+
+
+
+
diff --git a/utils/Hachi.config b/utils/Hachi.config
new file mode 100644
index 0000000..378a898
--- /dev/null
+++ b/utils/Hachi.config
@@ -0,0 +1,14 @@
+[config]
+input_dir = .\\input
+output_dir = .\\output
+PLAYBOOK_JSON = .\\utils\\Playbooksig.json
+MITRE_JSON = .\\utils\\mitre.json
+DB_PATH = .\\utils\\hachi.db
+SIG_CHECK_EXE = .\\utils\\sigcheck64.exe
+QUEUE_NAME = hachi
+
+[logging]
+log_verbosity = info
+log_backup_count = 5
+log_date_format = '%%a, %%d %%b %%Y %%H:%%M:%%S'
+log_rotate_at = midnight
\ No newline at end of file
diff --git a/utils/Playbooksig.json b/utils/Playbooksig.json
new file mode 100644
index 0000000..cfe68a9
--- /dev/null
+++ b/utils/Playbooksig.json
@@ -0,0 +1,327 @@
+{
+ "APT18":[
+ "T1059",
+ "T1043",
+ "T1133",
+ "T1083",
+ "T1107",
+ "T1027",
+ "T1060",
+ "T1105",
+ "T1053",
+ "T1071",
+ "T1082",
+ "T1078"
+ ],
+ "APT28":[
+ "T1134",
+ "T1119",
+ "T1067",
+ "T1059",
+ "T1092",
+ "T1122",
+ "T1090",
+ "T1003",
+ "T1002",
+ "T1213",
+ "T1005",
+ "T1025",
+ "T1001",
+ "T1074",
+ "T1140",
+ "T1173",
+ "T1114",
+ "T1203",
+ "T1211",
+ "T1068",
+ "T1210",
+ "T1083",
+ "T1107",
+ "T1158",
+ "T1070",
+ "T1056",
+ "T1037",
+ "T1040",
+ "T1027",
+ "T1137",
+ "T1075",
+ "T1120",
+ "T1086",
+ "T1057",
+ "T1105",
+ "T1091",
+ "T1014",
+ "T1085",
+ "T1113",
+ "T1064",
+ "T1193",
+ "T1192",
+ "T1071",
+ "T1221",
+ "T1099",
+ "T1199",
+ "T1204",
+ "T1078"
+ ],
+ "APT32":[
+ "T1087",
+ "T1017",
+ "T1009",
+ "T1059",
+ "T1043",
+ "T1003",
+ "T1094",
+ "T1002",
+ "T1022",
+ "T1073",
+ "T1189",
+ "T1041",
+ "T1203",
+ "T1068",
+ "T1083",
+ "T1107",
+ "T1222",
+ "T1158",
+ "T1070",
+ "T1036",
+ "T1031",
+ "T1112",
+ "T1170",
+ "T1046",
+ "T1050",
+ "T1096",
+ "T1027",
+ "T1137",
+ "T1075",
+ "T1097",
+ "T1086",
+ "T1012",
+ "T1060",
+ "T1117",
+ "T1105",
+ "T1018",
+ "T1053",
+ "T1064",
+ "T1035",
+ "T1216",
+ "T1045",
+ "T1193",
+ "T1192",
+ "T1071",
+ "T1082",
+ "T1016",
+ "T1049",
+ "T1033",
+ "T1099",
+ "T1065",
+ "T1204",
+ "T1078",
+ "T1100",
+ "T1077",
+ "T1047"
+ ],
+ "DarkHotel":[
+ "T1116",
+ "T1140",
+ "T1189",
+ "T1056",
+ "T1027",
+ "T1057",
+ "T1060",
+ "T1091",
+ "T1064",
+ "T1063",
+ "T1023",
+ "T1193",
+ "T1082",
+ "T1016",
+ "T1080",
+ "T1204"
+ ],
+ "FIN8":[
+ "T1059",
+ "T1043",
+ "T1003",
+ "T1002",
+ "T1074",
+ "T1048",
+ "T1068",
+ "T1107",
+ "T1070",
+ "T1112",
+ "T1027",
+ "T1086",
+ "T1076",
+ "T1105",
+ "T1018",
+ "T1053",
+ "T1064",
+ "T1063",
+ "T1193",
+ "T1192",
+ "T1032",
+ "T1204",
+ "T1078",
+ "T1077",
+ "T1047"
+ ],
+ "Lazarus":[
+ "T1134",
+ "T1098",
+ "T1010",
+ "T1067",
+ "T1110",
+ "T1059",
+ "T1043",
+ "T1223",
+ "T1090",
+ "T1003",
+ "T1024",
+ "T1002",
+ "T1485",
+ "T1132",
+ "T1022",
+ "T1005",
+ "T1074",
+ "T1089",
+ "T1488",
+ "T1487",
+ "T1189",
+ "T1048",
+ "T1041",
+ "T1203",
+ "T1008",
+ "T1083",
+ "T1107",
+ "T1158",
+ "T1056",
+ "T1026",
+ "T1050",
+ "T1027",
+ "T1057",
+ "T1055",
+ "T1012",
+ "T1060",
+ "T1076",
+ "T1105",
+ "T1496",
+ "T1064",
+ "T1489",
+ "T1023",
+ "T1193",
+ "T1071",
+ "T1032",
+ "T1082",
+ "T1016",
+ "T1033",
+ "T1124",
+ "T1099",
+ "T1065",
+ "T1204",
+ "T1077",
+ "T1047"
+ ],
+ "Tropic Trooper":[
+ "T1197",
+ "T1043",
+ "T1140",
+ "T1073",
+ "T1203",
+ "T1158",
+ "T1046",
+ "T1135",
+ "T1050",
+ "T1027",
+ "T1057",
+ "T1055",
+ "T1063",
+ "T1193",
+ "T1032",
+ "T1082",
+ "T1033",
+ "T1221",
+ "T1004"
+ ],
+ "OilRig":[
+ "T1087",
+ "T1119",
+ "T1110",
+ "T1059",
+ "T1223",
+ "T1003",
+ "T1094",
+ "T1140",
+ "T1048",
+ "T1133",
+ "T1008",
+ "T1107",
+ "T1066",
+ "T1056",
+ "T1046",
+ "T1027",
+ "T1201",
+ "T1069",
+ "T1086",
+ "T1057",
+ "T1012",
+ "T1108",
+ "T1076",
+ "T1105",
+ "T1021",
+ "T1053",
+ "T1113",
+ "T1064",
+ "T1193",
+ "T1192",
+ "T1071",
+ "T1032",
+ "T1082",
+ "T1016",
+ "T1049",
+ "T1033",
+ "T1007",
+ "T1204",
+ "T1078",
+ "T1100",
+ "T1047"
+ ],
+ "Turla":[
+ "T1134",
+ "T1110",
+ "T1059",
+ "T1090",
+ "T1081",
+ "T1022",
+ "T1005",
+ "T1025",
+ "T1140",
+ "T1089",
+ "T1106",
+ "T1048",
+ "T1083",
+ "T1066",
+ "T1112",
+ "T1027",
+ "T1086",
+ "T1057",
+ "T1055",
+ "T1012",
+ "T1060",
+ "T1105",
+ "T1018",
+ "T1064",
+ "T1193",
+ "T1192",
+ "T1071",
+ "T1082",
+ "T1016",
+ "T1049",
+ "T1007",
+ "T1124",
+ "T1204",
+ "T1102",
+ "T1077",
+ "T1084",
+ "T1004"
+ ]
+}
\ No newline at end of file
diff --git a/utils/__init__.py b/utils/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/utils/config.py b/utils/config.py
new file mode 100644
index 0000000..ed1eb30
--- /dev/null
+++ b/utils/config.py
@@ -0,0 +1,71 @@
+import ConfigParser
+import sys
+from ConfigParser import SafeConfigParser
+
+# import warnings
+# warnings.filterwarnings("error")
+
+
+# http://stackoverflow.com/a/21190382
+reload(sys)
+sys.setdefaultencoding("utf8")
+
+
+class Config:
+ def __init__(self, filename=".\\utils\\Hachi.config"):
+
+ self.parser = SafeConfigParser()
+ self.parser.read(filename)
+ self.opts = dict({
+ "config": dict(),
+ "logging": dict()
+ })
+
+ def read_config(self):
+
+ self.opts["config"]["INPUT_DIR"] = self.parser.get("config", "input_dir")
+ self.opts["config"]["OUTPUT_DIR"] = self.parser.get("config", "output_dir")
+ self.opts["config"]["PLAYBOOK_JSON"] = self.parser.get("config", "PLAYBOOK_JSON")
+ self.opts["config"]["MITRE_JSON"] = self.parser.get("config", "MITRE_JSON")
+ self.opts["config"]["DB_PATH"] = self.parser.get("config", "DB_PATH")
+ self.opts["config"]["SIG_CHECK_EXE"] = self.parser.get("config", "SIG_CHECK_EXE")
+ self.opts["config"]["QUEUE_NAME"] = self.parser.get("config", "QUEUE_NAME")
+
+ self.opts["logging"]["log_verbosity"] = self.parser.get("logging", "log_verbosity")
+ self.opts["logging"]["log_backup_count"] = self.parser.get("logging", "log_backup_count")
+ self.opts["logging"]["log_date_format"] = self.parser.get("logging", "log_date_format")
+ self.opts["logging"]["log_rotate_at"] = self.parser.get("logging", "log_rotate_at")
+
+ return self.opts
+
+ def get_var(self, section, var):
+ try:
+ return self.parser.get(section, var)
+ except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):
+ return None
+
+ def get_section(self, section):
+ try:
+ options = self.parser.items(section)
+ except ConfigParser.NoSectionError:
+ return None
+
+ opt_dict = dict()
+ for pairs in options:
+ opt_dict[pairs[0]] = pairs[1]
+
+ return opt_dict
+
+ def set_var(self, section, var, value):
+ try:
+ return self.parser.set(section, var, value)
+ except ConfigParser.NoSectionError:
+ return None
+
+ def list_config(self):
+ print "Configuration Options:"
+ for section in self.parser.sections():
+ print "%s" % (section)
+ for (name, value) in self.parser.items(section):
+ print "\t%s:\t%s" % (name, value)
+ return
diff --git a/utils/db_comm.py b/utils/db_comm.py
new file mode 100644
index 0000000..dfbc70d
--- /dev/null
+++ b/utils/db_comm.py
@@ -0,0 +1,67 @@
+import sqlite3
+from config import Config
+
+
+opts = Config().read_config()
+
+
+def insert(uid, hash, filename, status):
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ conn.execute("""INSERT INTO HACHI (UID,HASH,FILEPATH, STATUS) VALUES (?, ?, ?, ? );""", (uid, hash, filename, status))
+ conn.commit()
+ conn.close()
+
+
+def get_data():
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ cursor = conn.execute("SELECT uid, filepath, status from HACHI")
+ data = []
+ for row in cursor:
+ data.append(row)
+ conn.close()
+ return data
+
+
+def update(uid, value):
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ conn.execute("""UPDATE HACHI SET STATUS = ? where UID = ?;""", (value, uid))
+ conn.commit()
+ conn.close()
+
+
+def count(column_name):
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ cursor = conn.execute("""SELECT COUNT(?) from HACHI;""", (column_name,))
+ value = cursor.fetchone()[0]
+ conn.close()
+ return value
+
+
+def count_condition(column_name, cond_coulmn_name, value):
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ q = """SELECT COUNT(%s) FROM HACHI WHERE %s = "%s";""" %(column_name, cond_coulmn_name, value)
+ cursor = conn.execute(q)
+ value = cursor.fetchone()[0]
+ conn.close()
+ return value
+
+
+def get_column_val(uid_column, uid, column_name):
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ q = """SELECT %s FROM HACHI WHERE %s = "%s";""" % (column_name, uid_column, uid)
+ cursor = conn.execute(q)
+ value = cursor.fetchone()[0]
+ conn.close()
+ return value
+
+
+def create_table():
+ conn = sqlite3.connect(opts["config"]["DB_PATH"])
+ conn.execute('''CREATE TABLE HACHI
+ (UID CHAR(50) PRIMARY KEY NOT NULL,
+ hash CHAR(50),
+ filepath CHAR(50),
+ status TEXT,
+ timestamp DATETIME DEFAULT CURRENT_TIMESTAMP);''')
+ conn.close()
+
diff --git a/utils/digicheck.py b/utils/digicheck.py
new file mode 100644
index 0000000..dd86729
--- /dev/null
+++ b/utils/digicheck.py
@@ -0,0 +1,97 @@
+import subprocess
+from config import Config
+
+
+class DigitalSignatureCheck:
+ def __init__(self):
+ pass
+
+ opts = Config().read_config()
+ # Commandline input
+ _SIGCHECK_EXE = opts["config"]["SIG_CHECK_EXE"]
+ _SIGCHECK_ARGS = ' -i -h'
+
+ # extract record information
+ _DIGISIG_KEY_LIST = ["Verified", "Link date", "Signing date", "Catalog", "Signers", "Cert Status", "Valid Usage",
+ "Cert Issuer", "Serial Number", "Thumbprint", "Algorithm", "Valid from", "Valid to", "Company",
+ "Description", "Product", "Prod version", "File version", "MachineType", "MD5", "SHA1",
+ "SHA256", "IMP", ]
+ _DIGISIG_DATA_RECORD = {
+ "Verified": "n/a", "Link date": "n/a", "Signing date": "n/a", "Catalog": "n/a", "Signers": "n/a",
+ "Cert Status": "n/a",
+ "Valid Usage": "n/a", "Cert Issuer": "n/a", "Serial Number": "n/a", "Thumbprint": "n/a", "Algorithm": "n/a",
+ "Valid from": "n/a",
+ "Valid to": "n/a", "Company": "n/a", "Description": "n/a", "Product": "n/a", "Prod version": "n/a",
+ "File version": "n/a",
+ "MachineType": "n/a", "MD5": "n/a", "SHA1": "n/a", "SHA256": "n/a", "IMP": "n/a"
+ }
+
+ _REQ_DATA_FIELD = {"Verified": "n/a",
+ "Signing date": "n/a",
+ "Signers": "n/a",
+ "Cert Issuer": "n/a",
+ "Valid from": "n/a",
+ "Valid to": "n/a",
+ "Company": "n/a",
+ "Description": "n/a"
+ }
+ _DIGISIG_DATA = {}
+
+ Delimiter = "|"
+
+ def parse_sigcheck_output(self, output):
+ self._DIGISIG_DATA = dict(self._DIGISIG_DATA_RECORD)
+ result = output.split("\r\n")
+ signers_sig_flag = 0
+ key = ""
+ for line in result:
+ if len(line.split(":")) == 2:
+ # Key value pair is present
+ key = line.split(":")[0].strip("\t")
+ value = line.split(":")[1].strip("\t")
+ if key in self._DIGISIG_KEY_LIST:
+ if self._DIGISIG_DATA[key] == "n/a":
+ if key == "Signers":
+ signers_sig_flag = signers_sig_flag + 1
+ else:
+ self._DIGISIG_DATA[key] = value
+ elif (line.strip(" ") != "") and len(line.split(":")) == 1 and signers_sig_flag == 1:
+
+ # Get Signers information
+ publisher_value = line.strip("\t").strip(" ")
+ self._DIGISIG_DATA[key] = publisher_value
+
+ signers_sig_flag = signers_sig_flag + 1
+ elif len(line.split(":")) > 2:
+ other_fields = ["Catalog", "Valid from", "Valid to", "Link date", "Signing date"]
+
+ key = line.split(":")[0].strip("\t")
+ if key in other_fields:
+ value = ":".join(line.split(":")[1:]).strip("\t")
+ self._DIGISIG_DATA[key] = value
+
+ def run(self, filetoscan):
+
+ ExceptionOccured = False
+ cmd = ("%s %s \"%s\"") % (self._SIGCHECK_EXE, self._SIGCHECK_ARGS, filetoscan)
+ result = ""
+ try:
+ result = subprocess.check_output(cmd, shell=True)
+ except subprocess.CalledProcessError, e:
+ if e.returncode < 0:
+ ExceptionOccured = True
+ else:
+ result = e.output
+
+ if not ExceptionOccured:
+ try:
+ self.parse_sigcheck_output(result)
+ for key in self._DIGISIG_DATA:
+ if key in self._REQ_DATA_FIELD:
+ self._REQ_DATA_FIELD[key] = self._DIGISIG_DATA[key]
+ except Exception as e:
+ print(str(e))
+ self._DIGISIG_DATA = {}
+
+ else:
+ self._DIGISIG_DATA = {}
diff --git a/utils/graphity/__init__.py b/utils/graphity/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/utils/graphity/graphity.py b/utils/graphity/graphity.py
new file mode 100644
index 0000000..e5fa3c9
--- /dev/null
+++ b/utils/graphity/graphity.py
@@ -0,0 +1,651 @@
+#!/usr/bin/env python
+
+import re
+import json
+import r2pipe
+import graphityFunc
+from time import time
+import networkx as nx
+from base64 import b64decode
+from datetime import datetime
+from collections import Counter
+from graphityOps import patternScan, graphvizPlot
+from graphityUtils import gimmeDatApiName, getAllAttributes, check_pe_header
+
+
+# Checks whether an address is located in an executable section
+def isValidCode(callAddress, sectionsList):
+ # sectionsList contains executable sections as 2-element lists, containing start and end of each section
+ for execSection in sectionsList:
+ if execSection[0] <= int(callAddress, 16) < execSection[1]:
+ return True
+ return False
+
+
+# Returns a list of executable sections
+def getCodeSections():
+ returnSections = []
+
+ # regular expression to pick out the executable section(s)
+ execSection = re.compile("perm=....x")
+
+ # will return the section table from radare2
+ sections = R2PY.cmd("iS")
+
+ sectionData = {}
+
+ for line in sections.splitlines():
+ if re.search(execSection, line):
+ for element in line.split():
+ items = element.split('=')
+ sectionData[items[0]] = items[1]
+
+ start = int(sectionData['vaddr'], 16)
+ end = start + int(sectionData['vsz'])
+ psize = int(sectionData['sz'])
+ returnSections.append([start, end, psize])
+
+ return returnSections
+
+
+# Returns an executables imports as a list
+def getIat():
+ iatlist = []
+ cmd = "iij"
+ iatjson = json.loads(R2PY.cmd(cmd))
+ # print(iatjson)
+ for item in iatjson:
+ iatlist.append(hex(item['plt']))
+ return iatlist
+
+
+# Returns a dictionary of xrefs to symbols
+def crossRefScan():
+ cmd = "axtj @@ sym.*"
+ finalCalls = {}
+
+ # fixing the JSON... issue reported to radare2, keep in mind to remove workaround
+ out = R2PY.cmd(cmd)
+ out = out.strip("\n")
+ temp = out.replace("]", "],")
+ temp = temp.replace(",,", ",")
+ temp = temp.rstrip("\r\n")
+ if temp.endswith(","):
+ temp = temp[:-1]
+ temp = "[" + temp + "]"
+ xrefj = json.loads(temp)
+ # TODO check!!
+
+ for xrefitem in xrefj:
+ for xreflevel2 in xrefitem:
+
+ # not data xref means its code or call
+ if xreflevel2['type'] != 'd':
+ finalCalls[hex(xreflevel2['from'])] = xreflevel2['opcode']
+ pass
+
+ # data potentially means API referenced by register; please note these are rather uncommon in the long list of symbol refs
+ # thus, bottelneck in parsing speed lies in number of refs
+ if xreflevel2['type'] == 'd' and (
+ xreflevel2['opcode'].startswith('mov') or xreflevel2['opcode'].startswith('lea')):
+
+ # 'grepping' out the register from mov/lea operation
+ register = xreflevel2['opcode'].split()[1].replace(',', '')
+
+ # disassemble downwards; mmmaybe smarter to disassemble until end of function, but possible that there is no function at all
+ # TODO find end of function, just in case
+ cmd = "pd 300 @ " + hex(xreflevel2['from'])
+ moreDisasm = R2PY.cmd(cmd)
+
+ # possible branches towards target
+ realCall = "call %s" % register
+ aJmp = "jmp %s" % register
+
+ for disasmLine in moreDisasm.splitlines()[1:]:
+ if realCall in disasmLine or aJmp in disasmLine:
+ # found a call!!
+ temp = disasmLine + ";" + xreflevel2['opcode'].split(',')[1].rstrip()
+ tempSplit = temp.split()
+ finalCalls[hex(int(tempSplit[0], 16))] = ' '.join(tempSplit[1:])
+
+ elif register in disasmLine:
+ # TODO if mov dword abc, reg is found -> follow abc?
+ # TODO could be parsed in more detail, e.g. mov dword, reg won't change the reg
+ # print disasmLine
+
+ break
+ # pass
+ return finalCalls
+
+
+# Parses the binary for strings and their references to nodes
+def stringScan(debugDict):
+ # Workflow is: get string, get xrefs to string if any, get functions of xrefs if any; fit node in graph with the string
+ allMyStrings = []
+ return allMyStrings
+
+ # izzj parses entire binary
+ stringCmd = "izzj"
+ strings = R2PY.cmd(stringCmd)
+
+ parsedStrings = json.loads(strings)
+
+ debugDict['stringsDangling'] = []
+ debugDict['stringsNoRef'] = []
+
+ i = 0
+ j = 1
+ while i < len(parsedStrings["strings"]):
+ stringItem = parsedStrings["strings"][i]
+
+ # Strings when retrieved through izzj command are BASE64 encoded
+ thatOneString = b64decode(stringItem['string']).replace(b'\\', b' \\\\ ')
+ thatOneString.replace(b'\'', b'')
+
+ try:
+
+ thatOneString = thatOneString.decode()
+
+ xrefCmd = "axtj @ " + hex(stringItem['vaddr'])
+ stringXrefsJ = R2PY.cmd(xrefCmd)
+ # RN
+ stringXrefsJ = stringXrefsJ.replace("\"\"", "\"")
+ # print(stringXrefsJ)
+ # TODO this should be a list, but is returned as a string now?
+ # if stringXrefsJ != []:
+ if len(stringXrefsJ) > 2:
+ stringXrefs = json.loads(stringXrefsJ)
+
+ # check whether string item is root of list of strings
+ j = 1
+ lastItem = stringItem
+ while (i + j) < len(parsedStrings["strings"]):
+ nextStringItem = parsedStrings["strings"][i + j]
+ lastAddr = lastItem['vaddr']
+ lastSize = lastItem['size']
+
+ # string offsets are 4 byte aligned, TODO check whether this is always the case
+ padding = 4 - (lastSize % 4)
+ if padding == 4:
+ padding = 0
+ nextAddr = lastAddr + lastSize + padding
+
+ if nextAddr != nextStringItem['vaddr'] or hasXref(hex(nextStringItem['vaddr'])):
+ # end.. exit here
+ break
+ else:
+ thatOneString = thatOneString + "|" + b64decode(nextStringItem['string']).decode()
+ j = j + 1
+ lastItem = nextStringItem
+
+ # iterate refs on string, if any
+ for ref in stringXrefs:
+
+ # sort out strings with code ref, i.e. non-strings
+ if ref['type'] != 'c' and ref['type'] != 'C':
+ stringAddr = hex(ref['from'])
+ stringFuncRef = gimmeRespectiveFunction(stringAddr)
+ if stringFuncRef != '0x0':
+ allMyStrings.append([stringAddr, stringFuncRef, thatOneString])
+ else:
+ # TODO this is merely still useful strings, see how to fit them in the graphs and db
+ # RN print("DANGLING STRING NO FUNCREF %s %s" % (stringAddr, thatOneString))
+ debugDict['stringsDangling'].append(thatOneString)
+
+ else:
+ debugDict['stringsNoRef'].append(thatOneString)
+
+
+ except UnicodeDecodeError:
+ pass
+ if j > 1:
+ i = i + j
+ else:
+ i = i + 1
+
+ debugDict['stringsDanglingTotal'] = len(debugDict['stringsDangling'])
+ debugDict['stringsNoRefTotal'] = len(debugDict['stringsNoRef'])
+ return allMyStrings
+
+
+# Text whether xrefs exist for given address
+def hasXref(vaddr):
+ refs = R2PY.cmd("axtj @ " + vaddr)
+ if refs:
+ return True
+ else:
+ return False
+
+
+# Creating the NetworkX graph, nodes are functions, edges are calls or callbacks
+def createRawGraph():
+ graphity = nx.DiGraph()
+ debugDict = {}
+
+ functions = R2PY.cmd("aflj")
+ # print("Functions")
+ # print(functions)
+ # return {},{}
+ if functions:
+ functionList = json.loads(functions)
+ # print json.dumps(functionList, indent=4, sort_keys=True)
+ else:
+ functionList = []
+
+ # figuring out code section size total
+ sectionsList = getCodeSections()
+ xlen = 0
+ for execSec in sectionsList:
+ xlen = xlen + execSec[2]
+ debugDict['xsectionsize'] = xlen
+
+ # CREATING THE GRAPH
+
+ refsGlobalVar = 0
+ refsUnrecognized = 0
+ refsFunc = 0
+ debugDict['functions'] = len(functionList)
+
+ ### NetworkX Graph Structure ###
+
+ # FUNCTION as node, attributes: function address, size, calltype, list of calls, list of strings, count of calls; functiontype[Callback, Export], alias (e.g. export name), mnemonic distribution
+ # FUNCTIoN REFERENCE as edge (function address -> target address), attributes: ref offset (at)
+ # INDIRECT REFERENCE as edge (currently for threads and Windows hooks, also indirect code and indirect data references)
+ # API CALLS (list attribute of function node): address, API name
+ # STRINGS (list attribute of function node): address, string, evaluation
+
+ ####
+
+ # TODO add count of refs from A to B as weights to edges
+ # TODO count calls to global vars, to indirect targets
+
+ for item in functionList:
+ # print hex(item['offset'])
+ graphity.add_node(hex(item['offset']), size=item['realsz'], calltype=item['calltype'], calls=[], apicallcount=0,
+ strings=[], stringcount=0, functiontype='')
+
+ for item in functionList:
+
+ # TODO look into new values provided by aflj
+ # print(item)
+ if 'callrefs' in item:
+ for xref in item['callrefs']:
+
+ if xref['type'] == 'C':
+
+ # If an edge is added, that includes a non-existent node, the node will be added, but w/o the necessary attributes
+ # Thasss why we iterate twice, can theoretically be speeded up but needs testing
+ if hex(xref['addr']) in graphity:
+ if item['offset'] != xref['addr']:
+ graphity.add_edge(hex(item['offset']), hex(xref['addr']), pos=hex(xref['at']))
+ refsFunc = refsFunc + 1
+
+ elif hex(xref['addr']) in getIat():
+ pass
+
+ elif not isValidCode(hex(xref['addr']), sectionsList):
+ # TODO do something
+ '''print(
+ "DANGLING call to address outside code section, glob var, dynamic API loading %s -> %s" % (
+ hex(item['offset']), hex(xref['addr'])))'''
+ refsGlobalVar = refsGlobalVar + 1
+
+ else:
+ print(
+ "FAIL: Call to code thats not a function, an import/symbol or otherwise recognized. Missed function perhaps. %s -> %s" % (
+ hex(item['offset']), hex(xref['addr'])))
+ refsUnrecognized = refsUnrecognized + 1
+
+ print('* %s Graph created with NetworkX ' % str(datetime.now()))
+ debugDict['refsFunctions'] = refsFunc
+ debugDict['refsGlobalVar'] = refsGlobalVar
+ debugDict['refsUnrecognized'] = refsUnrecognized
+
+ apiRefs = crossRefScan()
+
+ callNum = len(apiRefs)
+ missesNum = 0
+
+ # FITTING GRAPH WITH API REFS
+
+ for call in apiRefs:
+
+ # get the address of the function, that contains the call to a given symbol
+ funcAddress = gimmeRespectiveFunction(call)
+ # TODO check if funcAddress is the real function address
+ if funcAddress in graphity:
+
+ # node(funcAddress) has attribute calls, which contains a list of API calls
+ api = gimmeDatApiName(apiRefs[call])
+
+ graphity.node[funcAddress]['calls'].append([call, api])
+
+ # detected API call reference does not resolve to a function offset, insert handling for this here
+ else:
+ # print("DANGLING API CALL %s %s" % (call, apiRefs[call]))
+ missesNum = missesNum + 1
+
+ # debug: print total API refs and functionless API refs, maybe indicator for obfuscated code
+ print('* %s Graph extended with API calls, %d calls in total, %d dangling w/o function reference ' % (
+ str(datetime.now()), callNum, missesNum))
+ debugDict['apiTotal'] = callNum
+ debugDict['apiMisses'] = missesNum
+
+ # FITTING GRAPH WITH STRING REFS
+
+ allTheStrings = stringScan(debugDict)
+ stringrefs = 0
+
+ for aString in allTheStrings:
+
+ stringAddr = aString[0]
+ stringFunc = aString[1]
+ stringData = aString[2]
+
+ # add string to respective function node in graph
+ if stringFunc in graphity:
+ graphity.node[stringFunc]['strings'].append([stringAddr, stringData])
+ stringrefs = stringrefs + 1
+
+ else:
+ print("\n*** BIG FAIL *** String's function not in graph %s %s" % (stringFunc, stringData))
+
+ print('* %s Graph extended with string references ' % (str(datetime.now())))
+ debugDict['stringsReferencedTotal'] = stringrefs
+
+ return graphity, debugDict
+
+
+# Tag exports of DLLs
+# TODO : check whether exports are coming back after bugfix (?)
+def analyzeExports(graphity):
+ exportsj = json.loads(R2PY.cmd("iEj"))
+ for item in exportsj:
+
+ exportAddress = hex(item['vaddr'])
+ exportName = item['name']
+
+ exportFunction = gimmeRespectiveFunction(exportAddress)
+
+ if exportFunction in graphity:
+ graphity.node[exportFunction]['functiontype'] = 'Export'
+ graphity.node[exportFunction]['alias'] = exportName
+
+
+# Removing thunks as they make my graphs fat, replace by API calls
+def thunkPruning(graphity):
+ for aNode in graphity.nodes(data=True):
+
+ # most obvious thunks, other thunks exist too, len seen was 11, 13
+ # TODO !!!!!!!! check for 64bit
+ # TODO check with radare for thunk detection?
+ # funclets that contain nothing but a jump to an import, and do not call other functions
+ if len(aNode[1]['calls']) == 1 and aNode[1]['size'] == 6 and not graphity.successors(aNode[0]):
+
+ thunk = aNode[0]
+ thunkApi = aNode[1]['calls'][0]
+
+ # need to go on with radare from here, cause graphity doesn't know all the addressed of the xrefs to thunks from within a function
+ # getting all xrefs on thunk, then getting function its located in to get to node of graph
+ temp = R2PY.cmd("axtj " + thunk)
+
+ thunkRefs = []
+ if temp:
+ thunkRefs = json.loads(temp)
+
+ for aRef in thunkRefs:
+
+ thunkCallAddr = hex(aRef['from'])
+ thunkFuncRef = gimmeRespectiveFunction(thunkCallAddr)
+
+ # if thunk's xrefs include a detected function then add thunk as a regular API call to calls list of respective node
+ if thunkFuncRef != '0x0':
+ graphity.node[thunkFuncRef]['calls'].append([thunkCallAddr, thunkApi[1]])
+
+ # after xref to thunk has been added to all calling functions, remove thunk node from graph
+ graphity.remove_node(thunk)
+
+
+# Adding edges to indirectly referenced functions, thread handlers and hook functions for now only
+def tagCallbacks(graphity):
+ for aNode in graphity.nodes(data=True):
+ for call in aNode[1]['calls']:
+
+ xrefTarget = ''
+ # TODO consider this bad practise, do something smarter, not sure yet what, consider _beginthread API etc. etc.
