From 6abb74095acddb3e6d5a7f572097f26f97ed63ce Mon Sep 17 00:00:00 2001
From: jtothej <95413053+jtothej@users.noreply.github.com>
Date: Thu, 13 Jul 2023 20:54:45 +0800
Subject: [PATCH 1/3] Add patch-antimalware-scan-interface-function.yml and updated patch-event-tracing-for-windows-function.yml
---
 ...ch-antimalware-scan-interface-function.yml | 33 +++++++++++++++++++
 ...tch-event-tracing-for-windows-function.yml | 4 ++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
new file mode 100644
index 000000000..669a452be
--- /dev/null
+++ b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
@@ -0,0 +1,33 @@
+rule:
+ meta:
+ name: patch Antimalware Scan Interface function
+ namespace: anti-analysis/anti-av
+ authors:
+ - jakub.jozwiak@mandiant.com
+ scope: function
+ att&ck:
+ - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
+ mbc:
+ - Defense Evasion::Disable or Evade Security Tools [F0004]
+ references:
+ - https://fluidattacks.com/blog/amsi-bypass/
+ examples:
+ - edb92795c06a2bde47e652639327253a1148ee675ba2f0d1d9ac8690ef1820b1:0x14001126C
+ features:
+ - and:
+ - match: link function at runtime on Windows
+ - or:
+ - api: kernel32.VirtualProtect
+ - api: kernel32.VirtualProtectEx
+ - api: ntdll.NtProtectVirtualMemory
+ - api: ZwProtectVirtualMemory
+ - string: "VirtualProtect"
+ - string: "VirtualProtectEx"
+ - string: "NtProtectVirtualMemory"
+ - string: "ZwProtectVirtualMemory"
+ - or:
+ - string: "AmsiScanBuffer"
+ - string: "AmsiScanString"
+ - optional:
+ - match: write process memory
+ - string: "amsi.dll"
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index 8edfa3fc0..a1db351df 100644
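Review bot: The `string:` features in this new rule are exact, case-sensitive matches, so the trailing `- string: "amsi.dll"` will not fire on `AMSI.DLL` or on a full module path; capa's regex form covers those spellings, `- string: /amsi\.dll/i`. Because that line and `- match: write process memory` sit under `- optional:`, they only add evidence to the report and never gate the match, so the detection decision rests entirely on the memory-protection features together with the `AmsiScanBuffer` / `AmsiScanString` strings; if that is intended, a `description:` under `meta:` saying so would help the next maintainer. The `examples:` entry presumably needs a matching sample in the rules' test corpus for the CI check to exercise it.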
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -6,7 +6,7 @@ rule:
 - jakub.jozwiak@mandiant.com
 scope: function
 att&ck:
- - Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]
+ - Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
 mbc:
 - Defense Evasion::Disable or Evade Security Tools [F0004]
 references:
@@ -19,9 +19,11 @@ rule:
 - match: link function at runtime on Windows
 - or:
 - api: kernel32.VirtualProtect
+ - api: kernel32.VirtualProtectEx
 - api: ntdll.NtProtectVirtualMemory # exported by only ntdll, not ntoskrnl
 - api: ZwProtectVirtualMemory # exported by both ntdll and ntoskrnl
 - string: "VirtualProtect"
+ - string: "VirtualProtectEx"
 - string: "NtProtectVirtualMemory"
 - string: "ZwProtectVirtualMemory"
 - or:
From 9bf276aacefd6d4a38ce373c7efd88b23808f265 Mon Sep 17 00:00:00 2001
From: JJ <jakub.jozwiak@mandiant.com>
Date: Mon, 20 Nov 2023 02:20:20 -0800
Subject: [PATCH 2/3] Update anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
Co-authored-by: Moritz <mr-tz@users.noreply.github.com>
---
 .../patch-antimalware-scan-interface-function.yml | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
index 669a452be..14130f2db 100644
--- a/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
+++ b/anti-analysis/anti-av/patch-antimalware-scan-interface-function.yml
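Review bot: Swapping the ETW rule's ATT&CK mapping from T1562.006 Indicator Blocking to T1562.001 Disable or Modify Tools in the first hunk trades a specific technique for a generic one: as far as I recall, MITRE's Indicator Blocking sub-technique describes tampering with host telemetry such as Event Tracing for Windows, whereas T1562.001 is the broad security-tool tampering bucket. If the goal is only to align with the new AMSI rule, keeping both entries under `att&ck:` preserves the ETW-specific mapping: leave `- Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]` in place and add the new line beside it. The commit message says the file was "updated" without saying why the mapping changed, so a sentence on the rationale would help future triage. The enclosing `meta:` mapping starts outside the hunk.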
@@ -15,16 +15,7 @@ rule:
 - edb92795c06a2bde47e652639327253a1148ee675ba2f0d1d9ac8690ef1820b1:0x14001126C
 features:
 - and:
- - match: link function at runtime on Windows
- - or:
- - api: kernel32.VirtualProtect
- - api: kernel32.VirtualProtectEx
- - api: ntdll.NtProtectVirtualMemory
- - api: ZwProtectVirtualMemory
- - string: "VirtualProtect"
- - string: "VirtualProtectEx"
- - string: "NtProtectVirtualMemory"
- - string: "ZwProtectVirtualMemory"
+ - match: change memory protection
 - or:
 - string: "AmsiScanBuffer"
 - string: "AmsiScanString"
From 7eb58b995e5cb2075de85336334eaf2a17ffcc68 Mon Sep 17 00:00:00 2001
From: JJ <jakub.jozwiak@mandiant.com>
Date: Mon, 20 Nov 2023 02:20:33 -0800
Subject: [PATCH 3/3] Update anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
Co-authored-by: Moritz <mr-tz@users.noreply.github.com>
---
 .../patch-event-tracing-for-windows-function.yml | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
index a1db351df..bce84559c 100644
--- a/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
+++ b/anti-analysis/anti-av/patch-event-tracing-for-windows-function.yml
@@ -16,16 +16,7 @@ rule:
 - 15835b6dd703e69d22d4ab941ccd5f6e78c3abc22ae123366da5e950eaa62e2b:0x180001D70
 features:
 - and:
- - match: link function at runtime on Windows
- - or:
- - api: kernel32.VirtualProtect
- - api: kernel32.VirtualProtectEx
- - api: ntdll.NtProtectVirtualMemory # exported by only ntdll, not ntoskrnl
- - api: ZwProtectVirtualMemory # exported by both ntdll and ntoskrnl
- - string: "VirtualProtect"
- - string: "VirtualProtectEx"
- - string: "NtProtectVirtualMemory"
- - string: "ZwProtectVirtualMemory"
+ - match: change memory protection
 - or:
 - string: "EventWrite"
 - string: "EtwEventWrite"
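Review bot: Replacing the inline API/string block with `- match: change memory protection` also drops `- match: link function at runtime on Windows`, which the removed lines show was a required conjunct of the `- and:`; unless the referenced rule itself demands dynamic export resolution, the AMSI rule now matches any function that changes page protection and references an `AmsiScan*` string, which is broader than what the first patch introduced and may deserve a look at false-positive rate on benign scanners. The same applies to the ETW rule in the final hunk, where the removed lines additionally carried the `# exported by only ntdll, not ntoskrnl` and `# exported by both ntdll and ntoskrnl` comments that are now lost unless the referenced rule documents them. A `match:` target must equal an existing rule's `meta.name` exactly, which cannot be confirmed from this patch alone. In both hunks the `features:` block continues past the hunk's last line.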