create TCP socket

edit on GitHub
search on VirusTotal
rule:
  meta:
    name: create TCP socket
    namespace: communication/socket/tcp
    authors:
      - william.ballenthin@mandiant.com
      - joakim@intezer.com
      - anushka.virgaonkar@mandiant.com
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    mbc:
      - Communication::Socket Communication::Create TCP Socket [C0001.011]
    examples:
      - Practical Malware Analysis Lab 01-01.dll_:0x10001010
  features:
    - or:
      - and:
        - number: 6 = IPPROTO_TCP
        - number: 1 = SOCK_STREAM
        - number: 2 = AF_INET
        - or:
          - api: socket
          - api: ws2_32.socket
          - api: ws2_32.#23 = socket
          - api: ws2_32.WSASocket
          - api: ws2_32.#82 = WSASocketA
          - api: ws2_32.#83 = WSASocketW
          - api: System.Net.Sockets.Socket::ctor
      - property/read: System.Net.Sockets.TcpClient::Client
last edited: 2024-04-23 12:20:28