From 4113edffaf07c7e0cea17fdd7b5b8b0676fbdf2d Mon Sep 17 00:00:00 2001
From: Ervin Ocampo
Date: Wed, 17 Jul 2024 14:18:14 +0800
Subject: [PATCH] Add capa rules create-thread-bypass-freeze.yml and check-thread-suspend-count-exceeded.yml to nursery.
---
 .../check-thread-suspend-count-exceeded.yml | 27 +++++++++++++++++++
 nursery/create-thread-bypass-freeze.yml | 23 ++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 nursery/check-thread-suspend-count-exceeded.yml
 create mode 100644 nursery/create-thread-bypass-freeze.yml
diff --git a/nursery/check-thread-suspend-count-exceeded.yml b/nursery/check-thread-suspend-count-exceeded.yml
new file mode 100644
index 00000000..67d7cb02
--- /dev/null
+++ b/nursery/check-thread-suspend-count-exceeded.yml
@@ -0,0 +1,27 @@
+rule:
+ meta:
+ name: check thread suspend count exceeded
+ authors:
+ - ervinocampo@google.com
+ scopes:
+ static: file
+ dynamic: unsupported #requires mnemonic feature
+ att&ck:
+ - Defense Evasion::Debugger Evasion [T1622]
+ mbc:
+ - Anti-Behavioral Analysis::Debugger Detection [B0001]
+ references:
+ - https://secret.club/2021/01/04/thread-stuff.html
+ - https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/
+ features:
+ - and:
+ - match: create thread bypass process freeze
+ - function:
+ - and:
+ - or:
+ - api: ntdll.NtSuspendThread
+ - string: "NtSuspendThread"
+ - basic block:
+ - and:
+ - number: 0xc000004a = STATUS_SUSPEND_COUNT_EXCEEDED
+ - mnemonic: cmp
diff --git a/nursery/create-thread-bypass-freeze.yml b/nursery/create-thread-bypass-freeze.yml
new file mode 100644
index 00000000..a10a7302
--- /dev/null
+++ b/nursery/create-thread-bypass-freeze.yml
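Review bot: The `basic block` clause ties the `0xc000004a` constant to a `cmp` in the same block, which makes the match depend on how the compiler encoded the NTSTATUS check; if the constant is materialized into a register in a preceding block, or the status is tested with `sub`/`test` rather than `cmp`, the loop that drives NtSuspendThread to STATUS_SUSPEND_COUNT_EXCEEDED is missed while the `cmp` adds little beyond the already-rare constant. Consider whether `- number: 0xc000004a = STATUS_SUSPEND_COUNT_EXCEEDED` alone inside the function is sufficient, or at least state in a `description:` what the loop looks like so reviewers of misses know what encoding was assumed. The MBC tag here is `Debugger Detection [B0001]` while the ATT&CK tag, the sibling rule this one `match:`es, and the referenced technique (saturating a thread's suspend count so a debugger or freeze cannot suspend it) all describe evasion; please confirm `B0001` is intended rather than `Debugger Evasion [B0002]`. Note also that at `static: file` scope the `match:` and the `function:` clause may land in unrelated functions, which is presumably acceptable as a loose correlation but worth saying in the description.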
@@ -0,0 +1,23 @@
+rule:
+ meta:
+ name: create thread bypass process freeze
+ authors:
+ - ervinocampo@google.com
+ scopes:
+ static: basic block
+ dynamic: call
+ att&ck:
+ - Defense Evasion::Debugger Evasion [T1622]
+ mbc:
+ - Anti-Behavioral Analysis::Debugger Evasion [B0002]
+ references:
+ - https://secret.club/2021/01/04/thread-stuff.html
+ - https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/
+ - https://www.pinvoke.dev/ntdll/ntcreatethreadex
+ - https://github.com/winsiderss/systeminformer/blob/master/phnt/include/ntpsapi.h
+ features:
+ - and:
+ - or:
+ - api: ntdll.NtCreateThreadEx
+ - string: "NtCreateThreadEx"
+ - number: 0x40 = Undocumented thread creation flag dubbed as THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE
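Review bot: At `static: basic block` scope, `number: 0x40` is not anchored to the CreateFlags argument, and 0x40 is also PAGE_EXECUTE_READWRITE, so an ordinary injector that allocates RWX memory and calls NtCreateThreadEx in the same block will satisfy this rule without ever using the bypass-freeze flag; the `string: "NtCreateThreadEx"` alternative widens that further to any block that merely resolves the export. Conversely the flag is a bit that is commonly OR-ed with others, so a sample passing `0x41` (with CREATE_SUSPENDED) or `0x44` (with HIDE_FROM_DEBUGGER, values per the referenced phnt header) produces a different immediate and is missed; if those combinations are expected, list them under an `- or:` alongside `- number: 0x40`, e.g. `- number: 0x44 = THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE | THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER`. A `description:` in `meta` stating that 0x40 is the CreateFlags bit (documented in the phnt header cited, so "Undocumented" in the number comment is arguably overstated) would help triage of both kinds of error. In the `dynamic: call` scope the number is matched against the call's arguments, which is the more precise of the two and could be noted as the preferred scope.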