+ # also, maybe this is fixed in radare later, so consider this code redundant by then
+ if 'CreateThread' in call[1]:
+ xrefTarget = getCallback(call[0], 3)
+
+ if 'SetWindowsHookEx' in call[1]:
+ xrefTarget = getCallback(call[0], 2)
+
+ if xrefTarget:
+ #print (xrefTarget, aNode[0])
+ addIndirectEdge(graphity, aNode[0], xrefTarget, "apicallback", "Callback")
+
+ # implicitly filters out callbacks fixed already - gets all nodes with zero in-degre
+ # TODO see if feasible for all functions, even with such already having in edges
+ for aNode in graphity.nodes(data=True):
+ if graphity.in_degree(aNode[0]) == 0:
+ jay = R2PY.cmd("axtj @ " + aNode[0])
+ jay = jay.rstrip()
+ if jay:
+ xrefs = json.loads(jay)
+ for xref in xrefs:
+
+ # if xref is code its almost certainly an edge to add
+ if xref['type'] == 'c':
+
+ # TODO circle back on jumptable-as-a-function bug from r2
+ # really ugly workaround, really really ugly..
+ if not 'dword [' in xref['opcode']:
+ addIndirectEdge(graphity, hex(xref['from']), aNode[0], "coderef", "IndirectCode")
+
+ # if xref is data
+ if xref['type'] == 'd':
+
+ opcd = xref['opcode']
+ # TODO run more tests on this list not sure these are all possible cases
+ # TODO make datarefs optional!
+ if opcd.startswith('push') or opcd.startswith('lea') or opcd.startswith('mov'):
+ #print (hex(xref['from']), opcd)
+ addIndirectEdge(graphity, hex(xref['from']), aNode[0], "dataref", "IndirectData")
+ else:
+ # TODO look into add reg, ThreadRoutine -> as xref
+ print ("up for discussion: " + hex(xref['from']), xref['type'], xref['opcode'])
+
+
+def addIndirectEdge(graphity, fromAddr, toAddr, calltype, functiontype):
+ fromNode = gimmeRespectiveFunction(fromAddr)
+ toNode = gimmeRespectiveFunction(toAddr)
+ if fromNode in graphity and toNode in graphity:
+ graphity.node[toNode]['functiontype'] = functiontype
+ graphity.add_edge(fromNode, toNode, calltype=calltype)
+ # print ("added callback edge", fromNode, toNode, calltype, "\n")
+ else:
+ print ("Something went wrong with indirect edge ", fromAddr, toAddr, calltype)
+
+
+# Parsing the handler offset out of the function arguments
+def getCallback(call, argcount):
+ # simplistic: walk up the code until xref to code is found, works as long as API only receives one code ref, works well with Windows APIs
+ disasmMore = "pd -30 @" + call
+ upwards = R2PY.cmd(disasmMore)
+
+ for otherLine in reversed(upwards.splitlines()):
+ if 'push' in otherLine:
+ argcount = argcount - 1
+
+ # TODO better done with a regex, bug prone
+ if not argcount:
+ address = otherLine.split("push", 1)[1].split()[0]
+ if 'fcn.' in address:
+ return hex(int(address.split('.')[1], 16))
+ if '0x' in address:
+ return hex(int(address.split('0x')[1], 16))
+ else:
+ return ''
+
+
+# WORKAROUND until function detection - bug? feature? in radare is fixed and export vaddr equal actual offsets again
+def gimmeRespectiveFunction(address):
+ if address:
+ return R2PY.cmd("?v $FB @ " + address).strip("\r\n").strip("\n").strip("\r")
+ return ''
+
+
+def mnemonicism(offset):
+ mnems = []
+ fsize = 0
+ weight = 0
+
+ funcdump = R2PY.cmd("pdfj @ " + offset)
+ if funcdump:
+ dumpj = json.loads(funcdump)
+ for item in dumpj["ops"]:
+ # print(item)
+ if "type" in item:
+ mnems.append(item["type"])
+ # print (item["type"], item["opcode"])
+ fsize = dumpj["size"]
+
+ # print ("\n" + offset + " " + str(fsize))
+ mnemdict = Counter(mnems)
+ # for mnem in sorted(mnemdict):
+ # print (mnem, mnemdict[mnem])
+
+ for mnem in mnemdict:
+ if mnem in ['shl', 'shr', 'mul', 'div', 'rol', 'ror', 'sar', 'load', 'store']:
+ weight += mnemdict[mnem]
+ return (weight * 10) / fsize
+
+
+# TODO count how many above certain threshold, see how close they are together in the graph?
+
+
+# super graph creation function, radare-analyses the sample, puts together all of the graph and debug info
+def graphMagix(filepath, allAtts, deactivatecache):
+ global R2PY
+
+ print('* %s R2 started analysis ' % str(datetime.now()))
+
+ BENCH['r2_start'] = time()
+ print("filepath:" + filepath)
+
+ R2PY = r2pipe.open(filepath)
+
+ R2PY.cmd("e asm.lines = false")
+ R2PY.cmd("e asm.fcnlines = false")
+ R2PY.cmd("e anal.autoname= false")
+ R2PY.cmd("e anal.jmptbl = true")
+ R2PY.cmd("e anal.hasnext = true")
+ R2PY.cmd("e anal.bb.maxsize = 1M")
+ # R2PY.cmd("e src.null = true")
+ R2PY.cmd("aaa")
+ # R2PY.cmd("afr")
+ # R2PY.cmd("afr @@ sym*")
+
+
+ BENCH['r2_end'] = time()
+ print('* %s R2 finished analysis' % str(datetime.now()))
+
+ # GRAPH CREATION
+ graphity, debug = createRawGraph()
+
+ # TODO testing lib code detected
+ # flagLibraryCode(graphity)
+
+ # DLL PROCESSING
+ if 'DLL' in allAtts['filetype']:
+ analyzeExports(graphity)
+
+ # Thunk pruning, thunks are unnecessary information in the graph
+ thunkPruning(graphity)
+
+ # handler tagging
+ tagCallbacks(graphity)
+
+ # update api and string count attributes
+ for aNode in graphity.nodes(data=True):
+ aNode[1]['apicallcount'] = len(aNode[1]['calls'])
+ aNode[1]['stringcount'] = len(aNode[1]['strings'])
+
+ # calc mnemonic dist
+ for aNode in graphity.nodes():
+ graphity.node[aNode]['mnemonicism'] = mnemonicism(aNode)
+
+ BENCH['graph_end'] = time()
+
+
+ return graphity, debug
+
+
+def get_behaviors(filepath, dst_file, out_dir):
+ global BENCH
+ BENCH = {}
+
+ behaviours = {}
+ if check_pe_header(filepath):
+ print('* %s Parsing %s ' % (str(datetime.now()), filepath))
+ allAtts = getAllAttributes(filepath)
+ graphity, debug = graphMagix(filepath, allAtts, True) # args.deactivatecache)
+
+ # BEHAVIOR
+ print('* %s Scanning for API patterns ' % str(datetime.now()))
+ BENCH['behavior_start'] = time()
+ allThePatterns = graphityFunc.funcDict
+
+ for patty in allThePatterns:
+ # print(patty)
+ findings = patternScan(graphity, allThePatterns[patty])
+ # print("Findings:")
+ # print(findings)
+ for hit in findings:
+ if not False in hit['patterns'].values():
+ #print("For %s found %s" % (patty, str(hit['patterns'])))
+ if patty in behaviours:
+ list_hit = behaviours[patty]
+ list_hit.append(hit['patterns'])
+ behaviours[patty] = list_hit
+ else:
+ behaviours[patty] = [hit['patterns']]
+ BENCH['behavior_end'] = time()
+
+ ret_info = {}
+ function_list = {}
+ # print("printing behaviors found above")
+ if behaviours:
+ for behav in behaviours:
+ info = behaviours[behav]
+ # print(info)
+ for entry in info:
+ for name in entry:
+ if not str(entry[name]) in function_list:
+ function_list[str(entry[name])] = behav
+ # print(entry)
+ # print function_list
+
+ base_file = dst_file.replace(".behav.json", "")
+ for funct in function_list:
+ R2PY.cmd("s." + funct)
+ pseudo_code = R2PY.cmd("pdc")
+ code_file = base_file + "." + function_list[funct] + "_" + funct + ".c"
+ with open(code_file, "w") as out:
+ for line in pseudo_code.split("\n"):
+ line = line.rstrip()
+ if line:
+ out.write(line + "\n")
+
+ # print(function_list)
+ ret_info["Suspicious Behaviors"] = behaviours
+ with open(dst_file, "w") as out:
+ out.write(json.dumps(ret_info, sort_keys=True, indent=4))
+
+ print('* %s Plotting routine starting ' % str(datetime.now()))
+ BENCH['plotting_start'] = time()
+ graphvizPlot(graphity, allAtts, function_list, out_dir)
+ BENCH['plotting_end'] = time()
+ print('* %s Plotting routine finished ' % str(datetime.now()))
+
+ return ret_info
diff --git a/utils/graphity/graphityFunc.py b/utils/graphity/graphityFunc.py
new file mode 100644
index 0000000..500eb28
--- /dev/null
+++ b/utils/graphity/graphityFunc.py
@@ -0,0 +1,215 @@
+#!/usr/bin/env python
+
+
+funcDict = {
+ #
+ 'THREAD_CREATE': ['CreateThread'],
+ 'RTL_THREAD_CREATE': ['RtlCreateUserThread'],
+ 'ZW_THREAD_CREATE': ['ZwCreateThread'],
+
+ 'PROCESS_ENUM': ['CreateToolhelp32Snapshot', 'Process32First', 'Process32Next'],
+ 'MODULE_ENUM': ['CreateToolhelp32Snapshot', 'Module32First', 'Module32Next'],
+ 'PROCESS_ENUM_1': ['EnumProcesses'],
+ 'MODULE_ENUM_1': ['EnumProcessModules'],
+
+ 'WIN_EXEC': ['WinExec'],
+ 'SHELL_EXEC': ['ShellExecute'],
+ 'PROCESS_CREATE': ['CreateProcess'],
+ 'PROCESS_CREATE_INTR': ['CreateProcessInternal'],
+ 'PROCESS_CREATE_USER': ['CreateProcessAsUser'],
+ 'PROCESS_CREATE_LOGON': ['CreateProcessWithLogon'],
+ 'PROCESS_CREATE_1': ['system'],
+ 'PROCESS_CREATE_2': ['ZwCreateProcess'],
+
+ 'PROCESS_TERM': ['TerminateProcess'],
+ 'PROCESS_SUSPEND_': ['ZwSuspendProcess'],
+ 'PROCESS_TERM_1': ['ZwTerminateProcess'],
+
+ 'REMOTE_THREAD_INJECTION': ['CreateThread', 'WriteProcessMemory','ResumeThread'],
+ 'REMOTE_THREAD_1': ['CreateRemoteThread'],
+ 'RETRO_INJECTION': ['GetCurrentProcess', 'CreatePipe', 'DuplicateHandle'],
+ 'MEMORY_WRITE': ['WriteProcessMemory'],
+ 'MEMORY_READ': ['ReadProcessMemory'],
+ 'MEMORY_READ_1': ['Toolhelp32ReadProcessMemory'],
+ 'MEMORY_READ_2': ['ZwReadVirtualMemory'],
+
+ 'EXIT_SYSTEM': ['ExitWindows'],
+ 'EXIT_SYSTEM_1': ['InitiateSystemShutdown'],
+
+ 'ANTI-SANDBOX_1': ['GetForegroundWindow', 'Sleep'],
+ 'ANTI-SANDBOX_2': ['GetCursorPos', 'Sleep'],
+ 'ANTI-SANDBOX_3': ['GetLastInputInfo', 'Sleep'],
+ 'ANTI-SANDBOX_4': ['GetTickCount', 'Sleep'],
+
+ 'WINHOOK': ['SetWindowsHook'],
+
+ 'TIME_ZONE': ['GetTimeZoneInformation'],
+ 'USER': ['LogonUser'],
+ 'USER_IMPERSONATE': ['ImpersonateLoggedOnUser'],
+
+ # Autostarts & infiltration
+ 'REG_SETVAL': ['RegOpenKey', 'RegSetValue'],
+ 'REG_QUERY': ['RegOpenKey', 'RegQueryValue'],
+
+ 'CREATE_SERVICE': ['OpenSCManager', 'CreateService'], # 'OpenService', 'StartService'],
+ 'CREATE_START_SERVICE': ['OpenSCManager', 'CreateService'],
+
+ #'RES_DROPPER_1': ['FindResource', 'LoadResource', 'CreateFile', 'WriteFile'],
+ 'RES_DROPPER': ['FindResource', 'LoadResource'], # 'LockResource', 'SizeofResource'],
+ 'LOAD_RES': ['LoadResource'],
+ 'UPDATE_RESOURCE': ['BeginUpdateResource', 'UpdateResource', 'EndUpdateResource'],
+
+ # Dynamic API loading
+ 'APILOADING': ['GetProcAddress'],
+ #'APILOADING2': ['GetModuleHandle', 'GetProcAddress'],
+
+ # File interaction
+ 'WRITE_FILE': ['CreateFile', 'WriteFile'],
+ 'FILE_WRITE_1': ['FlushFileBuffers'],
+ 'FILE_WRITE_2': ['FlushViewOfFile'],
+ 'FILE_WRITE_3': ['WriteFile'],
+ 'FILE_WRITE_4': ['fflush'],
+ 'FILE_WRITE_5': ['fprintf'],
+ 'FILE_WRITE_6': ['fputs'],
+ 'FILE_WRITE_7': ['fwrite'],
+ 'FILE_WRITE_8': ['ZwWriteFile'],
+
+ 'READ_FILE': ['CreateFile', 'ReadFile'],
+
+ 'TEMP_FILE_WRITE': ['GetTempFileName', 'CreateFile', 'WriteFile'],
+ 'FPRINT': ['fopen', 'fprintf'],
+
+ 'FILE_COPY': ['CopyFile'],
+ 'FILE_DELETE': ['DeleteFile'],
+ 'FILE_DELETE_1': ['ZwDeleteFile'],
+ 'FILE_MOVE': ['MoveFile'],
+ 'FILE_MOVE_1': ['MoveFileEx'],
+
+ 'DIR_DELETE': ['RemoveDirectory'],
+ 'DIR_SYS': ['GetSystemDirectory'],
+ 'DIR_SYSWIN': ['GetSystemWindowsDirectory'],
+ 'DIR_WIN': ['GetWindowsDirectory'],
+
+ # Malware activity
+ 'DRIVES_ITER_1': ['GetLogicalDriveStrings'],
+ 'DRIVES_ITER_2': ['GetDriveType'],
+ 'FILE_ITER': ['FindFirstFile', 'FindNextFile'],
+ 'WINDOW': ['CreateWindow', 'RegisterClass', 'DispatchMessage'],
+
+ 'SCREENSHOT': ['CreateCompatibleDC', 'GetDeviceCaps', 'CreateCompatibleBitmap', 'BitBlt'],
+
+ # encryption and compression
+ 'CRYPT_ENCRYPT': ['CryptEncrypt'],
+ 'CRYPT_DECRYPT': ['CryptDecrypt'],
+ 'CRYPT_HASH': ['CryptCreateHash', 'CryptDestroyHash', 'CryptGetHashParam', 'CryptHashData', 'CryptSetHashParam', 'CheckSumMappedFile'],
+
+ 'ENCODE': ['RtlEncodePointer'],
+ 'DECODE': ['RtlDecodePointer'],
+ 'COMPRESS': ['RtlCompressBuffer'],
+ 'DECOMPRESS': ['RtlDecompressBuffer'],
+
+ 'VOLUME_ENUM': ['FindFirstVolume', 'FindNextVolume'],
+
+ # Network activity
+ 'WSASEND': ['gethostbyname', 'send'],
+ 'LISTEN': ['listen'],
+ 'RECV': ['recv'],
+ 'WSARECV': ['WSARecv'],
+ 'SEND': ['send'],
+ 'WASSEND' : ['WSASend'],
+ 'SEND_TO': ['sendto'],
+ 'WSASEND_TO': ['WSASendTo'],
+ 'RECV_FROM': ['recvfrom'],
+ 'WSARECV_FROM': ['WSARecvFrom'],
+
+ 'DOWNLOAD_FILE_CACHE': ['URLDownloadToCacheFile'],
+ 'DOWNLOAD_FILE': ['URLDownloadToFile'],
+
+ 'ICMP6_MGMT': ['Icmp6CreateFile', 'Icmp6SendEcho2'],
+ 'ICMP_MGMT': ['IcmpCreateFile', 'IcmpSendEcho'],
+ 'ICMP_MGMT_1': ['IcmpCreateFile', 'IcmpSendEcho2'],
+
+ 'DOWNLOADER': ['URLDownloadToCacheFile'],
+ 'DOWNLOADER_1': ['URLDownloadToFile', 'WinExec'],
+ 'DOWNLOADER_2': ['URLDownloadToFile', 'ShellExecute'],
+ 'DOWNLOADER_3': ['URLDownloadToFile', 'CreateProcess'],
+
+ 'INET_DOWNLOAD': ['InternetOpen', 'InternetReadFile'],
+ 'INET_UPLOAD': ['InternetOpen', 'InternetWriteFile'],
+
+ 'FTP_GET': ['FtpOpenFile', 'FtpGetFile'],
+ 'FTP_PUT': ['FtpOpenFile', 'FtpPutFile'],
+
+ 'CACHE_ENUM': ['FindFirstUrlCacheEntry', 'FindNextUrlCacheEntry'],
+ 'CACHE_INFO': ['GetUrlCacheEntryInfo'],
+
+ 'NET_USER_ADD': ['NetUserAdd'],
+ 'NET_USER_ENUM': ['NetUserEnum'],
+ 'NET_SHARE': ['NetShareEnum', 'NetShareAdd'],
+ 'WNET_SHARE': ['WNetAddConnection2'],
+
+ # Host information
+ 'HOST_INFO_1': ['gethostbyname'],
+ 'HOST_INFO_2': ['gethostname'],
+ 'HOST_INFO_3': ['getnameinfo'],
+ 'HOST_INFO_4': ['GetNameInfo'],
+ 'DISK_INFO_1': ['GetDriveType'],
+ 'DISK_INFO_2': ['GetDiskFreeSpace'],
+ 'DISK_INFO_3': ['GetLogicalDrives'],
+ 'DISK_INFO_4': ['GetLogicalDriveStrings'],
+ 'DISK_INFO_5': ['ZwQueryDirectoryFile'],
+ 'DISK_INFO_6': ['DriveSpace'],
+ 'DESKTOP_ENUM': [ 'OpenWindowStation', 'EnumDesktops', 'EnumWindowStations', 'EnumDesktopWindows'],
+ 'OS_INFO_1': ['GetVersion'],
+ 'OS_INFO_2': ['GetVersionEx'],
+ 'OS_INFO_3': ['RtlGetVersion'],
+ 'SYSTEM_INFO': ['GetSystemInfo'],
+ 'SYSTEM_INFO_1': ['ZwQuerySystemInformation'],
+ 'SYSTEM_INFO_2': ['SystemParametersInfo'],
+ 'SYSTEM_INFO_LOCALE': ['GetLocaleInfo'],
+
+ # misc
+ 'DRIVER_CTRL': ['DeviceIoControl'],
+ 'DRIVER_CTRL_1': ['ZwDeviceIoControlFile'],
+ 'SERVICE_HANDLER': ['RegisterServiceCtrlHandler'],
+
+ 'COM_OBJECT': ['CoCreateInstance', 'CoGetClassObject'],
+ 'COM_OBJECT_1': ['CoInitialize'],
+ 'LDAP': ['ldap_first_attribute'],
+ 'LDAP_1': ['ldap_first_entry'],
+ 'RANDOM_GEN_1': ['rand'],
+ 'RANDOM_GEN_2': ['srand'],
+ 'RANDOM_GEN_3': ['RtlRandom'],
+ 'SLEEP_1': ['Sleep'],
+ 'SLEEP_2': ['ZwDelayExecution'],
+
+ # multimedia
+ 'AUDIO_IN': ['waveInOpen', 'waveInStart'],
+ 'AUDIO_OUT': ['waveOutOpen', 'waveOutWrite'],
+
+ # keyboard
+ 'KEYBOARD_INFO': ['GetKeyboardLayout'],
+ 'KEYBOARD_INPUT_1': ['BlockInput'],
+ 'KEYBOARD_INPUT_2': ['GetAsyncKeyState'],
+ 'KEYBOARD_INPUT_3': ['GetKeyState'],
+ 'KEYBOARD_INPUT_4': ['GetRawInputData'],
+ 'KEYBOARD_INPUT_5': ['RegisterRawInputDevices'],
+ 'KEYBOARD_INPUT_6': ['SendInput'],
+ 'KEYBOARD_INPUT_7': ['VkKeyScan'],
+ 'MOUSE': ['TrackMouseEvent'],
+ 'MOUSE_1': ['_TrackMouseEvent'],
+
+ # printer
+ 'PRINTER': ['EnumPrinters', 'OpenPrinter', 'GetDefaultPrinter'],
+
+}
+
+# TODO extend on those, and add more:
+# spawn a process
+# move file, delete, create dir -
+# regenumkey
+# createmutex
+# fopen, fread, fwrite
+# clipboard
+# screen capture etc.
+
diff --git a/utils/graphity/graphityOps.py b/utils/graphity/graphityOps.py
new file mode 100644
index 0000000..4cab2f5
--- /dev/null
+++ b/utils/graphity/graphityOps.py
@@ -0,0 +1,148 @@
+import copy
+import os
+
+import networkx as nx
+
+
+### SCANNING ###
+
+# searching nodes and nearby nodes a pattern defined by graphityFunc.py
+def patternScan(graphity, pattern):
+
+ # search is performed by defining "anchor" node, where initial pattern is found
+ # search then moved from there 1 level up to search surrounding nodes (number of levels could be increased)
+ # pattern lists for now are kept rather small
+ # TODO determine distance between found patterns to see which functionalities lie close to each other
+ patternNum = len(pattern)
+ anchorList = []
+
+ allCalls = nx.get_node_attributes(graphity, 'calls')
+ #print("AllCalls")
+ #print(allCalls)
+ for function in allCalls:
+ #print("check:" + function)
+ # TODO make this prettier!
+ for call in allCalls[function]:
+ api = call[1]
+ anchorpat = pattern[0]
+ # print(anchorpat, call[1])
+ if anchorpat in api:
+ #print("anchor: " + anchorpat)
+ if not list(filter(lambda daAnchor: daAnchor['address'] == function, anchorList)):
+ # maintain a dict of patterns per anchor to keep track of found patterns
+ patternCheck = {}
+ for item in pattern:
+ patternCheck[item] = False
+ patternCheck[anchorpat] = function
+ #print(patternCheck)
+ anchorList.append({'address':function, 'patterns':patternCheck})
+ # anchor nodes found and more than one pattern searched for
+ if patternNum > 1 and len(anchorList) > 0:
+ for anchor in anchorList:
+
+ functionalityScanForApi(graphity, anchor, anchor['address'], patternNum)
+ if False in anchor['patterns'].values():
+
+ anchorNeighbors = nx.all_neighbors(graphity, anchor['address'])
+ for neighbor in anchorNeighbors:
+ functionalityScanForApi(graphity, anchor, neighbor, patternNum)
+
+ return anchorList
+
+
+# Search for a specific pattern within a node, orient by anchor pattern
+def functionalityScanForApi(graphity, anchor, seNode, patternNum):
+
+ for patt in anchor['patterns']:
+
+ # anchor has a dict that saves which patterns were found already
+ for call in graphity.node[seNode]['calls']:
+ api = call[1]
+
+ # found a pattern in an api call, that hasnt been found before
+ if patt in api and anchor['patterns'][patt] == False:
+ anchor['patterns'][patt] = seNode
+
+ if not False in anchor['patterns'].values():
+ # all patterns found - done
+ break
+
+# Graph plotting with pydotplus from within NetworkX, format is dot
+def graphvizPlot(graphity, allAtts, function_list, out_dir):
+ graphity_new = copy.deepcopy(graphity)
+ for aNode in graphity_new.nodes(data=True):
+ if aNode[0] not in function_list:
+ graphity_new.remove_node(aNode[0])
+ pydotMe = nx.drawing.nx_pydot.to_pydot(graphity_new)
+
+ for node in pydotMe.get_nodes():
+ #continue
+ # get node address to be able to fetch node directly from graphity to preserve data types of attributes
+ nodeaddr = node.to_string().split()[0].replace('\"', '')
+ finalString = ''
+
+ if str(nodeaddr) not in function_list:
+ print("Still Inside")
+ continue
+ # print("Entered:"+str(nodeaddr))
+ if node.get('calls') != '[]' or node.get('strings') != '[]':
+
+ finalList = []
+
+ # fetching string and call lists directly from graphity
+ callList = graphity.node[nodeaddr]['calls']
+ stringList = graphity.node[nodeaddr]['strings']
+
+ for item in callList:
+ finalList.append(str(item[0]) + ": [C] " + str(item[1]))
+ for otem in stringList:
+ finalList.append(str(otem[0]) + ": [S] " + str(otem[1]))
+
+ finalList.sort()
+ finalString = '\n'.join(finalList)
+ name = ""
+ if str(nodeaddr) in function_list:
+ name = str(function_list[str(nodeaddr)])
+ if node.get('functiontype') == 'Export':
+ label = "Export " + nodeaddr + node.get('alias')
+ label = name+ '\n' + label + "\n" + finalString
+ node.set_fillcolor('yellow')
+ node.set_style('filled,setlinewidth(3.0)')
+ node.set_label(label)
+
+ elif node.get('functiontype') == 'Callback':
+ label = name+ '\n'+ "Callback " + nodeaddr + "\n" + finalString
+ node.set_fillcolor('skyblue')
+ node.set_style('filled,setlinewidth(3.0)')
+ node.set_label(label)
+
+ elif node.get('functiontype').startswith('Indirect'):
+ label = name + '\n'+ "IndirectRef " + nodeaddr + "\n" + finalString
+ node.set_fillcolor('red')
+ node.set_style('filled,setlinewidth(3.0)')
+ node.set_label(label)
+
+ elif finalString != '':
+ finalString = name+ '\n'+ nodeaddr + "\n" + finalString
+ node.set_fillcolor('orange')
+ node.set_style('filled,setlinewidth(3.0)')
+ node.set_label(finalString)
+
+
+ #print(finalString)
+ graphinfo = "SAMPLE " + allAtts['filename'] + "\nType: " + allAtts['filetype'] + \
+ "\nSize: " + str(allAtts['filesize']) + "\nMD5: " + allAtts['md5'] + "\nImphash:\t\t" +\
+ allAtts['imphash'] + "\nCompilation time:\t" + allAtts['compilationts'] + "\nEntrypoint section:\t" + \
+ allAtts['sectionep']
+
+
+ graphname = allAtts['filename'] + ".png"
+ print(graphname)
+ try:
+ # TODO pydotplus throws an error sometimes (Error: /tmp/tmp6XgKth: syntax error in line 92 near '[') look into pdp code to see why
+ out_filename = os.path.join(os.path.abspath(out_dir), graphname)
+ print(out_filename)
+ pydotMe.write_png(out_filename)
+ except Exception as e:
+ print("ERROR drawing graph")
+ print(str(e))
\ No newline at end of file
diff --git a/utils/graphity/graphityUtils.py b/utils/graphity/graphityUtils.py
new file mode 100644
index 0000000..701b8d7
--- /dev/null
+++ b/utils/graphity/graphityUtils.py
@@ -0,0 +1,280 @@
+import math
+import time
+import pefile
+import struct
+from io import open
+from hashlib import sha1, md5
+from collections import Counter
+from os.path import basename, getsize
+
+
+
+# receives a string, containing a symbol a la radare2
+# returns the sole API name
+
+def gimmeDatApiName(wholeString):
+ separators = ['.dll_', '.sys_', '.exe_', '.sym_']
+
+ for sep in separators:
+
+ if sep in wholeString:
+ apiName = wholeString.split(sep)[1].replace(']', '')
+ return apiName
+
+ elif sep.upper() in wholeString:
+ apiName = wholeString.split(sep.upper())[1].replace(']', '')
+ return apiName
+
+ return wholeString
+
+
+# checks whether a string is pure ascii
+
+def is_ascii(myString):
+ try:
+ myString.decode('ascii')
+ return True
+ except UnicodeDecodeError:
+ return False
+
+
+
+
+
+def stringCharVariance(seString):
+ charFrequs = Counter(seString)
+ total = 0
+ for letter in charFrequs:
+ if charFrequs[letter] < 4:
+ total += (charFrequs[letter] - 1)
+ elif charFrequs[letter] < 5:
+ total += (charFrequs[letter] - 0.75)
+ elif charFrequs[letter] < 6:
+ total += (charFrequs[letter] - 0.5)
+ elif charFrequs[letter] < 7:
+ total += (charFrequs[letter] - 0.25)
+ else:
+ total += charFrequs[letter]
+
+ # print (seString, total)
+
+ return total / float(len(seString) * 2)
+
+
+# Check for PE header, return false if not a PE
+def check_pe_header(filepath):
+ try:
+ with open(filepath, 'rb') as fp:
+ if (fp.read(2) == b'MZ'):
+ fp.read(58)
+ peoff = struct.unpack('i', fp.read(4))
+ advance = peoff[0] - 64
+ fp.read(advance)
+ if (fp.read(2) == b'PE'):
+ return True
+ return False
+
+ except(Exception) as e:
+ print("LOG - PE Parsing Error, sure this is a PE file?")
