-
Notifications
You must be signed in to change notification settings - Fork 164
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #839 from mandiant/dynamic-rules-mr-2
upgrade rules using updated script
- Loading branch information
Showing
860 changed files
with
3,220 additions
and
1,067 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-av | ||
| authors: | ||
| - [email protected] | ||
| scope: basic block | ||
| scopes: | ||
| static: basic block | ||
| dynamic: call | ||
| att&ck: | ||
| - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] | ||
| mbc: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-av | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| att&ck: | ||
| - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] | ||
| mbc: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-av | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| att&ck: | ||
| - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] | ||
| mbc: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-av | ||
| authors: | ||
| - [email protected] | ||
| scope: basic block | ||
| scopes: | ||
| static: basic block | ||
| dynamic: call | ||
| att&ck: | ||
| - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] | ||
| mbc: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,9 @@ rule: | |
| authors: | ||
| - [email protected] | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: call | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002] | ||
| - Anti-Behavioral Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031] | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: unsupported # requires offset, mnemonic features | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints [B0001.005] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: unsupported # requires mnemonic features | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection [B0001] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: basic block | ||
| scopes: | ||
| static: basic block | ||
| dynamic: thread | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016] | ||
| examples: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: basic block | ||
| scopes: | ||
| static: basic block | ||
| dynamic: unsupported # requires offset features | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged [B0001.035] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: unsupported # requires offset, mnemonic features | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024] | ||
| references: | ||
|
|
@@ -13,8 +15,14 @@ rule: | |
| - al-khaser_x86.exe_:0x430D20 | ||
| features: | ||
| - and: | ||
| - basic block: | ||
| - and: | ||
| - count(number(2)): 2 or more | ||
| - api: SetHandleInformation | ||
| - or: | ||
| - description: SetHandleInformation(hMutex, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE); | ||
| - basic block: | ||
| - and: | ||
| - count(number(2)): 2 or more | ||
| - api: SetHandleInformation | ||
| - call: | ||
| - and: | ||
| - count(number(2)): 2 or more | ||
| - api: SetHandleInformation | ||
| - api: CloseHandle | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: unsupported # requires mnemonic features | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints [B0001.025] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: unsupported # requires mnemonic features | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount [B0001.032] | ||
| examples: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033] | ||
| examples: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: basic block | ||
| scopes: | ||
| static: basic block | ||
| dynamic: unsupported # requires mnemonic features | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection [B0001] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: basic block | ||
| scopes: | ||
| static: basic block | ||
| dynamic: call | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection::Memory Write Watching [B0001.010] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,21 +4,35 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection [B0001] | ||
| references: | ||
| - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ProcessJob.cpp | ||
| examples: | ||
| - al-khaser_x86.exe_:0x426730 | ||
| features: | ||
| - and: | ||
| - match: contain loop | ||
| - basic block: | ||
| - and: | ||
| - api: kernel32.QueryInformationJobObject | ||
| - number: 0x3 = JobObjectBasicProcessIdList | ||
| - basic block: | ||
| - and: | ||
| - api: kernel32.OpenProcess | ||
| - number: 0x400 = PROCESS_QUERY_INFORMATION | ||
| - or: | ||
| # static | ||
| - and: | ||
| - match: contain loop | ||
| - basic block: | ||
| - and: | ||
| - api: kernel32.QueryInformationJobObject | ||
| - number: 0x3 = JobObjectBasicProcessIdList | ||
| - basic block: | ||
| - and: | ||
| - api: kernel32.OpenProcess | ||
| - number: 0x400 = PROCESS_QUERY_INFORMATION | ||
| # dynamic | ||
| - and: | ||
| - call: | ||
| - and: | ||
| - api: kernel32.QueryInformationJobObject | ||
| - number: 0x3 = JobObjectBasicProcessIdList | ||
| - call: | ||
| - and: | ||
| - api: kernel32.OpenProcess | ||
| - number: 0x400 = PROCESS_QUERY_INFORMATION | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: basic block | ||
| scopes: | ||
| static: basic block | ||
| dynamic: call | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-debugging/debugger-detection | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: unsupported # requires mnemonic features | ||
| mbc: | ||
| - Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034] | ||
| examples: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,9 @@ rule: | |
| authors: | ||
| - [email protected] | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| att&ck: | ||
| - Defense Evasion::Debugger Evasion [T1622] | ||
| mbc: | ||
|
|
@@ -24,6 +26,12 @@ rule: | |
| - api: NtSetInformationThread | ||
| - api: ZwSetInformationThread | ||
| - number: 0x11 = ThreadHideFromDebugger | ||
| - call: | ||
| - and: | ||
| - or: | ||
| - api: NtSetInformationThread | ||
| - api: ZwSetInformationThread | ||
| - number: 0x11 = ThreadHideFromDebugger | ||
| - and: | ||
| - or: | ||
| - string: "NtSetInformationThread" | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,9 @@ rule: | |
| authors: | ||
| - [email protected] | ||
| description: Looks for instructions related to executing 64-bit code from a 32-bit process (Heaven's Gate) | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: unsupported # requires characteristic, mnemonic features | ||
| mbc: | ||
| - Defense Evasion::Disable or Evade Security Tools::Heavens Gate [F0004.008] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-disasm | ||
| authors: | ||
| - [email protected] | ||
| scope: file | ||
| scopes: | ||
| static: file | ||
| dynamic: file | ||
| mbc: | ||
| - Anti-Static Analysis::Disassembler Evasion [B0012] | ||
| examples: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-forensic/clear-logs | ||
| authors: | ||
| - [email protected] | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| att&ck: | ||
| - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001] | ||
| examples: | ||
|
|
@@ -24,3 +26,6 @@ rule: | |
| - basic block: | ||
| - and: | ||
| - string: /wevtutil(\.exe)?\s+(clear-log|cl)/i | ||
| - call: | ||
| - and: | ||
| - string: /wevtutil(\.exe)?\s+(clear-log|cl)/i | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,7 +4,9 @@ rule: | |
| namespace: anti-analysis/anti-forensic | ||
| authors: | ||
| - [email protected] | ||
| scope: basic block | ||
| scopes: | ||
| static: basic block | ||
| dynamic: thread | ||
| att&ck: | ||
| - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,9 @@ rule: | |
| authors: | ||
| - [email protected] | ||
| description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application. | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| att&ck: | ||
| - Defense Evasion::Indicator Removal [T1070] | ||
| references: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,9 @@ rule: | |
| authors: | ||
| - [email protected] | ||
| - "@_re_fox" | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: unsupported # requires characteristic, offset features | ||
| att&ck: | ||
| - Defense Evasion::Process Injection [T1055] | ||
| mbc: | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,9 @@ rule: | |
| authors: | ||
| - [email protected] | ||
| - "@mr-tz" | ||
| scope: function | ||
| scopes: | ||
| static: function | ||
| dynamic: thread | ||
| att&ck: | ||
| - Defense Evasion::Indicator Removal::File Deletion [T1070.004] | ||
| mbc: | ||
|
|
||
Oops, something went wrong.