diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
new file mode 100644
index 000000000..14130f2db
--- /dev/null
+++ b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
@@ -0,0 +1,24 @@
+rule:
+  meta:
+    name: patch Antimalware Scan Interface function
+    namespace: anti-analysis/anti-av
+    authors:
+      - jakub.jozwiak@mandiant.com
+    scope: function
+    att&ck:
+      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
+    mbc:
+      - Defense Evasion::Disable or Evade Security Tools [F0004]
+    references:
+      - https://fluidattacks.com/blog/amsi-bypass/
+    examples:
+      - edb92795c06a2bde47e652639327253a1148ee675ba2f0d1d9ac8690ef1820b1:0x14001126C
+  features:
+    - and:
+      - match: change memory protection
+      - or:
+        - string: "AmsiScanBuffer"
+        - string: "AmsiScanString"
+      - optional:
+        - match: write process memory
+        - string: "amsi.dll"
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index 8edfa3fc0..bce84559c 100644
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -6,7 +6,7 @@ rule:
       - jakub.jozwiak@mandiant.com
     scope: function
     att&ck:
-      - Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]
+      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:
       - Defense Evasion::Disable or Evade Security Tools [F0004]
     references:
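Review bot: The `or` block of the new AMSI rule lists only `AmsiScanBuffer` and `AmsiScanString`, but public AMSI patchers also commonly overwrite `AmsiOpenSession` (and sometimes `AmsiInitialize`), so a sample targeting those names would not match even though it performs the same protection change in the same function. Adding `- string: "AmsiOpenSession"` under that `or` closes the gap at little false-positive cost, because the enclosing `and` still requires the `change memory protection` match. The `optional` branch (`write process memory`, `"amsi.dll"`) contributes nothing to matching and reads as documentation of the usual LoadLibrary/GetProcAddress-then-patch flow; a one-line comment saying so, such as `# typical, not required: amsi.dll is resolved and the export overwritten in place`, would make that explicit. Since the rule is function-scoped, the protection change and the string reference must co-occur in one function; samples that resolve the export elsewhere will not match, which seems intended but is worth stating in the rule's comments.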
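Review bot: Dropping T1562.006 from the ETW rule's `att&ck` list loses what looks like the more precise mapping: ATT&CK's Indicator Blocking description specifically cites tampering with Event Tracing for Windows telemetry, whereas T1562.001 (Disable or Modify Tools) is the generic security-tool case that fits the new AMSI rule better than it fits `EtwEventWrite` patching. If the goal is consistency across the anti-av namespace, keeping both entries would serve that without discarding the ETW-specific technique, e.g. `- Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]` retained alongside the new `[T1562.001]` line. The rest of this rule's `meta` block lies outside the hunk.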
@@ -16,14 +16,7 @@ rule:
       - 15835b6dd703e69d22d4ab941ccd5f6e78c3abc22ae123366da5e950eaa62e2b:0x180001D70
   features:
     - and:
-      - match: link function at runtime on Windows
-      - or:
-        - api: kernel32.VirtualProtect
-        - api: ntdll.NtProtectVirtualMemory # exported by only ntdll, not ntoskrnl
-        - api: ZwProtectVirtualMemory # exported by both ntdll and ntoskrnl
-        - string: "VirtualProtect"
-        - string: "NtProtectVirtualMemory"
-        - string: "ZwProtectVirtualMemory"
+      - match: change memory protection
       - or:
         - string: "EventWrite"
         - string: "EtwEventWrite"
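Review bot: The new `match: change memory protection` line no longer states whether dynamic resolution is still required; the removed block demanded `link function at runtime on Windows` in the same `and`, and that requirement now lives (or not) in the referenced rule, which is not in this diff. If `change memory protection` also fires on a statically imported `VirtualProtect`, this hunk widens the ETW rule to samples that import it directly, which is probably desirable but should be confirmed and mentioned in the commit message. The `# exported by only ntdll, not ntoskrnl` / `# exported by both ntdll and ntoskrnl` notes on the deleted `api:` lines were useful for anyone maintaining the `Nt`/`Zw` variants; if the referenced rule does not already carry them, consider preserving them there. The `match:` also couples this file to the exact name of the other rule, so a future rename of `change memory protection` breaks both this rule and the new AMSI rule at load time.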