[ENH] Refactor format in capa/features/extractors/dotnetfile.py #2024

Merged
merged 6 commits into from
Mar 20, 2024

Conversation

samadpls (Contributor) commented Mar 7, 2024

Changed format order for .NET files
closes #2022

Checklist

  • No CHANGELOG update needed
  • No new tests needed
  • No documentation update needed

mike-hunhoff (Collaborator) left a comment

Looks good @samadpls . Please verify that the -vv output from capa's standalone tool lists .NET as the format in the metadata section by posting the output here. You can use one of the .NET samples from capa/test-files.

github-actions bot left a comment

Please add bug fixes, new features, breaking changes and anything else you think is worthwhile mentioning to the master (unreleased) section of CHANGELOG.md. If no CHANGELOG update is needed add the following to the PR description: [x] No CHANGELOG update needed

mike-hunhoff (Collaborator) commented

@samadpls bump. Please let us know if you have any questions running capa locally against a test .NET file. Also, please add an entry to CHANGELOG.md with a short description of the PR when you get a chance.

@github-actions github-actions bot dismissed their stale review March 15, 2024 19:18

CHANGELOG updated or no update needed, thanks! 😄

samadpls (Contributor, author) commented

Hello @mike-hunhoff, while setting up locally I'm facing the following issue

capa -vv /media/samadpls/ubuntu/download/1c444ebeba24dcba8628b7dfe5fec7c6.exe_
ERROR:capa:[Errno 28] No space left on device: '/home/samadpls/.cache/capa'
ERROR:capa:Make sure your file directory contains properly formatted capa rules. You can download the standard collection of capa rules from https://github.com/mandiant/capa-rules/releases.
ERROR:capa:Please ensure you're using the rules that correspond to your major version of capa (7)
ERROR:capa:Or, for more details, see the rule set documentation here: https://github.com/mandiant/capa/blob/master/doc/rules.md

mr-tz (Collaborator) commented Mar 16, 2024

Are you out of hard-drive space?

samadpls (Contributor, author) commented Mar 16, 2024

> Looks good @samadpls . Please verify that the -vv output from capa's standalone tool lists .NET as the format in the metadata section by posting the output here. You can use one of the .NET samples from capa/test-files.

@mike-hunhoff, sorry for responding late; I was busy with academic work.
Here is the output I got after running the following command

format                  pe
...
create or open registry key (2 matches, only showing first match of library rule)
...
save image in .NET
...
full log
capa -vv -r E:\capa-rules-7.0.1\capa-rules-7.0.1  1c444ebeba24dcba8628b7dfe5fec7c6.exe
md5                     1c444ebeba24dcba8628b7dfe5fec7c6
sha1                    ebdec120fbbdbff28ebd6accc85d05f7ccabf461
sha256                  a9f9e5a30cc858dc135ec428cdd68cb06143732e5c62c4dc4b359c8abc11d74b
path                    E:/extraproj/capa/1c444ebeba24dcba8628b7dfe5fec7c6.exe
timestamp               2024-03-16 23:55:17.310730
capa version            7.0.1
os                      any
format                  pe
arch                    any
analysis                static
extractor               DnfileFeatureExtractor
base address            global
rules                   E:/capa-rules-7.0.1/capa-rules-7.0.1
function count          150
library function count  0
total feature count     4309

create or open registry key (2 matches, only showing first match of library rule)
author  [email protected], [email protected]
scope   basic block
mbc     Operating System::Registry::Create Registry Key [C0036.004], Operating System::Registry::Open Registry Key [C0036.003]
basic block @ token(0x6000062) in function token(0x6000062)
  or:
    api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000062)+0xB

save image in .NET
namespace  collection
author     [email protected]
scope      function
function @ token(0x600006D)
  and:
    api: System.Drawing.Image::Save @ token(0x600006D)+0x11
    optional:
      class: System.Drawing.Imaging.ImageFormat @ token(0x600006D)+0xC

capture screenshot
namespace  collection/screenshot
author     [email protected], @_re_fox, [email protected]
scope      function
att&ck     Collection::Screen Capture [T1113]
mbc        Collection::Screen Capture::WinAPI [E1113.m01]
function @ token(0x6000073)
  or:
    and:
      or:
        api: GetWindowDC @ token(0x6000073)+0x1
      or:
        api: BitBlt @ token(0x6000073)+0x63
      api: CreateCompatibleDC @ token(0x6000073)+0x39
      api: CreateCompatibleBitmap @ token(0x6000073)+0x43

send data (2 matches)
namespace    communication
author       [email protected], [email protected]
scope        function
mbc          Command and Control::C2 Communication::Send Data [B0030.001]
description  all known techniques for sending data to a potential C2 server
function @ token(0x6000096)
  or:
    and:
      os: windows
      or:
        match: send HTTP request @ token(0x6000096)
          or:
            api: System.Net.WebRequest::GetResponse @ token(0x6000096)+0x4D0
function @ token(0x600009B)
  or:
    and:
      os: windows
      or:
        match: send HTTP request @ token(0x600009B)
          or:
            api: System.Net.WebRequest::GetResponse @ token(0x600009B)+0x7C

set web proxy in .NET
namespace  communication/http
author     [email protected]
scope      function
function @ token(0x6000096)
  and:
    property/write: System.Net.WebRequest::Proxy @ token(0x6000096)+0x20

create HTTP request (2 matches)
namespace  communication/http/client
author     [email protected], [email protected]
scope      function
mbc        Communication::HTTP Communication::Create Request [C0002.012]
function @ token(0x6000096)
  and:
    or:
      api: System.Net.WebRequest::Create @ token(0x6000096)+0x7
function @ token(0x600009B)
  and:
    or:
      api: System.Net.WebRequest::Create @ token(0x600009B)+0x6E

receive HTTP response (2 matches)
namespace  communication/http/client
author     [email protected]
scope      function
mbc        Communication::HTTP Communication::Get Response [C0002.017]
function @ token(0x6000096)
  or:
    api: System.Net.WebRequest::GetResponse @ token(0x6000096)+0x4D0
function @ token(0x600009B)
  or:
    api: System.Net.WebRequest::GetResponse @ token(0x600009B)+0x7C

send HTTP request (2 matches)
namespace  communication/http/client
author     [email protected], [email protected]
scope      function
mbc        Communication::HTTP Communication::Send Request [C0002.003]
function @ token(0x6000096)
  or:
    api: System.Net.WebRequest::GetResponse @ token(0x6000096)+0x4D0
function @ token(0x600009B)
  or:
    api: System.Net.WebRequest::GetResponse @ token(0x600009B)+0x7C

send request in .NET
namespace  communication/http/client
author     [email protected]
scope      function
att&ck     Command and Control::Application Layer Protocol::Web Protocols [T1071.001]
mbc        Communication::HTTP Communication::Send Request [C0002.003]
function @ token(0x6000096)
  and:
    api: System.IO.Stream::Write @ token(0x6000096)+0x2B0, token(0x6000096)+0x314, token(0x6000096)+0x322, token(0x6000096)+0x341, and 8 more...
    api: System.IO.Stream::Close @ token(0x6000096)+0x435, token(0x6000096)+0x4CA, token(0x6000096)+0x4FF
    or:
      api: System.Net.WebRequest::GetRequestStream @ token(0x6000096)+0x2A0

act as TCP client
namespace  communication/tcp/client
author     [email protected], [email protected]
scope      function
mbc        Communication::Socket Communication::TCP Client [C0001.008]
function @ token(0x600008A)
  or:
    api: System.Net.Sockets.TcpClient::ctor @ token(0x600008A)+0x26

decode data using Base64 in .NET
namespace  data-manipulation/encoding/base64
author     [email protected]
scope      function
att&ck     Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
mbc        Data::Decode Data::Base64 [C0053.001]
function @ token(0x6000023)
  or:
    api: System.Convert::FromBase64String @ token(0x6000023)+0xC

encode data using Base64 (11 matches)
namespace  data-manipulation/encoding/base64
author     [email protected], [email protected], [email protected]
scope      function
att&ck     Defense Evasion::Obfuscated Files or Information [T1027]
mbc        Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02], Data::Encode Data::Base64 [C0026.001]
function @ token(0x600001B)
  or:
    api: System.Convert::ToBase64String @ token(0x600001B)+0x30
function @ token(0x6000028)
  or:
    api: System.Convert::ToBase64String @ token(0x6000028)+0x40
function @ token(0x600002C)
  or:
    api: System.Convert::ToBase64String @ token(0x600002C)+0x17
function @ token(0x600002F)
  or:
    api: System.Convert::ToBase64String @ token(0x600002F)+0x40
function @ token(0x6000034)
  or:
    api: System.Convert::ToBase64String @ token(0x6000034)+0x40
function @ token(0x6000039)
  or:
    api: System.Convert::ToBase64String @ token(0x6000039)+0x40
function @ token(0x600003E)
  or:
    api: System.Convert::ToBase64String @ token(0x600003E)+0x40
function @ token(0x6000048)
  or:
    api: System.Convert::ToBase64String @ token(0x6000048)+0x40
function @ token(0x600004E)
  or:
    api: System.Convert::ToBase64String @ token(0x600004E)+0x40
function @ token(0x6000064)
  or:
    api: System.Convert::ToBase64String @ token(0x6000064)+0x17
function @ token(0x60000A0)
  or:
    api: System.Convert::ToBase64String @ token(0x60000A0)+0x3E

hash data with MD5
namespace   data-manipulation/hashing/md5
author      [email protected], [email protected], [email protected]
scope       function
mbc         Cryptography::Cryptographic Hash::MD5 [C0029.001]
references  https://github.com/rwfpl/rewolf-x86-virtualizer/blob/master/src/test_app/main.cpp
function @ token(0x600001D)
  or:
    and:
      format: dotnet
      or:
        api: System.Security.Cryptography.MD5::Create @ token(0x600001D)+0x0
      optional:
        api: System.Security.Cryptography.HashAlgorithm::ComputeHash @ token(0x600001D)+0x14

manipulate console buffer
namespace   host-interaction/console
author      [email protected], [email protected]
scope       function
mbc         Operating System::Console [C0033]
references  https://stackoverflow.com/a/15770935/87207
function @ token(0x600009B)
  or:
    api: System.Console::WriteLine @ token(0x600009B)+0x2C

get common file path
namespace  host-interaction/file-system
author     [email protected], [email protected], [email protected]
scope      function
att&ck     Discovery::File and Directory Discovery [T1083]
mbc        Discovery::File and Directory Discovery [E1083]
function @ token(0x6000069)
  or:
    api: System.Environment::GetFolderPath @ token(0x6000069)+0x3

create directory (2 matches)
namespace  host-interaction/file-system/create
author     [email protected], [email protected]
scope      function
mbc        File System::Create Directory [C0046]
function @ token(0x600003A)
  or:
    api: System.IO.Directory::CreateDirectory @ token(0x600003A)+0x6
function @ token(0x600006B)
  or:
    api: System.IO.Directory::CreateDirectory @ token(0x600006B)+0x13

delete directory
namespace  host-interaction/file-system/delete
author     [email protected], [email protected]
scope      function
mbc        File System::Delete Directory [C0048]
function @ token(0x6000035)
  or:
    api: System.IO.Directory::Delete @ token(0x6000035)+0x7

delete file
namespace  host-interaction/file-system/delete
author     [email protected], [email protected]
scope      function
mbc        File System::Delete File [C0047]
function @ token(0x6000030)
  or:
    api: System.IO.File::Delete @ token(0x6000030)+0x6

check if directory exists
namespace  host-interaction/file-system/exists
author     [email protected]
scope      function
att&ck     Discovery::File and Directory Discovery [T1083]
function @ token(0x600006B)
  or:
    api: System.IO.Directory::Exists @ token(0x600006B)+0x6

check if file exists
namespace  host-interaction/file-system/exists
author     [email protected], [email protected]
scope      function
att&ck     Discovery::File and Directory Discovery [T1083]
mbc        Discovery::File and Directory Discovery [E1083]
function @ token(0x600009B)
  or:
    api: System.IO.File::Exists @ token(0x600009B)+0x52

enumerate files in .NET (2 matches)
namespace   host-interaction/file-system/files/list
author      [email protected], [email protected]
scope       function
att&ck      Discovery::File and Directory Discovery [T1083]
mbc         Discovery::File and Directory Discovery [E1083]
references  https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b163f873a41b
function @ token(0x600002A)
  or:
    api: System.IO.DirectoryInfo::GetDirectories @ token(0x600002A)+0x6
function @ token(0x600002B)
  or:
    api: System.IO.DirectoryInfo::GetFiles @ token(0x600002B)+0x6

get file size (2 matches)
namespace  host-interaction/file-system/meta
author     [email protected], [email protected]
scope      function
att&ck     Discovery::File and Directory Discovery [T1083]
mbc        Discovery::File and Directory Discovery [E1083]
function @ token(0x600002B)
  or:
    property/read: System.IO.FileInfo::Length @ token(0x600002B)+0x40
function @ token(0x6000096)
  or:
    property/read: System.IO.FileInfo::Length @ token(0x6000096)+0x257

create a process with modified I/O handles and window
namespace   host-interaction/process/create
author      [email protected], [email protected]
scope       function
mbc         Process::Create Process [C0017]
references  https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa
function @ token(0x6000081)
  or:
    and:
      api: System.Diagnostics.Process::Start @ token(0x6000081)+0xB2
      or:
        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000081)+0x7A
        property/write: System.Diagnostics.ProcessStartInfo::WorkingDirectory @ token(0x6000081)+0x96
        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000081)+0x4A
        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000081)+0x86
        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000081)+0x62
        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardInput @ token(0x6000081)+0x56

create process on Windows (2 matches)
namespace  host-interaction/process/create
author     [email protected]
scope      basic block
mbc        Process::Create Process [C0017]
basic block @ token(0x6000044) in function token(0x6000044)
  or:
    api: System.Diagnostics.Process::Start @ token(0x6000044)+0x6
basic block @ token(0x6000081) in function token(0x6000081)
  or:
    api: System.Diagnostics.Process::Start @ token(0x6000081)+0xB2

query or enumerate registry key (2 matches)
namespace  host-interaction/registry
author     [email protected]
scope      function
att&ck     Discovery::Query Registry [T1012]
mbc        Operating System::Registry::Query Registry Key [C0036.005]
function @ token(0x6000062)
  and:
    optional:
      match: create or open registry key @ token(0x6000062)
        or:
          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000062)+0xB
    or:
      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000062)+0xB
function @ token(0x6000063)
  and:
    optional:
      match: create or open registry key @ token(0x6000063)
        or:
          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000063)+0x1E
    or:
      api: Microsoft.Win32.RegistryKey::GetSubKeyNames @ token(0x6000063)+0x6
      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000063)+0x1E

query or enumerate registry value
namespace  host-interaction/registry
author     [email protected], [email protected], [email protected]
scope      function
att&ck     Discovery::Query Registry [T1012]
mbc        Operating System::Registry::Query Registry Value [C0036.006]
function @ token(0x6000063)
  and:
    optional:
      match: create or open registry key @ token(0x6000063)
        or:
          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000063)+0x1E
    or:
      api: Microsoft.Win32.RegistryKey::GetValue @ token(0x6000063)+0x45, token(0x6000063)+0x5D, token(0x6000063)+0x75, token(0x6000063)+0x8D

create thread (6 matches)
namespace  host-interaction/thread/create
author     [email protected], [email protected], [email protected], [email protected]
scope      basic block
mbc        Process::Create Thread [C0038]
basic block @ token(0x6000081) in function token(0x6000081)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000081)+0xE0, token(0x6000081)+0x10D
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000081)+0xCA, token(0x6000081)+0xF7
basic block @ token(0x6000087) in function token(0x6000087)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000087)+0x4A
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000087)+0x3A
basic block @ token(0x600008C) in function token(0x600008C)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x600008C)+0x54
      optional:
        api: System.Threading.Thread::ctor @ token(0x600008C)+0x2F
basic block @ token(0x6000094) in function token(0x6000094)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000094)+0x41
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000094)+0x30
basic block @ token(0x6000095) in function token(0x6000095)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000095)+0x41
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000095)+0x30
basic block @ token(0x600009A) in function token(0x600009A)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x600009A)+0x50
      optional:
        api: System.Threading.Thread::ctor @ token(0x600009A)+0x30

suspend thread (5 matches)
namespace  host-interaction/thread/suspend
author     [email protected], [email protected]
scope      basic block
mbc        Process::Suspend Thread [C0055]
basic block @ token(0x6000084) in function token(0x6000084)
  or:
    api: System.Threading.Thread::Sleep @ token(0x6000084)+0x78, token(0x6000084)+0x85
basic block @ token(0x6000085) in function token(0x6000085)
  or:
    api: System.Threading.Thread::Sleep @ token(0x6000085)+0x78, token(0x6000085)+0x85
basic block @ token(0x600008A) in function token(0x600008A)
  or:
    api: System.Threading.Thread::Sleep @ token(0x600008A)+0x5, token(0x600008A)+0xBB, token(0x600008A)+0x11D, token(0x600008A)+0x126      
basic block @ token(0x600008F) in function token(0x600008F)
  or:
    api: System.Threading.Thread::Sleep @ token(0x600008F)+0x1
basic block @ token(0x6000091) in function token(0x6000091)
  or:
    api: System.Threading.Thread::Sleep @ token(0x6000091)+0x69

unmanaged call (2 matches)
namespace    runtime
author       [email protected]
scope        function
description  managed code calls unmanaged (native) code, often seen in .NET
function @ token(0x6000072)
  or:
    characteristic: unmanaged call @ token(0x6000072)+0x1
function @ token(0x6000073)
  or:
    characteristic: unmanaged call @ token(0x6000073)+0x1, token(0x6000073)+0x12, token(0x6000073)+0x39, token(0x6000073)+0x43, and 6 more...

compiled to the .NET platform
namespace  runtime/dotnet
author     [email protected]
scope      file
or:
  format: dotnet

samadpls (Contributor, author) commented

> Are you out of hard-drive space?

Hi @mr-tz , thanks for noticing. Yes, I noticed that my cache was full somehow, so I ran it on Windows and got the log

mike-hunhoff (Collaborator) commented Mar 18, 2024

>> Looks good @samadpls . Please verify that the -vv output from capa's standalone tool lists .NET as the format in the metadata section by posting the output here. You can use one of the .NET samples from capa/test-files.
>
> @mike-hunhoff, sorry for responding late; I was busy with academic work. Here is the output I got after running the following command
>
> format                  pe
> ...
> create or open registry key (2 matches, only showing first match of library rule)
> ...
> save image in .NET
> ...
>
> full log
>
> capa -vv -r E:\capa-rules-7.0.1\capa-rules-7.0.1  1c444ebeba24dcba8628b7dfe5fec7c6.exe
> md5                     1c444ebeba24dcba8628b7dfe5fec7c6
> sha1                    ebdec120fbbdbff28ebd6accc85d05f7ccabf461
> sha256                  a9f9e5a30cc858dc135ec428cdd68cb06143732e5c62c4dc4b359c8abc11d74b
> path                    E:/extraproj/capa/1c444ebeba24dcba8628b7dfe5fec7c6.exe
> timestamp               2024-03-16 23:55:17.310730
> capa version            7.0.1
> os                      any
> format                  pe
> arch                    any
> analysis                static
> extractor               DnfileFeatureExtractor
> base address            global
> rules                   E:/capa-rules-7.0.1/capa-rules-7.0.1
> function count          150
> library function count  0
> total feature count     4309
>
> [...]

Thank you for providing the output. Following the changes you've made in this PR, I'd expect capa's output to list format: dotnet, not format: pe, e.g. expected output for a .NET file:

capa -vv -r E:\capa-rules-7.0.1\capa-rules-7.0.1  1c444ebeba24dcba8628b7dfe5fec7c6.exe
md5                     1c444ebeba24dcba8628b7dfe5fec7c6
sha1                    ebdec120fbbdbff28ebd6accc85d05f7ccabf461
sha256                  a9f9e5a30cc858dc135ec428cdd68cb06143732e5c62c4dc4b359c8abc11d74b
path                    E:/extraproj/capa/1c444ebeba24dcba8628b7dfe5fec7c6.exe
timestamp               2024-03-16 23:55:17.310730
capa version            7.0.1
os                      any
format                  dotnet
arch                    any
[...]

I'm unsure, based solely on the output of the command, whether you're running the existing capa standalone tool or capa with the changes that you've made in this PR. Can you confirm that you have installed capa locally for development and that you are running capa with the changes that you've made in this PR?
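The property behind the expectation above, as an added example that is not part of this PR and not capa's own code: a .NET assembly is a regular PE whose optional header carries a non-empty CLR runtime header (data directory slot 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), so both the "pe" and the "dotnet" labels apply to it, and a tool that prints a single format line has to put the more specific label first. The dependency-free parser below does exactly that over minimal PE images it constructs itself; the `build_pe` helper and the RVA value it writes are illustrative, and `file_formats` is a stand-in for the ordering fixed in capa/features/extractors/dotnetfile.py, not that file's logic.

```python
"""Minimal .NET-vs-PE format classifier (added example, not capa's code).

A managed assembly is a PE whose optional header has a non-empty
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (data directory slot 14) pointing at
the CLR runtime header. file_formats() returns every applicable label,
most specific first, which is the ordering a single "format" metadata
line depends on. The images it is demonstrated on are constructed in
memory by build_pe(); their RVA/size values are illustrative.
"""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
DIRECTORY_ENTRY_SIZE = 8  # VirtualAddress (4 bytes) + Size (4 bytes)


def file_formats(data: bytes) -> list:
    """Return ["dotnet", "pe"], ["pe"] or [] for the given image bytes."""
    try:
        if data[:2] != b"MZ":
            return []
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return []
        # IMAGE_FILE_HEADER is 20 bytes; the optional header follows it.
        opt = e_lfanew + 4 + 20
        (magic,) = struct.unpack_from("<H", data, opt)
    except struct.error:
        return []

    # NumberOfRvaAndSizes and the data directory array sit at different
    # offsets in PE32 and PE32+ optional headers.
    if magic == PE32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = opt + 108, opt + 112
    else:
        return []

    formats = ["pe"]
    try:
        (num_dirs,) = struct.unpack_from("<I", data, count_off)
        if num_dirs > CLR_DIRECTORY_INDEX:
            entry = dirs_off + CLR_DIRECTORY_INDEX * DIRECTORY_ENTRY_SIZE
            rva, size = struct.unpack_from("<II", data, entry)
            if rva and size:
                # The more specific format goes first: that is the label a
                # single "format" metadata field should report.
                formats.insert(0, "dotnet")
    except struct.error:
        pass  # truncated optional header: treat as a native PE
    return formats


def reported_format(data: bytes) -> str:
    """The single label a tool with one 'format' output line would print."""
    formats = file_formats(data)
    return formats[0] if formats else "unknown"


def build_pe(clr_header: bool, pe32plus: bool = False) -> bytes:
    """Construct a headers-only PE image for demonstration (no sections)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    if pe32plus:
        machine, magic, dir_start = 0x8664, PE32PLUS_MAGIC, 112
    else:
        machine, magic, dir_start = 0x14C, PE32_MAGIC, 96
    num_dirs = 16
    opt_size = dir_start + num_dirs * DIRECTORY_ENTRY_SIZE
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dir_start - 4, num_dirs)
    if clr_header:
        # Illustrative RVA; 0x48 is sizeof(IMAGE_COR20_HEADER).
        entry = dir_start + CLR_DIRECTORY_INDEX * DIRECTORY_ENTRY_SIZE
        struct.pack_into("<II", opt, entry, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, image in [
        ("managed PE32", build_pe(clr_header=True)),
        ("managed PE32+", build_pe(clr_header=True, pe32plus=True)),
        ("native PE32", build_pe(clr_header=False)),
    ]:
        print(f"{name:14} formats={file_formats(image)} reported={reported_format(image)}")
```

Run as a script it prints the three constructed cases; the point to carry back to the PR is that a managed binary legitimately yields both labels, so whichever one an extractor emits first is the one a single-line metadata field ends up showing.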

samadpls (Contributor, author) commented

@mike-hunhoff, you were right. I was on the master branch when running the command. I apologize for the oversight.
Here is the expected log:

capa 1c444ebeba24dcba8628b7dfe5fec7c6.exe_ -vv -r ./rules/
md5                     1c444ebeba24dcba8628b7dfe5fec7c6
sha1                    ebdec120fbbdbff28ebd6accc85d05f7ccabf461
sha256                  a9f9e5a30cc858dc135ec428cdd68cb06143732e5c62c4dc4b359c8abc11d74b
path                    E:/extraproj/capa/1c444ebeba24dcba8628b7dfe5fec7c6.exe_
timestamp               2024-03-18 23:54:18.048229
capa version            7.0.1
os                      any
format                  dotnet
arch                    any
analysis                static
extractor               DnfileFeatureExtractor
base address            global
rules                   E:/extraproj/capa/rules
function count          150
library function count  0
total feature count     4309
[ .... ]
full log
capa 1c444ebeba24dcba8628b7dfe5fec7c6.exe_ -vv -r ./rules/
md5                     1c444ebeba24dcba8628b7dfe5fec7c6
sha1                    ebdec120fbbdbff28ebd6accc85d05f7ccabf461
sha256                  a9f9e5a30cc858dc135ec428cdd68cb06143732e5c62c4dc4b359c8abc11d74b
path                    E:/extraproj/capa/1c444ebeba24dcba8628b7dfe5fec7c6.exe_
timestamp               2024-03-18 23:54:18.048229
capa version            7.0.1
os                      any
format                  dotnet
arch                    any
analysis                static
extractor               DnfileFeatureExtractor
base address            global
rules                   E:/extraproj/capa/rules
function count          150
library function count  0
total feature count     4309

create or open registry key (2 matches, only showing first match of library rule)       
author  [email protected], [email protected]
scope   basic block
mbc     Operating System::Registry::Create Registry Key [C0036.004], Operating System::Registry::Open Registry Key [C0036.003]
basic block @ token(0x6000062) in function token(0x6000062)
  or:
    api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000062)+0xB

save image in .NET
namespace  collection
author     [email protected]
scope      function
function @ token(0x600006D)
  and:
    api: System.Drawing.Image::Save @ token(0x600006D)+0x11
    optional:
      class: System.Drawing.Imaging.ImageFormat @ token(0x600006D)+0xC

capture screenshot
namespace  collection/screenshot
author     [email protected], @_re_fox, [email protected]
scope      function
att&ck     Collection::Screen Capture [T1113]
mbc        Collection::Screen Capture::WinAPI [E1113.m01]
function @ token(0x6000073)
  or:
    and:
      or:
        api: GetWindowDC @ token(0x6000073)+0x1
      or:
        api: BitBlt @ token(0x6000073)+0x63
      api: CreateCompatibleDC @ token(0x6000073)+0x39
      api: CreateCompatibleBitmap @ token(0x6000073)+0x43

send data (2 matches)
namespace    communication
author       [email protected], [email protected]
scope        function
mbc          Command and Control::C2 Communication::Send Data [B0030.001]
description  all known techniques for sending data to a potential C2 server
function @ token(0x6000096)
  or:
    and:
      os: windows
      or:
        match: send HTTP request @ token(0x6000096)
          or:
            api: System.Net.WebRequest::GetResponse @ token(0x6000096)+0x4D0
function @ token(0x600009B)
  or:
    and:
      os: windows
      or:
        match: send HTTP request @ token(0x600009B)
          or:
            api: System.Net.WebRequest::GetResponse @ token(0x600009B)+0x7C

set web proxy in .NET
namespace  communication/http
author     [email protected]
scope      function
function @ token(0x6000096)
  and:
    property/write: System.Net.WebRequest::Proxy @ token(0x6000096)+0x20

create HTTP request (2 matches)
namespace  communication/http/client
author     [email protected], [email protected]
scope      function
mbc        Communication::HTTP Communication::Create Request [C0002.012]
function @ token(0x6000096)
  and:
    or:
      api: System.Net.WebRequest::Create @ token(0x6000096)+0x7
function @ token(0x600009B)
  and:
    or:
      api: System.Net.WebRequest::Create @ token(0x600009B)+0x6E

receive HTTP response (2 matches)
namespace  communication/http/client
author     [email protected]
scope      function
mbc        Communication::HTTP Communication::Get Response [C0002.017]
function @ token(0x6000096)
  or:
    api: System.Net.WebRequest::GetResponse @ token(0x6000096)+0x4D0
function @ token(0x600009B)
  or:
    api: System.Net.WebRequest::GetResponse @ token(0x600009B)+0x7C

send HTTP request (2 matches)
namespace  communication/http/client
author     [email protected], [email protected]
scope      function
mbc        Communication::HTTP Communication::Send Request [C0002.003]
function @ token(0x6000096)
  or:
    api: System.Net.WebRequest::GetResponse @ token(0x6000096)+0x4D0
function @ token(0x600009B)
  or:
    api: System.Net.WebRequest::GetResponse @ token(0x600009B)+0x7C

send request in .NET
namespace  communication/http/client
author     [email protected]
scope      function
att&ck     Command and Control::Application Layer Protocol::Web Protocols [T1071.001]
mbc        Communication::HTTP Communication::Send Request [C0002.003]
function @ token(0x6000096)
  and:
    api: System.IO.Stream::Write @ token(0x6000096)+0x2B0, token(0x6000096)+0x314, token(0x6000096)+0x322, token(0x6000096)+0x341, and 8 more...
    api: System.IO.Stream::Close @ token(0x6000096)+0x435, token(0x6000096)+0x4CA, token(0x6000096)+0x4FF
    or:
      api: System.Net.WebRequest::GetRequestStream @ token(0x6000096)+0x2A0

act as TCP client
namespace  communication/tcp/client
author     [email protected], [email protected]
scope      function
mbc        Communication::Socket Communication::TCP Client [C0001.008]
function @ token(0x600008A)
  or:
    api: System.Net.Sockets.TcpClient::ctor @ token(0x600008A)+0x26

decode data using Base64 in .NET
namespace  data-manipulation/encoding/base64
author     [email protected]
scope      function
att&ck     Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
mbc        Data::Decode Data::Base64 [C0053.001]
function @ token(0x6000023)
  or:
    api: System.Convert::FromBase64String @ token(0x6000023)+0xC

encode data using Base64 (11 matches)
namespace  data-manipulation/encoding/base64
author     [email protected], [email protected], [email protected]
scope      function
att&ck     Defense Evasion::Obfuscated Files or Information [T1027]
mbc        Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02], Data::Encode Data::Base64 [C0026.001]
function @ token(0x600001B)
  or:
    api: System.Convert::ToBase64String @ token(0x600001B)+0x30
function @ token(0x6000028)
  or:
    api: System.Convert::ToBase64String @ token(0x6000028)+0x40
function @ token(0x600002C)
  or:
    api: System.Convert::ToBase64String @ token(0x600002C)+0x17
function @ token(0x600002F)
  or:
    api: System.Convert::ToBase64String @ token(0x600002F)+0x40
function @ token(0x6000034)
  or:
    api: System.Convert::ToBase64String @ token(0x6000034)+0x40
function @ token(0x6000039)
  or:
    api: System.Convert::ToBase64String @ token(0x6000039)+0x40
function @ token(0x600003E)
  or:
    api: System.Convert::ToBase64String @ token(0x600003E)+0x40
function @ token(0x6000048)
  or:
    api: System.Convert::ToBase64String @ token(0x6000048)+0x40
function @ token(0x600004E)
  or:
    api: System.Convert::ToBase64String @ token(0x600004E)+0x40
function @ token(0x6000064)
  or:
    api: System.Convert::ToBase64String @ token(0x6000064)+0x17
function @ token(0x60000A0)
  or:
    api: System.Convert::ToBase64String @ token(0x60000A0)+0x3E

hash data with MD5
namespace   data-manipulation/hashing/md5
author      [email protected], [email protected], [email protected]
scope       function
mbc         Cryptography::Cryptographic Hash::MD5 [C0029.001]
references  https://github.com/rwfpl/rewolf-x86-virtualizer/blob/master/src/test_app/main.cpp
function @ token(0x600001D)
  or:
    and:
      format: dotnet
      or:
        api: System.Security.Cryptography.MD5::Create @ token(0x600001D)+0x0
      optional:
        api: System.Security.Cryptography.HashAlgorithm::ComputeHash @ token(0x600001D)+0x14

manipulate console buffer
namespace   host-interaction/console
author      [email protected], [email protected]
scope       function
mbc         Operating System::Console [C0033]
references  https://stackoverflow.com/a/15770935/87207
function @ token(0x600009B)
  or:
    api: System.Console::WriteLine @ token(0x600009B)+0x2C

get common file path
namespace  host-interaction/file-system
author     [email protected], [email protected], [email protected]
scope      function
att&ck     Discovery::File and Directory Discovery [T1083]
mbc        Discovery::File and Directory Discovery [E1083]
function @ token(0x6000069)
  or:
    api: System.Environment::GetFolderPath @ token(0x6000069)+0x3

create directory (2 matches)
namespace  host-interaction/file-system/create
author     [email protected], [email protected]
scope      function
mbc        File System::Create Directory [C0046]
function @ token(0x600003A)
  or:
    api: System.IO.Directory::CreateDirectory @ token(0x600003A)+0x6
function @ token(0x600006B)
  or:
    api: System.IO.Directory::CreateDirectory @ token(0x600006B)+0x13

delete directory
namespace  host-interaction/file-system/delete
author     [email protected], [email protected]
scope      function
mbc        File System::Delete Directory [C0048]
function @ token(0x6000035)
  or:
    api: System.IO.Directory::Delete @ token(0x6000035)+0x7

delete file
namespace  host-interaction/file-system/delete
author     [email protected], [email protected]
scope      function
mbc        File System::Delete File [C0047]
function @ token(0x6000030)
  or:
    api: System.IO.File::Delete @ token(0x6000030)+0x6

check if directory exists
namespace  host-interaction/file-system/exists
author     [email protected]
scope      function
att&ck     Discovery::File and Directory Discovery [T1083]
function @ token(0x600006B)
  or:
    api: System.IO.Directory::Exists @ token(0x600006B)+0x6

check if file exists
namespace  host-interaction/file-system/exists
author     [email protected], [email protected]
scope      function
att&ck     Discovery::File and Directory Discovery [T1083]
mbc        Discovery::File and Directory Discovery [E1083]
function @ token(0x600009B)
  or:
    api: System.IO.File::Exists @ token(0x600009B)+0x52

enumerate files in .NET (2 matches)
namespace   host-interaction/file-system/files/list
author      [email protected], [email protected]
scope       function
att&ck      Discovery::File and Directory Discovery [T1083]
mbc         Discovery::File and Directory Discovery [E1083]
references  https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b163f873a41b
function @ token(0x600002A)
  or:
    api: System.IO.DirectoryInfo::GetDirectories @ token(0x600002A)+0x6
function @ token(0x600002B)
  or:
    api: System.IO.DirectoryInfo::GetFiles @ token(0x600002B)+0x6

get file size (2 matches)
namespace  host-interaction/file-system/meta
author     [email protected], [email protected]
scope      function
att&ck     Discovery::File and Directory Discovery [T1083]
mbc        Discovery::File and Directory Discovery [E1083]
function @ token(0x600002B)
  or:
    property/read: System.IO.FileInfo::Length @ token(0x600002B)+0x40
function @ token(0x6000096)
  or:
    property/read: System.IO.FileInfo::Length @ token(0x6000096)+0x257

create a process with modified I/O handles and window
namespace   host-interaction/process/create
author      [email protected], [email protected]
scope       function
mbc         Process::Create Process [C0017]
references  https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa
function @ token(0x6000081)
  or:
    and:
      api: System.Diagnostics.Process::Start @ token(0x6000081)+0xB2
      or:
        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000081)+0x7A
        property/write: System.Diagnostics.ProcessStartInfo::WorkingDirectory @ token(0x6000081)+0x96
        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000081)+0x4A
        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000081)+0x86
        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000081)+0x62
        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardInput @ token(0x6000081)+0x56

create process on Windows (2 matches)
namespace  host-interaction/process/create
author     [email protected]
scope      basic block
mbc        Process::Create Process [C0017]
basic block @ token(0x6000044) in function token(0x6000044)
  or:
    api: System.Diagnostics.Process::Start @ token(0x6000044)+0x6
basic block @ token(0x6000081) in function token(0x6000081)
  or:
    api: System.Diagnostics.Process::Start @ token(0x6000081)+0xB2

query or enumerate registry key (2 matches)
namespace  host-interaction/registry
author     [email protected]
scope      function
att&ck     Discovery::Query Registry [T1012]
mbc        Operating System::Registry::Query Registry Key [C0036.005]
function @ token(0x6000062)
  and:
    optional:
      match: create or open registry key @ token(0x6000062)
        or:
          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000062)+0xB
    or:
      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000062)+0xB
function @ token(0x6000063)
  and:
    optional:
      match: create or open registry key @ token(0x6000063)
        or:
          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000063)+0x1E
    or:
      api: Microsoft.Win32.RegistryKey::GetSubKeyNames @ token(0x6000063)+0x6
      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000063)+0x1E

query or enumerate registry value
namespace  host-interaction/registry
author     [email protected], [email protected], [email protected]
scope      function
att&ck     Discovery::Query Registry [T1012]
mbc        Operating System::Registry::Query Registry Value [C0036.006]
function @ token(0x6000063)
  and:
    optional:
      match: create or open registry key @ token(0x6000063)
        or:
          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000063)+0x1E
    or:
      api: Microsoft.Win32.RegistryKey::GetValue @ token(0x6000063)+0x45, token(0x6000063)+0x5D, token(0x6000063)+0x75, token(0x6000063)+0x8D

create thread (6 matches)
namespace  host-interaction/thread/create
author     [email protected], [email protected], [email protected], [email protected]
scope      basic block
mbc        Process::Create Thread [C0038]
basic block @ token(0x6000081) in function token(0x6000081)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000081)+0xE0, token(0x6000081)+0x10D
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000081)+0xCA, token(0x6000081)+0xF7
basic block @ token(0x6000087) in function token(0x6000087)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000087)+0x4A
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000087)+0x3A
basic block @ token(0x600008C) in function token(0x600008C)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x600008C)+0x54
      optional:
        api: System.Threading.Thread::ctor @ token(0x600008C)+0x2F
basic block @ token(0x6000094) in function token(0x6000094)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000094)+0x41
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000094)+0x30
basic block @ token(0x6000095) in function token(0x6000095)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000095)+0x41
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000095)+0x30
basic block @ token(0x600009A) in function token(0x600009A)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x600009A)+0x50
      optional:
        api: System.Threading.Thread::ctor @ token(0x600009A)+0x30

suspend thread (5 matches)
namespace  host-interaction/thread/suspend
author     [email protected], [email protected]
scope      basic block
mbc        Process::Suspend Thread [C0055]
basic block @ token(0x6000084) in function token(0x6000084)
  or:
    api: System.Threading.Thread::Sleep @ token(0x6000084)+0x78, token(0x6000084)+0x85
basic block @ token(0x6000085) in function token(0x6000085)
  or:
    api: System.Threading.Thread::Sleep @ token(0x6000085)+0x78, token(0x6000085)+0x85
basic block @ token(0x600008A) in function token(0x600008A)
  or:
    api: System.Threading.Thread::Sleep @ token(0x600008A)+0x5, token(0x600008A)+0xBB, token(0x600008A)+0x11D, token(0x600008A)+0x126
basic block @ token(0x600008F) in function token(0x600008F)
  or:
    api: System.Threading.Thread::Sleep @ token(0x600008F)+0x1
basic block @ token(0x6000091) in function token(0x6000091)
  or:
    api: System.Threading.Thread::Sleep @ token(0x6000091)+0x69

unmanaged call (2 matches)
namespace    runtime
author       [email protected]
scope        function
description  managed code calls unmanaged (native) code, often seen in .NET
function @ token(0x6000072)
  or:
    characteristic: unmanaged call @ token(0x6000072)+0x1
function @ token(0x6000073)
  or:
    characteristic: unmanaged call @ token(0x6000073)+0x1, token(0x6000073)+0x12, token(0x6000073)+0x39, token(0x6000073)+0x43, and 6 more...

compiled to the .NET platform
namespace  runtime/dotnet
author     [email protected]
scope      file
or:
  format: dotnet
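
The ordering this PR changes (the linked issue asks that FORMAT_DOTNET be yielded before FORMAT_PE for .NET files, so the metadata above lists .NET as the format), as an added standalone Python example that is not capa's own code: it decides whether a PE is managed by checking the CLR runtime header entry (data directory index 14) in a constructed minimal PE header, yields the dotnet feature before the generic pe one, and shows which format a consumer that keeps only the first feature would report. The names `has_clr_header`, `extract_format_features`, `primary_format` and `build_minimal_pe`, the feature strings, and the constructed header bytes are mine, not capa's API.

```python
import struct

FORMAT_PE = "pe"
FORMAT_DOTNET = "dotnet"

# Index of the CLR runtime header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) in the
# optional header's data directory; a non-empty entry marks a managed (.NET) PE.
CLR_DIRECTORY_INDEX = 14


def has_clr_header(data: bytes) -> bool:
    """Return True if the PE's data directory points at a CLR runtime header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF file header follows the 4-byte signature; SizeOfOptionalHeader sits at +16.
    (size_of_opt,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    opt = e_lfanew + 4 + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:          # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:        # PE32+
        count_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (count,) = struct.unpack_from("<I", data, opt + count_off)
    entry_off = dirs_off + CLR_DIRECTORY_INDEX * 8
    # Old or truncated headers may not carry entry 14 at all: treat as a plain PE.
    if count <= CLR_DIRECTORY_INDEX or size_of_opt < entry_off + 8:
        return False
    rva, size = struct.unpack_from("<II", data, opt + entry_off)
    return rva != 0 and size != 0


def extract_format_features(data: bytes):
    """Yield format features most specific first: dotnet (if managed), then pe."""
    if has_clr_header(data):
        yield FORMAT_DOTNET
    yield FORMAT_PE


def primary_format(data: bytes) -> str:
    """The format a consumer that keeps only the first yielded feature reports."""
    return next(extract_format_features(data))


def build_minimal_pe(managed: bool, pe32plus: bool = False) -> bytes:
    """Constructed test input (hypothetical, not a loadable image): DOS stub, NT
    signature, COFF header and an optional header with 16 data directories."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    magic, dirs_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs_off - 4, 16)            # NumberOfRvaAndSizes
    if managed:
        # RVA and size (sizeof IMAGE_COR20_HEADER == 0x48) of the CLR header.
        struct.pack_into("<II", opt, dirs_off + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0002)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for managed in (True, False):
        sample = build_minimal_pe(managed)
        print(managed, list(extract_format_features(sample)), primary_format(sample))
```

The check deliberately treats a missing or zero-sized directory entry as "plain PE" rather than raising, because a truncated optional header is a legitimate (if unusual) PE, not a malformed one; only a missing MZ/PE signature or an unknown optional-header magic is an error.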

@samadpls samadpls requested a review from mike-hunhoff March 18, 2024 19:02
@mike-hunhoff mike-hunhoff (Collaborator) left a comment

Looking good @samadpls . One small change to add and we can merge 🚀

Review comment on CHANGELOG.md (outdated, resolved)
Co-authored-by: Mike Hunhoff <[email protected]>
@samadpls samadpls requested a review from mike-hunhoff March 19, 2024 17:07
@mike-hunhoff mike-hunhoff (Collaborator) left a comment

LGTM 🚀

@mike-hunhoff mike-hunhoff merged commit 7bc298d into mandiant:master Mar 20, 2024
25 checks passed

Successfully merging this pull request may close these issues.

dotnet: yield FORMAT_DOTNET before FORMAT_PE when processing .NET files
3 participants