diff --git a/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml b/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
index fa2530362..412bc98e2 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
@@ -8,6 +8,8 @@ rule:
     scope: function
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
+    mbc:
+      - Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012]
     references:
       - https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
       - https://unprotect.it/technique/getforegroundwindow/
diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
index 8a7324bf3..e19528ffe 100644
--- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
+++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
@@ -8,6 +8,8 @@ rule:
     scope: function
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
+    mbc:
+      - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023]
     examples:
       - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
   features:
diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
index 08374416e..56c830688 100644
--- a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
+++ b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
@@ -8,6 +8,8 @@ rule:
     scope: function
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
+    mbc:
+      - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023]
     examples:
       - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
   features:
diff --git a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
index fbb2e72f9..79474ebb8 100644
--- a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
+++ b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
@@ -7,6 +7,8 @@ rule:
     scope: function
     att&ck:
       - Defense Evasion::Hide Artifacts::Hidden File System [T1564.005]
+    mbc:
+      - Defense Evasion::Hidden Files and Directories [F0005]
     references:
       - https://learn.microsoft.com/en-us/dotnet/api/system.web.hosting.virtualpathprovider?view=netframework-4.8.1
     examples:
diff --git a/host-interaction/memory/create-new-application-domain-in-dotnet.yml b/host-interaction/memory/create-new-application-domain-in-dotnet.yml
index 0bd7dabee..8626dfdab 100644
--- a/host-interaction/memory/create-new-application-domain-in-dotnet.yml
+++ b/host-interaction/memory/create-new-application-domain-in-dotnet.yml
@@ -7,6 +7,8 @@ rule:
     scope: file
     att&ck:
       - Persistence::Hijack Execution Flow [T1574]
+    mbc:
+      - Persistence::Hijack Execution Flow [F0015]
     references:
       - https://learn.microsoft.com/en-us/dotnet/framework/app-domains/application-domains
       - https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/
diff --git a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml
index ed78e2d9c..f7a79c99c 100644
--- a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml
+++ b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml
@@ -8,6 +8,8 @@ rule:
     scope: function
     att&ck:
       - Defense Evasion::Obfuscated Files or Information::Dynamic API Resolution [T1027.007]
+    mbc:
+      - Defense Evasion::Obfuscated Files or Information [E1027]
     references:
       - https://bruteratel.com/release_notes/releases.txt
     examples:
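Review bot: The added MBC entry for resolve-function-by-brute-ratel-badger-hash.yml maps to the parent behavior `Defense Evasion::Obfuscated Files or Information [E1027]`, while the ATT&CK entry two lines above is the specific sub-technique `Dynamic API Resolution [T1027.007]`; the two mappings are at different levels of precision. If the MBC release this rule set is validated against defines a method under E1027 (or under Anti-Static Analysis) that covers hash-based API resolution, that leaf entry would describe the rule more exactly and match the granularity used in the VM-detection hunks earlier in this diff (B0009.012, B0009.023). If no such method exists, a short note in the commit message saying the parent was chosen deliberately would save the next reviewer the same lookup. The identifier and label should be checked verbatim against the MBC source so the rule linter accepts them.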