File tree Expand file tree Collapse file tree 2 files changed +14
-4
lines changed Expand file tree Collapse file tree 2 files changed +14
-4
lines changed Original file line number Diff line number Diff line change @@ -12,12 +12,17 @@ rule:
1212 dynamic : call
1313 mbc :
1414 - Communication::Socket Communication::Create TCP Socket [C0001.011]
15+ references :
16+ - https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-socket
17+ - https://man7.org/linux/man-pages/man2/socket.2.html
1518 examples :
1619 - Practical Malware Analysis Lab 01-01.dll_:0x10001010
1720 features :
1821 - or :
1922 - and :
20- - number : 6 = IPPROTO_TCP
23+ - or :
24+ - number : 0 = protocol (default)
25+ - number : 6 = IPPROTO_TCP
2126 - number : 1 = SOCK_STREAM
2227 - number : 2 = AF_INET
2328 - or :
Original file line number Diff line number Diff line change @@ -11,12 +11,17 @@ rule:
1111 dynamic : call
1212 mbc :
1313 - Communication::Socket Communication::Create UDP Socket [C0001.010]
14- examples :
15- - 203BD48BCC18434314AD60F4C8BC21E3D3422EB0624B22B827410F9BC63B4082:0x401240
14+ references :
15+ - https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-socket
16+ - https://man7.org/linux/man-pages/man2/socket.2.html
1617 features :
1718 - or :
1819 - and :
19- - count(number(2 = AF_INET/SOCK_DGRAM)) : 2 or more
20+ - number : 2 = AF_INET
21+ - number : 2 = SOCK_DGRAM
22+ - or :
23+ - number : 0 = protocol (default)
24+ - number : 17 = IPPROTO_UDP
2025 - or :
2126 - api : socket
2227 - api : ws2_32.socket
You can’t perform that action at this time.
0 commit comments