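rule:
  meta:
    name: encrypt data using RC4 PRGA
    namespace: data-manipulation/encryption/rc4
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: function
      # characteristic, mnemonic and basic-block features only exist for static analysis
      dynamic: unsupported
    att&ck:
      - Defense Evasion::Obfuscated Files or Information [T1027]
    mbc:
      - Cryptography::Encrypt Data::RC4 [C0027.009]
      - Cryptography::Generate Pseudo-random Sequence::RC4 PRGA [C0021.004]
    examples:
      # format is <sample hash>:<function virtual address>
      - 34404A3FB9804977C6AB86CB991FB130:0x403DB0
      - 34404A3FB9804977C6AB86CB991FB130:0x403E50
      - 9324D1A8AE37A36AE560C37448C9705A:0x4049F0
      - 73CE04892E5F39EC82B00C02FC04C70F:0x4064C6
  features:
    # heuristic structural match: a small, loop-bearing function with a single
    # non-zeroing XOR and byte-wrapping arithmetic; expect false positives on
    # other byte-oriented stream ciphers and simple XOR obfuscation
    - and:
      # TODO: maybe add characteristic for nzxor reg size
      - count(characteristic(nzxor)): 1
      - or:
        - match: calculate modulo 256 via x86 assembly
        # compiler may do this via zero-extended mov from 8-bit register
        - count(mnemonic(movzx)): 4 or more
      # should not call (many) functions
      - count(characteristic(calls from)): (0, 4)
      # should not be too simple or too complex (50 is picked by intuition)
      - count(basic blocks): (4, 50)
      - match: contain loop
      # constants that typically accompany a byte-index wrap-around
      # (mask 0xFF or bound 0x100); present in many but not all samples
      - optional:
        - or:
          - number: 0xFF
          - number: 0x100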