diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml
index 32fc1d127..f34ad103f 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-beingdebugged-flag.yml
@@ -15,5 +15,5 @@ rule:
 - Practical Malware Analysis Lab 16-01.exe_:0x403530
 features:
 - and:
- - match: PEB access
+ - match: PEB access via x86 assembly
 - offset: 2 = PEB.BeingDebugged
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag-via-x86-assembly.yml
similarity index 91%
rename from anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml
rename to anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag-via-x86-assembly.yml
index 9fbffe04e..1186cf2f3 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-peb-ntglobalflag-flag-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: check for PEB NtGlobalFlag flag
+ name: check for PEB NtGlobalFlag flag via x86 assembly
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - moritz.raabe@mandiant.com
@@ -18,7 +18,7 @@ rule:
 - and:
 - basic block:
 - and:
- - match: PEB access
+ - match: PEB access via x86 assembly
 - or:
 - and:
 - arch: i386
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception-via-x86-assembly.yml
similarity index 94%
rename from anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml
rename to anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception-via-x86-assembly.yml
index ba561e738..c27ae9a51 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-trap-flag-exception-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: check for trap flag exception
+ name: check for trap flag exception via x86 assembly
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - michael.hunhoff@mandiant.com
diff --git a/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml b/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions-via-x86-assembly.yml
similarity index 88%
rename from anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml
rename to anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions-via-x86-assembly.yml
index 573617ddf..7ba5926d5 100644
--- a/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/execute-anti-debugging-instructions-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: execute anti-debugging instructions
+ name: execute anti-debugging instructions via x86 assembly
 namespace: anti-analysis/anti-debugging/debugger-detection
 authors:
 - moritz.raabe@mandiant.com
diff --git a/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml b/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate-via-x86-assembly.yml
similarity index 95%
rename from anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml
rename to anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate-via-x86-assembly.yml
index 822f1b661..ccc8fe5bd 100644
--- a/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate.yml
+++ b/anti-analysis/anti-disasm/64-bit-execution-via-heavens-gate-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: 64-bit execution via heavens gate
+ name: 64-bit execution via heavens gate via x86 assembly
 namespace: anti-analysis/anti-disasm
 authors:
 - awillia2@cisco.com
diff --git a/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml b/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml
index cf6d86659..3104290ea 100644
--- a/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml
+++ b/anti-analysis/anti-disasm/contain-anti-disasm-techniques.yml
@@ -13,4 +13,4 @@ rule:
 - a5c70086b3bc4fe64f4e7a0aa452e620
 features:
 - or:
- - count(match(contain pusha popa sequence)): 10 or more
+ - count(match(contain pusha popa sequence via x86 assembly)): 10 or more
diff --git a/anti-analysis/packer/generic/packed-with-generic-packer.yml b/anti-analysis/packer/generic/packed-with-generic-packer.yml
index f388bfddc..55f3d2a40 100644
--- a/anti-analysis/packer/generic/packed-with-generic-packer.yml
+++ b/anti-analysis/packer/generic/packed-with-generic-packer.yml
@@ -23,4 +23,4 @@ rule:
 - mnemonic: popad # vivisect
 - characteristic: cross section flow
 - not:
- - match: contain pusha popa sequence
+ - match: contain pusha popa sequence via x86 assembly
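Review bot: The renamed `+ name: 64-bit execution via heavens gate via x86 assembly` stacks two `via` qualifiers, and the same double-`via` pattern recurs in the WSAIoctl, RSA-via-embedded-library and dlsym-RTLD_NEXT renames later in this diff. Heaven's Gate is an x86-only technique by definition, so here the suffix reads as redundant rather than as the "matched on instructions rather than on an API" distinction the other renames appear to draw. If the suffix is meant to reserve room for a future API-based sibling, a wording that does not collide with the existing qualifier would keep the names greppable, e.g. `name: 64-bit execution via heavens gate (x86 assembly)`; otherwise keeping the original name for rules whose technique is inherently x86 seems cleaner. This is a naming point only; the rule bodies are unchanged in these hunks.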
diff --git a/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml b/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl-via-x86-assembly.yml
similarity index 95%
rename from communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml
rename to communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl-via-x86-assembly.yml
index d41a3040f..14cd75a51 100644
--- a/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl.yml
+++ b/communication/socket/tcp/send/obtain-transmitpackets-callback-function-via-wsaioctl-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: obtain TransmitPackets callback function via WSAIoctl
+ name: obtain TransmitPackets callback function via WSAIoctl via x86 assembly
 namespace: communication/socket/tcp/send
 authors:
 - jonathan.lepore@mandiant.com
diff --git a/data-manipulation/checksum/adler32/compute-adler32-checksum.yml b/data-manipulation/checksum/adler32/compute-adler32-checksum-via-x86-assembly.yml
similarity index 97%
rename from data-manipulation/checksum/adler32/compute-adler32-checksum.yml
rename to data-manipulation/checksum/adler32/compute-adler32-checksum-via-x86-assembly.yml
index 246e8d27a..8f4268bb0 100644
--- a/data-manipulation/checksum/adler32/compute-adler32-checksum.yml
+++ b/data-manipulation/checksum/adler32/compute-adler32-checksum-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: compute adler32 checksum
+ name: compute adler32 checksum via x86 assembly
 namespace: data-manipulation/checksum/adler32
 authors:
 - matthew.williams@mandiant.com
diff --git a/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml b/data-manipulation/encryption/hc-128/encrypt-data-using-hc-128-via-wolfssl.yml
old mode 100755
new mode 100644
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa-via-x86-assembly.yml
similarity index 97%
rename from data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml
rename to data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa-via-x86-assembly.yml
index d0a9fa269..17467f08f 100644
--- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa.yml
+++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-ksa-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: encrypt data using RC4 KSA
+ name: encrypt data using RC4 KSA via x86 assembly
 namespace: data-manipulation/encryption/rc4
 authors:
 - moritz.raabe@mandiant.com
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga-via-x86-assembly.yml
similarity index 95%
rename from data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml
rename to data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga-via-x86-assembly.yml
index 9066f37e0..699c221e9 100644
--- a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga.yml
+++ b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-prga-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: encrypt data using RC4 PRGA
+ name: encrypt data using RC4 PRGA via x86 assembly
 namespace: data-manipulation/encryption/rc4
 authors:
 - moritz.raabe@mandiant.com
diff --git a/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml b/data-manipulation/encryption/rc4/encrypt-data-using-rc4-with-custom-key-via-winapi.yml
old mode 100755
new mode 100644
diff --git a/data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml b/data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library-via-x86-assembly.yml
similarity index 95%
rename from data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml
rename to data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library-via-x86-assembly.yml
index 7599ab4ad..576966456 100644
--- a/data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml
+++ b/data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: encrypt data using RSA via embedded library
+ name: encrypt data using RSA via embedded library via x86 assembly
 namespace: data-manipulation/encryption/rsa
 authors:
 - "Ana06"
diff --git a/data-manipulation/encryption/tea/decrypt-data-using-tea.yml b/data-manipulation/encryption/tea/decrypt-data-using-tea.yml
old mode 100755
new mode 100644
diff --git a/data-manipulation/encryption/tea/encrypt-data-using-tea.yml b/data-manipulation/encryption/tea/encrypt-data-using-tea.yml
old mode 100755
new mode 100644
diff --git a/data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml b/data-manipulation/encryption/xtea/encrypt-data-using-xtea.yml
old mode 100755
new mode 100644
diff --git a/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml b/data-manipulation/encryption/xxtea/encrypt-data-using-xxtea.yml
old mode 100755
new mode 100644
diff --git a/host-interaction/hardware/cpu/get-number-of-processors.yml b/host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml
similarity index 89%
rename from host-interaction/hardware/cpu/get-number-of-processors.yml
rename to host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml
index 7499ac7c0..0fa4773ea 100644
--- a/host-interaction/hardware/cpu/get-number-of-processors.yml
+++ b/host-interaction/hardware/cpu/get-number-of-processors-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: get number of processors
+ name: get number of processors via x86 assembly
 namespace: host-interaction/hardware/cpu
 authors:
 - michael.hunhoff@mandiant.com
@@ -17,7 +17,7 @@ rule:
 features:
 - or:
 - and:
- - match: PEB access
+ - match: PEB access via x86 assembly
 - or:
 - and:
 - arch: i386
diff --git a/host-interaction/log/clfs/read-data-from-clfs-log-container.yml b/host-interaction/log/clfs/read-data-from-clfs-log-container.yml
old mode 100755
new mode 100644
diff --git a/host-interaction/process/create/create-process-on-linux.yml b/host-interaction/process/create/create-process-on-linux.yml
index 8394567ca..9a3308b5b 100644
--- a/host-interaction/process/create/create-process-on-linux.yml
+++ b/host-interaction/process/create/create-process-on-linux.yml
@@ -20,7 +20,7 @@ rule:
 - or:
 - api: execve
 - and:
- - match: execute syscall
+ - match: execute syscall via x86 assembly
 - arch: aarch64
 - number: 0xdd = execve
 - api: execl
diff --git a/host-interaction/process/get-process-filename.yml b/host-interaction/process/get-process-filename-via-x86-assembly.yml
similarity index 97%
rename from host-interaction/process/get-process-filename.yml
rename to host-interaction/process/get-process-filename-via-x86-assembly.yml
index eff6f4837..344ed0eea 100644
--- a/host-interaction/process/get-process-filename.yml
+++ b/host-interaction/process/get-process-filename-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: get process filename
+ name: get process filename via x86 assembly
 namespace: host-interaction/process
 authors:
 - matthew.williams@mandiant.com
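Review bot: In the create-process-on-linux hunk the updated `- match: execute syscall via x86 assembly` sits under an `and:` together with `- arch: aarch64` and `- number: 0xdd = execve`, so as named the branch demands an x86-assembly match on an aarch64 sample. Either the execute-syscall lib rule (renamed in this diff, body not shown) also covers the aarch64 syscall instruction, in which case the `via x86 assembly` suffix misdescribes it, or it is x86-only and this `and:` can never be satisfied, silently dropping aarch64 execve detection. Worth confirming against the lib rule body before merging; if it is arch-neutral, `- name: execute syscall via assembly` (and the matching file name) would describe it accurately. The enclosing `or:` of create-process-on-linux begins before this hunk.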
diff --git a/host-interaction/process/get-process-heap-flags.yml b/host-interaction/process/get-process-heap-flags-via-x86-assembly.yml
similarity index 90%
rename from host-interaction/process/get-process-heap-flags.yml
rename to host-interaction/process/get-process-heap-flags-via-x86-assembly.yml
index f5ac9a96e..6f193f437 100644
--- a/host-interaction/process/get-process-heap-flags.yml
+++ b/host-interaction/process/get-process-heap-flags-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: get process heap flags
+ name: get process heap flags via x86 assembly
 namespace: host-interaction/process
 authors:
 - michael.hunhoff@mandiant.com
@@ -15,7 +15,7 @@ rule:
 - al-khaser_x86.exe_:0x425470
 features:
 - and:
- - match: PEB access
+ - match: PEB access via x86 assembly
 - or:
 - and:
 - arch: i386
diff --git a/host-interaction/process/get-process-heap-force-flags.yml b/host-interaction/process/get-process-heap-force-flags-via-x86-assembly.yml
similarity index 90%
rename from host-interaction/process/get-process-heap-force-flags.yml
rename to host-interaction/process/get-process-heap-force-flags-via-x86-assembly.yml
index 9ffc6cc47..1edaa7df2 100644
--- a/host-interaction/process/get-process-heap-force-flags.yml
+++ b/host-interaction/process/get-process-heap-force-flags-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: get process heap force flags
+ name: get process heap force flags via x86 assembly
 namespace: host-interaction/process
 authors:
 - michael.hunhoff@mandiant.com
@@ -15,7 +15,7 @@ rule:
 - al-khaser_x86.exe_:0x425470
 features:
 - and:
- - match: PEB access
+ - match: PEB access via x86 assembly
 - or:
 - and:
 - arch: i386
diff --git a/lib/contain-pusha-popa-sequence.yml b/lib/contain-pusha-popa-sequence-via-x86-assembly.yml
similarity index 89%
rename from lib/contain-pusha-popa-sequence.yml
rename to lib/contain-pusha-popa-sequence-via-x86-assembly.yml
index 1c368029e..7be227355 100644
--- a/lib/contain-pusha-popa-sequence.yml
+++ b/lib/contain-pusha-popa-sequence-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: contain pusha popa sequence
+ name: contain pusha popa sequence via x86 assembly
 authors:
 - moritz.raabe@mandiant.com
 lib: true
diff --git a/lib/get-os-version.yml b/lib/get-os-version.yml
index 2cb26218d..97e6b2588 100644
--- a/lib/get-os-version.yml
+++ b/lib/get-os-version.yml
@@ -21,7 +21,7 @@ rule:
 - api: RtlGetNtVersionNumbers
 - api: GetProductInfo
 - and:
- - match: PEB access
+ - match: PEB access via x86 assembly
 - or:
 - and:
 - arch: i386
diff --git a/lib/peb-access.yml b/lib/peb-access-via-x86-assembly.yml
similarity index 97%
rename from lib/peb-access.yml
rename to lib/peb-access-via-x86-assembly.yml
index 1490de8c5..141caa18d 100644
--- a/lib/peb-access.yml
+++ b/lib/peb-access-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: PEB access
+ name: PEB access via x86 assembly
 authors:
 - michael.hunhoff@mandiant.com
 lib: true
diff --git a/linking/runtime-linking/access-peb-ldr_data.yml b/linking/runtime-linking/access-peb-ldr_data-via-x86-assembly.yml
similarity index 91%
rename from linking/runtime-linking/access-peb-ldr_data.yml
rename to linking/runtime-linking/access-peb-ldr_data-via-x86-assembly.yml
index 99c5dd000..27e687efd 100644
--- a/linking/runtime-linking/access-peb-ldr_data.yml
+++ b/linking/runtime-linking/access-peb-ldr_data-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: access PEB ldr_data
+ name: access PEB ldr_data via x86 assembly
 namespace: linking/runtime-linking
 authors:
 - moritz.raabe@mandiant.com
@@ -20,7 +20,7 @@ rule:
 - arch: i386
 - description: x32
- - match: PEB access
+ - match: PEB access via x86 assembly
 # x86 Windows uses fs:0 to access the TIB which contains SEH information at offset 0
 # checking for fs:0 and a (possibly unrelated) number or offset often results in false positives
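Review bot: Renaming the `lib: true` rules `PEB access` and `contain pusha popa sequence` (and `access PEB ldr_data`, `execute syscall`, `get number of processors` elsewhere in this diff) changes the identifier that every `match:` statement resolves against, and as far as I recall capa's rule loader rejects the whole rule set, not just one rule, when a `match:` names a rule that does not exist. The diff updates the callers visible here (get-os-version, the PEB heap-flag rules, the NtGlobalFlag/BeingDebugged checks, get-kernel32/ntdll-base-address), but any reference outside this diff, including downstream rule packs that pin these names, would break loading. A repository-wide search for the old names before merging would confirm nothing is left dangling; listing the renamed lib names in the commit description would also help consumers of the rule pack. The rule bodies in these hunks are otherwise unchanged.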
@@ -37,7 +37,7 @@ rule:
 - arch: amd64
 - description: x64
- - match: PEB access
+ - match: PEB access via x86 assembly
 - offset: 0x18 = PEB.LDR_DATA
diff --git a/linking/runtime-linking/get-kernel32-base-address.yml b/linking/runtime-linking/get-kernel32-base-address-via-x86-assembly.yml
similarity index 90%
rename from linking/runtime-linking/get-kernel32-base-address.yml
rename to linking/runtime-linking/get-kernel32-base-address-via-x86-assembly.yml
index e897783f9..5430e47a9 100644
--- a/linking/runtime-linking/get-kernel32-base-address.yml
+++ b/linking/runtime-linking/get-kernel32-base-address-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: get kernel32 base address
+ name: get kernel32 base address via x86 assembly
 namespace: linking/runtime-linking
 authors:
 - moritz.raabe@mandiant.com
@@ -17,7 +17,7 @@ rule:
 features:
 - and:
 # PEB -> PEB.Ldr -> PEB_LDR_DATA.InLoadOrderModuleList.Flink
- - match: access PEB ldr_data
+ - match: access PEB ldr_data via x86 assembly
 # -> current module -> ntdll
 - count(offset(0)): 2
 # -> kernel32 -> LDR_DATA_TABLE_ENTRY.DllBase
diff --git a/linking/runtime-linking/get-ntdll-base-address.yml b/linking/runtime-linking/get-ntdll-base-address-via-x86-assembly.yml
similarity index 90%
rename from linking/runtime-linking/get-ntdll-base-address.yml
rename to linking/runtime-linking/get-ntdll-base-address-via-x86-assembly.yml
index 74106ccf0..5658461ef 100644
--- a/linking/runtime-linking/get-ntdll-base-address.yml
+++ b/linking/runtime-linking/get-ntdll-base-address-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: get ntdll base address
+ name: get ntdll base address via x86 assembly
 namespace: linking/runtime-linking
 authors:
 - moritz.raabe@mandiant.com
@@ -17,7 +17,7 @@ rule:
 features:
 - and:
 # PEB -> PEB.Ldr -> PEB_LDR_DATA.InLoadOrderModuleList.Flink
- - match: access PEB ldr_data
+ - match: access PEB ldr_data via x86 assembly
 # -> current module
 - count(offset(0)): 1
 # -> ntdll -> LDR_DATA_TABLE_ENTRY.DllBase
diff --git a/load-code/pe/resolve-function-by-parsing-pe-exports.yml b/load-code/pe/resolve-function-by-parsing-pe-exports.yml
old mode 100755
new mode 100644
diff --git a/nursery/append-data-to-clfs-log-container.yml b/nursery/append-data-to-clfs-log-container.yml
old mode 100755
new mode 100644
diff --git a/nursery/execute-syscall.yml b/nursery/execute-syscall-via-x86-assembly.yml
similarity index 95%
rename from nursery/execute-syscall.yml
rename to nursery/execute-syscall-via-x86-assembly.yml
index 0f61a2500..a7ed98fd3 100644
--- a/nursery/execute-syscall.yml
+++ b/nursery/execute-syscall-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: execute syscall
+ name: execute syscall via x86 assembly
 namespace: anti-analysis
 authors:
 - "@kulinacs"
diff --git a/nursery/get-ntoskrnl-base-address.yml b/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml
similarity index 69%
rename from nursery/get-ntoskrnl-base-address.yml
rename to nursery/get-ntoskrnl-base-address-via-x86-assembly.yml
index 157d9bc96..d1d8a5ebb 100644
--- a/nursery/get-ntoskrnl-base-address.yml
+++ b/nursery/get-ntoskrnl-base-address-via-x86-assembly.yml
@@ -1,9 +1,10 @@
 rule:
 meta:
- name: get ntoskrnl base address
+ name: get ntoskrnl base address via x86 assembly
 namespace: linking/runtime-linking
 authors:
 - "@mr-tz"
+ - "@akh7177"
 scopes:
 static: function
 dynamic: unsupported # requires offset features
@@ -19,9 +20,10 @@ rule:
 - description: returns RTL_PROCESS_MODULES structure
 - number: 0xB = SystemModuleInformation
 - match: get system information on Windows
- - and:
- - arch: i386
- - offset: 0xC = RTL_PROCESS_MODULES.Modules[0].ImageBase
- - and:
- - arch: amd64
- - offset: 0x18 = RTL_PROCESS_MODULES.Modules[0].ImageBase
+ - or:
+ - and:
+ - arch: i386
+ - offset: 0xC = RTL_PROCESS_MODULES.Modules[0].ImageBase
+ - and:
+ - arch: amd64
+ - offset: 0x18 = RTL_PROCESS_MODULES.Modules[0].ImageBase
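Review bot: The added `+ - or:` in the second get-ntoskrnl-base-address hunk is a logic change, not part of the rename: before it, the `arch: i386` and `arch: amd64` blocks were siblings of the `number:`/`match:` lines under the enclosing block, which starts above the hunk and is presumably an `and:`, so both arch constraints had to hold at once and the rule could not match on any sample. Because the `similarity index 69%` and the file rename will read as cosmetic, a short comment above the new line would stop the next reader from re-flattening it, e.g. `# ImageBase offset depends on pointer size: 0xC on x86, 0x18 on x64`. The `examples:` entries above the hunk were presumably never exercised by the old logic and should be re-run with the fixed rule. The enclosing block's opening line is outside the hunk.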
diff --git a/nursery/hash-data-using-ripemd128.yml b/nursery/hash-data-using-ripemd128.yml
old mode 100755
new mode 100644
diff --git a/nursery/hash-data-using-ripemd256.yml b/nursery/hash-data-using-ripemd256.yml
old mode 100755
new mode 100644
diff --git a/nursery/hash-data-using-ripemd320.yml b/nursery/hash-data-using-ripemd320.yml
old mode 100755
new mode 100644
diff --git a/nursery/hook-routines-via-dlsym-rtld_next.yml b/nursery/hook-routines-via-dlsym-rtld_next-via-x86-assembly.yml
similarity index 90%
rename from nursery/hook-routines-via-dlsym-rtld_next.yml
rename to nursery/hook-routines-via-dlsym-rtld_next-via-x86-assembly.yml
index 9640bea57..5315980c9 100644
--- a/nursery/hook-routines-via-dlsym-rtld_next.yml
+++ b/nursery/hook-routines-via-dlsym-rtld_next-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: hook routines via dlsym RTLD_NEXT
+ name: hook routines via dlsym RTLD_NEXT via x86 assembly
 namespace: linking/hooking
 authors:
 - william.ballenthin@mandiant.com
diff --git a/nursery/reference-processor-manufacturer-constants.yml b/nursery/reference-processor-manufacturer-constants-via-x86-assembly.yml
similarity index 92%
rename from nursery/reference-processor-manufacturer-constants.yml
rename to nursery/reference-processor-manufacturer-constants-via-x86-assembly.yml
index 1002ba4c6..9bdb81340 100644
--- a/nursery/reference-processor-manufacturer-constants.yml
+++ b/nursery/reference-processor-manufacturer-constants-via-x86-assembly.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: reference processor manufacturer constants
+ name: reference processor manufacturer constants via x86 assembly
 namespace: anti-analysis/anti-vm/vm-detection
 authors:
 - matthew.williams@mandiant.com