From 131cf44959eeeceb579eb071af7ce47455040658 Mon Sep 17 00:00:00 2001
From: JJ
Date: Mon, 20 Nov 2023 02:26:41 -0800
Subject: [PATCH] =?UTF-8?q?Add=20patch-antimalware-scan-interface-function?= =?UTF-8?q?.yml=20and=20updated=20patch-e=E2=80=A6=20(#798)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Add patch-antimalware-scan-interface-function.yml and updated patch-event-tracing-for-windows-function.yml
---------
Co-authored-by: Moritz
---
...ch-antimalware-scan-interface-function.yml | 24 +++++++++++++++++++
...tch-event-tracing-for-windows-function.yml | 11 ++-------
2 files changed, 26 insertions(+), 9 deletions(-)
create mode 100644 anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
new file mode 100644
index 000000000..14130f2db
--- /dev/null
+++ b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
@@ -0,0 +1,24 @@
+rule:
+ meta:
+ name: patch Antimalware Scan Interface function
+ namespace: anti-analysis/anti-av
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scope: function
+ att&ck:
+ - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
+ mbc:
+ - Defense Evasion::Disable or Evade Security Tools [F0004]
+ references:
+ - https://fluidattacks.com/blog/amsi-bypass/
+ examples:
+ - edb92795c06a2bde47e652639327253a1148ee675ba2f0d1d9ac8690ef1820b1:0x14001126C
+ features:
+ - and:
+ - match: change memory protection
+ - or:
+ - string: "AmsiScanBuffer"
+ - string: "AmsiScanString"
+ - optional:
+ - match: write process memory
+ - string: "amsi.dll"
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index 8edfa3fc0..bce84559c 100644
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
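Review bot: The rule keys on the string features `"AmsiScanBuffer"` / `"AmsiScanString"` rather than an `api:` feature for the amsi.dll export, which is presumably deliberate (a legitimate AMSI host imports the function directly, while a function that carries the name as a string is the case worth flagging), but nothing in the rule records that intent; a `description:` under `meta:` such as `description: matches the export name as a string rather than an import, since legitimate AMSI hosts import amsi.dll directly` would keep a later contributor from "fixing" it into an `api:` feature. The `optional:` block (`write process memory`, `"amsi.dll"`) never affects whether the rule matches, so the only discriminating features are the `change memory protection` match and one of the two strings; a function that toggles page protection and merely references the name (a scanner or hooking framework, say) will also match, which is acceptable at function scope but worth stating in that description so triage expectations are clear. The `change memory protection` rule this one depends on is not in the diff, so its coverage cannot be checked here.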
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -6,7 +6,7 @@ rule:
- jakub.jozwiak@mandiant.com
scope: function
att&ck:
- - Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]
+ - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
mbc:
- Defense Evasion::Disable or Evade Security Tools [F0004]
references:
@@ -16,14 +16,7 @@ rule:
- 15835b6dd703e69d22d4ab941ccd5f6e78c3abc22ae123366da5e950eaa62e2b:0x180001D70
features:
- and:
- - match: link function at runtime on Windows
- - or:
- - api: kernel32.VirtualProtect
- - api: ntdll.NtProtectVirtualMemory # exported by only ntdll, not ntoskrnl
- - api: ZwProtectVirtualMemory # exported by both ntdll and ntoskrnl
- - string: "VirtualProtect"
- - string: "NtProtectVirtualMemory"
- - string: "ZwProtectVirtualMemory"
+ - match: change memory protection
- or:
- string: "EventWrite"
- string: "EtwEventWrite"
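Review bot: The ATT&CK mapping moves from T1562.006 (Indicator Blocking) to T1562.001 (Disable or Modify Tools), but as far as I recall the Indicator Blocking sub-technique's description explicitly names disabling host-based sensors such as ETW, so the old entry looked like the more specific one for an ETW patch. Since `att&ck:` is a list, aligning with the new AMSI rule does not require dropping it; keeping both entries (`- Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]` directly above the new line) preserves the more specific mapping. If the change is meant as a deliberate re-classification, a sentence saying so in the PR description would help the next reviewer.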
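Review bot: Replacing the inline block with `match: change memory protection` also drops the `match: link function at runtime on Windows` requirement that the old `and:` carried, so a function that imports the protection API statically and merely references the `"EtwEventWrite"` string now satisfies the rule — a loosening the commit message does not mention and that may raise false positives. If the intent is only to deduplicate the protection-API list, keep the runtime-linking match alongside the new one: `- match: link function at runtime on Windows` directly above `- match: change memory protection`. The referenced `change memory protection` rule is not in this diff, so whether it still covers the `string:` variants and the `ZwProtectVirtualMemory` ntoskrnl case called out in the removed comments cannot be verified here; worth confirming before merge, and carrying those two comments over if the target rule lacks them. The enclosing `and:` block begins inside the hunk and the hunk ends at the rule's last feature.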