From da035e278b6c4e1da89e7eb87934a71955375bd9 Mon Sep 17 00:00:00 2001
From: sara-rn <103417144+sara-rn@users.noreply.github.com>
Date: Thu, 9 Nov 2023 19:01:05 +0100
Subject: [PATCH 01/12] identify .NET single file bundles
---
...led-with-dotnet-single-file-deployment.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 bundled-with-dotnet-single-file-deployment.yml
diff --git a/bundled-with-dotnet-single-file-deployment.yml b/bundled-with-dotnet-single-file-deployment.yml
new file mode 100644
index 00000000..6d536f9f
--- /dev/null
+++ b/bundled-with-dotnet-single-file-deployment.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: bundled with .NET single-file deployment
+ namespace: runtime/dotnet
+ authors:
+ - sara.rincon@mandiant.com
+ scope: file
+ references:
+ - https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file/overview?tabs=cli
+ - https://github.com/dotnet/runtime/blob/84de9b678613675e0444b265905c82d33dae33a8/src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs
+ examples:
+ - a83339b07cf2bf1aeda192de42760c625d4b2f106260f58c902d02f4766848d5
+ features:
+ - or:
+ - and:
+ - match: contains PDB path
+ - string: "singlefilehost.pdb"
+ - export: DotNetRuntimeInfo
+ - export: corehost_initialize
From fc0fda299bce9bb7fc261a277e39d9d790d0bca5 Mon Sep 17 00:00:00 2001
From: Capa Bot
Date: Thu, 9 Nov 2023 18:01:18 +0000
Subject: [PATCH 02/12] Update rules number badge
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 74c41dce..e8d983f3 100644
--- a/README.md
+++ b/README.md
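Review bot: `- string: "singlefilehost.pdb"` in the `and:` clause is an exact-match string feature, so the clause only fires when the embedded PDB path is exactly that bare file name; a build whose PDB path keeps a directory prefix satisfies `match: contains PDB path` but not this string, and the clause silently misses. If the bare name is what the example sample carries, `- substring: singlefilehost.pdb` keeps the detection while tolerating a prefix; if exact matching is deliberate, say so in a feature `description:` so the next maintainer does not "fix" it. The identical block is copied unchanged into the new file this series adds under executable/installer/dotnet in patch 07, so the same change applies there. The rule also has no rule-level `description:`; one sentence stating that the native apphost carries the managed app and runtime as a single-file bundle would help readers tell it apart from the internal limitation rule added later in the series.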
@@ -1,7 +1,7 @@ # capa rules [![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-847-blue.svg)](rules) +[![Number of rules](https://img.shields.io/badge/rules-848-blue.svg)](rules) [![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. From 3089ba8d45d54ad0e8bfbd0b8417b2995245c457 Mon Sep 17 00:00:00 2001 From: sara-rn <103417144+sara-rn@users.noreply.github.com> Date: Mon, 13 Nov 2023 10:38:01 +0100 Subject: [PATCH 03/12] Update bundled-with-dotnet-single-file-deployment.yml --- bundled-with-dotnet-single-file-deployment.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/bundled-with-dotnet-single-file-deployment.yml b/bundled-with-dotnet-single-file-deployment.yml index 6d536f9f..73b53f1e 100644 --- a/bundled-with-dotnet-single-file-deployment.yml +++ b/bundled-with-dotnet-single-file-deployment.yml @@ -15,5 +15,6 @@ rule: - and: - match: contains PDB path - string: "singlefilehost.pdb" + description = symbol file for the native executable when publish single file is true - export: DotNetRuntimeInfo - export: corehost_initialize From 3396236d3dfd8f5e84f86a12a5b83f129c9b72f8 Mon Sep 17 00:00:00 2001 From: sara-rn <103417144+sara-rn@users.noreply.github.com> Date: Tue, 14 Nov 2023 13:35:42 +0100 Subject: [PATCH 04/12] Delete README.md --- README.md | 151 ------------------------------------------------------ 1 file changed, 151 deletions(-) delete mode 100644 README.md diff --git a/README.md b/README.md deleted file mode 100644 index e8d983f3..00000000 --- a/README.md +++ /dev/null 
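Review bot: `description = symbol file for the native executable when publish single file is true`, added as a line of its own under `- string: "singlefilehost.pdb"`, has no `: ` separator, so as rendered here YAML rejects it (a block-mapping entry needs a key/value separator, and a plain scalar cannot follow a closed quoted scalar); capa's inline description form is the ` = ...` suffix on the feature line itself, as the README quoted on this page shows with `= crc32_tab`. Write it as a sibling key aligned with `string`, `description: symbol file for the native executable when PublishSingleFile is true`, or append ` = ...` to the `string:` line. The same line is carried through the rewording in patch 05 and re-added in patch 11 to the copy under executable/installer/dotnet, so all three hunks need the same fix. The enclosing `or:` list begins above this hunk.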
@@ -1,151 +0,0 @@ -# capa rules - -[![Rule linter status](https://github.com/mandiant/capa-rules/workflows/CI/badge.svg)](https://github.com/mandiant/capa-rules/actions?query=workflow%3A%22CI%22) -[![Number of rules](https://img.shields.io/badge/rules-848-blue.svg)](rules) -[![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt) - -This is the standard collection of rules for [capa](https://github.com/mandiant/capa) - the tool to automatically identify capabilities of programs. - -## philosophy -Rule writing should be easy and fun! -A large rule corpus benefits everyone in the community and we encourage all kinds of contributions. - -Anytime you see something neat in malware, we want you to think of expressing it in a capa rule. -Then, we'll make it as painless as possible to share your rule here and distribute it to the capa users. - -## rule development - -capa uses a collection of rules to identify capabilities within a program. -These rules are easy to write, even for those new to reverse engineering. -By authoring rules, you can extend the capabilities that capa recognizes. -In some regards, capa rules are a mixture of the OpenIOC, Yara, and YAML formats. 
- -Here's an example of a capa rule: - -```yaml -rule: - meta: - name: hash data with CRC32 - namespace: data-manipulation/checksum/crc32 - authors: - - moritz.raabe@mandiant.com - scope: function - mbc: - - Data::Checksum::CRC32 [C0032.001] - examples: - - 2D3EDC218A90F03089CC01715A9F047F:0x403CBD - - 7D28CB106CB54876B2A5C111724A07CD:0x402350 # RtlComputeCrc32 - - 7EFF498DE13CC734262F87E6B3EF38AB:0x100084A6 - features: - - or: - - and: - - mnemonic: shr - - or: - - number: 0xEDB88320 - - bytes: 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 19 C4 6D 07 8F F4 6A 70 35 A5 63 E9 A3 95 64 9E = crc32_tab - - number: 8 - - characteristic: nzxor - - and: - - number: 0x8320 - - number: 0xEDB8 - - characteristic: nzxor - - api: RtlComputeCrc32 -``` - -capa interpets the content of these rules as it inspects executable files. -If you follow the guidelines of this rule format, then you can teach capa to identify new capabilities. - -The [doc/format.md](./doc/format.md) file describes exactly how to construct rules. -Please refer to it as you create rules for capa. - - -## namespace organization - -The organization of this repository mirrors the namespaces of the rules it contains. -capa uses namespaces to group like things together, especially when it renders its final report. -Namespaces are hierarchical, so the children of a namespace encodes its specific techniques. -In a few words each, the top level namespaces are: - - - [anti-analysis](./anti-analysis/) - packing, obfuscation, anti-X, etc. - - [collection](./collection/) - data that may be enumerated and collected for exfiltration - - [communication](./communication/) - HTTP, TCP, command and control (C2) traffic, etc. - - [compiler](./compiler/) - detection of build environments, such as MSVC, Delphi, or AutoIT - - [data-manipulation](./data-manipulation/) - encryption, hashing, etc. 
- - [executable](./executable/) - characteristics of the executable, such as PE sections or debug info - - [host-interaction](./host-interaction/) - access or manipulation of system resources, like processes or the Registry - - [impact](./impact/) - end goal - - [internal](./internal/) - used internally by capa to guide analysis - - [lib](./lib/) - building blocks to create other rules - - [linking](./linking/) - detection of dependencies, such as OpenSSL or Zlib - - [load-code](./load-code/) - runtime load and execution of code, such as embedded PE or shellcode - - [malware-family](./malware-family/) - detection of malware families - - [nursery](./nursery/) - staging ground for rules that are not quite polished - - [persistence](./persistence/) - all sorts of ways to maintain access - - [runtime](./runtime/) - detection of language runtimes, such as the .NET platform or Go - - [targeting](./targeting/) - special handling of systems, such as ATM machines - -We can easily add more top level namespaces as the need arises. - - -### library rules -capa supports rules matching other rule matches. -For example, the following rule set describes various methods of persistence. -Note that the rule `persistence` matches if either `run key` or `service` match against a sample. - -```yaml ---- -rule: - meta: - name: persistence - features: - or: - - match: run key - - match: service ---- -rule: - meta: - name: run key - features: - string: /CurrentVersion\/Run/i ---- -rule: - meta: - name: service - features: - api: CreateService -``` - -Using this feature, we can capture common logic into "library rules". -These rules don't get rendered as results but are used as building blocks to create other rules. -For example, there are quite a few ways to write to files on Windows, - so the following library rule makes it easy for other rules to thoroughly match file writing. - - ```yaml -rule: - meta: - name: write file - lib: True - features: - or: - api: WriteFile - api: fwrite - ... 
- ``` - -Set `rule.meta.lib=True` to declare a lib rule and place the rule file into the [lib](./lib/) rule directory. -Library rules should not have a namespace. -Library rules will not be rendered as results. -Capa will only attempt to match lib rules that are referenced by other rules, - so there's no performance overhead for defining many reusable library rules. - -### rule nursery -The rule [nursery](https://github.com/mandiant/capa-rules/tree/master/nursery) is a staging ground for rules that are not quite polished. Nursery rule logic should still be solid, though metadata may be incomplete. For example, rules that miss a public example of the technique. - -The rule engine matches regularly on nursery rules. However, our rule linter only enumerates missing rule data, but will not fail the CI build, because its understood that the rule is incomplete. - -We encourage contributors to create rules in the nursery, and hope that the community will work to "graduate" the rule once things are acceptable. - -Examples of things that would place a rule into the nursery: - - no real-world examples - - missing categorization - - (maybe) questions about fidelity (e.g. RC4 PRNG algorithm) From c9f2d7de9b7f56173f5b1dab30a867e2ace70aaa Mon Sep 17 00:00:00 2001 From: sara-rn <103417144+sara-rn@users.noreply.github.com> Date: Tue, 14 Nov 2023 13:37:18 +0100 Subject: [PATCH 05/12] Update bundled-with-dotnet-single-file-deployment.yml Co-authored-by: Moritz --- bundled-with-dotnet-single-file-deployment.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundled-with-dotnet-single-file-deployment.yml b/bundled-with-dotnet-single-file-deployment.yml index 73b53f1e..c5e95114 100644 --- a/bundled-with-dotnet-single-file-deployment.yml +++ b/bundled-with-dotnet-single-file-deployment.yml 
@@ -15,6 +15,6 @@ rule:
 - and:
 - match: contains PDB path
 - string: "singlefilehost.pdb"
- description = symbol file for the native executable when publish single file is true
+ description = symbol file for the native executable when PublishSingleFile is true
 - export: DotNetRuntimeInfo
 - export: corehost_initialize
From 08b3d5c0a3ed918b81745bcb35ad290ec82e3eed Mon Sep 17 00:00:00 2001
From: sara-rn
Date: Tue, 14 Nov 2023 17:48:57 +0100
Subject: [PATCH 06/12] identify .net single bundles as a file limitation
---
...led-with-dotnet-single-file-deployment.yml | 0
...nternal-dotnet-bundled-file-limitation.yml | 20 +++++++++++++++++++
2 files changed, 20 insertions(+)
rename bundled-with-dotnet-single-file-deployment.yml => internal/limitation/file/bundled-with-dotnet-single-file-deployment.yml (100%)
create mode 100644 internal/limitation/file/internal-dotnet-bundled-file-limitation.yml
diff --git a/bundled-with-dotnet-single-file-deployment.yml b/internal/limitation/file/bundled-with-dotnet-single-file-deployment.yml
similarity index 100%
rename from bundled-with-dotnet-single-file-deployment.yml
rename to internal/limitation/file/bundled-with-dotnet-single-file-deployment.yml
diff --git a/internal/limitation/file/internal-dotnet-bundled-file-limitation.yml b/internal/limitation/file/internal-dotnet-bundled-file-limitation.yml
new file mode 100644
index 00000000..d34b54d1
--- /dev/null
+++ b/internal/limitation/file/internal-dotnet-bundled-file-limitation.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: (internal) .NET single file bundles limitation
+ namespace: internal/limitation/file
+ authors:
+ - "@sara-rn
+ description: |
+ This sample appears to be built with the single-file deployment in .NET.
+
+ Single-file deployment allows all the application-dependent files to be bundled into a single binary.
+ The size of the single file in a self-contained application is large since it includes the runtime and the framework libraries.
+ The main application and the libraries are contained in the overlay section.
+ You may need to extract the runtime configuration files such as *.deps.json and *.runtimeconfig.json files to determines the main .NET library to be analyzed.
+
+ scope: file
+ examples:
+ - a83339b07cf2bf1aeda192de42760c625d4b2f106260f58c902d02f4766848d5
+ features:
+ - or:
+ - match: runtime/dotnet/bundled-with-dotnet-single-file-deployment
\ No newline at end of file
From 8e8a7d956c422d05e272827d90daf4a1ad8e87a6 Mon Sep 17 00:00:00 2001
From: sara-rn
Date: Wed, 15 Nov 2023 13:47:54 +0100
Subject: [PATCH 07/12] added single file deployment rule to executable/installer/dotnet
---
...led-with-dotnet-single-file-deployment.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 executable/installer/dotnet/bundled-with-dotnet-single-file-deployment.yml
diff --git a/executable/installer/dotnet/bundled-with-dotnet-single-file-deployment.yml b/executable/installer/dotnet/bundled-with-dotnet-single-file-deployment.yml
new file mode 100644
index 00000000..6d536f9f
--- /dev/null
+++ b/executable/installer/dotnet/bundled-with-dotnet-single-file-deployment.yml
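Review bot: `- "@sara-rn` under `authors:` opens a double-quoted scalar that is never closed, so the whole file fails to parse and the rule is never loaded; write `- "@sara-rn"` or use the e-mail form the sibling rule uses. `match: runtime/dotnet/bundled-with-dotnet-single-file-deployment` is neither the referenced rule's name (`bundled with .NET single-file deployment`) nor its namespace (`runtime/dotnet`), so as far as I can tell the match can never resolve; `- match: bundled with .NET single-file deployment` ties the limitation to that one rule. This file is removed again by patch 10 of this series, so the fixes belong in its replacement, internal-dotnet-single-file-deployment-limitation.yml from patch 08.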
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: bundled with .NET single-file deployment
+ namespace: runtime/dotnet
+ authors:
+ - sara.rincon@mandiant.com
+ scope: file
+ references:
+ - https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file/overview?tabs=cli
+ - https://github.com/dotnet/runtime/blob/84de9b678613675e0444b265905c82d33dae33a8/src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs
+ examples:
+ - a83339b07cf2bf1aeda192de42760c625d4b2f106260f58c902d02f4766848d5
+ features:
+ - or:
+ - and:
+ - match: contains PDB path
+ - string: "singlefilehost.pdb"
+ - export: DotNetRuntimeInfo
+ - export: corehost_initialize
From 2227807e35106bb6600ea2ef98d5cd4e0d7d43b2 Mon Sep 17 00:00:00 2001
From: sara-rn
Date: Wed, 15 Nov 2023 13:57:12 +0100
Subject: [PATCH 08/12] lint + rule in executable/installer/dotnet
---
...led-with-dotnet-single-file-deployment.yml | 20 -------------------
...tnet-single-file-deployment-limitation.yml | 20 +++++++++++++++++++
2 files changed, 20 insertions(+), 20 deletions(-)
delete mode 100644 internal/limitation/file/bundled-with-dotnet-single-file-deployment.yml
create mode 100644 internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml
diff --git a/internal/limitation/file/bundled-with-dotnet-single-file-deployment.yml b/internal/limitation/file/bundled-with-dotnet-single-file-deployment.yml
deleted file mode 100644
index c5e95114..00000000
--- a/internal/limitation/file/bundled-with-dotnet-single-file-deployment.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-rule:
- meta:
- name: bundled with .NET single-file deployment
- namespace: runtime/dotnet
- authors:
- - sara.rincon@mandiant.com
- scope: file
- references:
- - https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file/overview?tabs=cli
- - https://github.com/dotnet/runtime/blob/84de9b678613675e0444b265905c82d33dae33a8/src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs
- examples:
- - a83339b07cf2bf1aeda192de42760c625d4b2f106260f58c902d02f4766848d5
- features:
- - or:
- - and:
- - match: contains PDB path
- - string: "singlefilehost.pdb"
- description = symbol file for the native executable when PublishSingleFile is true
- - export: DotNetRuntimeInfo
- - export: corehost_initialize
diff --git a/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml b/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml
new file mode 100644
index 00000000..e66356a3
--- /dev/null
+++ b/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml
@@ -0,0 +1,20 @@
+rule:
+ meta:
+ name: (internal) .NET single file deployment limitation
+ namespace: internal/limitation/file
+ authors:
+ - sara.rincon@mandiant.com
+ description: |
+ This sample appears to be built with the single-file deployment in .NET.
+
+ Single-file deployment allows all the application-dependent files to be bundled into a single binary.
+ The size of the single file in a self-contained application is large since it includes the runtime and the framework libraries.
+ The main application and the libraries are contained in the overlay section.
+ You may need to extract the runtime configuration files such as *.deps.json and *.runtimeconfig.json files to determine the main .NET library and extract it with the tool SingleFileExtractor.
+ scope: file
+ examples:
+ - a83339b07cf2bf1aeda192de42760c625d4b2f106260f58c902d02f4766848d5
+ features:
+ - or:
+ - match: executable/installer/dotnet
+
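Review bot: `- match: executable/installer/dotnet` in the new limitation rule is a namespace match, so this (internal) single-file-deployment limitation fires for any rule that lives in executable/installer/dotnet, not just the one this series adds; a future installer rule placed in that directory would start tripping it, and if I recall capa's handling correctly a matched internal/limitation/file rule makes capa warn and stop analysis by default, so an over-broad match costs the whole run. Matching the specific rule, `- match: bundled with .NET single-file deployment`, keeps the limitation tied to the evidence the description talks about. The description's last line names "the tool SingleFileExtractor" without a reference; adding its URL under a `references:` key would let analysts find it.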
From 7c31b3eacfa9c7c83ebe61e1dbade6d7b1c0ba4f Mon Sep 17 00:00:00 2001
From: sara-rn
Date: Wed, 15 Nov 2023 14:01:44 +0100
Subject: [PATCH 09/12] fixed namespace
---
.../dotnet/bundled-with-dotnet-single-file-deployment.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/executable/installer/dotnet/bundled-with-dotnet-single-file-deployment.yml b/executable/installer/dotnet/bundled-with-dotnet-single-file-deployment.yml
index 6d536f9f..97b5a655 100644
--- a/executable/installer/dotnet/bundled-with-dotnet-single-file-deployment.yml
+++ b/executable/installer/dotnet/bundled-with-dotnet-single-file-deployment.yml
@@ -1,7 +1,7 @@
 rule:
 meta:
 name: bundled with .NET single-file deployment
- namespace: runtime/dotnet
+ namespace: executable/installer/dotnet
 authors:
 - sara.rincon@mandiant.com
 scope: file
From b649129df7dc59c0ae7398629bdc9a7ae567e3e7 Mon Sep 17 00:00:00 2001
From: sara-rn
Date: Wed, 15 Nov 2023 14:04:46 +0100
Subject: [PATCH 10/12] deleted older file limitation rule
---
...nternal-dotnet-bundled-file-limitation.yml | 20 -------------------
1 file changed, 20 deletions(-)
delete mode 100644 internal/limitation/file/internal-dotnet-bundled-file-limitation.yml
diff --git a/internal/limitation/file/internal-dotnet-bundled-file-limitation.yml b/internal/limitation/file/internal-dotnet-bundled-file-limitation.yml
deleted file mode 100644
index d34b54d1..00000000
--- a/internal/limitation/file/internal-dotnet-bundled-file-limitation.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-rule:
- meta:
- name: (internal) .NET single file bundles limitation
- namespace: internal/limitation/file
- authors:
- - "@sara-rn
- description: |
- This sample appears to be built with the single-file deployment in .NET.
-
- Single-file deployment allows all the application-dependent files to be bundled into a single binary.
- The size of the single file in a self-contained application is large since it includes the runtime and the framework libraries.
- The main application and the libraries are contained in the overlay section.
- You may need to extract the runtime configuration files such as *.deps.json and *.runtimeconfig.json files to determines the main .NET library to be analyzed.
-
- scope: file
- examples:
- - a83339b07cf2bf1aeda192de42760c625d4b2f106260f58c902d02f4766848d5
- features:
- - or:
- - match: runtime/dotnet/bundled-with-dotnet-single-file-deployment
\ No newline at end of file
From cbd07c08a47f39d2d262b2480086ed7761aba9dd Mon Sep 17 00:00:00 2001
From: sara-rn
Date: Wed, 15 Nov 2023 14:09:58 +0100
Subject: [PATCH 11/12] added description
---
.../dotnet/bundled-with-dotnet-single-file-deployment.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/executable/installer/dotnet/bundled-with-dotnet-single-file-deployment.yml b/executable/installer/dotnet/bundled-with-dotnet-single-file-deployment.yml
index 97b5a655..b6212f02 100644
--- a/executable/installer/dotnet/bundled-with-dotnet-single-file-deployment.yml
+++ b/executable/installer/dotnet/bundled-with-dotnet-single-file-deployment.yml
@@ -15,5 +15,6 @@ rule:
 - and:
 - match: contains PDB path
 - string: "singlefilehost.pdb"
+ description = symbol file for the native executable when PublishSingleFile is true
 - export: DotNetRuntimeInfo
 - export: corehost_initialize
From 56334a40f28394c71278613bfde043473e83e664 Mon Sep 17 00:00:00 2001
From: sara-rn
Date: Wed, 15 Nov 2023 19:41:56 +0100
Subject: [PATCH 12/12] fixed format
---
.../file/internal-dotnet-single-file-deployment-limitation.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml b/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml
index e66356a3..9364b213 100644
--- a/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml
+++ b/internal/limitation/file/internal-dotnet-single-file-deployment-limitation.yml
@@ -17,4 +17,3 @@ rule:
 features:
 - or:
 - match: executable/installer/dotnet
-