mandiant · mike-hunhoff · Oct 3, 2022 · Jul 28, 2022 · Aug 2, 2022 · Aug 2, 2022
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-debugger-via-api.yml
@@ -4,6 +4,7 @@ rule:
     namespace: anti-analysis/anti-debugging/debugger-detection
     authors:
       - [email protected]
+      - [email protected]
     scope: function
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002]
@@ -18,3 +19,4 @@ rule:
       - api: WUDFPlatform.WudfIsAnyDebuggerPresent
       - api: WUDFPlatform.WudfIsKernelDebuggerPresent
       - api: WUDFPlatform.WudfIsUserDebuggerPresent
+      - property: System.Diagnostics.Debugger::IsAttached
diff --git a/communication/ftp/send/send-file-using-ftp-via-wininet.yml b/communication/ftp/send/send-file-using-ftp-via-wininet.yml
diff --git a/communication/ftp/send/send-file-using-ftp.yml b/communication/ftp/send/send-file-using-ftp.yml
@@ -0,0 +1,28 @@
+rule:
+  meta:
+    name: send file using FTP
+    namespace: communication/ftp/send
+    authors:
+      - [email protected]
+      - [email protected]
+    scope: function
+    mbc:
+      - Communication::FTP Communication::Send File [C0004.001]
+      - Communication::FTP Communication::WinINet [C0004.002]
+    examples:
+      - Practical Malware Analysis Lab 20-02.exe_:0x401380
+  features:
+    - or:
+      - and:
+        - api: wininet.FtpPutFile
+        - optional:
+          - or:
+            - api: wininet.FtpSetCurrentDirectory
+            - and:
+              - api: wininet.InternetConnect
+              - number: 0x15 = IPPORT_FTP
+      - and:
+        - api: System.Net.WebRequest::Create
+        - class: System.Net.FtpWebRequest
+        - string: STOR
+        - property: System.Net.WebRequest::Method
diff --git a/communication/http/read-http-header.yml b/communication/http/read-http-header.yml
@@ -4,11 +4,13 @@ rule:
     namespace: communication/http
     authors:
       - [email protected]
+      - [email protected]
     scope: function
     mbc:
       - Communication::HTTP Communication::Read Header [C0002.014]
     examples:
       - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10002A30
   features:
-    - and:
+    - or:
       - api: winhttp.WinHttpQueryHeaders
+      - property: System.Net.WebClient::Headers
diff --git a/communication/http/set-http-header.yml b/communication/http/set-http-header.yml
@@ -4,11 +4,13 @@ rule:
     namespace: communication/http
     authors:
       - [email protected]
+      - [email protected]
     scope: function
     mbc:
       - Communication::HTTP Communication::Set Header [C0002.013]
     examples:
       - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x1000E230
   features:
-    - and:
+    - or:
       - api: winhttp.WinHttpAddRequestHeaders
+      - property: System.Net.WebClient::Headers
diff --git a/communication/socket/tcp/create-tcp-socket.yml b/communication/socket/tcp/create-tcp-socket.yml
@@ -11,11 +11,13 @@ rule:
     examples:
       - Practical Malware Analysis Lab 01-01.dll_:0x10001010
   features:
-    - and:
-      - number: 6 = IPPROTO_TCP
-      - number: 1 = SOCK_STREAM
-      - number: 2 = AF_INET
-      - or:
-        - api: ws2_32.socket
-        - api: ws2_32.WSASocket
-        - api: socket
+    - or:
+      - and:
+        - number: 6 = IPPROTO_TCP
+        - number: 1 = SOCK_STREAM
+        - number: 2 = AF_INET
+        - or:
+          - api: ws2_32.socket
+          - api: ws2_32.WSASocket
+          - api: socket
+      - property: System.Net.Sockets.TcpClient::Client
diff --git a/host-interaction/file-system/get-common-file-path.yml b/host-interaction/file-system/get-common-file-path.yml
@@ -5,6 +5,7 @@ rule:
     authors:
       - [email protected]
       - [email protected]
+      - [email protected]
     scope: function
     att&ck:
       - Discovery::File and Directory Discovery [T1083]
@@ -30,3 +31,5 @@ rule:
       - api: shell32.SHGetSpecialFolderPath
       - api: shell32.SHGetSpecialFolderLocation
       - api: System.IO.Directory::GetCurrentDirectory
+      - property: System.Environment::SystemDirectory
+      - property: System.Environment::CurrentDirectory
diff --git a/host-interaction/file-system/meta/get-file-attributes.yml b/host-interaction/file-system/meta/get-file-attributes.yml
