From 9e12c563bc0d17725c2b360bb837a20e121f6bd8 Mon Sep 17 00:00:00 2001
From: Pratham Chauhan
Date: Wed, 29 Mar 2023 16:02:17 +0530
Subject: [PATCH] remove unused imports

---
 rules | 2 +-
 tests/data | 2 +-
 tests/test_result_document.py | 3 ---
 tmp0xt29tvs | 1 +
 4 files changed, 3 insertions(+), 5 deletions(-)
 create mode 100644 tmp0xt29tvs

diff --git a/rules b/rules
index aa2dc1137..4ca802336 160000
--- a/rules
+++ b/rules
@@ -1 +1 @@
-Subproject commit aa2dc1137dca05215f71a48926c56345cc462173
+Subproject commit 4ca802336320e9b2f1f524d5aa95ef102ad3c1e4
diff --git a/tests/data b/tests/data
index d19468ce0..3cbd7768c 160000
--- a/tests/data
+++ b/tests/data
@@ -1 +1 @@
-Subproject commit d19468ce08c1f887626971f6ff92b9ad28c32360
+Subproject commit 3cbd7768c27fbcc77dc46d8f7bddd16834e352f1
diff --git a/tests/test_result_document.py b/tests/test_result_document.py
index ad949bf06..c3c47f718 100644
--- a/tests/test_result_document.py
+++ b/tests/test_result_document.py
@@ -6,10 +6,7 @@
 # is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and limitations under the License.
-from typing import Dict, Tuple
-import textwrap
 import fixtures
-from fixtures import *
 import capa
 import capa.engine as ceng
diff --git a/tmp0xt29tvs b/tmp0xt29tvs
new file mode 100644
index 000000000..62db661f5
--- /dev/null
+++ b/tmp0xt29tvs
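Review bot: Removing `from fixtures import *` in the tests/test_result_document.py hunk may drop more than unused names — pytest only discovers fixtures defined in `fixtures.py` when they are bound in the test module's namespace (or registered by a conftest), so any test in this file that receives a fixture by parameter name or through `request.getfixturevalue` would fail collection with "fixture not found"; keeping `import fixtures` alone is not equivalent unless a conftest registers them, so please confirm the suite still collects. The import block continues past the end of the hunk, so later imports that may have depended on the star-import are not visible here. Separately, the diffstat shows this commit also adds the file `tmp0xt29tvs` and bumps the `rules` and `tests/data` submodule pointers, none of which belong in a "remove unused imports" change. The new file is a capa JSON result that embeds absolute paths under the author's home directory (`/home/ooprathamm/...`); it should be dropped from the commit and, if it is a by-product of running the tests, covered by `.gitignore`.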
@@ -0,0 +1 @@ +"{\"meta\": {\"timestamp\": \"2023-03-29T09:12:40.844121\", \"version\": \"5.0.0\", \"argv\": [\"/home/ooprathamm/Comding/capa/tests/data/Practical Malware Analysis Lab 01-01.dll_\", \"-j\"], \"sample\": {\"md5\": \"290934c61de9176ad682ffdd65f0a669\", \"sha1\": \"a4b35de71ca20fe776dc72d12fb2886736f43c22\", \"sha256\": \"f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba\", \"path\": \"/home/ooprathamm/Comding/capa/tests/data/Practical Malware Analysis Lab 01-01.dll_\"}, \"analysis\": {\"format\": \"pe\", \"arch\": \"i386\", \"os\": \"windows\", \"extractor\": \"VivisectFeatureExtractor\", \"rules\": [\"/home/ooprathamm/Comding/capa/rules\"], \"base_address\": {\"type\": \"absolute\", \"value\": 268435456}, \"layout\": {\"functions\": [{\"address\": {\"type\": \"absolute\", \"value\": 268439568}, \"matched_basic_blocks\": [{\"address\": {\"type\": \"absolute\", \"value\": 268439598}}, {\"address\": {\"type\": \"absolute\", \"value\": 268439692}}, {\"address\": {\"type\": \"absolute\", \"value\": 268439868}}, {\"address\": {\"type\": \"absolute\", \"value\": 268439892}}, {\"address\": {\"type\": \"absolute\", \"value\": 268439905}}, {\"address\": {\"type\": \"absolute\", \"value\": 268439929}}, {\"address\": {\"type\": \"absolute\", \"value\": 268440000}}, {\"address\": {\"type\": \"absolute\", \"value\": 268440040}}]}, {\"address\": {\"type\": \"absolute\", \"value\": 268440096}, \"matched_basic_blocks\": []}, {\"address\": {\"type\": \"absolute\", \"value\": 268440143}, \"matched_basic_blocks\": []}, {\"address\": {\"type\": \"absolute\", \"value\": 268440314}, \"matched_basic_blocks\": []}, {\"address\": {\"type\": \"absolute\", \"value\": 268440472}, \"matched_basic_blocks\": []}]}, \"feature_counts\": {\"file\": 127, \"functions\": [{\"address\": {\"type\": \"absolute\", \"value\": 268439568}, \"count\": 160}, {\"address\": {\"type\": \"absolute\", \"value\": 268440472}, \"count\": 7}]}, \"library_functions\": [{\"address\": 
{\"type\": \"absolute\", \"value\": 268440096}, \"name\": \"__alloca_probe\"}, {\"address\": {\"type\": \"absolute\", \"value\": 268440143}, \"name\": \"__CRT_INIT@12\"}, {\"address\": {\"type\": \"absolute\", \"value\": 268440314}, \"name\": \"__DllMainCRTStartup@12\"}]}}, \"rules\": {\"check mutex\": {\"meta\": {\"name\": \"check mutex\", \"namespace\": \"host-interaction/mutex\", \"authors\": [\"moritz.raabe@mandiant.com\", \"anushka.virgaonkar@mandiant.com\"], \"scope\": \"basic block\", \"attack\": [], \"mbc\": [{\"parts\": [\"Process\", \"Check Mutex\"], \"objective\": \"Process\", \"behavior\": \"Check Mutex\", \"method\": \"\", \"id\": \"C0043\"}], \"references\": [], \"examples\": [\"Practical Malware Analysis Lab 01-01.dll_:0x10001010\"], \"description\": \"\", \"lib\": false, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n meta:\\n name: check mutex\\n namespace: host-interaction/mutex\\n authors:\\n - moritz.raabe@mandiant.com\\n - anushka.virgaonkar@mandiant.com\\n scope: basic block\\n mbc:\\n - Process::Check Mutex [C0043]\\n examples:\\n - Practical Malware Analysis Lab 01-01.dll_:0x10001010\\n features:\\n - and:\\n - or:\\n - api: kernel32.OpenMutex\\n - match: create mutex\\n - api: System.Threading.Mutex::OpenExisting\\n - api: System.Threading.Mutex::TryOpenExisting\\n - optional:\\n - or:\\n - api: kernel32.GetLastError\\n - number: 2 = ERROR_FILE_NOT_FOUND\\n - number: 0xB7 = ERROR_ALREADY_EXISTS\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439598}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.OpenMutex\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439641}], \"captures\": {}}, {\"success\": false, 
\"node\": {\"feature\": {\"type\": \"match\", \"match\": \"create mutex\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Threading.Mutex::OpenExisting\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Threading.Mutex::TryOpenExisting\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"optional\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.GetLastError\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 2, \"description\": \"ERROR_FILE_NOT_FOUND\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 183, \"description\": \"ERROR_ALREADY_EXISTS\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}]]}, \"create TCP socket\": {\"meta\": {\"name\": \"create TCP socket\", \"namespace\": \"communication/socket/tcp\", \"authors\": [\"william.ballenthin@mandiant.com\", \"joakim@intezer.com\", \"anushka.virgaonkar@mandiant.com\"], \"scope\": \"basic block\", \"attack\": [], \"mbc\": [{\"parts\": [\"Communication\", \"Socket Communication\", \"Create TCP Socket\"], \"objective\": \"Communication\", \"behavior\": \"Socket Communication\", \"method\": \"Create TCP 
Socket\", \"id\": \"C0001.011\"}], \"references\": [], \"examples\": [\"Practical Malware Analysis Lab 01-01.dll_:0x10001010\"], \"description\": \"\", \"lib\": false, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n meta:\\n name: create TCP socket\\n namespace: communication/socket/tcp\\n authors:\\n - william.ballenthin@mandiant.com\\n - joakim@intezer.com\\n - anushka.virgaonkar@mandiant.com\\n scope: basic block\\n mbc:\\n - Communication::Socket Communication::Create TCP Socket [C0001.011]\\n examples:\\n - Practical Malware Analysis Lab 01-01.dll_:0x10001010\\n features:\\n - or:\\n - and:\\n - number: 6 = IPPROTO_TCP\\n - number: 1 = SOCK_STREAM\\n - number: 2 = AF_INET\\n - or:\\n - api: ws2_32.socket\\n - api: ws2_32.WSASocket\\n - api: socket\\n - property/read: System.Net.Sockets.TcpClient::Client\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439692}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"property\", \"access\": \"read\", \"property\": \"System.Net.Sockets.TcpClient::Client\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 6, \"description\": \"IPPROTO_TCP\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439692}], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 1, \"description\": \"SOCK_STREAM\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439694}], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 2, \"description\": \"AF_INET\"}, \"type\": \"feature\"}, \"children\": [], 
\"locations\": [{\"type\": \"absolute\", \"value\": 268439696}], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.socket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439698}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASocket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"socket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439698}], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}]]}, \"delay execution\": {\"meta\": {\"name\": \"delay execution\", \"authors\": [\"michael.hunhoff@mandiant.com\", \"@ramen0x3f\"], \"scope\": \"basic block\", \"attack\": [], \"mbc\": [{\"parts\": [\"Anti-Behavioral Analysis\", \"Dynamic Analysis Evasion\", \"Delayed Execution\"], \"objective\": \"Anti-Behavioral Analysis\", \"behavior\": \"Dynamic Analysis Evasion\", \"method\": \"Delayed Execution\", \"id\": \"B0003.003\"}], \"references\": [\"https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions\", \"https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/TimingAttacks/timing.cpp\"], \"examples\": [\"al-khaser_x86.exe_:0x449770\", \"B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402FA6\"], \"description\": \"\", \"lib\": true, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n meta:\\n name: delay execution\\n authors:\\n - michael.hunhoff@mandiant.com\\n - \\\"@ramen0x3f\\\"\\n lib: true\\n scope: basic block\\n mbc:\\n - Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution [B0003.003]\\n references:\\n - 
https://docs.microsoft.com/en-us/windows/win32/sync/wait-functions\\n - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/TimingAttacks/timing.cpp\\n examples:\\n - al-khaser_x86.exe_:0x449770\\n - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402FA6\\n features:\\n - or:\\n - and:\\n - os: windows\\n - or:\\n - api: kernel32.Sleep\\n - api: kernel32.SleepEx\\n - api: kernel32.WaitForSingleObject\\n - api: kernel32.SignalObjectAndWait\\n - api: kernel32.WaitForSingleObjectEx\\n - api: kernel32.WaitForMultipleObjects\\n - api: kernel32.WaitForMultipleObjectsEx\\n - api: kernel32.RegisterWaitForSingleObject\\n - api: WaitOnAddress\\n - api: user32.MsgWaitForMultipleObjects\\n - api: user32.MsgWaitForMultipleObjectsEx\\n - api: NtDelayExecution\\n - api: KeWaitForSingleObject\\n - api: KeDelayExecutionThread\\n - and:\\n - os: linux\\n - or:\\n - api: sleep\\n - api: usleep\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439892}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"os\", \"os\": \"linux\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"sleep\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"usleep\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": 
{\"feature\": {\"type\": \"os\", \"os\": \"windows\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"no address\"}], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.Sleep\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439897}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.SleepEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.WaitForSingleObject\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.SignalObjectAndWait\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.WaitForSingleObjectEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.WaitForMultipleObjects\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.WaitForMultipleObjectsEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.RegisterWaitForSingleObject\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"WaitOnAddress\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, 
{\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"user32.MsgWaitForMultipleObjects\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"user32.MsgWaitForMultipleObjectsEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"NtDelayExecution\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"KeWaitForSingleObject\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"KeDelayExecutionThread\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], [{\"type\": \"absolute\", \"value\": 268440000}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"os\", \"os\": \"linux\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"sleep\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"usleep\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}, 
{\"success\": true, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"os\", \"os\": \"windows\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"no address\"}], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.Sleep\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268440005}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.SleepEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.WaitForSingleObject\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.SignalObjectAndWait\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.WaitForSingleObjectEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.WaitForMultipleObjects\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.WaitForMultipleObjectsEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.RegisterWaitForSingleObject\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": 
{\"type\": \"api\", \"api\": \"WaitOnAddress\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"user32.MsgWaitForMultipleObjects\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"user32.MsgWaitForMultipleObjectsEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"NtDelayExecution\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"KeWaitForSingleObject\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"KeDelayExecutionThread\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}]]}, \"create process on Windows\": {\"meta\": {\"name\": \"create process on Windows\", \"namespace\": \"host-interaction/process/create\", \"authors\": [\"moritz.raabe@mandiant.com\"], \"scope\": \"basic block\", \"attack\": [], \"mbc\": [{\"parts\": [\"Process\", \"Create Process\"], \"objective\": \"Process\", \"behavior\": \"Create Process\", \"method\": \"\", \"id\": \"C0017\"}], \"references\": [], \"examples\": [\"9324D1A8AE37A36AE560C37448C9705A:0x406DB0\", \"Practical Malware Analysis Lab 01-04.exe_:0x4011FC\", \"692f7fd6d198e804d6af98eb9e390d61:0x6000003\"], \"description\": \"\", \"lib\": false, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n meta:\\n name: create process on Windows\\n namespace: host-interaction/process/create\\n authors:\\n - moritz.raabe@mandiant.com\\n scope: 
basic block\\n mbc:\\n - Process::Create Process [C0017]\\n examples:\\n - 9324D1A8AE37A36AE560C37448C9705A:0x406DB0\\n - Practical Malware Analysis Lab 01-04.exe_:0x4011FC\\n - 692f7fd6d198e804d6af98eb9e390d61:0x6000003\\n features:\\n - or:\\n - api: kernel32.WinExec\\n - api: kernel32.CreateProcess\\n - api: shell32.ShellExecute\\n - api: shell32.ShellExecuteEx\\n - api: advapi32.CreateProcessAsUser\\n - api: advapi32.CreateProcessWithLogon\\n - api: advapi32.CreateProcessWithToken\\n - api: kernel32.CreateProcessInternal\\n - api: ntdll.NtCreateUserProcess\\n - api: ntdll.NtCreateProcess\\n - api: ntdll.NtCreateProcessEx\\n - api: ntdll.ZwCreateProcess\\n - api: ZwCreateProcessEx\\n - api: ntdll.ZwCreateUserProcess\\n - api: ntdll.RtlCreateUserProcess\\n - api: System.Diagnostics.Process::Start\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439929}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.WinExec\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.CreateProcess\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439983}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"shell32.ShellExecute\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"shell32.ShellExecuteEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"advapi32.CreateProcessAsUser\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": 
\"api\", \"api\": \"advapi32.CreateProcessWithLogon\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"advapi32.CreateProcessWithToken\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.CreateProcessInternal\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ntdll.NtCreateUserProcess\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ntdll.NtCreateProcess\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ntdll.NtCreateProcessEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ntdll.ZwCreateProcess\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ZwCreateProcessEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ntdll.ZwCreateUserProcess\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ntdll.RtlCreateUserProcess\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Diagnostics.Process::Start\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], 
\"locations\": [], \"captures\": {}}]]}, \"create mutex\": {\"meta\": {\"name\": \"create mutex\", \"namespace\": \"host-interaction/mutex\", \"authors\": [\"moritz.raabe@mandiant.com\", \"michael.hunhoff@mandiant.com\"], \"scope\": \"function\", \"attack\": [], \"mbc\": [{\"parts\": [\"Process\", \"Create Mutex\"], \"objective\": \"Process\", \"behavior\": \"Create Mutex\", \"method\": \"\", \"id\": \"C0042\"}], \"references\": [], \"examples\": [\"Practical Malware Analysis Lab 01-01.dll_:0x10001010\"], \"description\": \"\", \"lib\": false, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n meta:\\n name: create mutex\\n namespace: host-interaction/mutex\\n authors:\\n - moritz.raabe@mandiant.com\\n - michael.hunhoff@mandiant.com\\n scope: function\\n mbc:\\n - Process::Create Mutex [C0042]\\n examples:\\n - Practical Malware Analysis Lab 01-01.dll_:0x10001010\\n features:\\n - or:\\n - api: kernel32.CreateMutex\\n - api: kernel32.CreateMutexEx\\n - api: System.Threading.Mutex::ctor\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439568}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.CreateMutex\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439662}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"kernel32.CreateMutexEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Threading.Mutex::ctor\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}]]}, \"contain loop\": {\"meta\": {\"name\": \"contain loop\", \"authors\": [\"moritz.raabe@mandiant.com\"], \"scope\": \"function\", \"attack\": [], \"mbc\": [], 
\"references\": [], \"examples\": [\"08AC667C65D36D6542917655571E61C8:0x406EAA\"], \"description\": \"\", \"lib\": true, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n meta:\\n name: contain loop\\n authors:\\n - moritz.raabe@mandiant.com\\n lib: true\\n scope: function\\n examples:\\n - 08AC667C65D36D6542917655571E61C8:0x406EAA\\n features:\\n - or:\\n - characteristic: loop\\n - characteristic: tight loop\\n - characteristic: recursive call\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439568}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"characteristic\", \"characteristic\": \"loop\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439568}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"characteristic\", \"characteristic\": \"tight loop\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"characteristic\", \"characteristic\": \"recursive call\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}]]}, \"receive data on socket\": {\"meta\": {\"name\": \"receive data on socket\", \"namespace\": \"communication/socket/receive\", \"authors\": [\"moritz.raabe@mandiant.com\", \"joakim@intezer.com\", \"michael.hunhoff@mandiant.com\"], \"scope\": \"function\", \"attack\": [], \"mbc\": [{\"parts\": [\"Communication\", \"Socket Communication\", \"Receive Data\"], \"objective\": \"Communication\", \"behavior\": \"Socket Communication\", \"method\": \"Receive Data\", \"id\": \"C0001.006\"}], \"references\": [], \"examples\": [\"Practical Malware Analysis Lab 01-01.dll_:0x10001010\"], \"description\": \"\", \"lib\": false, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n 
meta:\\n name: receive data on socket\\n namespace: communication/socket/receive\\n authors:\\n - moritz.raabe@mandiant.com\\n - joakim@intezer.com\\n - michael.hunhoff@mandiant.com\\n scope: function\\n mbc:\\n - Communication::Socket Communication::Receive Data [C0001.006]\\n examples:\\n - Practical Malware Analysis Lab 01-01.dll_:0x10001010\\n features:\\n - or:\\n - api: ws2_32.recv\\n - api: ws2_32.recvfrom\\n - api: ws2_32.WSARecv\\n - api: ws2_32.WSARecvDisconnect\\n - api: ws2_32.WSARecvEx\\n - api: ws2_32.WSARecvFrom\\n - api: ws2_32.WSARecvMsg\\n - api: recv\\n - api: System.Net.Sockets.Socket::Receive\\n - api: System.Net.Sockets.Socket::ReceiveAsync\\n - api: System.Net.Sockets.Socket::ReceiveFrom\\n - api: System.Net.Sockets.Socket::ReceiveFromAsync\\n - api: System.Net.Sockets.Socket::ReceiveMessageFrom\\n - api: System.Net.Sockets.Socket::ReceiveMessageFromAsync\\n - api: System.Net.Sockets.Socket::BeginReceive\\n - api: System.Net.Sockets.Socket::BeginReceiveFrom\\n - api: System.Net.Sockets.Socket::BeginReceiveMessageFrom\\n - api: System.Net.Sockets.Socket::EndReceive\\n - api: System.Net.Sockets.Socket::EndReceiveFrom\\n - api: System.Net.Sockets.Socket::EndReceiveMessageFrom\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439568}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.recv\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439858}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.recvfrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSARecv\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": 
{\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSARecvDisconnect\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSARecvEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSARecvFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSARecvMsg\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"recv\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439858}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::Receive\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::ReceiveAsync\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::ReceiveFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::ReceiveFromAsync\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::ReceiveMessageFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": 
\"System.Net.Sockets.Socket::ReceiveMessageFromAsync\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::BeginReceive\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::BeginReceiveFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::BeginReceiveMessageFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::EndReceive\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::EndReceiveFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::EndReceiveMessageFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}]]}, \"send data on socket\": {\"meta\": {\"name\": \"send data on socket\", \"namespace\": \"communication/socket/send\", \"authors\": [\"moritz.raabe@mandiant.com\", \"joakim@intezer.com\", \"anushka.virgaonkar@mandiant.com\"], \"scope\": \"function\", \"attack\": [], \"mbc\": [{\"parts\": [\"Communication\", \"Socket Communication\", \"Send Data\"], \"objective\": \"Communication\", \"behavior\": \"Socket Communication\", \"method\": \"Send Data\", \"id\": \"C0001.007\"}], \"references\": [], \"examples\": [\"Practical Malware Analysis Lab 01-01.dll_:0x10001010\"], \"description\": \"\", 
\"lib\": false, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n meta:\\n name: send data on socket\\n namespace: communication/socket/send\\n authors:\\n - moritz.raabe@mandiant.com\\n - joakim@intezer.com\\n - anushka.virgaonkar@mandiant.com\\n scope: function\\n mbc:\\n - Communication::Socket Communication::Send Data [C0001.007]\\n examples:\\n - Practical Malware Analysis Lab 01-01.dll_:0x10001010\\n features:\\n - or:\\n - api: ws2_32.send\\n - api: ws2_32.sendto\\n - api: ws2_32.WSASend\\n - api: ws2_32.WSASendMsg\\n - api: ws2_32.WSASendTo\\n - api: send\\n - api: System.Net.Sockets.Socket::Send\\n - api: System.Net.Sockets.Socket::SendAsync\\n - api: System.Net.Sockets.Socket::SendTo\\n - api: System.Net.Sockets.Socket::SendToAsync\\n - api: System.Net.Sockets.UdpClient::Send\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439568}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.send\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439809}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.sendto\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASend\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASendMsg\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASendTo\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"send\"}, 
\"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439809}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::Send\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::SendAsync\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::SendTo\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::SendToAsync\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.UdpClient::Send\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}]]}, \"initialize Winsock library\": {\"meta\": {\"name\": \"initialize Winsock library\", \"namespace\": \"communication/socket\", \"authors\": [\"michael.hunhoff@mandiant.com\"], \"scope\": \"function\", \"attack\": [], \"mbc\": [{\"parts\": [\"Communication\", \"Socket Communication\", \"Initialize Winsock Library\"], \"objective\": \"Communication\", \"behavior\": \"Socket Communication\", \"method\": \"Initialize Winsock Library\", \"id\": \"C0001.009\"}], \"references\": [], \"examples\": [\"6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10001D30\"], \"description\": \"\", \"lib\": false, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n meta:\\n name: initialize Winsock library\\n namespace: communication/socket\\n authors:\\n - michael.hunhoff@mandiant.com\\n scope: function\\n mbc:\\n - Communication::Socket Communication::Initialize 
Winsock Library [C0001.009]\\n examples:\\n - 6A352C3E55E8AE5ED39DC1BE7FB964B1:0x10001D30\\n features:\\n - and:\\n - api: ws2_32.WSAStartup\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439568}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSAStartup\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439678}], \"captures\": {}}], \"locations\": [], \"captures\": {}}]]}, \"receive data\": {\"meta\": {\"name\": \"receive data\", \"namespace\": \"communication\", \"authors\": [\"william.ballenthin@mandiant.com\"], \"scope\": \"function\", \"attack\": [], \"mbc\": [{\"parts\": [\"Command and Control\", \"C2 Communication\", \"Receive Data\"], \"objective\": \"Command and Control\", \"behavior\": \"C2 Communication\", \"method\": \"Receive Data\", \"id\": \"B0030.002\"}], \"references\": [], \"examples\": [\"BFB9B5391A13D0AFD787E87AB90F14F5:0x13145D60\"], \"description\": \"all known techniques for receiving data from a potential C2 server\", \"lib\": false, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n meta:\\n name: receive data\\n namespace: communication\\n authors:\\n - william.ballenthin@mandiant.com\\n description: all known techniques for receiving data from a potential C2 server\\n scope: function\\n mbc:\\n - Command and Control::C2 Communication::Receive Data [B0030.002]\\n examples:\\n - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145D60\\n features:\\n - or:\\n - match: receive data on socket\\n - match: read data from Internet\\n - match: download URL\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439568}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"receive data on socket\"}, 
\"type\": \"feature\"}, \"children\": [{\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.recv\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439858}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.recvfrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSARecv\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSARecvDisconnect\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSARecvEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSARecvFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSARecvMsg\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"recv\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439858}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::Receive\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::ReceiveAsync\"}, \"type\": \"feature\"}, \"children\": [], 
\"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::ReceiveFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::ReceiveFromAsync\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::ReceiveMessageFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::ReceiveMessageFromAsync\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::BeginReceive\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::BeginReceiveFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::BeginReceiveMessageFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::EndReceive\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::EndReceiveFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": 
\"System.Net.Sockets.Socket::EndReceiveMessageFrom\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [{\"type\": \"absolute\", \"value\": 268439568}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"read data from Internet\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"download URL\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}]]}, \"send data\": {\"meta\": {\"name\": \"send data\", \"namespace\": \"communication\", \"authors\": [\"william.ballenthin@mandiant.com\", \"joakim@intezer.com\"], \"scope\": \"function\", \"attack\": [], \"mbc\": [{\"parts\": [\"Command and Control\", \"C2 Communication\", \"Send Data\"], \"objective\": \"Command and Control\", \"behavior\": \"C2 Communication\", \"method\": \"Send Data\", \"id\": \"B0030.001\"}], \"references\": [], \"examples\": [\"BFB9B5391A13D0AFD787E87AB90F14F5:0x13145D60\"], \"description\": \"all known techniques for sending data to a potential C2 server\", \"lib\": false, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n meta:\\n name: send data\\n namespace: communication\\n authors:\\n - william.ballenthin@mandiant.com\\n - joakim@intezer.com\\n description: all known techniques for sending data to a potential C2 server\\n scope: function\\n mbc:\\n - Command and Control::C2 Communication::Send Data [B0030.001]\\n examples:\\n - BFB9B5391A13D0AFD787E87AB90F14F5:0x13145D60\\n features:\\n - or:\\n - and:\\n - os: windows\\n - or:\\n - match: send HTTP request\\n - match: send data on socket\\n - match: send file via HTTP\\n - and:\\n - os: linux\\n - or: # Require network bound socket.\\n - match: create TCP socket\\n - match: create UDP socket\\n - or:\\n - match: send 
HTTP request\\n - match: send data on socket\\n - match: send file via HTTP\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439568}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"os\", \"os\": \"windows\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"no address\"}], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"send HTTP request\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"send data on socket\"}, \"type\": \"feature\"}, \"children\": [{\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.send\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439809}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.sendto\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASend\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASendMsg\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASendTo\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], 
\"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"send\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439809}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::Send\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::SendAsync\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::SendTo\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::SendToAsync\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.UdpClient::Send\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [{\"type\": \"absolute\", \"value\": 268439568}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"send file via HTTP\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"os\", \"os\": \"linux\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, 
\"node\": {\"feature\": {\"type\": \"match\", \"match\": \"create TCP socket\"}, \"type\": \"feature\"}, \"children\": [{\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"property\", \"access\": \"read\", \"property\": \"System.Net.Sockets.TcpClient::Client\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 6, \"description\": \"IPPROTO_TCP\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439692}], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 1, \"description\": \"SOCK_STREAM\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439694}], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 2, \"description\": \"AF_INET\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439696}], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.socket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439698}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASocket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"socket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439698}], \"captures\": 
{}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [{\"type\": \"absolute\", \"value\": 268439692}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"create UDP socket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"send HTTP request\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"send data on socket\"}, \"type\": \"feature\"}, \"children\": [{\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.send\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439809}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.sendto\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASend\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASendMsg\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASendTo\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"send\"}, \"type\": \"feature\"}, 
\"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439809}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::Send\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::SendAsync\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::SendTo\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.Socket::SendToAsync\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.UdpClient::Send\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [{\"type\": \"absolute\", \"value\": 268439568}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"send file via HTTP\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}]]}, \"connect TCP socket\": {\"meta\": {\"name\": \"connect TCP socket\", \"namespace\": \"communication/socket/tcp\", \"authors\": [\"moritz.raabe@mandiant.com\", \"joakim@intezer.com\"], \"scope\": \"function\", \"attack\": [], \"mbc\": [{\"parts\": [\"Communication\", \"Socket Communication\", \"Connect Socket\"], \"objective\": \"Communication\", \"behavior\": \"Socket Communication\", \"method\": \"Connect Socket\", \"id\": \"C0001.004\"}], \"references\": [], \"examples\": [\"Practical 
Malware Analysis Lab 01-01.dll_:0x10001010\"], \"description\": \"\", \"lib\": false, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n meta:\\n name: connect TCP socket\\n namespace: communication/socket/tcp\\n authors:\\n - moritz.raabe@mandiant.com\\n - joakim@intezer.com\\n scope: function\\n mbc:\\n - Communication::Socket Communication::Connect Socket [C0001.004]\\n examples:\\n - Practical Malware Analysis Lab 01-01.dll_:0x10001010\\n features:\\n - and:\\n - match: create TCP socket\\n - or:\\n - api: connect\\n - api: ws2_32.connect\\n - api: ws2_32.WSAConnect\\n - api: ConnectEx\\n - and:\\n - basic block:\\n # candidate for GUID: WSAID_CONNECTEX/25a207b9-ddf3-4660-8ee9-76e58c74063e\\n - and:\\n - number: 0x25A207B9\\n - number: 0x4660DDF3\\n - number: 0xE576E98E\\n - number: 0x3E06748C\\n - basic block:\\n - and:\\n - api: WSAIoctl\\n - number: 0xC8000006 = SIO_GET_EXTENSION_FUNCTION_POINTER\\n - basic block:\\n - and:\\n - api: setsockopt\\n - number: 0xFFFF = SOL_SOCKET\\n - number: 0x7010 = SO_UPDATE_CONNECT_CONTEXT\\n # socket must be bound to ConnectEx\\n # https://gist.github.com/joeyadams/4158972\\n - api: bind\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439568}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"create TCP socket\"}, \"type\": \"feature\"}, \"children\": [{\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"property\", \"access\": \"read\", \"property\": \"System.Net.Sockets.TcpClient::Client\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"number\", 
\"number\": 6, \"description\": \"IPPROTO_TCP\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439692}], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 1, \"description\": \"SOCK_STREAM\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439694}], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 2, \"description\": \"AF_INET\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439696}], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.socket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439698}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASocket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"socket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439698}], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [{\"type\": \"absolute\", \"value\": 268439692}], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"connect\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439758}], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.connect\"}, \"type\": 
\"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439758}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSAConnect\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ConnectEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"connect TCP socket/ae22acdd40144f4eabc347889338d681\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"connect TCP socket/c7c2534615d84c1b9beafde678afeb40\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"connect TCP socket/44a4a4d414174889997c583987ef02df\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"bind\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}]]}, \"act as TCP client\": {\"meta\": {\"name\": \"act as TCP client\", \"namespace\": \"communication/tcp/client\", \"authors\": [\"william.ballenthin@mandiant.com\", \"michael.hunhoff@mandiant.com\"], \"scope\": \"function\", \"attack\": [], \"mbc\": [{\"parts\": [\"Communication\", \"Socket Communication\", \"TCP Client\"], \"objective\": \"Communication\", \"behavior\": \"Socket Communication\", \"method\": \"TCP Client\", \"id\": \"C0001.008\"}], \"references\": [], \"examples\": 
[\"Practical Malware Analysis Lab 01-01.dll_:0x10001010\"], \"description\": \"\", \"lib\": false, \"is_subscope_rule\": false, \"maec\": {}}, \"source\": \"rule:\\n meta:\\n name: act as TCP client\\n namespace: communication/tcp/client\\n authors:\\n - william.ballenthin@mandiant.com\\n - michael.hunhoff@mandiant.com\\n scope: function\\n mbc:\\n - Communication::Socket Communication::TCP Client [C0001.008]\\n examples:\\n - Practical Malware Analysis Lab 01-01.dll_:0x10001010\\n features:\\n - or:\\n - match: connect TCP socket\\n - api: System.Net.Sockets.TcpClient::ctor\\n\", \"matches\": [[{\"type\": \"absolute\", \"value\": 268439568}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"connect TCP socket\"}, \"type\": \"feature\"}, \"children\": [{\"success\": true, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"create TCP socket\"}, \"type\": \"feature\"}, \"children\": [{\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"property\", \"access\": \"read\", \"property\": \"System.Net.Sockets.TcpClient::Client\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 6, \"description\": \"IPPROTO_TCP\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439692}], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 1, \"description\": \"SOCK_STREAM\"}, \"type\": \"feature\"}, \"children\": [], 
\"locations\": [{\"type\": \"absolute\", \"value\": 268439694}], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"number\", \"number\": 2, \"description\": \"AF_INET\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439696}], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.socket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439698}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSASocket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"socket\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439698}], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [{\"type\": \"absolute\", \"value\": 268439692}], \"captures\": {}}, {\"success\": true, \"node\": {\"statement\": {\"type\": \"or\"}, \"type\": \"statement\"}, \"children\": [{\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"connect\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439758}], \"captures\": {}}, {\"success\": true, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.connect\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [{\"type\": \"absolute\", \"value\": 268439758}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"ws2_32.WSAConnect\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": 
{\"feature\": {\"type\": \"api\", \"api\": \"ConnectEx\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"statement\": {\"type\": \"and\"}, \"type\": \"statement\"}, \"children\": [{\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"connect TCP socket/ae22acdd40144f4eabc347889338d681\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"connect TCP socket/c7c2534615d84c1b9beafde678afeb40\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"match\", \"match\": \"connect TCP socket/44a4a4d414174889997c583987ef02df\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"bind\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}], \"locations\": [{\"type\": \"absolute\", \"value\": 268439568}], \"captures\": {}}, {\"success\": false, \"node\": {\"feature\": {\"type\": \"api\", \"api\": \"System.Net.Sockets.TcpClient::ctor\"}, \"type\": \"feature\"}, \"children\": [], \"locations\": [], \"captures\": {}}], \"locations\": [], \"captures\": {}}]]}}}\n" \ No newline at end of file