+ return False
+ return False
+
+
+# SAMPLE ATTRIBUTE GETTERS
+
+# MD5
+# filename
+# filetype
+# ssdeep
+# imphash
+# size
+# compilationTS
+# address of EP
+# EP section
+# number of section
+# original filename
+# number TLS sections
+
+def sha1hash(path):
+ with open(path, 'rb') as f:
+ return sha1(f.read()).hexdigest()
+
+
+def md5hash(path):
+ with open(path, 'rb') as f:
+ return md5(f.read()).hexdigest()
+
+
+def getFilename(path):
+ return basename(path)
+
+
+def getFiletype(path):
+ return ""
+
+
+# return magic.from_file(path)
+
+def getFilesize(path):
+ return getsize(path)
+
+
+def getPeSubsystem(path):
+ pass
+
+
+def getSsdeep(path):
+ return "" # pydeep.hash_file(path)
+
+
+def getImphash(pe):
+ return pe.get_imphash()
+
+
+def getCompilationTS(pe):
+ return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(pe.FILE_HEADER.TimeDateStamp))
+
+
+def getEPAddress(pe):
+ return pe.OPTIONAL_HEADER.AddressOfEntryPoint
+
+
+def getSectionCount(pe):
+ return pe.FILE_HEADER.NumberOfSections
+
+
+def getOriginalFilename(pe):
+ oriFilename = ""
+ if hasattr(pe, 'VS_VERSIONINFO'):
+ if hasattr(pe, 'FileInfo'):
+ for entry in pe.FileInfo:
+ if hasattr(entry, 'StringTable'):
+ for st_entry in entry.StringTable:
+ ofn = st_entry.entries.get(b'OriginalFilename')
+ if ofn:
+ if isinstance(ofn, bytes):
+ oriFilename = ofn.decode()
+ else:
+ oriFilename = ofn
+ return oriFilename
+
+
+def getEPSection(pe):
+ name = ''
+ if hasattr(pe, 'OPTIONAL_HEADER'):
+ ep = pe.OPTIONAL_HEADER.AddressOfEntryPoint
+ else:
+ return False
+ pos = 0
+ for sec in pe.sections:
+ if (ep >= sec.VirtualAddress) and (ep < (sec.VirtualAddress + sec.Misc_VirtualSize)):
+ name = sec.Name.replace(b'\x00', b'')
+ break
+ else:
+ pos += 1
+ if name:
+ return (name.decode('utf-8', 'ignore') + "|" + pos.__str__())
+ return ''
+
+
+def getTLSSectionCount(pe):
+ idx = 0
+ if (hasattr(pe, 'DIRECTORY_ENTRY_TLS') and pe.DIRECTORY_ENTRY_TLS and pe.DIRECTORY_ENTRY_TLS.struct
+ and pe.DIRECTORY_ENTRY_TLS.struct.AddressOfCallBacks):
+ callback_array_rva = pe.DIRECTORY_ENTRY_TLS.struct.AddressOfCallBacks - pe.OPTIONAL_HEADER.ImageBase
+
+ while True:
+ func = pe.get_dword_from_data(pe.get_data(callback_array_rva + 4 * idx, 4), 0)
+ if func == 0:
+ break
+ idx += 1
+ return idx
+
+
+# Returns Entropy value for given data chunk
+def Hvalue(data):
+ if not data:
+ return 0.0
+
+ occurences = Counter(bytearray(data))
+
+ entropy = 0
+ for x in occurences.values():
+ p_x = float(x) / len(data)
+ if p_x > 0:
+ entropy += - p_x * math.log(p_x, 2)
+
+ return entropy
+
+
+def getCodeSectionSize(pe):
+ for section in pe.sections:
+ print(section)
+
+
+def getSectionInfo(pe):
+ # Section info: names, sizes, entropy vals
+ sects = []
+ vadd = []
+ ent = []
+ secnumber = getSectionCount(pe)
+
+ for i in range(12):
+
+ if (i + 1 > secnumber):
+ strip = ""
+ strap = ""
+ entropy = ""
+
+ else:
+ stuff = pe.sections[i]
+ strip = stuff.Name.replace(b'\x00', b'')
+ strap = stuff.SizeOfRawData
+
+ entropy = Hvalue(stuff.get_data())
+
+ section_name = ""
+ try:
+ if strip != "":
+ section_name = strip.decode()
+ except:
+ section_name = "PARSINGERR"
+
+ sects.append(section_name)
+ ent.append(entropy)
+ vadd.append(strap)
+
+ secinfo = sects + vadd + ent
+ return secinfo
+
+
+# ATTRIBUTES: md5, sha1, filename, filetype, ssdeep, filesize, imphash, compilationts, addressep, sectionep,
+# sectioncount, sectioninfo, tlssections, originalfilename
+
+def getAllAttributes(path):
+ allAtts = {'md5': md5hash(path), 'sha1': sha1hash(path), 'filename': getFilename(path),
+ 'filetype': getFiletype(path), 'ssdeep': getSsdeep(path), 'filesize': getFilesize(path)}
+
+ try:
+ pe = pefile.PE(path)
+ if (pe.DOS_HEADER.e_magic == int(0x5a4d) and pe.NT_HEADERS.Signature == int(0x4550)):
+ allAtts['imphash'] = getImphash(pe)
+ allAtts['compilationts'] = getCompilationTS(pe)
+ allAtts['addressep'] = getEPAddress(pe)
+ allAtts['sectionep'] = getEPSection(pe)
+ allAtts['sectioncount'] = getSectionCount(pe)
+ allAtts['sectioninfo'] = getSectionInfo(pe)
+ allAtts['tlssections'] = getTLSSectionCount(pe)
+ allAtts['originalfilename'] = getOriginalFilename(pe)
+
+ except (pefile.PEFormatError):
+ allAtts['imphash'] = ''
+ allAtts['compilationts'] = ''
+ allAtts['addressep'] = ''
+ allAtts['sectionep'] = ''
+ allAtts['sectioncount'] = ''
+ allAtts['sectioninfo'] = ''
+ allAtts['tlssections'] = ''
+ allAtts['originalfilename'] = ''
+
+ return allAtts
diff --git a/utils/hachi.db b/utils/hachi.db
new file mode 100644
index 0000000..4724f37
Binary files /dev/null and b/utils/hachi.db differ
diff --git a/utils/mitre.json b/utils/mitre.json
new file mode 100644
index 0000000..6f7863d
--- /dev/null
+++ b/utils/mitre.json
@@ -0,0 +1,1325 @@
+{
+ "Initial Access": {
+ "T1189": {
+ "name": "Drive-by Compromise",
+ "description": "A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation."
+ },
+
+ "T1190": {
+ "name": "Exploit Public-Facing Application",
+ "description": "The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL) , standard services (like SMB or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services. Depending on the flaw being exploited this may include Exploitation for Defense Evasion."
+ },
+
+ "T1133": {
+ "name": "External Remote Services",
+ "description": "Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally."
+ },
+
+ "T1200": {
+ "name": "Hardware Additions",
+ "description": "Computer accessories, computers, or networking hardware may be introduced into a system as a vector to gain execution. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping , man-in-the middle encryption breaking , keystroke injection , kernel memory reading via DMA , adding new wireless access to an existing network , and others."
+ },
+
+ "T1091": {
+ "name": "Replication Through Removable Media",
+ "description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself."
+ },
+
+ "T1193": {
+ "name": "Spearphishing Attachment",
+ "description": "Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution."
+ },
+
+ "T1192": {
+ "name": "Spearphishing Link",
+ "description": "Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments."
+ },
+
+ "T1194": {
+ "name": "Spearphishing via Service",
+ "description": "Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels."
+ },
+
+ "T1195": {
+ "name": "Supply Chain Compromise",
+ "description": "Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise."
+ },
+
+ "T1199": {
+ "name": "Trusted Relationship",
+ "description": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network."
+ },
+
+ "T1078": {
+ "name": "Valid Accounts",
+ "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access."
+ }
+ },
+ "Execution": {
+ "T1155": {
+ "name": "AppleScript",
+ "description": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program."
+ },
+
+ "T1191": {
+ "name": "CMSTP",
+ "description": "The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections."
+ },
+
+ "T1059": {
+ "name": "Command-Line Interface",
+ "description": "Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd, which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task)."
+ },
+
+ "T1223": {
+ "name": "Compiled HTML File",
+ "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe)."
+ },
+
+ "T1196": {
+ "name": "Control Panel Items",
+ "description": "Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file."
+ },
+
+ "T1173": {
+ "name": "Dynamic Data Exchange",
+ "description": "Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution."
+ },
+
+ "T1106": {
+ "name": "Execution through API",
+ "description": "Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters."
+ },
+
+ "T1129": {
+ "name": "Execution through Module Load",
+ "description": "The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API."
+ },
+
+ "T1203": {
+ "name": "Exploitation for Client Execution",
+ "description": "Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility."
+ },
+
+ "T1061": {
+ "name": "Graphical User Interface",
+ "description": "The Graphical User Interfaces (GUI) is a common way to interact with an operating system. Adversaries may use a system's GUI during an operation, commonly through a remote interactive session such as Remote Desktop Protocol, instead of through a Command-Line Interface, to search for information and execute files via mouse double-click events, the Windows Run command , or other potentially difficult to monitor interactions."
+ },
+
+ "T1118": {
+ "name": "InstallUtil",
+ "description": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe. InstallUtil.exe is digitally signed by Microsoft."
+ },
+
+ "T1152": {
+ "name": "Launchctl",
+ "description": "Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made . Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute \"arg\" \"arg\" \"arg\". Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges."
+ },
+
+ "T1168": {
+ "name": "Local Job Scheduling",
+ "description": "On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, at, and launchd. Unlike Scheduled Task on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH)."
+ },
+
+ "T1177": {
+ "name": "LSASS Driver",
+ "description": "The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process."
+ },
+
+ "T1170": {
+ "name": "Mshta",
+ "description": "Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .hta. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser."
+ },
+
+ "T1086": {
+ "name": "PowerShell",
+ "description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer."
+ },
+
+ "T1121": {
+ "name": "Regsvcs/Regasm",
+ "description": "Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft."
+ },
+
+ "T1117": {
+ "name": "Regsvr32",
+ "description": "Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries."
+ },
+
+ "T1085": {
+ "name": "Rundll32",
+ "description": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations."
+ },
+
+ "T1053": {
+ "name": "Scheduled Task",
+ "description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system."
+ },
+
+ "T1064": {
+ "name": "Scripting",
+ "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts."
+ },
+
+ "T1035": {
+ "name": "Service Execution",
+ "description": "Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation."
+ },
+
+ "T1218": {
+ "name": "Signed Binary Proxy Execution",
+ "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques."
+ },
+
+ "T1216": {
+ "name": "Signed Script Proxy Execution",
+ "description": "Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts."
+ },
+
+ "T1153": {
+ "name": "Source",
+ "description": "The source command loads functions into the current shell or executes files in the current context. This built-in command can be run in two different ways source /path/to/filename [arguments] or . /path/to/filename [arguments]. Take note of the space after the \".\". Without a space, a new shell is created that runs the program instead of running the program within the current context. This is often used to make certain features or functions available to a shell or to update a specific shell's environment."
+ },
+
+ "T1151": {
+ "name": "Space after Filename",
+ "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to \"evil.txt \" (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed ."
+ },
+
+ "T1072": {
+ "name": "Third-party Software",
+ "description": "Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). If an adversary gains access to these systems, then they may be able to execute code."
+ },
+
+ "T1154": {
+ "name": "Trap",
+ "description": "The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received."
+ },
+
+ "T1127": {
+ "name": "Trusted Developer Utilities",
+ "description": "There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions."
+ },
+
+ "T1204": {
+ "name": "User Execution",
+ "description": "An adversary may rely upon specific actions by a user in order to gain execution. This may be direct code execution, such as when a user opens a malicious executable delivered via Spearphishing Attachment with the icon and apparent extension of a document file. It also may lead to other execution techniques, such as when a user clicks on a link delivered via Spearphishing Link that leads to exploitation of a browser or application vulnerability via Exploitation for Client Execution. While User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it."
+ },
+
+ "T1047": {
+ "name": "Windows Management Instrumentation",
+ "description": "Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135."
+ },
+
+ "T1028": {
+ "name": "Windows Remote Management",
+ "description": "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell."
+ },
+
+ "T1220": {
+ "name": "XSL Script Processing",
+ "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages."
+ }
+ },
+ "Persistence": {
+ "T1156": {
+ "name": ".bash_profile and .bashrc",
+ "description": "~/.bash_profile and ~/.bashrc are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), ~/.bash_profile is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, ~/.bashrc is executed. This allows users more fine grained control over when they want certain commands executed."
+ },
+ "T1015": {
+ "name": "Accessibility Features",
+ "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system."
+ },
+ "T1098": {
+ "name": "Account Manipulation",
+ "description": "Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to subvert password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain."
+ },
+ "T1182": {
+ "name": "AppCert DLLs",
+ "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec."
+ },
+ "T1103": {
+ "name": "AppInit DLLs",
+ "description": "Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. Similar to Process Injection, these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer."
+ },
+ "T1138": {
+ "name": "Application Shimming",
+ "description": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses Hooking to redirect the code as necessary in order to communicate with the OS."
+ },
+ "T1131": {
+ "name": "Authentication Package",
+ "description": "Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system."
+ },
+ "T1197": {
+ "name": "BITS Jobs",
+ "description": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations."
+ },
+ "T1067": {
+ "name": "Bootkit",
+ "description": "A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR)."
+ },
+ "T1176": {
+ "name": "Browser Extensions",
+ "description": "Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access."
+ },
+ "T1042": {
+ "name": "Change Default File Association",
+ "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened."
+ },
+ "T1109": {
+ "name": "Component Firmware",
+ "description": "Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks."
+ },
+ "T1122": {
+ "name": "Component Object Model Hijacking",
+ "description": "The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection."
+ },
+ "T1136": {
+ "name": "Create Account",
+ "description": "Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system."
+ },
+ "T1038": {
+ "name": "DLL Search Order Hijacking",
+ "description": "Windows systems use a common method to look for required DLLs to load into a program. Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence."
+ },
+ "T1157": {
+ "name": "Dylib Hijacking",
+ "description": "macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence."
+ },
+ "T1133": {
+ "name": "External Remote Services",
+ "description": "Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally."
+ },
+ "T1044": {
+ "name": "File System Permissions Weakness",
+ "description": "Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM."
+ },
+ "T1158": {
+ "name": "Hidden Files and Directories",
+ "description": "To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS)."
+ },
+ "T1179": {
+ "name": "Hooking",
+ "description": "Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions."
+ },
+ "T1062": {
+ "name": "Hypervisor",
+ "description": "A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system. A malicious hypervisor of this nature could be used to persist on systems through interruption."
+ },
+ "T1183": {
+ "name": "Image File Execution Options Injection",
+ "description": "Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\\dbg\\ntsd.exe -g notepad.exe”)."
+ },
+ "T1215": {
+ "name": "Kernel Modules and Extensions",
+ "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode Rootkit that run with the highest operating system privilege (Ring 0). Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild and there are some open source projects."
+ },
+ "T1159": {
+ "name": "Launch Agent",
+ "description": "Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents . These launch agents have property list files which point to the executables that will be launched ."
+ },
+ "T1160": {
+ "name": "Launch Daemon",
+ "description": "Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons . These LaunchDaemons have property list files which point to the executables that will be launched ."
+ },
+ "T1152": {
+ "name": "Launchctl",
+ "description": "Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made . Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute arg arg arg. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges."
+ },
+ "T1161": {
+ "name": "LC_LOAD_DYLIB Addition",
+ "description": "Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long adjustments are made to the rest of the fields and dependencies . There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time ."
+ },
+ "T1168": {
+ "name": "Local Job Scheduling",
+ "description": "On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, at, and launchd. Unlike Scheduled Task on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH)."
+ },
+ "T1162": {
+ "name": "Login Item",
+ "description": "MacOS provides the option to list specific applications to run when a user logs in. These applications run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them . Users have direct control over login items installed using a shared file list which are also visible in System Preferences . These login items are stored in the user's ~/Library/Preferences/ directory in a plist file called com.apple.loginitems.plist . Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to ‘Hide’ the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in . The API method SMLoginItemSetEnabled can be used to set Login Items, but scripting languages like AppleScript can do this as well ."
+ },
+ "T1037": {
+ "name": "Logon Scripts",
+ "description": "Windows allows logon scripts to be run whenever a specific user or group of users log into a system. The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server."
+ },
+ "T1177": {
+ "name": "LSASS Driver",
+ "description": "The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process."
+ },
+ "T1031": {
+ "name": "Modify Existing Service",
+ "description": "Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg."
+ },
+ "T1128": {
+ "name": "Netsh Helper DLL",
+ "description": "Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh."
+ },
+ "T1050": {
+ "name": "New Service",
+ "description": "When operating systems boot up, they can start programs or applications called services that perform background system functions. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry."
+ },
+ "T1137": {
+ "name": "Office Application Startup",
+ "description": "Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started."
+ },
+ "T1034": {
+ "name": "Path Interception",
+ "description": "Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of cmd in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function."
+ },
+ "T1150": {
+ "name": "Plist Modification",
+ "description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges)."
+ },
+ "T1205": {
+ "name": "Port Knocking",
+ "description": "Port Knocking is a well-established method used by both defenders and adversaries to hide open ports from access. To enable a port, an adversary sends a series of packets with certain characteristics before the port will be opened. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports, but can involve unusual flags, specific strings or other unique characteristics. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software."
+ },
+ "T1013": {
+ "name": "Port Monitors",
+ "description": "A port monitor can be set through the API call to set a DLL to be loaded at startup. This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors."
+ },
+ "T1163": {
+ "name": "Rc.common",
+ "description": "During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts . In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used."
+ },
+ "T1164": {
+ "name": "Re-opened Applications",
+ "description": "Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist."
+ },
+ "T1108": {
+ "name": "Redundant Access",
+ "description": "Adversaries may use more than one remote access tool with varying command and control protocols as a hedge against detection. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to Valid Accounts to use External Remote Services such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network."
+ },
+ "T1060": {
+ "name": "Registry Run Keys / Startup Folder",
+ "description": "Adding an entry to the \"run keys \" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level."
+ },
+ "T1053": {
+ "name": "Scheduled Task",
+ "description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system."
+ },
+ "T1180": {
+ "name": "Screensaver",
+ "description": "Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\ on 64-bit Windows systems, along with screensavers included with base Windows installations."
+ },
+ "T1101": {
+ "name": "Security Support Provider",
+ "description": "Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called."
+ },
+ "T1058": {
+ "name": "Service Registry Permissions Weakness",
+ "description": "Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through Access Control Lists and permissions."
+ },
+ "T1166": {
+ "name": "Setuid and Setgid",
+ "description": "When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively . Normally an application is run in the current user’s context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x \" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]."
+ },
+ "T1023": {
+ "name": "Shortcut Modification",
+ "description": "Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program."
+ },
+ "T1198": {
+ "name": "SIP and Trust Provider Hijacking",
+ "description": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature."
+ },
+ "T1165": {
+ "name": "Startup Items",
+ "description": "Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items . This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory."
+ },
+ "T1019": {
+ "name": "System Firmware",
+ "description": "The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer."
+ },
+ "T1501": {
+ "name": "Systemd Service",
+ "description": "Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems."
+ },
+ "T1209": {
+ "name": "Time Providers",
+ "description": "The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients."
+ },
+ "T1154": {
+ "name": "Trap",
+ "description": "The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received."
+ },
+ "T1078": {
+ "name": "Valid Accounts",
+ "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access."
+ },
+ "T1100": {
+ "name": "Web Shell",
+ "description": "A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client)."
+ },
+ "T1084": {
+ "name": "Windows Management Instrumentation Event Subscription",
+ "description": "Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts. Examples of events that may be subscribed to are the wall clock time or the computer's uptime. Several threat groups have reportedly used this technique to maintain persistence."
+ },
+ "T1004": {
+ "name": "Winlogon Helper DLL",
+ "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon."
+ }
+ },
+ "Privilege Escalation": {
+ "T1134": {
+ "name": "Access Token Manipulation",
+ "description": "Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas."
+ },
+ "T1015": {
+ "name": "Accessibility Features",
+ "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system."
+ },
+ "T1182": {
+ "name": "AppCert DLLs",
+ "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec."
+ },
+ "T1103": {
+ "name": "AppInit DLLs",
+ "description": "Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. Similar to Process Injection, these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer."
+ },
+ "T1138": {
+ "name": "Application Shimming",
+ "description": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses Hooking to redirect the code as necessary in order to communicate with the OS."
+ },
+ "T1088": {
+ "name": "Bypass User Account Control",
+ "description": "Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action."
+ },
+ "T1038": {
+ "name": "DLL Search Order Hijacking",
+ "description": "Windows systems use a common method to look for required DLLs to load into a program. Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence."
+ },
+ "T1157": {
+ "name": "Dylib Hijacking",
+ "description": "macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence."
+ },
+ "T1068": {
+ "name": "Exploitation for Privilege Escalation",
+ "description": "Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform Privilege Escalation to include use of software exploitation to circumvent those restrictions."
+ },
+ "T1181": {
+ "name": "Extra Window Memory Injection",
+ "description": "Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value."
+ },
+ "T1044": {
+ "name": "File System Permissions Weakness",
+ "description": "Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM."
+ },
+ "T1179": {
+ "name": "Hooking",
+ "description": "Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions."
+ },
+ "T1183": {
+ "name": "Image File Execution Options Injection",
+ "description": "Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\\dbg\\ntsd.exe -g notepad.exe”)."
+ },
+ "T1160": {
+ "name": "Launch Daemon",
+ "description": "Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons . These LaunchDaemons have property list files which point to the executables that will be launched ."
+ },
+ "T1050": {
+ "name": "New Service",
+ "description": "When operating systems boot up, they can start programs or applications called services that perform background system functions. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry."
+ },
+ "T1034": {
+ "name": "Path Interception",
+ "description": "Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of cmd in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function."
+ },
+ "T1150": {
+ "name": "Plist Modification",
+ "description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges)."
+ },
+ "T1013": {
+ "name": "Port Monitors",
+ "description": "A port monitor can be set through the API call to set a DLL to be loaded at startup. This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors."
+ },
+ "T1055": {
+ "name": "Process Injection",
+ "description": "Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process."
+ },
+ "T1053": {
+ "name": "Scheduled Task",
+ "description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system."
+ },
+ "T1058": {
+ "name": "Service Registry Permissions Weakness",
+ "description": "Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through Access Control Lists and permissions."
+ },
+ "T1166": {
+ "name": "Setuid and Setgid",
+ "description": "When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively . Normally an application is run in the current user’s context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 \\[file\\] or via shorthand naming, chmod u+s \\[file\\]."
+ },
+ "T1178": {
+ "name": "SID-History Injection",
+ "description": "The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. An account can hold additional SIDs in the SID-History Active Directory attribute , allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens)."
+ },
+ "T1165": {
+ "name": "Startup Items",
+ "description": "Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items . This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory."
+ },
+ "T1169": {
+ "name": "Sudo",
+ "description": "The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the idea of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL ."
+ },
+ "T1206": {
+ "name": "Sudo Caching",
+ "description": "The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\" Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout that is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again)."
+ },
+ "T1078": {
+ "name": "Valid Accounts",
+ "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access."
+ },
+ "T1100": {
+ "name": "Web Shell",
+ "description": "A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client)."
+ }
+ },
+ "Defense Evasion": {
+ "T1134": {
+ "name": "Access Token Manipulation",
+ "description": "Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas."
+ },
+ "T1009": {
+ "name": "Binary Padding",
+ "description": "Some security tools inspect files with static signatures to determine if they are known malicious. Adversaries may add data to files to increase the size beyond what security tools are capable of handling or to change the file hash to avoid hash-based blacklists."
+ },
+ "T1197": {
+ "name": "BITS Jobs",
+ "description": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations."
+ },
+ "T1088": {
+ "name": "Bypass User Account Control",
+ "description": "Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action."
+ },
+ "T1146": {
+ "name": "Clear Command History",
+ "description": "macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as unset HISTFILE, export HISTFILESIZE=0, history -c, rm ~/.bash_history."
+ },
+ "T1191": {
+ "name": "CMSTP",
+ "description": "The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections."
+ },
+ "T1116": {
+ "name": "Code Signing",
+ "description": "Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. However, adversaries are known to use code signing certificates to masquerade malware and tools as legitimate binaries . The certificates used during an operation may be created, forged, or stolen by the adversary."
+ },
+ "T1500": {
+ "name": "Compile After Delivery",
+ "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to Obfuscated Files or Information, text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW."
+ },
+ "T1223": {
+ "name": "Compiled HTML File",
+ "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. CHM content is displayed using underlying components of the Internet Explorer browser loaded by the HTML Help executable program (hh.exe)."
+ },
+ "T1109": {
+ "name": "Component Firmware",
+ "description": "Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks."
+ },
+ "T1122": {
+ "name": "Component Object Model Hijacking",
+ "description": "The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection."
+ },
+ "T1196": {
+ "name": "Control Panel Items",
+ "description": "Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file."
+ },
+ "T1207": {
+ "name": "DCShadow",
+ "description": "DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a Domain Controller (DC). Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys."
+ },
+ "T1140": {
+ "name": "Deobfuscate/Decode Files or Information",
+ "description": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting, PowerShell, or by using utilities present on the system."
+ },
+ "T1089": {
+ "name": "Disabling Security Tools",
+ "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting."
+ },
+ "T1038": {
+ "name": "DLL Search Order Hijacking",
+ "description": "Windows systems use a common method to look for required DLLs to load into a program. Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence."
+ },
+ "T1073": {
+ "name": "DLL Side-Loading",
+ "description": "Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL."
+ },
+ "T1480": {
+ "name": "Execution Guardrails",
+ "description": "Execution guardrails constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target."
+ },
+ "T1211": {
+ "name": "Exploitation for Defense Evasion",
+ "description": "Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them."
+ },
+ "T1181": {
+ "name": "Extra Window Memory Injection",
+ "description": "Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value."
+ },
+ "T1107": {
+ "name": "File Deletion",
+ "description": "Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process."
+ },
+ "T1222": {
+ "name": "File Permissions Modification",
+ "description": "File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. File DACL implementation may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.)."
+ },
+ "T1006": {
+ "name": "File System Logical Offsets",
+ "description": "Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools."
+ },
+ "T1144": {
+ "name": "Gatekeeper Bypass",
+ "description": "In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution."
+ },
+ "T1484": {
+ "name": "Group Policy Modification",
+ "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain."
+ },
+ "T1158": {
+ "name": "Hidden Files and Directories",
+ "description": "To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS)."
+ },
+ "T1147": {
+ "name": "Hidden Users",
+ "description": "Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. By using the Create Account technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: sudo dscl . -create /Users/username UniqueID 401 ."
+ },
+ "T1143": {
+ "name": "Hidden Window",
+ "description": "The configurations for how applications run on macOS and OS X are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. However, adversaries can abuse this feature and hide their running window ."
+ },
+ "T1148": {
+ "name": "HISTCONTROL",
+ "description": "The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands."
+ },
+ "T1183": {
+ "name": "Image File Execution Options Injection",
+ "description": "Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger."
+ },
+ "T1054": {
+ "name": "Indicator Blocking",
+ "description": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include modifying sensor settings stored in configuration files and/or Registry keys to disable or maliciously redirect event telemetry."
+ },
+ "T1066": {
+ "name": "Indicator Removal from Tools",
+ "description": "If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems."
+ },
+ "T1070": {
+ "name": "Indicator Removal on Host",
+ "description": "Adversaries may delete or alter generated artifacts on a host system, including logs and potentially captured files such as quarantined malware. Locations and format of logs will vary, but typical organic system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/* ."
+ },
+ "T1202": {
+ "name": "Indirect Command Execution",
+ "description": "Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command-Line Interface, Run window, or via scripts."
+ },
+ "T1130": {
+ "name": "Install Root Certificate",
+ "description": "Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website."
+ },
+ "T1118": {
+ "name": "InstallUtil",
+ "description": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is located in the .NET directories on a Windows system: C:\\Windows\\Microsoft.NET\\Framework\\v\\InstallUtil.exe and C:\\Windows\\Microsoft.NET\\Framework64\\v\\InstallUtil.exe. InstallUtil.exe is digitally signed by Microsoft."
+ },
+ "T1152": {
+ "name": "Launchctl",
+ "description": "Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made . Running a command from launchctl is as simple as launchctl submit -l -- /Path/to/thing/to/execute \"arg\" \"arg\" \"arg\". Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges."
+ },
+ "T1149": {
+ "name": "LC_MAIN Hijacking",
+ "description": "As of OS X 10.8, mach-O binaries introduced a new header called LC_MAIN that points to the binary’s entry point for execution. Previously, there were two headers to achieve this same effect: LC_THREAD and LC_UNIXTHREAD . The entry point for a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then goes back to the initial entry point so that the victim doesn’t know anything was different . By modifying a binary in this way, application whitelisting can be bypassed because the file name or application path is still the same."
+ },
+ "T1036": {
+ "name": "Masquerading",
+ "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed."
+ },
+ "T1112": {
+ "name": "Modify Registry",
+ "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution."
+ },
+ "T1170": {
+ "name": "Mshta",
+ "description": "Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .hta. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser."
+ },
+ "T1126": {
+ "name": "Network Share Connection Removal",
+ "description": "Windows shared drive and Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\\share /delete command."
+ },
+ "T1096": {
+ "name": "NTFS File Attributes",
+ "description": "Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition."
+ },
+ "T1027": {
+ "name": "Obfuscated Files or Information",
+ "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses."
+ },
+ "T1150": {
+ "name": "Plist Modification",
+ "description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges)."
+ },
+ "T1205": {
+ "name": "Port Knocking",
+ "description": "Port Knocking is a well-established method used by both defenders and adversaries to hide open ports from access. To enable a port, an adversary sends a series of packets with certain characteristics before the port will be opened. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports, but can involve unusual flags, specific strings or other unique characteristics. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software."
+ },
+ "T1186": {
+ "name": "Process Doppelgänging",
+ "description": "Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction."
+ },
+ "T1093": {
+ "name": "Process Hollowing",
+ "description": "Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to Process Injection, execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis."
+ },
+ "T1055": {
+ "name": "Process Injection",
+ "description": "Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process."
+ },
+ "T1108": {
+ "name": "Redundant Access",
+ "description": "Adversaries may use more than one remote access tool with varying command and control protocols as a hedge against detection. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to Valid Accounts to use External Remote Services such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network."
+ },
+ "T1121": {
+ "name": "Regsvcs/Regasm",
+ "description": "Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft."
+ },
+ "T1117": {
+ "name": "Regsvr32",
+ "description": "Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries."
+ },
+ "T1014": {
+ "name": "Rootkit",
+ "description": "Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking) and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the System Firmware."
+ },
+ "T1085": {
+ "name": "Rundll32",
+ "description": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations."
+ },
+ "T1064": {
+ "name": "Scripting",
+ "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts."
+ },
+ "T1218": {
+ "name": "Signed Binary Proxy Execution",
+ "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques."
+ },
+ "T1216": {
+ "name": "Signed Script Proxy Execution",
+ "description": "Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts."
+ },
+ "T1198": {
+ "name": "SIP and Trust Provider Hijacking",
+ "description": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature."
+ },
+ "T1045": {
+ "name": "Software Packing",
+ "description": "Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory."
+ },
+ "T1151": {
+ "name": "Space after Filename",
+ "description": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to \"evil.txt \" (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed ."
+ },
+ "T1221": {
+ "name": "Template Injection",
+ "description": "Microsoft’s Open Office XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered."
+ },
+ "T1099": {
+ "name": "Timestomp",
+ "description": "Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools."
+ },
+ "T1127": {
+ "name": "Trusted Developer Utilities",
+ "description": "There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions."
+ },
+ "T1078": {
+ "name": "Valid Accounts",
+ "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access."
+ },
+ "T1497": {
+ "name": "Virtualization/Sandbox Evasion",
+ "description": "Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads."
+ },
+ "T1102": {
+ "name": "Web Service",
+ "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system."
+ },
+ "T1220": {
+ "name": "XSL Script Processing",
+ "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages."
+ }
+ },
+ "Credential Access": {
+ "T1098": {
+ "name": "Account Manipulation",
+ "description": "Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to subvert password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain."
+ },
+ "T1139": {
+ "name": "Bash History",
+ "description": "Bash keeps track of the commands users type on the command-line with the \"history \" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials."
+ },
+ "T1110": {
+ "name": "Brute Force",
+ "description": "Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained."
+ },
+ "T1003": {
+ "name": "Credential Dumping",
+ "description": "Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information."
+ },
+ "T1081": {
+ "name": "Credentials in Files",
+ "description": "Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords."
+ },
+ "T1214": {
+ "name": "Credentials in Registry",
+ "description": "The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons."
+ },
+ "T1212": {
+ "name": "Exploitation for Credential Access",
+ "description": "Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions. Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained."
