mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

[ENH] Refactor format in `capa/features/extractors/dotnetfile.py` #2024

Closed samadpls closed 6 months ago

samadpls commented 7 months ago

Changed format order for .NET files. Closes #2022


mike-hunhoff commented 6 months ago

@samadpls bump. Please let us know if you have any questions running capa locally against a test .NET file. Also, please add an entry to CHANGELOG.md with a short description of the PR when you get a chance.

samadpls commented 6 months ago

Hello @mike-hunhoff, while setting up locally I'm facing the following issue

```
capa -vv /media/samadpls/ubuntu/download/1c444ebeba24dcba8628b7dfe5fec7c6.exe_
ERROR:capa:[Errno 28] No space left on device: '/home/samadpls/.cache/capa'
ERROR:capa:Make sure your file directory contains properly formatted capa rules. You can download the standard collection of capa rules from https://github.com/mandiant/capa-rules/releases.
ERROR:capa:Please ensure you're using the rules that correspond to your major version of capa (7)
ERROR:capa:Or, for more details, see the rule set documentation here: https://github.com/mandiant/capa/blob/master/doc/rules.md
```
mr-tz commented 6 months ago

Are you out of hard-drive space?

samadpls commented 6 months ago

> Looks good @samadpls. Please verify that the -vv output from capa's standalone tool lists .NET as the format in the metadata section by posting the output here. You can use one of the .NET samples from capa/test-files.

@mike-hunhoff, sorry for responding late; I was busy with academic work. Here is the output I got after running the following command

```
format                  pe
...
create or open registry key (2 matches, only showing first match of library rule)
...
save image in .NET
...
```
full log

```
capa -vv -r E:\capa-rules-7.0.1\capa-rules-7.0.1 1c444ebeba24dcba8628b7dfe5fec7c6.exe
md5                     1c444ebeba24dcba8628b7dfe5fec7c6
sha1                    ebdec120fbbdbff28ebd6accc85d05f7ccabf461
sha256                  a9f9e5a30cc858dc135ec428cdd68cb06143732e5c62c4dc4b359c8abc11d74b
path                    E:/extraproj/capa/1c444ebeba24dcba8628b7dfe5fec7c6.exe
timestamp               2024-03-16 23:55:17.310730
capa version            7.0.1
os                      any
format                  pe
arch                    any
analysis                static
extractor               DnfileFeatureExtractor
base address            global
rules                   E:/capa-rules-7.0.1/capa-rules-7.0.1
function count          150
library function count  0
total feature count     4309

create or open registry key (2 matches, only showing first match of library rule)
author       michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
scope        basic block
mbc          Operating System::Registry::Create Registry Key [C0036.004], Operating System::Registry::Open Registry Key [C0036.003]
basic block @ token(0x6000062) in function token(0x6000062)
  or:
    api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000062)+0xB

save image in .NET
namespace    collection
author       michael.hunhoff@mandiant.com
scope        function
function @ token(0x600006D)
  and:
    api: System.Drawing.Image::Save @ token(0x600006D)+0x11
    optional:
      class: System.Drawing.Imaging.ImageFormat @ token(0x600006D)+0xC

capture screenshot
namespace    collection/screenshot
author       moritz.raabe@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com
scope        function
att&ck       Collection::Screen Capture [T1113]
mbc          Collection::Screen Capture::WinAPI [E1113.m01]
function @ token(0x6000073)
  or:
    and:
      or:
        api: GetWindowDC @ token(0x6000073)+0x1
      or:
        api: BitBlt @ token(0x6000073)+0x63
      api: CreateCompatibleDC @ token(0x6000073)+0x39
      api: CreateCompatibleBitmap @ token(0x6000073)+0x43

send data (2 matches)
namespace    communication
author       william.ballenthin@mandiant.com, joakim@intezer.com
scope        function
mbc          Command and Control::C2 Communication::Send Data [B0030.001]
description  all known techniques for sending data to a potential C2 server
function @ token(0x6000096)
  or:
    and:
      os: windows
      or:
        match: send HTTP request @ token(0x6000096)
          or:
            api: System.Net.WebRequest::GetResponse @ token(0x6000096)+0x4D0
function @ token(0x600009B)
  or:
    and:
      os: windows
      or:
        match: send HTTP request @ token(0x600009B)
          or:
            api: System.Net.WebRequest::GetResponse @ token(0x600009B)+0x7C

set web proxy in .NET
namespace    communication/http
author       michael.hunhoff@mandiant.com
scope        function
function @ token(0x6000096)
  and:
    property/write: System.Net.WebRequest::Proxy @ token(0x6000096)+0x20

create HTTP request (2 matches)
namespace    communication/http/client
author       michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
scope        function
mbc          Communication::HTTP Communication::Create Request [C0002.012]
function @ token(0x6000096)
  and:
    or:
      api: System.Net.WebRequest::Create @ token(0x6000096)+0x7
function @ token(0x600009B)
  and:
    or:
      api: System.Net.WebRequest::Create @ token(0x600009B)+0x6E

receive HTTP response (2 matches)
namespace    communication/http/client
author       michael.hunhoff@mandiant.com
scope        function
mbc          Communication::HTTP Communication::Get Response [C0002.017]
function @ token(0x6000096)
  or:
    api: System.Net.WebRequest::GetResponse @ token(0x6000096)+0x4D0
function @ token(0x600009B)
  or:
    api: System.Net.WebRequest::GetResponse @ token(0x600009B)+0x7C

send HTTP request (2 matches)
namespace    communication/http/client
author       moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
scope        function
mbc          Communication::HTTP Communication::Send Request [C0002.003]
function @ token(0x6000096)
  or:
    api: System.Net.WebRequest::GetResponse @ token(0x6000096)+0x4D0
function @ token(0x600009B)
  or:
    api: System.Net.WebRequest::GetResponse @ token(0x600009B)+0x7C

send request in .NET
namespace    communication/http/client
author       anushka.virgaonakr@mandiant.com
scope        function
att&ck       Command and Control::Application Layer Protocol::Web Protocols [T1071.001]
mbc          Communication::HTTP Communication::Send Request [C0002.003]
function @ token(0x6000096)
  and:
    api: System.IO.Stream::Write @ token(0x6000096)+0x2B0, token(0x6000096)+0x314, token(0x6000096)+0x322, token(0x6000096)+0x341, and 8 more...
    api: System.IO.Stream::Close @ token(0x6000096)+0x435, token(0x6000096)+0x4CA, token(0x6000096)+0x4FF
    or:
      api: System.Net.WebRequest::GetRequestStream @ token(0x6000096)+0x2A0

act as TCP client
namespace    communication/tcp/client
author       william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com
scope        function
mbc          Communication::Socket Communication::TCP Client [C0001.008]
function @ token(0x600008A)
  or:
    api: System.Net.Sockets.TcpClient::ctor @ token(0x600008A)+0x26

decode data using Base64 in .NET
namespace    data-manipulation/encoding/base64
author       michael.hunhoff@mandiant.com
scope        function
att&ck       Defense Evasion::Deobfuscate/Decode Files or Information [T1140]
mbc          Data::Decode Data::Base64 [C0053.001]
function @ token(0x6000023)
  or:
    api: System.Convert::FromBase64String @ token(0x6000023)+0xC

encode data using Base64 (11 matches)
namespace    data-manipulation/encoding/base64
author       moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com
scope        function
att&ck       Defense Evasion::Obfuscated Files or Information [T1027]
mbc          Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02], Data::Encode Data::Base64 [C0026.001]
function @ token(0x600001B)
  or:
    api: System.Convert::ToBase64String @ token(0x600001B)+0x30
function @ token(0x6000028)
  or:
    api: System.Convert::ToBase64String @ token(0x6000028)+0x40
function @ token(0x600002C)
  or:
    api: System.Convert::ToBase64String @ token(0x600002C)+0x17
function @ token(0x600002F)
  or:
    api: System.Convert::ToBase64String @ token(0x600002F)+0x40
function @ token(0x6000034)
  or:
    api: System.Convert::ToBase64String @ token(0x6000034)+0x40
function @ token(0x6000039)
  or:
    api: System.Convert::ToBase64String @ token(0x6000039)+0x40
function @ token(0x600003E)
  or:
    api: System.Convert::ToBase64String @ token(0x600003E)+0x40
function @ token(0x6000048)
  or:
    api: System.Convert::ToBase64String @ token(0x6000048)+0x40
function @ token(0x600004E)
  or:
    api: System.Convert::ToBase64String @ token(0x600004E)+0x40
function @ token(0x6000064)
  or:
    api: System.Convert::ToBase64String @ token(0x6000064)+0x17
function @ token(0x60000A0)
  or:
    api: System.Convert::ToBase64String @ token(0x60000A0)+0x3E

hash data with MD5
namespace    data-manipulation/hashing/md5
author       moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com
scope        function
mbc          Cryptography::Cryptographic Hash::MD5 [C0029.001]
references   https://github.com/rwfpl/rewolf-x86-virtualizer/blob/master/src/test_app/main.cpp
function @ token(0x600001D)
  or:
    and:
      format: dotnet
      or:
        api: System.Security.Cryptography.MD5::Create @ token(0x600001D)+0x0
      optional:
        api: System.Security.Cryptography.HashAlgorithm::ComputeHash @ token(0x600001D)+0x14

manipulate console buffer
namespace    host-interaction/console
author       william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com
scope        function
mbc          Operating System::Console [C0033]
references   https://stackoverflow.com/a/15770935/87207
function @ token(0x600009B)
  or:
    api: System.Console::WriteLine @ token(0x600009B)+0x2C

get common file path
namespace    host-interaction/file-system
author       moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
scope        function
att&ck       Discovery::File and Directory Discovery [T1083]
mbc          Discovery::File and Directory Discovery [E1083]
function @ token(0x6000069)
  or:
    api: System.Environment::GetFolderPath @ token(0x6000069)+0x3

create directory (2 matches)
namespace    host-interaction/file-system/create
author       moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
scope        function
mbc          File System::Create Directory [C0046]
function @ token(0x600003A)
  or:
    api: System.IO.Directory::CreateDirectory @ token(0x600003A)+0x6
function @ token(0x600006B)
  or:
    api: System.IO.Directory::CreateDirectory @ token(0x600006B)+0x13

delete directory
namespace    host-interaction/file-system/delete
author       moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
scope        function
mbc          File System::Delete Directory [C0048]
function @ token(0x6000035)
  or:
    api: System.IO.Directory::Delete @ token(0x6000035)+0x7

delete file
namespace    host-interaction/file-system/delete
author       moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
scope        function
mbc          File System::Delete File [C0047]
function @ token(0x6000030)
  or:
    api: System.IO.File::Delete @ token(0x6000030)+0x6

check if directory exists
namespace    host-interaction/file-system/exists
author       michael.hunhoff@mandiant.com
scope        function
att&ck       Discovery::File and Directory Discovery [T1083]
function @ token(0x600006B)
  or:
    api: System.IO.Directory::Exists @ token(0x600006B)+0x6

check if file exists
namespace    host-interaction/file-system/exists
author       moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
scope        function
att&ck       Discovery::File and Directory Discovery [T1083]
mbc          Discovery::File and Directory Discovery [E1083]
function @ token(0x600009B)
  or:
    api: System.IO.File::Exists @ token(0x600009B)+0x52

enumerate files in .NET (2 matches)
namespace    host-interaction/file-system/files/list
author       moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com
scope        function
att&ck       Discovery::File and Directory Discovery [T1083]
mbc          Discovery::File and Directory Discovery [E1083]
references   https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b163f873a41b
function @ token(0x600002A)
  or:
    api: System.IO.DirectoryInfo::GetDirectories @ token(0x600002A)+0x6
function @ token(0x600002B)
  or:
    api: System.IO.DirectoryInfo::GetFiles @ token(0x600002B)+0x6

get file size (2 matches)
namespace    host-interaction/file-system/meta
author       michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
scope        function
att&ck       Discovery::File and Directory Discovery [T1083]
mbc          Discovery::File and Directory Discovery [E1083]
function @ token(0x600002B)
  or:
    property/read: System.IO.FileInfo::Length @ token(0x600002B)+0x40
function @ token(0x6000096)
  or:
    property/read: System.IO.FileInfo::Length @ token(0x6000096)+0x257

create a process with modified I/O handles and window
namespace    host-interaction/process/create
author       matthew.williams@mandiant.com, anushka.virgaonkar@mandiant.com
scope        function
mbc          Process::Create Process [C0017]
references   https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa
function @ token(0x6000081)
  or:
    and:
      api: System.Diagnostics.Process::Start @ token(0x6000081)+0xB2
      or:
        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000081)+0x7A
        property/write: System.Diagnostics.ProcessStartInfo::WorkingDirectory @ token(0x6000081)+0x96
        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000081)+0x4A
        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000081)+0x86
        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000081)+0x62
        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardInput @ token(0x6000081)+0x56

create process on Windows (2 matches)
namespace    host-interaction/process/create
author       moritz.raabe@mandiant.com
scope        basic block
mbc          Process::Create Process [C0017]
basic block @ token(0x6000044) in function token(0x6000044)
  or:
    api: System.Diagnostics.Process::Start @ token(0x6000044)+0x6
basic block @ token(0x6000081) in function token(0x6000081)
  or:
    api: System.Diagnostics.Process::Start @ token(0x6000081)+0xB2

query or enumerate registry key (2 matches)
namespace    host-interaction/registry
author       michael.hunhoff@mandiant.com
scope        function
att&ck       Discovery::Query Registry [T1012]
mbc          Operating System::Registry::Query Registry Key [C0036.005]
function @ token(0x6000062)
  and:
    optional:
      match: create or open registry key @ token(0x6000062)
        or:
          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000062)+0xB
    or:
      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000062)+0xB
function @ token(0x6000063)
  and:
    optional:
      match: create or open registry key @ token(0x6000063)
        or:
          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000063)+0x1E
    or:
      api: Microsoft.Win32.RegistryKey::GetSubKeyNames @ token(0x6000063)+0x6
      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000063)+0x1E

query or enumerate registry value
namespace    host-interaction/registry
author       william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
scope        function
att&ck       Discovery::Query Registry [T1012]
mbc          Operating System::Registry::Query Registry Value [C0036.006]
function @ token(0x6000063)
  and:
    optional:
      match: create or open registry key @ token(0x6000063)
        or:
          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000063)+0x1E
    or:
      api: Microsoft.Win32.RegistryKey::GetValue @ token(0x6000063)+0x45, token(0x6000063)+0x5D, token(0x6000063)+0x75, token(0x6000063)+0x8D

create thread (6 matches)
namespace    host-interaction/thread/create
author       moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, joakim@intezer.com, anushka.virgaonkar@mandiant.com
scope        basic block
mbc          Process::Create Thread [C0038]
basic block @ token(0x6000081) in function token(0x6000081)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000081)+0xE0, token(0x6000081)+0x10D
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000081)+0xCA, token(0x6000081)+0xF7
basic block @ token(0x6000087) in function token(0x6000087)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000087)+0x4A
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000087)+0x3A
basic block @ token(0x600008C) in function token(0x600008C)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x600008C)+0x54
      optional:
        api: System.Threading.Thread::ctor @ token(0x600008C)+0x2F
basic block @ token(0x6000094) in function token(0x6000094)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000094)+0x41
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000094)+0x30
basic block @ token(0x6000095) in function token(0x6000095)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000095)+0x41
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000095)+0x30
basic block @ token(0x600009A) in function token(0x600009A)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x600009A)+0x50
      optional:
        api: System.Threading.Thread::ctor @ token(0x600009A)+0x30

suspend thread (5 matches)
namespace    host-interaction/thread/suspend
author       0x534a@mailbox.org, anushka.virgaonkar@mandiant.com
scope        basic block
mbc          Process::Suspend Thread [C0055]
basic block @ token(0x6000084) in function token(0x6000084)
  or:
    api: System.Threading.Thread::Sleep @ token(0x6000084)+0x78, token(0x6000084)+0x85
basic block @ token(0x6000085) in function token(0x6000085)
  or:
    api: System.Threading.Thread::Sleep @ token(0x6000085)+0x78, token(0x6000085)+0x85
basic block @ token(0x600008A) in function token(0x600008A)
  or:
    api: System.Threading.Thread::Sleep @ token(0x600008A)+0x5, token(0x600008A)+0xBB, token(0x600008A)+0x11D, token(0x600008A)+0x126
basic block @ token(0x600008F) in function token(0x600008F)
  or:
    api: System.Threading.Thread::Sleep @ token(0x600008F)+0x1
basic block @ token(0x6000091) in function token(0x6000091)
  or:
    api: System.Threading.Thread::Sleep @ token(0x6000091)+0x69

unmanaged call (2 matches)
namespace    runtime
author       michael.hunhoff@mandiant.com
scope        function
description  managed code calls unmanaged (native) code, often seen in .NET
function @ token(0x6000072)
  or:
    characteristic: unmanaged call @ token(0x6000072)+0x1
function @ token(0x6000073)
  or:
    characteristic: unmanaged call @ token(0x6000073)+0x1, token(0x6000073)+0x12, token(0x6000073)+0x39, token(0x6000073)+0x43, and 6 more...

compiled to the .NET platform
namespace    runtime/dotnet
author       william.ballenthin@mandiant.com
scope        file
or:
  format: dotnet
```
samadpls commented 6 months ago

> Are you out of hard-drive space?

Hi @mr-tz, thanks for noticing. Yes, I noticed that my cache was full somehow, so I ran it on Windows and got the log

mike-hunhoff commented 6 months ago

> > Looks good @samadpls. Please verify that the -vv output from capa's standalone tool lists .NET as the format in the metadata section by posting the output here. You can use one of the .NET samples from capa/test-files.
>
> @mike-hunhoff, sorry for responding late; I was busy with academic work. Here is the output I got after running the following command
>
> ```
> format                  pe
> ...
> create or open registry key (2 matches, only showing first match of library rule)
> ...
> save image in .NET
> ...
> ```
>
> full log
>
> ```
> capa -vv -r E:\capa-rules-7.0.1\capa-rules-7.0.1  1c444ebeba24dcba8628b7dfe5fec7c6.exe
> md5                     1c444ebeba24dcba8628b7dfe5fec7c6
> sha1                    ebdec120fbbdbff28ebd6accc85d05f7ccabf461
> sha256                  a9f9e5a30cc858dc135ec428cdd68cb06143732e5c62c4dc4b359c8abc11d74b
> path                    E:/extraproj/capa/1c444ebeba24dcba8628b7dfe5fec7c6.exe
> timestamp               2024-03-16 23:55:17.310730
> capa version            7.0.1
> os                      any
> format                  pe
> arch                    any
> analysis                static
> extractor               DnfileFeatureExtractor
> base address            global
> rules                   E:/capa-rules-7.0.1/capa-rules-7.0.1
> function count          150
> library function count  0
> total feature count     4309
>
> [...]
> ```

Thank you for providing the output. Following the changes that you've made in this PR I'd expect capa's output to list `format: dotnet`, not `format: pe`, e.g. expected output for a .NET file:

```
capa -vv -r E:\capa-rules-7.0.1\capa-rules-7.0.1  1c444ebeba24dcba8628b7dfe5fec7c6.exe
md5                     1c444ebeba24dcba8628b7dfe5fec7c6
sha1                    ebdec120fbbdbff28ebd6accc85d05f7ccabf461
sha256                  a9f9e5a30cc858dc135ec428cdd68cb06143732e5c62c4dc4b359c8abc11d74b
path                    E:/extraproj/capa/1c444ebeba24dcba8628b7dfe5fec7c6.exe
timestamp               2024-03-16 23:55:17.310730
capa version            7.0.1
os                      any
format                  dotnet
arch                    any
[...]
```

I'm unsure based solely on the output of the command whether you're running the existing capa standalone tool or capa with the changes that you've made in this PR. Can you confirm that you have installed capa locally for development and that you are running capa with the changes that you've made in this PR?
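The reason the reviewer expects `format: dotnet` rather than `format: pe` is that every .NET assembly is also a well-formed PE file, so the order in which an analyzer tries its format checks decides what it reports: if the generic PE check runs first it always wins. The following is an added example, not capa's own code (capa relies on pefile and dnfile for this); it walks a PE header by hand, looks for the CLR runtime header entry (data directory index 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR), and shows the same constructed header-only sample classified both ways. The function names, the `dotnet_first` switch and the `build_pe` sample builder are assumptions made for this example.

```python
import struct

# Index of the CLR runtime header in the optional header's data directory
# table (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR). A non-empty entry marks a
# .NET assembly; a native PE leaves it zeroed.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B

FORMAT_DOTNET = "dotnet"
FORMAT_PE = "pe"
FORMAT_UNKNOWN = "unknown"


def is_pe(data: bytes) -> bool:
    """True if data carries an MZ stub whose e_lfanew points at a PE signature."""
    try:
        if data[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    except struct.error:            # truncated before e_lfanew
        return False


def _clr_directory(data: bytes):
    """Return (VirtualAddress, Size) of the CLR header directory, or None when
    the file is not a PE or its directory table is too short to hold entry 14."""
    if not is_pe(data):
        return None
    try:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        coff = e_lfanew + 4                       # IMAGE_FILE_HEADER follows "PE\0\0"
        (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
        opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == PE32_MAGIC:
            dirs = opt + 96                       # data directories start at +96 for PE32
        elif magic == PE32PLUS_MAGIC:
            dirs = opt + 112                      # and at +112 for PE32+
        else:
            return None
        (num_dirs,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
        idx = IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        # a linker may emit fewer than 16 directories: never read past the table
        if num_dirs <= idx or size_of_optional < (dirs - opt) + (idx + 1) * 8:
            return None
        return struct.unpack_from("<II", data, dirs + idx * 8)
    except struct.error:
        return None


def is_dotnet(data: bytes) -> bool:
    entry = _clr_directory(data)
    return entry is not None and entry[0] != 0 and entry[1] != 0


def detect_format(data: bytes, dotnet_first: bool = True) -> str:
    """Report the most specific format. Check order is the whole point: a .NET
    assembly satisfies is_pe too, so with the PE check first the result is
    the plain 'pe' that the reviewer above did not want to see."""
    checks = [(FORMAT_DOTNET, is_dotnet), (FORMAT_PE, is_pe)]
    if not dotnet_first:
        checks.reverse()
    for name, predicate in checks:
        if predicate(data):
            return name
    return FORMAT_UNKNOWN


def build_pe(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed sample input: a header-only PE image (not loadable) with or
    without a CLR directory entry, enough for the header walk above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew: right after the DOS header
    dirs_off = 112 if pe32plus else 96
    opt = bytearray(dirs_off + 16 * 8)                   # optional header with 16 directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, dirs_off - 4, 16)        # NumberOfRvaAndSizes
    if dotnet:
        # constructed RVA/size pair; any non-zero values mark the CLR header as present
        struct.pack_into("<II", opt, dirs_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, 0x2008, 0x48)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = [("dotnet PE32", build_pe(True)), ("native PE32", build_pe(False)),
               ("dotnet PE32+", build_pe(True, pe32plus=True))]
    for label, sample in samples:
        print(f"{label:13} dotnet-first={detect_format(sample):7} "
              f"pe-first={detect_format(sample, dotnet_first=False)}")
```

Running it prints the .NET samples as `dotnet` only under the dotnet-first ordering and as `pe` under the reversed one, while the native sample is `pe` either way; truncated or non-PE input falls through to `unknown` instead of raising, which is the behaviour a format sniffer needs when it is fed arbitrary files.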

samadpls commented 6 months ago

@mike-hunhoff, you were right. I was in the master branch and running the command. I apologize for the oversight. Here is the expected log:

```
capa 1c444ebeba24dcba8628b7dfe5fec7c6.exe_ -vv -r ./rules/
md5                     1c444ebeba24dcba8628b7dfe5fec7c6
sha1                    ebdec120fbbdbff28ebd6accc85d05f7ccabf461
sha256                  a9f9e5a30cc858dc135ec428cdd68cb06143732e5c62c4dc4b359c8abc11d74b
path                    E:/extraproj/capa/1c444ebeba24dcba8628b7dfe5fec7c6.exe_
timestamp               2024-03-18 23:54:18.048229
capa version            7.0.1
os                      any
format                  dotnet
arch                    any
analysis                static
extractor               DnfileFeatureExtractor
base address            global
rules                   E:/extraproj/capa/rules
function count          150
library function count  0
total feature count     4309
[...]
```
full log ``` capa 1c444ebeba24dcba8628b7dfe5fec7c6.exe_ -vv -r ./rules/ md5 1c444ebeba24dcba8628b7dfe5fec7c6 sha1 ebdec120fbbdbff28ebd6accc85d05f7ccabf461 sha256 a9f9e5a30cc858dc135ec428cdd68cb06143732e5c62c4dc4b359c8abc11d74b path E:/extraproj/capa/1c444ebeba24dcba8628b7dfe5fec7c6.exe_ timestamp 2024-03-18 23:54:18.048229 capa version 7.0.1 os any format dotnet arch any analysis static extractor DnfileFeatureExtractor base address global rules E:/extraproj/capa/rules function count 150 library function count 0 total feature count 4309 create or open registry key (2 matches, only showing first match of library rule) author michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com scope basic block mbc Operating System::Registry::Create Registry Key [C0036.004], Operating System::Registry::Open Registry Key [C0036.003] basic block @ token(0x6000062) in function token(0x6000062) or: api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000062)+0xB save image in .NET namespace collection author michael.hunhoff@mandiant.com scope function function @ token(0x600006D) and: api: System.Drawing.Image::Save @ token(0x600006D)+0x11 optional: class: System.Drawing.Imaging.ImageFormat @ token(0x600006D)+0xC capture screenshot namespace collection/screenshot author moritz.raabe@mandiant.com, @_re_fox, michael.hunhoff@mandiant.com scope function att&ck Collection::Screen Capture [T1113] mbc Collection::Screen Capture::WinAPI [E1113.m01] function @ token(0x6000073) or: and: or: api: GetWindowDC @ token(0x6000073)+0x1 or: api: BitBlt @ token(0x6000073)+0x63 api: CreateCompatibleDC @ token(0x6000073)+0x39 api: CreateCompatibleBitmap @ token(0x6000073)+0x43 send data (2 matches) namespace communication author william.ballenthin@mandiant.com, joakim@intezer.com scope function mbc Command and Control::C2 Communication::Send Data [B0030.001] description all known techniques for sending data to a potential C2 server function @ token(0x6000096) or: and: os: windows or: match: send 
HTTP request @ token(0x6000096) or: api: System.Net.WebRequest::GetResponse @ token(0x6000096)+0x4D0 function @ token(0x600009B) or: and: os: windows or: match: send HTTP request @ token(0x600009B) or: api: System.Net.WebRequest::GetResponse @ token(0x600009B)+0x7C set web proxy in .NET namespace communication/http author michael.hunhoff@mandiant.com scope function function @ token(0x6000096) and: property/write: System.Net.WebRequest::Proxy @ token(0x6000096)+0x20 create HTTP request (2 matches) namespace communication/http/client author michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com scope function mbc Communication::HTTP Communication::Create Request [C0002.012] function @ token(0x6000096) and: or: api: System.Net.WebRequest::Create @ token(0x6000096)+0x7 function @ token(0x600009B) and: or: api: System.Net.WebRequest::Create @ token(0x600009B)+0x6E receive HTTP response (2 matches) namespace communication/http/client author michael.hunhoff@mandiant.com scope function mbc Communication::HTTP Communication::Get Response [C0002.017] function @ token(0x6000096) or: api: System.Net.WebRequest::GetResponse @ token(0x6000096)+0x4D0 function @ token(0x600009B) or: api: System.Net.WebRequest::GetResponse @ token(0x600009B)+0x7C send HTTP request (2 matches) namespace communication/http/client author moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com scope function mbc Communication::HTTP Communication::Send Request [C0002.003] function @ token(0x6000096) or: api: System.Net.WebRequest::GetResponse @ token(0x6000096)+0x4D0 function @ token(0x600009B) or: api: System.Net.WebRequest::GetResponse @ token(0x600009B)+0x7C send request in .NET namespace communication/http/client author anushka.virgaonakr@mandiant.com scope function att&ck Command and Control::Application Layer Protocol::Web Protocols [T1071.001] mbc Communication::HTTP Communication::Send Request [C0002.003] function @ token(0x6000096) and: api: System.IO.Stream::Write @ 
token(0x6000096)+0x2B0, token(0x6000096)+0x314, token(0x6000096)+0x322, token(0x6000096)+0x341, and 8 more... api: System.IO.Stream::Close @ token(0x6000096)+0x435, token(0x6000096)+0x4CA, token(0x6000096)+0x4FF or: api: System.Net.WebRequest::GetRequestStream @ token(0x6000096)+0x2A0 act as TCP client namespace communication/tcp/client author william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com scope function mbc Communication::Socket Communication::TCP Client [C0001.008] function @ token(0x600008A) or: api: System.Net.Sockets.TcpClient::ctor @ token(0x600008A)+0x26 decode data using Base64 in .NET namespace data-manipulation/encoding/base64 author michael.hunhoff@mandiant.com scope function att&ck Defense Evasion::Deobfuscate/Decode Files or Information [T1140] mbc Data::Decode Data::Base64 [C0053.001] function @ token(0x6000023) or: api: System.Convert::FromBase64String @ token(0x6000023)+0xC encode data using Base64 (11 matches) namespace data-manipulation/encoding/base64 author moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com scope function att&ck Defense Evasion::Obfuscated Files or Information [T1027] mbc Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm [E1027.m02], Data::Encode Data::Base64 [C0026.001] function @ token(0x600001B) or: api: System.Convert::ToBase64String @ token(0x600001B)+0x30 function @ token(0x6000028) or: api: System.Convert::ToBase64String @ token(0x6000028)+0x40 function @ token(0x600002C) or: api: System.Convert::ToBase64String @ token(0x600002C)+0x17 function @ token(0x600002F) or: api: System.Convert::ToBase64String @ token(0x600002F)+0x40 function @ token(0x6000034) or: api: System.Convert::ToBase64String @ token(0x6000034)+0x40 function @ token(0x6000039) or: api: System.Convert::ToBase64String @ token(0x6000039)+0x40 function @ token(0x600003E) or: api: System.Convert::ToBase64String @ token(0x600003E)+0x40 function @ token(0x6000048) or: api: 
System.Convert::ToBase64String @ token(0x6000048)+0x40 function @ token(0x600004E) or: api: System.Convert::ToBase64String @ token(0x600004E)+0x40 function @ token(0x6000064) or: api: System.Convert::ToBase64String @ token(0x6000064)+0x17 function @ token(0x60000A0) or: api: System.Convert::ToBase64String @ token(0x60000A0)+0x3E hash data with MD5 namespace data-manipulation/hashing/md5 author moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com, michael.hunhoff@mandiant.com scope function mbc Cryptography::Cryptographic Hash::MD5 [C0029.001] references https://github.com/rwfpl/rewolf-x86-virtualizer/blob/master/src/test_app/main.cpp function @ token(0x600001D) or: and: format: dotnet or: api: System.Security.Cryptography.MD5::Create @ token(0x600001D)+0x0 optional: api: System.Security.Cryptography.HashAlgorithm::ComputeHash @ token(0x600001D)+0x14 manipulate console buffer namespace host-interaction/console author william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com scope function mbc Operating System::Console [C0033] references https://stackoverflow.com/a/15770935/87207 function @ token(0x600009B) or: api: System.Console::WriteLine @ token(0x600009B)+0x2C get common file path namespace host-interaction/file-system author moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com scope function att&ck Discovery::File and Directory Discovery [T1083] mbc Discovery::File and Directory Discovery [E1083] function @ token(0x6000069) or: api: System.Environment::GetFolderPath @ token(0x6000069)+0x3 create directory (2 matches) namespace host-interaction/file-system/create author moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com scope function mbc File System::Create Directory [C0046] function @ token(0x600003A) or: api: System.IO.Directory::CreateDirectory @ token(0x600003A)+0x6 function @ token(0x600006B) or: api: System.IO.Directory::CreateDirectory @ token(0x600006B)+0x13 delete directory namespace 
host-interaction/file-system/delete
author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
scope      function
mbc        File System::Delete Directory [C0048]
function @ token(0x6000035)
  or:
    api: System.IO.Directory::Delete @ token(0x6000035)+0x7

delete file
namespace  host-interaction/file-system/delete
author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
scope      function
mbc        File System::Delete File [C0047]
function @ token(0x6000030)
  or:
    api: System.IO.File::Delete @ token(0x6000030)+0x6

check if directory exists
namespace  host-interaction/file-system/exists
author     michael.hunhoff@mandiant.com
scope      function
att&ck     Discovery::File and Directory Discovery [T1083]
function @ token(0x600006B)
  or:
    api: System.IO.Directory::Exists @ token(0x600006B)+0x6

check if file exists
namespace  host-interaction/file-system/exists
author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com
scope      function
att&ck     Discovery::File and Directory Discovery [T1083]
mbc        Discovery::File and Directory Discovery [E1083]
function @ token(0x600009B)
  or:
    api: System.IO.File::Exists @ token(0x600009B)+0x52

enumerate files in .NET (2 matches)
namespace  host-interaction/file-system/files/list
author     moritz.raabe@mandiant.com, anushka.virgaonkar@mandiant.com
scope      function
att&ck     Discovery::File and Directory Discovery [T1083]
mbc        Discovery::File and Directory Discovery [E1083]
references https://github.com/hfiref0x/TDL/blob/cc4b46ae1c939b14a22a734a727b163f873a41b
function @ token(0x600002A)
  or:
    api: System.IO.DirectoryInfo::GetDirectories @ token(0x600002A)+0x6
function @ token(0x600002B)
  or:
    api: System.IO.DirectoryInfo::GetFiles @ token(0x600002B)+0x6

get file size (2 matches)
namespace  host-interaction/file-system/meta
author     michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
scope      function
att&ck     Discovery::File and Directory Discovery [T1083]
mbc        Discovery::File and Directory Discovery [E1083]
function @ token(0x600002B)
  or:
    property/read: System.IO.FileInfo::Length @ token(0x600002B)+0x40
function @ token(0x6000096)
  or:
    property/read: System.IO.FileInfo::Length @ token(0x6000096)+0x257

create a process with modified I/O handles and window
namespace  host-interaction/process/create
author     matthew.williams@mandiant.com, anushka.virgaonkar@mandiant.com
scope      function
mbc        Process::Create Process [C0017]
references https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa
function @ token(0x6000081)
  or:
    and:
      api: System.Diagnostics.Process::Start @ token(0x6000081)+0xB2
      or:
        property/write: System.Diagnostics.ProcessStartInfo::UseShellExecute @ token(0x6000081)+0x7A
        property/write: System.Diagnostics.ProcessStartInfo::WorkingDirectory @ token(0x6000081)+0x96
        property/write: System.Diagnostics.ProcessStartInfo::FileName @ token(0x6000081)+0x4A
        property/write: System.Diagnostics.ProcessStartInfo::CreateNoWindow @ token(0x6000081)+0x86
        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardOutput @ token(0x6000081)+0x62
        property/write: System.Diagnostics.ProcessStartInfo::RedirectStandardInput @ token(0x6000081)+0x56

create process on Windows (2 matches)
namespace  host-interaction/process/create
author     moritz.raabe@mandiant.com
scope      basic block
mbc        Process::Create Process [C0017]
basic block @ token(0x6000044) in function token(0x6000044)
  or:
    api: System.Diagnostics.Process::Start @ token(0x6000044)+0x6
basic block @ token(0x6000081) in function token(0x6000081)
  or:
    api: System.Diagnostics.Process::Start @ token(0x6000081)+0xB2

query or enumerate registry key (2 matches)
namespace  host-interaction/registry
author     michael.hunhoff@mandiant.com
scope      function
att&ck     Discovery::Query Registry [T1012]
mbc        Operating System::Registry::Query Registry Key [C0036.005]
function @ token(0x6000062)
  and:
    optional:
      match: create or open registry key @ token(0x6000062)
        or:
          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000062)+0xB
    or:
      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000062)+0xB
function @ token(0x6000063)
  and:
    optional:
      match: create or open registry key @ token(0x6000063)
        or:
          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000063)+0x1E
    or:
      api: Microsoft.Win32.RegistryKey::GetSubKeyNames @ token(0x6000063)+0x6
      api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000063)+0x1E

query or enumerate registry value
namespace  host-interaction/registry
author     william.ballenthin@mandiant.com, michael.hunhoff@mandiant.com, anushka.virgaonkar@mandiant.com
scope      function
att&ck     Discovery::Query Registry [T1012]
mbc        Operating System::Registry::Query Registry Value [C0036.006]
function @ token(0x6000063)
  and:
    optional:
      match: create or open registry key @ token(0x6000063)
        or:
          api: Microsoft.Win32.RegistryKey::OpenSubKey @ token(0x6000063)+0x1E
    or:
      api: Microsoft.Win32.RegistryKey::GetValue @ token(0x6000063)+0x45, token(0x6000063)+0x5D, token(0x6000063)+0x75, token(0x6000063)+0x8D

create thread (6 matches)
namespace  host-interaction/thread/create
author     moritz.raabe@mandiant.com, michael.hunhoff@mandiant.com, joakim@intezer.com, anushka.virgaonkar@mandiant.com
scope      basic block
mbc        Process::Create Thread [C0038]
basic block @ token(0x6000081) in function token(0x6000081)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000081)+0xE0, token(0x6000081)+0x10D
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000081)+0xCA, token(0x6000081)+0xF7
basic block @ token(0x6000087) in function token(0x6000087)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000087)+0x4A
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000087)+0x3A
basic block @ token(0x600008C) in function token(0x600008C)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x600008C)+0x54
      optional:
        api: System.Threading.Thread::ctor @ token(0x600008C)+0x2F
basic block @ token(0x6000094) in function token(0x6000094)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000094)+0x41
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000094)+0x30
basic block @ token(0x6000095) in function token(0x6000095)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x6000095)+0x41
      optional:
        api: System.Threading.Thread::ctor @ token(0x6000095)+0x30
basic block @ token(0x600009A) in function token(0x600009A)
  or:
    and:
      api: System.Threading.Thread::Start @ token(0x600009A)+0x50
      optional:
        api: System.Threading.Thread::ctor @ token(0x600009A)+0x30

suspend thread (5 matches)
namespace  host-interaction/thread/suspend
author     0x534a@mailbox.org, anushka.virgaonkar@mandiant.com
scope      basic block
mbc        Process::Suspend Thread [C0055]
basic block @ token(0x6000084) in function token(0x6000084)
  or:
    api: System.Threading.Thread::Sleep @ token(0x6000084)+0x78, token(0x6000084)+0x85
basic block @ token(0x6000085) in function token(0x6000085)
  or:
    api: System.Threading.Thread::Sleep @ token(0x6000085)+0x78, token(0x6000085)+0x85
basic block @ token(0x600008A) in function token(0x600008A)
  or:
    api: System.Threading.Thread::Sleep @ token(0x600008A)+0x5, token(0x600008A)+0xBB, token(0x600008A)+0x11D, token(0x600008A)+0x126
basic block @ token(0x600008F) in function token(0x600008F)
  or:
    api: System.Threading.Thread::Sleep @ token(0x600008F)+0x1
basic block @ token(0x6000091) in function token(0x6000091)
  or:
    api: System.Threading.Thread::Sleep @ token(0x6000091)+0x69

unmanaged call (2 matches)
namespace  runtime
author     michael.hunhoff@mandiant.com
scope      function
description managed code calls unmanaged (native) code, often seen in .NET
function @ token(0x6000072)
  or:
    characteristic: unmanaged call @ token(0x6000072)+0x1
function @ token(0x6000073)
  or:
    characteristic: unmanaged call @ token(0x6000073)+0x1, token(0x6000073)+0x12, token(0x6000073)+0x39, token(0x6000073)+0x43, and 6 more...

compiled to the .NET platform
namespace  runtime/dotnet
author     william.ballenthin@mandiant.com
scope      file
  or:
    format: dotnet
```
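The log above shows the behaviour this PR is about: the metadata block reports `format pe` for a file that the file-scope rule "compiled to the .NET platform" matches on `format: dotnet`, because the extractor yields both `Format` features and the metadata takes the first one. The script below is an added illustration, not capa's code and not part of this thread: it distinguishes a .NET assembly from a native PE by checking the CLR runtime header entry (data directory 14, `IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR`) in the optional header, and returns the formats the file satisfies with the most specific one first, which is the ordering the PR establishes. capa itself relies on dnfile for this check; the hand-rolled header parse and the `build_minimal_pe` helper that fabricates header-only PE samples are assumptions made for a self-contained, offline example.

```python
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header (IMAGE_COR20_HEADER)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_optional_header(buf: bytes):
    """Return {'magic': int, 'data_directories': [(rva, size), ...]} for a
    well-formed PE header, or None for anything that is not one (bad MZ/PE
    signatures, unknown optional-header magic, or a truncated header)."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    (size_of_opt,) = struct.unpack_from("<H", buf, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    if size_of_opt < 2 or opt + size_of_opt > len(buf):
        return None
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic == PE32_MAGIC:
        num_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        num_off, dirs_off = 108, 112
    else:
        return None
    if num_off + 4 > size_of_opt:
        return None
    (num_dirs,) = struct.unpack_from("<I", buf, opt + num_off)  # NumberOfRvaAndSizes
    dirs = []
    for i in range(num_dirs):
        entry = dirs_off + i * 8
        if entry + 8 > size_of_opt:
            break  # header claims more directories than it has room for
        dirs.append(struct.unpack_from("<II", buf, opt + entry))
    return {"magic": magic, "data_directories": dirs}


def is_dotnet(buf: bytes) -> bool:
    """A PE is a .NET assembly when the CLR runtime header directory is present and non-zero."""
    hdr = parse_optional_header(buf)
    if hdr is None:
        return False
    dirs = hdr["data_directories"]
    if len(dirs) <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return False
    rva, size = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    return rva != 0 and size != 0


def detect_formats(buf: bytes) -> list:
    """Formats the buffer satisfies, most specific first: every .NET assembly is also a PE."""
    if parse_optional_header(buf) is None:
        return []
    return ["dotnet", "pe"] if is_dotnet(buf) else ["pe"]


def primary_format(buf: bytes) -> str:
    """The single format a report should name: the first (most specific) one."""
    formats = detect_formats(buf)
    return formats[0] if formats else "unknown"


def build_minimal_pe(clr_dir=None, pe32plus=False) -> bytes:
    """Constructed sample: DOS stub, PE signature, COFF header and a zeroed
    optional header with 16 data directories. No sections, so it cannot run,
    but it is enough for format detection. clr_dir=(rva, size) marks it .NET."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    num_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, num_off, 16)  # NumberOfRvaAndSizes
    if clr_dir is not None:
        struct.pack_into("<II", opt, dirs_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, *clr_dir)
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 0x2008 / 0x48 are an assumed RVA and the real size of IMAGE_COR20_HEADER.
    for label, sample in [
        ("managed PE32", build_minimal_pe(clr_dir=(0x2008, 0x48))),
        ("managed PE32+", build_minimal_pe(clr_dir=(0x2008, 0x48), pe32plus=True)),
        ("native PE32", build_minimal_pe()),
        ("not a PE", b"\x7fELF" + b"\0" * 60),
    ]:
        print(f"{label:14} formats={detect_formats(sample)} primary={primary_format(sample)}")
```

Against a real sample, replace the constructed buffers with `Path(p).read_bytes()`; the same header walk applies. The truncated-header branch matters in practice: a file cut off inside the optional header is reported as unknown rather than as a native PE, which is the conservative answer when the CLR directory could not be read.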
