mandiant · Oct 15, 2024 · Oct 16, 2024 · Oct 18, 2024 · Oct 22, 2024 · Oct 22, 2024
diff --git a/.github/scripts/create_releases.py b/.github/scripts/create_releases.py
@@ -8,7 +8,6 @@
 import logging
 import subprocess
 import collections
-from typing import Dict, Tuple
 from argparse import ArgumentParser, ArgumentDefaultsHelpFormatter
 
 GIT_EXE = "git"
@@ -23,7 +22,7 @@
 logger = logging.getLogger(__name__)
 
 
-def run_cmd(cmd: str) -> Tuple[str, str]:
+def run_cmd(cmd: str) -> tuple[str, str]:
     logger.debug("cmd: %s", cmd)
     p = subprocess.Popen(cmd.split(" "), stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     out_, err_ = p.communicate()
@@ -34,7 +33,7 @@ def run_cmd(cmd: str) -> Tuple[str, str]:
     return out, err
 
 
-def get_diffs(cpath1: str, cpath2: str, percentage: str) -> Dict[str, list]:
+def get_diffs(cpath1: str, cpath2: str, percentage: str) -> dict[str, list]:
     cmd = f"{GIT_EXE} --no-pager diff --find-renames={percentage} --name-status {cpath1} {cpath2}"
     gdiff, err = run_cmd(cmd)
     # example output:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on:
 jobs:
 
   create_release:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     permissions:
       contents: write
     steps:

diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
@@ -4,7 +4,7 @@ on:
     branches: [ master ]
 jobs:
   update_num_rules:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
     - name: Checkout capa-rules
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -23,7 +23,7 @@ jobs:
         color: blue
 
   sync_submodule_capa:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs: update_num_rules
     steps:
     # Do not checkout submodules as we don't need capa-testfiles and we need to
@@ -50,10 +50,10 @@ jobs:
     - name: Get modified files
       id: files
       uses: Ana06/get-changed-files@25f79e676e7ea1868813e21465014798211fad8c # v2.3.0
-    - name: Set up Python 3.9
+    - name: Set up Python 3.12
       uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
-        python-version: 3.9
+        python-version: 3.12
     - name: Install Python dependencies
       run:
         pip install pyyaml

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -23,7 +23,7 @@ env:
 
 jobs:
   rule_linter:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     env:
       # expect this text in the PR body to trigger thorough lint of all rules
       LINT_THOROUGH: '[x] lint thorough all'
@@ -43,10 +43,10 @@ jobs:
         repository: mandiant/capa-testfiles
         path: tests/data
     # use latest available python for best performance
-    - name: Set up Python 3.11
+    - name: Set up Python 3.12
       uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
       with:
-        python-version: 3.11
+        python-version: 3.12
     - name: Install capa
       run: pip install -e .
     # Regular lint is fast, so do this first
@@ -100,7 +100,7 @@ jobs:
   rules_latest_release:
     # e.g. v4
     if: startsWith(github.base_ref, 'v')
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
     - name: Get latest release executable name and version
       run: |

