def render_capabilities(doc, ostream): """ example:: +-------------------------------------------------------+-------------------------------------------------+ | CAPABILITY | NAMESPACE | |-------------------------------------------------------+-------------------------------------------------| | check for OutputDebugString error (2 matches) | anti-analysis/anti-debugging/debugger-detection | | read and send data from client to server | c2/file-transfer | | ... | ... | +-------------------------------------------------------+-------------------------------------------------+ """ rows = [] for rule in rutils.capability_rules(doc): count = len(rule["matches"]) if count == 1: capability = rutils.bold(rule["meta"]["name"]) else: capability = "%s (%d matches)" % (rutils.bold( rule["meta"]["name"]), count) rows.append((capability, rule["meta"]["namespace"])) if rows: ostream.write( tabulate.tabulate( rows, headers=[width("CAPABILITY", 50), width("NAMESPACE", 50)], tablefmt="psql")) ostream.write("\n") else: ostream.writeln(rutils.bold("no capabilities found"))
def render_mbc(doc, ostream): """ example:: +--------------------------+------------------------------------------------------------+ | MBC Objective | MBC Behavior | |--------------------------+------------------------------------------------------------| | ANTI-BEHAVIORAL ANALYSIS | Virtual Machine Detection::Instruction Testing [B0009.029] | | COLLECTION | Keylogging::Polling [F0002.002] | | COMMUNICATION | Interprocess Communication::Create Pipe [C0003.001] | | | Interprocess Communication::Write Pipe [C0003.004] | | IMPACT | Remote Access::Reverse Shell [B0022.001] | +--------------------------+------------------------------------------------------------+ """ objectives = collections.defaultdict(set) for rule in rutils.capability_rules(doc): if not rule["meta"].get("mbc"): continue mbcs = rule["meta"]["mbc"] if not isinstance(mbcs, list): raise ValueError("invalid rule: MBC mapping is not a list") for mbc in mbcs: objective, _, rest = mbc.partition("::") if "::" in rest: behavior, _, rest = rest.partition("::") method, _, id = rest.rpartition(" ") objectives[objective].add((behavior, method, id)) else: behavior, _, id = rest.rpartition(" ") objectives[objective].add((behavior, id)) rows = [] for objective, behaviors in sorted(objectives.items()): inner_rows = [] for spec in sorted(behaviors): if len(spec) == 2: behavior, id = spec inner_rows.append("%s %s" % (rutils.bold(behavior), id)) elif len(spec) == 3: behavior, method, id = spec inner_rows.append("%s::%s %s" % (rutils.bold(behavior), method, id)) else: raise RuntimeError("unexpected MBC spec format") rows.append(( rutils.bold(objective.upper()), "\n".join(inner_rows), )) if rows: ostream.write( tabulate.tabulate(rows, headers=[ width("MBC Objective", 25), width("MBC Behavior", 75) ], tablefmt="psql")) ostream.write("\n")
def render_attack(doc, ostream): """ example:: +------------------------+----------------------------------------------------------------------+ | ATT&CK Tactic | ATT&CK Technique | |------------------------+----------------------------------------------------------------------| | DEFENSE EVASION | Obfuscated Files or Information [T1027] | | DISCOVERY | Query Registry [T1012] | | | System Information Discovery [T1082] | | EXECUTION | Command and Scripting Interpreter::Windows Command Shell [T1059.003] | | | Shared Modules [T1129] | | EXFILTRATION | Exfiltration Over C2 Channel [T1041] | | PERSISTENCE | Create or Modify System Process::Windows Service [T1543.003] | +------------------------+----------------------------------------------------------------------+ """ tactics = collections.defaultdict(set) for rule in rutils.capability_rules(doc): if not rule["meta"].get("att&ck"): continue for attack in rule["meta"]["att&ck"]: tactic, _, rest = attack.partition("::") if "::" in rest: technique, _, rest = rest.partition("::") subtechnique, _, id = rest.rpartition(" ") tactics[tactic].add((technique, subtechnique, id)) else: technique, _, id = rest.rpartition(" ") tactics[tactic].add((technique, id)) rows = [] for tactic, techniques in sorted(tactics.items()): inner_rows = [] for spec in sorted(techniques): if len(spec) == 2: technique, id = spec inner_rows.append("%s %s" % (rutils.bold(technique), id)) elif len(spec) == 3: technique, subtechnique, id = spec inner_rows.append("%s::%s %s" % (rutils.bold(technique), subtechnique, id)) else: raise RuntimeError("unexpected ATT&CK spec format") rows.append(( rutils.bold(tactic.upper()), "\n".join(inner_rows), )) if rows: ostream.write( tabulate.tabulate(rows, headers=[ width("ATT&CK Tactic", 20), width("ATT&CK Technique", 80) ], tablefmt="psql")) ostream.write("\n")