+ },
+ "T1187": {
+ "name": "Forced Authentication",
+ "description": "The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources. Web Distributed Authoring and Versioning (WebDAV) is typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443."
+ },
+ "T1179": {
+ "name": "Hooking",
+ "description": "Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions."
+ },
+ "T1056": {
+ "name": "Input Capture",
+ "description": "Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception."
+ },
+ "T1141": {
+ "name": "Input Prompt",
+ "description": "When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Account Control)."
+ },
+ "T1208": {
+ "name": "Kerberoasting",
+ "description": "Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service )."
+ },
+ "T1142": {
+ "name": "Keychain",
+ "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials."
+ },
+ "T1171": {
+ "name": "LLMNR/NBT-NS Poisoning and Relay",
+ "description": "Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name."
+ },
+ "T1040": {
+ "name": "Network Sniffing",
+ "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data."
+ },
+ "T1174": {
+ "name": "Password Filter DLL",
+ "description": "Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link libraries (DLLs) containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts."
+ },
+ "T1145": {
+ "name": "Private Keys",
+ "description": "Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures."
+ },
+ "T1167": {
+ "name": "Securityd Memory",
+ "description": "In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password."
+ },
+ "T1111": {
+ "name": "Two-Factor Authentication Interception",
+ "description": "Use of two- or multifactor authentication is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. Adversaries may target authentication mechanisms, such as smart cards, to gain access to systems, services, and network resources."
+ }
+ },
+
+ "Discovery": {
+ "T1087": {
+ "name": "Account Discovery",
+ "description": "Adversaries may attempt to get a listing of local system or domain accounts."
+ },
+ "T1010": {
+ "name": "Application Window Discovery",
+ "description": "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger."
+ },
+ "T1217": {
+ "name": "Browser Bookmark Discovery",
+ "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure."
+ },
+ "T1482": {
+ "name": "Domain Trust Discovery",
+ "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify Lateral Movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts."
+ },
+ "T1083": {
+ "name": "File and Directory Discovery",
+ "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system."
+ },
+ "T1046": {
+ "name": "Network Service Scanning",
+ "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system."
+ },
+ "T1135": {
+ "name": "Network Share Discovery",
+ "description": "Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network."
+ },
+ "T1040": {
+ "name": "Network Sniffing",
+ "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data."
+ },
+ "T1201": {
+ "name": "Password Policy Discovery",
+ "description": "Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through Brute Force. An adversary may attempt to access detailed information about the password policy used within an enterprise network. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts)."
+ },
+ "T1120": {
+ "name": "Peripheral Device Discovery",
+ "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions."
+ },
+ "T1069": {
+ "name": "Permission Groups Discovery",
+ "description": "Adversaries may attempt to find local system or domain-level groups and permissions settings."
+ },
+ "T1057": {
+ "name": "Process Discovery",
+ "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network."
+ },
+ "T1012": {
+ "name": "Query Registry",
+ "description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software."
+ },
+ "T1018": {
+ "name": "Remote System Discovery",
+ "description": "Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems."
+ },
+ "T1063": {
+ "name": "Security Software Discovery",
+ "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. These checks may be built into early-stage remote access tools."
+ },
+ "T1082": {
+ "name": "System Information Discovery",
+ "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture."
+ },
+ "T1016": {
+ "name": "System Network Configuration Discovery",
+ "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route."
+ },
+ "T1049": {
+ "name": "System Network Connections Discovery",
+ "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network."
+ },
+ "T1033": {
+ "name": "System Owner/User Discovery",
+ "description": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs."
+ },
+ "T1007": {
+ "name": "System Service Discovery",
+ "description": "Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist / svc \" using Tasklist, and \"net start \" using Net, but adversaries may also use other tools as well."
+ },
+ "T1124": {
+ "name": "System Time Discovery",
+ "description": "The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network."
+ },
+ "T1497": {
+ "name": "Virtualization/Sandbox Evasion",
+ "description": "Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads."
+ }
+ },
+ "Lateral Movement": {
+ "T1155": {
+ "name": "AppleScript",
+ "description": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program."
+ },
+ "T1017": {
+ "name": "Application Deployment Software",
+ "description": "Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment."
+ },
+ "T1175": {
+ "name": "Distributed Component Object Model",
+ "description": "Windows Distributed Component Object Model (DCOM) is transparent middleware that extends the functionality of Component Object Model (COM) beyond a local computer using remote procedure call (RPC) technology. COM is a component of the Windows application programming interface (API) that enables interaction between software objects. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE)."
+ },
+ "T1210": {
+ "name": "Exploitation of Remote Services",
+ "description": "Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system."
+ },
+ "T1037": {
+ "name": "Logon Scripts",
+ "description": "Windows allows logon scripts to be run whenever a specific user or group of users log into a system. The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server."
+ },
+ "T1075": {
+ "name": "Pass the Hash",
+ "description": "Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems."
+ },
+ "T1097": {
+ "name": "Pass the Ticket",
+ "description": "Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system."
+ },
+ "T1076": {
+ "name": "Remote Desktop Protocol",
+ "description": "Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS."
+ },
+ "T1105": {
+ "name": "Remote File Copy",
+ "description": "Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp."
+ },
+ "T1021": {
+ "name": "Remote Services",
+ "description": "An adversary may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user."
+ },
+ "T1091": {
+ "name": "Replication Through Removable Media",
+ "description": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself."
+ },
+ "T1051": {
+ "name": "Shared Webroot",
+ "description": "Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or Web content directory and then browse to that content with a Web browser to cause the server to execute the malicious content. The malicious content will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured."
+ },
+ "T1184": {
+ "name": "SSH Hijacking",
+ "description": "Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair."
+ },
+ "T1080": {
+ "name": "Taint Shared Content",
+ "description": "Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally."
+ },
+ "T1072": {
+ "name": "Third-party Software",
+ "description": "Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). If an adversary gains access to these systems, then they may be able to execute code."
+ },
+ "T1077": {
+ "name": "Windows Admin Shares",
+ "description": "Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$."
+ },
+ "T1028": {
+ "name": "Windows Remote Management",
+ "description": "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell."
+ }
+ },
+ "Collection": {
+ "T1123": {
+ "name": "Audio Capture",
+ "description": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information."
+ },
+ "T1119": {
+ "name": "Automated Collection",
+ "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of Scripting to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools."
+ },
+ "T1115": {
+ "name": "Clipboard Data",
+ "description": "Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications."
+ },
+ "T1213": {
+ "name": "Data from Information Repositories",
+ "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information."
+ },
+ "T1005": {
+ "name": "Data from Local System",
+ "description": "Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration."
+ },
+ "T1039": {
+ "name": "Data from Network Shared Drive",
+ "description": "Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration."
+ },
+ "T1025": {
+ "name": "Data from Removable Media",
+ "description": "Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration."
+ },
+ "T1074": {
+ "name": "Data Staged",
+ "description": "Collected data is staged in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Data Compressed or Data Encrypted."
+ },
+ "T1114": {
+ "name": "Email Collection",
+ "description": "Adversaries may target user email to collect sensitive information from a target."
+ },
+ "T1056": {
+ "name": "Input Capture",
+ "description": "Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception."
+ },
+ "T1185": {
+ "name": "Man in the Browser",
+ "description": "Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques."
+ },
+ "T1113": {
+ "name": "Screen Capture",
+ "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations."
+ },
+ "T1125": {
+ "name": "Video Capture",
+ "description": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files."
+ }
+ },
+ "Command and Control": {
+ "T1043": {
+ "name": "Commonly Used Port",
+ "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as."
+ },
+ "T1092": {
+ "name": "Communication Through Removable Media",
+ "description": "Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access."
+ },
+ "T1090": {
+ "name": "Connection Proxy",
+ "description": "A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap."
+ },
+ "T1094": {
+ "name": "Custom Command and Control Protocol",
+ "description": "Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing Standard Application Layer Protocol. Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack."
+ },
+ "T1024": {
+ "name": "Custom Cryptographic Protocol",
+ "description": "Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext."
+ },
+ "T1132": {
+ "name": "Data Encoding",
+ "description": "Command and control (C2) information is encoded using a standard data encoding system. Use of data encoding may be to adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, UTF-8, or other binary-to-text and character encoding systems. Some data encoding systems may also result in data compression, such as gzip."
+ },
+ "T1001": {
+ "name": "Data Obfuscation",
+ "description": "Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request."
+ },
+ "T1172": {
+ "name": "Domain Fronting",
+ "description": "Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. The technique involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored)."
+ },
+ "T1483": {
+ "name": "Domain Generation Algorithms",
+ "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions."
+ },
+ "T1008": {
+ "name": "Fallback Channels",
+ "description": "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds."
+ },
+ "T1188": {
+ "name": "Multi-hop Proxy",
+ "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source."
+ },
+ "T1104": {
+ "name": "Multi-Stage Channels",
+ "description": "Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult."
+ },
+ "T1026": {
+ "name": "Multiband Communication",
+ "description": "Some adversaries may split communications between different protocols. There could be one protocol for inbound command and control and another for outbound data, allowing it to bypass certain firewall restrictions. The split could also be random to simply avoid data threshold alerts on any one communication."
+ },
+ "T1079": {
+ "name": "Multilayer Encryption",
+ "description": "An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a custom encryption scheme within a protocol encryption scheme such as HTTPS or SMTPS."
+ },
+ "T1205": {
+ "name": "Port Knocking",
+ "description": "Port Knocking is a well-established method used by both defenders and adversaries to hide open ports from access. To enable a port, an adversary sends a series of packets with certain characteristics before the port will be opened. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports, but can involve unusual flags, specific strings or other unique characteristics. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software."
+ },
+ "T1219": {
+ "name": "Remote Access Tools",
+ "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries."
+ },
+ "T1105": {
+ "name": "Remote File Copy",
+ "description": "Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp."
+ },
+ "T1071": {
+ "name": "Standard Application Layer Protocol",
+ "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server."
+ },
+ "T1032": {
+ "name": "Standard Cryptographic Protocol",
+ "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files."
+ },
+ "T1095": {
+ "name": "Standard Non-Application Layer Protocol",
+ "description": "Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL)."
+ },
+ "T1065": {
+ "name": "Uncommonly Used Port",
+ "description": "Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured."
+ },
+ "T1102": {
+ "name": "Web Service",
+ "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system."
+ }
+ },
+ "Exfiltration": {
+ "T1020": {
+ "name": "Automated Exfiltration",
+ "description": "Data, such as sensitive documents, may be exfiltrated through the use of automated processing or Scripting after being gathered during Collection."
+ },
+ "T1002": {
+ "name": "Data Compressed",
+ "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib."
+ },
+ "T1022": {
+ "name": "Data Encrypted",
+ "description": "Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip."
+ },
+ "T1030": {
+ "name": "Data Transfer Size Limits",
+ "description": "An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts."
+ },
+ "T1048": {
+ "name": "Exfiltration Over Alternative Protocol",
+ "description": "Data exfiltration is performed with a different protocol from the main command and control protocol or channel. The data is likely to be sent to an alternate network location from the main command and control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, or some other network protocol. Different channels could include Internet Web services such as cloud storage."
+ },
+ "T1041": {
+ "name": "Exfiltration Over Command and Control Channel",
+ "description": "Data exfiltration is performed over the Command and Control channel. Data is encoded into the normal communications channel using the same protocol as command and control communications."
+ },
+ "T1011": {
+ "name": "Exfiltration Over Other Network Medium",
+ "description": "Exfiltration could occur over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel. Adversaries could choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network."
+ },
+ "T1052": {
+ "name": "Exfiltration Over Physical Medium",
+ "description": "In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems."
+ },
+ "T1029": {
+ "name": "Scheduled Transfer",
+ "description": "Data exfiltration may be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability."
+ }
+ },
+ "Impact": {
+ "T1485": {
+ "name": "Data Destruction",
+ "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure."
+ },
+ "T1486": {
+ "name": "Data Encrypted for Impact",
+ "description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted. In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR."
+ },
+ "T1491": {
+ "name": "Defacement",
+ "description": "Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion."
+ },
+ "T1488": {
+ "name": "Disk Content Wipe",
+ "description": "Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources."
+ },
+ "T1487": {
+ "name": "Disk Structure Wipe",
+ "description": "Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources."
+ },
+ "T1499": {
+ "name": "Endpoint Denial of Service",
+ "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion."
+ },
+ "T1495": {
+ "name": "Firmware Corruption",
+ "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot. Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards."
+ },
+ "T1490": {
+ "name": "Inhibit System Recovery",
+ "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact."
+ },
+ "T1498": {
+ "name": "Network Denial of Service",
+ "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion."
+ },
+ "T1496": {
+ "name": "Resource Hijacking",
+ "description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability."
+ },
+ "T1494": {
+ "name": "Runtime Data Manipulation",
+ "description": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user. By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making."
+ },
+ "T1489": {
+ "name": "Service Stop",
+ "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment."
+ },
+ "T1492": {
+ "name": "Stored Data Manipulation",
+ "description": "Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making."
+ },
+ "T1493": {
+ "name": "Transmitted Data Manipulation",
+ "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making."
+ }
+ }
+}
\ No newline at end of file
diff --git a/utils/mitre_table.py b/utils/mitre_table.py
new file mode 100644
index 0000000..a267301
--- /dev/null
+++ b/utils/mitre_table.py
@@ -0,0 +1,57 @@
+def table_creation(sig_json, mitre_json):
+ mitre_table_json = [
+ {"Initial Access": {}},
+ {"Execution": {}},
+ {"Persistence": {}},
+ {"Privilege Escalation": {}},
+ {"Defense Evasion": {}},
+ {"Credential Access": {}},
+ {"Discovery": {}},
+ {"Lateral Movement": {}},
+ {"Collection": {}},
+ {"Command and Control": {}},
+ {"Exfiltration": {}},
+ {"Impact": {}}
+ ]
+
+ keys = list()
+ total_table_entry = 0
+ for matched_tid in sig_json:
+ for tactic in mitre_json:
+ if matched_tid in mitre_json[tactic]:
+ for i in range(0, len(mitre_table_json)):
+ if tactic in mitre_table_json[i]:
+ mitre_table_json[i][tactic][matched_tid] = mitre_json[tactic][matched_tid]
+ total_table_entry = total_table_entry + 1
+
+ tid_len = []
+ for i in range(0, len(mitre_table_json)):
+ for tactic in mitre_table_json[i]:
+ tid_len.append(len(mitre_table_json[i][tactic]))
+
+ table_code = []
+ for i in range(0, len(mitre_table_json)):
+ for key in mitre_table_json[i]:
+ keys.append(key)
+ table_code.append(keys)
+ added_count = 0
+ for i in range(0, len(sig_json.keys())):
+ row = []
+ for j in range(0, len(mitre_table_json)):
+ if tid_len[j] != 0:
+ for key in mitre_table_json[j]:
+ counter = 0
+ for tid in mitre_table_json[j][key]:
+ if i == counter:
+ row.append({"name": mitre_table_json[j][key][tid]["name"], "id": tid})
+ added_count = added_count + 1
+ tid_len[j] = tid_len[j] - 1
+ break
+ else:
+ counter = counter + 1
+ else:
+ row.append("")
+ table_code.append(row)
+ if added_count == total_table_entry:
+ break
+ return table_code
diff --git a/utils/peparser.py b/utils/peparser.py
new file mode 100644
index 0000000..a7fafd5
--- /dev/null
+++ b/utils/peparser.py
@@ -0,0 +1,152 @@
+#!/usr/bin/env python
+import os
+import time
+import zlib
+import string
+import pefile
+import hashlib
+
+Win32 = False
+Win64 = False
+isDll = False
+Highlights = list()
+
+
+def hashes(data, algo="sha256"):
+ if not data:
+ return None
+ algo = algo.lower()
+ if algo == "crc32":
+ return int("%d" % (zlib.crc32(data) & 0xffffffff))
+ elif algo == "adler32":
+ return "%d" % (zlib.adler32(data) & 0xffffffff)
+ elif algo == "md5":
+ hasher = hashlib.md5()
+ elif algo == "sha128":
+ hasher = hashlib.sha1()
+ elif algo == "sha224":
+ hasher = hashlib.sha224()
+ elif algo == "sha256":
+ hasher = hashlib.sha256()
+ elif algo == "sha384":
+ hasher = hashlib.sha384()
+ elif algo == "sha512":
+ hasher = hashlib.sha512()
+ else:
+ return None
+
+ hasher.update(data)
+ return hasher.hexdigest()
+
+
+def get_metadata(filename, pe):
+ metadata = dict()
+ metadata["size"] = os.path.getsize(filename)
+ metadata["imphash"] = pe.get_imphash()
+ with open(filename, "rb") as f:
+ filedata = f.read()
+ metadata["crc32"] = hashes(data=filedata, algo="crc32")
+ metadata["md5"] = hashes(data=filedata, algo="md5")
+ metadata["sha128"] = hashes(data=filedata, algo="sha128")
+ metadata["sha256"] = hashes(data=filedata, algo="sha256")
+ metadata["ssdeep"] = hashes(data=filedata, algo="ssdeep")
+ return metadata
+
+
+def get_imagefileheader(pe):
+ global Win32, Win64, isDll
+ imagefileheader = dict()
+ imagefileheader["Machine"] = hex(pe.FILE_HEADER.Machine if pe and hasattr(pe, "FILE_HEADER") and pe.FILE_HEADER and
+ hasattr(pe.FILE_HEADER, "Machine") and pe.FILE_HEADER.Machine else 0)
+ imagefileheader["NumberOfSections"] = hex(pe.FILE_HEADER.NumberOfSections if pe and hasattr(pe, "FILE_HEADER") and
+ pe.FILE_HEADER and
+ hasattr(pe.FILE_HEADER, "NumberOfSections") and pe.FILE_HEADER.NumberOfSections else 0)
+ imagefileheader["TimeDateStamp"] = pe.FILE_HEADER.TimeDateStamp if pe and hasattr(pe, "FILE_HEADER") and pe.FILE_HEADER and hasattr(pe.FILE_HEADER, "TimeDateStamp") and pe.FILE_HEADER.TimeDateStamp else 0
+ if imagefileheader["TimeDateStamp"] != 0:
+ pe_year = int(time.ctime(imagefileheader["TimeDateStamp"]).split()[-1])
+ this_year = int(time.gmtime(time.time())[0])
+ if pe_year > this_year or pe_year < 2000:
+ Highlights.append("TimeDateStamp of the file is Suspicious.")
+ imagefileheader["TimeDateStamp"] = time.ctime(imagefileheader["TimeDateStamp"])
+ else:
+ Highlights.append("TimeDateStamp of the file is zero.")
+ imagefileheader["Characteristics"] = pe.FILE_HEADER.Characteristics if pe and hasattr(pe, "FILE_HEADER") and pe.FILE_HEADER and hasattr(pe.FILE_HEADER, "Characteristics") and pe.FILE_HEADER.Characteristics else 0
+ if (imagefileheader["Characteristics"] & 0x0100) == 0x0100:
+ Win32 = True
+ elif (imagefileheader["Characteristics"] & 0x0020) == 0x0020:
+ Win64 = True
+ if (imagefileheader["Characteristics"] & 0x2000) == 0x2000:
+ isDll = True
+ imagefileheader["Characteristics"] = hex(imagefileheader["Characteristics"])
+ return imagefileheader
+
+
+def get_imageoptionalheader(pe):
+ global Win32, Win64, isDll
+ imageoptionalheader = dict()
+ imageoptionalheader["Magic"] = hex(pe.OPTIONAL_HEADER.Magic if pe and hasattr(pe, "OPTIONAL_HEADER") and pe.OPTIONAL_HEADER and hasattr(pe.OPTIONAL_HEADER, "Magic") and pe.OPTIONAL_HEADER.Magic else 0)
+ imageoptionalheader["AddressOfEntryPoint"] = hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint if pe and hasattr(pe, "OPTIONAL_HEADER") and pe.OPTIONAL_HEADER and hasattr(pe.OPTIONAL_HEADER, "AddressOfEntryPoint") else 0)
+ if pe and hasattr(pe, "OPTIONAL_HEADER") and pe.OPTIONAL_HEADER and hasattr(pe.OPTIONAL_HEADER, "CheckSum"):
+ if pe.OPTIONAL_HEADER.CheckSum == 0:
+ imageoptionalheader["CheckSum"] = pe.OPTIONAL_HEADER.CheckSum
+ else:
+ imageoptionalheader["CheckSum"] = hex(pe.OPTIONAL_HEADER.CheckSum)
+ else:
+ imageoptionalheader["CheckSum"] = None
+ imageoptionalheader["Subsystem"] = pe.OPTIONAL_HEADER.Subsystem if pe and hasattr(pe, "OPTIONAL_HEADER") and pe.OPTIONAL_HEADER and hasattr(pe.OPTIONAL_HEADER, "Subsystem") and pe.OPTIONAL_HEADER.Subsystem else None
+ bitVal = None
+ if Win32:
+ bitVal = "Win32"
+ elif Win64:
+ bitVal = "Win64"
+ if isDll:
+ file_type = "DLL"
+ else:
+ file_type = "EXE"
+ if imageoptionalheader["Subsystem"] == 0x03:
+ Highlights.append("The file being analysed is a Portable executable file! More sepecifically, it is a "+bitVal+" "+file_type+" file for the Windows Console Subsystem.")
+ elif imageoptionalheader["Subsystem"] == 0x02:
+ Highlights.append("The file being analysed is a Portable executable file! More sepecifically, it is a "+bitVal+" "+file_type+" file for the Windows GUI Subsystem.")
+ elif imageoptionalheader["Subsystem"] == 0x01:
+ Highlights.append("The file being analysed is a Portable executable file! More sepecifically, it is a "+bitVal+" "+file_type+" file for the Windows Native Subsystem.")
+
+ imageoptionalheader["DllCharacteristics"] = hex(pe.OPTIONAL_HEADER.DllCharacteristics if pe and hasattr(pe, "OPTIONAL_HEADER") and pe.OPTIONAL_HEADER and hasattr(pe.OPTIONAL_HEADER, "DllCharacteristics") and pe.OPTIONAL_HEADER.DllCharacteristics else 0)
+ return imageoptionalheader
+
+
+def get_imagesections(pe):
+ if len(pe.sections):
+ imagesections = list()
+ for section in pe.sections:
+ if section and hasattr(section, "Characteristics") and section.Characteristics:
+ perms = list()
+ perms += "R" if section.Characteristics & 0x40000000 else "-"
+ perms += "W" if section.Characteristics & 0x80000000 else "-"
+ perms += "X" if section.Characteristics & 0x20000000 else "-"
+ perms = "".join(perms)
+ else:
+ perms = None
+ imagesections.append({
+ "Name": "".join([c for c in section.Name if c in string.printable]),
+ "VirtualSize": hex(section.Misc_VirtualSize if section and hasattr(section, "Misc_VirtualSize") and
+ section.Misc_VirtualSize else 0),
+ "SizeOfRawData": hex(section.SizeOfRawData if section and hasattr(section, "SizeOfRawData") and
+ section.SizeOfRawData else 0),
+ "entropy": section.get_entropy(),
+ "permissions": perms,
+ })
+ else:
+ imagesections = None
+ return imagesections
+
+
+def parse(filename):
+ peparsed = dict()
+ pe = pefile.PE(filename)
+ peparsed["metadata"] = get_metadata(filename, pe)
+ peparsed["IMAGE_FILE_HEADER"] = get_imagefileheader(pe)
+ peparsed["IMAGE_OPTIONAL_HEADER"] = get_imageoptionalheader(pe)
+ peparsed["IMAGE_SECTIONS"] = get_imagesections(pe)
+ return peparsed
+
+
diff --git a/utils/playbookSig.py b/utils/playbookSig.py
new file mode 100644
index 0000000..335ff97
--- /dev/null
+++ b/utils/playbookSig.py
@@ -0,0 +1,38 @@
+import json
+
+
+def playbooksig(playbook_json, matched_sig_file, outputfile_campaign):
+ with open(matched_sig_file) as fp:
+ matched_json = json.load(fp)
+ with open(playbook_json) as fs:
+ playbook_sig = json.load(fs)
+ max = 0
+ matched_campaign_name = "Not Matched"
+ max_campaign_per = 0
+ for campaign in playbook_sig.keys():
+ matched_tid_count = 0
+ for tid_name in playbook_sig[campaign]:
+ if tid_name in matched_json.keys():
+ matched_tid_count = matched_tid_count + 1
+ if matched_tid_count > max:
+ matched_campaign_name = campaign
+ max_campaign_per = matched_tid_count * 100 / len(playbook_sig[campaign])
+ else:
+ if matched_tid_count == max:
+ macthed_wrt_campaign = max * 100 / len(playbook_sig[campaign])
+ if macthed_wrt_campaign > max_campaign_per:
+ max_campaign_per = macthed_wrt_campaign
+ matched_campaign_name = campaign
+ max = matched_tid_count if matched_tid_count > max else max
+ json_data = {"Matched campaign": "Not Matched"}
+ if matched_campaign_name != "Not Matched":
+ json_data["Matched campaign"] = matched_campaign_name
+ macthed_wrt_campaign = max * 100 / len(playbook_sig[matched_campaign_name])
+ matched_wrt_sample = max * 100 / len(matched_json.keys())
+ json_data["Activity matching percent with campaign"] = str(macthed_wrt_campaign)
+ json_data["Activity matching percent with Sample"] = str(matched_wrt_sample)
+
+ with open(outputfile_campaign, 'w') as fw:
+ json_report = json.dumps(json_data, sort_keys=True, indent=4)
+ fw.write(json_report.encode('utf-8'))
+
diff --git a/utils/sigcheck64.exe b/utils/sigcheck64.exe
new file mode 100644
index 0000000..9079033
Binary files /dev/null and b/utils/sigcheck64.exe differ
diff --git a/utils/yarascan.py b/utils/yarascan.py
new file mode 100644
index 0000000..601992b
--- /dev/null
+++ b/utils/yarascan.py
@@ -0,0 +1,41 @@
+import yara
+
+
+class YaraScan:
+ def __init__(self):
+ self.yara_sig_matched = {}
+ self.yara_idsig_matched = {}
+
+ def yara_callback_desc(self, data):
+ # print data
+ if data['matches']:
+ tag = ""
+ if len(data['tags']) > 0:
+ tag = data['tags'][0]
+ if tag not in self.yara_sig_matched.keys():
+ self.yara_sig_matched[tag] = {}
+ if data['rule'] not in self.yara_sig_matched[tag].keys():
+ self.yara_sig_matched[tag][data['rule']] = {}
+ if 'description' in data['meta']:
+ self.yara_sig_matched[tag][data['rule']]['description'] = data['meta']['description']
+ self.yara_sig_matched[tag][data['rule']]['indicators_matched'] = []
+ for string in data['strings']:
+ try:
+ if string[2].decode('windows-1252') \
+ not in self.yara_sig_matched[tag][data['rule']]['indicators_matched']:
+ self.yara_sig_matched[tag][data['rule']]['indicators_matched'].\
+ append(string[2].decode('windows-1252'))
+ except:
+ continue
+ yara.CALLBACK_CONTINUE
+
+ def yara_callback(self, data):
+ if data['matches']:
+ tag = ""
+ if len(data['tags']) > 0:
+ tag = data['tags'][0]
+ if tag not in self.yara_idsig_matched.keys():
+ self.yara_idsig_matched[tag] = []
+ if data['rule'] not in self.yara_idsig_matched[tag]:
+ self.yara_idsig_matched[tag].append(data['rule'])
+ yara.CALLBACK_CONTINUE
\ No newline at end of file
diff --git a/yara_sigs/file/compiler.yar b/yara_sigs/file/compiler.yar
new file mode 100644
index 0000000..58253fd
--- /dev/null
+++ b/yara_sigs/file/compiler.yar
@@ -0,0 +1,603 @@
+/*
+ This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+import "pe"
+import "math"
+
+rule IsPE32 : PECheck
+{
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint16(uint32(0x3C)+0x18) == 0x010B
+}
+
+rule IsPE64 : PECheck
+{
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint16(uint32(0x3C)+0x18) == 0x020B
+}
+
+rule IsNET_EXE : PECheck
+{
+ condition:
+ pe.imports ("mscoree.dll","_CorExeMain")
+}
+
+rule IsNET_DLL : PECheck
+{
+ condition:
+ pe.imports ("mscoree.dll","_CorDllMain")
+}
+
+rule IsDLL : PECheck
+{
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ (uint16(uint32(0x3C)+0x16) & 0x2000) == 0x2000
+
+}
+
+rule IsConsole : PECheck
+{
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint16(uint32(0x3C)+0x5C) == 0x0003
+}
+
+rule IsWindowsGUI : PECheck
+{
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint16(uint32(0x3C)+0x5C) == 0x0002
+}
+
+rule IsPacked : PECheck
+{
+ meta:
+ description = "Entropy Check"
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ math.entropy(0, filesize) >= 7.0
+}
+
+
+rule HasOverlay : PECheck
+{
+ meta:
+ author="_pusher_"
+ description = "Overlay Check"
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ //stupid check if last section is 0
+ //not (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x0 and
+
+ (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) < filesize
+
+}
+
+rule HasTaggantSignature : PECheck
+{
+ meta:
+ author="_pusher_"
+ description = "TaggantSignature Check"
+ date="2016-07"
+ strings:
+ $a0 = { 54 41 47 47 ?? ?? ?? ?? ?? ?? 00 00 ?? 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 09 30 07 06 05 2B 0E 03 02 1A 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 01 A0 82 ?? ?? 04 82 ?? ?? ?? 00 01 00 ?? ?? }
+ //$c0 = { 06 09 2A 86 }
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ //TAGG+4E==packerid
+ //(uint32be(@a0+0x4E) == 0x0B51D132) and
+ //(uint32be(@a0+0x12) == 0x006092a86) and
+ //(uint32be(@a0+0x12)) == uint32be(@c0) and
+
+ //uint32be(@a0+0x04) < (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) and
+ $a0
+}
+
+
+rule HasDigitalSignature : PECheck
+{
+ meta:
+ author="_pusher_"
+ description = "DigitalSignature Check"
+ date="2016-07"
+ strings:
+ //size check is wildcarded
+ $a0 = { ?? ?? ?? ?? 00 02 02 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 0B 30 09 06 05 2B 0E 03 02 1A 05 00 30 68 06 0A 2B 06 01 04 01 82 37 02 01 04 A0 5A 30 58 30 33 06 0A 2B 06 01 04 01 82 37 02 01 0F 30 25 03 01 00 A0 20 A2 1E 80 1C 00 3C 00 3C 00 3C 00 4F 00 62 00 73 00 6F 00 6C 00 65 00 74 00 65 00 3E 00 3E 00 3E 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 }
+ $a1 = { ?? ?? ?? ?? 00 02 02 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 0B 30 09 06 05 2B 0E 03 02 1A 05 00 30 ?? 06 0A 2B 06 01 04 01 82 37 02 01 04 A0 ?? 30 ?? 30 ?? 06 0A 2B 06 01 04 01 82 37 02 01 0F 30 ?? 03 01 00 A0 ?? A2 ?? 80 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 }
+ $a2 = { ?? ?? ?? ?? 00 02 02 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 0E 30 ?? 06 ?? ?? 86 48 86 F7 0D 02 05 05 00 30 67 06 0A 2B 06 01 04 01 82 37 02 01 04 A0 59 30 57 30 33 06 0A 2B 06 01 04 01 82 37 02 01 0F 30 25 03 01 00 A0 20 A2 1E 80 1C 00 3C 00 3C 00 3C 00 4F 00 62 00 73 00 6F 00 6C 00 65 00 74 00 65 00 3E 00 3E 00 3E 30 20 30 0C 06 08 2A 86 48 86 F7 0D 02 05 05 00 04 }
+ $a3 = { ?? ?? ?? ?? 00 02 02 00 30 82 ?? ?? 06 09 2A 86 48 86 F7 0D 01 07 02 A0 82 ?? ?? 30 82 ?? ?? 02 01 01 31 0F 30 ?? 06 ?? ?? 86 48 01 65 03 04 02 01 05 00 30 78 06 0A 2B 06 01 04 01 82 37 02 01 04 A0 6A 30 68 30 33 06 0A 2B 06 01 04 01 82 37 02 01 0F 30 25 03 01 00 A0 20 A2 1E 80 1C 00 3C 00 3C 00 3C 00 4F 00 62 00 73 00 6F 00 6C 00 65 00 74 00 65 00 3E 00 3E 00 3E 30 31 30 0D 06 09 60 86 48 01 65 03 04 02 01 05 00 04 }
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ (for any of ($a*) : ($ in ( (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size)..filesize)) )
+ //its not always like this:
+ //and uint32(@a0) == (filesize-(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size))
+}
+
+rule HasDebugData : PECheck
+{
+ meta:
+ author = "_pusher_"
+ description = "DebugData Check"
+ date="2016-07"
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ //orginal
+ //((uint32(uint32(0x3C)+0xA8) >0x0) and (uint32be(uint32(0x3C)+0xAC) >0x0))
+ //((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) x64/x32
+ (IsPE32 or IsPE64) and
+ ((uint32(uint32(0x3C)+0xA8+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)) >0x0) and (uint32be(uint32(0x3C)+0xAC+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)) >0x0))
+}
+
+rule IsBeyondImageSize : PECheck
+{
+ meta:
+ author = "_pusher_"
+ date = "2016-07"
+ description = "Data Beyond ImageSize Check"
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ for any i in (0..pe.number_of_sections-1):
+ (
+ (pe.sections[i].virtual_address+pe.sections[i].virtual_size) > (uint32(uint32(0x3C)+0x50)) or
+ (pe.sections[i].raw_data_offset+pe.sections[i].raw_data_size) > filesize
+ )
+}
+
+rule ImportTableIsBad : PECheck
+{
+ meta:
+ author = "_pusher_ & mrexodia"
+ date = "2016-07"
+ description = "ImportTable Check"
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ (IsPE32 or IsPE64) and
+ ( //Import_Table_RVA+Import_Data_Size .. cannot be outside imagesize
+ ((uint32(uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) )) + (uint32(uint32(0x3C)+0x84+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)))) > (uint32(uint32(0x3C)+0x50))
+ or
+ (((uint32(uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) )) + (uint32(uint32(0x3C)+0x84+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)))) == 0x0)
+ //or
+
+ //doest work
+ //pe.imports("", "")
+
+ //need to check if this is ok.. 15:06 2016-08-12
+ //uint32( uint32(uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5))+uint32(uint32(0x3C)+0x34)) == 0x408000
+ //this works..