@@ -26,3 +26,4 @@ rule:
       - api: System.IO.File::GetLastAccessTimeUtc
       - api: System.IO.File::GetLastWriteTime
       - api: System.IO.File::GetLastWriteTimeUtc
+      - property: System.IO.FileSystemInfo::Attributes
diff --git a/host-interaction/file-system/meta/get-file-size.yml b/host-interaction/file-system/meta/get-file-size.yml
@@ -4,6 +4,7 @@ rule:
     namespace: host-interaction/file-system/meta
     authors:
       - [email protected]
+      - [email protected]
     scope: function
     att&ck:
       - Discovery::File and Directory Discovery [T1083]
@@ -13,3 +14,4 @@ rule:
     - or:
       - api: kernel32.GetFileSize
       - api: kernel32.GetFileSizeEx
+      - property: System.IO.FileInfo::Length
diff --git a/host-interaction/file-system/meta/set-file-attributes.yml b/host-interaction/file-system/meta/set-file-attributes.yml
@@ -26,3 +26,4 @@ rule:
       - api: System.IO.File::SetLastAccessTimeUtc
       - api: System.IO.File::SetLastWriteTime
       - api: System.IO.File::SetLastWriteTimeUtc
+      - property: System.IO.FileSystemInfo::Attributes
diff --git a/host-interaction/gui/enumerate-gui-resources.yml b/host-interaction/gui/enumerate-gui-resources.yml
@@ -18,3 +18,4 @@ rule:
       - api: EnumWindowStations
       - api: EnumDesktops
       - api: EnumWindows
+      - property: System.Windows.Forms.Screen::AllScreens
diff --git a/host-interaction/hardware/cpu/get-number-of-processors.yml b/host-interaction/hardware/cpu/get-number-of-processors.yml
@@ -4,6 +4,7 @@ rule:
     namespace: host-interaction/hardware/cpu
     authors:
       - [email protected]
+      - [email protected]
     scope: function
     att&ck:
       - Discovery::System Information Discovery [T1082]
@@ -12,12 +13,14 @@ rule:
     examples:
       - al-khaser_x86.exe_:0x432CB0
   features:
-    - and:
-      - match: PEB access
-      - or:
-        - and:
-          - arch: i386
-          - number: 0x64 = PEB->NumberOfProcessors
-        - and:
-          - arch: amd64
-          - number: 0xB8 = PEB->NumberOfProcessors
+    - or:
+      - and:
+        - match: PEB access
+        - or:
+          - and:
+            - arch: i386
+            - number: 0x64 = PEB->NumberOfProcessors
+          - and:
+            - arch: amd64
+            - number: 0xB8 = PEB->NumberOfProcessors
+      - property: System.Environment::ProcessorCount
diff --git a/host-interaction/hardware/storage/get-disk-information.yml b/host-interaction/hardware/storage/get-disk-information.yml
@@ -4,6 +4,7 @@ rule:
     namespace: host-interaction/hardware/storage
     authors:
       - [email protected]
+      - [email protected]
     scope: function
     att&ck:
       - Discovery::System Information Discovery [T1082]
@@ -19,3 +20,7 @@ rule:
       - api: kernel32.GetVolumePathNamesForVolumeName
       - api: kernel32.GetLogicalDriveStrings
       - api: kernel32.QueryDosDevice
+      - property: System.IO.DriveInfo::VolumeLabel
+      - property: System.IO.DriveInfo::DriveType
+      - property: System.IO.DriveInfo::DriveFormat
+      - property: System.IO.DriveInfo::Name
diff --git a/host-interaction/hardware/storage/get-disk-size.yml b/host-interaction/hardware/storage/get-disk-size.yml
@@ -4,6 +4,7 @@ rule:
     namespace: host-interaction/hardware/storage
     authors:
       - [email protected]
+      - [email protected]
     scope: function
     att&ck:
       - Discovery::System Information Discovery [T1082]
@@ -16,6 +17,9 @@ rule:
     - or:
       - api: kernel32.GetDiskFreeSpace
       - api: kernel32.GetDiskFreeSpaceEx
+      - property: System.IO.DriveInfo::TotalSize
+      - property: System.IO.DriveInfo::TotalFreeSpace
+      - property: System.IO.DriveInfo::AvailableFreeSpace
       - basic block:
         - and:
           - api: DeviceIoControl

diff --git a/host-interaction/network/domain/get-domain-information.yml b/host-interaction/network/domain/get-domain-information.yml
@@ -4,11 +4,14 @@ rule:
     namespace: host-interaction/network/domain
     authors:
       - [email protected]
+      - [email protected]
     description: Looks for imported Windows APIs being called to collect information about the Windows domain that a computer is connected to.
