Import analyzer plugin rule suggestions vol. 2 #9
Thanks for these! I'll add them very soon as well.

I'm pushing the commit adding the rest of the suggestions in a minute, let me know if you consider that this issue can be closed.

Yeah, that's fine with me.
JusticeRage added a commit that referenced this issue on May 20, 2016:
… DLLs (#9). Added new suspicious strings discovered in a recent TeslaCrypt sample (references to system programs and CLSIDs used for VM detection). Added a new PE function, `get_architecture()` to make the code more readable. Updated the PE specification in resources/ to the latest version. Removed a warning related to the TLS directory: a reserved field is no longer required to be NULL. Updated `SECTION_CHARACTERISTICS` with new flags. The imports plugin now looks for functions used to enumerate disk drives.
Sangrail pushed a commit to Sangrail/Manalyze that referenced this issue on Aug 30, 2016:
suggestions from @henke37 (JusticeRage#9). Import research functions are now case insensitive by default (an option was added to control this behavior, test case added as well). A list of WMI namespaces was added to the suspicious strings.
Sangrail pushed a commit to Sangrail/Manalyze that referenced this issue on Aug 30, 2016:
… DLLs (JusticeRage#9). Added new suspicious strings discovered in a recent TeslaCrypt sample (references to system programs and CLSIDs used for VM detection). Added a new PE function, `get_architecture()` to make the code more readable. Updated the PE specification in resources/ to the latest version. Removed a warning related to the TLS directory: a reserved field is no longer required to be NULL. Updated `SECTION_CHARACTERISTICS` with new flags. The imports plugin now looks for functions used to enumerate disk drives.
| Imported function(s) | Suggested description |
| --- | --- |
| LoadDriver | Yet another LoadLibrary replacement |
| LoadTypeLib | Possible LoadLibrary replacement? |
| waveInOpen\|DirectSoundCaptureCreate | Records audio |
| EnableRouter\|SetAdapterIpAddress\|SetIpInterfaceEntry | Messes with the network configuration |
| OleGetClipboard | Reads the clipboard |
| CertAddCertificateContextToStore\|CertOpenSystemStore | Manipulates the system certificate store |
| InitiateShutdown\|ExitWindows | Turns the system off |
| Wmi* | Uses WMI |
| SHTestTokenMembership\|CheckTokenMembership\|IsUserAnAdmin | Checks for privileges |
| SHEnumKeyEx | Another way to access the registry |
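To show how a rule list like the one above is applied to a binary's import table, here is a small matcher written for this page; it is an added example, not Manalyze's own implementation. It assumes the pattern syntax visible in the list (`|` separates alternatives, `*` is a wildcard) and, following the referenced commit, matches case-insensitively by default with an option to turn that off. The optional `Ex`/`A`/`W` suffix handling and the sample import names are assumptions made for the example, not something the issue specifies.

```python
import re
from typing import Dict, List, Tuple

# Rules transcribed from the issue body above. Pattern syntax assumed for
# this example: '|' separates alternatives and '*' is a wildcard.
SUGGESTED_RULES: List[Tuple[str, str]] = [
    ("LoadDriver", "Yet another LoadLibrary replacement"),
    ("LoadTypeLib", "Possible LoadLibrary replacement?"),
    ("waveInOpen|DirectSoundCaptureCreate", "Records audio"),
    ("EnableRouter|SetAdapterIpAddress|SetIpInterfaceEntry",
     "Messes with the network configuration"),
    ("OleGetClipboard", "Reads the clipboard"),
    ("CertAddCertificateContextToStore|CertOpenSystemStore",
     "Manipulates the system certificate store"),
    ("InitiateShutdown|ExitWindows", "Turns the system off"),
    ("Wmi*", "Uses WMI"),
    ("SHTestTokenMembership|CheckTokenMembership|IsUserAnAdmin",
     "Checks for privileges"),
    ("SHEnumKeyEx", "Another way to access the registry"),
]


def compile_rule(pattern: str, case_insensitive: bool = True) -> "re.Pattern[str]":
    """Turn one rule pattern into an anchored regular expression.

    Each '|' alternative is escaped literally, then '*' is expanded to '.*'
    so that 'Wmi*' matches names such as WmiOpenBlock. As an assumption for
    this example, the Win32 'Ex' and ANSI/Unicode 'A'/'W' suffixes are also
    accepted, so 'ExitWindows' fires on ExitWindowsEx and 'InitiateShutdown'
    on InitiateShutdownW.
    """
    alternatives = [re.escape(alt).replace(r"\*", ".*") for alt in pattern.split("|")]
    flags = re.IGNORECASE if case_insensitive else 0
    return re.compile(r"^(?:%s)(?:Ex)?[AW]?$" % "|".join(alternatives), flags)


def match_imports(imports: List[str], case_insensitive: bool = True) -> Dict[str, List[str]]:
    """Return {description: [import names that triggered it]} for every rule that fires."""
    compiled = [(compile_rule(p, case_insensitive), desc) for p, desc in SUGGESTED_RULES]
    hits: Dict[str, List[str]] = {}
    for name in imports:
        for regex, description in compiled:
            if regex.match(name):
                hits.setdefault(description, []).append(name)
    return hits


# Constructed sample import table; it is not taken from any real binary.
# OLEGETCLIPBOARD is upper-cased on purpose to exercise case-insensitive matching.
SAMPLE_IMPORTS = [
    "GetProcAddress", "LoadDriver", "WmiOpenBlock", "CheckTokenMembership",
    "OLEGETCLIPBOARD", "InitiateShutdownW", "CreateFileA",
]

if __name__ == "__main__":
    for description, names in match_imports(SAMPLE_IMPORTS).items():
        print(f"{description}: {', '.join(names)}")
```

Running it reports five of the rules on the constructed import list; with `case_insensitive=False` the upper-cased clipboard import is no longer reported, which is the behaviour difference the commit's new option controls.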