forked from mandiant/capa-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
encrypt-data-using-salsa20-or-chacha.yml
35 lines (35 loc) · 1.2 KB
/
encrypt-data-using-salsa20-or-chacha.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
rule:
meta:
name: encrypt data using Salsa20 or ChaCha
namespace: data-manipulation/encryption/salsa20
authors:
scopes:
static: function
dynamic: thread
att&ck:
- Defense Evasion::Obfuscated Files or Information [T1027]
references:
- http://cr.yp.to/snuffle/ecrypt.c
features:
# The constant words spell "expand 32-byte k" in ASCII (i.e. the 4 words are "expa", "nd 3", "2-by", and "te k")
- or:
- description: part of key setup
- string: "expand 32-byte k"
description: sigma
- string: "expand 16-byte k"
description: tau
# if sigma and tau are in contiguous memory, may result in concatenated string
- string: "expand 32-byte kexpand 16-byte k"
- bytes: 65 78 70 61 6E 64 20 33 32 2D 62 79 74 65 20 6B = "expand 32-byte k"
- bytes: 65 78 70 61 6E 64 20 31 36 2D 62 79 74 65 20 6B = "expand 16-byte k"
- and:
- string: "expa"
- string: "nd 3"
- string: "2-by"
- string: "te k"
- and:
- number: 0x61707865 = "apxe"
- number: 0x3320646E = "3 dn"
- number: 0x79622D32 = "yb-2"
- number: 0x6B206574 = "k et"