     scope: function
     att&ck:
       - Discovery::System Network Configuration Discovery [T1016]
     examples:
       - 9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x1001C184
   features:
-    - api: netapi32.DsRoleGetPrimaryDomainInformation
+    - or:
+      - api: netapi32.DsRoleGetPrimaryDomainInformation
+      - property: System.Net.NetworkInformation.IPGlobalProperties::DomainName
diff --git a/host-interaction/os/hostname/get-hostname.yml b/host-interaction/os/hostname/get-hostname.yml
@@ -5,6 +5,7 @@ rule:
     authors:
       - [email protected]
       - [email protected]
+      - [email protected]
     scope: function
     att&ck:
       - Discovery::System Information Discovery [T1082]
@@ -18,3 +19,4 @@ rule:
       - api: GetComputerObjectName
       - api: ws2_32.gethostname
       - api: gethostname
+      - property: System.Environment::MachineName
diff --git a/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml b/host-interaction/process/create/create-a-process-with-modified-io-handles-and-window.yml
@@ -4,6 +4,7 @@ rule:
     namespace: host-interaction/process/create
     authors:
       - [email protected]
+      - [email protected]
     scope: function
     mbc:
       - Process::Create Process [C0017]
@@ -12,24 +13,34 @@ rule:
     examples:
       - Practical Malware Analysis Lab 14-02.exe_:0x4011C0
   features:
-    - and:
-      - or:
-        - description: API functions that accept a pointer to a STARTUPINFO structure
-        - api: kernel32.CreateProcess
-        - api: kernel32.CreateProcessInternal
-        - api: advapi32.CreateProcessAsUser
-        - api: advapi32.CreateProcessWithLogon
-        - api: advapi32.CreateProcessWithToken
-      - number: 0x101 = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
-        # STARTF_USESTDHANDLES indicates the hStdInput, hStdOutput, and hStdError members contain additional information
-        # STARTF_USESHOWWINDOW indicates the wShowWindow member contains additional information
-      - or:
-        - and:
-          - arch: i386
-          - number: 0x44 = StartupInfo.cb (size)
-        - and:
-          - arch: amd64
-          - number: 0x68 = StartupInfo.cb (size)
-        # STARTUPINFOEX size values not currently supported by this rule.
-      - optional:
-        - api: kernel32.GetStartupInfo
+    - or:
+      - and:
+        - or:
+          - description: API functions that accept a pointer to a STARTUPINFO structure
+          - api: kernel32.CreateProcess
+          - api: kernel32.CreateProcessInternal
+          - api: advapi32.CreateProcessAsUser
+          - api: advapi32.CreateProcessWithLogon
+          - api: advapi32.CreateProcessWithToken
+        - number: 0x101 = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
+          # STARTF_USESTDHANDLES indicates the hStdInput, hStdOutput, and hStdError members contain additional information
+          # STARTF_USESHOWWINDOW indicates the wShowWindow member contains additional information
+        - or:
+          - and:
+            - arch: i386
+            - number: 0x44 = StartupInfo.cb (size)
+          - and:
+            - arch: amd64
+            - number: 0x68 = StartupInfo.cb (size)
+          # STARTUPINFOEX size values not currently supported by this rule.
+        - optional:
+          - api: kernel32.GetStartupInfo
+      - and:
+        - api: System.Diagnostics.Process::Start
+        - or:
+          - property: System.Diagnostics.ProcessStartInfo::UseShellExecute
+          - property: System.Diagnostics.ProcessStartInfo::Verb
+          - property: System.Diagnostics.ProcessStartInfo::WindowStyle
+          - property: System.Diagnostics.ProcessStartInfo::WorkingDirectory
+          - property: System.Diagnostics.ProcessStartInfo::FileName
+          - property: System.Diagnostics.ProcessStartInfo::Arguments
diff --git a/host-interaction/process/modules/list/enumerate-process-modules.yml b/host-interaction/process/modules/list/enumerate-process-modules.yml
@@ -4,6 +4,7 @@ rule:
     namespace: host-interaction/process/modules/list
     authors:
       - [email protected]
+      - [email protected]
     scope: function
     att&ck:
       - Discovery::Process Discovery [T1057]
@@ -36,3 +37,6 @@ rule:
                 - number: 0x10 = TH32CS_SNAPMODULE32
                 - number: 0x18 = TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32
               - api: kernel32.CreateToolhelp32Snapshot
+      - and:
+        - property: System.Diagnostics.Process::Modules
+        - property: System.Diagnostics.ProcessModuleCollection::Item
diff --git a/host-interaction/session/get-session-user-name.yml b/host-interaction/session/get-session-user-name.yml
@@ -21,3 +21,4 @@ rule:
           - api: wtsapi32.WTSQuerySessionInformation
           - number: 5 = WTSUserName
       - api: System.Security.Principal.WindowsIdentity::GetCurrent
+      - property: System.Environment::UserName
diff --git a/nursery/extract-zip-archive.yml b/nursery/extract-zip-archive.yml
@@ -0,0 +1,14 @@
+rule:
+  meta:
+    name: extract zip archive
+    namespace: host-interaction/file-system
+    authors:
+      - [email protected]
+    scope: function
+    att&ck:
+      - Discovery::File and Directory Discovery [T1083]
+  features:
+    - and:
+      - api: System.IO.Compression.ZipFile::Open
+      - property: System.IO.Compression.ZipArchive::Entries
+      - api: System.IO.Compression.ZipFileExtensions::ExtractToFile
diff --git a/nursery/set-http-cookie.yml b/nursery/set-http-cookie.yml
@@ -6,5 +6,6 @@ rule:
       - [email protected]
     scope: function
   features:
-    - and:
+    - or:
       - api: System.Net.CookieContainer::SetCookies
+      - property: System.Net.HttpWebRequest::CookieContainer