mandiant · williballenthin · Sep 27, 2023 · Sep 27, 2023
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml b/anti-analysis/anti-vm/vm-detection/check-for-foreground-window-switch.yml
@@ -8,6 +8,8 @@ rule:
     scope: function
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
+    mbc:
+      - Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012]
     references:
       - https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
       - https://unprotect.it/technique/getforegroundwindow/

diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-disk-hardware-wmi-queries.yml
@@ -8,6 +8,8 @@ rule:
     scope: function
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
+    mbc:
+      - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023]
     examples:
       - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
   features:

diff --git a/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-vm-via-motherboard-hardware-wmi-queries.yml
@@ -8,6 +8,8 @@ rule:
     scope: function
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
+    mbc:
+      - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023]
     examples:
       - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
   features:

diff --git a/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml b/host-interaction/file-system/create-virtual-file-system-in-dotnet.yml
@@ -7,6 +7,8 @@ rule:
     scope: function
     att&ck:
       - Defense Evasion::Hide Artifacts::Hidden File System [T1564.005]
+    mbc:
+      - Defense Evasion::Hidden Files and Directories [F0005]
     references:
       - https://learn.microsoft.com/en-us/dotnet/api/system.web.hosting.virtualpathprovider?view=netframework-4.8.1
     examples:

diff --git a/host-interaction/memory/create-new-application-domain-in-dotnet.yml b/host-interaction/memory/create-new-application-domain-in-dotnet.yml
@@ -7,6 +7,8 @@ rule:
     scope: file
     att&ck:
       - Persistence::Hijack Execution Flow [T1574]
+    mbc:
+      - Persistence::Hijack Execution Flow [F0015]
     references:
       - https://learn.microsoft.com/en-us/dotnet/framework/app-domains/application-domains
       - https://www.rapid7.com/blog/post/2023/05/05/appdomain-manager-injection-new-techniques-for-red-teams/

diff --git a/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml b/linking/runtime-linking/resolve-function-by-brute-ratel-badger-hash.yml
@@ -8,6 +8,8 @@ rule:
     scope: function
     att&ck:
       - Defense Evasion::Obfuscated Files or Information::Dynamic API Resolution [T1027.007]
+    mbc:
+      - Defense Evasion::Obfuscated Files or Information [E1027]
     references:
       - https://bruteratel.com/release_notes/releases.txt
     examples: