adding/updating rules based on recent samples (#1085)

mike-hunhoff · web-flow · commit 3b42582539a1 · 2025-11-25T13:38:55.000-07:00
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml b/anti-analysis/anti-vm/vm-detection/check-for-sandbox-username-or-hostname.yml
@@ -5,6 +5,7 @@ rule:
     authors:
       - "@_re_fox"
       - "echernofsky@google.com"
+      - mehunhoff@google.com
     scopes:
       static: function
       dynamic: span of calls
@@ -96,3 +97,7 @@ rule:
           description: Windows Defender Application Guard
         - string: /HAL9TH/i
           description: Windows Defender Emulator
+        - string: /nepenthes/i
+          description: Nepenthes honeypot
+        - string: /heuerzl/i
+          description: Known sandbox username
diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings-targeting-vmware.yml
@@ -3,7 +3,7 @@ rule:
     name: reference anti-VM strings targeting VMWare
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
-      - michael.hunhoff@mandiant.com
+      - mehunhoff@google.com
       - "@johnk3r"
     scopes:
       static: file
@@ -65,3 +65,5 @@ rule:
       - string: /vmmousever\.dll/i
       - string: /VmGuestLibJava\.dll/i
       - string: /vmscsi\.sys/i
+      - string: /vmwareservice\.exe/i
+      - string: /vgautservice\.exe/i
diff --git a/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml b/anti-analysis/anti-vm/vm-detection/reference-anti-vm-strings.yml
@@ -4,6 +4,7 @@ rule:
     namespace: anti-analysis/anti-vm/vm-detection
     authors:
       - moritz.raabe@mandiant.com
+      - mehunhoff@google.com
     scopes:
       static: file
       dynamic: file
@@ -59,3 +60,7 @@ rule:
       - string: /klavme\.exe/i
       - string: /myapp\.exe/i
       - string: /testapp\.exe/i
+      - string: /vmusrvc\.exe/i
+        description: Microsoft Virtual PC / Hyper-V
+      - string: /vmsrvc\.exe/i
+        description: Microsoft Virtual PC / Hyper-V
diff --git a/anti-analysis/reference-analysis-tools-strings.yml b/anti-analysis/reference-analysis-tools-strings.yml
@@ -3,7 +3,7 @@ rule:
     name: reference analysis tools strings
     namespace: anti-analysis
     authors:
-      - michael.hunhoff@mandiant.com
+      - mehunhoff@google.com
     scopes:
       static: file
       dynamic: file
@@ -51,3 +51,45 @@ rule:
       - string: /decompile(\.exe)?/i
       - string: /scylla/i
       - string: /megadumper/i
+      - string: /apdagent(\.exe)?/i
+      - string: /apimonitor(\.exe)?/i
+      - string: /azurearcsystray(\.exe)?/i
+      - string: /binaryninja(\.exe)?/i
+      - string: /burpsuite(\.exe)?/i
+      - string: /charles\.exe/i
+      - string: /cutter(\.exe)?/i
+      - string: /dbgx\.shell(\.exe)?/i
+      - string: /df5serv(\.exe)?/i
+      - string: /frida(\.exe)?/i
+      - string: /httpanalyzerv7(\.exe)?/i
+      - string: /httpdebuggerui(\.exe)?/i
+      - string: /netcat(\.exe)?/i
+      - string: /pin\.exe/i
+      - string: /prl_tools(\.exe)?/i
+      - string: /qemu-ga(\.exe)?/i
+      - string: /rammap(\.exe)?/i
+      - string: /rammap64(\.exe)?/i
+      - string: /rdpclip(\.exe)?/i
+      - string: /tasklist/i
+      - string: /cred-store(\.exe)?/i
+      - string: /decoder\.exe/i
+      - string: /dnspy(\.exe)?/i
+      - string: /drrun(\.exe)?/i
+      - string: /dumpit(\.exe)?/i
+      - string: /frida-inject(\.exe)?/i
+      - string: /frida-server(\.exe)?/i
+      - string: /gdb\.exe/i
+      - string: /httpdebuggersvc(\.exe)?/i
+      - string: /ilspy(\.exe)?/i
+      - string: /inetsim(\.exe)?/i
+      - string: /ksdumper(\.exe)?/i
+      - string: /ksdumperclient(\.exe)?/i
+      - string: /mitmdump(\.exe)?/i
+      - string: /pestudio(\.exe)?/i
+      - string: /private-cloud-proxy(\.exe)?/i
+      - string: /process\.exe/i
+      - string: /r2\.exe/i
+      - string: /rekall(\.exe)?/i
+      - string: /tcpdump(\.exe)?/i
+      - string: /windasm(\.exe)?/i
+      - string: /x32dbgn(\.exe)?/i
diff --git a/host-interaction/service/run-as-service.yml b/host-interaction/service/run-as-service.yml
@@ -4,7 +4,7 @@ rule:
     namespace: host-interaction/service
     authors:
       - moritz.raabe@mandiant.com
-      - michael.hunhoff@mandiant.com
+      - mehunhoff@google.com
     scopes:
       static: file
       dynamic: file
@@ -15,7 +15,13 @@ rule:
   features:
     - or:
       - export: ServiceMain
-      - function:
+      - instruction:
+        - or:
+          - api: RegisterServiceCtrlHandler
+          - api: RegisterServiceCtrlHandlerEx
+          - api: StartServiceCtrlDispatcher
+          - api: System.ServiceProcess.ServiceBase::Run
+      - call:
         - or:
           - api: RegisterServiceCtrlHandler
           - api: RegisterServiceCtrlHandlerEx
diff --git a/nursery/run-as-nodejs-native-module.yml b/nursery/run-as-nodejs-native-module.yml
@@ -0,0 +1,13 @@
+rule:
+  meta:
+    name: run as NodeJS native module
+    namespace: runtime/node
+    authors:
+      - mehunhoff@google.com
+    description: NodeJS native modules enable native code to interact with the NodeJS runtime.
+    scopes:
+      static: file
+      dynamic: file
+  features:
+    - or:
+      - export: napi_register_module_v1
