Merge pull request #312 from dandonov/master

Adding an initial rule for detecting Curve25519 algorithms
mandiant · Apr 1, 2021 · 941de77 · 941de77
2 parents 55c914a + 31d4790
commit 941de77
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/nursery/encrypt-data-using-curve25519.yml b/nursery/encrypt-data-using-curve25519.yml
@@ -0,0 +1,27 @@
+rule:
+  meta:
+    name: encrypt data using Curve25519
+    namespace: data-manipulation/encryption/curve25519
+    author: dimiter.andonov@fireeye.com
+    scope: basic block
+    att&ck:
+      - Defense Evasion::Obfuscated Files or Information [T1027]
+    examples:
+      - 0a0882b8da225406cc838991b5f67d11:0x4135f6
+      - 0a0882b8da225406cc838991b5f67d11:0x416f51
+      - 80372de850597bd9e7e021a94f13f0a1:0x406480
+      - 80372de850597bd9e7e021a94f13f0a1:0x4086f4
+  features:
+    # initializes a 32-byte array with 
+    #   array[0] = 0xf8, 
+    #   array[31] = array[31] & 0x3f | 0x40
+    - and:
+      - and:
+        - number: 0xf8
+        - mnemonic: and
+      - and:
+        - number: 0x3f
+        - mnemonic: and
+      - and:
+        - number: 0x40
+        - mnemonic: or