def render_attack(doc, ostream: StringIO): """ example:: +------------------------+----------------------------------------------------------------------+ | ATT&CK Tactic | ATT&CK Technique | |------------------------+----------------------------------------------------------------------| | DEFENSE EVASION | Obfuscated Files or Information [T1027] | | DISCOVERY | Query Registry [T1012] | | | System Information Discovery [T1082] | | EXECUTION | Command and Scripting Interpreter::Windows Command Shell [T1059.003] | | | Shared Modules [T1129] | | EXFILTRATION | Exfiltration Over C2 Channel [T1041] | | PERSISTENCE | Create or Modify System Process::Windows Service [T1543.003] | +------------------------+----------------------------------------------------------------------+ """ tactics = collections.defaultdict(set) for rule in rutils.capability_rules(doc): if not rule["meta"].get("att&ck"): continue for attack in rule["meta"]["att&ck"]: tactics[attack["tactic"]].add( (attack["technique"], attack.get("subtechnique"), attack["id"])) rows = [] for tactic, techniques in sorted(tactics.items()): inner_rows = [] for (technique, subtechnique, id) in sorted(techniques): if subtechnique is None: inner_rows.append("%s %s" % (rutils.bold(technique), id)) else: inner_rows.append("%s::%s %s" % (rutils.bold(technique), subtechnique, id)) rows.append(( rutils.bold(tactic.upper()), "\n".join(inner_rows), )) if rows: ostream.write( tabulate.tabulate(rows, headers=[ width("ATT&CK Tactic", 20), width("ATT&CK Technique", 80) ], tablefmt="psql")) ostream.write("\n")
def render_mbc(doc, ostream: StringIO): """ example:: +--------------------------+------------------------------------------------------------+ | MBC Objective | MBC Behavior | |--------------------------+------------------------------------------------------------| | ANTI-BEHAVIORAL ANALYSIS | Virtual Machine Detection::Instruction Testing [B0009.029] | | COLLECTION | Keylogging::Polling [F0002.002] | | COMMUNICATION | Interprocess Communication::Create Pipe [C0003.001] | | | Interprocess Communication::Write Pipe [C0003.004] | | IMPACT | Remote Access::Reverse Shell [B0022.001] | +--------------------------+------------------------------------------------------------+ """ objectives = collections.defaultdict(set) for rule in rutils.capability_rules(doc): if not rule["meta"].get("mbc"): continue for mbc in rule["meta"]["mbc"]: objectives[mbc["objective"]].add( (mbc["behavior"], mbc.get("method"), mbc["id"])) rows = [] for objective, behaviors in sorted(objectives.items()): inner_rows = [] for (behavior, method, id) in sorted(behaviors): if method is None: inner_rows.append("%s [%s]" % (rutils.bold(behavior), id)) else: inner_rows.append("%s::%s [%s]" % (rutils.bold(behavior), method, id)) rows.append(( rutils.bold(objective.upper()), "\n".join(inner_rows), )) if rows: ostream.write( tabulate.tabulate(rows, headers=[ width("MBC Objective", 25), width("MBC Behavior", 75) ], tablefmt="psql")) ostream.write("\n")
def render_rules(ostream, doc): """ like: receive data (2 matches) namespace communication description all known techniques for receiving data from a potential C2 server scope function matches 0x10003A13 0x10003797 """ had_match = False for rule in rutils.capability_rules(doc): count = len(rule["matches"]) if count == 1: capability = rutils.bold(rule["meta"]["name"]) else: capability = "%s (%d matches)" % (rutils.bold( rule["meta"]["name"]), count) ostream.writeln(capability) had_match = True rows = [] for key in ("namespace", "description", "scope"): if key == "name" or key not in rule["meta"]: continue v = rule["meta"][key] if isinstance(v, list) and len(v) == 1: v = v[0] rows.append((key, v)) if rule["meta"]["scope"] != capa.rules.FILE_SCOPE: locations = doc["rules"][rule["meta"]["name"]]["matches"].keys() rows.append(("matches", "\n".join(map(rutils.hex, locations)))) ostream.writeln(tabulate.tabulate(rows, tablefmt="plain")) ostream.write("\n") if not had_match: ostream.writeln(rutils.bold("no capabilities found"))
def render_capabilities(doc, ostream): """ example:: +-------------------------------------------------------+-------------------------------------------------+ | CAPABILITY | NAMESPACE | |-------------------------------------------------------+-------------------------------------------------| | check for OutputDebugString error (2 matches) | anti-analysis/anti-debugging/debugger-detection | | read and send data from client to server | c2/file-transfer | | ... | ... | +-------------------------------------------------------+-------------------------------------------------+ """ subrule_matches = find_subrule_matches(doc) rows = [] for rule in rutils.capability_rules(doc): if rule["meta"]["name"] in subrule_matches: # rules that are also matched by other rules should not get rendered by default. # this cuts down on the amount of output while giving approx the same detail. # see #224 continue count = len(rule["matches"]) if count == 1: capability = rutils.bold(rule["meta"]["name"]) else: capability = "%s (%d matches)" % (rutils.bold( rule["meta"]["name"]), count) rows.append((capability, rule["meta"]["namespace"])) if rows: ostream.write( tabulate.tabulate( rows, headers=[width("CAPABILITY", 50), width("NAMESPACE", 50)], tablefmt="psql")) ostream.write("\n") else: ostream.writeln(rutils.bold("no capabilities found"))
