-
Notifications
You must be signed in to change notification settings - Fork 234
Expand file tree
/
Copy pathcreate-tcp-socket.yml
More file actions
36 lines (36 loc) · 1.12 KB
/
create-tcp-socket.yml
File metadata and controls
36 lines (36 loc) · 1.12 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
rule:
meta:
name: create TCP socket
namespace: communication/socket/tcp
authors:
- william.ballenthin@mandiant.com
- joakim@intezer.com
- anushka.virgaonkar@mandiant.com
- michael.hunhoff@mandiant.com
scopes:
static: basic block
dynamic: call
mbc:
- Communication::Socket Communication::Create TCP Socket [C0001.011]
references:
- https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-socket
- https://man7.org/linux/man-pages/man2/socket.2.html
examples:
- Practical Malware Analysis Lab 01-01.dll_:0x10001010
features:
- or:
- and:
- or:
- number: 0 = protocol (default)
- number: 6 = IPPROTO_TCP
- number: 1 = SOCK_STREAM
- number: 2 = AF_INET
- or:
- api: socket
- api: ws2_32.socket
- api: ws2_32.#23 = socket
- api: ws2_32.WSASocket
- api: ws2_32.#82 = WSASocketA
- api: ws2_32.#83 = WSASocketW
- api: System.Net.Sockets.Socket::ctor
- property/read: System.Net.Sockets.TcpClient::Client