From 6abb74095acddb3e6d5a7f572097f26f97ed63ce Mon Sep 17 00:00:00 2001
From: jtothej <95413053+jtothej@users.noreply.github.com>
Date: Thu, 13 Jul 2023 20:54:45 +0800
Subject: [PATCH 1/3] Add patch-antimalware-scan-interface-function.yml and
 updated patch-event-tracing-for-windows-function.yml

---
 ...ch-antimalware-scan-interface-function.yml | 33 +++++++++++++++++++
 ...tch-event-tracing-for-windows-function.yml |  4 ++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml

diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
new file mode 100644
index 000000000..669a452be
--- /dev/null
+++ b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
@@ -0,0 +1,33 @@
+rule:
+  meta:
+    name: patch Antimalware Scan Interface function
+    namespace: anti-analysis/anti-av
+    authors:
+      - jakub.jozwiak@mandiant.com
+    scope: function
+    att&ck:
+      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
+    mbc:
+      - Defense Evasion::Disable or Evade Security Tools [F0004]
+    references:
+      - https://fluidattacks.com/blog/amsi-bypass/
+    examples:
+      - edb92795c06a2bde47e652639327253a1148ee675ba2f0d1d9ac8690ef1820b1:0x14001126C
+  features:
+    - and:
+      - match: link function at runtime on Windows
+      - or:
+        - api: kernel32.VirtualProtect
+        - api: kernel32.VirtualProtectEx
+        - api: ntdll.NtProtectVirtualMemory
+        - api: ZwProtectVirtualMemory
+        - string: "VirtualProtect"
+        - string: "VirtualProtectEx"
+        - string: "NtProtectVirtualMemory"
+        - string: "ZwProtectVirtualMemory"
+      - or:
+        - string: "AmsiScanBuffer"
+        - string: "AmsiScanString"
+      - optional:
+        - match: write process memory
+        - string: "amsi.dll"
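Review bot: The new rule's `meta` carries no `description:`, so a reader of a match has to infer why a protection-changing API beside an `AmsiScanBuffer`/`AmsiScanString` string reference is classed as patching AMSI rather than as ordinary use of the scan API. Consider adding, after `namespace:`, something like `description: identifies a function that changes the page protection of an AMSI scan function it references by name, a prerequisite for overwriting it in memory; legitimate AMSI clients call the scan API but do not change its protection`. Note also that the `optional:` block at L49–L51 does not narrow the rule in capa (optional features always match and exist for documentation and rendering), so `write process memory` and `"amsi.dll"` are hints only; if they are meant to be discriminating, they belong under the `and:`.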
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index 8edfa3fc0..a1db351df 100644
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -6,7 +6,7 @@ rule:
       - jakub.jozwiak@mandiant.com
     scope: function
     att&ck:
-      - Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]
+      - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
     mbc:
       - Defense Evasion::Disable or Evade Security Tools [F0004]
     references:
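Review bot: Remapping the ETW rule from T1562.006 to T1562.001 at L60–L61 reads as a loss of precision rather than a correction: to my reading, ATT&CK's Indicator Blocking sub-technique (T1562.006) is the one whose description covers tampering with ETW event reporting, while Disable or Modify Tools is the broader security-tool entry. Since `att&ck:` is a list, both can be kept, e.g. `- Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]` on the line before the new entry, unless the intent is to align this rule with the AMSI rule's mapping, in which case a one-line comment saying so would help the next maintainer. The enclosing `meta` mapping starts above the hunk.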
@@ -19,9 +19,11 @@ rule:
       - match: link function at runtime on Windows
       - or:
         - api: kernel32.VirtualProtect
+        - api: kernel32.VirtualProtectEx
         - api: ntdll.NtProtectVirtualMemory  # exported by only ntdll, not ntoskrnl
         - api: ZwProtectVirtualMemory  # exported by both ntdll and ntoskrnl
         - string: "VirtualProtect"
+        - string: "VirtualProtectEx"
         - string: "NtProtectVirtualMemory"
         - string: "ZwProtectVirtualMemory"
       - or:

From 9bf276aacefd6d4a38ce373c7efd88b23808f265 Mon Sep 17 00:00:00 2001
From: JJ <jakub.jozwiak@mandiant.com>
Date: Mon, 20 Nov 2023 02:20:20 -0800
Subject: [PATCH 2/3] Update
 anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml

Co-authored-by: Moritz <mr-tz@users.noreply.github.com>
---
 .../patch-antimalware-scan-interface-function.yml     | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
index 669a452be..14130f2db 100644
--- a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
+++ b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
@@ -15,16 +15,7 @@ rule:
       - edb92795c06a2bde47e652639327253a1148ee675ba2f0d1d9ac8690ef1820b1:0x14001126C
   features:
     - and:
-      - match: link function at runtime on Windows
-      - or:
-        - api: kernel32.VirtualProtect
-        - api: kernel32.VirtualProtectEx
-        - api: ntdll.NtProtectVirtualMemory
-        - api: ZwProtectVirtualMemory
-        - string: "VirtualProtect"
-        - string: "VirtualProtectEx"
-        - string: "NtProtectVirtualMemory"
-        - string: "ZwProtectVirtualMemory"
+      - match: change memory protection
       - or:
         - string: "AmsiScanBuffer"
         - string: "AmsiScanString"
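Review bot: Replacing the protection-API block with `match: change memory protection` also drops `match: link function at runtime on Windows` (L97), which broadens the rule rather than merely consolidating it: a function now matches on any protection change plus a bare `AmsiScanBuffer`/`AmsiScanString` string, whether or not it resolves the export dynamically in that function. If the intent is to catch samples that resolve the address in a separate helper (which function scope would otherwise miss), consider recording that rationale in `meta` with a `description:` line; if not, `- match: link function at runtime on Windows` should be restored immediately above `- match: change memory protection`. The same applies to the ETW hunk in patch 3 (L131 removed, L141 added). The commit message "Update …" does not say which of the two was intended.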

From 7eb58b995e5cb2075de85336334eaf2a17ffcc68 Mon Sep 17 00:00:00 2001
From: JJ <jakub.jozwiak@mandiant.com>
Date: Mon, 20 Nov 2023 02:20:33 -0800
Subject: [PATCH 3/3] Update
 anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml

Co-authored-by: Moritz <mr-tz@users.noreply.github.com>
---
 .../patch-event-tracing-for-windows-function.yml      | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index a1db351df..bce84559c 100644
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -16,16 +16,7 @@ rule:
       - 15835b6dd703e69d22d4ab941ccd5f6e78c3abc22ae123366da5e950eaa62e2b:0x180001D70
   features:
     - and:
-      - match: link function at runtime on Windows
-      - or:
-        - api: kernel32.VirtualProtect
-        - api: kernel32.VirtualProtectEx
-        - api: ntdll.NtProtectVirtualMemory  # exported by only ntdll, not ntoskrnl
-        - api: ZwProtectVirtualMemory  # exported by both ntdll and ntoskrnl
-        - string: "VirtualProtect"
-        - string: "VirtualProtectEx"
-        - string: "NtProtectVirtualMemory"
-        - string: "ZwProtectVirtualMemory"
+      - match: change memory protection
       - or:
         - string: "EventWrite"
         - string: "EtwEventWrite"