From 534ee22fcc51c5f6a592b60114e5305ff8b292b3 Mon Sep 17 00:00:00 2001
From: Ervin Ocampo <130457949+ejfocampo@users.noreply.github.com>
Date: Mon, 16 Sep 2024 20:45:21 +0800
Subject: [PATCH] Add capa rules create-thread-bypass-freeze.yml and check-thread-suspend-count-exceeded.yml to nursery. (#912)
* Add rules
---------
Co-authored-by: Willi Ballenthin
---
 .../check-thread-suspend-count-exceeded.yml | 27 +++++++++++++++++++
 ...create-thread-bypassing-process-freeze.yml | 23 ++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 nursery/check-thread-suspend-count-exceeded.yml
 create mode 100644 nursery/create-thread-bypassing-process-freeze.yml
diff --git a/nursery/check-thread-suspend-count-exceeded.yml b/nursery/check-thread-suspend-count-exceeded.yml
new file mode 100644
index 00000000..da2c281e
--- /dev/null
+++ b/nursery/check-thread-suspend-count-exceeded.yml
@@ -0,0 +1,27 @@
+rule:
+ meta:
+ name: check thread suspend count exceeded
+ authors:
+ - ervinocampo@google.com
+ scopes:
+ static: file
+ dynamic: unsupported #requires mnemonic feature
+ att&ck:
+ - Defense Evasion::Debugger Evasion [T1622]
+ mbc:
+ - Anti-Behavioral Analysis::Debugger Detection [B0001]
+ references:
+ - https://secret.club/2021/01/04/thread-stuff.html
+ - https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/
+ features:
+ - and:
+ - match: create thread bypassing process freeze
+ - function:
+ - and:
+ - or:
+ - api: ntdll.NtSuspendThread
+ - string: "NtSuspendThread"
+ - basic block:
+ - and:
+ - number: 0xc000004a = STATUS_SUSPEND_COUNT_EXCEEDED
+ - mnemonic: cmp
diff --git a/nursery/create-thread-bypassing-process-freeze.yml b/nursery/create-thread-bypassing-process-freeze.yml
new file mode 100644
index 00000000..f60e038e
--- /dev/null
+++ b/nursery/create-thread-bypassing-process-freeze.yml
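Review bot: The `basic block` clause at the end of the hunk only requires that a `cmp` instruction and the constant 0xc000004a both occur somewhere in the same basic block, so the two are not tied together — the immediate may be loaded by a `mov` and the comparison done via `test`, `sub`, or a `cmp` against a register, which this rule would miss, while an unrelated `cmp` in a block that merely references the constant would still match. That fidelity limit is worth documenting in `meta` with a `description:` stating that the rule looks for code that checks the NtSuspendThread return value against STATUS_SUSPEND_COUNT_EXCEEDED (0xC000004A) alongside use of the sibling rule "create thread bypassing process freeze", so reviewers know why the file scope and the `match:` dependency exist. The inline comment `dynamic: unsupported #requires mnemonic feature` should read `dynamic: unsupported  # requires mnemonic feature` to follow the usual YAML comment spacing. As a nursery rule it carries no `examples:`; noting that in the description (or adding a sample hash once one is available) would help promote it out of the nursery.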
@@ -0,0 +1,23 @@
+rule:
+ meta:
+ name: create thread bypassing process freeze
+ authors:
+ - ervinocampo@google.com
+ scopes:
+ static: basic block
+ dynamic: call
+ att&ck:
+ - Defense Evasion::Debugger Evasion [T1622]
+ mbc:
+ - Anti-Behavioral Analysis::Debugger Evasion [B0002]
+ references:
+ - https://secret.club/2021/01/04/thread-stuff.html
+ - https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/
+ - https://www.pinvoke.dev/ntdll/ntcreatethreadex
+ - https://github.com/winsiderss/systeminformer/blob/master/phnt/include/ntpsapi.h
+ features:
+ - and:
+ - or:
+ - api: ntdll.NtCreateThreadEx
+ - string: "NtCreateThreadEx"
+ - number: 0x40 = Undocumented thread creation flag dubbed as THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE
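Review bot: In the static `basic block` scope, `number: 0x40` is a weak discriminator on the last line of the hunk: 0x40 is a very common small constant (it is also the value of PAGE_EXECUTE_READWRITE), so any basic block that references NtCreateThreadEx and happens to contain a 0x40 anywhere — an allocation protection, a size, a stack offset — will fire, and nothing in the rule ties the constant to the thread-creation-flags argument. The dynamic `call` scope is presumably tighter, since there the number has to appear as an argument of the matched call, but that asymmetry should be stated so consumers do not treat a static hit as high confidence. I would add `description:` to `meta` explaining that the rule looks for NtCreateThreadEx used with the undocumented 0x40 creation flag and that the static form is prone to false positives, and shorten the annotation to `- number: 0x40 = THREAD_CREATE_FLAGS_BYPASS_PROCESS_FREEZE`, moving the "undocumented, dubbed as" wording into that description.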