-
Notifications
You must be signed in to change notification settings - Fork 166
/
Copy pathhash-data-using-sha1.yml
42 lines (42 loc) · 1.87 KB
/
hash-data-using-sha1.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
rule:
meta:
name: hash data using SHA1
namespace: data-manipulation/hashing/sha1
authors:
- moritz.raabe@mandiant.com
- michael.hunhoff@mandiant.com
- william.ballenthin@mandiant.com
scopes:
static: function
dynamic: span of calls
mbc:
- Cryptography::Cryptographic Hash::SHA1 [C0029.002]
examples:
- D063B1804E8D2BB26BD2E097141C1BBC:0x4344D0
- 91B08896FBDA9EDB8B6F93A6BC811EC6:0x180004878
features:
- or:
- and:
- description: Magic initialization constants used in SHA1
- number: 0x67452301 = A, also used in MD5, RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320
- number: 0xEFCDAB89 = B, also used in MD5, RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320
- number: 0x98BADCFE = C, also used in MD5, RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320
- number: 0x10325476 = D, also used in MD5, RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320
- number: 0xC3D2E1F0 = likely SHA1 but also used in RIPEMD-160 and RIPEMD-320
- and:
- number: 0x5A827999 = K(t) (0 <= t <= 19), also used in RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320
- number: 0x6ED9EBA1 = K(t) (20 <= t <= 39), also used in RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320
- number: 0x8F1BBCDC = K(t) (40 <= t <= 59), also used in RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320
- number: 0xCA62C1D6 = K(t) (60 <= t <= 79), also used in RIPEMD-160 and RIPEMD-320
- basic block:
- and:
- number: 0x8004 = CALG_SHA1
- api: advapi32.CryptCreateHash
- call:
- and:
- number: 0x8004 = CALG_SHA1
- api: advapi32.CryptCreateHash
- and:
- api: System.Security.Cryptography.SHA1Managed::ctor
- optional:
- api: System.Security.Cryptography.HashAlgorithm::ComputeHash