extend rule features and rename (#969)

* extend rule features
mandiant · Dec 3, 2024 · 1adcf13 · 1adcf13
1 parent 1649218
commit 1adcf13
Showing 1 changed file with 13 additions and 7 deletions.
diff --git a/...alysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml b/...alysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
@@ -17,10 +17,16 @@ rule:
     examples:
       - 2ebadd04f0ada89c36c1409b6e96423a68dd77b513db8db3da203c36d3753e5f:0x140002120
   features:
-    - and:
-      - api: SetProcessMitigationPolicy
-      - number: 4 = sizeof(PROCESS_MITIGATION_DYNAMIC_CODE_POLICY)
-      - number: 1 = ProhibitDynamicCode
-      - or:
-        - number: 8 = ProcessDynamicCodePolicy
-        - offset: 4
+    - or:
+      - and:
+        - api: SetProcessMitigationPolicy
+        - number: 4 = sizeof(PROCESS_MITIGATION_DYNAMIC_CODE_POLICY)
+        - number: 1 = set policy.ProhibitDynamicCode to 1
+        - number: 2 = ProcessDynamicCodePolicy
+      - and:
+        - api: SetProcessMitigationPolicy
+        - number: 4 = sizeof(PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY)
+        - number: 1 = set policy.MicrosoftSignedOnly to 1
+        - or:
+          - number: 8 = ProcessSignaturePolicy
+          - offset: 4 = lea ecx, [r8+4] ; with r8 equal to 4