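# capa-style rule: flags code that determines the size / free space of a disk.
# Any single branch under "or" is sufficient: the Win32 disk-space APIs, the
# .NET DriveInfo size properties, an IOCTL_DISK_GET_LENGTH_INFO request to a
# disk device, or a WMI query against Win32_LogicalDisk / Win32_DiskDrive.
#
# Security context: the referenced sample (al-khaser, AntiVM/Generic.cpp) reads
# the disk size as part of an anti-VM / anti-sandbox check, but every feature
# matched here is also used by ordinary software. Treat a hit as discovery
# context (ATT&CK T1082), not as a malicious verdict on its own.
rule:
  meta:
    name: get disk size
    namespace: host-interaction/hardware/storage
    # NOTE(review): the author list is empty in this copy of the rule; capa's
    # rule linter expects at least one entry — restore it from upstream.
    authors:
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Discovery::System Information Discovery [T1082]
    mbc:
      - Discovery::System Information Discovery [E1082]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L347
    examples:
      - al-khaser_x86.exe_:0x4343D0
      - al-khaser_x86.exe_:0x434010
  features:
    - or:
      # Win32: both report free / total bytes for a volume.
      - api: kernel32.GetDiskFreeSpace
      - api: kernel32.GetDiskFreeSpaceEx
      # .NET: size-related properties of System.IO.DriveInfo.
      - property/read: System.IO.DriveInfo::TotalSize
      - property/read: System.IO.DriveInfo::TotalFreeSpace
      - property/read: System.IO.DriveInfo::AvailableFreeSpace
      # Direct device I/O: the IOCTL rule match and the control code must both
      # occur within one basic block (static) or one call (dynamic).
      # 0x7405C = CTL_CODE(FILE_DEVICE_DISK=0x7, function 0x17, METHOD_BUFFERED,
      # FILE_READ_ACCESS) = (7<<16) | (1<<14) | (0x17<<2) | 0.
      - basic block:
        - and:
          - match: interact with driver via IOCTL
          - number: 0x7405C = IOCTL_DISK_GET_LENGTH_INFO
      - call:
        - and:
          - match: interact with driver via IOCTL
          - number: 0x7405C = IOCTL_DISK_GET_LENGTH_INFO
      # WMI: a disk query plus the literal string "Size" (presumably the WMI
      # property read from the result set — verify against the sample). The
      # regexes are case-insensitive and tolerate arbitrary whitespace, so
      # reformatted or mixed-case queries still match.
      - and:
        - or:
          - string: /SELECT\s+\*\s+FROM\s+Win32_LogicalDisk/i
          - string: /SELECT\s+\*\s+FROM\s+Win32_DiskDrive\s+WHERE\s+\(SerialNumber\s+IS\s+NOT\s+NULL\)\s+AND\s+\(MediaType\s+LIKE\s+\'Fixed\s+hard\s+disk\%\'\)/i
        - string: "Size"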