Merge pull request #902 from jtothej/shareprovider

Add two new CAPA rules: act-as-share-provider-dll.yml and act-as-windbg-extension.yml
mandiant · May 31, 2024 · b0b9da3 · b0b9da3
2 parents ded2744 + 93b9c62
commit b0b9da3
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 0 deletions.
diff --git a/persistence/act-as-share-provider-dll.yml b/persistence/act-as-share-provider-dll.yml
@@ -0,0 +1,22 @@
+rule:
+  meta:
+    name: act as Share Provider DLL
+    namespace: persistence
+    authors:
+      - [email protected]
+    scopes:
+      static: file
+      dynamic: file
+    att&ck:
+      - Persistence::Server Software Component [T1505]
+    references:
+      - https://www.hexacorn.com/blog/2018/10/14/how-to-find-new-persistence-tricks/
+    examples:
+      - 7ca4ce02c9d331c2cfdad7329352664c224f02ccfef826a76321831bee1e2191
+  features:
+    - or:
+      - export: ShareProviderInitialize
+      - export: ShareProviderUninitialize
+      - export: ShareProviderShareAdd
+      - export: ShareProviderShareSetInfo
+      - export: ShareProviderShareDel
diff --git a/persistence/act-as-windbg-extension.yml b/persistence/act-as-windbg-extension.yml
@@ -0,0 +1,19 @@
+rule:
+  meta:
+    name: act as WinDbg extension
+    namespace: persistence
+    authors:
+      - [email protected]
+    scopes:
+      static: file
+      dynamic: file
+    att&ck:
+      - Persistence::Server Software Component [T1505]
+    references:
+      - https://www.codeproject.com/Articles/6522/Debug-Tutorial-Part-4-Writing-WINDBG-Extensions
+    examples:
+      - 36f506a34b99bf4c199b3c9ec8aa02bd631feafdca20e69e33e714c269ddb8c5
+  features:
+    - or:
+      - export: ExtensionApiVersion
+      - export: WinDbgExtensionDllInit