GET /api/detection_rules/?format=api
HTTP 200 OK
Allow: GET, POST, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "count": 153,
    "next": "https://unprotect.it/api/detection_rules/?format=api&page=2",
    "previous": null,
    "results": [
        {
            "id": 87,
            "key": "capa_check_icebp",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Check_ICEBP",
            "rule": "rule:\r\n  meta:\r\n    name: execute anti-debugging instructions\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    authors:\r\n      - moritz.raabe@mandiant.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034]\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-03.exe_:0x401300\r\n  features:\r\n    - or:\r\n      - count(mnemonic(rdtsc)): 2 or more\r\n      - mnemonic: icebp"
        },
        {
            "id": 92,
            "key": "capa_check_sandboxprocess",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Check_SandboxProcess",
            "rule": "rule:\r\n  meta:\r\n    name: check for windows sandbox via process name\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    authors:\r\n      - \"@_re_fox\"\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LloydLabs/wsb-detect\r\n    examples:\r\n      - 773290480d5445f11d3dc1b800728966:0x140001140\r\n  features:\r\n    - and:\r\n      - match: enumerate processes\r\n      - string: \"CExecSvc.exe\""
        },
        {
            "id": 56,
            "key": "capa_delete_volume_shadow_copy",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Delete_Volume_Shadow_Copy",
            "rule": "rule:\r\n  meta:\r\n    name: delete volume shadow copies\r\n    namespace: impact/inhibit-system-recovery\r\n    author: moritz.raabe@mandiant.com\r\n    scope: function\r\n    att&ck:\r\n      - Impact::Inhibit System Recovery [T1490]\r\n      - Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004]\r\n    mbc:\r\n      - Impact::Data Destruction::Delete Shadow Copies [E1485.m04]\r\n    examples:\r\n      - B87E9DD18A5533A09D3E48A7A1EFBCF6:0x140006AF0\r\n  features:\r\n    - or:\r\n      - string: /vssadmin.* delete shadows/i\r\n      - string: /vssadmin.* resize shadowstorage/i\r\n      - string: /wmic.* shadowcopy delete/i"
        },
        {
            "id": 95,
            "key": "capa_detect_aspack",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Detect_ASPACK",
            "rule": "rule:\r\n  meta:\r\n    name: packed with ASPack\r\n    namespace: anti-analysis/packer/aspack\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing [F0001]\r\n    references:\r\n      - http://www.aspack.com/\r\n      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/\r\n    examples:\r\n      - 2055994ff75b4309eee3a49c5749d306\r\n  features:\r\n    - or:\r\n      - section: .aspack\r\n      - section: .adata\r\n      - section: .ASPack\r\n      - section: ASPack\r\n      - string: \"The procedure entry point %s could not be located in the dynamic link library %s\"\r\n      - string: \"The ordinal %u could not be located in the dynamic link library %s\""
        },
        {
            "id": 101,
            "key": "capa_detect_confuser",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Detect_Confuser",
            "rule": "rule:\r\n  meta:\r\n    name: packed with Confuser\r\n    namespace: anti-analysis/packer/confuser\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing::Confuser [F0001.009]\r\n    examples:\r\n      - b9f5bd514485fb06da39beff051b9fdc\r\n  features:\r\n    - or:\r\n      - string: \"ConfusedByAttribute\""
        },
        {
            "id": 91,
            "key": "capa_detect_filemelt",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Detect_FileMelt",
            "rule": "rule:\r\n  meta:\r\n    name: self delete\r\n    namespace: anti-analysis/anti-forensic/self-deletion\r\n    authors:\r\n      - michael.hunhoff@mandiant.com\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Indicator Removal on Host::File Deletion [T1070.004]\r\n    mbc:\r\n      - Defense Evasion::Self Deletion::COMSPEC Environment Variable [F0007.001]\r\n    examples:\r\n      - Practical Malware Analysis Lab 14-02.exe_:0x401880\r\n  features:\r\n    - and:\r\n      - or:\r\n        - match: get COMSPEC environment variable\r\n        - string: \"cmd.exe\"\r\n      - match: host-interaction/process/create\r\n      - string: /\\/c\\s*del\\s*/\r\n        description: \"/c del\"\r\n      - optional:\r\n        - string: /\\s*>\\s*nul\\s*/i\r\n          description: \"> nul\""
        },
        {
            "id": 96,
            "key": "capa_detect_nspack",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Detect_NSpack",
            "rule": "rule:\r\n  meta:\r\n    name: packed with nspack\r\n    namespace: anti-analysis/packer/nspack\r\n    authors:\r\n      - \"@_re_fox\"\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing [F0001]\r\n    references:\r\n      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/\r\n    examples:\r\n      - 02179f3ba93663074740b5c0d283bae2\r\n  features:\r\n    - or:\r\n      - section: .nsp0\r\n      - section: .nsp1\r\n      - section: .nsp2"
        },
        {
            "id": 97,
            "key": "capa_detect_pecompact",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Detect_PeCompact",
