undo rename and remove features already captured in other rule

mandiant · Dec 3, 2024 · c01b2bc · c01b2bc
1 parent 3ecf5c2
commit c01b2bc
Showing 1 changed file with 5 additions and 8 deletions.
diff --git a/...ing-arbitrary-code-guard-or-blockdlls.yml → ...mory-pages-using-arbitrary-code-guard.yml b/...ing-arbitrary-code-guard-or-blockdlls.yml → ...mory-pages-using-arbitrary-code-guard.yml
@@ -1,6 +1,6 @@
 rule:
   meta:
-    name: protect process using Arbitrary Code Guard or blockdlls
+    name: block operations on executable memory pages using Arbitrary Code Guard
     namespace: anti-analysis/anti-av
     authors:
       - jakub.jozwiak@mandiant.com
@@ -21,15 +21,12 @@ rule:
       - and:
         - api: SetProcessMitigationPolicy
         - number: 4 = sizeof(PROCESS_MITIGATION_DYNAMIC_CODE_POLICY)
-        - number: 1 = set policy.ProhibitDynamicCode
+        - number: 1 = set policy.ProhibitDynamicCode to 1
         - number: 2 = ProcessDynamicCodePolicy
       - and:
         - api: SetProcessMitigationPolicy
         - number: 4 = sizeof(PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY)
         - number: 1 = set policy.MicrosoftSignedOnly to 1
-        - number: 8 = ProcessSignaturePolicy
-      - and:
-        - description: blockdlls
-        - api: UpdateProcThreadAttribute
-        - number: 0x20007 = PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY
-        - number: 0x100000000000 = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON
+        - or:
+          - number: 8 = ProcessSignaturePolicy
+          - offset: 4 = lea ecx, [r8+4] ; with r8 equal to 4