Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 831 changed files with 2,493 additions and 831 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-av | ||
authors: | ||
- [email protected] | ||
scope: basic block | ||
scopes: | ||
static: basic block | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] | ||
mbc: | ||
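Review bot: the inline `# rule hasn't been migrated yet` marker on the `dynamic:` line is a TODO committed into the rule file with nothing that tracks it; either reference the follow-up work in the comment or add a lint check that reports every `dynamic: unspecified` still carrying this marker, so the placeholder is retired rule by rule instead of fossilising. Separately, because the old `scope:` key is removed rather than kept alongside `scopes:`, any consumer that still reads `scope:` will reject this rule, so this should land together with (or after) the loader change that understands `scopes:` and accepts `unspecified` as a dynamic value.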
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-av | ||
authors: | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Impair Defenses::Indicator Blocking [T1562.006] | ||
mbc: | ||
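Review bot: `static: function` matches the removed `scope: function`, which is the one invariant a scripted rewrite across several hundred files can silently break without failing to parse; before merging, confirm that every hunk pairs the removed `scope:` value with the added `static:` value, for example with `git show -U0 <commit> | grep -E '^[-+] *(scope|static): '` and comparing adjacent lines. Nothing else in the rule header changes here, which is as it should be for a pure scope migration.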
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-av | ||
authors: | ||
- [email protected] | ||
scope: basic block | ||
scopes: | ||
static: basic block | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Impair Defenses::Disable or Modify Tools [T1562.001] | ||
mbc: | ||
@@ -5,7 +5,9 @@ rule: | |
authors: | ||
- [email protected] | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection::CheckRemoteDebuggerPresent [B0001.002] | ||
- Anti-Behavioral Analysis::Debugger Detection::WudfIsAnyDebuggerPresent [B0001.031] | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection::Hardware Breakpoints [B0001.005] | ||
references: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection [B0001] | ||
references: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: basic block | ||
scopes: | ||
static: basic block | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection::OutputDebugString [B0001.016] | ||
examples: | ||
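Review bot: for a `basic block` rule the `# rule hasn't been migrated yet` comment may overstate the remaining work: if the dynamic backend has no basic-block granularity, `dynamic: unspecified` is the final answer for this rule and not a placeholder. Suggest the comment distinguish the two cases (for example a `# not applicable to dynamic analysis` wording for rules like this one versus the pending marker for function- and file-scoped rules that still need a decision), otherwise the later migration pass has to re-derive which rules actually need attention.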
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: basic block | ||
scopes: | ||
static: basic block | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection::Process Environment Block BeingDebugged [B0001.035] | ||
references: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection::Process Environment Block NtGlobalFlag [B0001.036] | ||
references: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection::SetHandleInformation [B0001.024] | ||
references: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection::Software Breakpoints [B0001.025] | ||
references: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check GetTickCount [B0001.032] | ||
examples: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection::Timing/Delay Check QueryPerformanceCounter [B0001.033] | ||
examples: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: basic block | ||
scopes: | ||
static: basic block | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection [B0001] | ||
references: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: basic block | ||
scopes: | ||
static: basic block | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection::Memory Write Watching [B0001.010] | ||
references: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection [B0001] | ||
references: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: basic block | ||
scopes: | ||
static: basic block | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection::NtQueryInformationProcess [B0001.012] | ||
references: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-debugging/debugger-detection | ||
authors: | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Behavioral Analysis::Debugger Detection::Anti-debugging Instructions [B0001.034] | ||
examples: | ||
@@ -5,7 +5,9 @@ rule: | |
authors: | ||
- [email protected] | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Debugger Evasion [T1622] | ||
mbc: | ||
@@ -5,7 +5,9 @@ rule: | |
authors: | ||
- [email protected] | ||
description: Looks for instructions related to executing 64-bit code from a 32-bit process (Heaven's Gate) | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Defense Evasion::Disable or Evade Security Tools::Heavens Gate [F0004.008] | ||
references: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-disasm | ||
authors: | ||
- [email protected] | ||
scope: file | ||
scopes: | ||
static: file | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
mbc: | ||
- Anti-Static Analysis::Disassembler Evasion [B0012] | ||
examples: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-forensic/clear-logs | ||
authors: | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Indicator Removal::Clear Windows Event Logs [T1070.001] | ||
examples: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-forensic | ||
authors: | ||
- [email protected] | ||
scope: basic block | ||
scopes: | ||
static: basic block | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Impair Defenses::Disable Windows Event Logging [T1562.002] | ||
references: | ||
@@ -5,7 +5,9 @@ rule: | |
authors: | ||
- [email protected] | ||
description: Looks for Windows API calls associated with reading and then writing file version information of executables on disk. Malware can use these calls to overwrite its own version information with that of a legitimate executable on the system (for instance, explorer.exe) to make it appear to be a legitimate application. | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Indicator Removal [T1070] | ||
references: | ||
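Review bot: style point on the unchanged context rather than on this change: the `description:` directly above the new `scopes:` block is a single very long line, which makes any future edit to it show up as a whole-line diff. Since the header block is being touched anyway, consider a folded scalar (`description: >` followed by wrapped lines) so the text can be reviewed and diffed sentence by sentence.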
@@ -5,7 +5,9 @@ rule: | |
authors: | ||
- [email protected] | ||
- "@_re_fox" | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Process Injection [T1055] | ||
mbc: | ||
@@ -5,7 +5,9 @@ rule: | |
authors: | ||
- [email protected] | ||
- "@mr-tz" | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Indicator Removal::File Deletion [T1070.004] | ||
mbc: | ||
@@ -5,7 +5,9 @@ rule: | |
namespace: anti-analysis/anti-forensic | ||
authors: | ||
- [email protected] | ||
scope: basic block | ||
scopes: | ||
static: basic block | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Access Token Manipulation::Parent PID Spoofing [T1134.004] | ||
references: | ||
@@ -4,7 +4,9 @@ rule: | |
namespace: anti-analysis/anti-forensic/timestomp | ||
authors: | ||
- [email protected] | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Indicator Removal::Timestomp [T1070.006] | ||
examples: | ||
@@ -5,7 +5,9 @@ rule: | |
authors: | ||
- [email protected] | ||
description: Detect usage of GetForegroundWindow and Sleep APIs to check if there is any foreground window switch. Typically, sandboxes do not switch the foreground window like a user would in a normal environment. | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002] | ||
references: | ||
@@ -5,7 +5,9 @@ rule: | |
authors: | ||
- "@_re_fox" | ||
- "[email protected]" | ||
scope: function | ||
scopes: | ||
static: function | ||
dynamic: unspecified # rule hasn't been migrated yet | ||
att&ck: | ||
- Defense Evasion::Virtualization/Sandbox Evasion [T1497] | ||
mbc: | ||
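Review bot: minor style in the context lines: the second `authors:` entry is double-quoted while the equivalent entries in the other rules in this commit are plain scalars. The `@`-prefixed handle above it does need quoting (a leading `@` is a reserved indicator in YAML and cannot start a plain scalar), but the e-mail form does not. Not introduced by this change; worth normalising when the `dynamic:` scope is filled in.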