            "rule": "rule:\r\n  meta:\r\n    name: packed with PECompact\r\n    namespace: anti-analysis/packer/pecompact\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing [F0001]\r\n    references:\r\n      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/\r\n    examples:\r\n      - Practical Malware Analysis Lab 18-03.exe_\r\n  features:\r\n    - or:\r\n      - section: PEC2TO\r\n      - section: PEC2\r\n      - section: pec\r\n      - section: pec1\r\n      - section: pec2\r\n      - section: pec3\r\n      - section: pec4\r\n      - section: pec5\r\n      - section: pec6\r\n      - section: PEC2MO"
        },
        {
            "id": 99,
            "key": "capa_detect_petite",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Detect_Petite",
            "rule": "rule:\r\n  meta:\r\n    name: packed with petite\r\n    namespace: anti-analysis/packer/petite\r\n    authors:\r\n      - \"@_re_fox\"\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing [F0001]\r\n    references:\r\n      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/\r\n    examples:\r\n      - 2a7429d60040465f9bd27bbae2beef88\r\n  features:\r\n    - or:\r\n      - section: .petite"
        },
        {
            "id": 93,
            "key": "capa_detect_qemu",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Detect_QEMU",
            "rule": "rule:\r\n  meta:\r\n    name: reference anti-VM strings targeting Qemu\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    authors:\r\n      - michael.hunhoff@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Qemu.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_\r\n  features:\r\n    - or:\r\n      - string: /Qemu/i\r\n      - string: /qemu-ga.exe/i\r\n      - string: /BOCHS/i\r\n      - string: /BXPC/i"
        },
        {
            "id": 98,
            "key": "capa_detect_themida",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Detect_Themida",
            "rule": "rule:\r\n  meta:\r\n    name: packed with Themida\r\n    namespace: anti-analysis/packer/themida\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing::Themida [F0001.011]\r\n    references:\r\n      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/\r\n    examples:\r\n      - 8a132663bee5c2f0f5cbfebee1b55ac72934632bf32bc32d6e2dae797c9e6e35\r\n      - 2826b762b9c268601a44974ef469a671b441e798a6c3cbb40070450c6c030ba2\r\n  features:\r\n    - or:\r\n      - section: Themida\r\n      - section: .Themida\r\n      - section: .themida\r\n      - section: WinLicen\r\n      - section: .winlice\r\n      - count(section(        )): 2 or more\r\n        description: Section names containing 8 space characters observed in Themida 3.0.x packed files\r\n      - and:\r\n        - description: Section names containing 3 and 8 space characters observed in Themida 2.1.x packed files\r\n        - section: \"   \"\r\n        - section: \"        \""
        },
        {
            "id": 90,
            "key": "capa_detect_timestomp",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Detect_Timestomp",
            "rule": "rule:\r\n  meta:\r\n    name: timestomp file\r\n    namespace: anti-analysis/anti-forensic/timestomp\r\n    authors:\r\n      - moritz.raabe@mandiant.com\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Indicator Removal on Host::Timestomp [T1070.006]\r\n    examples:\r\n      - Practical Malware Analysis Lab 03-04.exe_:0x4014e0\r\n  features:\r\n    - and:\r\n      - or:\r\n        - api: kernel32.GetSystemTime\r\n        - api: kernel32.FileTimeToLocalFileTime\r\n        - api: kernel32.GetSystemTimeAsFileTime\r\n        - api: kernel32.SystemTimeToFileTime\r\n        - api: kernel32.GetFileTime\r\n      - api: kernel32.SetFileTime"
        },
        {
            "id": 94,
            "key": "capa_detect_upx",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Detect_UPX",
            "rule": "rule:\r\n  meta:\r\n    name: packed with UPX\r\n    namespace: anti-analysis/packer/upx\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing::UPX [F0001.008]\r\n    examples:\r\n      - CD2CBA9E6313E8DF2C1273593E649682\r\n      - Practical Malware Analysis Lab 01-02.exe_:0x0401000\r\n  features:\r\n    - or:\r\n      - and:\r\n        - format: pe\r\n        - or:\r\n          - section: UPX0\r\n          - section: UPX1\r\n      - and:\r\n        - format: elf\r\n        - or:\r\n          - string: \"UPX!\""
        },
        {
            "id": 100,
            "key": "capa_detect_vmprotect",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Detect_vmprotect",
            "rule": "rule:\r\n  meta:\r\n    name: packed with VMProtect\r\n    namespace: anti-analysis/packer/vmprotect\r\n    authors:\r\n      - william.ballenthin@mandiant.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information::Software Packing [T1027.002]\r\n    mbc:\r\n      - Anti-Static Analysis::Software Packing::VMProtect [F0001.010]\r\n    references:\r\n      - https://www.pcworld.com/article/2824572/leaked-programming-manual-may-help-criminals-develop-more-atm-malware.html\r\n      - https://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/\r\n    examples:\r\n      - 971e599e6e707349eccea2fd4c8e5f67\r\n  features:\r\n    - or:\r\n      - string: \"A debugger has been found running in your system.\"\r\n      - string: \"Please, unload it from memory and restart your program.\"\r\n      - string: \"File corrupted!. This program has been manipulated and maybe\"\r\n      - string: \"it's infected by a Virus or cracked. This file won't work anymore.\"\r\n      - section: .vmp0\r\n      - section: .vmp1\r\n      - section: .vmp2"
