From 0e4ebef238cdaf552853ead2c1bf0df3bcbb0b06 Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Mon, 2 Dec 2024 12:55:06 +0000
Subject: [PATCH] extend rule features and rename
---
...emory-pages-using-arbitrary-code-guard.yml | 26 --------------
...sing-arbitrary-code-guard-or-blockdlls.yml | 35 +++++++++++++++++++
2 files changed, 35 insertions(+), 26 deletions(-)
delete mode 100644 anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
create mode 100644 anti-analysis/anti-av/protect-process-using-arbitrary-code-guard-or-blockdlls.yml
diff --git a/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
deleted file mode 100644
index 3d19579e..00000000
--- a/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-rule:
- meta:
- name: block operations on executable memory pages using Arbitrary Code Guard
- namespace: anti-analysis/anti-av
- authors:
- - jakub.jozwiak@mandiant.com
- scopes:
- static: basic block
- dynamic: call
- att&ck:
- - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
- mbc:
- - Defense Evasion::Disable or Evade Security Tools::Modify Policy [F0004.005]
- references:
- - https://blog.xpnsec.com/protecting-your-malware/
- - https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/
- examples:
- - 2ebadd04f0ada89c36c1409b6e96423a68dd77b513db8db3da203c36d3753e5f:0x140002120
- features:
- - and:
- - api: SetProcessMitigationPolicy
- - number: 4 = sizeof(PROCESS_MITIGATION_DYNAMIC_CODE_POLICY)
- - number: 1 = ProhibitDynamicCode
- - or:
- - number: 8 = ProcessDynamicCodePolicy
- - offset: 4
diff --git a/anti-analysis/anti-av/protect-process-using-arbitrary-code-guard-or-blockdlls.yml b/anti-analysis/anti-av/protect-process-using-arbitrary-code-guard-or-blockdlls.yml
new file mode 100644
index 00000000..3228a4dc
--- /dev/null
+++ b/anti-analysis/anti-av/protect-process-using-arbitrary-code-guard-or-blockdlls.yml
@@ -0,0 +1,35 @@
+rule:
+ meta:
+ name: protect process using Arbitrary Code Guard or blockdlls
+ namespace: anti-analysis/anti-av
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scopes:
+ static: basic block
+ dynamic: call
+ att&ck:
+ - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
+ mbc:
+ - Defense Evasion::Disable or Evade Security Tools::Modify Policy [F0004.005]
+ references:
+ - https://blog.xpnsec.com/protecting-your-malware/
+ - https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/
+ examples:
+ - 2ebadd04f0ada89c36c1409b6e96423a68dd77b513db8db3da203c36d3753e5f:0x140002120
+ features:
+ - or:
+ - and:
+ - api: SetProcessMitigationPolicy
+ - number: 4 = sizeof(PROCESS_MITIGATION_DYNAMIC_CODE_POLICY)
+ - number: 1 = set policy.ProhibitDynamicCode
+ - number: 2 = ProcessDynamicCodePolicy
+ - and:
+ - api: SetProcessMitigationPolicy
+ - number: 4 = sizeof(PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY)
+ - number: 1 = set policy.flags to 1
+ - number: 8 = ProcessSignaturePolicy
+ - and:
+ - description: blockdlls
+ - api: InitializeProcThreadAttributeList
+ - number: 0x20007 = PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY
+ - number: 0x100000000000 = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON
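Review bot: The blockdlls clause at the end of the new rule anchors on `api: InitializeProcThreadAttributeList`, but that call only receives the attribute count; the 0x20007 attribute id and the policy value are the arguments of `UpdateProcThreadAttribute`, so under the `basic block` scope the three features may not share a block and the branch is likely to miss. Consider `- api: UpdateProcThreadAttribute` (or an `or` over both APIs) next to the two `number` features. The exact `number: 0x100000000000` also assumes a single 64-bit immediate; in 32-bit builds the policy is typically written as two DWORDs (high DWORD 0x1000), and in practice the ALWAYS_ON bit is often OR'd with other PROCESS_CREATION_MITIGATION_POLICY flags, so a short comment stating that limitation — or an added `number: 0x1000 = high DWORD of ..._BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON` — would help. Finally, `examples` only lists the ACG sample; an example address for the signature-policy and blockdlls alternatives would make the new `or` branches verifiable by the rule linter.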