Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add rules for various stealer techniques #960

Merged
merged 6 commits into from
Nov 15, 2024

Conversation

Still34
Copy link
Contributor

@Still34 Still34 commented Nov 9, 2024

Summary

This PR adds three new rules spotted amongst various types of infostealers/dumping tools (Stealc, Vidar, ChromeKatz),

  1. collection/browser/get-chrome-cookiemonster.yml
    • Detects strings related to locating processes related to Chromium's CookieMonster class
    • Typically used by infostealers or memory dumpers to extract Cookies directly from Chromium-based browsers
  2. collection/browser/get-chrome-elevation-service.yml
    • Detects IID and CLSIDs for Chrome ElevationService of various editions
    • Typically used by infostealers via RPC to decrypt App-bound Encryption-related data
  3. collection/get-steam-token.yml
    • Detects references to known Steam tokens
    • Typically used by Vidar and its relevant families of infostealer by scanning Steam process to retrieve the user login token.

Signed-off-by: Still Hsu <dev@stillu.cc>
Signed-off-by: Still Hsu <dev@stillu.cc>
Copy link
Collaborator

@williballenthin williballenthin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

very nice, thank you!

Still34 added a commit to Still34/capa-testfiles that referenced this pull request Nov 10, 2024
Signed-off-by: Still Hsu <dev@stillu.cc>
Comment on lines 26 to 29
- bytes: CF BE 3A 46 0D 41 7F 40 8A F5 0D F3 5A 00 5C C8 = IID for Google Chrome
- bytes: E0 60 88 70 41 F6 11 46 88 95 7D 86 7D D3 67 5B = CLSID for Google Chrome
- substring: "{708860E0-F641-4611-8895-7D867DD3675B}"
description: CLSID for Google Chrome
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

image

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do I just do something like com/class: <class_name> # E0 60 88 70 41 F6 11 46 88 95 7D 86 7D D3 67 5B = CLSID for Google Chrome?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yup, that's the right idea. And the comment is strictly for humans, it isn't parsed into the rule - we use a built in database of GUIDs.

...which may be a problem since I think it's only MS Windows COM entries, and may not include the Chome entries. I'd be curious to hear what happens if you try.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeaah I don't think that'll work then

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

correct, for this PR we can proceed using the bytes

Signed-off-by: Still Hsu <dev@stillu.cc>
…ope of the target

Signed-off-by: Still Hsu <dev@stillu.cc>
collection/get-steam-token.yml Show resolved Hide resolved
collection/get-steam-token.yml Outdated Show resolved Hide resolved
Signed-off-by: Still Hsu <dev@stillu.cc>
@mr-tz mr-tz merged commit 993785d into mandiant:master Nov 15, 2024
3 checks passed
@mr-tz
Copy link
Collaborator

mr-tz commented Nov 15, 2024

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants