Unexpected result for file scope rule with match features #605

Closed
mr-tz opened this issue Jun 2, 2021 · 7 comments
Labels: bug (Something isn't working)
mr-tz (Collaborator) commented Jun 2, 2021

Description

I'm not sure, but I am expecting a different result for a file scope rule like this:

```yaml
rule:
  meta:
    name: test
    namespace: test
    scope: file
  features:
    - and:
      - match: create process
      - match: send data
```

result:

capa tests/data/Practical\ Malware\ Analysis\ Lab\ 01-01.dll_ -t test
loading : 100%|███████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 568/568 [00:00<00:00, 1003.65 rules/s]
matching: 100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 5/5 [00:00<00:00, 308.97 functions/s, skipped 3 library functions (60%)]
+------------------------+------------------------------------------------------------------------------------+
| md5                    | 290934c61de9176ad682ffdd65f0a669                                                   |
| sha1                   | a4b35de71ca20fe776dc72d12fb2886736f43c22                                           |
| sha256                 | f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba                   |
| path                   | tests\data\Practical Malware Analysis Lab 01-01.dll_                               |
+------------------------+------------------------------------------------------------------------------------+


+-----------------------------+-------------------------------------------------------------------------------+
| MBC Objective               | MBC Behavior                                                                  |
|-----------------------------+-------------------------------------------------------------------------------|
| COMMAND AND CONTROL         | C2 Communication::Send Data [B0030.001]                                       |
| COMMUNICATION               | Socket Communication::Send Data [C0001.007]                                   |
| PROCESS                     | Create Process [C0017]                                                        |
+-----------------------------+-------------------------------------------------------------------------------+

+------------------------------------------------------+------------------------------------------------------+
| CAPABILITY                                           | NAMESPACE                                            |
|------------------------------------------------------+------------------------------------------------------|
| send data                                            | communication                                        |
| create process                                       | host-interaction/process/create                      |
+------------------------------------------------------+------------------------------------------------------+

expected (?)

+------------------------------------------------------+------------------------------------------------------+
| CAPABILITY                                           | NAMESPACE                                            |
|------------------------------------------------------+------------------------------------------------------|
| test                                                 | test                                                 |
+------------------------------------------------------+------------------------------------------------------+
mr-tz (Collaborator, Author) commented Jun 2, 2021

changing the `and` to `or` results in: 😕

+------------------------------------------------------+------------------------------------------------------+
| CAPABILITY                                           | NAMESPACE                                            |
|------------------------------------------------------+------------------------------------------------------|
| create process                                       | host-interaction/process/create                      |
| test                                                 | test                                                 |
+------------------------------------------------------+------------------------------------------------------+

mr-tz (Collaborator, Author) commented Jun 2, 2021

with

```yaml
  features:
    - and:
      - match: create process
      - match: send data
      - string: "this is not here"
```

+------------------------------------------------------+------------------------------------------------------+
| CAPABILITY                                           | NAMESPACE                                            |
|------------------------------------------------------+------------------------------------------------------|
| send data                                            | communication                                        |
| create process                                       | host-interaction/process/create                      |
+------------------------------------------------------+------------------------------------------------------+

mr-tz (Collaborator, Author) commented Jun 2, 2021

there seems to be at least one issue with the -t option / sub-rule selection

williballenthin added the bug (Something isn't working) label Jun 2, 2021
williballenthin added this to the v2.0.0 milestone Jun 2, 2021

williballenthin (Collaborator) commented

matched rules are not being reported to the file scope matcher correctly:

(screenshot)

should see "create process" in there

williballenthin (Collaborator) commented

"create process" is a basic block scope rule:

(screenshot)

i bet basic block scope rule matches aren't being passed up to file scope

williballenthin (Collaborator) commented

yeah, only function-scope matches were passed to file-scope matching.
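To make the scope-propagation problem described above concrete, here is a small, constructed model of capa-style matching (basic block scope, then function scope, then file scope). It is an added illustration, not capa's own code or API: the `Rule` class, the `match_program` function, the sample program with `sub_401000`/`sub_402000` and its `api: ...` feature strings are all hypothetical. A flag switches between the behaviour reported in this issue (file scope only sees function-scope matches) and the corrected behaviour (basic block scope matches are forwarded to file scope too), so the missing `test` match can be reproduced and then seen to appear.

```python
from dataclasses import dataclass

# Constructed, simplified model of scope-based rule matching in the style of
# capa (basic block -> function -> file). This is NOT capa's code or API.
BASIC_BLOCK, FUNCTION, FILE = "basic block", "function", "file"


@dataclass
class Rule:
    name: str
    scope: str
    # an `and` of raw features (e.g. "api: send") the rule needs at its scope
    features: frozenset = frozenset()
    # an `and` of `match:` features: names of other rules that must already match
    matches: frozenset = frozenset()

    def evaluate(self, features, matched_rule_names):
        return self.features <= features and self.matches <= matched_rule_names


# Constructed sample program: functions made of basic blocks with extracted features.
SAMPLE_PROGRAM = {
    "sub_401000": {"bb_0": frozenset({"api: CreateProcessA"})},
    "sub_402000": {
        "bb_0": frozenset({"api: WSAStartup"}),
        "bb_1": frozenset({"api: send"}),
    },
}

# Hypothetical rules modelled on the ones named in the issue: a basic block scope
# dependency, a function scope dependency, and the file scope rule referencing both.
RULES = [
    Rule("create process", BASIC_BLOCK, features=frozenset({"api: CreateProcessA"})),
    Rule("send data", FUNCTION, features=frozenset({"api: send"})),
    Rule("test", FILE, matches=frozenset({"create process", "send data"})),
]


def match_program(rules, program, propagate_bb_matches_to_file):
    """Return the names of all rules matched anywhere in `program`.

    propagate_bb_matches_to_file=False reproduces the behaviour from the issue:
    the file scope matcher only sees function scope matches.  True forwards
    basic block scope matches to file scope as well.
    """
    bb_rules = [r for r in rules if r.scope == BASIC_BLOCK]
    fn_rules = [r for r in rules if r.scope == FUNCTION]
    file_rules = [r for r in rules if r.scope == FILE]

    all_bb_matches, all_fn_matches = set(), set()
    for blocks in program.values():
        fn_features, fn_bb_matches = set(), set()
        for feats in blocks.values():
            # basic block scope: only this block's own features are visible
            fn_bb_matches |= {r.name for r in bb_rules if r.evaluate(feats, set())}
            fn_features |= feats
        # function scope sees every block's features plus the blocks' rule matches
        all_fn_matches |= {
            r.name for r in fn_rules if r.evaluate(fn_features, fn_bb_matches)
        }
        all_bb_matches |= fn_bb_matches

    # file scope has no raw features here; it only consumes `match:` results
    visible_to_file = set(all_fn_matches)
    if propagate_bb_matches_to_file:
        visible_to_file |= all_bb_matches
    file_matches = {r.name for r in file_rules if r.evaluate(set(), visible_to_file)}

    return all_bb_matches | all_fn_matches | file_matches


if __name__ == "__main__":
    print("buggy:", sorted(match_program(RULES, SAMPLE_PROGRAM, False)))
    print("fixed:", sorted(match_program(RULES, SAMPLE_PROGRAM, True)))
```

With the flag off, the dependencies `create process` and `send data` both match (as in the tables above) but `test` does not, because the file scope matcher never learns about the basic block scope match. That also explains the `or` variant from the thread: `send data` is function scope, so it alone satisfied the `or`. With the flag on, `test` matches as the issue author expected.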

williballenthin (Collaborator) commented

(screenshot)

mr-tz closed this as completed in 90ec848 Jun 7, 2021