diff --git a/anti-analysis/anti-av/protect-process-using-arbitrary-code-guard-or-blockdlls.yml b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
similarity index 76%
rename from anti-analysis/anti-av/protect-process-using-arbitrary-code-guard-or-blockdlls.yml
rename to anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
index 82536a40..d900b68d 100644
--- a/anti-analysis/anti-av/protect-process-using-arbitrary-code-guard-or-blockdlls.yml
+++ b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
@@ -1,6 +1,6 @@
 rule:
 meta:
- name: protect process using Arbitrary Code Guard or blockdlls
+ name: block operations on executable memory pages using Arbitrary Code Guard
 namespace: anti-analysis/anti-av
 authors:
 - jakub.jozwiak@mandiant.com
@@ -28,8 +28,3 @@ rule:
 - number: 4 = sizeof(PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY)
 - number: 1 = set policy.MicrosoftSignedOnly to 1
 - number: 8 = ProcessSignaturePolicy
- - and:
- - description: blockdlls
- - api: UpdateProcThreadAttribute
- - number: 0x20007 = PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY
- - number: 0x100000000000 = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON
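Review bot: The new rule name promises Arbitrary Code Guard (a ProcessDynamicCodePolicy restriction on executable memory pages), but the context lines the second hunk keeps — `number: 4 = sizeof(PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY)`, `number: 1 = set policy.MicrosoftSignedOnly to 1`, `number: 8 = ProcessSignaturePolicy` — match the binary-signature mitigation, which restricts image loading to Microsoft-signed DLLs and is the SetProcessMitigationPolicy counterpart of the blockdlls branch this commit removes, not a restriction on executable memory. If that branch is meant to stay, the name and the `description:` line that introduces it (which sits above the hunk and is not visible here) should say so; if the intent is to split blockdlls into its own rule, this signature-policy branch should presumably move together with the removed UpdateProcThreadAttribute branch. The enclosing `features` block starts before the hunk, so I cannot confirm that a `ProcessDynamicCodePolicy` branch remains in the file; it is worth checking that the rule still detects what its new name describes before the rename lands.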