        },
        {
            "id": 89,
            "key": "capa_fileversion_impersonation",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_FileVersion_Impersonation",
            "rule": "rule:\r\n  meta:\r\n    name: impersonate file version information\r\n    namespace: anti-analysis/anti-forensic\r\n    authors:\r\n      - awillia2@cisco.com\r\n    description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application.\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Indicator Removal on Host [T1070]\r\n    references:\r\n      - https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-updateresourcea\r\n      - https://www.carbonblack.com/blog/threat-analysis-dont-forget-about-kangaroo-ransomware/\r\n    examples:\r\n      - e5369ac309f1be6d77afeeb3edab0ed8:0x4025A0\r\n  features:\r\n    - and:\r\n      - match: get file version info\r\n      - api: kernel32.BeginUpdateResource\r\n      - api: kernel32.UpdateResource\r\n      - api: kernel32.EndUpdateResource"
        },
        {
            "id": 120,
            "key": "capa_hook_injection",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Hook_Injection",
            "rule": "rule:\r\n  meta:\r\n    name: set global application hook\r\n    namespace: host-interaction/gui\r\n    authors:\r\n      - michael.hunhoff@mandiant.com\r\n    scope: basic block\r\n  features:\r\n    - and:\r\n      - api: user32.SetWindowsHookEx\r\n      - number: 0x3 = WH_GETMESSAGE\r\n      - number: 0x0 = dwThreadId"
        },
        {
            "id": 121,
            "key": "capa_hook_injection1",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Hook_Injection1",
            "rule": "rule:\r\n  meta:\r\n    name: set application hook\r\n    namespace: host-interaction/gui\r\n    authors:\r\n      - michael.hunhoff@mandiant.com\r\n    scope: function\r\n    examples:\r\n      - Practical Malware Analysis Lab 12-03.exe_:0x401000\r\n  features:\r\n    - and:\r\n      - or:\r\n        - api: user32.SetWindowsHookEx\r\n        - api: user32.UnhookWindowsHookEx"
        },
        {
            "id": 86,
            "key": "capa_ntqueryinformation",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_NtQueryInformation",
            "rule": "rule:\r\n  meta:\r\n    name: check process job object\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    authors:\r\n      - michael.hunhoff@mandiant.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection [B0001]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/ProcessJob.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x426730\r\n  features:\r\n    - and:\r\n      - match: contain loop\r\n      - basic block:\r\n        - and:\r\n          - api: kernel32.QueryInformationJobObject\r\n          - number: 0x3 = JobObjectBasicProcessIdList\r\n      - basic block:\r\n        - and:\r\n          - api: kernel32.OpenProcess\r\n          - number: 0x400 = PROCESS_QUERY_INFORMATION"
        },
        {
            "id": 15,
            "key": "capa_queryperformancecounter",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_QueryPerformanceCounter",
            "rule": "rule:\r\n  meta:\r\n    name: check for time delay via QueryPerformanceCounter\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033]\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-03.exe_:0x4011e0\r\n  features:\r\n    - and:\r\n      - count(api(kernel32.QueryPerformanceCounter)): 2 or more"
        },
        {
            "id": 47,
            "key": "capa_sanbox_av_check",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_SANBOX_AV_CHECK",
            "rule": "rule:\r\n  meta:\r\n    name: check for sandbox and av modules\r\n    namespace: anti-analysis/anti-av\r\n    author: \"@_re_fox\"\r\n    scope: basic block\r\n    unprotect: U0508\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n      - Anti-Behavioral Analysis::Sandbox Detection [B0007]\r\n    examples:\r\n      - ccbf7cba35bab56563c0fbe4237fdc41:0x0040a4a0\r\n  features:\r\n    - and:\r\n      - api: GetModuleHandle\r\n      - or:\r\n        - string: /avghook(x|a)\\.dll/i\r\n          description: AVG\r\n        - string: /snxhk\\.dll/i \r\n          description: Avast\r\n        - string: /sf2\\.dll/i \r\n          description: Avast\r\n        - string: /sbiedll\\.dll/i\r\n          description: Sandboxie\r\n        - string: /dbghelp\\.dll/i \r\n          description: WinDbg\r\n        - string: /api_log\\.dll/i \r\n          description: iDefense Lab\r\n        - string: /dir_watch\\.dll/ \r\n          description: iDefense Lab\r\n        - string: /pstorec\\.dll/i\r\n          description: SunBelt Sandbox\r\n        - string: /vmcheck\\.dll/i\r\n          description: Virtual PC\r\n        - string: /wpespy\\.dll/i\r\n          description: WPE Pro\r\n        - string: /cmdvrt(64|32).dll/i \r\n          description: Comodo Container\r\n        - string: /sxin.dll/i \r\n          description: 360 SOFTWARE\r\n        - string: /dbghelp\\.dll/i\r\n          description: WINE\r\n        - string: /printfhelp\\.dll/i \r\n          description: Unknown Sandbox"
