From aad07996a704b80c5596c553c684f48e242a0228 Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Fri, 26 May 2023 11:11:07 +0200
Subject: [PATCH 1/2] improve clipboard rules

---
 .../clipboard/read-clipboard-data.yml | 5 +++++
 .../clipboard/replace-clipboard-data.yml | 17 -----------------
 .../clipboard/write-clipboard-data.yml | 4 ++++
 3 files changed, 9 insertions(+), 17 deletions(-)
 delete mode 100644 host-interaction/clipboard/replace-clipboard-data.yml

diff --git a/host-interaction/clipboard/read-clipboard-data.yml b/host-interaction/clipboard/read-clipboard-data.yml
index 8d5447855..0ac2f2cdf 100644
--- a/host-interaction/clipboard/read-clipboard-data.yml
+++ b/host-interaction/clipboard/read-clipboard-data.yml
@@ -8,6 +8,8 @@ rule:
     scope: function
     att&ck:
       - Collection::Clipboard Data [T1115]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-clipboard
     examples:
       - C91887D861D9BD4A5872249B641BC9F9:0x40156F
       - 93dfc146f60bd796eb28d4e4f348f2e4:0x401050
@@ -15,6 +17,9 @@ rule:
     - and:
       - optional:
         - match: open clipboard
+        - api: kernel32.GlobalAlloc
+        - api: kernel32.GlobalLock
+        - api: kernel32.GlobalUnlock
       - or:
         - and:
           - api: user32.GetClipboardData
diff --git a/host-interaction/clipboard/replace-clipboard-data.yml b/host-interaction/clipboard/replace-clipboard-data.yml
deleted file mode 100644
index 3b2bb7935..000000000
--- a/host-interaction/clipboard/replace-clipboard-data.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-rule:
-  meta:
-    name: replace clipboard data
-    namespace: host-interaction/clipboard
-    authors:
-      - michael.hunhoff@mandiant.com
-    scope: function
-    mbc:
-      - Impact::Clipboard Modification [E1510]
-    examples:
-      - 6f99a2c8944cb02ff28c6f9ced59b161:0x403180
-  features:
-    - and:
-      - optional:
-        - match: open clipboard
-      - match: write clipboard data
-      - api: user32.EmptyClipboard
diff --git a/host-interaction/clipboard/write-clipboard-data.yml b/host-interaction/clipboard/write-clipboard-data.yml
index 5502b1e86..cbc655c0e 100644
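Review bot: The three `kernel32.Global*` entries added under `optional:` in the second read-clipboard-data.yml hunk never influence whether the rule matches, because capa evaluates `optional:` as zero-or-more; they only document the calls expected around a clipboard read. Of the three, `GlobalAlloc` is, as far as I recall the referenced "Using the Clipboard" article, the allocation step on the copy side (the handle later passed to `SetClipboardData`), while a paste path only needs `GlobalLock`/`GlobalUnlock` on the handle returned by `GetClipboardData`, so it may belong in write-clipboard-data.yml rather than here. If the allocation is intended to cover reads that copy the locked data into a fresh buffer, a short comment next to it such as `# buffer the caller copies the locked clipboard data into` would make that intent explicit. The deletion of replace-clipboard-data.yml in the same patch is a pure removal and is covered by the note on the write-clipboard-data.yml hunk.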
--- a/host-interaction/clipboard/write-clipboard-data.yml
+++ b/host-interaction/clipboard/write-clipboard-data.yml
@@ -8,12 +8,16 @@ rule:
     scope: function
     mbc:
       - Impact::Clipboard Modification [E1510]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/dataxchg/using-the-clipboard
     examples:
       - 6F99A2C8944CB02FF28C6F9CED59B161:0x403180
   features:
     - and:
       - optional:
         - match: open clipboard
+        - api: user32.EmptyClipboard
+        - api: System.Windows.Forms.Clipboard::Clear
       - or:
         - api: user32.SetClipboardData
         - api: System.Windows.Forms.Clipboard::SetAudio

From 2fc3bf5639740a4d02e8e9a1475419e2e630dc36 Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Mon, 12 Jun 2023 14:16:41 +0200
Subject: [PATCH 2/2] tighten scope and add optional loop match

---
 host-interaction/clipboard/read-clipboard-data.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/host-interaction/clipboard/read-clipboard-data.yml b/host-interaction/clipboard/read-clipboard-data.yml
index 0ac2f2cdf..f920f8f65 100644
--- a/host-interaction/clipboard/read-clipboard-data.yml
+++ b/host-interaction/clipboard/read-clipboard-data.yml
@@ -17,16 +17,18 @@ rule:
     - and:
       - optional:
         - match: open clipboard
+        - match: contain loop
         - api: kernel32.GlobalAlloc
         - api: kernel32.GlobalLock
         - api: kernel32.GlobalUnlock
       - or:
-        - and:
-          - api: user32.GetClipboardData
-          - optional:
-            - number: 0x1 = CF_TEXT
-            - number: 0x7 = CF_OEMTEXT
-            - number: 0xD = CF_UNICODETEXT
+        - basic block:
+          - and:
+            - api: user32.GetClipboardData
+            - optional:
+              - number: 0x1 = CF_TEXT
+              - number: 0x7 = CF_OEMTEXT
+              - number: 0xD = CF_UNICODETEXT
         - api: System.Windows.Forms.Clipboard::GetAudioStream
         - api: System.Windows.Forms.Clipboard::GetData
         - api: System.Windows.Forms.Clipboard::GetDataObject
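Review bot: `user32.EmptyClipboard` and `System.Windows.Forms.Clipboard::Clear` sit under `optional:` in the write-clipboard-data.yml hunk, so the rule still matches on `SetClipboardData`/`SetAudio` alone and the empty-then-write sequence that the deleted replace-clipboard-data.yml required is no longer distinguishable from a plain write in capa output. If folding that behaviour into this rule is the intent, it is worth recording in the rule metadata so analysts do not go looking for a separate "replace" rule, e.g. a `description:` entry under `meta:` such as `description: also covers clearing the clipboard before writing (formerly replace-clipboard-data)`. The `meta:` block begins above this hunk, so the entry would go just before `scope: function`.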
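Review bot: Wrapping `user32.GetClipboardData` in `basic block:` in the read-clipboard-data.yml hunk does not tighten the match, because the only other member of the inner `and:` is an `optional:` list, which capa never requires; any function calling `GetClipboardData` anywhere still satisfies the rule exactly as it did before, so the "tighten scope" in the commit title is not realised by this hunk. If the goal is to require one of the text-format constants in the same basic block as the call, the `- optional:` under the inner `and:` should become `- or:` with the three `number:` lines kept as its children; that genuinely narrows the rule and would need re-checking against the two listed examples, so the looser form may be deliberate. Either way a comment on the `basic block:` line stating what the scope is meant to enforce, e.g. `# format constant and the call are expected in the same basic block`, would save the next reader the same analysis.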