diff --git a/...alysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml b/...alysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
@@ -17,10 +17,16 @@ rule:
     examples:
       - 2ebadd04f0ada89c36c1409b6e96423a68dd77b513db8db3da203c36d3753e5f:0x140002120
   features:
-    - and:
-      - api: SetProcessMitigationPolicy
-      - number: 4 = sizeof(PROCESS_MITIGATION_DYNAMIC_CODE_POLICY)
-      - number: 1 = ProhibitDynamicCode
-      - or:
-        - number: 8 = ProcessDynamicCodePolicy
-        - offset: 4
+    - or:
+      - and:
+        - api: SetProcessMitigationPolicy
+        - number: 4 = sizeof(PROCESS_MITIGATION_DYNAMIC_CODE_POLICY)
+        - number: 1 = set policy.ProhibitDynamicCode to 1
+        - number: 2 = ProcessDynamicCodePolicy
+      - and:
+        - api: SetProcessMitigationPolicy
+        - number: 4 = sizeof(PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY)
+        - number: 1 = set policy.MicrosoftSignedOnly to 1
+        - or:
+          - number: 8 = ProcessSignaturePolicy
+          - offset: 4 = lea ecx, [r8+4] ; with r8 equal to 4
diff --git a/collection/browser/get-chrome-cookiemonster.yml b/collection/browser/get-chrome-cookiemonster.yml
@@ -0,0 +1,25 @@
+rule:
+  meta:
+    name: get Chrome CookieMonster
+    namespace: collection/browser
+    authors:
+      - still@teamt5.org
+    description: finds sections related to Chrome's CookieMonster component, typically used in conjunction with code that dumps cookies from Chromium-based browsers
+    scopes:
+      static: file
+      dynamic: process
+    att&ck:
+      - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
+    references:
+      - https://github.com/Meckazin/ChromeKatz/blob/main/CookieKatz-BOF/CookieKatzBOF.cpp
+    examples:
+      - 79f5cabff898d60cd614e7254d409d9c2e05184416e5c54201e2dc216998d28b:0x117D
+  features:
+    - and:
+      - substring: "network.mojom.NetworkService" # process with CookieMonster
+      - or:
+        - substring: "chrome.dll"
+        - substring: "chrome.exe"
+        - substring: "msedge.exe"
+        - substring: "msedgewebview2.exe"
+        - substring: "msedge.dll"
diff --git a/collection/browser/get-elevation-service-for-chromium-based-browsers.yml b/collection/browser/get-elevation-service-for-chromium-based-browsers.yml
@@ -0,0 +1,50 @@
+rule:
+  meta:
+    name: get elevation service for Chromium-based browsers
+    namespace: collection/browser
+    authors:
+      - still@teamt5.org
+    description: finds strings/identifiers related to Chrome Elevation Service, typically used in conjunction with retrieving App-bound Encryption related key
+    scopes:
+      static: function
+      dynamic: unsupported  # requires bytes features
+    att&ck:
+      - Credential Access::Exploitation for Credential Access [T1212]
+      - Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003]
+    references:
+      - https://gist.github.com/snovvcrash/caded55a318bbefcb6cc9ee30e82f824
+      - https://chromium.googlesource.com/chromium/src/+/HEAD/chrome/install_static/install_util_unittest.cc
+    examples:
+      - fb690a23b66d4f90dac83f1b4d6dec0074aff68d6ef62c2613120bd4d17cfbdd:0x14006E8C0
+  features:
+    - and:
+      - optional:
+        - string: "APPB"
+          description: prefix for App-bound Encryption encrypted credentials
+      - or:
+        - 2 or more:
+          - bytes: CF BE 3A 46 0D 41 7F 40 8A F5 0D F3 5A 00 5C C8 = IID for Google Chrome
+          - bytes: E0 60 88 70 41 F6 11 46 88 95 7D 86 7D D3 67 5B = CLSID for Google Chrome
+          - substring: "{708860E0-F641-4611-8895-7D867DD3675B}"
+            description: CLSID for Google Chrome
+        - 2 or more:
+          - bytes: 66 1D 72 A2 6E 37 2F 4D 9F 0F 90 70 E9 A4 2B 5F = IID for Google Chrome Beta
+          - bytes: BA 46 26 DD 07 37 F8 4B B9 A7 03 86 91 A6 8F C2 = CLSID for Google Chrome Beta
+          - substring: "{DD2646BA-3707-4BF8-B9A7-038691A68FC2}"
+            description: CLSID for Google Chrome Beta
+        - 2 or more:
+          - bytes: 6B A2 2A BB 3A 34 72 40 8B 6F 80 55 7B 8C E5 71 = IID for Google Chrome Dev
+          - bytes: A5 DC 7F DA AA 2C 37 46 AA 17 07 40 58 4D E7 DA = CLSID for Google Chrome Dev
+          - substring: "{DA7FDCA5-2CAA-4637-AA17-0740584DE7DA}"
+            description: CLSID for Google Chrome Dev
+        - 2 or more:
+          - bytes: 41 E0 7C 4F E9 28 4F 48 9D D0 61 A8 CA CE FE E4 = IID for Google Chrome Canary
+          - bytes: 72 28 4C 70 49 20 5E 43 A4 69 0A 53 43 13 C4 2B = CLSID for Google Chrome Canary
+          - substring: "{704C2872-2049-435E-A469-0A534313C42B}"
+            description: CLSID for Google Chrome Canary
+        - 2 or more:
+          # untested
+          - bytes: 07 B8 C2 C9 31 77 34 4F 81 B7 44 FF 77 79 52 2B = IID for Microsoft Edge
+          - bytes: 6C E9 CB 1F 97 16 AF 43 91 40 28 97 C7 C6 97 67 = CLSID for Microsoft Edge
+          - substring: "{1FCBE96C-1697-43AF-9140-2897C7C69767}"
+            description: CLSID for Microsoft Edge
diff --git a/collection/get-steam-token.yml b/collection/get-steam-token.yml
@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: get Steam token
+    namespace: collection
+    authors:
+      - still@teamt5.org
+    description: locates references to Steam authentication token via the beginning of a Steam bearer token
+    scopes:
+      static: function
+      dynamic: unsupported # requires bytes feature
+    examples:
+      - 2c83f152e09d0abaa3a3784669e75276784e50e1e202d16ab27e5741eef9ab4f:0x0041718C
+  features:
+    - or:
+      - substring: "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A"
+      - substring: "eyAidHlwIjogIkpXVCIsICJ"
diff --git a/data-manipulation/encryption/create-new-key-via-cryptacquirecontext.yml b/data-manipulation/encryption/create-new-key-via-cryptacquirecontext.yml
@@ -5,8 +5,8 @@ rule:
     authors:
       - chuong.dong@mandiant.com
     scopes:
-      static: function
-      dynamic: thread
+      static: basic block
+      dynamic: call
     att&ck:
       - Defense Evasion::Obfuscated Files or Information [T1027]
     mbc:

diff --git a/host-interaction/file-system/copy/copy-file.yml b/host-interaction/file-system/copy/copy-file.yml
@@ -7,7 +7,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: call
     mbc:
       - File System::Copy File [C0045]
     examples:

diff --git a/host-interaction/file-system/move/move-file.yml b/host-interaction/file-system/move/move-file.yml
@@ -7,7 +7,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: call
     mbc:
       - File System::Move File [C0063]
     examples:

diff --git a/host-interaction/file-system/write/write-file-on-windows.yml b/host-interaction/file-system/write/write-file-on-windows.yml
@@ -7,7 +7,7 @@ rule:
       - anushka.virgaonkar@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: call
     mbc:
       - File System::Writes File [C0052]
     examples:

diff --git a/host-interaction/process/get-process-filename.yml b/host-interaction/process/get-process-filename.yml
@@ -12,17 +12,26 @@ rule:
       - Discovery::Process Discovery [T1057]
     references:
       - https://learn.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb_ldr_data
+      - https://research.openanalysis.net/rhadamanthys/config/ida/shifted%20pointers/peb/_list_entry/_ldr_data_table_entry/2023/01/19/rhadamanthys.html#PEB-Walk-_LDR_DATA_TABLE_ENTRY-and-Shifted-Pointers-in-IDA
     examples:
       - cb948b13a5046a692ec3ed8cc16a9566:0x140013ee2
   features:
-    - and:
-      # example:
-      # mov     rax, gs:60h     ; TEB.ProcessEnvironmentBlock
-      # mov     rcx, [rax+18h]  ; PEB64.Ldr
-      # mov     rax, [rcx+20h]  ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
-      # mov     rcx, [rax+50h]  ; LDR_DATA_TABLE_ENTRY.FullDllName.Buffer
-      - arch: amd64
-      - characteristic: peb access
-      - offset: 0x18 = PEB->Ldr
-      - offset: 0x20 = PEB->Ldr->InMemoryOrderModuleList->Flink
-      - offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->FullDllName
+    - or:
+      - and:
+        - arch: i386
+        - characteristic: peb access
+        - offset: 0x0C = PEB->Ldr
+        - offset: 0x14 = PEB->Ldr->InMemoryOrderModuleList->Flink
+        - offset: 0x28 = PEB->Ldr->InMemoryOrderModuleList->Flink->BaseDllName.Buffer
+
+      - and:
+        # example:
+        # mov     rax, gs:60h     ; TEB.ProcessEnvironmentBlock
+        # mov     rcx, [rax+18h]  ; PEB64.Ldr
+        # mov     rax, [rcx+20h]  ; PEB_LDR_DATA.InMemoryOrderModuleList.Flink
+        # mov     rcx, [rax+50h]  ; LDR_DATA_TABLE_ENTRY.BaseDllName.Buffer
+        - arch: amd64
+        - characteristic: peb access
+        - offset: 0x18 = PEB->Ldr
+        - offset: 0x20 = PEB->Ldr->InMemoryOrderModuleList->Flink
+        - offset: 0x50 = PEB->Ldr->InMemoryOrderModuleList->Flink->BaseDllName.Buffer
diff --git a/host-interaction/registry/create/set-registry-value.yml b/host-interaction/registry/create/set-registry-value.yml
@@ -7,7 +7,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: thread
+      dynamic: call
     mbc:
       - Operating System::Registry::Set Registry Key [C0036.001]
     examples:

diff --git a/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml b/host-interaction/wmi/connect-to-wmi-namespace-via-wbemlocator.yml
@@ -7,26 +7,40 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: unsupported  # requires offset, bytes features
+      dynamic: call
     att&ck:
       - Execution::Windows Management Instrumentation [T1047]
     examples:
       - al-khaser_x64.exe_:0x14001956e
       - al-khaser_x86.exe_:0x00445270
   features:
-    - and:
-      - basic block:
-        - and:
-          - api: ole32.CoCreateInstance
-          - com/class: WbemLocator  # 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
-          - com/interface: IWbemLocator  # 87 A6 12 DC 7F 73 CF 11 88 4D 00 AA 00 4B 2E 24 = IID_IWbemLocator
-      - or:
-        - and:
-          - arch: i386
-          - offset: 0xC = ppv->ConnectServer
-        - and:
-          - arch: amd64
-          - offset: 0x18 = ppv->ConnectServer
-      - optional:
-        - string: /ROOT\\CIMV2/i
-        - string: /ROOT\\DEFAULT/i
+    - or:
+      - call:
+        - description: dynamic detection rule
+        - or:
+          - and:
+            - api: ole32.CoCreateInstance
+            - com/class: WbemLocator  # 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
+          - and:
+            - match: host-interaction/process/create
+            - or:
+              - string: /wmic(|\.exe) /i
+              - string: /Register-WMIEvent /i
+      - and:
+        - description: static detection rule
+        - basic block:
+          - and:
+            - api: ole32.CoCreateInstance
+            - com/class: WbemLocator  # 11 F8 90 45 3A 1D D0 11 89 1F 00 AA 00 4B 2E 24 = CLSID_WbemLocator
+            - com/interface: IWbemLocator  # 87 A6 12 DC 7F 73 CF 11 88 4D 00 AA 00 4B 2E 24 = IID_IWbemLocator
+        - basic block:
+          - or:
+            - and:
+              - arch: i386
+              - offset: 0xC = ppv->ConnectServer
+            - and:
+              - arch: amd64
+              - offset: 0x18 = ppv->ConnectServer
+        - optional:
+          - string: /ROOT\\CIMV2/i
+          - string: /ROOT\\DEFAULT/i
diff --git a/linking/runtime-linking/access-peb-ldr_data.yml b/linking/runtime-linking/access-peb-ldr_data.yml
@@ -10,7 +10,7 @@ rule:
     att&ck:
       - Execution::Shared Modules [T1129]
     references:
-      - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb_ldr_data.htm
+      - https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/ntpsapi_x/peb_ldr_data.htm
       - https://github.com/d35ha/CallObfuscator/blob/5834aff9ff4511f1408ae4ce80b79737af4ae77b/ShellCode/shell_x64.asm#L8
     examples:
       - 3FDFB2D522E7DEECAAAF2F87420F7E75:0x4117B7

diff --git a/linking/static/touchsocket/linked-against-touchsocket.yml b/linking/static/touchsocket/linked-against-touchsocket.yml
@@ -0,0 +1,27 @@
+rule:
+  meta:
+    name: linked against TouchSocket
+    namespace: linking/static/touchsocket
+    authors:
+      - still@teamt5.org
+    description: TouchSocket is a .NET networking library, supporting a wide variety of protocol types such as WebSocket, RPC, DMTP, Modbus, and more.
+    scopes:
+      static: file
+      dynamic: file
+    references:
+      - https://github.com/RRQM/TouchSocket/
+      - https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html
+    examples:
+      - 684cc28e6a7fbd12f23dbc563f06306555ebb870bd727ad60839d4ff26e7f3b2
+  features:
+    - and:
+      - or:
+        - match: compiled to the .NET platform
+        - match: compiled with .NET AoT
+      - 3 or more:
+        - substring: "TouchSocket"
+        - substring: "TouchSocket.Core"
+        - substring: "TouchSocket.Dmtp"
+        - substring: "TouchSocket.Modbus"
+        - substring: "BinarySerialize"
+        - substring: "BinaryDeserialize"