+ //uint32(uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5))+uint32(uint32(0x3C)+0x34) == 0x408000
+
+ //uint32be(uint32be(0x409000)) == 0x005A
+ //pe.image_base
+ //correct:
+
+ //uint32(uint32(0x3C)+0x80)+pe.image_base == 0x408000
+
+ //this works (file offset):
+ //$a0 at 0x4000
+ //this does not work rva:
+ //$a0 at uint32(0x0408000)
+
+ //(uint32(uint32(uint32(0x3C)+0x80)+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5))+pe.image_base) == 0x0)
+
+ or
+ //tiny PE files..
+ (uint32(0x3C)+0x80+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) > filesize)
+
+ //or
+ //uint32(uint32(0x3C)+0x80) == 0x21000
+ //uint32(uint32(uint32(0x3C)+0x80)) == 0x0
+ //pe.imports("", "")
+ )
+}
+
+rule ExportTableIsBad : PECheck
+{
+ meta:
+ author = "_pusher_ & mrexodia"
+ date = "2016-07"
+ description = "ExportTable Check"
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ (IsPE32 or IsPE64) and
+ ( //Export_Table_RVA+Export_Data_Size .. cannot be outside imagesize
+ ((uint32(uint32(0x3C)+0x78+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5) )) + (uint32(uint32(0x3C)+0x7C+((uint16(uint32(0x3C)+0x18) & 0x200) >> 5)))) > (uint32(uint32(0x3C)+0x50))
+ )
+}
+
+
+rule HasModified_DOS_Message : PECheck
+{
+ meta:
+ author = "_pusher_"
+ description = "DOS Message Check"
+ date="2016-07"
+ strings:
+ $a0 = "This program must be run under Win32" wide ascii nocase
+ $a1 = "This program cannot be run in DOS mode" wide ascii nocase
+ //UniLink
+ $a2 = "This program requires Win32" wide ascii nocase
+ $a3 = "This program must be run under Win64" wide ascii nocase
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and not
+ (for any of ($a*) : ($ in (0x0..uint32(0x3c) )))
+}
+
+rule HasRichSignature : PECheck
+{
+ meta:
+ author = "_pusher_"
+ description = "Rich Signature Check"
+ date="2016-07"
+ strings:
+ $a0 = "Rich" ascii
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ uint32(uint32(0x3C)) == 0x00004550 and
+ (for any of ($a*) : ($ in (0x0..uint32(0x3c) )))
+}
+
+rule IsSuspicious
+{
+ meta:
+ author="_pusher_"
+ date = "2016-07"
+ description="Might be PE Virus"
+ condition:
+ uint32(0x20) == 0x20202020
+}
+
+rule IsGoLink
+{
+ meta:
+ author="_pusher_"
+ date = "2016-08"
+ description="www.GoDevTool.com"
+ strings:
+ $a0 = { 47 6F 4C 69 6E 6B }
+ condition:
+ // MZ signature at offset 0 and ...
+ uint16(0) == 0x5A4D and
+ // ... PE signature at offset stored in MZ header at 0x3C
+ $a0 at 0x40
+
+}
+
+
+rule borland_cpp {
+ meta:
+ author = "_pusher_"
+ description = "Borland C++"
+ date = "2015-08"
+ version = "0.1"
+ strings:
+ $c0 = { 59 5F 6A 00 E8 ?? ?? ?? ?? 59 68 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A 00 E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 C0 A0 ?? ?? ?? ?? C3 A1 ?? ?? ?? ?? C3 }
+ $c1 = { A1 ?? ?? ?? ?? C1 E0 02 A3 ?? ?? ?? ?? 52 6A 00 E8 ?? ?? ?? ?? 8B D0 E8 ?? ?? ?? ?? 5A E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? 59 68 ?? ?? ?? ?? 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A 00 E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 C0 A0 ?? ?? ?? ?? C3 A1 ?? ?? ?? ?? C3 }
+ $c2 = { 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? 6A 00 E9 ?? ?? ?? ?? E9 ?? ?? ?? ?? 33 C0 A0 ?? ?? ?? ?? C3 A1 ?? ?? ?? ?? C3 }
+ condition:
+ (
+ //linker 2.25 and 5.00
+ ((pe.linker_version.major == 2) and (pe.linker_version.minor == 25 )) or
+ ((pe.linker_version.major == 5) and (pe.linker_version.minor == 0 ))
+ ) and
+ any of them
+}
+
+rule borland_delphi {
+ meta:
+ author = "_pusher_"
+ description = "Borland Delphi 2.0 - 7.0 / 2005 - 2007"
+ date = "2016-03"
+ version = "0.2"
+ strings:
+ $c0 = { 53 8B D8 33 C0 A3 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? FF A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? 33 C0 A3 }
+ $c1 = { 53 8B D8 33 C0 A3 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? 33 C0 A3 ?? ?? ?? ?? 8D 43 08 A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5B C3 }
+ //some x64 version of delphi
+ $c2 = { 53 48 83 EC 20 48 89 CB C7 05 ?? ?? ?? ?? ?? ?? ?? ?? 48 33 C9 E8 ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? 48 8B 05 ?? ?? ?? ?? 48 89 05 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 8D 43 10 48 89 05 ?? ?? ?? ?? 48 8D 05 ?? FC FF FF 48 89 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 89 D9 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 83 C4 20 5B C3 }
+ //unusual delphi version unknown version (unpackme- FSG 1.31 - dulek)
+ $c3 = { 50 6A 00 E8 ?? ?? ?? ?? BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04 C7 42 08 00 00 00 00 C7 42 0C 00 00 00 00 E8 ?? ?? ?? ?? 5A 58 E8 ?? ?? ?? ?? C3 }
+ //delphi2
+ $c4 = { E8 ?? ?? ?? ?? 6A ?? E8 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 05 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 0A ?? ?? ?? B8 ?? ?? ?? ?? C3 }
+ //delphi3
+ $c5 = { 50 6A 00 E8 ?? ?? FF FF BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04 E8 ?? ?? ?? ?? 5A 58 E8 ?? ?? ?? ?? C3 55 8B EC 33 C0 }
+ //delphi5
+ $c6 = { 50 6A ?? E8 ?? ?? FF FF BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04 C7 42 08 ?? ?? ?? ?? C7 42 0C ?? ?? ?? ?? E8 ?? ?? ?? ?? 5A 58 E8 ?? ?? ?? ?? C3 }
+ condition:
+ any of them
+ and
+ (
+ //if its not linker 2.25 its been modified (unpacked usually)
+ //unknown x64 build of delphi
+ ((pe.linker_version.major == 2) and (pe.linker_version.minor == 25 )) or ((pe.linker_version.major == 8) and (pe.linker_version.minor == 0 ))
+ //unpacked files usually have this linker:
+ or ((pe.linker_version.major == 0) and (pe.linker_version.minor == 0 )) )
+ //could check for dvclal.. maybe too much
+}
+
+rule free_pascal {
+ meta:
+ author = "_pusher_"
+ description = "Free Pascal"
+ date = "2015-08"
+ version = "0.1"
+ strings:
+ $c0 = { 55 89 E5 83 ?? ?? 89 5D FC B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? A0 ?? ?? ?? ?? 84 C0 75 0C 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 }
+ $c1 = { 55 89 E5 53 B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 80 3D ?? ?? ?? ?? 00 75 0C 6A 00 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? A1 ?? ?? ?? ?? A3 ?? ?? ?? ?? B8 }
+ $c2 = { 55 89 E5 83 EC 04 89 5D FC B8 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? A0 ?? ?? ?? ?? 84 C0 75 05 E8 ?? ?? ?? ?? C7 05 }
+ condition:
+ any of them
+}
+
+rule borland_delphi_dll {
+ meta:
+ author = "_pusher_"
+ description = "Borland Delphi DLL"
+ date = "2015-08"
+ version = "0.1"
+ info = "one is at entrypoint"
+ strings:
+ $c0 = { BA ?? ?? ?? ?? 83 7D 0C 01 75 ?? 50 52 C6 05 ?? ?? ?? ?? ?? 8B 4D 08 89 0D ?? ?? ?? ?? 89 4A 04 }
+ $c1 = { 55 8B EC 83 C4 ?? B8 ?? ?? ?? ?? E8 ?? ?? FF FF E8 ?? ?? FF FF 8D 40 00 }
+ condition:
+ any of them
+}
+
+rule borland_component {
+ meta:
+ author = "_pusher_"
+ description = "Borland Component"
+ date = "2015-08"
+ version = "0.1"
+ strings:
+ $c0 = { E9 ?? ?? ?? FF 8D 40 00 }
+ condition:
+ $c0 at pe.entry_point
+}
+
+rule PureBasic : Neil Hodgson
+{
+ meta:
+ author="_pusher_"
+ date="2016-07"
+ strings:
+ //make check for msvrt.dll
+ $c0 = { 55 8B EC 6A 00 68 00 10 00 00 6A ?? FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? C7 05 ?? ?? ?? ?? 00 00 00 00 C7 05 ?? ?? ?? ?? 10 00 00 00 A1 ?? ?? ?? ?? 50 6A ?? 8B 0D ?? ?? ?? ?? 51 FF 15 ?? ?? ?? ?? A3 ?? ?? ?? ?? 5D C3 CC CC CC CC CC CC CC CC CC }
+ $c1 = { 68 ?? ?? 00 00 68 00 00 00 00 68 ?? ?? ?? 00 E8 ?? ?? ?? 00 83 C4 0C 68 00 00 00 00 E8 ?? ?? ?? 00 A3 ?? ?? ?? 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? ?? ?? 00 A3 }
+ $aa0 = "\x00MSVCRT.dll\x00" ascii
+ $aa1 = "\x00CRTDLL.dll\x00" ascii
+ condition:
+ (for any of ($c0,$c1) : ( $ at pe.entry_point )) and
+ (any of ($aa*) ) and
+ ((pe.linker_version.major == 2) and (pe.linker_version.minor == 50 ))
+}
+
+rule PureBasicDLL : Neil Hodgson
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+rule PureBasic4xDLL : Neil Hodgson
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 83 7C 24 08 01 75 0E 8B 44 24 04 A3 ?? ?? ?? 10 E8 22 00 00 00 83 7C 24 08 02 75 00 83 7C 24 08 00 75 05 E8 ?? 00 00 00 83 7C 24 08 03 75 00 B8 01 00 00 00 C2 0C 00 68 00 00 00 00 68 00 10 00 00 68 00 00 00 00 E8 ?? 0F 00 00 A3 }
+
+condition:
+ $a0 at pe.entry_point
+}
+
+rule SkDUndetectabler : SkDrat {
+ meta:
+ author = "_pusher_"
+ condition:
+ (
+ borland_delphi or //check All FSG or
+ ((pe.linker_version.major == 6) and (pe.linker_version.minor == 0 ))
+ )
+ and
+ (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size < filesize) and
+ //is overlay at offset 2A00,1A00,C00,745,739
+ //pe.overlay & pe.overlay_size would have been prettier
+ (
+ (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000739) or
+ (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000745) or
+ //Uncompressed
+ (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00000C00) or
+ (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00002A00) or
+ (pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size == 0x00001A00)
+ )
+ and
+ //is xored MZ ?
+ (
+ uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x6275 or
+ uint16(pe.sections[pe.number_of_sections-1].raw_data_offset+pe.sections[pe.number_of_sections-1].raw_data_size) == 0x4057
+ )
+}
+
+/* usefull ? 18:53 2016-08-12
+rule MicrosoftVisualCV80
+{
+ meta:
+ author="malware-lu"
+strings:
+ $a0 = { 6A 14 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? BB 94 00 00 00 53 6A 00 8B ?? ?? ?? ?? ?? FF D7 50 FF ?? ?? ?? ?? ?? 8B F0 85 F6 75 0A 6A 12 E8 ?? ?? ?? ?? 59 EB 18 89 1E 56 FF ?? ?? ?? ?? ?? 56 85 C0 75 14 50 FF D7 50 FF ?? ?? ?? ?? ?? B8 }
+
+condition:
+ $a0 at pe.entry_point
+}
+*/
+
+rule Cygwin : Red Hat
+{
+ meta:
+ author = "_pusher_"
+ date = "2016-07"
+ strings:
+ $a0 = "cygwin1.dll" ascii nocase
+ $aa1 = "cygwin_internal"
+ $aa2 = "cygwin_detach_dll"
+ condition:
+ (
+ (pe.linker_version.major == 2) and (pe.linker_version.minor == 56 ) or
+ (pe.linker_version.major == 2) and (pe.linker_version.minor == 24 ) or
+ (pe.linker_version.major == 2) and (pe.linker_version.minor == 25 )
+ )
+ and
+ ($a0 and (any of ($aa*) ))
+}
+
+rule MinGW_1
+{
+ meta:
+ author = "_pusher_"
+ date = "2016-07"
+ strings:
+ $a0 = "msvcrt.dll" ascii nocase
+ $aa1 = "Mingw-w64 runtime failure:"
+ $aa2 = "-LIBGCCW32-EH-3-SJLJ-GTHR-MINGW32" wide ascii nocase
+ $aa3 = "_mingw32_init_mainargs"
+ //too wild ?
+ $aa4 = "mingw32"
+ $aa5 = "-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32" wide ascii nocase
+ $aa6 = "-GCCLIBCYGMING-EH-TDM1-SJLJ-GTHR-MINGW32" wide ascii nocase
+ $aa7 = "Mingw runtime failure:"
+ condition:
+ (
+ (pe.linker_version.major == 2) and (pe.linker_version.minor == 56 ) or
+ (pe.linker_version.major == 2) and ((pe.linker_version.minor >= 21) and (pe.linker_version.minor <= 25))
+ )
+ and
+ ($a0 and (any of ($aa*) ))
+}
+
+rule FASM : flat assembler {
+//abit weak, needs more targets & testing
+ meta:
+ author = "_pusher_"
+ date = "2016-01"
+ description = "http://flatassembler.net"
+ //strings:
+ //$c0 = { 55 89 E5 83 EC 1C 8D 45 E4 6A 1C 50 FF 75 08 FF 15 ?? ?? ?? ?? 8B 45 E8 C9 C2 04 00 }
+ condition:
+ (
+ //linker 1.60..1.79
+ (pe.linker_version.major == 1) and ((pe.linker_version.minor >= 60) and (pe.linker_version.minor < 80))
+ )
+ //and $c0
+}
+
+rule AutoIt
+{
+ meta:
+ author = "_pusher_"
+ date = "2016-07"
+ description = "www.autoitscript.com/site/autoit/"
+ strings:
+ $aa0 = "AutoIt has detected the stack has become corrupt.\n\nStack corruption typically occurs when either the wrong calling convention is used or when the function is called with the wrong number of arguments.\n\nAutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention." wide ascii nocase
+ $aa1 = "AutoIt Error" wide ascii nocase
+ $aa2 = "Missing right bracket ')' in expression." wide ascii nocase
+ $aa3 = "Missing operator in expression." wide ascii nocase
+ $aa4 = "Unbalanced brackets in expression." wide ascii nocase
+ $aa5 = "Error parsing function call." wide ascii nocase
+
+ $aa6 = ">>>AUTOIT NO CMDEXECUTE<<<" wide ascii nocase
+ $aa7 = "#requireadmin" wide ascii nocase
+ $aa8 = "#OnAutoItStartRegister" wide ascii nocase
+ $aa9 = "#notrayicon" wide ascii nocase
+ $aa10 = "Cannot parse #include" wide ascii nocase
+ condition:
+ 5 of ($aa*)
+}
+
+
+rule PellesC : Pelle Orinius
+{
+ meta:
+ author = "_pusher_"
+ date = "2016-08"
+ description = "www.smorgasbordet.com/pellesc"
+ strings:
+ $aa0 = " -- terminating\x0D\x0A\x00 -- terminating\x0A\x00CRT: \x00unexpected error\x00" wide ascii nocase
+ $aa1 = "unhandled exception (main)\x00unhandled exception in thread\x00unable to create thread\x00unable to destroy semaphore\x00" wide ascii nocase
+ $aa2 = "unable to wait on semaphore\x00unable to post semaphore\x00unable to init semaphore\x00unable to unlock mutex\x00unable to lock mutex\x00unable to init mutex\x00" wide ascii nocase
+ $aa3 = "invalid stream lock number\x00corrupt per-thread data\x00out of memory\x00unable to init threads\x00unable to init HEAP" wide ascii nocase
+ condition:
+ 3 of ($aa*) and
+ (pe.linker_version.major == 2) and (pe.linker_version.minor == 50 )
+}
+
+rule QtFrameWork
+{
+ meta:
+ author="_pusher_"
+ date="2016-08"
+ strings:
+ $aa0 = "\x00Qt5Core.dll\x00" ascii
+ $aa1 = "\x00QtCore4.dll\x00" ascii
+ condition:
+ (any of ($aa*) )
+}
+
+/* usefull ? 18:32 2016-08-10
+rule masm32_tasm32
+{
+ meta:
+ author = "PEiD"
+ description = "MASM32 / TASM32"
+ group = "20"
+ function = "0"
+ strings:
+ $a0 = { 6A ?? E8 ?? ?? ?? ?? A3 }
+ condition:
+ $a0
+}
+*/
diff --git a/yara_sigs/file/crypto.yar b/yara_sigs/file/crypto.yar
new file mode 100644
index 0000000..6bc732e
--- /dev/null
+++ b/yara_sigs/file/crypto.yar
@@ -0,0 +1,1434 @@
+/*
+ This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+*/
+
+rule Big_Numbers0 : Crypto_Algorithms
+{
+ meta:
+ author = "_pusher_"
+ description = "Looks for big numbers 20:sized"
+ date = "2016-07"
+ strings:
+ $c0 = /[0-9a-fA-F]{20}/ fullword ascii
+ condition:
+ $c0
+}
+
+rule Big_Numbers1 : Crypto_Algorithms
+{
+ meta:
+ author = "_pusher_"
+ description = "Looks for big numbers 32:sized"
+ date = "2016-07"
+ strings:
+ $c0 = /[0-9a-fA-F]{32}/ fullword wide ascii
+ condition:
+ $c0
+}
+
+rule Big_Numbers2 : Crypto_Algorithms
+{
+ meta:
+ author = "_pusher_"
+ description = "Looks for big numbers 48:sized"
+ date = "2016-07"
+ strings:
+ $c0 = /[0-9a-fA-F]{48}/ fullword wide ascii
+ condition:
+ $c0
+}
+
+rule Big_Numbers3 : Crypto_Algorithms
+{
+ meta:
+ author = "_pusher_"
+ description = "Looks for big numbers 64:sized"
+ date = "2016-07"
+ strings:
+ $c0 = /[0-9a-fA-F]{64}/ fullword wide ascii
+ condition:
+ $c0
+}
+
+rule Big_Numbers4 : Crypto_Algorithms
+{
+ meta:
+ author = "_pusher_"
+ description = "Looks for big numbers 128:sized"
+ date = "2016-08"
+ strings:
+ $c0 = /[0-9a-fA-F]{128}/ fullword wide ascii
+ condition:
+ $c0
+}
+
+rule Big_Numbers5 : Crypto_Algorithms
+{
+ meta:
+ author = "_pusher_"
+ description = "Looks for big numbers 256:sized"
+ date = "2016-08"
+ strings:
+ $c0 = /[0-9a-fA-F]{256}/ fullword wide ascii
+ condition:
+ $c0
+}
+
+rule Prime_Constants_char : Crypto_Algorithms {
+ meta:
+ author = "_pusher_"
+ description = "List of primes [char]"
+ date = "2016-07"
+ strings:
+ $c0 = { 03 05 07 0B 0D 11 13 17 1D 1F 25 29 2B 2F 35 3B 3D 43 47 49 4F 53 59 61 65 67 6B 6D 71 7F 83 89 8B 95 97 9D A3 A7 AD B3 B5 BF C1 C5 C7 D3 DF E3 E5 E9 EF F1 FB }
+ condition:
+ $c0
+}
+
+rule Prime_Constants_long : Crypto_Algorithms {
+ meta:
+ author = "_pusher_"
+ description = "List of primes [long]"
+ date = "2016-07"
+ strings:
+ $c0 = { 03 00 00 00 05 00 00 00 07 00 00 00 0B 00 00 00 0D 00 00 00 11 00 00 00 13 00 00 00 17 00 00 00 1D 00 00 00 1F 00 00 00 25 00 00 00 29 00 00 00 2B 00 00 00 2F 00 00 00 35 00 00 00 3B 00 00 00 3D 00 00 00 43 00 00 00 47 00 00 00 49 00 00 00 4F 00 00 00 53 00 00 00 59 00 00 00 61 00 00 00 65 00 00 00 67 00 00 00 6B 00 00 00 6D 00 00 00 71 00 00 00 7F 00 00 00 83 00 00 00 89 00 00 00 8B 00 00 00 95 00 00 00 97 00 00 00 9D 00 00 00 A3 00 00 00 A7 00 00 00 AD 00 00 00 B3 00 00 00 B5 00 00 00 BF 00 00 00 C1 00 00 00 C5 00 00 00 C7 00 00 00 D3 00 00 00 DF 00 00 00 E3 00 00 00 E5 00 00 00 E9 00 00 00 EF 00 00 00 F1 00 00 00 FB 00 00 00 }
+ condition:
+ $c0
+}
+
+
+rule Advapi_Hash_API : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Looks for advapi API functions"
+ date = "2016-07"
+ strings:
+ $advapi32 = "advapi32.dll" wide ascii nocase
+ $CryptCreateHash = "CryptCreateHash" wide ascii
+ $CryptHashData = "CryptHashData" wide ascii
+ $CryptAcquireContext = "CryptAcquireContext" wide ascii
+ condition:
+ $advapi32 and ($CryptCreateHash and $CryptHashData and $CryptAcquireContext)
+}
+
+rule Crypt32_CryptBinaryToString_API : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Looks for crypt32 CryptBinaryToStringA function"
+ date = "2016-08"
+ strings:
+ $crypt32 = "crypt32.dll" wide ascii nocase
+ $CryptBinaryToStringA = "CryptBinaryToStringA" wide ascii
+ condition:
+ $crypt32 and ($CryptBinaryToStringA)
+}
+
+rule CRC32c_poly_Constant : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for CRC32c (Castagnoli) [poly]"
+ date = "2016-08"
+ strings:
+ $c0 = { 783BF682 }
+ condition:
+ $c0
+}
+
+rule CRC32_poly_Constant : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for CRC32 [poly]"
+ date = "2015-05"
+ version = "0.1"
+ strings:
+ $c0 = { 2083B8ED }
+ condition:
+ $c0
+}
+
+rule CRC32_table : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for CRC32 table"
+ date = "2015-05"
+ version = "0.1"
+ strings:
+ $c0 = { 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 }
+ condition:
+ $c0
+}
+
+rule CRC32_table_lookup : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "CRC32 table lookup"
+ date = "2015-06"
+ version = "0.1"
+ strings:
+ $c0 = { 8B 54 24 08 85 D2 7F 03 33 C0 C3 83 C8 FF 33 C9 85 D2 7E 29 56 8B 74 24 08 57 8D 9B 00 00 00 00 0F B6 3C 31 33 F8 81 E7 FF 00 00 00 C1 E8 08 33 04 BD ?? ?? ?? ?? 41 3B CA 7C E5 5F 5E F7 D0 C3 }
+ condition:
+ $c0
+}
+
+rule CRC32b_poly_Constant : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for CRC32b [poly]"
+ date = "2016-04"
+ version = "0.1"
+ strings:
+ $c0 = { B71DC104 }
+ condition:
+ $c0
+}
+
+
+rule CRC16_table : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for CRC16 table"
+ date = "2016-04"
+ version = "0.1"
+ strings:
+ $c0 = { 00 00 21 10 42 20 63 30 84 40 A5 50 C6 60 E7 70 08 81 29 91 4A A1 6B B1 8C C1 AD D1 CE E1 EF F1 31 12 10 02 73 32 52 22 B5 52 94 42 F7 72 D6 62 39 93 18 83 7B B3 5A A3 BD D3 9C C3 FF F3 DE E3 }
+ condition:
+ $c0
+}
+
+
+rule FlyUtilsCnDES_ECB_Encrypt : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for FlyUtils.CnDES Encrypt ECB function"
+ date = "2016-07"
+ strings:
+ $c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B D9 89 55 F8 89 45 FC 8B 7D 08 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 80 7D 18 00 74 1A 0F B6 55 18 8D 4D EC 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 80 7D 1C 00 74 1A 0F B6 55 1C 8D 4D E8 8B 45 FC E8 ?? ?? ?? ?? 8B 55 E8 8D 45 FC E8 ?? ?? ?? ?? 85 DB 75 07 E8 ?? ?? ?? ?? 8B D8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 53 6A 00 8B 4D FC B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 8B 45 F4 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 6A 00 33 C9 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F0 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 56 }
+ condition:
+ $c0
+}
+
+rule FlyUtilsCnDES_ECB_Decrypt : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for FlyUtils.CnDES Decrypt ECB function"
+ date = "2016-07"
+ strings:
+ $c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D E8 89 5D EC 8B F9 89 55 F8 89 45 FC 8B 5D 18 8B 75 20 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 84 DB 74 18 8B D3 8D 4D EC 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 EC 8D 45 F8 E8 ?? ?? ?? ?? 85 FF 75 07 E8 ?? ?? ?? ?? 8B F8 85 F6 75 07 E8 ?? ?? ?? ?? 8B F0 8B 4D FC B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 57 6A 00 33 C9 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F0 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 6A 00 6A 00 56 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 50 FF 75 14 FF 75 10 8B 45 0C 50 8B 4D F8 8B 55 F0 8B 45 F4 E8 ?? ?? ?? ?? 6A 00 6A 00 8B 45 F0 E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 55 08 8B 45 F0 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 EB 12 E9 ?? ?? ?? ?? 8B 45 08 E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F0 33 D2 89 55 F0 E8 ?? ?? ?? ?? C3 }
+ condition:
+ $c0
+}
+
+rule Elf_Hash : Crypto_Algorithms {
+ meta:
+ author = "_pusher_"
+ description = "Look for ElfHash"
+ date = "2015-06"
+ version = "0.3"
+ strings:
+ $c0 = { 53 56 33 C9 8B DA 4B 85 DB 7C 25 43 C1 E1 04 33 D2 8A 10 03 CA 8B D1 81 E2 00 00 00 F0 85 D2 74 07 8B F2 C1 EE 18 33 CE F7 D2 23 CA 40 4B 75 DC 8B C1 5E 5B C3 }
+ $c1 = { 53 33 D2 85 C0 74 2B EB 23 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 85 C9 74 07 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 D7 8B C2 5B C3 }
+ $c2 = { 53 56 33 C9 8B D8 85 D2 76 23 C1 E1 04 33 C0 8A 03 03 C8 8B C1 25 00 00 00 F0 85 C0 74 07 8B F0 C1 EE 18 33 CE F7 D0 23 C8 43 4A 75 DD 8B C1 5E 5B C3 }
+ $c3 = { 53 56 57 8B F2 8B D8 8B FB 53 E8 ?? ?? ?? ?? 6B C0 02 71 05 E8 ?? ?? ?? ?? 8B D7 33 C9 8B D8 83 EB 01 71 05 E8 ?? ?? ?? ?? 85 DB 7C 2C 43 C1 E1 04 0F B6 02 03 C8 71 05 E8 ?? ?? ?? ?? 83 C2 01 B8 00 00 00 F0 23 C1 85 C0 74 07 8B F8 C1 EF 18 33 CF F7 D0 23 C8 4B 75 D5 8B C1 99 F7 FE 8B C2 85 C0 7D 09 03 C6 71 05 E8 ?? ?? ?? ?? 5F 5E 5B C3 }
