From 2fb2df94161fcdcfbbf55f0b8cd5650645cc590f Mon Sep 17 00:00:00 2001
From: Ana Maria Martinez Gomez
Date: Mon, 20 Jan 2025 16:18:54 +0100
Subject: [PATCH 1/2] Add use-bigint-function

Add new `data-manipulation/encryption/use-bigint-function.yml` rule to identify bigint functions as these functions may help reverse engineers identifying crypto.

Example of bigint functions identified by this rule:
- `bi_copi`
- `bi_permanent`
- `bi_depermant`
- `bi_free`

Reference:
- https://github.com/ezhangle/krypton/blob/147d69429bfb03cce7113dca6dba36e77f8a9325/src/bigint.c
- https://github.com/bnoordhuis/mongrel2/blob/3e9b57d82aeb627be0aebfb346199bfdfd67e530/src/crypto/bigint.c
---
 .../encryption/use-bigint-function.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 data-manipulation/encryption/use-bigint-function.yml

diff --git a/data-manipulation/encryption/use-bigint-function.yml b/data-manipulation/encryption/use-bigint-function.yml
new file mode 100644
index 00000000..119200c3
--- /dev/null
+++ b/data-manipulation/encryption/use-bigint-function.yml
@@ -0,0 +1,31 @@
+rule:
+ meta:
+ name: use bigint function
+ namespace: data-manipulation/encryption
+ authors:
+ - "Ana06"
+ description: use bigint function such as bi_copy and bi_permanent. Useful to identify crypto.
+ scopes:
+ static: instruction
+ dynamic: unsupported # requires mnemonic, offset features
+ references:
+ # bi_copy
+ - https://github.com/ezhangle/krypton/blob/147d69429bfb03cce7113dca6dba36e77f8a9325/src/bigint.c#L149
+ - https://github.com/bnoordhuis/mongrel2/blob/3e9b57d82aeb627be0aebfb346199bfdfd67e530/src/crypto/bigint.c#L162
+ # bi_permanent
+ - https://github.com/ezhangle/krypton/blob/147d69429bfb03cce7113dca6dba36e77f8a9325/src/bigint.c#L161
+ - https://github.com/bnoordhuis/mongrel2/blob/3e9b57d82aeb627be0aebfb346199bfdfd67e530/src/crypto/bigint.c#L176
+ examples:
+ - 009c2377b67997b0da1579f4bbc822c1:0x404096 # bi_copy
+ - 009c2377b67997b0da1579f4bbc822c1:0x4040D4 # bi_permanent
+ - 009c2377b67997b0da1579f4bbc822c1:0x4040E6 # bi_depermanent
+ - 009c2377b67997b0da1579f4bbc822c1:0x404109 # bi_free
+ - 8333822ed41d9f2b302cf8e21b126efc:0x407933 # bi_permanent
+ - 8333822ed41d9f2b302cf8e21b126efc:0x407933 # bi_depermanent
+ features:
+ - and:
+ - or:
+ - mnemonic: mov
+ - mnemonic: cmp
+ - number: 0x7FFF55AA = PERMANENT
+ - offset: 8 = bi->refs

From be61f54d89a20046fd97187527a05df7a532f6c7 Mon Sep 17 00:00:00 2001
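Review bot: The `examples` list carries `8333822ed41d9f2b302cf8e21b126efc:0x407933` twice, annotated once as bi_permanent and once as bi_depermanent; a single instruction address cannot belong to both functions, so one of the two entries is a copy of the other and should be replaced by the real address of the second function (or dropped, since a duplicate adds no coverage and is likely to be flagged by the rule linter). The `offset: 8 = bi->refs` feature also hard-codes one struct layout and pointer width: if `refs` sits behind a `next` pointer and a `size` field, as the referenced bigint.c suggests, a 64-bit build or a differently packed fork would place it at another displacement and the rule would miss. Either record that assumption in the comment, e.g. `- offset: 8 = bi->refs (32-bit layout; verify for x64 builds)`, or wrap the offset in its own `or:` with the x64 value once a sample confirms it.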
From: Ana Maria Martinez Gomez
Date: Mon, 20 Jan 2025 16:21:32 +0100
Subject: [PATCH 2/2] Add rsa-encrypt

Add new rule `data-manipulation/encryption/rsa/rsa-encrypt.yml` that identifies the RSA encryption implementation from:
- https://github.com/ezhangle/krypton/blob/147d69429bfb03cce7113dca6dba36e77f8a9325/src/rsa.c#L232
- https://github.com/bnoordhuis/mongrel2/blob/3e9b57d82aeb627be0aebfb346199bfdfd67e530/src/crypto/rsa.c#L233

Rename current RSA encryption/decryption rules in the nursery to add `via WinAPI` to prevent name conflict.
---
 ...pt-data-using-rsa-via-embedded-library.yml | 46 +++++++++++++++++++
 ... => decrypt-data-using-rsa-via-winapi.yml} | 2 +-
 ... => encrypt-data-using-rsa-via-winapi.yml} | 2 +-
 3 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml
 rename nursery/{decrypt-data-using-rsa.yml => decrypt-data-using-rsa-via-winapi.yml} (92%)
 rename nursery/{encrypt-data-using-rsa.yml => encrypt-data-using-rsa-via-winapi.yml} (93%)

diff --git a/data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml b/data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml
new file mode 100644
index 00000000..7599ab4a
--- /dev/null
+++ b/data-manipulation/encryption/rsa/encrypt-data-using-rsa-via-embedded-library.yml
@@ -0,0 +1,46 @@
+rule:
+ meta:
+ name: encrypt data using RSA via embedded library
+ namespace: data-manipulation/encryption/rsa
+ authors:
+ - "Ana06"
+ description: encrypt data using krypton RSA implementation or similar
+ scopes:
+ static: function
+ dynamic: unsupported # requires mnemonic, offset features
+ att&ck:
+ - Defense Evasion::Obfuscated Files or Information [T1027]
+ mbc:
+ - Defense Evasion::Obfuscated Files or Information::Encryption-Standard Algorithm [E1027.m05]
+ - Cryptography::Encrypt Data::RSA [C0027.011]
+ references:
+ - https://github.com/ezhangle/krypton/blob/147d69429bfb03cce7113dca6dba36e77f8a9325/src/rsa.c#L232
+ - https://github.com/bnoordhuis/mongrel2/blob/3e9b57d82aeb627be0aebfb346199bfdfd67e530/src/crypto/rsa.c#L233
+ examples:
+ - 009c2377b67997b0da1579f4bbc822c1:0x405CF0
+ features:
+ - and:
+ # `sub eax, 3` Subtract 3 to calculate pads needed
+ - instruction:
+ - mnemonic: sub
+ - number: 3
+ # `mov byte ptr [ecx], 0` Ensure encryption block is < modulus
+ - instruction:
+ - mnemonic: mov
+ - offset: 0
+ - number: 0
+ # `mov byte ptr [edx+1], 2` Set encryption flag
+ - instruction:
+ - mnemonic: mov
+ - offset: 1
+ - number: 2
+ # `mov byte ptr [edx+2], 0` Terminate with zero
+ - instruction:
+ - mnemonic: mov
+ - offset: 2
+ - number: 0
+ # call `get_random_nonzero`, `memcpy`, `bi_import`, `RSA_public`, `bi_export`, and `bi_clear_cache`
+ # if the signing code is included, also call `memcpy` and `RSA_private`
+ - count(mnemonic(call)): (6,8)
+ - optional: # likely in a subfunction
+ - match: use bigint function

diff --git a/nursery/decrypt-data-using-rsa.yml b/nursery/decrypt-data-using-rsa-via-winapi.yml
similarity index 92%
rename from nursery/decrypt-data-using-rsa.yml
rename to nursery/decrypt-data-using-rsa-via-winapi.yml
index 9c89b255..8631100a 100644
--- a/nursery/decrypt-data-using-rsa.yml
+++ b/nursery/decrypt-data-using-rsa-via-winapi.yml
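Review bot: The only RSA-specific evidence in this rule, `match: use bigint function`, is `optional`, so what actually decides a match is `sub`/`3`, three generic single-byte stores and `count(mnemonic(call)): (6,8)` — and the call count is the most compiler-sensitive feature of the set: a build that expands `memcpy` inline (common at -O2 and with MSVC intrinsics) or inlines `get_random_nonzero` drops below 6 and the rule silently misses. That range is currently validated by a single example, `009c2377b67997b0da1579f4bbc822c1:0x405CF0`; a second sample, such as the mongrel2 build cited in `references` or the `8333822e…` binary the first patch already uses, would show whether `(6,8)` holds across compilers, and if it does not, relaxing the count in favour of the byte stores is the safer change. A comment naming the layout being matched would also help the next maintainer, since `# Set encryption flag` does not say why the byte is 2 — the `0x00 0x02 <pad> 0x00 <data>` sequence looks like PKCS#1 v1.5 block type 2, e.g. `# 0x00 || 0x02 || non-zero pad || 0x00 || data: PKCS#1 v1.5 block type 2 (encryption); type 1 is the signing path`. Separately, the commit message names the new file `rsa/rsa-encrypt.yml` while the diff adds `encrypt-data-using-rsa-via-embedded-library.yml`.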
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: decrypt data using RSA
+ name: decrypt data using RSA via WinAPI
 namespace: data-manipulation/encryption/rsa
 authors:
 - michael.hunhoff@mandiant.com
diff --git a/nursery/encrypt-data-using-rsa.yml b/nursery/encrypt-data-using-rsa-via-winapi.yml
similarity index 93%
rename from nursery/encrypt-data-using-rsa.yml
rename to nursery/encrypt-data-using-rsa-via-winapi.yml
index a54e898a..67e5df54 100644
--- a/nursery/encrypt-data-using-rsa.yml
+++ b/nursery/encrypt-data-using-rsa-via-winapi.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: encrypt data using RSA
+ name: encrypt data using RSA via WinAPI
 namespace: data-manipulation/encryption/rsa
 authors:
 - michael.hunhoff@mandiant.com