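rule:
  meta:
    name: encrypt data using RC4 KSA
    namespace: data-manipulation/encryption/rc4
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      dynamic: unsupported  # requires characteristic, mnemonic, Not features
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Cryptography::Encrypt Data::RC4 [C0027.009]
      - Cryptography::Encryption Key::RC4 KSA [C0028.002]
    examples:
      - 34404A3FB9804977C6AB86CB991FB130:0x403D40
      - 9324D1A8AE37A36AE560C37448C9705A:0x404950
      - 2B8BEC5BCB1777EAA155D832F7AFC797:0x405C42
      - 73CE04892E5F39EC82B00C02FC04C70F:0x40646E
  features:
    # Two shapes of the RC4 key-scheduling algorithm (KSA): a byte-wise
    # S-box initialization loop together with the two modulo operations of
    # the scheduling loop, or a DWORD-at-a-time initialization of S.
    - or:
      - and:
        - basic block:
          - and:
            - description: initialize S
            # misses if regular loop is used,
            # however we cannot model that a loop contains a certain number
            - characteristic: tight loop
            # S has 256 entries; the loop bound typically shows up as
            # 0xFF (compare-below-or-equal) or 0x100 (compare-below)
            - or:
              - number: 0xFF
              - number: 0x100
        # j = (j + S[i] + key[i mod keylen]) mod 256 -- the "mod 256" part
        - or:
          - description: modulo 256
          - match: calculate modulo 256 via x86 assembly
          - basic block:
            - and:
              - description: modulo via zero-extended mov from 8-bit register
              - count(mnemonic(movzx)): 2 or more
              # avoid false positives; filter out unexpected instructions
              - not:
                - or:
                  - mnemonic: shl
                  - mnemonic: rol
                  - characteristic: nzxor
        # ... and the "i mod keylen" part, which usually compiles to a division
        - or:
          - description: modulo key length
          - mnemonic: div
          - mnemonic: idiv
      - and:
        - description: write DWORDs instead of bytes
        # 0x03020100 is the little-endian byte sequence 00 01 02 03, i.e. the
        # first DWORD of the identity permutation S[i] = i; 0xFFFEFDFC
        # (FC FD FE FF) is its last DWORD
        - or:
          - number: 0x03020100
          - number: 0xFFFEFDFC
        # each iteration moves all four packed bytes by 4
        # (add when counting up from 0x03020100, sub when counting down)
        - instruction:
          - or:
            - mnemonic: add
            - mnemonic: sub
          - number: 0x04040404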