Add new rule persist-via-shellserviceobjectdelayload-registry-key.yml

[xpzhxhm]

Add new rule persist-via-shellserviceobjectdelayload-registry-key.yml
Closes #1114
Ref mandiant/capa-testfiles#303
https://blog.virustotal.com/2024/03/com-objects-hijacking.html

[mike-hunhoff]

Great, thanks @xpzhxhm . I've left comments for your review.

[xpzhxhm]

Hi @mike-hunhoff.
Thanks for the review!
I've updated a more detailed description and removed the blank line.
For the scope, I successfully narrowed it to function by adding number: 0x80000002 = HKEY_LOCAL_MACHINE in the features. The rule now correctly detects the sample at function scope.

[xpzhxhm]

I confirmed in IDA that this sample uses a helper function to write to the registry. The HKLM constant 0x80000002 and the string ShellServiceObjectDelayLoad reside in the parent function (sub_405224 in the sample), while RegSetValue is in a child function (sub_4053CD in the sample). My understanding is that adding the feature number: 0x80000002 will allow the rule to match the parent function.

[mike-hunhoff]

I confirmed in IDA that this sample uses a helper function to write to the registry. The HKLM constant 0x80000002 and the string ShellServiceObjectDelayLoad reside in the parent function (sub_405224 in the sample), while RegSetValue is in a child function (sub_4053CD in the sample). My understanding is that adding the feature number: 0x80000002 will allow the rule to match the parent function.

@xpzhxhm capa does not match across functions, so, specifying function scope enforces that all features are matched within a single function.

[xpzhxhm]

Hi @mike-hunhoff , thanks for clarifying! I understand now that with function scope, capa does not match across functions.
Since the RegSetValue action and the ShellServiceObjectDelayLoad string are in different functions in this sample, I changed the scope to file. Does it sound like a right approach?
I have pushed the updates. Could you please take another look when you have a chance? Thanks!

[mike-hunhoff]

Hi @mike-hunhoff , thanks for clarifying! I understand now that with function scope, capa does not match across functions. Since the RegSetValue action and the ShellServiceObjectDelayLoad string are in different functions in this sample, I changed the scope to file. Does it sound like a right approach? I have pushed the updates. Could you please take another look when you have a chance? Thanks!

@xpzhxhm no, capa rules must match the smallest reasonable scope possible. In this case , that would likely be function scope. Please find another sample or remove the example meta entry and move this rule to the nursery directory.

[xpzhxhm]

Hi @mike-hunhoff, thank you so much for your guidance :)

I'm switching the scope back to function. I initially assumed a broader scope was required, but the current sample shows the relevant features are in a single function.
On the sample, both 0x80000002 (HKLM) and Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad appear in the same function, So the rule matches correctly under function scope.
Linter output and IDA screenshot are attached for reference.

Please let me know if I’m on the right track.
Thanks!