        },
        {
            "id": 45,
            "key": "capa_sethandleinformation",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_SetHandleInformation",
            "rule": "rule:\r\n  meta:\r\n    name: check for protected handle exception\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SetHandleInformation_API.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x430D20\r\n  features:\r\n    - and:\r\n      - basic block:\r\n        - and:\r\n          - count(number(2)): 2 or more\r\n          - api: SetHandleInformation\r\n      - api: CloseHandle"
        },
        {
            "id": 84,
            "key": "capa_software_breakpoint",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Software_Breakpoint",
            "rule": "rule:\r\n  meta:\r\n    name: check for software breakpoints\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    authors:\r\n      - michael.hunhoff@mandiant.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints [B0001.025]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/SoftwareBreakpoints.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x431020\r\n  features:\r\n    - and:\r\n      - basic block:\r\n        - and:\r\n          - mnemonic: cmp\r\n          - or:\r\n            - number: 0xCC\r\n            - and:\r\n              - number: 0xCD\r\n              - number: 0x3\r\n      - match: contain loop"
        },
        {
            "id": 85,
            "key": "capa_trap_flag",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Trap_Flag",
            "rule": "rule:\r\n  meta:\r\n    name: check for trap flag exception\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    authors:\r\n      - michael.hunhoff@mandiant.com\r\n    scope: basic block\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection [B0001]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/TrapFlag.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x431680\r\n      - al-khaser_x64.exe_:0x140030CB0\r\n  features:\r\n    - and:\r\n      - or:\r\n        - description: read/write EFLAGS register\r\n        - and:\r\n          - mnemonic: pushf\r\n          - mnemonic: popf\r\n        - and:\r\n          - mnemonic: pushfd\r\n          - mnemonic: popfd\r\n        - and:\r\n          - mnemonic: pushfq\r\n          - mnemonic: popfq\r\n      - or:\r\n        - description: set trap flag\r\n        - and:\r\n          - mnemonic: or\r\n          - number: 0x100\r\n        - and:\r\n          - mnemonic: bts\r\n          - number: 0x8"
        },
        {
            "id": 133,
            "key": "capa_unhook-freelibrary",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_Unhook-FreeLibrary",
            "rule": "rule:\r\n  meta:\r\n    name: API pattern detection for removing EDR/AV hooks\r\n    namespace: anti-analysis/anti-av\r\n    authors: \r\n      - github.com/west-wind\r\n    scope: basic block\r\n    mbc:\r\n      - Defense Evasion::Disable or Evade Security Tools [F0004]\r\n    examples:\r\n      - 7cacd0b11497bcdd2db0ee3ae9580bdd:0x403ED2\r\n      - 7cacd0b11497bcdd2db0ee3ae9580bdd:0x403ED9\r\n  features:\r\n    - and:\r\n      - api: GetModuleHandleA\r\n      - api: FreeLibrary\r\n      - or:\r\n        - string: /(\\w|\\d)+\\.dll/i\r\n          description: Regex match on AV/EDR dll name"
        },
        {
            "id": 88,
            "key": "capa_check_ppid",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_check_PPID",
            "rule": "rule:\r\n  meta:\r\n    name: spoof parent PID\r\n    namespace: anti-analysis/anti-forensic\r\n    authors:\r\n      - michael.hunhoff@mandiant.com\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Access Token Manipulation::Parent PID Spoofing [T1134.004]\r\n    references:\r\n      - https://blog.f-secure.com/detecting-parent-pid-spoofing/\r\n    examples:\r\n      - 2ebadd04f0ada89c36c1409b6e96423a68dd77b513db8db3da203c36d3753e5f:0x140002291\r\n  features:\r\n    - and:\r\n      - api: kernel32.UpdateProcThreadAttribute\r\n      - number: 0x20000 = PROC_THREAD_ATTRIBUTE_PARENT_PROCESS"
        },
        {
            "id": 12,
            "key": "capa_clear_log",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_clear_log",
            "rule": "rule:\r\n  meta:\r\n    name: clear the Windows event log\r\n    namespace: anti-analysis/anti-forensic/clear-logs\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Indicator Removal on Host::Clear Windows Event Logs [T1070.001]\r\n    examples:\r\n      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0\r\n  features:\r\n    - and:\r\n      - api: advapi32.ElfClearEventLogFile\r\n      - optional:\r\n        - api: advapi32.OpenEventLog"
        },
        {
            "id": 11,
            "key": "capa_crash_eventlog",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_crash_eventlog",
            "rule": "rule:\r\n  meta:\r\n    name: crash the Windows event logging service\r\n    namespace: anti-analysis/anti-forensic\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002]\r\n    references:\r\n      - https://github.com/limbenjamin/LogServiceCrash\r\n    examples:\r\n      - 82BF6347ACF15E5D883715DC289D8A2B:0x14005E0C0\r\n  features:\r\n    - and:\r\n      - count(api(advapi32.ElfClearEventLogFileW)): 3 or more\r\n      - count(api(advapi32.OpenEventLogA)): 1 or more"
