Commit

Update Mappings for MBC (part 11)
ryantxu1 committed Sep 27, 2023
1 parent b9c2bc1 commit 6fbf518
Showing 6 changed files with 12 additions and 0 deletions.
Expand Up @@ -8,6 +8,8 @@ rule:
scope: function
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012]
references:
- https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
- https://unprotect.it/technique/getforegroundwindow/
Expand Up @@ -8,6 +8,8 @@ rule:
scope: function
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023]
examples:
- 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
features:
Expand Up @@ -8,6 +8,8 @@ rule:
scope: function
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023]
examples:
- 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
features:
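Review bot: The added mbc entry in this hunk, Unique Hardware/Firmware Check [B0009.023], is identical to the one added in the previous file, and both hunks show the same examples entry (32B3678F8C29437E9EA10EAB10194F66:0x4035e0) under the same T1497.001 mapping. Please confirm that each of the two rules really detects a hardware or firmware check and that the method ID was chosen per rule rather than carried over; if the rules detect different system checks, each should get the MBC method that matches it.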
Expand Up @@ -7,6 +7,8 @@ rule:
scope: function
att&ck:
- Defense Evasion::Hide Artifacts::Hidden File System [T1564.005]
mbc:
- Defense Evasion::Hidden Files and Directories [F0005]
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.web.hosting.virtualpathprovider?view=netframework-4.8.1
examples:
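Review bot: The added mbc line maps to Hidden Files and Directories [F0005], while the att&ck line directly above it is Hide Artifacts::Hidden File System [T1564.005] and the reference is the .NET VirtualPathProvider API. The two names do not describe the same thing, so please confirm F0005 is the intended closest MBC behavior, and say so in the commit message if it is a deliberate approximation.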
Expand Up @@ -7,6 +7,8 @@ rule:
scope: file
att&ck:
- Persistence::Hijack Execution Flow [T1574]
mbc:
- Persistence::Hijack Execution Flow [F0015]
references:
- https://learn.microsoft.com/en-us/dotnet/framework/app-domains/application-domains
- https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/
Expand Up @@ -8,6 +8,8 @@ rule:
scope: function
att&ck:
- Defense Evasion::Obfuscated Files or Information::Dynamic API Resolution [T1027.007]
mbc:
- Defense Evasion::Obfuscated Files or Information [E1027]
references:
- https://bruteratel.com/release_notes/releases.txt
examples:
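Review bot: The added mbc entry stops at the behavior level, Obfuscated Files or Information [E1027], while the att&ck entry on the line above names the sub-technique Dynamic API Resolution [T1027.007]. If MBC defines a method under E1027 that covers resolving APIs at run time, cite it with its method ID the way the other mappings in this commit do (for example [B0009.012]); if none exists, the behavior-level mapping is fine as it stands.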