diff --git a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
index f8ff190e..1d232489 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-for-protected-handle-exception.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: unspecified # TODO upgrade manually, contains subscope
+      dynamic: thread
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024]
     references:
@@ -15,8 +15,13 @@ rule:
       - al-khaser_x86.exe_:0x430D20
   features:
     - and:
-      - basic block:
-        - and:
-          - count(number(2)): 2 or more
-          - api: SetHandleInformation
+      - or:
+        - basic block:
+          - and:
+            - count(number(2)): 2 or more
+            - api: SetHandleInformation
+        - call:
+          - and:
+            - count(number(2)): 2 or more
+            - api: SetHandleInformation
       - api: CloseHandle
diff --git a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
index 3dd92a34..a7ab788d 100644
--- a/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
+++ b/anti-analysis/anti-debugging/debugger-detection/check-process-job-object.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: unspecified # TODO upgrade manually, contains subscope
+      dynamic: thread
     mbc:
       - Anti-Behavioral Analysis::Debugger Detection [B0001]
     references:
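Review bot: In the new `call:` branch the `count(number(2)): 2 or more` check carries the whole detection, because the sibling `api: CloseHandle` is now evaluated at `thread` scope in dynamic mode, where nearly every thread closes some handle; the static branch at least keeps both in a single function. The count also presumes the dynamic extractor emits one `number` feature per argument, so that dwMask and dwFlags both equal to HANDLE_FLAG_PROTECT_FROM_CLOSE in one SetHandleInformation call count twice — worth confirming against a trace, since the only listed example is a static address. Name the constant in both branches, e.g. `- count(number(2 = HANDLE_FLAG_PROTECT_FROM_CLOSE)): 2 or more`, as the other rules in this commit do for their magic values.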
@@ -14,13 +14,25 @@ rule:
     examples:
       - al-khaser_x86.exe_:0x426730
   features:
-    - and:
-      - match: contain loop
-      - basic block:
-        - and:
-          - api: kernel32.QueryInformationJobObject
-          - number: 0x3 = JobObjectBasicProcessIdList
-      - basic block:
-        - and:
-          - api: kernel32.OpenProcess
-          - number: 0x400 = PROCESS_QUERY_INFORMATION
+    - or:
+      # static
+      - and:
+        - match: contain loop
+        - basic block:
+          - and:
+            - api: kernel32.QueryInformationJobObject
+            - number: 0x3 = JobObjectBasicProcessIdList
+        - basic block:
+          - and:
+            - api: kernel32.OpenProcess
+            - number: 0x400 = PROCESS_QUERY_INFORMATION
+      # dynamic
+      - and:
+        - call:
+          - and:
+            - api: kernel32.QueryInformationJobObject
+            - number: 0x3 = JobObjectBasicProcessIdList
+        - call:
+          - and:
+            - api: kernel32.OpenProcess
+            - number: 0x400 = PROCESS_QUERY_INFORMATION
\ No newline at end of file
diff --git a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
index cebab288..fe420821 100644
--- a/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
+++ b/anti-analysis/anti-debugging/debugger-evasion/hide-thread-from-debugger.yml
@@ -7,7 +7,7 @@ rule:
       - jakub.jozwiak@mandiant.com
     scopes:
       static: function
-      dynamic: unspecified # TODO upgrade manually, contains subscope
+      dynamic: thread
     att&ck:
       - Defense Evasion::Debugger Evasion [T1622]
     mbc:
@@ -26,6 +26,12 @@ rule:
             - api: NtSetInformationThread
             - api: ZwSetInformationThread
           - number: 0x11 = ThreadHideFromDebugger
+      - call:
+        - and:
+          - or:
+            - api: NtSetInformationThread
+            - api: ZwSetInformationThread
+          - number: 0x11 = ThreadHideFromDebugger
       - and:
         - or:
           - string: "NtSetInformationThread"
diff --git a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
index b7dc9d1e..797171c9 100644
--- a/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
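Review bot: The dynamic branch is satisfied by any thread that, at any two points in its lifetime, calls QueryInformationJobObject with JobObjectBasicProcessIdList and OpenProcess with exactly 0x400, since `match: contain loop` and the basic-block locality are gone and the two `call:` blocks are joined only by an `and` at `thread` scope; the job-object query is the real signal, so say so next to the `# dynamic` marker, e.g. `# dynamic: the JobObjectBasicProcessIdList query is the distinctive call; OpenProcess alone is not`. The exact `number: 0x400` also misses combined masks such as PROCESS_QUERY_INFORMATION | PROCESS_VM_READ (0x410); that limitation is inherited from the static branch, so it is a note rather than a blocker. Separately, the rewritten file now ends with `\ No newline at end of file` — restore the trailing newline.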
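Review bot: The new `call:` block lacks the `# static` / `# dynamic` markers that check-process-job-object gets in this same commit, and the statement enclosing it starts before line 26, so its nesting relative to the existing `basic block:` alternative is not visible here; add `# dynamic` above `- call:` and `# static` above the basic-block alternative so a reader can tell the branches apart. Assuming it is a sibling alternative under an `or`, the `or` of the Nt/Zw names plus `number: 0x11 = ThreadHideFromDebugger` correctly pins the ThreadInformationClass argument of a single call.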
+++ b/anti-analysis/anti-forensic/clear-logs/clear-windows-event-logs.yml
@@ -6,7 +6,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: unspecified # TODO upgrade manually, contains subscope
+      dynamic: thread
     att&ck:
       - Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001]
     examples:
@@ -26,3 +26,6 @@ rule:
       - basic block:
         - and:
           - string: /wevtutil(\.exe)?\s+(clear-log|cl)/i
+      - call:
+        - and:
+          - string: /wevtutil(\.exe)?\s+(clear-log|cl)/i
diff --git a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
index 730119f0..075c4f93 100644
--- a/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
+++ b/anti-analysis/anti-vm/vm-detection/check-for-windows-sandbox-via-genuine-state.yml
@@ -6,7 +6,7 @@ rule:
       - "@_re_fox"
     scopes:
       static: function
-      dynamic: unspecified # TODO upgrade manually, contains subscope
+      dynamic: thread
     att&ck:
       - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
     mbc:
@@ -17,6 +17,7 @@ rule:
       - 773290480d5445f11d3dc1b800728966:0x140001140
   features:
     - and:
+      # static
       - basic block:
         - and:
           - api: SLIsGenuineLocal
@@ -24,3 +25,11 @@ rule:
         - and:
           - api: UuidFromString
           - string: "55c92734-d682-4d71-983e-d6ec3f16059f"
+      # dynamic
+      - call:
+        - and:
+          - api: SLIsGenuineLocal
+      - call:
+        - and:
+          - api: UuidFromString
+          - string: "55c92734-d682-4d71-983e-d6ec3f16059f"
diff --git a/collection/screenshot/capture-screenshot.yml b/collection/screenshot/capture-screenshot.yml
index 175e1a15..bbba9441 100644
--- a/collection/screenshot/capture-screenshot.yml
+++ b/collection/screenshot/capture-screenshot.yml
@@ -8,7 +8,7 @@ rule:
       - michael.hunhoff@mandiant.com
     scopes:
       static: function
-      dynamic: unspecified # TODO upgrade manually, contains subscope
+      dynamic: thread
     att&ck:
       - Collection::Screen Capture [T1113]
     mbc:
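Review bot: The regex in the new `call:` block only fires when the binary name and the verb land in the same string argument, but process-creation APIs commonly take them separately — `ShellExecuteW(..., L"wevtutil.exe", L"cl Security", ...)` passes lpFile and lpParameters as distinct arguments, and CreateProcessW callers may put the path in lpApplicationName with only `cl Security` in lpCommandLine — so the dynamic branch misses those launches while the static one still sees both literals. Accept either shape within the one call, as below; the `and:` wrapper with a single child is also redundant if the rule linter allows a statement directly under `call:`. The `or` that holds this alternative starts before line 26.

```yaml
      - call:
        - or:
          - string: /wevtutil(\.exe)?\s+(clear-log|cl)/i
          - and:
            - string: /wevtutil(\.exe)?$/i
            - string: /^\s*(clear-log|cl)(\s|$)/i
```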
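Review bot: Unlike check-process-job-object in this same commit, the new `call:` subscopes appear to be appended as siblings of the two `basic block:` subscopes under the top-level `and:` (the hunk at line 17 shows `- and:` directly under `features:` with only `# static` inserted), not under an `or:` with separate static and dynamic branches. Read strictly, that `and` can never be satisfied: a static run produces no `call` matches and a dynamic run produces no `basic block` matches, so the rule would fire in neither flavor and the listed static example would stop matching. Indentation is not recoverable from the collapsed hunk, so if the calls really sit under an `or` this is moot; otherwise restructure as `- or:` holding `# static` `- and:` with the two basic blocks and `# dynamic` `- and:` with the two calls, mirroring check-process-job-object.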
@@ -39,4 +39,7 @@ rule:
       - and:
         - api: BitBlt
         - characteristic: tight loop
+      - call:
+        - and:
+          - api: BitBlt
       - api: System.Drawing.Graphics::CopyFromScreen
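Review bot: The new `call:` alternative fires on any thread that issues a single BitBlt, which every GDI-drawing program does, whereas the static sibling it mirrors required `characteristic: tight loop` around the call; in dynamic mode plain `api:` features are already evaluated at `thread` scope, so any `and` of api features elsewhere in the enclosing `or` (which starts before line 39, so this is inferred) would match traces without this looser branch. If a dynamic-specific alternative is wanted, tie it to desktop capture in the same thread, e.g. `- and:` / `- api: GetDesktopWindow` / `- call: - api: BitBlt`, which narrows but does not eliminate false positives; otherwise drop the single-child `and:` wrapper or the branch itself.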