Add rules for various stealer techniques #960
Merged
mr-tz merged 6 commits into mandiant:master from Still34:patches/add-stealer-techniques, Nov 15, 2024
+91 −0
Changes from 2 commits
Commits
6 commits
00dbe61 Add rules for various stealer techniques (Still34)
c11d9d8 Add bytes and replace string with substring (Still34)
1aed358 Fix scope for get-steam-token (Still34)
e3e84b8 Add Microsoft Edge in IID/CLSID detection & rename rule to broaden sc… (Still34)
ffe6dd6 Remove bytes representation of the string as substring supersedes it (Still34)
13062aa Replace string with substring for Steam token rule (Still34)
@@ -0,0 +1,25 @@ | ||
rule: | ||
meta: | ||
name: get Chrome CookieMonster | ||
namespace: collection/browser | ||
authors: | ||
- still@teamt5.org | ||
description: finds sections related to Chrome's CookieMonster component, typically used in conjunction with code that dumps cookies from Chromium-based browsers | ||
scopes: | ||
static: file | ||
dynamic: process | ||
att&ck: | ||
- Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003] | ||
references: | ||
- https://github.com/Meckazin/ChromeKatz/blob/main/CookieKatz-BOF/CookieKatzBOF.cpp | ||
examples: | ||
- 79f5cabff898d60cd614e7254d409d9c2e05184416e5c54201e2dc216998d28b:0x117D | ||
features: | ||
- and: | ||
- substring: "network.mojom.NetworkService" # process with CookieMonster | ||
- or: | ||
- substring: "chrome.dll" | ||
- substring: "chrome.exe" | ||
- substring: "msedge.exe" | ||
- substring: "msedgewebview2.exe" | ||
- substring: "msedge.dll" |
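Review bot: `scopes.static: file` is combined with an example that carries a function offset (`:0x117D`); at file scope capa evaluates the features over the whole file, so the offset carries no information for this rule. Either drop `:0x117D`, or, if all five substrings are referenced from that one function, narrow `static:` to `function` so the example actually pins the match. It is also worth saying in the description that `chrome.exe`/`msedge.exe` next to the `network.mojom.NetworkService` interface name will show up in benign tooling that inspects browser processes, so a hit is a collection hint to be read together with other rules rather than a stealer verdict on its own.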
@@ -0,0 +1,44 @@ | ||
rule: | ||
meta: | ||
name: get Chrome elevation service | ||
namespace: collection/browser | ||
authors: | ||
- still@teamt5.org | ||
description: finds strings/identifiers related to Chrome Elevation Service, typically used in conjunction with retrieving App-bound Encryption related key | ||
scopes: | ||
static: function | ||
dynamic: unsupported # requires bytes features | ||
att&ck: | ||
- Credential Access::Exploitation for Credential Access [T1212] | ||
- Credential Access::Credentials from Password Stores::Credentials from Web Browsers [T1555.003] | ||
references: | ||
- https://gist.github.com/snovvcrash/caded55a318bbefcb6cc9ee30e82f824 | ||
- https://chromium.googlesource.com/chromium/src/+/HEAD/chrome/install_static/install_util_unittest.cc | ||
examples: | ||
- fb690a23b66d4f90dac83f1b4d6dec0074aff68d6ef62c2613120bd4d17cfbdd:0x14006E8C0 | ||
features: | ||
- and: | ||
- optional: | ||
- string: "APPB" | ||
description: prefix for App-bound Encryption encrypted credentials | ||
- or: | ||
- 2 or more: | ||
- bytes: CF BE 3A 46 0D 41 7F 40 8A F5 0D F3 5A 00 5C C8 = IID for Google Chrome | ||
- bytes: E0 60 88 70 41 F6 11 46 88 95 7D 86 7D D3 67 5B = CLSID for Google Chrome | ||
- substring: "{708860E0-F641-4611-8895-7D867DD3675B}" | ||
description: CLSID for Google Chrome | ||
- 2 or more: | ||
- bytes: 66 1D 72 A2 6E 37 2F 4D 9F 0F 90 70 E9 A4 2B 5F = IID for Google Chrome Beta | ||
- bytes: BA 46 26 DD 07 37 F8 4B B9 A7 03 86 91 A6 8F C2 = CLSID for Google Chrome Beta | ||
- substring: "{DD2646BA-3707-4BF8-B9A7-038691A68FC2}" | ||
description: CLSID for Google Chrome Beta | ||
- 2 or more: | ||
- bytes: 6B A2 2A BB 3A 34 72 40 8B 6F 80 55 7B 8C E5 71 = IID for Google Chrome Dev | ||
- bytes: A5 DC 7F DA AA 2C 37 46 AA 17 07 40 58 4D E7 DA = CLSID for Google Chrome Dev | ||
- substring: "{DA7FDCA5-2CAA-4637-AA17-0740584DE7DA}" | ||
description: CLSID for Google Chrome Dev | ||
- 2 or more: | ||
- bytes: 41 E0 7C 4F E9 28 4F 48 9D D0 61 A8 CA CE FE E4 = IID for Google Chrome Canary | ||
- bytes: 72 28 4C 70 49 20 5E 43 A4 69 0A 53 43 13 C4 2B = CLSID for Google Chrome Canary | ||
- substring: "{704C2872-2049-435E-A469-0A534313C42B}" | ||
description: CLSID for Google Chrome Canary |
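Review bot: in each `2 or more:` block the `bytes:` CLSID and the `substring:` CLSID are the same identifier in two encodings (for Google Chrome, `E0 60 88 70 41 F6 11 46 88 95 7D 86 7D D3 67 5B` is the little-endian COM layout of `{708860E0-F641-4611-8895-7D867DD3675B}`), so the threshold can be met by a single CLSID seen in both forms with no IID present, while the case the description targets, the IID plus one CLSID form, is what the count is really standing in for. That intent reads more clearly and matches more strictly as `- and:` over the IID `bytes:` and an `- or:` over the two CLSID encodings, repeated per channel. The `optional:` block with `string: "APPB"` does not influence matching and is fine as explanatory context, but note that `string:` is an exact match, so it will only fire where the four-character prefix is extracted as a standalone string.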
@@ -0,0 +1,17 @@ | ||
rule: | ||
meta: | ||
name: get Steam token | ||
namespace: collection | ||
authors: | ||
- still@teamt5.org | ||
description: locates references to Steam authentication token via the beginning of a Steam bearer token | ||
scopes: | ||
static: file | ||
dynamic: unsupported # requires bytes feature | ||
examples: | ||
- 2c83f152e09d0abaa3a3784669e75276784e50e1e202d16ab27e5741eef9ab4f:0x0041718C | ||
features: | ||
- or: | ||
- bytes: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A | ||
- string: "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A" | ||
- substring: "eyAidHlwIjogIkpXVCIsICJ" |
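Review bot: the `string: "65 79 41 69 64 48 6C 77 ..."` feature matches the literal hex text, not the bytes it spells out, so it can never fire on a real sample and should be dropped. The other two features are the same 23-byte value in two forms (`65 79 41 69 ...` is ASCII `eyAidHlwIjogIkpXVCIsICJ`), so `substring:` already covers every case where the prefix is extracted as a string and `bytes:` only adds the case where it is not; if `bytes:` goes, the `dynamic: unsupported # requires bytes feature` comment no longer holds and the dynamic scope can be revisited. Also worth stating in the description that the prefix is base64 of `{ "typ": "JWT", "` with that exact whitespace, so code that builds or compares the header without the spaces will not match, and that the example offset `0x0041718C` is meaningless at `static: file` scope (the later "Fix scope for get-steam-token" commit looks like the right fix).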
consider using com/* features for GUIDs, described here: https://github.com/mandiant/capa-rules/blob/f880b13f08b2b3f603e41b87c999600d71a41e78/doc/format.md#com
Do I just do something like
com/class: <class_name> # E0 60 88 70 41 F6 11 46 88 95 7D 86 7D D3 67 5B = CLSID for Google Chrome
?
yup, that's the right idea. And the comment is strictly for humans, it isn't parsed into the rule - we use a built-in database of GUIDs.
...which may be a problem since I think it's only MS Windows COM entries, and may not include the Chrome entries. I'd be curious to hear what happens if you try.
yeaah I don't think that'll work then
I guess to fix it someone will have to PR over here https://github.com/mandiant/capa/blob/e8ad2072458568149697a856d6e83490b2ecdaa9/capa/features/com/classes.py ?
correct, for this PR we can proceed using the bytes
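Since the thread settles on plain `bytes:` features, here is a check, added as an example and not code from the PR or from capa, that each CLSID `bytes:` line in the elevation-service rule is the little-endian COM encoding of the `substring:` GUID beside it, and that recovers the text form of the IIDs the rule lists only as bytes. The GUID values are copied from the rule above; the conversion relies on the standard library's `uuid.bytes_le`, which is the COM GUID byte layout.

```python
import uuid

def guid_to_capa_bytes(guid: str) -> str:
    """Render a {GUID} string as the hex list a capa `bytes:` feature expects.
    COM stores Data1/Data2/Data3 little-endian and Data4 as-is; that is bytes_le."""
    return " ".join(f"{b:02X}" for b in uuid.UUID(guid).bytes_le)

def capa_bytes_to_guid(hexlist: str) -> str:
    """Inverse: turn a 16-byte capa `bytes:` value back into {GUID} form."""
    raw = bytes.fromhex(hexlist.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError(f"a GUID is exactly 16 bytes, got {len(raw)}")
    return "{" + str(uuid.UUID(bytes_le=raw)).upper() + "}"

# Per-channel CLSIDs copied from the rule under review: substring form beside bytes form.
RULE_CLSIDS = {
    "Google Chrome": ("{708860E0-F641-4611-8895-7D867DD3675B}",
                      "E0 60 88 70 41 F6 11 46 88 95 7D 86 7D D3 67 5B"),
    "Google Chrome Beta": ("{DD2646BA-3707-4BF8-B9A7-038691A68FC2}",
                           "BA 46 26 DD 07 37 F8 4B B9 A7 03 86 91 A6 8F C2"),
    "Google Chrome Dev": ("{DA7FDCA5-2CAA-4637-AA17-0740584DE7DA}",
                          "A5 DC 7F DA AA 2C 37 46 AA 17 07 40 58 4D E7 DA"),
    "Google Chrome Canary": ("{704C2872-2049-435E-A469-0A534313C42B}",
                             "72 28 4C 70 49 20 5E 43 A4 69 0A 53 43 13 C4 2B"),
}

# IIDs the rule lists only in bytes form (also copied from the rule).
RULE_IIDS = {
    "Google Chrome": "CF BE 3A 46 0D 41 7F 40 8A F5 0D F3 5A 00 5C C8",
    "Google Chrome Beta": "66 1D 72 A2 6E 37 2F 4D 9F 0F 90 70 E9 A4 2B 5F",
    "Google Chrome Dev": "6B A2 2A BB 3A 34 72 40 8B 6F 80 55 7B 8C E5 71",
    "Google Chrome Canary": "41 E0 7C 4F E9 28 4F 48 9D D0 61 A8 CA CE FE E4",
}

def verify_rule_pairs(pairs=RULE_CLSIDS) -> dict:
    """True per channel when the bytes line encodes the same GUID as the substring line."""
    return {name: guid_to_capa_bytes(g) == b for name, (g, b) in pairs.items()}

def decode_rule_iids(iids=RULE_IIDS) -> dict:
    """Recover the {GUID} text of each IID so it can be searched in source or a GUID database."""
    return {name: capa_bytes_to_guid(b) for name, b in iids.items()}

if __name__ == "__main__":
    for name, ok in verify_rule_pairs().items():
        print(f"{name}: CLSID bytes/substring {'agree' if ok else 'DISAGREE'}")
    for name, iid in decode_rule_iids().items():
        print(f"{name}: IID {iid}")
```

The same round trip is what a rule author needs when a GUID is only known in one form, or when checking that a bytes feature really is the GUID its comment claims.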