Add patch-antimalware-scan-interface-function.yml and updated patch-e… #798

Merged 3 commits, Nov 20, 2023
@@ -0,0 +1,33 @@
rule:
meta:
name: patch Antimalware Scan Interface function
namespace: anti-analysis/anti-av
authors:
- [email protected]
scope: function
att&ck:
- Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
mbc:
- Defense Evasion::Disable or Evade Security Tools [F0004]
references:
- https://fluidattacks.com/blog/amsi-bypass/
examples:
- edb92795c06a2bde47e652639327253a1148ee675ba2f0d1d9ac8690ef1820b1:0x14001126C
features:
- and:
- match: link function at runtime on Windows
- or:
- api: kernel32.VirtualProtect
- api: kernel32.VirtualProtectEx
- api: ntdll.NtProtectVirtualMemory
- api: ZwProtectVirtualMemory
- string: "VirtualProtect"
- string: "VirtualProtectEx"
- string: "NtProtectVirtualMemory"
- string: "ZwProtectVirtualMemory"
Collaborator
I think we should factor this logic out into a library rule, like patch read-only memory at runtime or something.

Collaborator
then we can have a rule like hook function at runtime and then the rules in this PR boil down to:

    - match: hook function at runtime
    - or:
      - string: AmsiScanBuffer
      - string: AmsiScanString

and

    - match: hook function at runtime
    - or:
      - string: EventWrite
      - ...

Contributor Author
I was initially thinking about using allocate RWX memory (which in turn depends on allocate memory), but allocate memory matches on both memory allocation functions and functions that change the protection of already allocated memory.
So maybe we could split allocate memory into actual allocate memory and something like change memory protection (including VirtualProtect, VirtualProtectEx, NtProtectVirtualMemory, ZwProtectVirtualMemory). Then we could have change memory protection to RWX and use it in the rules in this PR. The problem with this approach would be figuring out which rules currently using the allocate memory rule depend on memory allocation functions, which depend on memory protection change functions, and which on both.

Collaborator
yup, that sounds like a great refactor!

Collaborator
refactoring this in #836

- or:
- string: "AmsiScanBuffer"
- string: "AmsiScanString"
- optional:
- match: write process memory
- string: "amsi.dll"
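Review bot: the `optional:` block at the end of this rule (`match: write process memory`, `string: "amsi.dll"`) does not constrain matching; an `optional` node succeeds whether or not any of its children are present and only enriches the reported match, so the rule fires on any function that links an API at runtime, references one of the four protection-change APIs or their names, and contains the string `AmsiScanBuffer` or `AmsiScanString`. If `amsi.dll` is meant purely as corroborating evidence that is fine as written; if it is meant to tighten the match, move it into a required `or:` next to the AMSI export names and say so in the rule.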
Expand Up @@ -6,7 +6,7 @@ rule:
- [email protected]
scope: function
att&ck:
- Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006]
- Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001]
mbc:
- Defense Evasion::Disable or Evade Security Tools [F0004]
references:
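Review bot: the ATT&CK mapping changes from Indicator Blocking [T1562.006] to Disable or Modify Tools [T1562.001] with no explanation in the hunk; both sub-techniques sit under Impair Defenses, but the old one describes suppressing telemetry while the new one describes disabling a security tool, so either keep both entries or state in the commit message why this rule and the new AMSI rule should share T1562.001.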
Expand All @@ -19,9 +19,11 @@ rule:
- match: link function at runtime on Windows
- or:
- api: kernel32.VirtualProtect
- api: kernel32.VirtualProtectEx
- api: ntdll.NtProtectVirtualMemory # exported by only ntdll, not ntoskrnl
- api: ZwProtectVirtualMemory # exported by both ntdll and ntoskrnl
- string: "VirtualProtect"
- string: "VirtualProtectEx"
- string: "NtProtectVirtualMemory"
- string: "ZwProtectVirtualMemory"
- or:
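Review bot: this `or:` block of four `api:` and four `string:` alternatives is now duplicated verbatim in the new AMSI rule in this PR, but only this copy carries the comments explaining why `NtProtectVirtualMemory` is prefixed with `ntdll.` while `ZwProtectVirtualMemory` has no module prefix; since the thread above agrees to factor the block into a library rule (#836), either copy the comments into the other file or add a short note pointing at that follow-up so the two copies do not drift in the meantime.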