+ $c4 = { 53 33 D2 EB 2C 8B D9 80 C3 BF 80 EB 1A 73 03 80 C1 20 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 CE 8B C2 5B C3 }
+ $c5 = { 89 C2 31 C0 85 D2 74 30 2B 42 FC 74 2B 89 C1 29 C2 31 C0 53 0F B6 1C 11 01 C3 8D 04 1B C1 EB 14 8D 04 C5 00 00 00 00 81 E3 00 0F 00 00 31 D8 83 C1 01 75 E0 C1 E8 04 5B C3 }
+ $c6 = { 53 33 D2 85 C0 74 38 EB 30 8B D9 80 C3 BF 80 EB 1A 73 03 80 C1 20 C1 E2 04 81 E1 FF 00 00 00 03 D1 8B CA 81 E1 00 00 00 F0 85 C9 74 07 8B D9 C1 EB 18 33 D3 F7 D1 23 D1 40 8A 08 84 C9 75 CA 8B C2 5B C3 }
+ condition:
+ any of them
+}
+
+rule BLOWFISH_Constants : Crypto_Algorithms{
+ meta:
+ author = "phoul (@phoul)"
+ description = "Look for Blowfish constants"
+ date = "2014-01"
+ version = "0.1"
+ strings:
+ $c0 = { D1310BA6 }
+ $c1 = { A60B31D1 }
+ $c2 = { 98DFB5AC }
+ $c3 = { ACB5DF98 }
+ $c4 = { 2FFD72DB }
+ $c5 = { DB72FD2F }
+ $c6 = { D01ADFB7 }
+ $c7 = { B7DF1AD0 }
+ $c8 = { 4B7A70E9 }
+ $c9 = { E9707A4B }
+ $c10 = { F64C261C }
+ $c11 = { 1C264CF6 }
+ condition:
+ 6 of them
+}
+
+rule MD5_Constants : Crypto_Algorithms{
+ meta:
+ author = "phoul (@phoul)"
+ description = "Look for MD5 constants"
+ date = "2014-01"
+ version = "0.2"
+ strings:
+ // Init constants
+ $c0 = { 67452301 }
+ $c1 = { efcdab89 }
+ $c2 = { 98badcfe }
+ $c3 = { 10325476 }
+ $c4 = { 01234567 }
+ $c5 = { 89ABCDEF }
+ $c6 = { FEDCBA98 }
+ $c7 = { 76543210 }
+ // Round 2
+ $c8 = { F4D50d87 }
+ $c9 = { 78A46AD7 }
+ condition:
+ 5 of them
+}
+
+rule MD5_API : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Looks for MD5 API"
+ date = "2016-07"
+ strings:
+ $advapi32 = "advapi32.dll" wide ascii nocase
+ $cryptdll = "cryptdll.dll" wide ascii nocase
+ $MD5Init = "MD5Init" wide ascii
+ $MD5Update = "MD5Update" wide ascii
+ $MD5Final = "MD5Final" wide ascii
+ condition:
+ ($advapi32 or $cryptdll) and ($MD5Init and $MD5Update and $MD5Final)
+}
+
+rule RC6_Constants : Crypto_Algorithms{
+ meta:
+ author = "chort (@chort0)"
+ description = "Look for RC6 magic constants in binary"
+ reference = "https://twitter.com/mikko/status/417620511397400576"
+ reference2 = "https://twitter.com/dyngnosis/status/418105168517804033"
+ date = "2013-12"
+ version = "0.2"
+ strings:
+ $c1 = { B7E15163 }
+ $c2 = { 9E3779B9 }
+ $c3 = { 6351E1B7 }
+ $c4 = { B979379E }
+ condition:
+ 2 of them
+}
+
+rule RIPEMD160_Constants : Crypto_Algorithms{
+ meta:
+ author = "phoul (@phoul)"
+ description = "Look for RIPEMD-160 constants"
+ date = "2014-01"
+ version = "0.1"
+ strings:
+ $c0 = { 67452301 }
+ $c1 = { EFCDAB89 }
+ $c2 = { 98BADCFE }
+ $c3 = { 10325476 }
+ $c4 = { C3D2E1F0 }
+ $c5 = { 01234567 }
+ $c6 = { 89ABCDEF }
+ $c7 = { FEDCBA98 }
+ $c8 = { 76543210 }
+ $c9 = { F0E1D2C3 }
+ condition:
+ 5 of them
+}
+
+rule SHA1_Constants : Crypto_Algorithms{
+ meta:
+ author = "phoul (@phoul)"
+ description = "Look for SHA1 constants"
+ date = "2014-01"
+ version = "0.1"
+ strings:
+ $c0 = { 67452301 }
+ $c1 = { EFCDAB89 }
+ $c2 = { 98BADCFE }
+ $c3 = { 10325476 }
+ $c4 = { C3D2E1F0 }
+ $c5 = { 01234567 }
+ $c6 = { 89ABCDEF }
+ $c7 = { FEDCBA98 }
+ $c8 = { 76543210 }
+ $c9 = { F0E1D2C3 }
+ //added by _pusher_ 2016-07 - last round
+ $c10 = { D6C162CA }
+ condition:
+ 5 of them
+}
+
+rule SHA512_Constants : Crypto_Algorithms{
+ meta:
+ author = "phoul (@phoul)"
+ description = "Look for SHA384/SHA512 constants"
+ date = "2014-01"
+ version = "0.1"
+ strings:
+ $c0 = { 428a2f98 }
+ $c1 = { 982F8A42 }
+ $c2 = { 71374491 }
+ $c3 = { 91443771 }
+ $c4 = { B5C0FBCF }
+ $c5 = { CFFBC0B5 }
+ $c6 = { E9B5DBA5 }
+ $c7 = { A5DBB5E9 }
+ $c8 = { D728AE22 }
+ $c9 = { 22AE28D7 }
+ condition:
+ 5 of them
+}
+
+rule TEAN : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for TEA Encryption"
+ date = "2016-08"
+ strings:
+ $c0 = { 2037EFC6 }
+ condition:
+ $c0
+}
+
+rule WHIRLPOOL_Constants : Crypto_Algorithms{
+ meta:
+ author = "phoul (@phoul)"
+ description = "Look for WhirlPool constants"
+ date = "2014-02"
+ version = "0.1"
+ strings:
+ $c0 = { 18186018c07830d8 }
+ $c1 = { d83078c018601818 }
+ $c2 = { 23238c2305af4626 }
+ $c3 = { 2646af05238c2323 }
+ condition:
+ 2 of them
+}
+
+rule DarkEYEv3_Cryptor : Crypto_Algorithms{
+ meta:
+ description = "Rule to detect DarkEYEv3 encrypted executables (often malware)"
+ author = "Florian Roth"
+ reference = "http://darkeyev3.blogspot.fi/"
+ date = "2015-05-24"
+ hash0 = "6b854b967397f7de0da2326bdd5d39e710e2bb12"
+ hash1 = "d53149968eca654fc0e803f925e7526fdac2786c"
+ hash2 = "7e3a8940d446c57504d6a7edb6445681cca31c65"
+ hash3 = "d3dd665dd77b02d7024ac16eb0949f4f598299e7"
+ hash4 = "a907a7b74a096f024efe57953c85464e87275ba3"
+ hash5 = "b1c422155f76f992048377ee50c79fe164b22293"
+ hash6 = "29f5322ce5e9147f09e0a86cc23a7c8dc88721b9"
+ hash7 = "a0382d7c12895489cb37efef74c5f666ea750b05"
+ hash8 = "f3d5b71b7aeeb6cc917d5bb67e2165cf8a2fbe61"
+ score = 55
+ strings:
+ $s0 = "\\DarkEYEV3-"
+ condition:
+ uint16(0) == 0x5a4d and $s0
+}
+
+rule Miracl_powmod : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "Miracl powmod"
+ strings:
+ $c0 = { 53 55 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 18 02 00 00 85 C0 0F 85 EC 01 00 00 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 12 00 00 00 8B 86 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 06 8B 4E 10 3B C1 74 2E 8B 7C 24 1C 57 E8 ?? ?? ?? ?? 83 C4 04 83 F8 02 7C 33 8B 57 04 8B 0E 51 8B 02 50 E8 ?? ?? ?? ?? 83 C4 08 83 F8 01 0F 84 58 01 00 00 EB 17 8B 7C 24 1C 6A 02 57 E8 ?? ?? ?? ?? 83 C4 08 85 C0 0F 84 3F 01 00 00 8B 8E C4 01 00 00 8B 54 24 18 51 52 E8 ?? ?? ?? ?? 8B 86 CC }
+ condition:
+ $c0
+}
+
+rule Miracl_crt : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "Miracl crt"
+ strings:
+ $c0 = { 51 56 57 E8 ?? ?? ?? ?? 8B 74 24 10 8B F8 89 7C 24 08 83 7E 0C 02 0F 8C 99 01 00 00 8B 87 18 02 00 00 85 C0 0F 85 8B 01 00 00 8B 57 1C 42 8B C2 89 57 1C 83 F8 18 7D 17 C7 44 87 20 4A 00 00 00 8B 87 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 46 04 8B 54 24 14 53 55 8B 08 8B 02 51 50 E8 ?? ?? ?? ?? 8B 4E 0C B8 01 00 00 00 83 C4 08 33 ED 3B C8 89 44 24 18 0F 8E C5 00 00 00 BF 04 00 00 00 8B 46 04 8B 0C 07 8B 10 8B 44 24 1C 51 52 8B 0C 07 51 E8 ?? ?? ?? ?? 8B 56 04 8B 4E 08 8B 04 }
+ condition:
+ $c0
+}
+
+rule CryptoPP_a_exp_b_mod_c : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "CryptoPP a_exp_b_mod_c"
+ strings:
+ $c0 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC ?? 00 00 00 56 8B B4 24 B0 00 00 00 57 6A 00 8B CE C7 44 24 0C 00 00 00 00 E8 ?? ?? ?? ?? 84 C0 0F 85 16 01 00 00 8D 4C 24 24 E8 ?? ?? ?? ?? BF 01 00 00 00 56 8D 4C 24 34 89 BC 24 A4 00 00 00 E8 ?? ?? ?? ?? 8B 06 8D 4C 24 3C 50 6A 00 C6 84 24 A8 00 00 00 02 E8 ?? ?? ?? ?? 8D 4C 24 48 C6 84 24 A0 00 00 00 03 E8 ?? ?? ?? ?? C7 44 24 24 ?? ?? ?? ?? 8B 8C 24 AC 00 00 00 8D 54 24 0C 51 52 8D 4C 24 2C C7 84 24 A8 }
+ $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 4C 56 57 33 FF 8D 44 24 0C 89 7C 24 08 C7 44 24 10 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 89 44 24 14 8B 74 24 70 8D 4C 24 18 56 89 7C 24 60 E8 ?? ?? ?? ?? 8B 76 08 8D 4C 24 2C 56 57 C6 44 24 64 01 E8 ?? ?? ?? ?? 8D 4C 24 40 C6 44 24 5C 02 E8 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 8B 4C 24 6C 8B 54 24 68 8B 74 24 64 51 52 56 8D 4C 24 18 C7 44 24 68 03 00 00 00 E8 ?? ?? ?? ?? 8B 7C 24 4C 8B 4C 24 48 8B D7 33 C0 F3 }
+ $c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 34 56 57 33 FF 8D 44 24 0C 89 7C 24 08 C7 44 24 10 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 89 44 24 14 8B 74 24 58 8D 4C 24 18 56 89 7C 24 48 E8 ?? ?? ?? ?? 8B 0E C6 44 24 44 01 51 57 8D 4C 24 2C E8 ?? ?? ?? ?? 8D 4C 24 30 C6 44 24 44 02 E8 ?? ?? ?? ?? C7 44 24 0C ?? ?? ?? ?? 8B 54 24 54 8B 44 24 50 8B 74 24 4C 52 50 56 8D 4C 24 18 C7 44 24 50 03 00 00 00 E8 ?? ?? ?? ?? 8B 4C 24 30 8B 7C 24 34 33 C0 F3 AB 8B 4C }
+ condition:
+ any of them
+}
+
+rule CryptoPP_modulo : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "CryptoPP modulo"
+ strings:
+ $c0 = { 83 EC 20 53 55 8B 6C 24 2C 8B D9 85 ED 89 5C 24 08 75 18 8D 4C 24 0C E8 ?? ?? ?? ?? 8D 44 24 0C 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D FF 56 85 CD 57 75 09 8B 53 04 8B 02 23 C1 EB 76 8B CB E8 ?? ?? ?? ?? 83 FD 05 8B C8 77 2D 33 F6 33 FF 49 85 C0 74 18 8B 53 04 8D 41 01 8D 14 8A 8B 0A 03 F1 83 D7 00 48 83 EA 04 85 C0 77 F1 6A 00 55 57 56 E8 ?? ?? ?? ?? EB 3B 33 C0 8B D1 49 85 D2 74 32 8B 54 24 10 33 DB 8D 71 01 8B 52 04 8D 3C 8A 8B 17 33 ED 0B C5 8B 6C 24 34 33 C9 53 0B CA 55 }
+ $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 2C 56 57 8B F1 33 FF 8D 4C 24 20 89 7C 24 08 E8 ?? ?? ?? ?? 8D 4C 24 0C 89 7C 24 3C E8 ?? ?? ?? ?? 8B 44 24 48 8D 4C 24 0C 50 56 8D 54 24 28 51 52 C6 44 24 4C 01 E8 ?? ?? ?? ?? 8B 74 24 54 83 C4 10 8D 44 24 20 8B CE 50 E8 ?? ?? ?? ?? 8B 7C 24 18 8B 4C 24 14 8B D7 33 C0 F3 AB 52 E8 ?? ?? ?? ?? 8B 7C 24 30 8B 4C 24 2C 8B D7 33 C0 C7 44 24 10 ?? ?? ?? ?? 52 F3 AB E8 ?? ?? ?? ?? 8B 4C 24 3C 83 C4 08 8B C6 64 89 }
+ $c2 = { 83 EC 24 53 55 8B 6C 24 30 8B D9 85 ED 89 5C 24 08 75 18 8D 4C 24 0C E8 ?? ?? ?? ?? 8D 44 24 0C 68 ?? ?? ?? ?? 50 E8 ?? ?? ?? ?? 8D 4D FF 56 85 CD 57 75 09 8B 53 0C 8B 02 23 C1 EB 76 8B CB E8 ?? ?? ?? ?? 83 FD 05 8B C8 77 2D 33 F6 33 FF 49 85 C0 74 18 8B 53 0C 8D 41 01 8D 14 8A 8B 0A 03 F1 83 D7 00 48 83 EA 04 85 C0 77 F1 6A 00 55 57 56 E8 ?? ?? ?? ?? EB 3B 33 C0 8B D1 49 85 D2 74 32 8B 54 24 10 33 DB 8D 71 01 8B 52 0C 8D 3C 8A 8B 17 33 ED 0B C5 8B 6C 24 38 33 C9 53 0B CA 55 }
+ $c3 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 1C 56 57 8B F1 33 FF 8D 4C 24 0C 89 7C 24 08 E8 ?? ?? ?? ?? 8D 4C 24 18 89 7C 24 2C E8 ?? ?? ?? ?? 8B 44 24 38 8D 4C 24 18 50 56 8D 54 24 14 51 52 C6 44 24 3C 01 E8 ?? ?? ?? ?? 8B 74 24 44 83 C4 10 8D 44 24 0C 8B CE 50 E8 ?? ?? ?? ?? 8B 4C 24 18 8B 7C 24 1C 33 C0 F3 AB 8B 4C 24 1C 51 E8 ?? ?? ?? ?? 8B 4C 24 10 8B 7C 24 14 33 C0 F3 AB 8B 54 24 14 52 E8 ?? ?? ?? ?? 8B 4C 24 2C 83 C4 08 8B C6 64 89 0D 00 00 00 }
+ condition:
+ any of them
+}
+
+rule FGint_MontgomeryModExp : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-06"
+ version = "0.2"
+ description = "FGint MontgomeryModExp"
+ strings:
+ $c0 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 }
+ $c1 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 }
+ $c2 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 ?? 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 ?? 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 ?? E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 }
+ $c3 = { 55 8B EC 83 C4 ?? 53 56 57 33 DB 89 5D ?? 8B F1 8B DA 89 45 D0 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 47 4C 47 00 64 FF 30 64 89 20 8D 55 D4 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B CF 8B D6 8B 45 D0 E8 ?? ?? ?? ?? 8D 55 D4 8B C7 E8 ?? ?? ?? ?? 3C 02 75 0D 8D 45 D4 E8 ?? ?? ?? ?? E9 02 02 00 00 }
+ condition:
+ any of them
+}
+
+rule FGint_FGIntModExp : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-05"
+ description = "FGint FGIntModExp"
+ strings:
+ $c0 = { 55 8B EC 83 C4 E8 53 56 57 33 DB 89 5D ?? 8B F1 89 55 ?? 8B D8 8B 7D 08 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 46 04 8B 40 04 83 E0 01 83 F8 01 75 0F 57 8B CE 8B 55 ?? 8B C3 E8 ?? ?? ?? ?? EB ?? 8D 55 ?? 8B 45 ?? E8 ?? ?? ?? ?? 8B D7 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 F4 8B C3 E8 ?? ?? ?? ?? 8B 45 }
+ condition:
+ $c0
+}
+
+rule FGint_MulByInt : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-05"
+ description = "FGint MulByInt"
+ strings:
+ $c0 = { 53 56 57 55 83 C4 E8 89 4C 24 04 8B EA 89 04 24 8B 04 24 8B 40 04 8B 00 89 44 24 08 8B 44 24 08 83 C0 02 50 8D 45 04 B9 01 00 00 00 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? 83 C4 04 33 F6 8B 7C 24 08 85 FF 76 6D BB 01 00 00 00 8B 04 24 8B 40 04 8B 04 98 33 D2 89 44 24 10 89 54 24 14 8B 44 24 04 33 D2 52 50 8B 44 24 18 8B 54 24 1C ?? ?? ?? ?? ?? 89 44 24 10 89 54 24 14 8B C6 33 D2 03 44 24 10 13 54 24 14 89 44 24 10 89 54 24 14 8B 44 24 10 25 FF FF FF 7F 8B 55 04 89 04 9A 8B 44 24 10 8B 54 24 14 0F AC D0 1F C1 EA 1F 8B F0 43 4F 75 98 }
+ condition:
+ $c0
+}
+
+rule FGint_DivMod : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-05"
+ description = "FGint FGIntDivMod"
+ strings:
+ $c0 = { 55 8B EC 83 C4 BC 53 56 57 8B F1 89 55 F8 89 45 FC 8B 5D 08 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 FC 8A 00 88 45 D7 8B 45 F8 8A 00 88 45 D6 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B D3 8B 45 FC E8 ?? ?? ?? ?? 8D 55 E0 8B 45 F8 E8 ?? ?? ?? ?? 8B 55 F8 8B 45 FC }
+ condition:
+ $c0
+}
+
+rule FGint_FGIntDestroy : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-05"
+ description = "FGint FGIntDestroy"
+ strings:
+ $c0 = { 53 8B D8 8D 43 04 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 5B C3 }
+ condition:
+ $c0
+}
+
+rule FGint_Base10StringToGInt : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-06"
+ version = "0.2"
+ description = "FGint Base10StringToGInt"
+ strings:
+ $c0 = { 55 8B EC B9 04 00 00 00 6A 00 6A 00 49 75 F9 51 53 56 57 8B DA 89 45 FC 8B 45 FC ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC 8A 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC ?? ?? ?? ?? ?? 48 7F D4 8D 45 E4 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC ?? ?? ?? ?? ?? 8B 45 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 75 18 C6 45 EB 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? EB 18 C6 45 EB 01 EB 12 8D 45 FC }
+ $c1 = { 55 8B EC 83 C4 D8 53 56 57 33 C9 89 4D D8 89 4D DC 89 4D E0 89 4D E4 89 4D EC 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 0F 42 45 00 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 8B 45 FC 8A 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC E8 ?? ?? ?? ?? 48 7F D4 8D 45 E4 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 45 E4 BA 28 42 45 00 E8 ?? ?? ?? ?? 75 18 C6 45 EB 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? EB 18 C6 45 EB 01 }
+ $c2 = { 55 8B EC 83 C4 D8 53 56 33 C9 89 4D D8 89 4D DC 89 4D E0 89 4D F8 89 4D F4 8B DA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 A6 32 47 00 64 FF 30 64 89 20 EB 12 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 8B 45 FC 0F B6 00 2C 2D 74 11 04 FD 2C 0A 72 0B 8B 45 FC E8 ?? ?? ?? ?? 48 7F D3 8D 45 E0 50 B9 01 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 45 E0 BA BC 32 47 00 E8 ?? ?? ?? ?? 75 18 C6 45 E9 00 8D 45 FC B9 01 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? EB 18 C6 45 E9 01 }
+
+ condition:
+ any of them
+}
+
+rule FGint_ConvertBase256to64 : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-05"
+ description = "FGint ConvertBase256to64"
+ strings:
+ $c0 = { 55 8B EC 81 C4 EC FB FF FF 53 56 57 33 C9 89 8D EC FB FF FF 89 8D F0 FB FF FF 89 4D F8 8B FA 89 45 FC B9 00 01 00 00 8D 85 F4 FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 F4 FB FF FF BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 8B D8 85 DB 7E 2F BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 F4 FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E5 EB }
+ condition:
+ $c0
+}
+
+rule FGint_ConvertHexStringToBase256String : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-06"
+ version = "0.2"
+ description = "FGint ConvertHexStringToBase256String"
+ strings:
+ $c0 = { 55 8B EC 83 C4 F0 53 56 33 C9 89 4D F0 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? D1 F8 79 03 83 D0 00 85 C0 7E 5F 89 45 F4 BE 01 00 00 00 8B C6 03 C0 8B 55 FC 8A 54 02 FF 8B 4D FC 8A 44 01 FE 3C 3A 73 0A 8B D8 80 EB 30 C1 E3 04 EB 08 8B D8 80 EB 37 C1 E3 04 80 FA 3A 73 07 80 EA 30 0A DA EB 05 80 EA 37 0A DA 8D 45 F0 8B D3 }
+ condition:
+ $c0
+}
+
+rule FGint_Base256StringToGInt : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-05"
+ description = "FGint Base256StringToGInt"
+ strings:
+ $c0 = { 55 8B EC 81 C4 F8 FB FF FF 53 56 57 33 C9 89 4D F8 8B FA 89 45 FC 8B 45 FC ?? ?? ?? ?? ?? B9 00 01 00 00 8D 85 F8 FB FF FF 8B 15 ?? ?? ?? ?? ?? ?? ?? ?? ?? 33 C0 55 ?? ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F8 ?? ?? ?? ?? ?? 8D 85 F8 FB FF FF BA FF 00 00 00 ?? ?? ?? ?? ?? 8B 45 FC ?? ?? ?? ?? ?? 8B D8 85 DB 7E 34 BE 01 00 00 00 8D 45 F8 8B 55 FC 0F B6 54 32 FF 8B 94 95 F8 FB FF FF ?? ?? ?? ?? ?? 46 4B 75 E5 EB 12 8D 45 F8 B9 01 00 00 00 BA 01 00 00 00 ?? ?? ?? ?? ?? 8B 45 F8 80 38 30 75 0F }
+ condition:
+ $c0
+}
+
+rule FGint_FGIntToBase256String : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-06"
+ version = "0.2"
+ description = "FGint FGIntToBase256String"
+ strings:
+ $c0 = { 55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10 8D 45 FC 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 25 07 00 00 80 79 05 48 83 C8 F8 40 85 C0 75 D8 8B 45 FC E8 ?? ?? ?? ?? 8B D8 85 DB 79 03 83 C3 07 C1 FB 03 8B C6 E8 ?? ?? ?? ?? 85 DB 76 4B 8D 45 F4 50 B9 08 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 55 F4 8D 45 FB E8 ?? ?? ?? ?? 8D 45 F0 8A 55 FB E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8D 45 FC B9 08 00 00 00 BA 01 00 00 00 E8 ?? ?? ?? ?? 4B 75 B5 }
+ $c1 = { 55 8B EC 33 C9 51 51 51 51 53 56 8B F2 33 D2 55 68 ?? ?? ?? ?? 64 FF 32 64 89 22 8D 55 FC E8 ?? ?? ?? ?? EB 10 8D 45 FC 8B 4D FC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 25 07 00 00 80 79 05 48 83 C8 F8 40 85 C0 75 D8 8B 45 FC 85 C0 74 05 83 E8 04 8B 00 8B D8 85 DB 79 03 83 C3 07 C1 FB 03 8B C6 E8 ?? ?? ?? ?? 85 DB 76 4C 8D 45 F4 50 B9 08 00 00 00 BA 01 00 00 00 8B 45 FC E8 ?? ?? ?? ?? 8B 55 F4 8D 45 FB E8 ?? ?? ?? ?? 8D 45 F0 0F B6 55 FB E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8D 45 FC B9 08 00 00 00 BA 01 00 00 00 E8 }
+ condition:
+ any of them
+}
+
+rule FGint_ConvertBase256StringToHexString : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-05"
+ description = "FGint ConvertBase256StringToHexString"
+ strings:
+ $c0 = { 55 8B EC 33 C9 51 51 51 51 51 51 53 56 57 8B F2 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B C6 E8 ?? ?? ?? ?? 8B 45 FC E8 ?? ?? ?? ?? 8B F8 85 FF 0F 8E AB 00 00 00 C7 45 F8 01 00 00 00 8B 45 FC 8B 55 F8 8A 5C 10 FF 33 C0 8A C3 C1 E8 04 83 F8 0A 73 1E 8D 45 F4 33 D2 8A D3 C1 EA 04 83 C2 30 E8 ?? ?? ?? ?? 8B 55 F4 8B C6 E8 ?? ?? ?? ?? EB 1C 8D 45 F0 33 D2 8A D3 C1 EA 04 83 C2 37 E8 ?? ?? ?? ?? 8B 55 F0 8B C6 E8 ?? ?? ?? ?? 8B C3 24 0F 3C 0A 73 22 8D 45 EC 8B D3 80 E2 0F 81 E2 FF 00 00 00 83 C2 30 E8 ?? ?? ?? ?? 8B 55 EC 8B C6 E8 ?? ?? ?? ?? EB 20 8D 45 E8 8B D3 80 E2 0F 81 E2 FF 00 00 00 83 C2 37 }
+ condition:
+ $c0
+}
+
+
+rule FGint_PGPConvertBase256to64 : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2016-08"
+ description = "FGint PGPConvertBase256to64"
+ strings:
+ $c0 = { 55 8B EC 81 C4 E8 FB FF FF 53 56 57 33 C9 89 8D E8 FB FF FF 89 4D F8 89 4D F4 89 4D F0 8B FA 89 45 FC B9 00 01 00 00 8D 85 EC FB FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 85 EC FB FF FF BA FF 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 E8 ?? ?? ?? ?? 8B 45 FC 8B 00 E8 ?? ?? ?? ?? 8B D8 85 DB 7E 22 BE 01 00 00 00 8D 45 F8 8B 55 FC 8B 12 0F B6 54 32 FF 8B 94 95 EC FB FF FF E8 ?? ?? ?? ?? 46 4B 75 E3 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 85 D2 75 0A 8D 45 F0 E8 ?? ?? ?? ?? EB 4B 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 83 FA 04 75 1C 8D 45 F8 BA 4C 33 40 00 E8 ?? ?? ?? ?? 8D 45 F0 BA 58 33 40 00 E8 ?? ?? ?? ?? EB 1A 8D 45 F8 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B C7 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? B9 06 00 00 00 99 F7 F9 8B D8 85 DB 7E 57 8D 45 F4 50 B9 06 00 00 00 BA 01 00 00 00 8B 45 F8 E8 ?? ?? ?? ?? 8D 45 EC 8B 55 F4 E8 ?? ?? ?? ?? 8D 85 E8 FB FF FF 8B 55 EC 8A 92 ?? ?? ?? ?? E8 }
+ condition:
+ $c0
+}
+
+
+rule FGint_RSAEncrypt : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-05"
+ description = "FGint RSAEncrypt"
+ strings:
+ $c0 = { 55 8B EC 83 C4 D0 53 56 57 33 DB 89 5D D0 89 5D DC 89 5D D8 89 5D D4 8B F9 89 55 F8 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 E0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 55 DC 8B C7 E8 ?? ?? ?? ?? 8B 45 DC E8 ?? ?? ?? ?? 8B D8 8D 55 DC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 DC 8B 4D DC BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B F3 4E EB 10 }
+ condition:
+ $c0
+}
+
+rule FGint_RsaDecrypt : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "FGint RsaDecrypt"
+ strings:
+ $c0 = { 55 8B EC 83 C4 A0 53 56 57 33 DB 89 5D A0 89 5D A4 89 5D A8 89 5D B4 89 5D B0 89 5D AC 89 4D F8 8B FA 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 }
+ condition:
+ $c0
+}
+
+rule FGint_RSAVerify : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ description = "FGint RSAVerify"
+ strings:
+ $c0 = { 55 8B EC 83 C4 E0 53 56 8B F1 89 55 F8 89 45 FC 8B 5D 0C 8B 45 FC E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 E8 8B 45 F8 E8 ?? ?? ?? ?? 8D 55 F0 8B 45 FC E8 ?? ?? ?? ?? 8D 4D E0 8B D3 8D 45 F0 E8 ?? ?? ?? ?? 8D 55 F0 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 E0 50 8B CB 8B D6 8D 45 E8 E8 ?? ?? ?? ?? 8D 55 E8 8D 45 E0 E8 ?? ?? ?? ?? 8D 55 F0 8D 45 E8 E8 ?? ?? ?? ?? 3C 02 8B 45 08 0F 94 00 8D 45 E8 E8 ?? ?? ?? ?? 8D 45 F0 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? B9 03 00 00 00 E8 ?? ?? ?? ?? 8D 45 F8 BA 02 00 00 00 E8 ?? ?? ?? ?? C3 }
+ condition:
+ $c0
+}
+
+rule FGint_FindPrimeGoodCurveAndPoint : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-06"
+ description = "FGint FindPrimeGoodCurveAndPoint"
+ version = "0.1"
