Move get-routing-table.yml out of nursery. Add enumerate-tcp-connecti… (#1074)

jtothej · web-flow · commit 1a065e6dea28 · 2025-09-09T13:21:48.000-06:00
* Move get-routing-table.yml out of nursery. Add enumerate-tcp-connections-via-wmi-com-api.yml and create-routing-table-entry.yml

* Update scopes in enumerate-tcp-connections-via-wmi-com-api.yml, create-routing-table-entry.yml, get-routing-table.yml
diff --git a/host-interaction/network/enumerate-tcp-connections-via-wmi-com-api.yml b/host-interaction/network/enumerate-tcp-connections-via-wmi-com-api.yml
@@ -0,0 +1,21 @@
+rule:
+  meta:
+    name: enumerate TCP connections via WMI COM API
+    namespace: host-interaction/network
+    authors:
+      - jakubjozwiak@google.com
+    description: Match on files capable of enumerating TCP connections using WMI COM API
+    scopes:
+      static: function
+      dynamic: span of calls
+    att&ck:
+      - Discovery::System Network Connections Discovery [T1049]
+    references:
+      - https://medium.com/@s12deff/get-tcp-active-connections-with-wmi-cfd80899d7fa
+    examples:
+      - 0a942aca9589d10f7b8f127870ca35cdd90d25c0b3449abe0434ffeb9f93f277:0x140001000
+  features:
+    - and:
+      - match: connect to WMI namespace via WbemLocator
+      - string: "ROOT\\StandardCIMV2"
+      - string: "MSFT_NetTCPConnection"
diff --git a/host-interaction/network/routing-table/create-routing-table-entry.yml b/host-interaction/network/routing-table/create-routing-table-entry.yml
@@ -0,0 +1,17 @@
+rule:
+  meta:
+    name: create routing table entry
+    namespace: host-interaction/network/routing-table
+    authors:
+      - jakubjozwiak@google.com
+    scopes:
+      static: instruction
+      dynamic: call
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-createipforwardentry
+      - https://github.com/T04R/collection/blob/main/evasion/03.Local-admin/EPP-comms/netblk-route/implant.cpp
+    examples:
+      - de07bd6e3ade9e4d8a36032a23de11a372bd93d39a6ef95d849e3f6f7ebac6e5:0x140001000
+  features:
+    - or:
+      - api: iphlpapi.CreateIpForwardEntry
diff --git a/host-interaction/network/routing-table/get-routing-table.yml b/host-interaction/network/routing-table/get-routing-table.yml
@@ -0,0 +1,21 @@
+rule:
+  meta:
+    name: get routing table
+    namespace: host-interaction/network/routing-table
+    authors:
+      - michael.hunhoff@mandiant.com
+    scopes:
+      static: instruction
+      dynamic: call
+    att&ck:
+      - Discovery::System Network Configuration Discovery [T1016]
+    references:
+      - https://learn.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getipforwardtable
+      - https://learn.microsoft.com/en-us/windows/win32/api/netioapi/nf-netioapi-getipforwardtable2
+      - https://github.com/T04R/collection/blob/main/evasion/03.Local-admin/EPP-comms/netblk-printroute/implant.cpp
+    examples:
+      - b1133d7e5599beefe992a127f6e9704176a13b7e86b4db45c3b61cf25a60d414:0x140001000
+  features:
+    - or:
+      - api: iphlpapi.GetIpForwardTable
+      - api: iphlpapi.GetIpForwardTable2
diff --git a/nursery/get-routing-table.yml b/nursery/get-routing-table.yml