        },
        {
            "id": 10,
            "key": "capa_debug_register",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_debug_register",
            "rule": "rule:\r\n  meta:\r\n    name: check for hardware breakpoints\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints [B0001.005]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/HardwareBreakpoints.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x42035D\r\n  features:\r\n    - and:\r\n      - api: kernel32.GetThreadContext\r\n      - number: 0x10010 = CONTEXT_DEBUG_REGISTERS\r\n      - offset: 0x4 = DR0\r\n      - offset: 0x8 = DR1\r\n      - offset: 0xC = DR2\r\n      - offset: 0x10 = DR3\r\n      - count(mnemonic(cmp)): 4 or more"
        },
        {
            "id": 26,
            "key": "capa_debugged_flag",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_debugged_flag",
            "rule": "rule:\r\n  meta:\r\n    name: check for PEB BeingDebugged flag\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: moritz.raabe@fireeye.com\r\n    scope: basic block\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged [B0001.035]\r\n    references:\r\n      - Practical Malware Analysis, Chapter 16, p. 353\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-01.exe_:0x403530\r\n  features:\r\n    - and:\r\n      - match: PEB access\r\n      - offset: 2 = PEB.BeingDebugged"
        },
        {
            "id": 7,
            "key": "capa_debugger_api",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_debugger_api",
            "rule": "rule:\r\n  meta:\r\n    name: check for debugger via API\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002]\r\n      - Anti-Behavioral Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiDebug/CheckRemoteDebuggerPresent.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_:0x420000\r\n  features:\r\n    - or:\r\n      - api: kernel32.CheckRemoteDebuggerPresent\r\n      - api: WUDFPlatform.WudfIsAnyDebuggerPresent\r\n      - api: WUDFPlatform.WudfIsKernelDebuggerPresent\r\n      - api: WUDFPlatform.WudfIsUserDebuggerPresent"
        },
        {
            "id": 17,
            "key": "capa_detect_vm_process",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_detect_vm_process",
            "rule": "rule:\r\n  meta:\r\n    name: check for windows sandbox via process name\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: \"@_re_fox\"\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LloydLabs/wsb-detect\r\n    examples:\r\n      - 773290480d5445f11d3dc1b800728966:0x140001140\r\n  features:\r\n    - and:\r\n      - match: enumerate processes\r\n      - string: CExecSvc.exe"
        },
        {
            "id": 16,
            "key": "capa_device_pipe",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_device_pipe",
            "rule": "rule:\r\n  meta:\r\n    name: check for windows sandbox via device\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: \"@_re_fox\"\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LloydLabs/wsb-detect\r\n    examples:\r\n      - 773290480d5445f11d3dc1b800728966:0x140001140\r\n  features:\r\n    - and:\r\n      - api: CreateFile\r\n      - string: \\\\.\\GLOBALROOT\\device\\vmsmb"
        },
        {
            "id": 58,
            "key": "capa_fingerprint_av",
            "type": {
                "id": 3,
                "name": "SIGMA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_fingerprint_av",
            "rule": "title: Get antivirus details via WMIC query\r\nstatus: experimental\r\ndescription: Get antivirus details via WMIC query\r\nauthor: Joe Security\r\ndate: 2020-03-27\r\nid: 200069\r\nthreatname:\r\nbehaviorgroup: 5\r\nclassification: 8\r\nmitreattack:\r\n\r\nlogsource:\r\n      category: process_creation\r\n      product: windows\r\ndetection:\r\n      selection:\r\n          CommandLine:\r\n              -'*wmic * path antivirusproduct get displayname*'\r\n      condition: selection\r\nlevel: critical"
        },
        {
            "id": 28,
            "key": "capa_gettickcount",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_gettickcount",
            "rule": "rule:\r\n  meta:\r\n    name: check for time delay via GetTickCount\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount [B0001.032]\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-03.exe_:0x4013d0\r\n  features:\r\n    - and:\r\n      - count(api(kernel32.GetTickCount)): 2 or more"
        },
        {
            "id": 46,
            "key": "capa_kill_process",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_kill_process",
