reduce false positives in credential manager, credit-card parsing, an…

collection/acquire-credentials-from-windows-credential-manager.yml

@@ -10,6 +10,9 @@ rule:
       dynamic: span of calls
     att&ck:
       - Credential Access::Credentials from Password Stores::Windows Credential Manager [T1555.004]
+    references:
+      - https://github.com/mandiant/capa-rules/issues/1030
+      - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/vaultcmd
     examples:
       - c56af5561e3f20bed435fb4355cffc29:0x411A41
   features:
@@ -23,6 +26,6 @@ rule:
         - optional:
           - match: host-interaction/process/create
         - or:
-          - string: /vaultcmd(\.exe)?/
+          - string: /\bvaultcmd(\.exe)?\b/i
           - substring: "/listcreds:"
           - substring: "\"Windows Credentials\""

collection/credit-card/parse-credit-card-information.yml

@@ -9,14 +9,22 @@ rule:
       dynamic: unsupported  # requires mnemonic features
     mbc:
       - Data::Check String [C0019]
+    references:
+      - https://github.com/mandiant/capa-rules/issues/1088
+      - https://github.com/mandiant/capa-rules/issues/897
+      - https://en.wikipedia.org/wiki/ISO/IEC_7813
     examples:
       - 1d8fd13c890060464019c0f07b928b1a:0x402860
   features:
     - and:
-      - 3 or more:
+      - or:
         - instruction:
           - mnemonic: cmp
           - number: 0x5E = '^' (Track 1 separator)
+        - instruction:
+          - mnemonic: cmp
+          - number: 0x3B = ';' (Track 2 start sentinel)
+      - 2 or more:
         - instruction:
           - mnemonic: cmp
           - number: 0x3D = '=' (Track 2 separator)
@@ -32,9 +40,6 @@ rule:
         - instruction:
           - mnemonic: cmp
           - number: 0x3F = '?' (Track 1 & 2 end sentinel)
-        - instruction:
-          - mnemonic: cmp
-          - number: 0x3B = ';' (Track 2 start sentinel)
       - not:
         - description: if a function also compares these non-hex characters it's most likely NOT parsing CC data
         - and:

collection/group-policy/discover-group-policy-via-gpresult.yml

@@ -9,11 +9,12 @@ rule:
       dynamic: span of calls
     att&ck:
       - Discovery::Group Policy Discovery [T1615]
+    references:
+      - https://github.com/mandiant/capa-rules/issues/1036
+      - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
     examples:
       - 9e4d06759f278255073f9ac7b31a115a:0x100068B7
   features:
     - and:
       - os: windows
-      - or:
-        - substring: "gpresult"
-        - substring: "GPRESULT"
+      - string: /\bgpresult(\.exe)?\s+\/\w+/i

load-code/pe/enumerate-pe-sections.yml

@@ -11,13 +11,15 @@ rule:
     mbc:
       - Discovery::Code Discovery::Enumerate PE Sections [B0046.001]
     references:
+      - https://github.com/mandiant/capa-rules/issues/1090
       - https://0x00sec.org/t/reflective-dll-injection/3080
       - https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection
     examples:
       - E4C33AC3638EEF68311F8AC0D72483C7:0x401510
   features:
     - and:
       - os: windows
+      - match: parse PE header
       # there should be some complexity to functions like this
       - count(basic blocks): 3 or more
       - optional:

persistence/service/persist-via-windows-service.yml

@@ -10,6 +10,9 @@ rule:
     att&ck:
       - Persistence::Create or Modify System Process::Windows Service [T1543.003]
       - Execution::System Services::Service Execution [T1569.002]
+    references:
+      - https://github.com/mandiant/capa-rules/issues/1100
+      - https://learn.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
     examples:
       - Practical Malware Analysis Lab 03-02.dll_:0x10004706
       - 9f012d7e3ae8f62370278e372691eb73b878fe2280b6083e1be637b278021855:0x40113A
@@ -40,3 +43,7 @@ rule:
       - and:
         - match: set registry value
         - string: /System\\(ControlSet\d{3}|CurrentControlSet)\\Services/i
+        - or:
+          - string: /ImagePath/i
+          - string: /ServiceDll/i
+          - string: /^Start$/i