rules: add QUIC / msquic detection rule#1108

Open

AdityaSkhorne wants to merge 4 commits intomandiant:masterfrom

AdityaSkhorne:rules/add-quic-msquic-detection

AdityaSkhorne commented Jan 28, 2026

Summary
Adds a focused rule to detect usage of QUIC-related APIs and libraries, with emphasis on Microsoft msquic and other QUIC implementations.

Changes

New rule: communication/quic/detect-msquic.yml
- Matches canonical MsQuic APIs (MsQuicOpen, MsQuicRegistrationOpen, MsQuicStreamOpen, etc.)
- Matches strings referencing msquic.dll and common QUIC implementations (quiche, ngtcp2, quic-go)

Why
QUIC is increasingly used in modern network stacks and can be abused by malware for covert C2 and data exfiltration. Covering msquic and other QUIC libs improves capa's ability to surface these behaviors.

Testing

Includes placeholder example metadata. CI will run the rule linter and tests.

Author: adityashankarkhorne@gmail.com

Note on provenance:
This contribution was created with assistance from an AI tool (ChatGPT). I reviewed and edited the content and confirm I have the right to submit it under the project's license. I accept responsibility for the submission and its licensing.

AdityaSkhorne and others added 4 commits

January 25, 2026 15:17


          Create create-tcp-socket-winsock-variants.yml


          Delete communication/socket/tcp/create-tcp-socket-winsock-variants.yml

d370788


          Merge branch 'mandiant:master' into master

468823e


          rules: add QUIC/msquic detection rule

08b470b

mike-hunhoff requested changes

View reviewed changes

communication/quic/detect-msquic.yml

@@ @@ -0,0 +1,34 @@ @@
+              rule:
+                meta:
+                  name: detect usage of msquic (QUIC) APIs

Collaborator

mike-hunhoff Jan 28, 2026

please review the rule name documentation and modify accordingly.

communication/quic/detect-msquic.yml

Comment on lines +7 to +8

		scopes:
		static: function

Collaborator

mike-hunhoff Jan 28, 2026

please review the scopes section of the meta block documentation and modify accordingly.

communication/quic/detect-msquic.yml

+                  mbc:
+                    - Communication::Network Communication::QUIC Client/Server [C0005.001]
+                  examples:
+                    - 05be49819139a3fdcdbddbdefd298398779521f3d68daa25275cc77508e42310.exe:0x401000

Collaborator

mike-hunhoff Jan 28, 2026

please review the examples section of the meta block documentation and modify accordingly.

communication/quic/detect-msquic.yml

Comment on lines +30 to +34

+                    - string: msquic
+                    - string: msquic.dll
+                    - string: quiche
+                    - string: ngtcp2
+                    - string: "quic-go"

Collaborator

mike-hunhoff Jan 28, 2026

please review the file string and substring documentation and modify accordingly. Also, provide descriptions for each string to help readers understand their purpose and relevance to the rule detection.

communication/quic/detect-msquic.yml

+                  scopes:
+                    static: function
+                  mbc:
+                    - Communication::Network Communication::QUIC Client/Server [C0005.001]

Collaborator

mike-hunhoff Jan 28, 2026

I don't see this listed in MBC. Can you provide a direct reference or update to the correct behaviour?

mike-hunhoff mentioned this pull request

rules: detect QUIC communication via Microsoft MsQuic #1106

Closed

Collaborator

mike-hunhoff commented Feb 6, 2026

@AdityaSkhorne bump

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet