From 8f863526c15d3e10a1e4125486eb8da2bfe5865a Mon Sep 17 00:00:00 2001
From: jtothej
Date: Tue, 1 Aug 2023 20:25:13 +0800
Subject: [PATCH 1/2] Update and add Cabinet archive related rules
---
.../compression/create-cabinet-file.yml | 23 +++++++++++++++++++
.../extract-files-from-cabinet.yml | 21 +++++++++++++++++
...ate-file-compression-interface-context.yml | 6 +++--
...e-file-decompression-interface-context.yml | 14 +++++++++++
nursery/add-file-to-cabinet-file.yml | 12 ----------
nursery/flush-cabinet-file.yml | 13 -----------
6 files changed, 62 insertions(+), 27 deletions(-)
create mode 100644 data-manipulation/compression/create-cabinet-file.yml
create mode 100644 data-manipulation/compression/extract-files-from-cabinet.yml
rename nursery/open-cabinet-file.yml => lib/create-file-compression-interface-context.yml (57%)
create mode 100644 lib/create-file-decompression-interface-context.yml
delete mode 100644 nursery/add-file-to-cabinet-file.yml
delete mode 100644 nursery/flush-cabinet-file.yml
diff --git a/data-manipulation/compression/create-cabinet-file.yml b/data-manipulation/compression/create-cabinet-file.yml
new file mode 100644
index 000000000..5335792f3
--- /dev/null
+++ b/data-manipulation/compression/create-cabinet-file.yml
@@ -0,0 +1,23 @@
+rule:
+ meta:
+ name: create Cabinet file
+ namespace: data-manipulation/compression
+ authors:
+ - michael.hunhoff@mandiant.com
+ - jakub.jozwiak@mandiant.com
+ scope: function
+ att&ck:
+ - Collection::Archive Collected Data::Archive via Library [T1560.002]
+ mbc:
+ - Data::Compress Data [C0024]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/devnotes/creating-a-cabinet
+ examples:
+ - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
+ features:
+ - and:
+ - match: create File Compression Interface context
+ - or:
+ - api: cabinet.FCIAddFile = add file to Cabinet
+ - api: cabinet.FCIFlushFolder = flush current folder under construction
+ - api: cabinet.FCIFlushCabinet = completes current cabinet
diff --git a/data-manipulation/compression/extract-files-from-cabinet.yml b/data-manipulation/compression/extract-files-from-cabinet.yml
new file mode 100644
index 000000000..96d647dba
--- /dev/null
+++ b/data-manipulation/compression/extract-files-from-cabinet.yml
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: extract files from Cabinet
+ namespace: data-manipulation/compression
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scope: function
+ att&ck:
+ - Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
+ mbc:
+ - Data::Decompress Data [C0025]
+ references:
+ - https://learn.microsoft.com/en-us/windows/win32/devnotes/extracting-files-from-a-cabinet
+ examples:
+ - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
+ features:
+ - and:
+ - match: create File Decompression Interface context
+ - or:
+ - api: cabinet.FDICopy
+ - api: cabinet.FDIDestroy
diff --git a/nursery/open-cabinet-file.yml b/lib/create-file-compression-interface-context.yml
similarity index 57%
rename from nursery/open-cabinet-file.yml
rename to lib/create-file-compression-interface-context.yml
index 2ee425ee4..c012b9255 100644
--- a/nursery/open-cabinet-file.yml
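Review bot: The only `examples` entry in this new rule, `44bad2e2…efaf:0x1400028E0`, is reused verbatim by every other rule in this series — the extract rule in the next hunk and both lib rules on the following line. One function may well call both the FCI (create) and FDI (extract) APIs, but the identical offset across creation and extraction reads like a copy-paste, so please confirm each example actually matches its own rule (the rule linter's example check would expose a mismatch), and ideally give the extract rule a function whose body calls `FDICopy`.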
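Review bot: The `or` under `features` treats `cabinet.FDIDestroy` as evidence of extraction, so a function that only sets up and tears down an FDI context (the `match` on the lib rule plus `FDIDestroy`, e.g. a cleanup or failed-initialisation path) satisfies `extract files from Cabinet` without ever calling `FDICopy`, the call that actually copies files out. Tying the rule to `FDICopy` and moving `FDIDestroy` out of the alternation, or under an `optional:` block, keeps the match aligned with the name. The two `api` lines also lack the `= description` annotations the sibling create rule in the previous hunk uses; `- api: cabinet.FDICopy = copy files out of Cabinet` would match that style.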
+++ b/lib/create-file-compression-interface-context.yml
@@ -1,12 +1,14 @@
rule:
meta:
- name: open cabinet file
- namespace: host-interaction/file-system
+ name: create File Compression Interface context
authors:
- michael.hunhoff@mandiant.com
+ lib: true
scope: function
references:
- https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
+ examples:
+ - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
features:
- or:
- api: cabinet.FCICreate
diff --git a/lib/create-file-decompression-interface-context.yml b/lib/create-file-decompression-interface-context.yml
new file mode 100644
index 000000000..6a1c055ec
--- /dev/null
+++ b/lib/create-file-decompression-interface-context.yml
@@ -0,0 +1,14 @@
+rule:
+ meta:
+ name: create File Decompression Interface context
+ authors:
+ - jakub.jozwiak@mandiant.com
+ lib: true
+ scope: function
+ references:
+ - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
+ examples:
+ - 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
+ features:
+ - or:
+ - api: cabinet.FDICreate
diff --git a/nursery/add-file-to-cabinet-file.yml b/nursery/add-file-to-cabinet-file.yml
deleted file mode 100644
index 5988a5180..000000000
--- a/nursery/add-file-to-cabinet-file.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-rule:
- meta:
- name: add file to cabinet file
- namespace: host-interaction/file-system
- authors:
- - michael.hunhoff@mandiant.com
- scope: function
- references:
- - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
- features:
- - or:
- - api: cabinet.FCIAddFile
diff --git a/nursery/flush-cabinet-file.yml b/nursery/flush-cabinet-file.yml
deleted file mode 100644
index b75ec4f63..000000000
--- a/nursery/flush-cabinet-file.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-rule:
- meta:
- name: flush cabinet file
- namespace: host-interaction/file-system
- authors:
- - michael.hunhoff@mandiant.com
- scope: function
- references:
- - https://docs.microsoft.com/en-us/windows/win32/msi/cabinet-files
- features:
- - or:
- - api: cabinet.FCIFlushFolder = flush current folder under construction
- - api: cabinet.FCIFlushCabinet = completes current cabinet
From ac09516cca968e54d6b5764405337cba3f290c21 Mon Sep 17 00:00:00 2001
From: jtothej
Date: Thu, 23 Nov 2023 16:27:04 +0800
Subject: [PATCH 2/2] Rename Cabinet archive rules
---
...eate-cabinet-file.yml => create-cabinet-on-windows.yml} | 7 ++++---
...les-from-cabinet.yml => extract-cabinet-on-windows.yml} | 4 ++--
...eate-file-compression-interface-context-on-windows.yml} | 2 +-
...te-file-decompression-interface-context-on-windows.yml} | 2 +-
4 files changed, 8 insertions(+), 7 deletions(-)
rename data-manipulation/compression/{create-cabinet-file.yml => create-cabinet-on-windows.yml} (74%)
rename data-manipulation/compression/{extract-files-from-cabinet.yml => extract-cabinet-on-windows.yml} (84%)
rename lib/{create-file-compression-interface-context.yml => create-file-compression-interface-context-on-windows.yml} (84%)
rename lib/{create-file-decompression-interface-context.yml => create-file-decompression-interface-context-on-windows.yml} (83%)
diff --git a/data-manipulation/compression/create-cabinet-file.yml b/data-manipulation/compression/create-cabinet-on-windows.yml
similarity index 74%
rename from data-manipulation/compression/create-cabinet-file.yml
rename to data-manipulation/compression/create-cabinet-on-windows.yml
index 5335792f3..7b259c6f1 100644
--- a/data-manipulation/compression/create-cabinet-file.yml
+++ b/data-manipulation/compression/create-cabinet-on-windows.yml
@@ -1,6 +1,6 @@
rule:
meta:
- name: create Cabinet file
+ name: create Cabinet on Windows
namespace: data-manipulation/compression
authors:
- michael.hunhoff@mandiant.com
@@ -16,8 +16,9 @@ rule:
- 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
features:
- and:
- - match: create File Compression Interface context
+ - match: create File Compression Interface context on Windows
- or:
- api: cabinet.FCIAddFile = add file to Cabinet
- api: cabinet.FCIFlushFolder = flush current folder under construction
- - api: cabinet.FCIFlushCabinet = completes current cabinet
+ - api: cabinet.FCIFlushCabinet = complete current cabinet
+ - api: cabinet.FCIDestroy = delete an open FCI context
diff --git a/data-manipulation/compression/extract-files-from-cabinet.yml b/data-manipulation/compression/extract-cabinet-on-windows.yml
similarity index 84%
rename from data-manipulation/compression/extract-files-from-cabinet.yml
rename to data-manipulation/compression/extract-cabinet-on-windows.yml
index 96d647dba..b371b1a65 100644
--- a/data-manipulation/compression/extract-files-from-cabinet.yml
+++ b/data-manipulation/compression/extract-cabinet-on-windows.yml
@@ -1,6 +1,6 @@
rule:
meta:
- name: extract files from Cabinet
+ name: extract Cabinet on Windows
namespace: data-manipulation/compression
authors:
- jakub.jozwiak@mandiant.com
@@ -15,7 +15,7 @@ rule:
- 44bad2e2a9e387b86870f009d01833ea4618d2a7cda5f64fa84a19f3bdf4efaf:0x1400028E0
features:
- and:
- - match: create File Decompression Interface context
+ - match: create File Decompression Interface context on Windows
- or:
- api: cabinet.FDICopy
- api: cabinet.FDIDestroy
diff --git a/lib/create-file-compression-interface-context.yml b/lib/create-file-compression-interface-context-on-windows.yml
similarity index 84%
rename from lib/create-file-compression-interface-context.yml
rename to lib/create-file-compression-interface-context-on-windows.yml
index c012b9255..3afa6b24a 100644
--- a/lib/create-file-compression-interface-context.yml
+++ b/lib/create-file-compression-interface-context-on-windows.yml
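Review bot: The added `- api: cabinet.FCIDestroy = delete an open FCI context` sits in the same `or` as the file-adding and flushing calls, so a function that matches the lib rule (`FCICreate`) and then calls only `FCIDestroy` — a failed-initialisation or cleanup path — now satisfies `create Cabinet on Windows` without adding a single file to an archive. `FCIDestroy` is teardown rather than creation; keeping it out of the alternation, or placing it under an `optional:` block beside the `or`, preserves the precision the rule had before this commit. The rule's `meta` block starts above this hunk, so the `examples` entry that should exercise the new alternative is not visible here.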
@@ -1,6 +1,6 @@
rule:
meta:
- name: create File Compression Interface context
+ name: create File Compression Interface context on Windows
authors:
- michael.hunhoff@mandiant.com
lib: true
diff --git a/lib/create-file-decompression-interface-context.yml b/lib/create-file-decompression-interface-context-on-windows.yml
similarity index 83%
rename from lib/create-file-decompression-interface-context.yml
rename to lib/create-file-decompression-interface-context-on-windows.yml
index 6a1c055ec..b9a2bd5f3 100644
--- a/lib/create-file-decompression-interface-context.yml
+++ b/lib/create-file-decompression-interface-context-on-windows.yml
@@ -1,6 +1,6 @@
rule:
meta:
- name: create File Decompression Interface context
+ name: create File Decompression Interface context on Windows
authors:
- jakub.jozwiak@mandiant.com
lib: true