+ strings:
+ $c0 = { 55 8B EC 83 C4 F4 53 56 57 33 DB 89 5D F4 89 4D FC 8B FA 8B F0 33 C0 55 }
+ condition:
+ $c0
+}
+
+rule FGint_ECElGamalEncrypt : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2016-08"
+ description = "FGint ECElGamalEncrypt"
+ version = "0.1"
+ strings:
+ $c0 = { 55 8B EC 81 C4 3C FF FF FF 53 56 57 33 DB 89 5D D8 89 5D D4 89 5D D0 8B 75 10 8D 7D 8C A5 A5 A5 A5 A5 8B 75 14 8D 7D A0 A5 A5 A5 A5 A5 8B 75 18 8D 7D DC A5 A5 8B 75 1C 8D 7D E4 A5 A5 8B F1 8D 7D EC A5 A5 8B F2 8D 7D F4 A5 A5 89 45 FC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 A0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 8C 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 78 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 64 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 50 FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 85 3C FF FF FF 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 7D CF }
+ $c1 = { 55 8B EC 83 C4 A8 53 56 57 33 DB 89 5D A8 89 5D AC 89 5D BC 89 5D B8 89 5D B4 89 4D F4 89 55 F8 89 45 FC 8B 75 0C 8B 45 FC E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 71 14 41 00 64 FF 30 64 89 20 8D 55 BC 8B C6 E8 ?? ?? ?? ?? 8B 45 BC E8 ?? ?? ?? ?? 8B D8 8D 55 BC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 BC 8B 4D BC BA 8C 14 41 00 E8 ?? ?? ?? ?? 8B FB 4F EB 10 8D 45 BC 8B 4D BC BA 98 14 41 00 E8 ?? ?? ?? ?? 8B 45 BC }
+ condition:
+ $c0 or $c1
+}
+
+rule FGint_ECAddPoints : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-06"
+ description = "FGint ECAddPoints"
+ version = "0.1"
+ strings:
+ $c0 = { 55 8B EC 83 C4 A8 53 56 57 8B 75 0C 8D 7D F0 A5 A5 8B F1 8D 7D F8 A5 A5 8B F2 8D 7D A8 A5 A5 A5 A5 A5 8B F0 8D 7D BC A5 A5 A5 A5 A5 8B 5D 08 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 A8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 }
+ condition:
+ $c0
+}
+
+rule FGint_ECPointKMultiple : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-06"
+ description = "FGint ECPointKMultiple"
+ version = "0.1"
+ strings:
+ $c0 = { 55 8B EC 83 C4 BC 53 56 57 33 DB 89 5D E4 8B 75 0C 8D 7D E8 A5 A5 8B F1 8D 7D F0 A5 A5 8B F2 8D 7D F8 A5 A5 8B F0 8D 7D D0 A5 A5 A5 A5 A5 8B 5D 08 8D 45 D0 8B 15 ?? ?? ?? 00 E8 ?? ?? ?? ?? 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 }
+ condition:
+ $c0
+}
+
+rule FGint_ECPointDestroy : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-06"
+ description = "FGint ECPointDestroy"
+ version = "0.1"
+ strings:
+ $c0 = { 53 8B D8 8B C3 E8 ?? ?? ?? ?? 8D 43 08 E8 ?? ?? ?? ?? 5B C3 }
+ condition:
+ $c0
+}
+
+rule FGint_DSAPrimeSearch : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2016-08"
+ description = "FGint DSAPrimeSearch"
+ version = "0.1"
+ strings:
+ $c0 = { 55 8B EC 83 C4 DC 53 56 8B DA 8B F0 8D 45 F8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 4D F8 8B D6 8B C6 E8 ?? ?? ?? ?? 8D 4D E8 8B D6 8B C3 E8 ?? ?? ?? ?? 8D 55 F0 B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 4D E0 8D 55 E8 8B C3 E8 ?? ?? ?? ?? 8D 45 E8 E8 ?? ?? ?? ?? 8D 4D E8 8D 55 F0 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 E0 E8 ?? ?? ?? ?? 8D 45 F0 E8 ?? ?? ?? ?? 8B 45 EC 8B 40 04 83 E0 01 85 C0 75 18 8D 4D E0 8B D6 8D 45 E8 E8 ?? ?? ?? ?? 8D 55 E8 8D 45 E0 E8 ?? ?? ?? ?? 8B D3 8D 45 E8 E8 ?? ?? ?? ?? C6 45 DF 00 EB 26 8D 4D E8 8D 55 F8 8B C3 E8 ?? ?? ?? ?? 8B D3 8D 45 E8 E8 ?? ?? ?? ?? 8D 4D DF 8B C3 BA 05 00 00 00 E8 ?? ?? ?? ?? 80 7D DF 00 74 D4 8D 45 F8 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? B9 04 00 00 00 E8 ?? ?? ?? ?? C3 }
+ condition:
+ $c0
+}
+
+rule FGint_DSASign : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2016-08"
+ description = "FGint DSASign"
+ version = "0.1"
+ strings:
+ $c0 = { 55 8B EC 83 C4 CC 53 56 57 89 4D FC 8B DA 8B F8 8B 75 14 8B 45 10 E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 45 F4 50 8B CF 8B D6 8B 45 FC E8 ?? ?? ?? ?? 8D 4D D4 8B D3 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8B C6 E8 ?? ?? ?? ?? 8D 55 EC 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 D4 8B 45 18 E8 ?? ?? ?? ?? 8D 4D DC 8D 55 E4 8D 45 EC E8 ?? ?? ?? ?? 8D 45 EC E8 ?? ?? ?? ?? 8D 45 E4 E8 ?? ?? ?? ?? 8D 45 CC 50 8B CB 8D 55 DC 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 DC E8 ?? ?? ?? ?? 8B 55 0C 8D 45 D4 E8 ?? ?? ?? ?? 8B 55 08 8D 45 CC E8 ?? ?? ?? ?? 8D 45 D4 E8 ?? ?? ?? ?? 8D 45 CC E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? B9 06 00 00 00 E8 }
+ condition:
+ $c0
+}
+
+rule FGint_DSAVerify : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2016-08"
+ description = "FGint DSAVerify"
+ version = "0.1"
+ strings:
+ $c0 = { 55 8B EC 83 C4 B4 53 56 57 89 4D FC 8B DA 8B F0 8B 7D 08 8B 45 14 E8 ?? ?? ?? ?? 8B 45 10 E8 ?? ?? ?? ?? 8B 45 0C E8 ?? ?? ?? ?? 8D 45 F4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 EC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 DC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 CC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 BC 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B4 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 CC 8B 45 0C E8 ?? ?? ?? ?? 8D 4D F4 8B D3 8D 45 CC E8 ?? ?? ?? ?? 8D 55 C4 8B 45 14 E8 ?? ?? ?? ?? 8D 45 EC 50 8B CB 8D 55 F4 8D 45 C4 E8 ?? ?? ?? ?? 8D 45 C4 E8 ?? ?? ?? ?? 8D 55 D4 8B 45 10 E8 ?? ?? ?? ?? 8D 45 E4 50 8B CB 8D 55 F4 8D 45 D4 E8 ?? ?? ?? ?? 8D 45 F4 E8 ?? ?? ?? ?? 8D 45 C4 50 8B CE 8D 55 EC 8B 45 FC E8 ?? ?? ?? ?? 8D 45 BC 50 8B CE 8D 55 E4 8B 45 18 E8 ?? ?? ?? ?? 8D 45 B4 50 8B CE 8D 55 BC 8D 45 C4 E8 ?? ?? ?? ?? 8D 45 C4 E8 }
+ condition:
+ $c0
+}
+
+
+rule DES_Long : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-05"
+ description = "DES [long]"
+ strings:
+ $c0 = { 10 80 10 40 00 00 00 00 00 80 10 00 00 00 10 40 10 00 00 40 10 80 00 00 00 80 00 40 00 80 10 00 00 80 00 00 10 00 10 40 10 00 00 00 00 80 00 40 10 00 10 00 00 80 10 40 00 00 10 40 10 00 00 00 }
+ condition:
+ $c0
+}
+
+rule DES_sbox : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-05"
+ description = "DES [sbox]"
+ strings:
+ $c0 = { 00 04 01 01 00 00 00 00 00 00 01 00 04 04 01 01 04 00 01 01 04 04 01 00 04 00 00 00 00 00 01 00 00 04 00 00 00 04 01 01 04 04 01 01 00 04 00 00 04 04 00 01 04 00 01 01 00 00 00 01 04 00 00 00 }
+ condition:
+ $c0
+}
+
+rule DES_pbox_long : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ date = "2015-05"
+ description = "DES [pbox] [long]"
+ strings:
+ $c0 = { 0F 00 00 00 06 00 00 00 13 00 00 00 14 00 00 00 1C 00 00 00 0B 00 00 00 1B 00 00 00 10 00 00 00 00 00 00 00 0E 00 00 00 16 00 00 00 19 00 00 00 04 00 00 00 11 00 00 00 1E 00 00 00 09 00 00 00 01 00 00 00 07 00 00 00 17 00 00 00 0D 00 00 00 1F 00 00 00 1A 00 00 00 02 00 00 00 08 00 00 00 12 00 00 00 0C 00 00 00 1D 00 00 00 05 00 00 00 }
+ condition:
+ $c0
+}
+
+rule OpenSSL_BN_mod_exp2_mont : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "OpenSSL BN_mod_exp2_mont"
+ strings:
+ $c0 = { B8 30 05 00 00 E8 ?? ?? ?? ?? 8B 84 24 48 05 00 00 53 33 DB 56 8B 08 57 89 5C 24 24 89 5C 24 30 8A 01 89 5C 24 28 A8 01 89 5C 24 0C 75 24 68 89 00 00 00 68 ?? ?? ?? ?? 6A 66 6A 76 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 5F 5E 5B 81 C4 30 05 00 00 C3 8B 94 24 48 05 00 00 52 E8 ?? ?? ?? ?? 8B F0 8B 84 24 54 05 00 00 50 E8 ?? ?? ?? ?? 83 C4 08 3B F3 8B F8 75 20 3B FB 75 1C 8B 8C 24 40 05 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5B 81 C4 30 05 00 00 C3 3B F7 89 74 24 18 7F 04 89 }
+ condition:
+ $c0
+}
+
+rule OpenSSL_BN_mod_exp_mont : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "OpenSSL BN_mod_exp_mont"
+ strings:
+ $c0 = { B8 A0 02 00 00 E8 ?? ?? ?? ?? 53 56 57 8B BC 24 BC 02 00 00 33 F6 8B 07 89 74 24 24 89 74 24 20 89 74 24 0C F6 00 01 75 24 68 72 01 00 00 68 ?? ?? ?? ?? 6A 66 6A 6D 6A 03 E8 ?? ?? ?? ?? 83 C4 14 33 C0 5F 5E 5B 81 C4 A0 02 00 00 C3 8B 8C 24 B8 02 00 00 51 E8 ?? ?? ?? ?? 8B D8 83 C4 04 3B DE 89 5C 24 18 75 1C 8B 94 24 B0 02 00 00 6A 01 52 E8 ?? ?? ?? ?? 83 C4 08 5F 5E 5B 81 C4 A0 02 00 00 C3 55 8B AC 24 C4 02 00 00 55 E8 ?? ?? ?? ?? 55 E8 ?? ?? ?? ?? 8B F0 55 89 74 24 24 E8 }
+ condition:
+ $c0
+}
+
+rule OpenSSL_BN_mod_exp_recp : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "OpenSSL BN_mod_exp_recp"
+ strings:
+ $c0 = { B8 C8 02 00 00 E8 ?? ?? ?? ?? 8B 84 24 D4 02 00 00 55 56 33 F6 50 89 74 24 1C 89 74 24 18 E8 ?? ?? ?? ?? 8B E8 83 C4 04 3B EE 89 6C 24 0C 75 1B 8B 8C 24 D4 02 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5E 5D 81 C4 C8 02 00 00 C3 53 57 8B BC 24 EC 02 00 00 57 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B D8 83 C4 08 3B DE 0F 84 E7 02 00 00 8D 54 24 24 52 E8 ?? ?? ?? ?? 8B B4 24 EC 02 00 00 83 C4 04 8B 46 0C 85 C0 74 32 56 53 E8 ?? ?? ?? ?? 83 C4 08 85 C0 0F 84 BA 02 00 00 57 8D 44 24 28 53 }
+ condition:
+ $c0
+}
+
+rule OpenSSL_BN_mod_exp_simple : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "OpenSSL BN_mod_exp_simple"
+ strings:
+ $c0 = { B8 98 02 00 00 E8 ?? ?? ?? ?? 8B 84 24 A4 02 00 00 55 56 33 ED 50 89 6C 24 1C 89 6C 24 18 E8 ?? ?? ?? ?? 8B F0 83 C4 04 3B F5 89 74 24 0C 75 1B 8B 8C 24 A4 02 00 00 6A 01 51 E8 ?? ?? ?? ?? 83 C4 08 5E 5D 81 C4 98 02 00 00 C3 53 57 8B BC 24 BC 02 00 00 57 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 8B D8 83 C4 08 3B DD 0F 84 71 02 00 00 8D 54 24 28 52 E8 ?? ?? ?? ?? 8B AC 24 BC 02 00 00 8B 84 24 B4 02 00 00 57 55 8D 4C 24 34 50 51 C7 44 24 30 01 00 00 00 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F }
+ condition:
+ $c0
+}
+
+rule OpenSSL_BN_mod_exp_inverse : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "OpenSSL BN_mod_exp_inverse"
+ strings:
+ $c0 = { B8 18 00 00 00 E8 ?? ?? ?? ?? 53 55 56 57 8B 7C 24 38 33 C0 57 89 44 24 20 89 44 24 24 E8 ?? ?? ?? ?? 57 E8 ?? ?? ?? ?? 57 89 44 24 1C E8 ?? ?? ?? ?? 57 8B F0 E8 ?? ?? ?? ?? 57 89 44 24 28 E8 ?? ?? ?? ?? 57 8B E8 E8 ?? ?? ?? ?? 57 8B D8 E8 ?? ?? ?? ?? 8B F8 8B 44 24 54 50 89 7C 24 38 E8 ?? ?? ?? ?? 83 C4 20 89 44 24 24 85 C0 8B 44 24 2C 0F 84 78 05 00 00 85 C0 75 05 E8 ?? ?? ?? ?? 85 C0 89 44 24 1C 0F 84 63 05 00 00 8B 4C 24 14 6A 01 51 E8 ?? ?? ?? ?? 6A 00 57 E8 }
+ condition:
+ $c0
+}
+
+rule OpenSSL_DSA : Crypto_Algorithms
+{
+ meta:
+ author="_pusher_"
+ date="2016-08"
+ strings:
+ $a0 = "bignum_data" wide ascii nocase
+ $a1 = "DSA_METHOD" wide ascii nocase
+ $a2 = "PDSA" wide ascii nocase
+ $a3 = "dsa_mod_exp" wide ascii nocase
+ $a4 = "bn_mod_exp" wide ascii nocase
+ $a5 = "dsa_do_verify" wide ascii nocase
+ $a6 = "dsa_sign_setup" wide ascii nocase
+ $a7 = "dsa_do_sign" wide ascii nocase
+ $a8 = "dsa_paramgen" wide ascii nocase
+ $a9 = "BN_MONT_CTX" wide ascii nocase
+ condition:
+ 7 of ($a*)
+}
+
+rule FGint_RsaSign : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "FGint RsaSign"
+ strings:
+ $c0 = { 55 8B EC 83 C4 B8 53 56 57 89 4D F8 8B FA 89 45 FC 8B 75 0C 8B 5D 10 8B 45 FC E8 ?? ?? ?? ?? 8D 45 F0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 E0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 D0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 C0 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8D 45 B8 8B 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8D 55 F0 }
+ condition:
+ $c0
+}
+
+
+rule LockBox_RsaEncryptFile : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "LockBox RsaEncryptFile"
+ strings:
+ $c0 = { 55 8B EC 83 C4 F8 53 56 8B F1 8B DA 6A 20 8B C8 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 FC 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 68 FF FF 00 00 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8A 45 08 50 8B CE 8B 55 F8 8B 45 FC E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? C3 }
+ condition:
+ $c0
+}
+
+rule LockBox_DecryptRsaEx : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "LockBox DecryptRsaEx"
+ strings:
+ $c0 = { 55 8B EC 83 C4 F4 53 56 57 89 4D F8 89 55 FC 8B D8 33 C0 8A 43 04 0F B7 34 45 ?? ?? ?? ?? 0F B7 3C 45 ?? ?? ?? ?? 8B CE B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F4 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B 55 FC 8B CE 8B 45 F4 E8 ?? ?? ?? ?? 6A 00 B1 02 8B D3 8B 45 F4 E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 3B C7 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 F4 E8 ?? ?? ?? ?? 8B C8 8B 55 F8 8B 45 F4 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 }
+ condition:
+ $c0
+}
+
+rule LockBox_EncryptRsaEx : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "LockBox EncryptRsaEx"
+ strings:
+ $c0 = { 55 8B EC 83 C4 F8 53 56 57 89 4D FC 8B FA 8B F0 33 C0 8A 46 04 0F B7 1C 45 ?? ?? ?? ?? 8B CB B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 45 F8 33 C0 55 68 ?? ?? ?? ?? 64 FF 30 64 89 20 8B D7 8B 4D 08 8B 45 F8 E8 ?? ?? ?? ?? 6A 01 B1 02 8B D6 8B 45 F8 E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 3B C3 7E 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 45 F8 E8 ?? ?? ?? ?? 8B C8 8B 55 FC 8B 45 F8 E8 ?? ?? ?? ?? 33 C0 5A 59 59 64 89 10 68 ?? ?? ?? ?? 8B 45 F8 E8 }
+ condition:
+ $c0
+}
+
+rule LockBox_TlbRsaKey : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "LockBox TlbRsaKey"
+ strings:
+ $c0 = { 53 56 84 D2 74 08 83 C4 F0 E8 ?? ?? ?? ?? 8B DA 8B F0 33 D2 8B C6 E8 ?? ?? ?? ?? 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 46 0C 33 C0 8A 46 04 8B 15 ?? ?? ?? ?? 0F B7 0C 42 B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 89 46 10 8B C6 84 DB 74 0F E8 ?? ?? ?? ?? 64 8F 05 00 00 00 00 83 C4 0C 8B C6 5E 5B C3 }
+ condition:
+ $c0
+}
+
+rule BigDig_bpInit : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "BigDig bpInit"
+ strings:
+ $c0 = { 56 8B 74 24 0C 6A 04 56 E8 ?? ?? ?? ?? 8B C8 8B 44 24 10 83 C4 08 85 C9 89 08 75 04 33 C0 5E C3 89 70 08 C7 40 04 00 00 00 00 5E C3 }
+ condition:
+ $c0
+}
+
+rule BigDig_mpModExp : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "BigDig mpModExp"
+ strings:
+ $c0 = { 56 8B 74 24 18 85 F6 75 05 83 C8 FF 5E C3 53 55 8B 6C 24 18 57 56 55 E8 ?? ?? ?? ?? 8B D8 83 C4 08 BF 00 00 00 80 8B 44 9D FC 85 C7 75 04 D1 EF 75 F8 83 FF 01 75 08 BF 00 00 00 80 4B EB 02 D1 EF 8B 44 24 18 56 8B 74 24 18 50 56 E8 ?? ?? ?? ?? 83 C4 0C 85 DB 74 4F 8D 6C 9D FC 8B 4C 24 24 8B 54 24 20 51 52 56 56 56 E8 ?? ?? ?? ?? 8B 45 00 83 C4 14 85 C7 74 19 8B 44 24 24 8B 4C 24 20 8B 54 24 18 50 51 52 56 56 E8 ?? ?? ?? ?? 83 C4 14 83 FF 01 75 0B 4B BF 00 00 00 80 83 ED 04 EB }
+ condition:
+ $c0
+}
+
+rule BigDig_mpModInv : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "BigDig mpModInv"
+ strings:
+ $c0 = { 81 EC 2C 07 00 00 8D 84 24 CC 00 00 00 53 56 8B B4 24 44 07 00 00 57 56 6A 01 50 E8 ?? ?? ?? ?? 8B 8C 24 4C 07 00 00 56 8D 94 24 80 02 00 00 51 52 E8 ?? ?? ?? ?? 8D 84 24 BC 01 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 64 07 00 00 56 8D 4C 24 30 53 51 E8 ?? ?? ?? ?? 8D 54 24 38 56 52 BF 01 00 00 00 E8 ?? ?? ?? ?? 83 C4 34 85 C0 0F 85 ED 00 00 00 8D 44 24 0C 56 50 8D 8C 24 78 02 00 00 56 8D 94 24 48 03 00 00 51 8D 84 24 18 04 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C 24 BC 01 00 00 56 8D 94 }
+ condition:
+ $c0
+}
+
+rule BigDig_mpModMult : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "BigDig mpModMult"
+ strings:
+ $c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 98 01 00 00 8D 54 24 00 56 8B B4 24 B0 01 00 00 57 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 C0 01 00 00 8B 94 24 B4 01 00 00 8D 3C 36 56 50 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 57 50 E8 ?? ?? ?? ?? 83 C4 2C 33 C0 5F 5E 81 C4 98 01 00 00 C3 }
+ condition:
+ $c0
+}
+
+rule BigDig_mpModulo : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "BigDig mpModulo"
+ strings:
+ $c0 = { 8B 44 24 10 81 EC 30 03 00 00 8B 8C 24 38 03 00 00 8D 54 24 00 56 8B B4 24 40 03 00 00 57 8B BC 24 4C 03 00 00 57 50 56 51 8D 84 24 B0 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 94 24 54 03 00 00 8D 4C 24 20 57 51 52 E8 ?? ?? ?? ?? 8D 44 24 2C 56 50 E8 ?? ?? ?? ?? 8D 8C 24 CC 01 00 00 56 51 E8 ?? ?? ?? ?? 83 C4 34 33 C0 5F 5E 81 C4 30 03 00 00 C3 }
+ condition:
+ $c0
+}
+
+rule BigDig_spModExpB : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "BigDig spModExpB"
+ strings:
+ $c0 = { 53 8B 5C 24 10 55 56 BE 00 00 00 80 85 F3 75 04 D1 EE 75 F8 8B 6C 24 14 8B C5 D1 EE 89 44 24 18 74 48 57 8B 7C 24 20 EB 04 8B 44 24 1C 57 50 50 8D 44 24 28 50 E8 ?? ?? ?? ?? 83 C4 10 85 F3 74 14 8B 4C 24 1C 57 55 8D 54 24 24 51 52 E8 ?? ?? ?? ?? 83 C4 10 D1 EE 75 D0 8B 44 24 14 8B 4C 24 1C 5F 5E 89 08 5D 33 C0 5B C3 8B 54 24 10 5E 5D 5B 89 02 33 C0 C3 }
+ condition:
+ $c0
+}
+
+rule BigDig_spModInv : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "BigDig spModInv"
+ strings:
+ $c0 = { 51 8B 4C 24 10 55 56 BD 01 00 00 00 33 F6 57 8B 7C 24 18 89 6C 24 0C 85 C9 74 42 53 8B C7 33 D2 F7 F1 8B C7 8B F9 8B DA 33 D2 F7 F1 8B CB 0F AF C6 03 C5 8B EE 8B F0 8B 44 24 10 F7 D8 85 DB 89 44 24 10 75 D7 85 C0 5B 7D 13 8B 44 24 1C 8B 4C 24 14 2B C5 5F 89 01 5E 33 C0 5D 59 C3 8B 54 24 14 5F 5E 33 C0 89 2A 5D 59 C3 }
+ condition:
+ $c0
+}
+
+rule BigDig_spModMult : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "BigDig spModMult"
+ strings:
+ $c0 = { 8B 44 24 0C 8B 4C 24 08 83 EC 08 8D 54 24 00 50 51 52 E8 ?? ?? ?? ?? 8B 44 24 24 6A 02 8D 4C 24 10 50 51 E8 ?? ?? ?? ?? 8B 54 24 24 89 02 33 C0 83 C4 20 C3 }
+ condition:
+ $c0
+}
+
+rule CryptoPP_ApplyFunction : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "CryptoPP ApplyFunction"
+ strings:
+ $c0 = { 51 8D 41 E4 56 8B 74 24 0C 83 C1 F0 50 51 8B 4C 24 18 C7 44 24 0C 00 00 00 00 51 56 E8 ?? ?? ?? ?? 83 C4 10 8B C6 5E 59 C2 08 00 }
+ $c1 = { 51 53 56 8B F1 57 6A 00 C7 44 24 10 00 00 00 00 8B 46 04 8B 48 04 8B 5C 31 04 8D 7C 31 04 E8 ?? ?? ?? ?? 50 8B CF FF 53 10 8B 44 24 18 8D 56 08 83 C6 1C 52 56 8B 74 24 1C 50 56 E8 ?? ?? ?? ?? 83 C4 10 8B C6 5F 5E 5B 59 C2 08 00 }
+ condition:
+ any of them
+}
+
+rule CryptoPP_RsaFunction : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "CryptoPP RsaFunction"
+ strings:
+ $c0 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 81 EC 9C 00 00 00 8B 84 24 B0 00 00 00 53 55 56 33 ED 8B F1 57 3B C5 89 B4 24 A8 00 00 00 89 6C 24 10 BF 01 00 00 00 74 18 C7 06 ?? ?? ?? ?? C7 46 20 ?? ?? ?? ?? 89 7C 24 10 89 AC 24 B4 00 00 00 8D 4E 04 E8 ?? ?? ?? ?? 8D 4E 10 89 BC 24 B4 00 00 00 E8 ?? ?? ?? ?? 8B 06 BB ?? ?? ?? ?? BF ?? ?? ?? ?? 8B 48 04 C7 04 31 ?? ?? ?? ?? 8B 16 8B 42 04 8B 54 24 10 83 CA 02 8D 48 E0 89 54 24 10 89 4C 30 FC 89 5C 24 18 89 7C }
+ $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 08 8B 44 24 1C 53 8B 5C 24 1C 56 8B F1 57 33 C9 89 74 24 10 3B C1 89 4C 24 0C 74 7B C7 46 04 ?? ?? ?? ?? C7 46 3C ?? ?? ?? ?? C7 46 30 ?? ?? ?? ?? C7 46 34 ?? ?? ?? ?? 3B D9 75 06 89 4C 24 28 EB 0E 8B 43 04 8B 50 0C 8D 44 1A 04 89 44 24 28 8B 56 3C C7 44 24 0C 07 00 00 00 8B 42 04 C7 44 30 3C ?? ?? ?? ?? 8B 56 3C 8B 42 08 C7 44 30 3C ?? ?? ?? ?? 8B 56 3C C7 46 38 ?? ?? ?? ?? 8B 42 04 C7 44 30 3C }
+ $c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 08 8B 44 24 18 56 8B F1 57 85 C0 89 74 24 0C C7 44 24 08 00 00 00 00 74 63 C7 46 04 ?? ?? ?? ?? C7 46 3C ?? ?? ?? ?? C7 46 30 ?? ?? ?? ?? C7 46 34 ?? ?? ?? ?? 8B 46 3C C7 44 24 08 07 00 00 00 8B 48 04 C7 44 31 3C ?? ?? ?? ?? 8B 56 3C 8B 42 08 C7 44 30 3C ?? ?? ?? ?? 8B 4E 3C C7 46 38 ?? ?? ?? ?? 8B 51 04 C7 44 32 3C ?? ?? ?? ?? 8B 46 3C 8B 48 08 C7 44 31 3C ?? ?? ?? ?? C7 06 ?? ?? ?? ?? 8D 7E 04 6A 00 8B CF }
+ condition:
+ any of them
+}
+
+rule CryptoPP_Integer_constructor : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "CryptoPP Integer constructor"
+ strings:
+ $c0 = { 8B 44 24 08 56 83 F8 08 8B F1 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 8D 04 95 00 00 00 00 89 16 50 E8 ?? ?? ?? ?? 8B 4C 24 0C 89 46 04 C7 46 08 00 00 00 00 89 08 8B 0E 8B 46 04 83 C4 04 49 74 0F 57 8D 78 04 33 C0 F3 AB 8B C6 5F 5E C2 08 00 8B C6 5E C2 08 00 }
+ $c1 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 51 56 8B F1 89 74 24 04 C7 06 ?? ?? ?? ?? 6A 08 C7 44 24 14 00 00 00 00 C7 46 08 02 00 00 00 E8 ?? ?? ?? ?? 89 46 0C C7 46 10 00 00 00 00 C7 06 ?? ?? ?? ?? 8B 46 0C 83 C4 04 C7 40 04 00 00 00 00 8B 4E 0C 8B C6 5E C7 01 00 00 00 00 8B 4C 24 04 64 89 0D 00 00 00 00 83 C4 10 C3 }
+ $c2 = { 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 51 56 8B F1 57 89 74 24 08 C7 06 ?? ?? ?? ?? 8B 7C 24 1C C7 44 24 14 00 00 00 00 8B CF E8 ?? ?? ?? ?? 83 F8 08 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 85 D2 89 56 08 76 12 8D 04 95 00 00 00 00 50 E8 ?? ?? ?? ?? 83 C4 04 EB 02 33 C0 89 46 0C 8B 4F 10 89 4E 10 }
+ $c3 = { 56 57 8B 7C 24 0C 8B F1 8B CF E8 ?? ?? ?? ?? 83 F8 08 77 09 8B 14 85 ?? ?? ?? ?? EB 37 83 F8 10 77 07 BA 10 00 00 00 EB 2B 83 F8 20 77 07 BA 20 00 00 00 EB 1F 83 F8 40 77 07 BA 40 00 00 00 EB 13 48 50 E8 ?? ?? ?? ?? BA 01 00 00 00 8B C8 83 C4 04 D3 E2 8D 04 95 00 00 00 00 89 16 50 E8 ?? ?? ?? ?? 8B 16 89 46 04 8B 4F 08 83 C4 04 89 4E 08 8B 4F 04 85 D2 76 0D 2B C8 8B 3C 01 89 38 83 C0 04 4A 75 F5 8B C6 5F 5E C2 04 00 }
+ condition:
+ any of them
+}
+
+rule RijnDael_AES : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ description = "RijnDael AES"
+ date = "2016-06"
+ strings:
+ $c0 = { A5 63 63 C6 84 7C 7C F8 }
+ condition:
+ $c0
+}
+
+rule RijnDael_AES_CHAR : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ description = "RijnDael AES (check2) [char]"
+ date = "2016-06"
+ strings:
+ $c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 }
+ condition:
+ $c0
+}
+
+rule RijnDael_AES_CHAR_inv : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ description = "RijnDael AES S-inv [char]"
+ //needs improvement
+ date = "2016-07"
+ strings:
