Add rules for various stealer techniques #960
Conversation
Signed-off-by: Still Hsu <dev@stillu.cc>
Signed-off-by: Still Hsu <dev@stillu.cc>
Signed-off-by: Still Hsu <dev@stillu.cc>
| - bytes: CF BE 3A 46 0D 41 7F 40 8A F5 0D F3 5A 00 5C C8 = IID for Google Chrome | ||
| - bytes: E0 60 88 70 41 F6 11 46 88 95 7D 86 7D D3 67 5B = CLSID for Google Chrome | ||
| - substring: "{708860E0-F641-4611-8895-7D867DD3675B}" | ||
| description: CLSID for Google Chrome |
There was a problem hiding this comment.
consider using com/* features for GUIDs, described here:
https://github.com/mandiant/capa-rules/blob/f880b13f08b2b3f603e41b87c999600d71a41e78/doc/format.md#com
There was a problem hiding this comment.
Do I just do something like com/class: <class_name> # E0 60 88 70 41 F6 11 46 88 95 7D 86 7D D3 67 5B = CLSID for Google Chrome?
There was a problem hiding this comment.
yup, that's the right idea. And the comment is strictly for humans, it isn't parsed into the rule - we use a built in database of GUIDs.
...which may be a problem since I think it's only MS Windows COM entries, and may not include the Chome entries. I'd be curious to hear what happens if you try.
There was a problem hiding this comment.
yeaah I don't think that'll work then
There was a problem hiding this comment.
I guess to fix it someone will have to PR over here https://github.com/mandiant/capa/blob/e8ad2072458568149697a856d6e83490b2ecdaa9/capa/features/com/classes.py ?
There was a problem hiding this comment.
correct, for this PR we can proceed using the bytes
Signed-off-by: Still Hsu <dev@stillu.cc>
…ope of the target Signed-off-by: Still Hsu <dev@stillu.cc>
Signed-off-by: Still Hsu <dev@stillu.cc>
Signed-off-by: Still Hsu <dev@stillu.cc>
Summary
This PR adds three new rules spotted amongst various types of infostealers/dumping tools (Stealc, Vidar, ChromeKatz),
collection/browser/get-chrome-cookiemonster.ymlcollection/browser/get-chrome-elevation-service.ymlcollection/get-steam-token.yml