From b8e037a7587695f5dc81774aefff7c9364eb8e12 Mon Sep 17 00:00:00 2001
From: mr-tz
Date: Tue, 3 Dec 2024 10:40:46 +0000
Subject: [PATCH] undo rename and remove features already captured in other rule

---
 ...executable-memory-pages-using-arbitrary-code-guard.yml} | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
 rename anti-analysis/anti-av/{protect-process-using-arbitrary-code-guard-or-blockdlls.yml => block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml} (76%)

diff --git a/anti-analysis/anti-av/protect-process-using-arbitrary-code-guard-or-blockdlls.yml b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
similarity index 76%
rename from anti-analysis/anti-av/protect-process-using-arbitrary-code-guard-or-blockdlls.yml
rename to anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
index 82536a40..d900b68d 100644
--- a/anti-analysis/anti-av/protect-process-using-arbitrary-code-guard-or-blockdlls.yml
+++ b/anti-analysis/anti-av/block-operations-on-executable-memory-pages-using-arbitrary-code-guard.yml
@@ -1,6 +1,6 @@
 rule:
   meta:
-    name: protect process using Arbitrary Code Guard or blockdlls
+    name: block operations on executable memory pages using Arbitrary Code Guard
     namespace: anti-analysis/anti-av
     authors:
       - jakub.jozwiak@mandiant.com
@@ -28,8 +28,3 @@ rule:
       - number: 4 = sizeof(PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY)
       - number: 1 = set policy.MicrosoftSignedOnly to 1
       - number: 8 = ProcessSignaturePolicy
-    - and:
-      - description: blockdlls
-      - api: UpdateProcThreadAttribute
-      - number: 0x20007 = PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY
-      - number: 0x100000000000 = PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON
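Review bot: The new `name` in the first hunk describes only Arbitrary Code Guard, but the branch left standing in the second hunk's context (`sizeof(PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY)`, `MicrosoftSignedOnly`, `ProcessSignaturePolicy`) is a binary-signature policy that restricts non-Microsoft image loads, not operations on executable pages, so the rule's name no longer covers part of what it matches. That branch is the in-process counterpart of the `blockdlls` creation-time mitigation this commit removes as "already captured in other rule", so it is worth checking whether it belongs in that other rule too, or whether the name should be broadened; the rule's `features:` block starts above line 28 and is outside the hunk, so I cannot tell whether an ACG-specific branch remains. If the deleted `- and:` was one of only two children of an enclosing `or:`, that `or:` now has a single child and could be flattened. At minimum, a comment on the surviving branch such as `# ProcessSignaturePolicy/MicrosoftSignedOnly blocks non-Microsoft image loads, not executable-page operations` would keep the scope honest for the next reader.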