def render_rules(ostream, doc): """ like: ## rules check for OutputDebugString error namespace anti-analysis/anti-debugging/debugger-detection author [email protected] scope function mbc Anti-Behavioral Analysis::Detect Debugger::OutputDebugString examples Practical Malware Analysis Lab 16-02.exe_:0x401020 function @ 0x10004706 and: api: kernel32.SetLastError @ 0x100047C2 api: kernel32.GetLastError @ 0x10004A87 api: kernel32.OutputDebugString @ 0x10004767, 0x10004787, 0x10004816, 0x10004895 """ had_match = False for rule in rutils.capability_rules(doc): count = len(rule["matches"]) if count == 1: capability = rutils.bold(rule["meta"]["name"]) else: capability = "%s (%d matches)" % (rutils.bold(rule["meta"]["name"]), count) ostream.writeln(capability) had_match = True rows = [] for key in capa.rules.META_KEYS: if key == "name" or key not in rule["meta"]: continue v = rule["meta"][key] if isinstance(v, list) and len(v) == 1: v = v[0] elif isinstance(v, list) and len(v) > 1: v = ", ".join(v) rows.append((key, v)) ostream.writeln(tabulate.tabulate(rows, tablefmt="plain")) if rule["meta"]["scope"] == capa.rules.FILE_SCOPE: matches = list(doc["rules"][rule["meta"]["name"]]["matches"].values()) if len(matches) != 1: # i think there should only ever be one match per file-scope rule, # because we do the file-scope evaluation a single time. # but i'm not 100% sure if this is/will always be true. # so, lets be explicit about our assumptions and raise an exception if they fail. raise RuntimeError("unexpected file scope match count: " + len(matches)) render_match(ostream, matches[0], indent=0) else: for location, match in sorted(doc["rules"][rule["meta"]["name"]]["matches"].items()): ostream.write(rule["meta"]["scope"]) ostream.write(" @ ") ostream.writeln(rutils.hex(location)) render_match(ostream, match, indent=1) ostream.write("\n") if not had_match: ostream.writeln(rutils.bold("no capabilities found"))
def render_rules(ostream, doc): """ like: ## rules check for OutputDebugString error namespace anti-analysis/anti-debugging/debugger-detection author [email protected] scope function mbc Anti-Behavioral Analysis::Detect Debugger::OutputDebugString function @ 0x10004706 and: api: kernel32.SetLastError @ 0x100047C2 api: kernel32.GetLastError @ 0x10004A87 api: kernel32.OutputDebugString @ 0x10004767, 0x10004787, 0x10004816, 0x10004895 """ functions_by_bb = {} for function, info in doc["meta"]["analysis"]["layout"]["functions"].items( ): for bb in info["matched_basic_blocks"]: functions_by_bb[bb] = function had_match = False for (_, _, rule) in sorted( map( lambda rule: (rule["meta"].get("namespace", ""), rule["meta"][ "name"], rule), doc["rules"].values())): # default scope hides things like lib rules, malware-category rules, etc. # but in vverbose mode, we really want to show everything. # # still ignore subscope rules because they're stitched into the final document. if rule["meta"].get("capa/subscope"): continue count = len(rule["matches"]) if count == 1: capability = rutils.bold(rule["meta"]["name"]) else: capability = "%s (%d matches)" % (rutils.bold( rule["meta"]["name"]), count) ostream.writeln(capability) had_match = True rows = [] for key in capa.rules.META_KEYS: if key == "name" or key not in rule["meta"]: continue if key == "examples": # I can't think of a reason that an analyst would pivot to the concrete example # directly from the capa output. # the more likely flow is to review the rule and go from there. # so, don't make the output messy by showing the examples. continue v = rule["meta"][key] if not v: continue if key in ("att&ck", "mbc"): v = [rutils.format_parts_id(vv) for vv in v] if isinstance(v, list) and len(v) == 1: v = v[0] elif isinstance(v, list) and len(v) > 1: v = ", ".join(v) rows.append((key, v)) ostream.writeln(tabulate.tabulate(rows, tablefmt="plain")) if rule["meta"]["scope"] == capa.rules.FILE_SCOPE: matches = list( doc["rules"][rule["meta"]["name"]]["matches"].values()) if len(matches) != 1: # i think there should only ever be one match per file-scope rule, # because we do the file-scope evaluation a single time. # but i'm not 100% sure if this is/will always be true. # so, lets be explicit about our assumptions and raise an exception if they fail. raise RuntimeError("unexpected file scope match count: %d" % (len(matches))) render_match(ostream, matches[0], indent=0) else: for location, match in sorted( doc["rules"][rule["meta"]["name"]]["matches"].items()): ostream.write(rule["meta"]["scope"]) ostream.write(" @ ") ostream.write(rutils.hex(location)) if rule["meta"]["scope"] == capa.rules.BASIC_BLOCK_SCOPE: ostream.write(" in function " + rutils.hex(functions_by_bb[location])) ostream.write("\n") render_match(ostream, match, indent=1) ostream.write("\n") if not had_match: ostream.writeln(rutils.bold("no capabilities found"))