            "rule": "rule:\r\n  meta:\r\n    name: reference analysis tools strings\r\n    namespace: anti-analysis\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: file\r\n    mbc:\r\n      - Discovery::Analysis Tool Discovery::Process Detection [B0013.001]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiAnalysis/process.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_\r\n  features:\r\n    - or:\r\n      - string: /ollydbg.exe/i\r\n      - string: /ProcessHacker.exe/i\r\n      - string: /tcpview.exe/i\r\n      - string: /autoruns.exe/i\r\n      - string: /autorunsc.exe/i\r\n      - string: /filemon.exe/i\r\n      - string: /procmon.exe/i\r\n      - string: /regmon.exe/i\r\n      - string: /procexp.exe/i\r\n      - string: /idaq.exe/i\r\n      - string: /idaq64.exe/i\r\n      - string: /ImmunityDebugger.exe/i\r\n      - string: /Wireshark.exe/i\r\n      - string: /dumpcap.exe/i\r\n      - string: /HookExplorer.exe/i\r\n      - string: /ImportREC.exe/i\r\n      - string: /PETools.exe/i\r\n      - string: /LordPE.exe/i\r\n      - string: /SysInspector.exe/i\r\n      - string: /proc_analyzer.exe/i\r\n      - string: /sysAnalyzer.exe/i\r\n      - string: /sniff_hit.exe/i\r\n      - string: /windbg.exe/i\r\n      - string: /joeboxcontrol.exe/i\r\n      - string: /joeboxserver.exe/i\r\n      - string: /ResourceHacker.exe/i\r\n      - string: /x32dbg.exe/i\r\n      - string: /x64dbg.exe/i\r\n      - string: /Fiddler.exe/i\r\n      - string: /httpdebugger.exe/i\r\n      - string: /fakenet.exe/i\r\n      - string: /netmon.exe/i\r\n      - string: /WPE PRO.exe/i\r\n      - string: /decompile.exe/i"
        },
        {
            "id": 39,
            "key": "capa_localsize",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_localsize",
            "rule": "rule:\r\n  meta:\r\n    name: trap debugger with localsize\r\n    namespace: anti-analysis/anti-debugging\r\n    author: lordtmk@protonmail.com\r\n    scope: basic block\r\n    examples:\r\n      - B67E5B1985742F62785122B637EF4FBD:0x4B1F5B\r\n  features:\r\n    - and:\r\n      - api: LocalSize\r\n      - mnemonic: push \r\n      - number: 0"
        },
        {
            "id": 22,
            "key": "capa_mouse_cursor",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_mouse_cursor",
            "rule": "rule:\r\n  meta:\r\n    name: check for unmoving mouse cursor\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: BitsOfBinary\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012]\r\n    references:\r\n      - https://www.joesecurity.org/blog/5852460122427342172\r\n    examples:\r\n      - 7E17F0F35D50F49407841372F24FBD38:0x4010f6\r\n  features:\r\n    - and:\r\n      - count(api(user32.GetCursorPos)): 2 or more"
        },
        {
            "id": 25,
            "key": "capa_ntglobalflag",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_ntglobalflag",
            "rule": "rule:\r\n  meta:\r\n    name: check for PEB NtGlobalFlag flag\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: moritz.raabe@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036]\r\n    references:\r\n      - Practical Malware Analysis, Chapter 16, p. 355\r\n      - https://www.geoffchappell.com/studies/windows/win32/ntdll/structs/peb/index.htm\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-01.exe_:0x403530\r\n  features:\r\n    - and:\r\n      - basic block:\r\n        - and:\r\n          - match: PEB access\r\n          - or:\r\n            - or:\r\n              - offset/x32: 0x68 = PEB.NtGlobalFlag\r\n              - offset/x64: 0xBC = PEB.NtGlobalFlag\r\n            - and:\r\n              - mnemonic: add\r\n              - or:\r\n                - number/x32: 0x68 = PEB.NtGlobalFlag\r\n                - number/x64: 0xBC = PEB.NtGlobalFlag\r\n      - number: 0x70 = (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS)"
        },
        {
            "id": 14,
            "key": "capa_output_debug_string",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_output_debug_string",
            "rule": "rule:\r\n  meta:\r\n    name: check for OutputDebugString error\r\n    namespace: anti-analysis/anti-debugging/debugger-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016]\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-02.exe_:0x401020\r\n  features:\r\n    - and:\r\n      - api: kernel32.SetLastError\r\n      - api: kernel32.GetLastError\r\n      - api: kernel32.OutputDebugString"
        },
        {
            "id": 60,
            "key": "capa_resize_volume_shadow_copy_storage",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_resize_volume_shadow_copy_storage",
            "rule": "rule:\r\n  meta:\r\n    name: resize volume shadow copy storage\r\n    namespace: impact/inhibit-system-recovery\r\n    author: michael.hunhoff@mandiant.com\r\n    scope: basic block\r\n  features:\r\n    - and:\r\n      - api: kernel32.DeviceIoControl\r\n      - number: 0x53C028 = IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE"
        },
        {
            "id": 57,
            "key": "capa_sandbox_name",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_sandbox_name",
            "rule": "rule:\r\n  meta:\r\n    name: check for sandbox username\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: \"@_re_fox\"\r\n    scope: function\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    examples:\r\n      - ccbf7cba35bab56563c0fbe4237fdc41:0x402B90\r\n    references:\r\n      - https://github.com/LloydLabs/wsb-detect\r\n  features:\r\n    - and:\r\n      - api: GetUserName\r\n      - or:\r\n        - string: /MALTEST/i\r\n          description: Betabot Username Check\r\n        - string: /TEQUILABOOMBOOM/i\r\n          description: VirusTotal Sandbox\r\n        - string: /SANDBOX/i\r\n          description: Gookit Username Check\r\n        - string: /^VIRUS/i\r\n          description: Satan Username Check\r\n        - string: /MALWARE/i\r\n          description: Betabot Username Check\r\n        - string: /SAND\\sBOX/i\r\n          description: Betabot Username Check\r\n        - string: /Test\\sUser/i\r\n          description: Betabot Username Check\r\n        - string: /CurrentUser/i\r\n          description: Gookit Username Check\r\n        - string: /7SILVIA/i\r\n          description: Gookit Username Check\r\n        - string: /FORTINET/i\r\n          description: Shifu Username Check\r\n        - string: /John\\sDoe/i\r\n          description: Emotet Username Check\r\n        - string: /Emily/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /HANSPETER\\-PC/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /HAPUBWS/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /Hong\\sLee/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /IT\\-ADMIN/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /JOHN\\-PC/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /Johnson/i\r\n          
description: Trickbot Downloader Username Check\r\n        - string: /Miller/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /MUELLER\\-PC/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /Peter\\sWilson/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /SystemIT/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /Timmy/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /WIN7\\-TRAPS/i\r\n          description: Trickbot Downloader Username Check\r\n        - string: /WDAGUtilityAccount/i\r\n          description: Windows Defender Application Guard"
        },
        {
            "id": 20,
            "key": "capa_stackstring_obf",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_stackstring_obf",
            "rule": "rule:\r\n  meta:\r\n    name: contain obfuscated stackstrings\r\n    namespace: anti-analysis/obfuscation/string/stackstring\r\n    author: moritz.raabe@fireeye.com\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Obfuscated Files or Information [T1027]\r\n    mbc:\r\n      - Anti-Static Analysis::Disassembler Evasion::Argument Obfuscation [B0012.001]\r\n    examples:\r\n      - Practical Malware Analysis Lab 16-03.exe_:0x4013D0\r\n  features:\r\n    - characteristic: stack string"
        },
        {
            "id": 13,
            "key": "capa_timestomp",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_timestomp",
            "rule": "rule:\r\n  meta:\r\n    name: timestomp file\r\n    namespace: anti-analysis/anti-forensic/timestomp\r\n    author: moritz.raabe@fireeye.com\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Indicator Removal on Host::Timestomp [T1070.006]\r\n    examples:\r\n      - Practical Malware Analysis Lab 03-04.exe_:0x4014e0\r\n  features:\r\n    - and:\r\n      - or:\r\n        - api: kernel32.GetSystemTime\r\n        - api: kernel32.FileTimeToLocalFileTime\r\n        - api: kernel32.GetSystemTimeAsFileTime\r\n        - api: kernel32.SystemTimeToFileTime\r\n        - api: kernel32.GetFileTime\r\n      - api: kernel32.SetFileTime"
        },
        {
            "id": 41,
            "key": "capa_vm_artefact",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_vm_artefact",
            "rule": "rule:\r\n  meta:\r\n    name: reference anti-VM strings targeting VMWare\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: michael.hunhoff@fireeye.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/VMWare.cpp\r\n    examples:\r\n      - al-khaser_x86.exe_\r\n  features:\r\n    - or:\r\n      - string: /VMWare/i\r\n      - string: /VMTools/i\r\n      - string: /SOFTWARE\\\\VMware, Inc\\.\\\\VMware Tools/i\r\n      - string: /vmnet.sys/i\r\n      - string: /vmmouse.sys/i\r\n      - string: /vmusb.sys/i\r\n      - string: /vm3dmp.sys/i\r\n      - string: /vmci.sys/i\r\n      - string: /vmhgfs.sys/i\r\n      - string: /vmmemctl.sys/i\r\n      - string: /vmx86.sys/i\r\n      - string: /vmrawdsk.sys/i\r\n      - string: /vmusbmouse.sys/i\r\n      - string: /vmkdb.sys/i\r\n      - string: /vmnetuserif.sys/i\r\n      - string: /vmnetadapter.sys/i\r\n      - string: /\\\\\\\\.\\\\HGFS/i\r\n      - string: /\\\\\\\\.\\\\vmci/i\r\n      - string: /vmtoolsd.exe/i\r\n      - string: /vmwaretray.exe/i\r\n      - string: /vmwareuser.exe/i\r\n      - string: /VGAuthService.exe/i\r\n      - string: /vmacthlp.exe/i\r\n      - string: /vmci/i\r\n        description: VMWare VMCI Bus Driver\r\n      - string: /vmhgfs/i\r\n        description: VMWare Host Guest Control Redirector\r\n      - string: /vmmouse/i\r\n      - string: /vmmemctl/i\r\n        description: VMWare Guest Memory Controller Driver\r\n      - string: /vmusb/i\r\n      - string: /vmusbmouse/i\r\n      - string: /vmx_svga/i\r\n      - string: /vmxnet/i\r\n      - string: /vmx86/i\r\n      - string: /VMwareVMware/i\r\n      - string: /vmGuestLib.dll/i"
        },
        {
            "id": 31,
            "key": "capa_vm_artefact2",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_vm_artefact2",
