Adjusted rules for the ELF BEACON sample shared by Intezer (#654)

* Created rules for the ELF BEACON sample shared by Intezer * removing rule that sometimes hits and sometimes doesn't Co-authored-by: Alyssa Rahman <alyssa.rahman@mandiant.com>
mandiant · Jan 9, 2023 · 3e8792d · 3e8792d
1 parent dc81cb4
commit 3e8792d
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 14 deletions.
diff --git a/host-interaction/mutex/create-semaphore-on-linux.yml b/host-interaction/mutex/create-semaphore-on-linux.yml
@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: create semaphore on Linux
+    namespace: host-interaction/mutex
+    authors:
+      - "@ramen0x3f"
+    scope: function
+    examples:
+      - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408de0
+  features:
+    - and:
+      - os: linux
+      - api: sem_init
diff --git a/host-interaction/mutex/lock-semaphore-on-linux.yml b/host-interaction/mutex/lock-semaphore-on-linux.yml
@@ -0,0 +1,15 @@
+rule:
+  meta:
+    name: lock semaphore on Linux
+    namespace: host-interaction/mutex
+    authors:
+      - "@ramen0x3f"
+    scope: function
+    examples:
+      - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40
+  features:
+    - and:
+      - os: linux
+      - or:
+        - api: sem_wait
+        - api: sem_timedwait
diff --git a/host-interaction/mutex/unlock-semaphore-on-linux.yml b/host-interaction/mutex/unlock-semaphore-on-linux.yml
@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: unlock semaphore on Linux
+    namespace: host-interaction/mutex
+    authors:
+      - "@ramen0x3f"
+    scope: function
+    examples:
+      - 294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc:0x408e40
+  features:
+    - and:
+      - os: linux
+      - api: sem_post
diff --git a/lib/delay-execution.yml b/lib/delay-execution.yml
@@ -3,6 +3,7 @@ rule:
     name: delay execution
     authors:
       - michael.hunhoff@mandiant.com
+      - "@ramen0x3f"
     lib: true
     scope: basic block
     mbc:
@@ -15,17 +16,25 @@ rule:
       - B5F85C26D7AA5A1FB4AF5821B6B5AB9B:0x402FA6
   features:
     - or:
-      - api: kernel32.Sleep
-      - api: kernel32.SleepEx
-      - api: kernel32.WaitForSingleObject
-      - api: kernel32.SignalObjectAndWait
-      - api: kernel32.WaitForSingleObjectEx
-      - api: kernel32.WaitForMultipleObjects
-      - api: kernel32.WaitForMultipleObjectsEx
-      - api: kernel32.RegisterWaitForSingleObject
-      - api: WaitOnAddress
-      - api: user32.MsgWaitForMultipleObjects
-      - api: user32.MsgWaitForMultipleObjectsEx
-      - api: NtDelayExecution
-      - api: KeWaitForSingleObject
-      - api: KeDelayExecutionThread
+      - and:
+        - os: windows
+        - or:
+          - api: kernel32.Sleep
+          - api: kernel32.SleepEx
+          - api: kernel32.WaitForSingleObject
+          - api: kernel32.SignalObjectAndWait
+          - api: kernel32.WaitForSingleObjectEx
+          - api: kernel32.WaitForMultipleObjects
+          - api: kernel32.WaitForMultipleObjectsEx
+          - api: kernel32.RegisterWaitForSingleObject
+          - api: WaitOnAddress
+          - api: user32.MsgWaitForMultipleObjects
+          - api: user32.MsgWaitForMultipleObjectsEx
+          - api: NtDelayExecution
+          - api: KeWaitForSingleObject
+          - api: KeDelayExecutionThread
+      - and:
+        - os: linux
+        - or:
+          - api: sleep
+          - api: usleep