extend rule features and rename #969

mr-tz · 2024-12-02T12:55:39Z

closes #966

mr-tz · 2024-12-02T12:56:24Z

@Ezbeat @jtothej please take a look

Ezbeat · 2024-12-02T15:50:19Z

Thank you for taking my feedback into consideration.

Regarding the ProcessSignaturePolicy configuration, wouldn't it be clearer and more consistent to use policy.MicrosoftSignedOnly instead of policy.flags? This would enhance readability and align with the explicit naming convention used in other mitigation policies.
For the detection of blockdlls, rather than relying on the InitializeProcThreadAttributeList function, how about using the UpdateProcThreadAttribute function? This approach could directly focus on when the Attribute is actually set, potentially improving accuracy and reducing false positives.

mr-tz · 2024-12-02T16:52:57Z

nice, great feedback here, thanks! does the rule now look good to you?

Ezbeat · 2024-12-02T23:07:47Z

Looks good. Thank you for considering the suggestions!

Additionally, after reviewing the rules, it seems that the blockdlls condition overlaps with the rule defined in:

What are your thoughts on this? If there is indeed an overlap, we could consider removing the blockdlls condition from this rule to avoid redundancy.

mr-tz · 2024-12-03T08:17:46Z

Oh 🤦 @jtothej already did all the work... Thanks, for noticing. I'll update accordingly.

mr-tz · 2024-12-03T13:12:23Z

Thanks, @Ezbeat (and @jtothej)!!

extend rule features and rename

0e4ebef

adjust per code review

3ecf5c2

undo rename and remove features already captured in other rule

c01b2bc

mr-tz force-pushed the fix/966 branch from b8e037a to c01b2bc Compare December 3, 2024 10:55

mr-tz merged commit 1adcf13 into master Dec 3, 2024
3 checks passed

mr-tz deleted the fix/966 branch December 3, 2024 13:12

Provide feedback