            "rule": "rule:\r\n  meta:\r\n    name: reference anti-VM strings\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: moritz.raabe@fireeye.com\r\n    scope: file\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/ctxis/CAPE/blob/master/modules/signatures/antivm_*\r\n      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp\r\n    examples:\r\n      - Practical Malware Analysis Lab 17-02.dll_\r\n  features:\r\n    - or:\r\n      - string: /HARDWARE\\\\ACPI\\\\(DSDT|FADT|RSDT)\\\\BOCHS/i\r\n      - string: /HARDWARE\\\\DESCRIPTION\\\\System\\\\(SystemBiosVersion|VideoBiosVersion)/i\r\n      - string: /HARDWARE\\\\DESCRIPTION\\\\System\\\\CentralProcessor\\\\.*ProcessorNameString/i\r\n      - string: /HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0/i\r\n      - string: /SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Enum\\\\IDE/i\r\n      - string: /SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Services\\\\Disk\\\\Enum\\\\/i\r\n      - string: /SYSTEM\\\\(CurrentControlSet|ControlSet001)\\\\Control\\\\SystemInformation\\\\SystemManufacturer/i\r\n      - string: /A M I/i\r\n      - string: /Hyper-V/i\r\n      - string: /Kernel-VMDetection-Private/i\r\n      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L699\r\n      - string: /KVMKVMKVM/i\r\n        description: KVM\r\n      - string: /Microsoft Hv/i\r\n        description: Microsoft Hyper-V or Windows Virtual PC\r\n      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L8\r\n      - string: /avghookx.dll/i\r\n        description: AVG\r\n      - string: /avghooka.dll/i\r\n        description: AVG\r\n      - string: /snxhk.dll/i\r\n        description: 
Avast\r\n      - string: /pstorec.dll/i\r\n        description: SunBelt Sandbox\r\n      - string: /vmcheck.dll/i\r\n        description: Virtual PC\r\n      - string: /wpespy.dll/i\r\n        description: WPE Pro\r\n      - string: /cmdvrt64.dll/i\r\n        description: Comodo Container\r\n      - string: /cmdvrt32.dll/i\r\n        description: Comodo Container\r\n      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L46\r\n      - string: /sample.exe/i\r\n      - string: /bot.exe/i\r\n      - string: /sandbox.exe/i\r\n      - string: /malware.exe/i\r\n      - string: /test.exe/i\r\n      - string: /klavme.exe/i\r\n      - string: /myapp.exe/i\r\n      - string: /testapp.exe/i"
        },
        {
            "id": 30,
            "key": "capa_vm_instruction",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_vm_instruction",
            "rule": "rule:\r\n  meta:\r\n    name: execute anti-VM instructions\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: moritz.raabe@fireeye.com\r\n    scope: basic block\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing [B0009.029]\r\n    examples:\r\n      - Practical Malware Analysis Lab 17-03.exe_:0x401A80\r\n  features:\r\n    - or:\r\n      - mnemonic: sdit\r\n      - mnemonic: sgdt\r\n      - mnemonic: sldt\r\n      - mnemonic: smsw\r\n      - mnemonic: str\r\n      - mnemonic: in\r\n      - mnemonic: cpuid\r\n      - mnemonic: vpcext"
        },
        {
            "id": 32,
            "key": "capa_vm_registry",
            "type": {
                "id": 2,
                "name": "CAPA",
                "syntax_lang": "yaml"
            },
            "name": "CAPA_vm_registry",
            "rule": "rule:\r\n  meta:\r\n    name: check for windows sandbox via registry\r\n    namespace: anti-analysis/anti-vm/vm-detection\r\n    author: \"@_re_fox\"\r\n    scope: function\r\n    att&ck:\r\n      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]\r\n    mbc:\r\n      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]\r\n    references:\r\n      - https://github.com/LloydLabs/wsb-detect\r\n    examples:\r\n      - 773290480d5445f11d3dc1b800728966:0x140001140\r\n  features:\r\n    - and:\r\n      - api: RegOpenKeyEx\r\n      - api: RegEnumValue\r\n      - string: /\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce/\r\n      - string: /wmic useraccount where \\\"name='WDAGUtilityAccount'\\\"/i"
        },
        {
            "id": 72,
            "key": "detect_enumprocess",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "Detect_EnumProcess",
            "rule": "rule Detect_EnumProcess: AntiDebug {\r\n    meta: \r\n        description = \"Detect EnumProcess as anti-debug\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"EnumProcessModulesEx\" fullword ascii\r\n        $2 = \"EnumProcesses\" fullword ascii\r\n        $3 = \"EnumProcessModules\" fullword ascii\r\n    condition:   \r\n        uint16(0) == 0x5A4D and filesize < 1000KB and any of them \r\n}"
        },
        {
            "id": 70,
            "key": "detect_interrupts",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "Detect_Interrupts",
            "rule": "rule Detect_Interrupt: AntiDebug {\r\n    meta: \r\n        description = \"Detect Interrupt instruction\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule / the rule can be slow to use\"\r\n    strings:\r\n        $int3 = { CC }\r\n        $intCD = { CD }\r\n        $int03 = { 03 }\r\n        $int2D = { 2D }\r\n        $ICE = { F1 }\r\n    condition:   \r\n       uint16(0) == 0x5A4D and filesize < 1000KB and any of them\r\n}"
        },
        {
            "id": 69,
            "key": "detect_ollydbg_badformat_trick",
            "type": {
                "id": 1,
                "name": "YARA",
                "syntax_lang": "YARA"
            },
            "name": "Detect_OllyDbg_BadFormat_Trick",
            "rule": "rule Detect_OllyDBG_BadFormatTrick: AntiDebug {\r\n    meta: \r\n        description = \"Detect bad format not handled by Ollydbg\"\r\n        author = \"Unprotect\"\r\n        comment = \"Experimental rule\"\r\n    strings:\r\n        $1 = \"%s%s.exe\" fullword ascii\r\n    condition:   \r\n       $1\r\n}"
        }
    ]
}