
Add PlugX rule proposed in #469 #515

Merged (9 commits), Dec 20, 2021

Conversation

@Still34 (Contributor) commented Dec 13, 2021

Summary

This PR adds the first malware-specific capa rule as initially proposed in issue #469. Specifically, this PR adds the known module watermarks found in various builds of PlugX.

Signed-off-by: Still Hsu <[email protected]>
@Still34 (Contributor, Author) commented Dec 13, 2021

Per the linter, guess upstream needs to be updated to support the maec meta field.

@williballenthin (Collaborator) left a comment

looks great to me, thanks!

only one suggestion to tweak the directory path for family rules. let's use "malware-family" instead of "malware". with that change, i'll be happy to merge.

@mr-tz (Collaborator) left a comment

almost good to go, sorry for the annoyance with the little fixes

Signed-off-by: Still Hsu <[email protected]>
@Still34 (Contributor, Author) commented Dec 16, 2021

No problem. Hope the changes above are good now!

- Some samples may attempt to scrub the timestamp by replacing it with an invalid date (e.g., 0x8888888)

Signed-off-by: Still Hsu <[email protected]>
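The commit note above mentions samples that scrub the timestamp with a filler value such as 0x8888888. The following is an added example, not code from this PR or from capa itself; it assumes the timestamp in question is the COFF header TimeDateStamp of the PE image (an assumption, since the rule text is not shown here) and demonstrates how a triage script can flag zeroed, patterned, pre-1993 or future build times. The minimal PE bytes are constructed inline for the demonstration and the function and constant names are the author's own.

```python
import datetime as dt
import struct
from typing import Optional, Tuple

# Earliest plausible PE build time: the PE format shipped with Windows NT 3.1
# in 1993, so anything earlier is a scrubbed or forged TimeDateStamp.
PE_EPOCH_START = int(dt.datetime(1993, 1, 1, tzinfo=dt.timezone.utc).timestamp())
CLOCK_SLACK = 2 * 86400  # tolerate a couple of days of clock skew on the build machine


def read_pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp of a PE image given as raw bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def classify_timestamp(ts: int, now: int) -> str:
    """Label a TimeDateStamp as plausible or as one of the common scrubbing patterns."""
    if ts == 0:
        return "zeroed"
    hexdigits = f"{ts:x}"
    if len(hexdigits) >= 4 and len(set(hexdigits)) == 1:
        # e.g. 0x8888888 or 0xFFFFFFFF: a filler value, not a build date
        return "patterned"
    if ts < PE_EPOCH_START:
        return "implausible-early"
    if ts > now + CLOCK_SLACK:
        return "future"
    return "plausible"


def assess_pe(data: bytes, now: Optional[int] = None) -> Tuple[int, str]:
    """Read the timestamp from a PE image and classify it; `now` is injectable for tests."""
    if now is None:
        now = int(dt.datetime.now(dt.timezone.utc).timestamp())
    ts = read_pe_timestamp(data)
    return ts, classify_timestamp(ts, now)


def build_minimal_pe(ts: int) -> bytes:
    """Constructed sample input: DOS header, PE signature and COFF header only (no sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    # Machine=i386, NumberOfSections=0, TimeDateStamp=ts, symbol fields zero,
    # SizeOfOptionalHeader=0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, ts, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    # Fixed "now" (Nov 2023) so the output is reproducible.
    for sample_ts in (0x8888888, 0, 0x61B6C0A0, 0xFFFFFFFF):
        ts, label = assess_pe(build_minimal_pe(sample_ts), now=1_700_000_000)
        print(f"TimeDateStamp 0x{ts:08x}: {label}")
```

The patterned check runs before the range check on purpose: 0x8888888 is also earlier than 1993, but the repeated-digit filler is the stronger signal that someone overwrote the field rather than merely built on a machine with a bad clock. Run against real files with `assess_pe(open(path, "rb").read())`.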
@mr-tz (Collaborator) left a comment

final formatting issues (hopefully)

@Still34 Still34 requested a review from mr-tz December 20, 2021 12:22
@mr-tz (Collaborator) commented Dec 20, 2021

awesome, thank you very much!

@mr-tz mr-tz merged commit e2dbb34 into mandiant:master Dec 20, 2021
3 participants