Added RICH IDs for VS2019 Update 4.

Added an alert for imports related to mapping injection.
JusticeRage · Jan 5, 2020 · f70173a · f70173a
1 parent 2ed0c07
commit f70173a
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 0 deletions.
diff --git a/bin/attack.py b/bin/attack.py
@@ -21,6 +21,7 @@
                                                              ("Defense Evasion", "Process Injection")],
     "Code injection capabilities (process doppelganging)":  [("Defense Evasion", "Process Doppelgänging"),
                                                              ("Defense Evasion", "Process Injection")],
+	"Code injection capabilities (mapping injection)":      [("Defense Evasion", "Process Injection")],
     "Possibly attempts GINA replacement":                   [("Persistence", "Winlogon Helper DLL"),
                                                              ("Defense Evasion", "Process Injection")],
     "Uses functions commonly found in keyloggers":          [("Credential Access", "Input Prompt")],

diff --git a/manape/nt_values.cpp b/manape/nt_values.cpp
@@ -677,6 +677,7 @@ const flag_dict COMP_ID_PRODID =
                                 ("VS 2015/2017/2019 runtime 27821",            0x6CAD)
                                 ("VS2019 Update 2 compiler 27905",             0x6D01)
                                 ("VS2019 Update 3 compiler 28107",             0x6DCB)
+                                ("VS2019 Update 4 compiler 28314",             0x6E9A)
     ;
 
 // ----------------------------------------------------------------------------

diff --git a/plugins/plugin_imports.cpp b/plugins/plugin_imports.cpp
@@ -39,6 +39,8 @@ std::string vanilla_injection = "(Nt)?VirtualAlloc.*|(Nt)?WriteProcessMemory|Cre
 
 std::string process_hollowing = "(Nt)?WriteProcessMemory|(Nt)?WriteVirtualMemory|(Wow64)?SetThreadContext|(Nt)?ResumeThread|(Nt)?SetContextThread";
 
+std::string mapping_injection = "CreateFileMapping(Numa)?(A|W)|MapViewOfFile(Ex)?(2|3)?|CreateRemoteThread(Ex)?";
+
 std::string power_loader = "FindWindow(A|W)|GetWindowLong(A|W)";
 
 std::string atom_bombing = "GlobalAddAtom(A|W)|GlobalGetAtomName(A|W)|QueueUserAPC";
@@ -224,6 +226,7 @@ class ImportsPlugin : public IPlugin
 		check_functions(pe, process_hollowing, MALICIOUS, "Code injection capabilities (process hollowing)", AT_LEAST_THREE, res);
 		check_functions(pe, power_loader, MALICIOUS, "Code injection capabilities (PowerLoader)", AT_LEAST_TWO, res);
 		check_functions(pe, atom_bombing, MALICIOUS, "Code injection capabilities (atom bombing)", AT_LEAST_THREE, res);
+		check_functions(pe, mapping_injection, MALICIOUS, "Code injection capabilities (mapping injection)", AT_LEAST_THREE, res);
 		check_functions(pe, process_doppelganging, MALICIOUS, "Code injection capabilities (process doppelganging)", AT_LEAST_THREE, res);
 		check_functions(pe, registry_api, NO_OPINION, "Can access the registry", AT_LEAST_ONE, res);
 		check_functions(pe, process_creation_api, NO_OPINION, "Possibly launches other programs", AT_LEAST_ONE, res);