# generated using capa explorer for IDA Pro
#
# Detects the scalar, byte-wise ("xtime") form of the AES MixColumns step
# shown in the referenced Wikipedia article: a loop over the four bytes of a
# column that doubles each byte (shl by 1) and, when the byte's high bit was
# set, XORs in 0x1B. 0x1B is the low byte of Rijndael's field polynomial
# x^8 + x^4 + x^3 + x + 1 (0x11B), so the shl/xor pair is the reduction of
# the doubled value back into GF(2^8).
#
# NOTE(review): the rule names only the cmp/shl/xor mnemonics of this scalar
# pattern. AES implementations built on precomputed T-tables or on AES-NI
# (aesenc/aesdec) contain none of these instructions and will not match this
# rule; a compiler that unrolls the four-iteration loop (no cmp/loop) or
# lowers `x << 1` to `add r, r` (no shl) can also defeat the match. The same
# xtime reduction is used by InvMixColumns (decryption) and by rcon
# generation in the AES key schedule, so despite the rule name a hit does not
# by itself establish that the function encrypts rather than decrypts or
# expands a key. Any other code reducing modulo 0x11B in GF(2^8) would match
# as well, though such code is uncommon outside AES and AES-derived designs.
rule:
  meta:
    name: encrypt data using AES MixColumns step
    namespace: data-manipulation/encryption/aes
    authors:
      - "@mr-tz"
    scopes:
      static: function
      # instruction-level operand/mnemonic features are only available to
      # static analysis
      dynamic: unsupported # requires operand[1].number, characteristic, mnemonic, operand[0].offset features
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
      - Cryptography::Encrypt Data::AES [C0027.001]
    references:
      - https://en.wikipedia.org/wiki/Rijndael_MixColumns
    examples:
      - 1e9fc7f32bd5522dd0222932eb9f1d8bd0a2e132c7b46cfcc622ad97831e6128:0x40e3de
  features:
    # all required features must occur within one function
    - and:
      # for (c = 0; c < 4; c++)
      # the loop bound 4 is the number of bytes in an AES state column
      - characteristic: loop
      - instruction:
        - and:
          - mnemonic: cmp
          - operand[1].number: 0x4
      # b[c] = r[c] << 1;
      # doubling in GF(2^8); the bit shifted out of the top is discarded when
      # the result is truncated back to a byte
      - instruction:
        - and:
          - description: implicitly removes high bit
          - mnemonic: shl
          - operand[1].number: 0x1
      # b[c] ^= h * 0x1B;
      # h is the high bit of r[c]; XOR with 0x1B reduces the doubled value
      # modulo the Rijndael polynomial 0x11B
      - instruction:
        - and:
          - description: Rijndael's Galois field
          - mnemonic: xor
          - operand[1].number: 0x1B
      # not required for a match; presumably the byte store is optional
      # because the compiler may keep b[c] in a register rather than writing
      # it through a pointer with displacement 0 -- TODO confirm
      - optional:
        - instruction:
          - and:
            - description: "byte assignment, e.g., in: b[c] = r[c] << 1; b[c] ^= h * 0x1B;"
            - mnemonic: mov
            - operand[0].offset: 0x0