Add patch-antimalware-scan-interface-function.yml and updated patch-e…

…vent-tracing-for-windows-function.yml
mandiant · Jul 13, 2023 · 6abb740 · 6abb740
1 parent 85a980a
commit 6abb740
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 1 deletion.
diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
@@ -0,0 +1,33 @@
+rule:
+  meta:
+    name: patch Antimalware Scan Interface function
+    namespace: anti-analysis/anti-av
+    authors:
+      - jakub.jozwiak@mandiant.com
+    scope: function
+    att&ck:
+      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
+    mbc:
+      - Defense Evasion::Disable or Evade Security Tools [F0004]
+    references:
+      - https://fluidattacks.com/blog/amsi-bypass/
+    examples:
+      - edb92795c06a2bde47e652639327253a1148ee675ba2f0d1d9ac8690ef1820b1:0x14001126C
+  features:
+    - and:
+      - match: link function at runtime on Windows
+      - or:
+        - api: kernel32.VirtualProtect
+        - api: kernel32.VirtualProtectEx
+        - api: ntdll.NtProtectVirtualMemory
+        - api: ZwProtectVirtualMemory
+        - string: "VirtualProtect"
+        - string: "VirtualProtectEx"
+        - string: "NtProtectVirtualMemory"
+        - string: "ZwProtectVirtualMemory"
+      - or:
+        - string: "AmsiScanBuffer"
+        - string: "AmsiScanString"
+      - optional:
+        - match: write process memory
+        - string: "amsi.dll"
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -6,7 +6,7 @@ rule:
       - jakub.jozwiak@mandiant.com
     scope: function
     att&ck:
-      - Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]
+      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:
       - Defense Evasion::Disable or Evade Security Tools [F0004]
     references:
@@ -19,9 +19,11 @@ rule:
       - match: link function at runtime on Windows
       - or:
         - api: kernel32.VirtualProtect
+        - api: kernel32.VirtualProtectEx
         - api: ntdll.NtProtectVirtualMemory  # exported by only ntdll, not ntoskrnl
         - api: ZwProtectVirtualMemory  # exported by both ntdll and ntoskrnl
         - string: "VirtualProtect"
+        - string: "VirtualProtectEx"
         - string: "NtProtectVirtualMemory"
         - string: "ZwProtectVirtualMemory"
       - or: