE
+            - or:
+              - api: kernel32.CreateFile
+          - and:
+            - number: 0x2 = FILE_WRITE_DATA
+            - or:
+              - api: NtCreateFile
+              - api: ZwCreateFile
+      - or:
+        - api: kernel32.WriteFile
+        - api: kernel32.WriteFileEx
+        - api: NtWriteFile
+        - api: ZwWriteFile
+        - api: _fwrite
+        - api: fwrite