add rules for volume interaction via IOCTLs (#879)

* add rules for volume interaction via IOCTLs * rename interact with driver * factor out IOCTL handling * fix 'set-system-properties' for 'install driver' * fmt
mandiant · Feb 14, 2024 · 33feff1 · 33feff1
1 parent 0c32d65
commit 33feff1
Show file tree

Hide file tree

Showing 11 changed files with 111 additions and 28 deletions.
diff --git a/host-interaction/driver/install-driver.yml b/host-interaction/driver/install-driver.yml
@@ -11,9 +11,16 @@ rule:
  - Persistence::Create or Modify System Process::Windows Service [T1543.003]
  mbc:
  - Hardware::Install Driver [C0037]
+ references:
+ - https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/set.htm
  examples:
  - af60700383b75727f5256a0000c1476f:0x1127E
  features:
  - or:
  - api: ntdll.NtLoadDriver
  - api: ZwLoadDriver
+ - and:
+ - number: 38 = SystemLoadAndCallImage
+ - or:
+ - api: NtSetSystemInformation
+ - api: ZwSetSystemInformation
diff --git a/host-interaction/driver/interact-with-driver-via-control-codes.yml b/host-interaction/driver/interact-with-driver-via-control-codes.yml
diff --git a/host-interaction/driver/interact-with-driver-via-ioctl.yml b/host-interaction/driver/interact-with-driver-via-ioctl.yml
@@ -0,0 +1,14 @@
+rule:
+ meta:
+ name: interact with driver via IOCTL
+ namespace: host-interaction/driver
+ authors:
+ - moritz.raabe@mandiant.com
+ scopes:
+ static: basic block
+ dynamic: thread
+ examples:
+ - Practical Malware Analysis Lab 10-03.exe_:0x40108c
+ features:
+ - or:
+ - api: DeviceIoControl
diff --git a/host-interaction/driver/unload-driver.yml b/host-interaction/driver/unload-driver.yml
@@ -0,0 +1,17 @@
+rule:
+ meta:
+ name: unload driver
+ namespace: host-interaction/driver
+ authors:
+ - moritz.raabe@mandiant.com
+ scopes:
+ static: basic block
+ dynamic: call
+ att&ck:
+ - Persistence::Create or Modify System Process::Windows Service [T1543.003]
+ examples:
+ - 31cee4f66cf3b537e3d2d37a71f339f4:0x1400044ce
+ features:
+ - or:
+ - api: NtUnloadDriver
+ - api: ZwUnloadDriver
diff --git a/host-interaction/hardware/storage/get-disk-size.yml b/host-interaction/hardware/storage/get-disk-size.yml
@@ -26,11 +26,11 @@ rule:
  - property/read: System.IO.DriveInfo::AvailableFreeSpace
  - basic block:
  - and:
- - api: DeviceIoControl
+ - match: interact with driver via IOCTL
  - number: 0x7405C = IOCTL_DISK_GET_LENGTH_INFO
  - call:
  - and:
- - api: DeviceIoControl
+ - match: interact with driver via IOCTL
  - number: 0x7405C = IOCTL_DISK_GET_LENGTH_INFO
  - and:
  - or:

diff --git a/impact/wipe-disk/delete-drive-layout-via-ioctl.yml b/impact/wipe-disk/delete-drive-layout-via-ioctl.yml
@@ -6,7 +6,7 @@ rule:
  - william.ballenthin@mandiant.com
  scopes:
  static: basic block
- dynamic: thread
+ dynamic: call
  att&ck:
  - Impact::Disk Wipe::Disk Structure Wipe [T1561.002]
  mbc:
@@ -20,6 +20,6 @@ rule:
  features:
  - and:
  - or:
- - api: DeviceIoControl
+ - match: interact with driver via IOCTL
  - characteristic: indirect call
  - number: 0x7c100 = IOCTL_DISK_DELETE_DRIVE_LAYOUT
diff --git a/nursery/get-disk-information-via-ioctl.yml b/nursery/get-disk-information-via-ioctl.yml
@@ -0,0 +1,25 @@
+rule:
+ meta:
+ name: get disk information via IOCTL
+ namespace: host-interaction/hardware/storage
+ authors:
+ - william.ballenthin@mandiant.com
+ scopes:
+ static: basic block
+ dynamic: call
+ att&ck:
+ - Discovery::System Information Discovery [T1082]
+ mbc:
+ - Discovery::System Information Discovery [E1082]
+ references:
+ - https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
+ - http://www.ioctls.net/
+ features:
+ - and:
+ - or:
+ - match: interact with driver via IOCTL
+ - characteristic: indirect call
+ - or:
+ - number: 0x70050 = IOCTL_DISK_GET_DRIVE_LAYOUT_EX
+ - number: 0x24050 = IOCTL_DISK_GET_DRIVE_GEOMETRY_EX
+ - number: 0x2d1080 = IOCTL_STORAGE_GET_DEVICE_NUMBER
diff --git a/nursery/get-storage-device-properties.yml b/nursery/get-storage-device-properties.yml
@@ -12,7 +12,9 @@ rule:
  - https://docs.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-ioctl_storage_query_property
  features:
  - and:
- - match: interact with driver via control codes
+ - or:
+ - characteristic: indirect call
+ - match: interact with driver via IOCTL
  - number: 0x2D1400 = IOCTL_STORAGE_QUERY_PROPERTY
  - optional:
  - string: "\\\\.\\PhysicalDrive0"
diff --git a/nursery/get-volume-information-via-ioctl.yml b/nursery/get-volume-information-via-ioctl.yml
@@ -0,0 +1,21 @@
+rule:
+ meta:
+ name: get volume information via IOCTL
+ namespace: host-interaction/hardware/storage
+ authors:
+ - william.ballenthin@mandiant.com
+ scopes:
+ static: basic block
+ dynamic: call
+ att&ck:
+ - Discovery::System Information Discovery [T1082]
+ mbc:
+ - Discovery::System Information Discovery [E1082]
+ references:
+ - https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
+ features:
+ - and:
+ - or:
+ - match: interact with driver via IOCTL
+ - characteristic: indirect call
+ - number: 0x90064 = FSCTL_GET_NTFS_VOLUME_DATA
diff --git a/nursery/resize-volume-shadow-copy-storage.yml b/nursery/resize-volume-shadow-copy-storage.yml
@@ -10,5 +10,5 @@ rule:
  dynamic: call
  features:
  - and:
- - api: kernel32.DeviceIoControl
+ - match: interact with driver via IOCTL
  - number: 0x53C028 = IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE
diff --git a/nursery/unmount-volume-via-ioctl.yml b/nursery/unmount-volume-via-ioctl.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: unmount volume via IOCTL
+ namespace: host-interaction/hardware/storage
+ authors:
+ - william.ballenthin@mandiant.com
+ scopes:
+ static: function
+ dynamic: call
+ references:
+ - https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
+ features:
+ - and:
+ - or:
+ - match: interact with driver via IOCTL
+ - characteristic: indirect call
+ - and:
+ - number: 0x90018 = FSCTL_LOCK_VOLUME
+ - number: 0x90020 = FSCTL_DISMOUNT_VOLUME