-
Notifications
You must be signed in to change notification settings - Fork 163
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add rules for various stealer techniques #960
Add rules for various stealer techniques #960
Conversation
Signed-off-by: Still Hsu <dev@stillu.cc>
Signed-off-by: Still Hsu <dev@stillu.cc>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
very nice, thank you!
Signed-off-by: Still Hsu <dev@stillu.cc>
- bytes: CF BE 3A 46 0D 41 7F 40 8A F5 0D F3 5A 00 5C C8 = IID for Google Chrome | ||
- bytes: E0 60 88 70 41 F6 11 46 88 95 7D 86 7D D3 67 5B = CLSID for Google Chrome | ||
- substring: "{708860E0-F641-4611-8895-7D867DD3675B}" | ||
description: CLSID for Google Chrome |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
consider using com/*
features for GUIDs, described here:
https://github.com/mandiant/capa-rules/blob/f880b13f08b2b3f603e41b87c999600d71a41e78/doc/format.md#com
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do I just do something like com/class: <class_name> # E0 60 88 70 41 F6 11 46 88 95 7D 86 7D D3 67 5B = CLSID for Google Chrome
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yup, that's the right idea. And the comment is strictly for humans, it isn't parsed into the rule - we use a built in database of GUIDs.
...which may be a problem since I think it's only MS Windows COM entries, and may not include the Chome entries. I'd be curious to hear what happens if you try.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeaah I don't think that'll work then
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess to fix it someone will have to PR over here https://github.com/mandiant/capa/blob/e8ad2072458568149697a856d6e83490b2ecdaa9/capa/features/com/classes.py ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
correct, for this PR we can proceed using the bytes
Signed-off-by: Still Hsu <dev@stillu.cc>
…ope of the target Signed-off-by: Still Hsu <dev@stillu.cc>
Signed-off-by: Still Hsu <dev@stillu.cc>
Signed-off-by: Still Hsu <dev@stillu.cc>
Thank you! |
Summary
This PR adds three new rules spotted amongst various types of infostealers/dumping tools (Stealc, Vidar, ChromeKatz),
collection/browser/get-chrome-cookiemonster.yml
collection/browser/get-chrome-elevation-service.yml
collection/get-steam-token.yml