+ $c0 = { 48 38 47 00 88 17 33 D2 8A 56 0D 8A 92 48 38 47 00 88 57 01 33 D2 8A 56 0A 8A 92 48 38 47 00 88 57 02 33 D2 8A 56 07 8A 92 48 38 47 00 88 57 03 33 D2 8A 56 04 8A 92 }
+ condition:
+ $c0
+}
+
+rule RijnDael_AES_LONG : Crypto_Algorithms
+{ meta:
+ author = "_pusher_"
+ description = "RijnDael AES"
+ date = "2016-06"
+ strings:
+ $c0 = { 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76 CA 82 C9 7D FA 59 47 F0 AD D4 A2 AF 9C A4 72 C0 }
+ condition:
+ $c0
+}
+
+rule RsaRef2_NN_modExp : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "RsaRef2 NN_modExp"
+ strings:
+ $c0 = { 81 EC 1C 02 00 00 53 55 56 8B B4 24 30 02 00 00 57 8B BC 24 44 02 00 00 57 8D 84 24 A4 00 00 00 56 50 E8 ?? ?? ?? ?? 8B 9C 24 4C 02 00 00 57 53 8D 8C 24 B4 00 00 00 56 8D 94 24 3C 01 00 00 51 52 E8 ?? ?? ?? ?? 57 53 8D 84 24 4C 01 00 00 56 8D 8C 24 D4 01 00 00 50 51 E8 ?? ?? ?? ?? 8D 54 24 50 57 52 E8 ?? ?? ?? ?? 8B 84 24 78 02 00 00 8B B4 24 74 02 00 00 50 56 C7 44 24 60 01 00 00 00 E8 ?? ?? ?? ?? 8D 48 FF 83 C4 44 8B E9 89 4C 24 18 85 ED 0F 8C AF 00 00 00 8D 34 AE 89 74 24 }
+ condition:
+ any of them
+}
+
+rule RsaRef2_NN_modInv : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "RsaRef2 NN_modInv"
+ strings:
+ $c0 = { 81 EC A4 04 00 00 53 56 8B B4 24 BC 04 00 00 57 8D 84 24 ?? 00 00 00 56 50 E8 ?? ?? ?? ?? 8D 8C 24 1C 01 00 00 BF 01 00 00 00 56 51 89 BC 24 A0 00 00 00 E8 ?? ?? ?? ?? 8B 94 24 C8 04 00 00 56 8D 84 24 AC 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 9C 24 D8 04 00 00 56 8D 4C 24 2C 53 51 E8 ?? ?? ?? ?? 8D 54 24 34 56 52 E8 ?? ?? ?? ?? 83 C4 30 85 C0 0F 85 ED 00 00 00 8D 44 24 0C 56 50 8D 8C 24 A0 01 00 00 56 8D 94 24 AC 02 00 00 51 8D 84 24 34 03 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C 24 2C 01 }
+ condition:
+ $c0
+}
+
+rule RsaRef2_NN_modMult : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "RsaRef2 NN_modMult"
+ strings:
+ $c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 68 08 01 00 00 8D 4C 24 2C 6A 00 51 E8 ?? ?? ?? ?? 83 C4 30 5E 81 C4 08 01 00 00 C3 }
+ condition:
+ $c0
+}
+
+rule RsaRef2_RsaPrivateDecrypt : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "RsaRef2 RsaPrivateDecrypt"
+ strings:
+ $c0 = { 8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F 85 8B 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6B 8A 4C 24 09 B8 02 00 00 00 3A C8 75 5E 8D 4E FF 3B C8 76 0D 8A 54 04 08 84 D2 74 05 40 3B C1 72 F3 40 3B C6 73 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A 8D 51 0B }
+ condition:
+ $c0
+}
+
+rule RsaRef2_RsaPrivateEncrypt : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "RsaRef2 RsaPrivateEncrypt"
+ strings:
+ $c0 = { 8B 44 24 14 8B 54 24 10 81 EC 80 00 00 00 8D 4A 0B 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 80 00 00 00 C3 8B CE B8 02 00 00 00 2B CA C6 44 24 04 00 49 C6 44 24 05 01 3B C8 76 23 53 55 8D 69 FE 57 8B CD 83 C8 FF 8B D9 8D 7C 24 12 C1 E9 02 F3 AB 8B CB 83 E1 03 F3 AA 8D 45 02 5F 5D 5B 52 8B 94 24 94 00 00 00 C6 44 04 08 00 8D 44 04 09 52 50 E8 ?? ?? ?? ?? 8B 8C 24 A4 00 00 00 8B 84 24 98 00 00 00 51 8B 8C 24 98 00 00 00 8D 54 24 14 56 52 50 51 E8 }
+ condition:
+ $c0
+}
+
+rule RsaRef2_RsaPublicDecrypt : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "RsaRef2 RsaPublicDecrypt"
+ strings:
+ $c0 = { 8B 44 24 14 81 EC 84 00 00 00 8B 8C 24 94 00 00 00 56 8B 30 83 C6 07 C1 EE 03 3B CE 76 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 50 8B 84 24 98 00 00 00 51 8D 4C 24 0C 50 8D 54 24 14 51 52 E8 ?? ?? ?? ?? 83 C4 14 85 C0 0F 85 8E 00 00 00 39 74 24 04 74 0D B8 06 04 00 00 5E 81 C4 84 00 00 00 C3 8A 44 24 08 84 C0 75 6E 80 7C 24 09 01 75 67 B8 02 00 00 00 8D 4E FF 3B C8 76 0D B2 FF 38 54 04 08 75 05 40 3B C1 72 F5 8A 4C 04 08 40 84 C9 75 45 8B 94 24 ?? 00 00 00 8B CE 2B C8 89 0A }
+ condition:
+ $c0
+}
+
+rule RsaRef2_RsaPublicEncrypt : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "RsaRef2 RsaPublicEncrypt"
+ strings:
+ $c0 = { 8B 44 24 14 81 EC 84 00 00 00 53 8B 9C 24 98 00 00 00 57 8B 38 83 C7 07 8D 4B 0B C1 EF 03 3B CF 76 0E 5F B8 06 04 00 00 5B 81 C4 84 00 00 00 C3 8B D7 55 2B D3 56 BE 02 00 00 00 C6 44 24 14 00 8D 6A FF C6 44 24 15 02 3B EE 76 28 8B 84 24 AC 00 00 00 8D 4C 24 13 50 6A 01 51 E8 ?? ?? ?? ?? 8A 44 24 1F 83 C4 0C 84 C0 74 E1 88 44 34 14 46 3B F5 72 D8 8B 94 24 A0 00 00 00 53 8D 44 34 19 52 50 C6 44 34 20 00 E8 ?? ?? ?? ?? 8B 8C 24 B4 00 00 00 8B 84 24 A8 00 00 00 51 8B 8C 24 A8 00 }
+ condition:
+ $c0
+}
+
+rule RsaEuro_NN_modInv : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "RsaEuro NN_modInv"
+ strings:
+ $c0 = { 81 EC A4 04 00 00 53 56 8B B4 24 BC 04 00 00 57 8D 44 24 0C 56 50 E8 ?? ?? ?? ?? 8D 8C 24 1C 01 00 00 BF 01 00 00 00 56 51 89 7C 24 1C E8 ?? ?? ?? ?? 8B 94 24 C8 04 00 00 56 8D 84 24 AC 01 00 00 52 50 E8 ?? ?? ?? ?? 8B 9C 24 D8 04 00 00 56 8D 8C 24 B0 00 00 00 53 51 E8 ?? ?? ?? ?? 8D 94 24 B8 00 00 00 56 52 E8 ?? ?? ?? ?? 83 C4 30 85 C0 0F 85 F8 00 00 00 8D 84 24 ?? 00 00 00 56 50 8D 8C 24 A0 01 00 00 56 8D 94 24 AC 02 00 00 51 8D 84 24 34 03 00 00 52 50 E8 ?? ?? ?? ?? 8D 8C }
+ condition:
+ $c0
+}
+
+rule RsaEuro_NN_modMult : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "RsaEuro NN_modMult"
+ strings:
+ $c0 = { 8B 44 24 0C 8B 4C 24 08 81 EC 08 01 00 00 8D 54 24 00 56 8B B4 24 20 01 00 00 56 50 51 52 E8 ?? ?? ?? ?? 8B 84 24 2C 01 00 00 56 8D 0C 36 50 8B 84 24 28 01 00 00 8D 54 24 1C 51 52 50 E8 ?? ?? ?? ?? 83 C4 24 5E 81 C4 08 01 00 00 C3 }
+ condition:
+ $c0
+}
+
+rule Miracl_Big_constructor : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "Miracl Big constructor"
+ strings:
+ $c0 = { 56 8B F1 6A 00 E8 ?? ?? ?? ?? 83 C4 04 89 06 8B C6 5E C3 }
+ condition:
+ $c0
+}
+
+rule Miracl_mirvar : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "Miracl mirvar"
+ strings:
+ $c0 = { 56 E8 ?? ?? ?? ?? 8B 88 18 02 00 00 85 C9 74 04 33 C0 5E C3 8B 88 8C 00 00 00 85 C9 75 0E 6A 12 E8 ?? ?? ?? ?? 83 C4 04 33 C0 5E C3 8B 80 38 02 00 00 6A 01 50 E8 ?? ?? ?? ?? 8B F0 83 C4 08 85 F6 75 02 5E C3 8D 46 04 8B C8 8B D0 83 E1 03 2B D1 83 C2 08 89 10 8B 44 24 08 85 C0 74 0A 56 50 E8 ?? ?? ?? ?? 83 C4 08 8B C6 5E C3 }
+ $c1 = { 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 2C 02 00 00 85 C0 74 05 5F 33 C0 5E C3 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 17 00 00 00 8B 86 40 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 86 8C 00 00 00 85 C0 75 16 6A 12 E8 ?? ?? ?? ?? 8B 46 1C 83 C4 04 48 89 46 1C 5F 33 C0 5E C3 8B 46 18 6A 01 8D 0C 85 0C 00 00 00 51 E8 ?? ?? ?? ?? 8B F8 83 C4 08 85 FF 75 0C 8B 46 1C 5F 48 89 46 1C 33 C0 5E C3 8D 47 04 8B D0 8B C8 83 E2 03 2B CA 83 C1 08 89 08 8B 44 24 0C 85 C0 74 0A 57 50 E8 }
+ $c2 = { 56 57 E8 ?? ?? ?? ?? 8B F0 8B 86 18 02 00 00 85 C0 74 05 5F 33 C0 5E C3 8B 56 1C 42 8B C2 89 56 1C 83 F8 18 7D 17 C7 44 86 20 17 00 00 00 8B 86 2C 02 00 00 85 C0 74 05 E8 ?? ?? ?? ?? 8B 86 8C 00 00 00 85 C0 75 16 6A 12 E8 ?? ?? ?? ?? 8B 46 1C 83 C4 04 48 89 46 1C 5F 33 C0 5E C3 8B 86 A4 02 00 00 6A 01 50 E8 ?? ?? ?? ?? 8B F8 83 C4 08 85 FF 75 0C 8B 46 1C 5F 48 89 46 1C 33 C0 5E C3 8D 47 04 8B C8 8B D0 83 E1 03 2B D1 83 C2 08 89 10 8B 44 24 0C 85 C0 74 0A 57 50 E8 }
+ condition:
+ any of them
+}
+
+rule Miracl_mirsys_init : Crypto_Algorithms
+{ meta:
+ author = "Maxx"
+ description = "Miracl mirsys init"
+ strings:
+ $c0 = { 53 55 57 E8 ?? ?? ?? ?? A3 ?? ?? ?? ?? E8 ?? ?? ?? ?? 33 DB A3 ?? ?? ?? ?? 3B C3 75 06 5F 5D 33 C0 5B C3 89 58 1C A1 ?? ?? ?? ?? BD 01 00 00 00 89 58 20 A1 ?? ?? ?? ?? 8B 50 1C 42 89 50 1C A1 ?? ?? ?? ?? 8B 48 1C C7 44 88 20 1D 00 00 00 8B 15 ?? ?? ?? ?? 89 9A 14 02 00 00 A1 ?? ?? ?? ?? 89 98 70 01 00 00 8B 0D ?? ?? ?? ?? 89 99 78 01 00 00 8B 15 ?? ?? ?? ?? 89 9A 98 01 00 00 A1 ?? ?? ?? ?? 89 58 14 8B 44 24 14 3B C5 0F 84 6C 05 00 00 3D 00 00 00 80 0F 87 61 05 00 00 50 E8 }
+ condition:
+ $c0
+}
+
+/* //gives many false positives sorry Storm Shadow
+rule x509_public_key_infrastructure_cert : Crypto_Algorithms
+{ meta:
+ desc = "X.509 PKI Certificate"
+ ext = "crt"
+ strings:
+ $c0 = { 30 82 ?? ?? 30 82 ?? ?? }
+ condition:
+ $c0
+}
+
+rule pkcs8_private_key_information_syntax_standard : Crypto_Algorithms
+{ meta:
+ desc = "Found PKCS #8: Private-Key"
+ ext = "key"
+ strings:
+ $c0 = { 30 82 ?? ?? 02 01 00 }
+ condition:
+ $c0
+}
+*/
+
+rule BASE64_table : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for Base64 table"
+ date = "2015-07"
+ version = "0.1"
+ strings:
+ $c0 = { 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F }
+ condition:
+ $c0
+}
+
+rule Delphi_Random : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for Random function"
+ date = "2015-08"
+ version = "0.1"
+ strings:
+ $c0 = { 53 31 DB 69 93 ?? ?? ?? ?? 05 84 08 08 42 89 93 ?? ?? ?? ?? F7 E2 89 D0 5B C3 }
+ //x64 rad
+ $c1 = { 8B 05 ?? ?? ?? ?? 69 C0 05 84 08 08 83 C0 01 89 05 ?? ?? ?? ?? 8B C9 8B C0 48 0F AF C8 48 C1 E9 20 89 C8 C3 }
+ condition:
+ any of them
+}
+
+rule Delphi_RandomRange : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for RandomRange function"
+ date = "2016-06"
+ version = "0.1"
+ strings:
+ $c0 = { 56 8B F2 8B D8 3B F3 7D 0E 8B C3 2B C6 E8 ?? ?? ?? ?? 03 C6 5E 5B C3 8B C6 2B C3 E8 ?? ?? ?? ?? 03 C3 5E 5B C3 }
+ condition:
+ $c0
+}
+
+rule Delphi_FormShow : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for Form.Show function"
+ date = "2016-06"
+ version = "0.1"
+ strings:
+ $c0 = { 53 8B D8 B2 01 8B C3 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5B C3 }
+ //x64 rad
+ $c1 = { 53 48 83 EC 20 48 89 CB 48 89 D9 B2 01 E8 ?? ?? ?? ?? 48 89 D9 E8 ?? ?? ?? ?? 48 83 C4 20 5B C3 }
+ condition:
+ any of them
+}
+
+rule Delphi_CompareCall : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for Compare string function"
+ date = "2016-07"
+ strings:
+ $c0 = { 53 56 57 89 C6 89 D7 39 D0 0F 84 8F 00 00 00 85 F6 74 68 85 FF 74 6B 8B 46 FC 8B 57 FC 29 D0 77 02 01 C2 52 C1 EA 02 74 26 8B 0E 8B 1F 39 D9 75 58 4A 74 15 8B 4E 04 8B 5F 04 39 D9 75 4B 83 C6 08 83 C7 08 4A 75 E2 EB 06 83 C6 04 83 C7 04 5A 83 E2 03 74 22 8B 0E 8B 1F 38 D9 75 41 4A 74 17 38 FD 75 3A 4A 74 10 81 E3 00 00 FF 00 81 E1 00 00 FF 00 39 D9 75 27 01 C0 EB 23 8B 57 FC 29 D0 EB 1C 8B 46 FC 29 D0 EB 15 5A 38 D9 75 10 38 FD 75 0C C1 E9 10 C1 EB 10 38 D9 75 02 38 FD 5F 5E 5B C3 }
+ //newer delphi
+ $c1 = { 39 D0 74 30 85 D0 74 22 8B 48 FC 3B 4A FC 75 24 01 C9 01 C8 01 CA F7 D9 53 8B 1C 01 3B 1C 11 75 07 83 C1 04 78 F3 31 C0 5B C3}
+ //x64
+ $c2 = { 41 56 41 55 57 56 53 48 83 EC 20 48 89 D3 48 3B CB 75 05 48 33 C0 EB 74 48 85 C9 75 07 8B 43 FC F7 D8 EB 68 48 85 DB 75 05 8B 41 FC EB 5E 8B 79 FC 44 8B 6B FC 89 FE 41 3B F5 7E 03 44 89 EE E8 ?? ?? ?? ?? 49 89 C6 48 89 D9 E8 ?? ?? ?? ?? 48 89 C1 85 F6 7E 30 41 0F B7 06 0F B7 11 2B C2 85 C0 75 29 83 FE 01 74 1E 41 0F B7 46 02 0F B7 51 02 2B C2 85 C0 75 15 49 83 C6 04 48 83 C1 04 83 EE 02 85 F6 7F D0 90 8B C7 41 2B C5 48 83 C4 20 5B 5E 5F 41 5D 41 5E C3 }
+ condition:
+ any of them
+}
+
+rule Delphi_Copy : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for Copy function"
+ date = "2016-06"
+ version = "0.1"
+ strings:
+ $c0 = { 53 85 C0 74 2D 8B 58 FC 85 DB 74 26 4A 7C 1B 39 DA 7D 1F 29 D3 85 C9 7C 19 39 D9 7F 11 01 C2 8B 44 24 08 E8 ?? ?? ?? ?? EB 11 31 D2 EB E5 89 D9 EB EB 8B 44 24 08 E8 ?? ?? ?? ?? 5B C2 04 00 }
+ //x64 rad
+ $c1 = { 53 48 83 EC 20 48 89 CB 44 89 C0 48 33 C9 48 85 D2 74 03 8B 4A FC 83 F8 01 7D 05 48 33 C0 EB 09 83 E8 01 3B C1 7E 02 89 C8 45 85 C9 7D 05 48 33 C9 EB 0A 2B C8 41 3B C9 7E 03 44 89 C9 49 89 D8 48 63 C0 48 8D 14 42 89 C8 4C 89 C1 41 89 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3 }
+ condition:
+ any of them
+}
+
+rule Delphi_IntToStr : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for IntToStr function"
+ date = "2016-04"
+ version = "0.1"
+ strings:
+ $c0 = { 55 8B EC 81 C4 00 FF FF FF 53 56 8B F2 8B D8 FF 75 0C FF 75 08 8D 85 00 FF FF FF E8 ?? ?? ?? ?? 8D 95 00 FF FF FF 8B C6 E8 ?? ?? ?? ?? EB 0E 8B 0E 8B C6 BA ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 06 E8 ?? ?? ?? ?? 33 D2 8A D3 3B C2 72 E3 5E 5B 8B E5 5D C2 08 00 }
+ //x64 rad
+ $c1 = { 53 48 83 EC 20 48 89 CB 48 85 D2 7D 10 48 89 D9 48 F7 DA 41 B0 01 E8 ?? ?? ?? ?? EB 0B 48 89 D9 4D 33 C0 E8 ?? ?? ?? ?? 48 89 D8 48 83 C4 20 5B C3 }
+ condition:
+ any of them
+}
+
+
+rule Delphi_StrToInt : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for StrToInt function"
+ date = "2016-06"
+ version = "0.1"
+ strings:
+ $c0 = { 53 56 83 C4 F4 8B D8 8B D4 8B C3 E8 ?? ?? ?? ?? 8B F0 83 3C 24 00 74 19 89 5C 24 04 C6 44 24 08 0B 8D 54 24 04 A1 ?? ?? ?? ?? 33 C9 E8 ?? ?? ?? ?? 8B C6 83 C4 0C 5E 5B C3 }
+ //x64 rad
+ $c1 = { 55 56 53 48 83 EC 40 48 8B EC 48 89 CB 48 89 D9 48 8D 55 3C E8 ?? ?? ?? ?? 89 C6 83 7D 3C 00 74 1B 48 89 5D 20 C6 45 28 11 48 8B 0D ?? ?? ?? ?? 48 8D 55 20 4D 33 C0 E8 ?? ?? ?? ?? 89 F0 48 8D 65 40 5B 5E 5D C3 }
+ condition:
+ any of them
+}
+
+rule Delphi_DecodeDate : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for DecodeDate (DecodeDateFully) function"
+ date = "2016-06"
+ version = "0.1"
+ strings:
+ $c0 = { 55 8B EC 83 C4 E8 53 56 89 4D F4 89 55 F8 89 45 FC 8B 5D 08 FF 75 10 FF 75 0C 8D 45 E8 E8 ?? ?? ?? ?? 8B 4D EC 85 C9 7F 24 8B 45 FC 66 C7 00 00 00 8B 45 F8 66 C7 00 00 00 8B 45 F4 66 C7 00 00 00 66 C7 03 00 00 33 D2 E9 F2 00 00 00 8B C1 BE 07 00 00 00 99 F7 FE 42 66 89 13 49 66 BB 01 00 81 F9 B1 3A 02 00 7C 13 81 E9 B1 3A 02 00 66 81 C3 90 01 81 F9 B1 3A 02 00 7D ED 8D 45 F2 50 8D 45 F0 66 BA AC 8E 91 E8 ?? ?? ?? ?? 66 83 7D F0 04 75 0A 66 FF 4D F0 66 81 45 F2 AC 8E 66 6B 45 F0 64 66 03 D8 8D 45 F2 50 8D 4D F0 0F B7 45 F2 66 BA B5 05 E8 ?? ?? ?? ?? 66 8B 45 F0 C1 E0 02 66 03 D8 8D 45 F2 50 8D 4D F0 0F B7 45 F2 66 BA 6D 01 E8 ?? ?? ?? ?? 66 83 7D F0 04 75 0A 66 FF 4D F0 66 81 45 F2 6D 01 66 03 5D F0 8B C3 E8 ?? ?? ?? ?? 8B D0 33 C0 8A C2 8D 04 40 8D 34 C5 ?? ?? ?? ?? 66 B8 01 00 0F B7 C8 66 8B 4C 4E FE 66 89 4D F0 66 8B 4D F2 66 3B 4D F0 72 0B 66 8B 4D F0 66 29 4D F2 40 EB DF 8B 4D FC 66 89 19 8B 4D F8 66 89 01 66 8B 45 F2 40 8B 4D F4 66 89 01 8B C2 5E 5B 8B E5 5D C2 0C 00 }
+ //x64
+ $c1 = { 55 41 55 57 56 53 48 83 EC 30 48 8B EC 48 89 D3 4C 89 C6 4C 89 CF E8 ?? ?? ?? ?? 48 8B C8 48 C1 E9 20 85 C9 7F 23 66 C7 03 00 00 66 C7 06 00 00 66 C7 07 00 00 48 8B 85 80 00 00 00 66 C7 00 00 00 48 33 C0 E9 19 01 00 00 4C 8B 85 80 00 00 00 41 C7 C1 07 00 00 00 8B C1 99 41 F7 F9 66 83 C2 01 66 41 89 10 83 E9 01 66 41 BD 01 00 81 F9 B1 3A 02 00 7C 14 81 E9 B1 3A 02 00 66 41 81 C5 90 01 81 F9 B1 3A 02 00 7D EC 90 66 BA AC 8E 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 66 83 7D 2C 04 75 0B 66 83 6D 2C 01 66 81 45 2E AC 8E 66 6B 45 2C 64 66 44 03 E8 0F B7 4D 2E 66 BA B5 05 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 48 0F B7 45 2C 03 C0 03 C0 66 44 03 E8 0F B7 4D 2E 66 BA 6D 01 4C 8D 45 2C 4C 8D 4D 2E E8 ?? ?? ?? ?? 66 83 7D 2C 04 75 0B 66 83 6D 2C 01 66 81 45 2E 6D 01 66 44 03 6D 2C 44 89 E9 E8 ?? ?? ?? ?? 48 8D 0D ?? ?? ?? ?? 48 0F B6 D0 48 8D 14 52 48 8D 14 D1 66 B9 01 00 4C 0F B7 C1 4E 0F B7 44 42 FE 66 44 89 45 2C 4C 0F B7 45 2E 66 44 3B 45 2C 72 10 4C 0F B7 45 2C 66 44 29 45 2E 66 }
+ condition:
+ any of them
+}
+
+
+rule Unknown_Random : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for Random function"
+ date = "2016-07"
+ strings:
+ $c0 = { 55 8B EC 52 8B 45 08 69 15 ?? ?? ?? ?? 05 84 08 08 42 89 15 ?? ?? ?? ?? F7 E2 8B C2 5A C9 C2 04 00 }
+ condition:
+ $c0
+}
+
+rule VC6_Random : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for Random function"
+ date = "2016-02"
+ strings:
+ $c0 = { A1 ?? ?? ?? ?? 69 C0 FD 43 03 00 05 C3 9E 26 00 A3 ?? ?? ?? ?? C1 F8 10 25 FF 7F 00 00 C3 }
+ condition:
+ $c0
+}
+
+rule VC8_Random : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for Random function"
+ date = "2016-01"
+ version = "0.1"
+ strings:
+ $c0 = { E8 ?? ?? ?? ?? 8B 48 14 69 C9 FD 43 03 00 81 C1 C3 9E 26 00 89 48 14 8B C1 C1 E8 10 25 FF 7F 00 00 C3 }
+ condition:
+ $c0
+}
+
+rule DCP_RIJNDAEL_Init : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for DCP RijnDael Init"
+ date = "2016-07"
+ strings:
+ $c0 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 ?? ?? ?? ?? 8B D7 8B 4D FC 8B C3 8B 38 FF 57 ?? 85 F6 75 25 8D 43 38 33 C9 BA 10 00 00 00 E8 ?? ?? ?? ?? 8D 4B 38 8D 53 38 8B C3 8B 30 FF 56 ?? 8B C3 8B 10 FF 52 ?? EB 16 8D 53 38 8B C6 B9 10 00 00 00 E8 ?? ?? ?? ?? 8B C3 8B 10 FF 52 ?? 5F 5E 5B 59 5D C2 04 00 }
+ condition:
+ $c0
+}
+
+rule DCP_RIJNDAEL_EncryptECB : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for DCP RijnDael EncryptECB"
+ date = "2016-07"
+ strings:
+ $c0 = { 53 56 57 55 83 C4 B4 89 0C 24 8D 74 24 08 8D 7C 24 28 80 78 30 00 75 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 0A 89 0F 8B CA 83 C1 04 8B 09 8D 5F 04 89 0B 8B CA 83 C1 08 8B 09 8D 5F 08 89 0B 83 C2 0C 8B 12 8D 4F 0C 89 11 8B 50 58 83 EA 02 85 D2 0F 82 3B 01 00 00 42 89 54 24 04 33 D2 8B 0F 8B DA C1 E3 02 33 4C D8 5C 89 0E 8D 4F 04 8B 09 33 4C D8 60 8D 6E 04 89 4D 00 8D 4F 08 8B 09 33 4C D8 64 8D 6E 08 89 4D 00 8D 4F 0C 8B 09 33 4C D8 68 8D 5E 0C 89 0B 33 C9 8A 0E 8D 0C 8D }
+ condition:
+ $c0
+}
+
+rule DCP_BLOWFISH_Init : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for DCP Blowfish Init"
+ date = "2016-07"
+ strings:
+ $c0 = { 53 56 57 55 8B F2 8B F8 8B CF B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B D8 8B C3 8B 10 FF 52 34 8B C6 E8 ?? ?? ?? ?? 50 8B C6 E8 ?? ?? ?? ?? 8B D0 8B C3 59 8B 30 FF 56 3C 8B 43 3C 85 C0 79 03 83 C0 07 C1 F8 03 E8 ?? ?? ?? ?? 8B F0 8B D6 8B C3 8B 08 FF 51 40 8B 47 40 8B 6B 3C 3B C5 7D 0F 6A 00 8B C8 8B D6 8B C7 8B 38 FF 57 30 EB 0D 6A 00 8B D6 8B CD 8B C7 8B 38 FF 57 30 8B 53 3C 85 D2 79 03 83 C2 07 C1 FA 03 8B C6 B9 FF 00 00 00 E8 ?? ?? ?? ?? 8B 53 3C 85 D2 79 03 83 C2 07 C1 FA 03 8B C6 E8 ?? ?? ?? ?? 8B C3 E8 ?? ?? ?? ?? 5D 5F 5E 5B C3 }
+ condition:
+ $c0
+}
+
+
+rule DCP_BLOWFISH_EncryptCBC : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for DCP Blowfish EncryptCBC"
+ date = "2016-07"
+ strings:
+ $c0 = { 55 8B EC 83 C4 F0 53 56 57 89 4D F8 89 55 FC 8B D8 80 7B 34 00 75 16 B9 ?? ?? ?? ?? B2 01 A1 ?? ?? ?? ?? E8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 8B 7D 08 85 FF 79 03 83 C7 07 C1 FF 03 85 FF 7E 56 BE 01 00 00 00 6A 08 8B 45 FC 8B D6 4A C1 E2 03 03 C2 8D 4D F0 8D 53 54 E8 ?? ?? ?? ?? 8D 4D F0 8D 55 F0 8B C3 E8 ?? ?? ?? ?? 8B 55 F8 8B C6 48 C1 E0 03 03 D0 8D 45 F0 B9 08 00 00 00 E8 ?? ?? ?? ?? 8D 53 54 8D 45 F0 B9 08 00 00 00 E8 ?? ?? ?? ?? 46 4F 75 AF 8B 75 08 81 E6 07 00 00 80 79 05 4E 83 CE F8 46 85 F6 74 26 8D 4D F0 8D 53 54 8B C3 E8 ?? ?? ?? ?? 56 8B 4D F8 03 4D 08 2B CE 8B 55 FC 03 55 08 2B D6 8D 45 F0 E8 ?? ?? ?? ?? 8D 45 F0 B9 FF 00 00 00 BA 08 00 00 00 E8 ?? ?? ?? ?? 5F 5E 5B 8B E5 5D C2 04 00 }
+ condition:
+ $c0
+}
+
+rule DCP_DES_Init : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for DCP Des Init"
+ date = "2016-02"
+ strings:
+ $c0 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 FE F9 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 5C 85 F6 75 25 8D 43 38 33 C9 BA 08 00 00 00 E8 F3 A9 FA FF 8D 4B 38 8D 53 38 8B C3 8B 30 FF 56 6C 8B C3 8B 10 FF 52 48 EB 16 8D 53 38 8B C6 B9 08 00 00 00 E8 6E A7 FA FF 8B C3 8B 10 FF 52 48 5F 5E 5B 59 5D C2 04 00 }
+ $c1 = { 55 8B EC 51 53 56 57 89 4D FC 8B FA 8B D8 8B 75 08 56 8B D7 8B 4D FC 8B C3 E8 EE D4 FF FF 8B D7 8B 4D FC 8B C3 8B 38 FF 57 74 85 F6 75 2B 8D 43 40 B9 FF 00 00 00 BA 08 00 00 00 E8 ?? ?? ?? ?? 8D 4B 40 8D 53 40 8B C3 8B 30 FF 96 84 00 00 00 8B C3 8B 10 FF 52 58 EB 16 8D 53 40 8B C6 B9 08 00 00 00 E8 ?? ?? ?? ?? 8B C3 8B 10 FF 52 58 5F 5E 5B 59 5D C2 04 00 }
+ condition:
+ any of them
+}
+
+
+rule DCP_DES_EncryptECB : Crypto_Algorithms{
+ meta:
+ author = "_pusher_"
+ description = "Look for DCP Des EncryptECB"
+ date = "2016-02"
+ strings:
+ $c0 = { 53 80 78 ?? 00 75 16 B9 ?? ?? ?? 00 B2 01 A1 ?? ?? ?? 00 E8 ?? ?? ?? FF E8 ?? ?? ?? FF 8D 58 ?? 53 E8 ?? ?? FF FF 5B C3 }
+ condition:
+ any of them
+}
diff --git a/yara_sigs/file/packer.yar b/yara_sigs/file/packer.yar
new file mode 100644
index 0000000..fe3163a
--- /dev/null
+++ b/yara_sigs/file/packer.yar
@@ -0,0 +1,20221 @@
+/*
+ This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
+
+*/
+
+import "pe"
+
+rule emotet_packer {
+ meta:
+ description = "recent Emotet packer pdb string"
+ author = "Marc Salinas (@Bondey_m)"
+ reference = "330fb2954c1457149988cda98ca8401fbc076802ff44bb30894494b1c5531119"
+ reference = "d08a4dc159b17bde8887fa548b7d265108f5f117532d221adf7591fbad29b457"
+ reference = "7b5b8aaef86b1a7a8e7f28f0bda0bb7742a8523603452cf38170e5253f7a5c82"
+ reference = "e6abb24c70a205ab471028aee22c1f32690c02993b77ee0e77504eb360860776"
+ reference = "5684850a7849ab475227da91ada8ac5741e36f98780d9e3b01ae3085a8ef02fc"
+ reference = "acefdb67d5c0876412e4d079b38da1a5e67a7fcd936576c99cc712391d3a5ff5"
+ reference = "14230ba12360a172f9f242ac98121ca76e7c4450bfcb499c2af89aa3a1ef7440"
+ reference = "4fe9b38d2c32d0ee19d7be3c1a931b9448904aa72e888f40f43196e0b2207039"
+ reference = "e31028282c38cb13dd4ede7e9c8aa62d45ddae5ebaa0fe3afb3256601dbf5de7"
+ date = "2017-12-12"
+ strings:
+ $pdb1 = "123EErrrtools.pdb"
+ $pdb2= "gGEW\\F???/.pdb"
+
+ condition:
+ $pdb1 or $pdb2
+}
+
+rule silent_banker : banker
+{
+ meta:
+ author="malware-lu"
+ strings:
+ $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
+ $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
+ $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
+
+ condition:
+ $a or $b or $c
+}
+
+rule zbot : banker
+{
+ meta:
+ author="malware-lu"
+ strings:
+ $a = "__SYSTEM__" wide
+ $b = "*tanentry*"
+ $c = "*