From b33f95c9ca7caa72aeec9d85211253307403e754 Mon Sep 17 00:00:00 2001
From: johnk3r
Date: Fri, 6 Oct 2023 12:19:47 -0300
Subject: [PATCH] set state tcp connection (#829)
* Add rule
---------
Co-authored-by: Willi Ballenthin
---
 .../connectivity/set-tcp-connection-state.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 host-interaction/network/connectivity/set-tcp-connection-state.yml
diff --git a/host-interaction/network/connectivity/set-tcp-connection-state.yml b/host-interaction/network/connectivity/set-tcp-connection-state.yml
new file mode 100644
index 000000000..4c8d87a49
--- /dev/null
+++ b/host-interaction/network/connectivity/set-tcp-connection-state.yml
@@ -0,0 +1,19 @@
+rule:
+ meta:
+ name: set TCP connection state
+ namespace: host-interaction/network/connectivity
+ authors:
+ - "@johnk3r"
+ description: The SetTcpEntry function sets the state of a TCP connection.
+ scope: function
+ att&ck:
+ - Defense Evasion::Impair Defenses [T1562]
+ references:
+ - https://unit42.paloaltonetworks.com/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website
+ - https://github.com/magisterquis/EDRSniper/blob/master/edrsniper.c
+ examples:
+ - 883bf161937f8dc6e766b07000110254:0x403150
+ features:
+ - and:
+ - api: iphlpapi.SetTcpEntry
+ - number: 12 = MIB_TCP_STATE_DELETE_TCB
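Review bot: The `description:` line of the new rule understates what the features actually match: the `and` block requires both `iphlpapi.SetTcpEntry` and the `MIB_TCP_STATE_DELETE_TCB` constant, so a hit presumably means the function tears down an existing TCP connection rather than merely "setting a state", which is also what the EDRSniper reference and the Impair Defenses mapping point at. I would reword it to `description: calls SetTcpEntry with MIB_TCP_STATE_DELETE_TCB to forcibly terminate an existing TCP connection` so an analyst reading a capa report sees the impact instead of the API's generic purpose. The `number: 12` feature is a small literal that may occur in the same function for unrelated reasons, but since the `and` also requires the import the precision risk looks acceptable; if false positives appear, tightening the scope around the call site would be the next step. The file is new, so the entire rule is within the hunk.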